add explicit --auth-mode login to az storage commands
nojnhuh authored and k8s-infra-cherrypick-robot committed Aug 30, 2024
1 parent be33b5a commit 2a8ec3e
Showing 4 changed files with 20 additions and 22 deletions.
3 changes: 0 additions & 3 deletions hack/ensure-azcli.sh
Expand Up @@ -31,9 +31,6 @@ if [[ -z "$(command -v az)" ]]; then
# AZURE_CLIENT_ID has been overloaded with Azure Workload ID in the preset-azure-cred-wi.
# This is done to avoid exporting Azure Workload ID as AZURE_CLIENT_ID in the test scenarios.
az login --service-principal -u "${AZURE_CLIENT_ID}" -t "${AZURE_TENANT_ID}" --federated-token "$(cat "${AZURE_FEDERATED_TOKEN_FILE}")" > /dev/null

# Use --auth-mode "login" in az storage commands to use RBAC permissions of login identity. This is a well known ENV variable the Azure cli
export AZURE_STORAGE_AUTH_MODE="login"
else
echo "AZURE_FEDERATED_TOKEN_FILE environment variable must be set to path location of token file"
exit 1
16 changes: 8 additions & 8 deletions scripts/ci-build-azure-ccm.sh
Expand Up @@ -66,17 +66,17 @@ main() {
echo "Building and pushing Linux and Windows amd64 Azure ACR credential provider"
make -C "${AZURE_CLOUD_PROVIDER_ROOT}" bin/azure-acr-credential-provider bin/azure-acr-credential-provider.exe

if [[ "$(az storage container exists --name "${AZURE_BLOB_CONTAINER_NAME}" --query exists --output tsv)" == "false" ]]; then
if [[ "$(az storage container exists --name "${AZURE_BLOB_CONTAINER_NAME}" --query exists --output tsv --auth-mode login)" == "false" ]]; then
echo "Creating ${AZURE_BLOB_CONTAINER_NAME} storage container"
az storage container create --name "${AZURE_BLOB_CONTAINER_NAME}" > /dev/null
az storage container create --name "${AZURE_BLOB_CONTAINER_NAME}" --auth-mode login > /dev/null
# if the storage account has public access disabled at the account level this will return 404
az storage container set-permission --name "${AZURE_BLOB_CONTAINER_NAME}" --public-access container > /dev/null
AZURE_STORAGE_AUTH_MODE=login az storage container set-permission --name "${AZURE_BLOB_CONTAINER_NAME}" --public-access container > /dev/null
fi

az storage blob upload --overwrite --container-name "${AZURE_BLOB_CONTAINER_NAME}" --file "${AZURE_CLOUD_PROVIDER_ROOT}/bin/azure-acr-credential-provider" --name "${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/azure-acr-credential-provider"
az storage blob upload --overwrite --container-name "${AZURE_BLOB_CONTAINER_NAME}" --file "${AZURE_CLOUD_PROVIDER_ROOT}/bin/azure-acr-credential-provider.exe" --name "${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/azure-acr-credential-provider.exe"
az storage blob upload --overwrite --container-name "${AZURE_BLOB_CONTAINER_NAME}" --file "${AZURE_CLOUD_PROVIDER_ROOT}/examples/out-of-tree/credential-provider-config.yaml" --name "${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/credential-provider-config.yaml"
az storage blob upload --overwrite --container-name "${AZURE_BLOB_CONTAINER_NAME}" --file "${AZURE_CLOUD_PROVIDER_ROOT}/examples/out-of-tree/credential-provider-config-win.yaml" --name "${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/credential-provider-config-win.yaml"
az storage blob upload --overwrite --container-name "${AZURE_BLOB_CONTAINER_NAME}" --file "${AZURE_CLOUD_PROVIDER_ROOT}/bin/azure-acr-credential-provider" --name "${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/azure-acr-credential-provider" --auth-mode login
az storage blob upload --overwrite --container-name "${AZURE_BLOB_CONTAINER_NAME}" --file "${AZURE_CLOUD_PROVIDER_ROOT}/bin/azure-acr-credential-provider.exe" --name "${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/azure-acr-credential-provider.exe" --auth-mode login
az storage blob upload --overwrite --container-name "${AZURE_BLOB_CONTAINER_NAME}" --file "${AZURE_CLOUD_PROVIDER_ROOT}/examples/out-of-tree/credential-provider-config.yaml" --name "${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/credential-provider-config.yaml" --auth-mode login
az storage blob upload --overwrite --container-name "${AZURE_BLOB_CONTAINER_NAME}" --file "${AZURE_CLOUD_PROVIDER_ROOT}/examples/out-of-tree/credential-provider-config-win.yaml" --name "${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/credential-provider-config-win.yaml" --auth-mode login
fi
}

Expand All @@ -100,7 +100,7 @@ can_reuse_artifacts() {
fi

for BINARY in azure-acr-credential-provider azure-acr-credential-provider.exe credential-provider-config.yaml credential-provider-config-win.yaml; do
if [[ "$(az storage blob exists --container-name "${AZURE_BLOB_CONTAINER_NAME}" --name "${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/${BINARY}" --query exists --output tsv)" == "false" ]]; then
if [[ "$(az storage blob exists --container-name "${AZURE_BLOB_CONTAINER_NAME}" --name "${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/${BINARY}" --query exists --output tsv --auth-mode login)" == "false" ]]; then
echo "false" && return
fi
done
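Review bot: The `AZURE_STORAGE_AUTH_MODE=login az storage container set-permission …` line is the only command in this hunk that selects login mode through the environment variable while every neighbouring command passes `--auth-mode login`; since this same commit removes the global `export AZURE_STORAGE_AUTH_MODE` from hack/ensure-azcli.sh, mixing the two forms makes it easy for a later edit to drop the per-command setting and fall back to the CLI's default of looking up an account key, which the CI identity may not be permitted to do. For consistency use `az storage container set-permission --name "${AZURE_BLOB_CONTAINER_NAME}" --public-access container --auth-mode login > /dev/null`. Independently of how the CLI authenticates, `--public-access container` still grants anonymous read and list on the container; that is pre-existing and presumably intended for the test VMs, but a one-line comment stating so would help the next reader. The enclosing `main()` and `can_reuse_artifacts()` both start outside their hunks.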
14 changes: 7 additions & 7 deletions scripts/ci-build-kubernetes.sh
Expand Up @@ -77,10 +77,10 @@ setup() {
}

main() {
if [[ "$(az storage container exists --name "${AZURE_BLOB_CONTAINER_NAME}" --query exists --output tsv)" == "false" ]]; then
if [[ "$(az storage container exists --name "${AZURE_BLOB_CONTAINER_NAME}" --query exists --output tsv --auth-mode login)" == "false" ]]; then
echo "Creating ${AZURE_BLOB_CONTAINER_NAME} storage container"
az storage container create --name "${AZURE_BLOB_CONTAINER_NAME}" > /dev/null
az storage container set-permission --name "${AZURE_BLOB_CONTAINER_NAME}" --public-access container > /dev/null
az storage container create --name "${AZURE_BLOB_CONTAINER_NAME}" --auth-mode login > /dev/null
az storage container set-permission --name "${AZURE_BLOB_CONTAINER_NAME}" --auth-mode login --public-access container > /dev/null
fi

if [[ "${KUBE_BUILD_CONFORMANCE:-}" =~ [yY] ]]; then
Expand Down Expand Up @@ -113,7 +113,7 @@ main() {
for BINARY in "${BINARIES[@]}"; do
BIN_PATH="${KUBE_GIT_VERSION}/bin/linux/amd64/${BINARY}"
echo "uploading ${BIN_PATH}"
az storage blob upload --overwrite --container-name "${AZURE_BLOB_CONTAINER_NAME}" --file "${KUBE_ROOT}/_output/dockerized/bin/linux/amd64/${BINARY}" --name "${BIN_PATH}"
az storage blob upload --auth-mode login --overwrite --container-name "${AZURE_BLOB_CONTAINER_NAME}" --file "${KUBE_ROOT}/_output/dockerized/bin/linux/amd64/${BINARY}" --name "${BIN_PATH}"
done

if [[ "${TEST_WINDOWS:-}" == "true" ]]; then
Expand All @@ -126,7 +126,7 @@ main() {
for BINARY in "${WINDOWS_BINARIES[@]}"; do
BIN_PATH="${KUBE_GIT_VERSION}/bin/windows/amd64/${BINARY}.exe"
echo "uploading ${BIN_PATH}"
az storage blob upload --overwrite --container-name "${AZURE_BLOB_CONTAINER_NAME}" --file "${KUBE_ROOT}/_output/dockerized/bin/windows/amd64/${BINARY}.exe" --name "${BIN_PATH}"
az storage blob upload --auth-mode login --overwrite --container-name "${AZURE_BLOB_CONTAINER_NAME}" --file "${KUBE_ROOT}/_output/dockerized/bin/windows/amd64/${BINARY}.exe" --name "${BIN_PATH}"
done
fi
fi
Expand All @@ -141,14 +141,14 @@ can_reuse_artifacts() {
done

for BINARY in "${BINARIES[@]}"; do
if [[ "$(az storage blob exists --container-name "${AZURE_BLOB_CONTAINER_NAME}" --name "${KUBE_GIT_VERSION}/bin/linux/amd64/${BINARY}" --query exists --output tsv)" == "false" ]]; then
if [[ "$(az storage blob exists --auth-mode login --container-name "${AZURE_BLOB_CONTAINER_NAME}" --name "${KUBE_GIT_VERSION}/bin/linux/amd64/${BINARY}" --query exists --output tsv)" == "false" ]]; then
echo "false" && return
fi
done

if [[ "${TEST_WINDOWS:-}" == "true" ]]; then
for BINARY in "${WINDOWS_BINARIES[@]}"; do
if [[ "$(az storage blob exists --container-name "${AZURE_BLOB_CONTAINER_NAME}" --name "${KUBE_GIT_VERSION}/bin/windows/amd64/${BINARY}.exe" --query exists --output tsv)" == "false" ]]; then
if [[ "$(az storage blob exists --auth-mode login --container-name "${AZURE_BLOB_CONTAINER_NAME}" --name "${KUBE_GIT_VERSION}/bin/windows/amd64/${BINARY}.exe" --query exists --output tsv)" == "false" ]]; then
echo "false" && return
fi
done
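Review bot: The `az storage container set-permission … --auth-mode login --public-access container` line in `main()` carries no note on what login mode requires, and unlike the sibling scripts/ci-build-azure-ccm.sh there is no comment that this call returns 404 when public access is disabled at the account level. With `--auth-mode login` the CLI authorizes with the logged-in identity's RBAC roles and no longer falls back to an account key, so the create, ACL change and uploads only succeed if the CI identity holds a blob data-plane role on the target storage account; which built-in role covers the container ACL write I cannot tell from here, so it is worth confirming and recording. Suggested comment above the create block: `# --auth-mode login uses the login identity's RBAC roles (no account key); the CI identity needs blob data-plane rights on the storage account. set-permission returns 404 if public access is disabled at the account level.` Note too that if `az storage container exists` errors (e.g. 403 from a missing role) its `$(…)` is empty rather than `false`, so creation is skipped and the failure only surfaces at upload time. `main()` and `can_reuse_artifacts()` extend beyond the hunks.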
9 changes: 5 additions & 4 deletions scripts/kind-with-registry.sh
Expand Up @@ -110,12 +110,12 @@ function checkAZWIENVPreReqsAndCreateFiles() {
sleep 5
done
echo "Configuring storage account '${AZWI_STORAGE_ACCOUNT}' as static website"
az storage blob service-properties update --account-name "${AZWI_STORAGE_ACCOUNT}" --static-website
az storage blob service-properties update --account-name "${AZWI_STORAGE_ACCOUNT}" --static-website --auth-mode login
fi

if ! az storage container show --name "${AZWI_STORAGE_CONTAINER}" --account-name "${AZWI_STORAGE_ACCOUNT}" > /dev/null 2>&1; then
if ! az storage container show --name "${AZWI_STORAGE_CONTAINER}" --account-name "${AZWI_STORAGE_ACCOUNT}" --auth-mode login > /dev/null 2>&1; then
echo "Creating storage container '${AZWI_STORAGE_CONTAINER}' in '${AZWI_STORAGE_ACCOUNT}'"
az storage container create --name "${AZWI_STORAGE_CONTAINER}" --account-name "${AZWI_STORAGE_ACCOUNT}" --output none --only-show-errors
az storage container create --name "${AZWI_STORAGE_CONTAINER}" --account-name "${AZWI_STORAGE_ACCOUNT}" --output none --only-show-errors --auth-mode login
fi

SERVICE_ACCOUNT_ISSUER=$(az storage account show --name "${AZWI_STORAGE_ACCOUNT}" --resource-group "${AZWI_RESOURCE_GROUP}" -o json | jq -r .primaryEndpoints.web)
Expand Down Expand Up @@ -195,7 +195,8 @@ function upload_to_blob() {
--file "${file_path}" \
--name "${blob_name}" \
--account-name "${AZWI_STORAGE_ACCOUNT}" \
--output none --only-show-errors
--output none --only-show-errors \
--auth-mode login
}

# This function create a kind cluster for Workload identity which requires key pairs path
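Review bot: `if ! az storage container show … --auth-mode login > /dev/null 2>&1` now depends on the login identity's data-plane RBAC, but the `2>&1` discards stderr, so an authorization failure (a 403 from a missing role) is indistinguishable from "container absent" and the script proceeds to `az storage container create`, whose own error becomes the first visible symptom. Keep stderr visible, or probe the way the other scripts do, e.g. `if [[ "$(az storage container exists --name "${AZWI_STORAGE_CONTAINER}" --account-name "${AZWI_STORAGE_ACCOUNT}" --auth-mode login --query exists -o tsv)" != "true" ]]; then`. The `az storage account show … | jq` call at the end of that hunk is a control-plane request and correctly takes no `--auth-mode`. `checkAZWIENVPreReqsAndCreateFiles()` and `upload_to_blob()` both start outside their hunks.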
