generate token using azidentity

go.mod

@@ -22,6 +22,7 @@ require (
 	github.com/evanphx/json-patch v5.9.0+incompatible
 	github.com/fsnotify/fsnotify v1.7.0
 	github.com/go-logr/logr v1.4.2
+	github.com/jongio/azidext/go/azidext v0.5.0
 	github.com/onsi/ginkgo/v2 v2.21.0
 	github.com/onsi/gomega v1.35.0
 	github.com/prometheus/client_golang v1.20.5

pkg/provider/azure.go

@@ -29,9 +29,8 @@ import (
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/go-autorest/autorest"
-	"github.com/Azure/go-autorest/autorest/adal"
 	"github.com/Azure/go-autorest/autorest/azure"
-
+	"github.com/jongio/azidext/go/azidext"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -705,12 +704,7 @@ func (az *Cloud) InitializeCloudFromConfig(ctx context.Context, config *Config,
 		return err
 	}
 	az.AuthProvider = authProvider
-	// If uses network resources in different AAD Tenant, then prepare corresponding Service Principal Token for VM/VMSS client and network resources client
-	multiTenantServicePrincipalToken, networkResourceServicePrincipalToken, err := az.getAuthTokenInMultiTenantEnv(servicePrincipalToken, authProvider)
-	if err != nil {
-		return err
-	}
-	az.configAzureClients(servicePrincipalToken, multiTenantServicePrincipalToken, networkResourceServicePrincipalToken)
+	az.configAzureClients(authProvider)
 
 	if az.ComputeClientFactory == nil {
 		var cred azcore.TokenCredential
@@ -908,23 +902,6 @@ func (az *Cloud) setLBDefaults(config *Config) error {
 	return nil
 }
 
-func (az *Cloud) getAuthTokenInMultiTenantEnv(_ *adal.ServicePrincipalToken, authProvider *azclient.AuthProvider) (adal.MultitenantOAuthTokenProvider, adal.OAuthTokenProvider, error) {
-	var err error
-	var multiTenantOAuthToken adal.MultitenantOAuthTokenProvider
-	var networkResourceServicePrincipalToken adal.OAuthTokenProvider
-	if az.Config.UsesNetworkResourceInDifferentTenant() {
-		multiTenantOAuthToken, err = ratelimitconfig.GetMultiTenantServicePrincipalToken(&az.Config.AzureAuthConfig, &az.Environment, authProvider)
-		if err != nil {
-			return nil, nil, err
-		}
-		networkResourceServicePrincipalToken, err = ratelimitconfig.GetNetworkResourceServicePrincipalToken(&az.Config.AzureAuthConfig, &az.Environment, authProvider)
-		if err != nil {
-			return nil, nil, err
-		}
-	}
-	return multiTenantOAuthToken, networkResourceServicePrincipalToken, nil
-}
-
 func (az *Cloud) setCloudProviderBackoffDefaults(config *Config) wait.Backoff {
 	// Conditionally configure resource request backoff
 	resourceRequestBackoff := wait.Backoff{
@@ -966,11 +943,10 @@ func (az *Cloud) setCloudProviderBackoffDefaults(config *Config) wait.Backoff {
 }
 
 func (az *Cloud) configAzureClients(
-	servicePrincipalToken *adal.ServicePrincipalToken,
-	multiTenantOAuthTokenProvider adal.MultitenantOAuthTokenProvider,
-	networkResourceServicePrincipalToken adal.OAuthTokenProvider,
+	authProvider *azclient.AuthProvider,
 ) {
-	azClientConfig := az.getAzureClientConfig(servicePrincipalToken)
+	token := azidext.NewTokenCredentialAdapter(authProvider.GetAzIdentity(), []string{azidext.DefaultManagementScope})
+	azClientConfig := az.getAzureClientConfig(token)
 
 	// Prepare AzureClientConfig for all azure clients
 	interfaceClientConfig := azClientConfig.WithRateLimiter(az.Config.InterfaceRateLimit)
@@ -996,22 +972,22 @@ func (az *Cloud) configAzureClients(
 	vmasClientConfig := azClientConfig.WithRateLimiter(az.Config.AvailabilitySetRateLimit)
 
 	// If uses network resources in different AAD Tenant, update Authorizer for VM/VMSS/VMAS client config
-	if multiTenantOAuthTokenProvider != nil {
-		multiTenantServicePrincipalTokenAuthorizer := autorest.NewMultiTenantServicePrincipalTokenAuthorizer(multiTenantOAuthTokenProvider)
+	if authProvider.IsMultiTenantModeEnabled() {
+		multiTenantOAuthTokenProvider := azidext.NewTokenCredentialAdapter(authProvider.GetMultiTenantIdentity(), []string{azidext.DefaultManagementScope})
 
-		vmClientConfig.Authorizer = multiTenantServicePrincipalTokenAuthorizer
-		vmssClientConfig.Authorizer = multiTenantServicePrincipalTokenAuthorizer
-		vmssVMClientConfig.Authorizer = multiTenantServicePrincipalTokenAuthorizer
-		vmasClientConfig.Authorizer = multiTenantServicePrincipalTokenAuthorizer
+		vmClientConfig.Authorizer = multiTenantOAuthTokenProvider
+		vmssClientConfig.Authorizer = multiTenantOAuthTokenProvider
+		vmssVMClientConfig.Authorizer = multiTenantOAuthTokenProvider
+		vmasClientConfig.Authorizer = multiTenantOAuthTokenProvider
 	}
 
 	// If uses network resources in different AAD Tenant, update SubscriptionID and Authorizer for network resources client config
-	if networkResourceServicePrincipalToken != nil {
-		networkResourceServicePrincipalTokenAuthorizer := autorest.NewBearerAuthorizer(networkResourceServicePrincipalToken)
-		subnetClientConfig.Authorizer = networkResourceServicePrincipalTokenAuthorizer
-		routeTableClientConfig.Authorizer = networkResourceServicePrincipalTokenAuthorizer
-		loadBalancerClientConfig.Authorizer = networkResourceServicePrincipalTokenAuthorizer
-		publicIPClientConfig.Authorizer = networkResourceServicePrincipalTokenAuthorizer
+	if authProvider.GetNetworkAzIdentity() != nil {
+		networkResourceServicePrincipalToken := azidext.NewTokenCredentialAdapter(authProvider.GetNetworkAzIdentity(), []string{azidext.DefaultManagementScope})
+		subnetClientConfig.Authorizer = networkResourceServicePrincipalToken
+		routeTableClientConfig.Authorizer = networkResourceServicePrincipalToken
+		loadBalancerClientConfig.Authorizer = networkResourceServicePrincipalToken
+		publicIPClientConfig.Authorizer = networkResourceServicePrincipalToken
 	}
 
 	if az.UsesNetworkResourceInDifferentSubscription() {
@@ -1041,13 +1017,13 @@ func (az *Cloud) configAzureClients(
 	az.PrivateLinkServiceClient = privatelinkserviceclient.New(privateLinkServiceConfig)
 }
 
-func (az *Cloud) getAzureClientConfig(servicePrincipalToken *adal.ServicePrincipalToken) *azclients.ClientConfig {
+func (az *Cloud) getAzureClientConfig(token autorest.Authorizer) *azclients.ClientConfig {
 	azClientConfig := &azclients.ClientConfig{
 		CloudName:               az.Config.Cloud,
 		Location:                az.Config.Location,
 		SubscriptionID:          az.Config.SubscriptionID,
 		ResourceManagerEndpoint: az.Environment.ResourceManagerEndpoint,
-		Authorizer:              autorest.NewBearerAuthorizer(servicePrincipalToken),
+		Authorizer:              token,
 		Backoff:                 &retry.Backoff{Steps: 1},
 		DisableAzureStackCloud:  az.Config.DisableAzureStackCloud,
 		UserAgent:               az.Config.UserAgent,

pkg/provider/config/azure_auth.go

@@ -193,33 +193,34 @@ func GetMultiTenantServicePrincipalToken(config *AzureAuthConfig, env *azure.Env
 		return nil, fmt.Errorf("creating the multi-tenant OAuth config: %w", err)
 	}
 
-	if len(config.AADClientSecret) > 0 && !strings.EqualFold(config.AADClientSecret, "msi") {
-		logger.V(2).Info("Setup ARM multi-tenant token provider", "method", "sp_with_password")
-		return adal.NewMultiTenantServicePrincipalToken(
-			multiTenantOAuthConfig,
-			config.AADClientID,
-			config.AADClientSecret,
-			env.ServiceManagementEndpoint)
-	}
-
-	if len(config.AADClientCertPath) > 0 {
-		logger.V(2).Info("Setup ARM multi-tenant token provider", "method", "sp_with_certificate")
-		certData, err := os.ReadFile(config.AADClientCertPath)
-		if err != nil {
-			return nil, fmt.Errorf("reading the client certificate from file %s: %w", config.AADClientCertPath, err)
+	if !config.UseManagedIdentityExtension {
+		if len(config.AADClientSecret) > 0 {
+			logger.V(2).Info("Setup ARM multi-tenant token provider", "method", "sp_with_password")
+			return adal.NewMultiTenantServicePrincipalToken(
+				multiTenantOAuthConfig,
+				config.AADClientID,
+				config.AADClientSecret,
+				env.ServiceManagementEndpoint)
 		}
-		certificate, privateKey, err := parseCertificate(certData, config.AADClientCertPassword)
-		if err != nil {
-			return nil, fmt.Errorf("decoding the client certificate: %w", err)
+
+		if len(config.AADClientCertPath) > 0 {
+			logger.V(2).Info("Setup ARM multi-tenant token provider", "method", "sp_with_certificate")
+			certData, err := os.ReadFile(config.AADClientCertPath)
+			if err != nil {
+				return nil, fmt.Errorf("reading the client certificate from file %s: %w", config.AADClientCertPath, err)
+			}
+			certificate, privateKey, err := parseCertificate(certData, config.AADClientCertPassword)
+			if err != nil {
+				return nil, fmt.Errorf("decoding the client certificate: %w", err)
+			}
+			return adal.NewMultiTenantServicePrincipalTokenFromCertificate(
+				multiTenantOAuthConfig,
+				config.AADClientID,
+				certificate,
+				privateKey,
+				env.ServiceManagementEndpoint)
 		}
-		return adal.NewMultiTenantServicePrincipalTokenFromCertificate(
-			multiTenantOAuthConfig,
-			config.AADClientID,
-			certificate,
-			privateKey,
-			env.ServiceManagementEndpoint)
 	}
-
 	if authProvider.ComputeCredential != nil && authProvider.NetworkCredential != nil {
 		logger.V(2).Info("Setup ARM multi-tenant token provider", "method", "msi_with_auxiliary_token")
 		return armauth.NewMultiTenantTokenProvider(

vendor/modules.txt

@@ -337,6 +337,9 @@ github.com/imdario/mergo
 # github.com/inconshreveable/mousetrap v1.1.0
 ## explicit; go 1.18
 github.com/inconshreveable/mousetrap
+# github.com/jongio/azidext/go/azidext v0.5.0
+## explicit; go 1.18
+github.com/jongio/azidext/go/azidext
 # github.com/josharian/intern v1.0.0
 ## explicit; go 1.5
 github.com/josharian/intern