
Commit f1203bf

Azure STS | Support the standardized Azure Identity
Signed-off-by: Naveen Paul <napaul@redhat.com>
1 parent 45461a4 commit f1203bf

21 files changed

Lines changed: 551 additions & 192 deletions

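--- a/deploy/crds/noobaa.io_backingstores.yaml
+++ b/deploy/crds/noobaa.io_backingstores.yaml
@@ -87,6 +87,14 @@ spec:
 azureBlob:
 description: AzureBlob specifies a backing store of type azure-blob
 properties:
+clientId:
+description: Azure STS managed identity client id allows to get
+access token using NewWorkloadIdentityCredential
+type: string
+resourcegroupId:
+description: Azure storage account is created under this resource
+group
+type: string
 secret:
 description: |-
 Secret refers to a secret that provides the credentials
@@ -102,12 +110,19 @@ spec:
 type: string
 type: object
 x-kubernetes-map-type: atomic
+subscriptionId:
+description: Azure SubscriptionId is used to create storage account
+client.
+type: string
 targetBlobContainer:
 description: TargetBlobContainer is the name of the target Azure
 Blob container
 type: string
+tenantId:
+description: Azure STS managed identity TenantId id allows to
+get access token using NewWorkloadIdentityCredential
+type: string
 required:
-- secret
 - targetBlobContainer
 type: object
 googleCloudStorage: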
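Review bot: Removing `secret` from `required` leaves the azureBlob schema with no rule that a credential of any kind is present: `secret`, `clientId` and `tenantId` are all optional now, so an object carrying only `targetBlobContainer` passes admission and can only fail later in the controller. This file is presumably generated from the Go API type, so the check belongs on the struct marker rather than here, e.g. `// +kubebuilder:validation:XValidation:rule="has(self.secret) || (has(self.clientId) && has(self.tenantId))",message="either secret or clientId and tenantId must be set"`, which controller-gen emits as an `x-kubernetes-validations` entry on this object. Whether the controller already rejects the empty case is not visible in this hunk.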

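--- a/deploy/crds/noobaa.io_namespacestores.yaml
+++ b/deploy/crds/noobaa.io_namespacestores.yaml
@@ -90,6 +90,14 @@ spec:
 azureBlob:
 description: AzureBlob specifies a namespace store of type azure-blob
 properties:
+clientId:
+description: Azure STS managed identity client id allows to get
+access token using NewWorkloadIdentityCredential
+type: string
+resourcegroupId:
+description: Azure storage account is created under this resource
+group
+type: string
 secret:
 description: |-
 Secret refers to a secret that provides the credentials
@@ -105,12 +113,19 @@ spec:
 type: string
 type: object
 x-kubernetes-map-type: atomic
+subscriptionId:
+description: Azure SubscriptionId is used to create storage account
+client.
+type: string
 targetBlobContainer:
 description: TargetBlobContainer is the name of the target Azure
 Blob container
 type: string
+tenantId:
+description: Azure STS managed identity TenantId id allows to
+get access token using NewWorkloadIdentityCredential
+type: string
 required:
-- secret
 - targetBlobContainer
 type: object
 googleCloudStorage: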
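Review bot: `resourcegroupId` breaks the camelCase used by its new siblings `clientId`, `subscriptionId` and `tenantId` in the same object, and its description says "resource group", which is a name rather than an ARM ID; renaming to `resourceGroupId` (or `resourceGroupName` if a name is what is expected) before this API version ships avoids a breaking rename later. The `clientId`/`tenantId` descriptions also call this a "managed identity", but `NewWorkloadIdentityCredential` exchanges the projected service-account token through a federated identity credential configured on an app registration or user-assigned identity, not through the IMDS managed-identity endpoint. Suggested wording for `clientId`: `description: Client ID of the Azure identity (app registration or user-assigned managed identity) whose federated credential trusts this cluster's service-account token; consumed by NewWorkloadIdentityCredential`, and the equivalent for `tenantId`.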

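--- a/deploy/crds/noobaa.io_noobaas.yaml
+++ b/deploy/crds/noobaa.io_noobaas.yaml
@@ -1439,6 +1439,14 @@ spec:
 azureBlob:
 description: AzureBlob specifies a backing store of type azure-blob
 properties:
+clientId:
+description: Azure STS managed identity client id allows to
+get access token using NewWorkloadIdentityCredential
+type: string
+resourcegroupId:
+description: Azure storage account is created under this resource
+group
+type: string
 secret:
 description: |-
 Secret refers to a secret that provides the credentials
@@ -1454,12 +1462,19 @@ spec:
 type: string
 type: object
 x-kubernetes-map-type: atomic
+subscriptionId:
+description: Azure SubscriptionId is used to create storage
+account client.
+type: string
 targetBlobContainer:
 description: TargetBlobContainer is the name of the target
 Azure Blob container
 type: string
+tenantId:
+description: Azure STS managed identity TenantId id allows
+to get access token using NewWorkloadIdentityCredential
+type: string
 required:
-- secret
 - targetBlobContainer
 type: object
 googleCloudStorage: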
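Review bot: `clientId`, `tenantId` and `subscriptionId` accept any string here although all three are GUIDs on the Azure side, so a `pattern: ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$` on each would reject a typo at admission instead of at the token exchange or the ARM call. The `subscriptionId`/`resourcegroupId` descriptions say the operator creates a storage account, which means the identity behind `clientId` needs control-plane rights on the resource group as well as data-plane rights on the container; documenting the minimum roles expected (presumably Storage Account Contributor on the resource group plus Storage Blob Data Contributor on the container — confirm against the controller code, which is not on this page) helps operators avoid granting Contributor on the whole subscription.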

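--- a/deploy/internal/deployment-endpoint.yaml
+++ b/deploy/internal/deployment-endpoint.yaml
@@ -42,7 +42,8 @@ spec:
 secretName: noobaa-iam-serving-cert
 optional: true
 # This service account token can be used to provide identity outside the cluster.
-# For example, this token can be used with AssumeRoleWithWebIdentity to authenticate with AWS using IAM OIDC provider and STS.
+# For example, this token can be used with AWS(AssumeRoleWithWebIdentity)/Azure(WorkloadIdentityCredential)
+# to authenticate with AWS/Azure using IAM OIDC provider and STS.
 - name: bound-sa-token
 projected:
 sources: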
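Review bot: The comment now advertises this token for Azure `WorkloadIdentityCredential`, but whether that works depends on the `audience` set in the projected `sources` list that begins on the last line of this hunk and continues outside it: Entra ID workload identity federation only accepts the token when its `aud` claim equals the audience configured on the federated credential (the documented default is `api://AzureADTokenExchange`), which is unlikely to be the audience chosen for the AWS IAM OIDC provider. Worth stating in the comment, e.g. `# The token audience must match the provider side: the client ID registered on the AWS IAM OIDC provider, or the audience of the Azure federated credential (default api://AzureADTokenExchange).` The trailing "using IAM OIDC provider and STS" is AWS terminology and does not describe the Azure exchange.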

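--- a/deploy/internal/statefulset-core.yaml
+++ b/deploy/internal/statefulset-core.yaml
@@ -35,7 +35,8 @@ spec:
 secretName: noobaa-server
 optional: true
 # This service account token can be used to provide identity outside the cluster.
-# For example, this token can be used with AssumeRoleWithWebIdentity to authenticate with AWS using IAM OIDC provider and STS.
+# For example, this token can be used with AWS(AssumeRoleWithWebIdentity)/Azure(WorkloadIdentityCredential)
+# to authenticate with AWS/Azure using IAM OIDC provider and STS.
 - name: bound-sa-token
 projected:
 sources: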
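Review bot: "to authenticate with AWS/Azure using IAM OIDC provider and STS" describes only the AWS path; on Azure the projected token is exchanged by Entra ID workload identity federation, and neither an IAM OIDC provider nor STS is involved, so the comment as written points an operator at the wrong place to configure trust. Suggested: `# to authenticate with AWS (IAM OIDC provider + STS) or Azure (Entra ID workload identity federation).` The same two-line comment is introduced in deploy/operator.yaml in this commit and should be kept in step. The `sources` list that carries the audience both providers must be configured for continues outside this hunk.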

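--- a/deploy/operator.yaml
+++ b/deploy/operator.yaml
@@ -22,7 +22,8 @@ spec:
 type: RuntimeDefault
 volumes:
 # This service account token can be used to provide identity outside the cluster.
-# For example, this token can be used with AssumeRoleWithWebIdentity to authenticate with AWS using IAM OIDC provider and STS.
+# For example, this token can be used with AWS(AssumeRoleWithWebIdentity)/Azure(WorkloadIdentityCredential)
+# to authenticate with AWS/Azure using IAM OIDC provider and STS.
 - name: bound-sa-token
 projected:
 sources: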

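--- a/go.mod
+++ b/go.mod
@@ -10,10 +10,10 @@ replace (
 
 require (
 cloud.google.com/go/storage v1.57.2
-github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.1
 github.com/Azure/azure-storage-blob-go v0.15.0
-github.com/Azure/go-autorest/autorest v0.11.30
-github.com/Azure/go-autorest/autorest/adal v0.9.23
 github.com/IBM/keyprotect-go-client v0.15.1
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2
 github.com/aws/aws-sdk-go v1.48.12
@@ -32,7 +32,7 @@ require (
 github.com/onsi/ginkgo/v2 v2.27.2
 github.com/onsi/gomega v1.38.2
 github.com/openshift/api v0.0.0-20251120040117-916c7003ed78
-github.com/openshift/cloud-credential-operator v0.0.0-20231004191224-abdf0627a0cf
+github.com/openshift/cloud-credential-operator v0.0.0-20251215212231-8f1a631d825f
 github.com/openshift/custom-resource-status v1.1.3-0.20220503160415-f2fdb4999d87
 github.com/operator-framework/api v0.36.0
 github.com/operator-framework/operator-lib v0.19.0
@@ -71,12 +71,10 @@ require (
 cloud.google.com/go/auth v0.17.0 // indirect
 cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 cloud.google.com/go/monitoring v1.24.3 // indirect
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 // indirect
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 // indirect
+github.com/Azure/azure-pipeline-go v0.2.3 // indirect
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
 github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0 // indirect
 github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect
-github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
 github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 // indirect
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.54.0 // indirect
@@ -116,6 +114,7 @@ require (
 github.com/hashicorp/vault/api/auth/kubernetes v0.8.0 // indirect
 github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.7.7 // indirect
 github.com/kylelemons/godebug v1.1.0 // indirect
+github.com/mattn/go-ieproxy v0.0.1 // indirect
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
@@ -136,7 +135,6 @@ require (
 go.yaml.in/yaml/v2 v2.4.3 // indirect
 go.yaml.in/yaml/v3 v3.0.4 // indirect
 golang.org/x/sync v0.18.0 // indirect
-golang.org/x/tools/go/expect v0.1.1-deprecated // indirect
 gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f // indirect
 sigs.k8s.io/randfill v1.0.0 // indirect
@@ -147,13 +145,7 @@ require (
 cloud.google.com/go v0.123.0 // indirect
 cloud.google.com/go/compute/metadata v0.9.0 // indirect
 cloud.google.com/go/iam v1.5.3 // indirect
-github.com/Azure/azure-pipeline-go v0.2.3 // indirect
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
-github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
-github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect
-github.com/Azure/go-autorest/logger v0.2.1 // indirect
-github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 github.com/MakeNowJust/heredoc v1.0.0 // indirect
 github.com/ansel1/merry v1.8.0 // indirect
 github.com/ansel1/merry/v2 v2.2.0 // indirect
@@ -197,7 +189,6 @@ require (
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 github.com/marstr/collection v1.0.1 // indirect
 github.com/mattn/go-colorable v0.1.14 // indirect
-github.com/mattn/go-ieproxy v0.0.1 // indirect
 github.com/mattn/go-isatty v0.0.20 // indirect
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
 github.com/mitchellh/go-homedir v1.1.0 // indirect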
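Review bot: `github.com/Azure/azure-storage-blob-go v0.15.0` stays in the direct requirements (with `azure-pipeline-go` and `go-ieproxy` kept as its transitive dependencies) while identity and ARM move to the track-2 `sdk/azidentity`/`armstorage` modules; that blob module is the legacy track-1 client upstream has put into maintenance in favour of `sdk/storage/azblob`, so after this commit the operator carries both SDK generations and two credential plumbing paths. If the `azidentity` token is bridged into the old client, the bridge has to refresh it rather than pass a one-shot string, because workload-identity access tokens are short-lived; the Go code doing that exchange is not on this page, so this is worth confirming there. Dropping `go-autorest/adal` and the rest of `go-autorest` removes a dependency line that no longer receives fixes, which is the right direction. `go.sum` must pick up the new `azcore`/`azidentity`/`armstorage` entries in the same commit; it is among the 21 files but not shown here.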
