From 8117bcbd4b549ddc596820a5de49dddb28a3fdf4 Mon Sep 17 00:00:00 2001 From: Jon Huhn Date: Tue, 13 Aug 2024 22:09:01 +0000 Subject: [PATCH] add explicit --auth-mode login to az storage commands --- hack/ensure-azcli.sh | 3 --- scripts/ci-build-azure-ccm.sh | 16 ++++++++-------- scripts/ci-build-kubernetes.sh | 14 +++++++------- scripts/kind-with-registry.sh | 9 +++++---- 4 files changed, 20 insertions(+), 22 deletions(-) diff --git a/hack/ensure-azcli.sh b/hack/ensure-azcli.sh index 57043d8d3b7..e85f1773926 100755 --- a/hack/ensure-azcli.sh +++ b/hack/ensure-azcli.sh @@ -31,9 +31,6 @@ if [[ -z "$(command -v az)" ]]; then # AZURE_CLIENT_ID has been overloaded with Azure Workload ID in the preset-azure-cred-wi. # This is done to avoid exporting Azure Workload ID as AZURE_CLIENT_ID in the test scenarios. az login --service-principal -u "${AZURE_CLIENT_ID}" -t "${AZURE_TENANT_ID}" --federated-token "$(cat "${AZURE_FEDERATED_TOKEN_FILE}")" > /dev/null - - # Use --auth-mode "login" in az storage commands to use RBAC permissions of login identity. This is a well known ENV variable the Azure cli - export AZURE_STORAGE_AUTH_MODE="login" else echo "AZURE_FEDERATED_TOKEN_FILE environment variable must be set to path location of token file" exit 1 diff --git a/scripts/ci-build-azure-ccm.sh b/scripts/ci-build-azure-ccm.sh index 735cd2c9f0b..3b4887e295d 100755 --- a/scripts/ci-build-azure-ccm.sh +++ b/scripts/ci-build-azure-ccm.sh 
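Review bot: Dropping the `export AZURE_STORAGE_AUTH_MODE="login"` means any `az storage` data-plane call that does not carry `--auth-mode login` itself falls back to the CLI's default key-based auth, which needs listKeys rights on the account instead of the RBAC data roles of the logged-in identity, and ensure-azcli.sh no longer records that callers are responsible for the flag. I would leave a one-line note at the point of the removal: `# No AZURE_STORAGE_AUTH_MODE default is set here; every az storage call must pass --auth-mode login explicitly.` The enclosing `if` block begins outside the hunk.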
@@ -66,17 +66,17 @@ main() { echo "Building and pushing Linux and Windows amd64 Azure ACR credential provider" make -C "${AZURE_CLOUD_PROVIDER_ROOT}" bin/azure-acr-credential-provider bin/azure-acr-credential-provider.exe - if [[ "$(az storage container exists --name "${AZURE_BLOB_CONTAINER_NAME}" --query exists --output tsv)" == "false" ]]; then + if [[ "$(az storage container exists --name "${AZURE_BLOB_CONTAINER_NAME}" --query exists --output tsv --auth-mode login)" == "false" ]]; then echo "Creating ${AZURE_BLOB_CONTAINER_NAME} storage container" - az storage container create --name "${AZURE_BLOB_CONTAINER_NAME}" > /dev/null + az storage container create --name "${AZURE_BLOB_CONTAINER_NAME}" --auth-mode login > /dev/null # if the storage account has public access disabled at the account level this will return 404 - az storage container set-permission --name "${AZURE_BLOB_CONTAINER_NAME}" --public-access container > /dev/null + AZURE_STORAGE_AUTH_MODE=login az storage container set-permission --name "${AZURE_BLOB_CONTAINER_NAME}" --public-access container > /dev/null fi - az storage blob upload --overwrite --container-name "${AZURE_BLOB_CONTAINER_NAME}" --file "${AZURE_CLOUD_PROVIDER_ROOT}/bin/azure-acr-credential-provider" --name "${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/azure-acr-credential-provider" - az storage blob upload --overwrite --container-name "${AZURE_BLOB_CONTAINER_NAME}" --file "${AZURE_CLOUD_PROVIDER_ROOT}/bin/azure-acr-credential-provider.exe" --name "${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/azure-acr-credential-provider.exe" - az storage blob upload --overwrite --container-name "${AZURE_BLOB_CONTAINER_NAME}" --file "${AZURE_CLOUD_PROVIDER_ROOT}/examples/out-of-tree/credential-provider-config.yaml" --name "${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/credential-provider-config.yaml" - az storage blob upload --overwrite --container-name "${AZURE_BLOB_CONTAINER_NAME}" --file "${AZURE_CLOUD_PROVIDER_ROOT}/examples/out-of-tree/credential-provider-config-win.yaml" 
--name "${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/credential-provider-config-win.yaml" + az storage blob upload --overwrite --container-name "${AZURE_BLOB_CONTAINER_NAME}" --file "${AZURE_CLOUD_PROVIDER_ROOT}/bin/azure-acr-credential-provider" --name "${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/azure-acr-credential-provider" --auth-mode login + az storage blob upload --overwrite --container-name "${AZURE_BLOB_CONTAINER_NAME}" --file "${AZURE_CLOUD_PROVIDER_ROOT}/bin/azure-acr-credential-provider.exe" --name "${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/azure-acr-credential-provider.exe" --auth-mode login + az storage blob upload --overwrite --container-name "${AZURE_BLOB_CONTAINER_NAME}" --file "${AZURE_CLOUD_PROVIDER_ROOT}/examples/out-of-tree/credential-provider-config.yaml" --name "${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/credential-provider-config.yaml" --auth-mode login + az storage blob upload --overwrite --container-name "${AZURE_BLOB_CONTAINER_NAME}" --file "${AZURE_CLOUD_PROVIDER_ROOT}/examples/out-of-tree/credential-provider-config-win.yaml" --name "${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/credential-provider-config-win.yaml" --auth-mode login fi } @@ -100,7 +100,7 @@ can_reuse_artifacts() { fi for BINARY in azure-acr-credential-provider azure-acr-credential-provider.exe credential-provider-config.yaml credential-provider-config-win.yaml; do - if [[ "$(az storage blob exists --container-name "${AZURE_BLOB_CONTAINER_NAME}" --name "${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/${BINARY}" --query exists --output tsv)" == "false" ]]; then + if [[ "$(az storage blob exists --container-name "${AZURE_BLOB_CONTAINER_NAME}" --name "${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/${BINARY}" --query exists --output tsv --auth-mode login)" == "false" ]]; then echo "false" && return fi done diff --git a/scripts/ci-build-kubernetes.sh b/scripts/ci-build-kubernetes.sh index f5408a8caee..478780accc1 100755 --- a/scripts/ci-build-kubernetes.sh +++ b/scripts/ci-build-kubernetes.sh 
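Review bot: The container-exists check at the top of this hunk still compares the command's output with `"false"`, so when `az storage container exists` fails under `--auth-mode login` (for example a 403 because the identity lacks a blob data role) the substitution is empty, the comparison is false and the create step is skipped as if the container were present; the same fail-open shape is in the `az storage blob exists` loop of the `@@ -100` hunk below and in the `@@ -77` and `@@ -141` hunks of scripts/ci-build-kubernetes.sh, where an error is presumably reported as "artifacts reusable". Comparing for the positive answer instead routes both a real "false" and an error into the create / not-reusable branch: `if [[ "$(az storage container exists --name "${AZURE_BLOB_CONTAINER_NAME}" --query exists --output tsv --auth-mode login)" != "true" ]]; then`. Separately, the `set-permission` line selects auth via an `AZURE_STORAGE_AUTH_MODE=login` environment prefix while every other call in the patch, including the same command in ci-build-kubernetes.sh, uses `--auth-mode login`; using the flag here too keeps the scripts uniform. `main()` begins outside the hunk.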
@@ -77,10 +77,10 @@ setup() { } main() { - if [[ "$(az storage container exists --name "${AZURE_BLOB_CONTAINER_NAME}" --query exists --output tsv)" == "false" ]]; then + if [[ "$(az storage container exists --name "${AZURE_BLOB_CONTAINER_NAME}" --query exists --output tsv --auth-mode login)" == "false" ]]; then echo "Creating ${AZURE_BLOB_CONTAINER_NAME} storage container" - az storage container create --name "${AZURE_BLOB_CONTAINER_NAME}" > /dev/null - az storage container set-permission --name "${AZURE_BLOB_CONTAINER_NAME}" --public-access container > /dev/null + az storage container create --name "${AZURE_BLOB_CONTAINER_NAME}" --auth-mode login > /dev/null + az storage container set-permission --name "${AZURE_BLOB_CONTAINER_NAME}" --auth-mode login --public-access container > /dev/null fi if [[ "${KUBE_BUILD_CONFORMANCE:-}" =~ [yY] ]]; then @@ -113,7 +113,7 @@ main() { for BINARY in "${BINARIES[@]}"; do BIN_PATH="${KUBE_GIT_VERSION}/bin/linux/amd64/${BINARY}" echo "uploading ${BIN_PATH}" - az storage blob upload --overwrite --container-name "${AZURE_BLOB_CONTAINER_NAME}" --file "${KUBE_ROOT}/_output/dockerized/bin/linux/amd64/${BINARY}" --name "${BIN_PATH}" + az storage blob upload --auth-mode login --overwrite --container-name "${AZURE_BLOB_CONTAINER_NAME}" --file "${KUBE_ROOT}/_output/dockerized/bin/linux/amd64/${BINARY}" --name "${BIN_PATH}" done if [[ "${TEST_WINDOWS:-}" == "true" ]]; then @@ -126,7 +126,7 @@ main() { for BINARY in "${WINDOWS_BINARIES[@]}"; do BIN_PATH="${KUBE_GIT_VERSION}/bin/windows/amd64/${BINARY}.exe" echo "uploading ${BIN_PATH}" - az storage blob upload --overwrite --container-name "${AZURE_BLOB_CONTAINER_NAME}" --file "${KUBE_ROOT}/_output/dockerized/bin/windows/amd64/${BINARY}.exe" --name "${BIN_PATH}" + az storage blob upload --auth-mode login --overwrite --container-name "${AZURE_BLOB_CONTAINER_NAME}" --file "${KUBE_ROOT}/_output/dockerized/bin/windows/amd64/${BINARY}.exe" --name "${BIN_PATH}" done fi fi 
@@ -141,14 +141,14 @@ can_reuse_artifacts() { done for BINARY in "${BINARIES[@]}"; do - if [[ "$(az storage blob exists --container-name "${AZURE_BLOB_CONTAINER_NAME}" --name "${KUBE_GIT_VERSION}/bin/linux/amd64/${BINARY}" --query exists --output tsv)" == "false" ]]; then + if [[ "$(az storage blob exists --auth-mode login --container-name "${AZURE_BLOB_CONTAINER_NAME}" --name "${KUBE_GIT_VERSION}/bin/linux/amd64/${BINARY}" --query exists --output tsv)" == "false" ]]; then echo "false" && return fi done if [[ "${TEST_WINDOWS:-}" == "true" ]]; then for BINARY in "${WINDOWS_BINARIES[@]}"; do - if [[ "$(az storage blob exists --container-name "${AZURE_BLOB_CONTAINER_NAME}" --name "${KUBE_GIT_VERSION}/bin/windows/amd64/${BINARY}.exe" --query exists --output tsv)" == "false" ]]; then + if [[ "$(az storage blob exists --auth-mode login --container-name "${AZURE_BLOB_CONTAINER_NAME}" --name "${KUBE_GIT_VERSION}/bin/windows/amd64/${BINARY}.exe" --query exists --output tsv)" == "false" ]]; then echo "false" && return fi done diff --git a/scripts/kind-with-registry.sh b/scripts/kind-with-registry.sh index 98122a2ad24..e72386a6877 100755 --- a/scripts/kind-with-registry.sh +++ b/scripts/kind-with-registry.sh 
@@ -110,12 +110,12 @@ function checkAZWIENVPreReqsAndCreateFiles() { sleep 5 done echo "Configuring storage account '${AZWI_STORAGE_ACCOUNT}' as static website" - az storage blob service-properties update --account-name "${AZWI_STORAGE_ACCOUNT}" --static-website + az storage blob service-properties update --account-name "${AZWI_STORAGE_ACCOUNT}" --static-website --auth-mode login fi - if ! az storage container show --name "${AZWI_STORAGE_CONTAINER}" --account-name "${AZWI_STORAGE_ACCOUNT}" > /dev/null 2>&1; then + if ! az storage container show --name "${AZWI_STORAGE_CONTAINER}" --account-name "${AZWI_STORAGE_ACCOUNT}" --auth-mode login > /dev/null 2>&1; then echo "Creating storage container '${AZWI_STORAGE_CONTAINER}' in '${AZWI_STORAGE_ACCOUNT}'" - az storage container create --name "${AZWI_STORAGE_CONTAINER}" --account-name "${AZWI_STORAGE_ACCOUNT}" --output none --only-show-errors + az storage container create --name "${AZWI_STORAGE_CONTAINER}" --account-name "${AZWI_STORAGE_ACCOUNT}" --output none --only-show-errors --auth-mode login fi SERVICE_ACCOUNT_ISSUER=$(az storage account show --name "${AZWI_STORAGE_ACCOUNT}" --resource-group "${AZWI_RESOURCE_GROUP}" -o json | jq -r .primaryEndpoints.web) @@ -195,7 +195,8 @@ function upload_to_blob() { --file "${file_path}" \ --name "${blob_name}" \ --account-name "${AZWI_STORAGE_ACCOUNT}" \ - --output none --only-show-errors + --output none --only-show-errors \ + --auth-mode login } # This function create a kind cluster for Workload identity which requires key pairs path
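Review bot: The `az storage container show ... --auth-mode login > /dev/null 2>&1` probe discards stderr, so a data-plane permission denial on the logged-in identity now looks exactly like a missing container and the script proceeds to "Creating storage container", leaving the real cause to be surfaced only by the subsequent create call. Using the same `az storage container exists --query exists --output tsv --auth-mode login` probe as the ci-build scripts and testing its output against `"true"` would keep the not-found path quiet while letting an error reach the log. `checkAZWIENVPreReqsAndCreateFiles` begins outside the hunk.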