Jonmv/assume azure services #2634

Merged
merged 12 commits into from
Jun 5, 2024

@jonmv (Contributor) commented May 31, 2024

Description

The work in this PR consists of three main contributions, where the first enables the other two:

  1. Integration with Azure's user managed identities, allowing ZTS to obtain access tokens for these.
  2. Allowing Azure access tokens to be obtained based on Athenz identities, specifically, Athenz roles map to Azure identities.
  3. Using an Azure-client identity assigned to the Azure instance provider, allowing ZTS to run this as an internal component.

Contribution Checklist:

  • The pull request does not introduce any breaking changes – Yes, it does, in fact, but it was assumed the InstanceAzureProvider was not in use by others. This is the only breaking change.
  • I have read the contribution guidelines.
  • Create an issue and link to the pull request. – I have not created an issue for this, but the work follows discussions with the maintainers. I can create an issue if this is desired.

jonmv added 11 commits May 31, 2024 11:39
Signed-off-by: jonmv <venstad@gmail.com>
libs/go/zmscli/cli.go (resolved)
}
}

@Override
public void close() {
/* For some reason, the close method is called after each confirmInstance, but the provider is reused, so we can't actually close it.
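
Review bot: the comment in close() records a lifecycle mismatch instead of resolving it: it says close is called after each confirmInstance while the provider is reused, so the method cannot actually close anything. Either drop the override if the inherited close() is already a no-op, or have whichever component owns the reused provider call close exactly once at shutdown, so that anything the provider holds is released deterministically. "For some reason" should also be replaced with the actual cause once it is known, since a future reader cannot tell from this comment whether skipping the close is safe.
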
Collaborator

Can you please open up an issue for this? It doesn't look right and we need to fix it.

Contributor Author

It's because the InstanceAzureProvider used to be an HTTP-type provider, and those are created (and closed) for each request. I think I'll just remove the close here (the default method is empty).

Signed-off-by: jonmv <venstad@gmail.com>
@havetisyan merged commit 2c55452 into AthenZ:master on Jun 5, 2024
1 check passed