fluxcd
diff --git a/‎auth/azure/new_default_azure_credential.go‎
Lines changed: 91 additions & 0 deletions b/‎auth/azure/new_default_azure_credential.go‎
Lines changed: 91 additions & 0 deletions
diff --git a/‎auth/azure/options.go‎
Lines changed: 79 additions & 0 deletions b/‎auth/azure/options.go‎
Lines changed: 79 additions & 0 deletions
diff --git a/‎auth/azure/provider.go‎
Lines changed: 189 additions & 0 deletions b/‎auth/azure/provider.go‎
Lines changed: 189 additions & 0 deletions
@@ -0,0 +1,91 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package azure
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+)
+
+// NewDefaultAzureCredential is like azidentity.NewDefaultAzureCredential, but
+// does not call azidentity.NewAzureCLICredential().
+func NewDefaultAzureCredential(options *azidentity.DefaultAzureCredentialOptions) (azcore.TokenCredential, error) {
+	var (
+		azureClientID           = "AZURE_CLIENT_ID"
+		azureFederatedTokenFile = "AZURE_FEDERATED_TOKEN_FILE"
+		azureAuthorityHost      = "AZURE_AUTHORITY_HOST"
+		azureTenantID           = "AZURE_TENANT_ID"
+	)
+
+	var errorMessages []string
+
+	envCred, err := azidentity.NewEnvironmentCredential(&azidentity.EnvironmentCredentialOptions{
+		ClientOptions: options.ClientOptions, DisableInstanceDiscovery: options.DisableInstanceDiscovery},
+	)
+	if err == nil {
+		return envCred, nil
+	} else {
+		errorMessages = append(errorMessages, "EnvironmentCredential: "+err.Error())
+	}
+
+	// workload identity requires values for AZURE_AUTHORITY_HOST, AZURE_CLIENT_ID, AZURE_FEDERATED_TOKEN_FILE, AZURE_TENANT_ID
+	haveWorkloadConfig := false
+	clientID, haveClientID := os.LookupEnv(azureClientID)
+	if haveClientID {
+		if file, ok := os.LookupEnv(azureFederatedTokenFile); ok {
+			if _, ok := os.LookupEnv(azureAuthorityHost); ok {
+				if tenantID, ok := os.LookupEnv(azureTenantID); ok {
+					haveWorkloadConfig = true
+					workloadCred, err := azidentity.NewWorkloadIdentityCredential(&azidentity.WorkloadIdentityCredentialOptions{
+						ClientID:                 clientID,
+						TenantID:                 tenantID,
+						TokenFilePath:            file,
+						ClientOptions:            options.ClientOptions,
+						DisableInstanceDiscovery: options.DisableInstanceDiscovery,
+					})
+					if err == nil {
+						return workloadCred, nil
+					} else {
+						errorMessages = append(errorMessages, "Workload Identity"+": "+err.Error())
+					}
+				}
+			}
+		}
+	}
+	if !haveWorkloadConfig {
+		err := errors.New("missing environment variables for workload identity. Check webhook and pod configuration")
+		errorMessages = append(errorMessages, fmt.Sprintf("Workload Identity: %s", err))
+	}
+
+	o := &azidentity.ManagedIdentityCredentialOptions{ClientOptions: options.ClientOptions}
+	if haveClientID {
+		o.ID = azidentity.ClientID(clientID)
+	}
+	miCred, err := azidentity.NewManagedIdentityCredential(o)
+	if err == nil {
+		return miCred, nil
+	} else {
+		errorMessages = append(errorMessages, "ManagedIdentity"+": "+err.Error())
+	}
+
+	return nil, errors.New(strings.Join(errorMessages, "\n"))
+}
@@ -0,0 +1,79 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package azure
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
+	corev1 "k8s.io/api/core/v1"
+
+	"github.com/fluxcd/pkg/auth"
+)
+
+func getIdentity(serviceAccount corev1.ServiceAccount) (string, error) {
+	tenantID, err := getTenantID(serviceAccount)
+	if err != nil {
+		return "", err
+	}
+	clientID, err := getClientID(serviceAccount)
+	if err != nil {
+		return "", err
+	}
+	return fmt.Sprintf("%s/%s", tenantID, clientID), nil
+}
+
+func getTenantID(serviceAccount corev1.ServiceAccount) (string, error) {
+	if tenantID, ok := serviceAccount.Annotations["azure.workload.identity/tenant-id"]; ok {
+		return tenantID, nil
+	}
+	if tenantID := os.Getenv("AZURE_TENANT_ID"); tenantID != "" {
+		return tenantID, nil
+	}
+	return "", fmt.Errorf("azure tenant ID not found in the service account annotations nor in the environment variable AZURE_TENANT_ID")
+}
+
+func getClientID(serviceAccount corev1.ServiceAccount) (string, error) {
+	if clientID, ok := serviceAccount.Annotations["azure.workload.identity/client-id"]; ok {
+		return clientID, nil
+	}
+	return "", fmt.Errorf("azure client ID not found in the service account annotations")
+}
+
+func getScopes(o *auth.Options) []string {
+	if o.ArtifactRepository == "" {
+		return o.Scopes
+	}
+
+	var conf *cloud.Configuration
+	switch {
+	case strings.HasSuffix(o.ArtifactRepository, ".azurecr.cn"):
+		conf = &cloud.AzureChina
+	case strings.HasSuffix(o.ArtifactRepository, ".azurecr.us"):
+		conf = &cloud.AzureGovernment
+	default:
+		conf = &cloud.AzurePublic
+	}
+
+	return []string{conf.Services[cloud.ResourceManager].Endpoint + "/" + ".default"}
+}
+
+func getACRHost(artifactRepository string) string {
+	return strings.SplitN(artifactRepository, "/", 2)[0]
+}
@@ -0,0 +1,189 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package azure
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/url"
+	"path"
+	"strings"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/golang-jwt/jwt/v5"
+	corev1 "k8s.io/api/core/v1"
+
+	"github.com/fluxcd/pkg/auth"
+)
+
+// ProviderName is the name of the Azure authentication provider.
+const ProviderName = "azure"
+
+// Provider implements the auth.Provider interface for Azure authentication.
+type Provider struct{}
+
+// GetName implements auth.Provider.
+func (Provider) GetName() string {
+	return ProviderName
+}
+
+// NewDefaultToken implements auth.Provider.
+func (Provider) NewDefaultToken(ctx context.Context, opts ...auth.Option) (auth.Token, error) {
+	var o auth.Options
+	o.Apply(opts...)
+
+	azOpts := &azidentity.DefaultAzureCredentialOptions{}
+
+	if hc := o.GetHTTPClient(); hc != nil {
+		azOpts.Transport = hc
+	}
+
+	cred, err := NewDefaultAzureCredential(azOpts)
+	if err != nil {
+		return nil, err
+	}
+	token, err := cred.GetToken(ctx, policy.TokenRequestOptions{
+		Scopes: getScopes(&o),
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return &Token{token}, nil
+}
+
+// GetAudience implements auth.Provider.
+func (Provider) GetAudience(context.Context, corev1.ServiceAccount) (string, error) {
+	return "api://AzureADTokenExchange", nil
+}
+
+// GetIdentity implements auth.Provider.
+func (Provider) GetIdentity(serviceAccount corev1.ServiceAccount) (string, error) {
+	return getIdentity(serviceAccount)
+}
+
+// NewTokenForServiceAccount implements auth.Provider.
+func (Provider) NewTokenForServiceAccount(ctx context.Context, oidcToken string,
+	serviceAccount corev1.ServiceAccount, opts ...auth.Option) (auth.Token, error) {
+
+	var o auth.Options
+	o.Apply(opts...)
+
+	identity, err := getIdentity(serviceAccount)
+	if err != nil {
+		return nil, err
+	}
+	s := strings.Split(identity, "/")
+	tenantID, clientID := s[0], s[1]
+
+	azOpts := &azidentity.ClientAssertionCredentialOptions{}
+
+	if hc := o.GetHTTPClient(); hc != nil {
+		azOpts.Transport = hc
+	}
+
+	cred, err := azidentity.NewClientAssertionCredential(tenantID, clientID, func(context.Context) (string, error) {
+		return oidcToken, nil
+	}, azOpts)
+	if err != nil {
+		return nil, err
+	}
+	token, err := cred.GetToken(ctx, policy.TokenRequestOptions{
+		Scopes: getScopes(&o),
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return &Token{token}, nil
+}
+
+// GetArtifactCacheKey implements auth.Provider.
+func (Provider) GetArtifactCacheKey(artifactRepository string) string {
+	return getACRHost(artifactRepository)
+}
+
+// NewArtifactRegistryToken implements auth.Provider.
+func (Provider) NewArtifactRegistryToken(ctx context.Context, artifactRepository string,
+	accessToken auth.Token, opts ...auth.Option) (auth.Token, error) {
+
+	t := accessToken.(*Token)
+
+	var o auth.Options
+	o.Apply(opts...)
+
+	// Build request.
+	registryURL := artifactRepository
+	if !strings.HasPrefix(artifactRepository, "http") {
+		registryURL = fmt.Sprintf("https://%s", getACRHost(artifactRepository))
+	}
+	exchangeURL, err := url.Parse(registryURL)
+	if err != nil {
+		return nil, err
+	}
+	exchangeURL.Path = path.Join(exchangeURL.Path, "oauth2/exchange")
+	parameters := url.Values{}
+	parameters.Add("grant_type", "access_token")
+	parameters.Add("service", exchangeURL.Hostname())
+	parameters.Add("access_token", t.Token)
+	body := strings.NewReader(parameters.Encode())
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, exchangeURL.String(), body)
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	// Send request.
+	httpClient := http.DefaultClient
+	if hc := o.GetHTTPClient(); hc != nil {
+		httpClient = hc
+	}
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	// Parse response.
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("unexpected status from ACR exchange request: %d", resp.StatusCode)
+	}
+	var tokenResp struct {
+		RefreshToken string `json:"refresh_token"`
+	}
+	if err := json.NewDecoder(resp.Body).Decode(&tokenResp); err != nil {
+		return nil, err
+	}
+	var claims jwt.MapClaims
+	if _, _, err := jwt.NewParser().ParseUnverified(tokenResp.RefreshToken, &claims); err != nil {
+		return nil, err
+	}
+	expiry, err := claims.GetExpirationTime()
+	if err != nil {
+		return nil, err
+	}
+
+	return &auth.ArtifactRegistryCredentials{
+		// https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#az-acr-login-with---expose-token
+		Username:  "00000000-0000-0000-0000-000000000000",
+		Password:  tokenResp.RefreshToken,
+		ExpiresAt: expiry.Time,
+	}, nil
+}