Merge pull request #9851 from rna-afk/azure_user_delegated_sas

OCPBUGS-37587: Sign blob container using user delegated creds

Author: openshift-merge-bot[bot]

data/data/install.openshift.io_installconfigs.yaml

@@ -5474,6 +5474,12 @@ spec:
               azure:
                 description: Azure is the configuration used when installing on Azure.
                 properties:
+                  allowSharedKeyAccess:
+                    description: |-
+                      AllowSharedKeyAccess specifies if shared access key should be enabled for the storage account.
+                      Default value is true.
+                      Disabling this will require a new permission "Storage Blob Data Contributor" in azure.
+                    type: boolean
                   armEndpoint:
                     description: ARMEndpoint is the endpoint for the Azure API when
                       installing on Azure Stack.

pkg/explain/printer_test.go

@@ -315,6 +315,11 @@ cluster itself may not include these tags.
 	}, {
 		path: []string{"platform", "azure"},
 		desc: `FIELDS:
+    allowSharedKeyAccess <boolean>
+      AllowSharedKeyAccess specifies if shared access key should be enabled for the storage account.
+Default value is true.
+Disabling this will require a new permission "Storage Blob Data Contributor" in azure.
+
     armEndpoint <string>
       ARMEndpoint is the endpoint for the Azure API when installing on Azure Stack.
 

pkg/infrastructure/azure/azure.go

@@ -16,6 +16,8 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v4"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v2"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage"
+	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/sas"
+	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/service"
 	"github.com/coreos/stream-metadata-go/arch"
 	"github.com/sirupsen/logrus"
 	corev1 "k8s.io/api/core/v1"
@@ -104,8 +106,8 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
 	installConfig := in.InstallConfig.Config
 	platform := installConfig.Platform.Azure
 	subscriptionID := session.Credentials.SubscriptionID
-	cloudConfiguration := session.CloudConfig
-	tokenCredential := session.TokenCreds
+	p.CloudConfiguration = session.CloudConfig
+	p.TokenCredential = session.TokenCreds
 	p.ResourceGroupName = platform.ClusterResourceGroupName(in.InfraID)
 
 	userTags := platform.UserTags
@@ -118,15 +120,15 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
 
 	opts := &arm.ClientOptions{
 		ClientOptions: policy.ClientOptions{
-			Cloud: cloudConfiguration,
+			Cloud: p.CloudConfiguration,
 		},
 	}
 	computeClientOpts := opts
 	if platform.CloudName == aztypes.StackCloud {
 		opts.APIVersion = stackAPIVersion
 		computeClientOpts = &arm.ClientOptions{
 			ClientOptions: policy.ClientOptions{
-				Cloud:      cloudConfiguration,
+				Cloud:      p.CloudConfiguration,
 				APIVersion: stackComputeAPIVersion,
 			},
 		}
@@ -139,7 +141,7 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
 		region:            platform.Region,
 		resourceGroupName: p.ResourceGroupName,
 		subscriptionID:    subscriptionID,
-		tokenCredential:   tokenCredential,
+		tokenCredential:   p.TokenCredential,
 		infraID:           in.InfraID,
 		clientOpts:        p.clientOptions,
 		tags:              p.Tags,
@@ -153,7 +155,7 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
 
 	// Creating a dummy nsg for existing vnets installation to appease the ingress operator.
 	if in.InstallConfig.Config.Azure.VirtualNetwork != "" {
-		networkClientFactory, err := armnetwork.NewClientFactory(subscriptionID, tokenCredential, p.clientOptions)
+		networkClientFactory, err := armnetwork.NewClientFactory(subscriptionID, p.TokenCredential, p.clientOptions)
 		if err != nil {
 			return fmt.Errorf("failed to create azure network factory: %w", err)
 		}
@@ -229,20 +231,26 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
 	var storageClientFactory *armstorage.ClientFactory
 	var storageAccountKeys []armstorage.AccountKey
 
+	sharedKey := true
+	if in.InstallConfig.Config.Azure.AllowSharedKeyAccess != nil {
+		sharedKey = *in.InstallConfig.Config.Azure.AllowSharedKeyAccess
+	}
+
 	var createStorageAccountOutput *CreateStorageAccountOutput
 	if platform.CloudName != aztypes.StackCloud {
 		// Create storage account
 		createStorageAccountOutput, err = CreateStorageAccount(ctx, &CreateStorageAccountInput{
-			SubscriptionID:     subscriptionID,
-			ResourceGroupName:  resourceGroupName,
-			StorageAccountName: storageAccountName,
-			CloudName:          platform.CloudName,
-			Region:             platform.Region,
-			AuthType:           session.AuthType,
-			Tags:               tags,
-			CustomerManagedKey: platform.CustomerManagedKey,
-			TokenCredential:    tokenCredential,
-			ClientOpts:         p.clientOptions,
+			SubscriptionID:       subscriptionID,
+			ResourceGroupName:    resourceGroupName,
+			StorageAccountName:   storageAccountName,
+			CloudName:            platform.CloudName,
+			Region:               platform.Region,
+			AuthType:             session.AuthType,
+			AllowSharedKeyAccess: sharedKey,
+			Tags:                 tags,
+			CustomerManagedKey:   platform.CustomerManagedKey,
+			TokenCredential:      p.TokenCredential,
+			ClientOpts:           p.clientOptions,
 		})
 		if err != nil {
 			return err
@@ -275,13 +283,16 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
 		logrus.Debugf("BlobContainer.ID=%s", *blobContainer.ID)
 
 		_, err = CreatePageBlob(ctx, &CreatePageBlobInput{
-			StorageURL:         storageURL,
-			BlobURL:            blobURL,
-			ImageURL:           imageURL,
-			ImageLength:        imageLength,
-			StorageAccountName: storageAccountName,
-			StorageAccountKeys: storageAccountKeys,
-			ClientOpts:         p.clientOptions,
+			StorageURL:           storageURL,
+			BlobURL:              blobURL,
+			ImageURL:             imageURL,
+			ImageLength:          imageLength,
+			CloudEnvironment:     in.InstallConfig.Azure.CloudName,
+			AllowSharedKeyAccess: sharedKey,
+			TokenCredential:      session.TokenCreds,
+			StorageAccountName:   storageAccountName,
+			StorageAccountKeys:   storageAccountKeys,
+			ClientOpts:           p.clientOptions,
 		})
 		if err != nil {
 			return err
@@ -294,7 +305,7 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
 			GalleryName:       galleryName,
 			Region:            platform.Region,
 			Tags:              tags,
-			TokenCredential:   tokenCredential,
+			TokenCredential:   p.TokenCredential,
 			ClientOpts:        p.clientOptions,
 		})
 		if err != nil {
@@ -313,7 +324,7 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
 			Offer:                "rhcos",
 			SKU:                  "basic",
 			Tags:                 tags,
-			TokenCredential:      tokenCredential,
+			TokenCredential:      p.TokenCredential,
 			ClientOpts:           p.clientOptions,
 			Architecture:         architecture,
 			OSType:               armcompute.OperatingSystemTypesLinux,
@@ -339,7 +350,7 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
 			Offer:                "rhcos-gen2",
 			SKU:                  "gen2",
 			Tags:                 tags,
-			TokenCredential:      tokenCredential,
+			TokenCredential:      p.TokenCredential,
 			ClientOpts:           p.clientOptions,
 			Architecture:         architecture,
 			OSType:               armcompute.OperatingSystemTypesLinux,
@@ -385,7 +396,7 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
 	}
 
 	if installConfig.Azure.CloudName == aztypes.StackCloud {
-		client, err := armcompute.NewImagesClient(subscriptionID, tokenCredential, p.computeClientOptions)
+		client, err := armcompute.NewImagesClient(subscriptionID, p.TokenCredential, p.computeClientOptions)
 		if err != nil {
 			return fmt.Errorf("error creating stack managed images client: %w", err)
 		}
@@ -423,7 +434,6 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
 		lbClient: lbClient,
 		tags:     p.Tags,
 	}
-
 	intLoadBalancer, err := updateInternalLoadBalancer(ctx, lbInput)
 	if err != nil {
 		return fmt.Errorf("failed to update internal load balancer: %w", err)
@@ -756,25 +766,51 @@ func (p Provider) Ignition(ctx context.Context, in clusterapi.IgnitionInput) ([]
 	}
 
 	sasURL := ""
+	now := time.Now().UTC().Add(-10 * time.Second)
+	expiry := now.Add(1 * time.Hour)
+	info := service.KeyInfo{
+		Start:  to.Ptr(now.UTC().Format(sas.TimeFormat)),
+		Expiry: to.Ptr(expiry.UTC().Format(sas.TimeFormat)),
+	}
+
+	serviceClient, err := service.NewClient(fmt.Sprintf("https://%s.blob.%s/", p.StorageAccountName, session.Environment.StorageEndpointSuffix),
+		session.TokenCreds,
+		&service.ClientOptions{
+			ClientOptions: azcore.ClientOptions{
+				Cloud: p.CloudConfiguration,
+			},
+		},
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create service client: %w", err)
+	}
+
+	sharedKey := true
+	if in.InstallConfig.Config.Azure.AllowSharedKeyAccess != nil {
+		sharedKey = *in.InstallConfig.Config.Azure.AllowSharedKeyAccess
+	}
 
 	if in.InstallConfig.Config.Azure.CustomerManagedKey == nil {
 		logrus.Debugf("Creating a Block Blob for ignition shim")
 		sasURL, err = CreateBlockBlob(ctx, &CreateBlockBlobInput{
-			StorageURL:         p.StorageURL,
-			BlobURL:            blobURL,
-			StorageAccountName: p.StorageAccountName,
-			StorageAccountKeys: p.StorageAccountKeys,
-			ClientOpts:         p.clientOptions,
-			BootstrapIgnData:   ignOutput.UpdatedBootstrapIgn,
-			CloudEnvironment:   in.InstallConfig.Azure.CloudName,
-			ContainerName:      ignitionContainerName,
-			BlobName:           blobName,
-			StorageSuffix:      session.Environment.StorageEndpointSuffix,
-			ARMEndpoint:        in.InstallConfig.Azure.ARMEndpoint,
-			Session:            session,
-			Region:             in.InstallConfig.Config.Azure.Region,
-			Tags:               p.Tags,
-			ResourceGroupName:  p.ResourceGroupName,
+			StorageURL:           p.StorageURL,
+			BlobURL:              blobURL,
+			AuthType:             session.AuthType,
+			TokenCredential:      session.TokenCreds,
+			StorageAccountName:   p.StorageAccountName,
+			StorageAccountKeys:   p.StorageAccountKeys,
+			AllowSharedKeyAccess: sharedKey,
+			ClientOpts:           p.clientOptions,
+			BootstrapIgnData:     ignOutput.UpdatedBootstrapIgn,
+			CloudEnvironment:     in.InstallConfig.Azure.CloudName,
+			ContainerName:        ignitionContainerName,
+			BlobName:             blobName,
+			StorageSuffix:        session.Environment.StorageEndpointSuffix,
+			ARMEndpoint:          in.InstallConfig.Azure.ARMEndpoint,
+			Session:              session,
+			Region:               in.InstallConfig.Config.Azure.Region,
+			Tags:                 p.Tags,
+			ResourceGroupName:    p.ResourceGroupName,
 		})
 		if err != nil {
 			return nil, fmt.Errorf("failed to create BlockBlob for ignition shim: %w", err)
@@ -787,19 +823,40 @@ func (p Provider) Ignition(ctx context.Context, in clusterapi.IgnitionInput) ([]
 		}
 
 		sasURL, err = CreatePageBlob(ctx, &CreatePageBlobInput{
-			StorageURL:         p.StorageURL,
-			BlobURL:            blobURL,
-			ImageURL:           "",
-			StorageAccountName: p.StorageAccountName,
-			BootstrapIgnData:   ignOutput.UpdatedBootstrapIgn,
-			ImageLength:        lengthBootstrapFile,
-			StorageAccountKeys: p.StorageAccountKeys,
-			ClientOpts:         p.clientOptions,
+			StorageURL:           p.StorageURL,
+			BlobURL:              blobURL,
+			ImageURL:             "",
+			CloudEnvironment:     in.InstallConfig.Azure.CloudName,
+			AllowSharedKeyAccess: sharedKey,
+			TokenCredential:      session.TokenCreds,
+			StorageAccountName:   p.StorageAccountName,
+			BootstrapIgnData:     ignOutput.UpdatedBootstrapIgn,
+			ImageLength:          lengthBootstrapFile,
+			StorageAccountKeys:   p.StorageAccountKeys,
+			ClientOpts:           p.clientOptions,
 		})
 		if err != nil {
 			return nil, fmt.Errorf("failed to create PageBlob for ignition shim: %w", err)
 		}
 	}
+	if sasURL == "" && !sharedKey {
+		udc, err := serviceClient.GetUserDelegationCredential(context.Background(), info, nil)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create user delegation credentials: %w", err)
+		}
+		sasQueryParams, err := sas.BlobSignatureValues{
+			Protocol:      sas.ProtocolHTTPS,
+			StartTime:     time.Now().UTC().Add(time.Second * -10),
+			ExpiryTime:    time.Now().UTC().Add(1 * time.Hour),
+			Permissions:   to.Ptr(sas.ContainerPermissions{Read: true}).String(),
+			ContainerName: "ignition",
+			BlobName:      blobName,
+		}.SignWithUserDelegation(udc)
+		if err != nil {
+			return nil, fmt.Errorf("failed to sign blob %s: %w", blobURL, err)
+		}
+		sasURL = fmt.Sprintf("https://%s.blob.%s/ignition/%s?%s", p.StorageAccountName, session.Environment.StorageEndpointSuffix, blobName, sasQueryParams.Encode())
+	}
 	ignShim, err := bootstrap.GenerateIgnitionShimWithCertBundleAndProxy(sasURL, in.InstallConfig.Config.AdditionalTrustBundle, in.InstallConfig.Config.Proxy)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create ignition shim: %w", err)