From 7be7c5c24c2b2506a837db3cdd47cb73516f7d22 Mon Sep 17 00:00:00 2001
From: bennerv <10840174+bennerv@users.noreply.github.com>
Date: Tue, 5 Nov 2024 21:03:00 -0500
Subject: [PATCH] remove master key authorizer in favor of local auth

---
 hack/db/db.go            | 19 +------------------
 pkg/database/database.go | 18 ------------------
 2 files changed, 1 insertion(+), 36 deletions(-)

diff --git a/hack/db/db.go b/hack/db/db.go
index 8bbf8d2992f..5401e4040a1 100644
--- a/hack/db/db.go
+++ b/hack/db/db.go
@@ -10,8 +10,6 @@ import (
 	"os"
 	"strings"
 
-	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/policy"
-	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/sirupsen/logrus"
 
 	"github.com/Azure/ARO-RP/pkg/database"
@@ -38,11 +36,6 @@ func run(ctx context.Context, log *logrus.Entry) error {
 		return err
 	}
 
-	tokenCredential, err := azidentity.NewAzureCLICredential(nil)
-	if err != nil {
-		return err
-	}
-
 	msiKVAuthorizer, err := _env.NewMSIAuthorizer(_env.Environment().KeyVaultScope)
 	if err != nil {
 		return err
@@ -64,17 +57,7 @@ func run(ctx context.Context, log *logrus.Entry) error {
 		return err
 	}
 
-	dbAccountName := os.Getenv(DatabaseAccountName)
-	clientOptions := &policy.ClientOptions{
-		ClientOptions: _env.Environment().ManagedIdentityCredentialOptions().ClientOptions,
-	}
-	logrusEntry := log.WithField("component", "database")
-	dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, logrusEntry, tokenCredential, clientOptions, _env.SubscriptionID(), _env.ResourceGroup(), dbAccountName)
-	if err != nil {
-		return err
-	}
-
-	dbc, err := database.NewDatabaseClient(log.WithField("component", "database"), _env, dbAuthorizer, &noop.Noop{}, aead, dbAccountName)
+	dbc, err := database.NewDatabaseClientFromEnv(ctx, _env, log, &noop.Noop{}, aead)
 	if err != nil {
 		return err
 	}
diff --git a/pkg/database/database.go b/pkg/database/database.go
index 36f8cb93652..963e79b8e66 100644
--- a/pkg/database/database.go
+++ b/pkg/database/database.go
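Review bot: The new `database.NewDatabaseClientFromEnv(ctx, _env, log, &noop.Noop{}, aead)` call passes the bare `log`, whereas the removed code passed `log.WithField("component", "database")`, so the database client's log lines lose the `component` field unless NewDatabaseClientFromEnv attaches it itself (not visible here); if it does not, pass `log.WithField("component", "database")` as before. Dropping the ARM ListKeys round-trip also changes where authorization failures surface: the master-key path failed at construction if the caller's identity lacked ARM rights on the account, while a token-based client will presumably only fail on the first data-plane request if the local identity has no Cosmos DB role assignment, so a short comment above the call stating which RBAC assignment the operator's identity now needs would save the next person a confusing first error. The body of `run` continues outside the hunk.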
@@ -10,7 +10,6 @@ import (
 	"reflect"
 	"time"
 
-	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/policy"
 	azcorepolicy "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	sdkcosmos "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/cosmos/armcosmos/v2"
 	"github.com/sirupsen/logrus"
@@ -21,7 +20,6 @@ import (
 	"github.com/Azure/ARO-RP/pkg/env"
 	"github.com/Azure/ARO-RP/pkg/metrics"
 	dbmetrics "github.com/Azure/ARO-RP/pkg/metrics/statsd/cosmosdb"
-	"github.com/Azure/ARO-RP/pkg/util/azureclient/azuresdk/armcosmos"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/azuresdk/azcore"
 	"github.com/Azure/ARO-RP/pkg/util/encryption"
 )
@@ -57,22 +55,6 @@ func NewDatabaseClient(log *logrus.Entry, _env env.Core, authorizer cosmosdb.Aut
 	return cosmosdb.NewDatabaseClient(log, c, h, databaseAccountName+"."+_env.Environment().CosmosDBDNSSuffix, authorizer), nil
 }
 
-func NewMasterKeyAuthorizer(ctx context.Context, log *logrus.Entry, token azcore.TokenCredential, clientOptions *policy.ClientOptions, subscriptionID, resourceGroup, databaseAccountName string) (cosmosdb.Authorizer, error) {
-	databaseaccounts, err := armcosmos.NewDatabaseAccountsClient(subscriptionID, token, clientOptions)
-	if err != nil {
-		return nil, err
-	}
-
-	// no options defined in the SDK at the moment, but better than passing a nil.
-	opt := sdkcosmos.DatabaseAccountsClientListKeysOptions{}
-	keys, err := databaseaccounts.ListKeys(ctx, resourceGroup, databaseAccountName, &opt)
-	if err != nil {
-		return nil, err
-	}
-
-	return cosmosdb.NewMasterKeyAuthorizer(getDatabaseKey(keys, log))
-}
-
 func NewTokenAuthorizer(ctx context.Context, log *logrus.Entry, cred azcore.TokenCredential, databaseAccountName string, scopes []string) (cosmosdb.Authorizer, error) {
 	acquireToken := func(contxt context.Context) (token string, newExpiration time.Time, err error) {
 		tk, err := cred.GetToken(contxt, azcorepolicy.TokenRequestOptions{Scopes: scopes})
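Review bot: `getDatabaseKey(keys, log)` is called only from the deleted `NewMasterKeyAuthorizer` in what this diff shows, yet nothing in the hunk removes it; if it has no other caller it is now dead code that keeps an account-key handling path (and, if nothing else uses it, the `sdkcosmos` import left in the first hunk) in the package after the commit's stated goal of dropping master-key auth. Removing it in the same commit would let `go vet`/`staticcheck` confirm that nothing in this package still touches Cosmos DB account keys. `NewMasterKeyAuthorizer` was exported, so a sentence in the commit message pointing any remaining callers at `NewTokenAuthorizer` or `NewDatabaseClientFromEnv` would help. `NewTokenAuthorizer` continues past the end of the hunk.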