feat: add azure-identity go example (#683)
Signed-off-by: Anish Ramasekar <[email protected]>
Showing
7 changed files
with
228 additions
and
7 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
ARG BUILDER=mcr.microsoft.com/oss/go/microsoft/golang:1.19-bullseye | ||
ARG BASEIMAGE=gcr.io/distroless/static:nonroot | ||
|
||
FROM ${BUILDER} as builder | ||
|
||
WORKDIR /workspace | ||
# Copy the Go Modules manifests | ||
COPY go.mod go.mod | ||
COPY go.sum go.sum | ||
# cache deps before building and copying source so that we don't need to re-download as much | ||
# and so that source changes don't invalidate our downloaded layer | ||
RUN go mod download | ||
|
||
# Copy the go source | ||
COPY main.go main.go | ||
|
||
# Build | ||
ARG TARGETARCH | ||
RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} GO111MODULE=on go build -a -o azidgo . | ||
|
||
# Use distroless as minimal base image to package the manager binary | ||
# Refer to https://github.com/GoogleContainerTools/distroless for more details | ||
FROM --platform=${TARGETPLATFORM:-linux/amd64} ${BASEIMAGE} | ||
WORKDIR / | ||
COPY --from=builder /workspace/azidgo . | ||
# Kubernetes runAsNonRoot requires USER to be numeric | ||
USER 65532:65532 | ||
|
||
ENTRYPOINT ["/azidgo"] |
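Review bot: Both default images on the two `ARG` lines at the top are referenced by mutable tag only (`golang:1.19-bullseye`, `static:nonroot`), so a rebuild can silently pick up different builder or runtime content. For an example image that authenticates to Key Vault I would pin each by digest, e.g. `ARG BASEIMAGE=gcr.io/distroless/static:nonroot@sha256:<digest-placeholder>`, and let a dependency bot bump it. Separately, the builder stage has no `--platform`, so under `docker buildx build --platform=linux/arm64` it presumably runs emulated even though `GOARCH=${TARGETARCH}` already cross-compiles; `FROM --platform=$BUILDPLATFORM ${BUILDER} AS builder` would avoid that.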
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
REGISTRY ?= ghcr.io/azure/azure-workload-identity | ||
IMAGE_NAME := azid-go | ||
IMAGE_VERSION ?= latest | ||
|
||
DEMO_IMAGE := $(REGISTRY)/$(IMAGE_NAME):$(IMAGE_VERSION) | ||
|
||
## -------------------------------------- | ||
## Images | ||
## -------------------------------------- | ||
|
||
# Output type of docker buildx build | ||
OUTPUT_TYPE ?= type=registry | ||
|
||
ALL_OS = linux windows | ||
ALL_ARCH.linux = amd64 arm64 | ||
ALL_ARCH.windows = amd64 | ||
ALL_OSVERSIONS.windows := 1809 ltsc2022 | ||
ALL_OS_ARCH.linux = $(foreach arch, ${ALL_ARCH.linux}, linux-$(arch)) | ||
ALL_OS_ARCH.windows = $(foreach osver, ${ALL_OSVERSIONS.windows}, windows-$(osver)-$(foreach arch, ${ALL_ARCH.windows},$(arch))) | ||
ALL_OS_ARCH = $(foreach os, $(ALL_OS), ${ALL_OS_ARCH.${os}}) | ||
|
||
# The architecture of the image | ||
ARCH ?= amd64 | ||
# OS Version for the Windows images: 1809, ltsc2022 | ||
OSVERSION ?= 1809 | ||
|
||
.PHONY: container-linux | ||
container-linux: | ||
docker buildx build \ | ||
--output=$(OUTPUT_TYPE) \ | ||
--platform="linux/$(ARCH)" \ | ||
--tag=$(DEMO_IMAGE)-linux-$(ARCH) . | ||
|
||
.PHONY: container-windows | ||
container-windows: | ||
docker buildx build \ | ||
--build-arg OS_VERSION=$(OSVERSION) \ | ||
--output=$(OUTPUT_TYPE) \ | ||
--platform="windows/$(ARCH)" \ | ||
--file=windows.Dockerfile \ | ||
--tag=$(DEMO_IMAGE)-windows-$(OSVERSION)-$(ARCH) . | ||
|
||
.PHONY: container-all | ||
container-all: | ||
for arch in $(ALL_ARCH.linux); do \ | ||
ARCH=$${arch} $(MAKE) container-linux; \ | ||
done | ||
for osversion in $(ALL_OSVERSIONS.windows); do \ | ||
OSVERSION=$${osversion} $(MAKE) container-windows; \ | ||
done | ||
|
||
.PHONY: push-manifest | ||
push-manifest: | ||
docker manifest create --amend $(DEMO_IMAGE) $(foreach osarch, $(ALL_OS_ARCH), $(DEMO_IMAGE)-${osarch}) | ||
for arch in $(ALL_ARCH.linux); do docker manifest annotate --os linux --arch $${arch} $(DEMO_IMAGE) $(DEMO_IMAGE)-linux-$${arch}; done; \ | ||
set -x; \ | ||
for arch in $(ALL_ARCH.windows); do \ | ||
for osversion in $(ALL_OSVERSIONS.windows); do \ | ||
BASEIMAGE=mcr.microsoft.com/windows/nanoserver:$${osversion}; \ | ||
full_version=`docker manifest inspect $${BASEIMAGE} | jq -r '.manifests[0].platform["os.version"]'`; \ | ||
docker manifest annotate --os windows --arch $${arch} --os-version $${full_version} $(DEMO_IMAGE) $(DEMO_IMAGE)-windows-$${osversion}-$${arch}; \ | ||
done; \ | ||
done; \ | ||
docker manifest push --purge $(DEMO_IMAGE) |
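Review bot: In `push-manifest`, the second recipe line chains everything with `;` and only sets `set -x`, so a failed `docker manifest annotate` does not stop the recipe and `docker manifest push --purge` still publishes a partially annotated manifest list. Start that line with `set -ex; \` (before the first `for`) so a failing step aborts before the push. `set -e` will not catch a failed `docker manifest inspect`, because the substitution's status is `jq`'s; `full_version` is then empty or `null` and is passed unquoted to `--os-version`, so check it explicitly and quote it as `--os-version "$${full_version}"`. `IMAGE_VERSION ?= latest` also makes the default push target a mutable tag.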
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
module github.com/Azure/azure-workload-identity/example/azure-identity/go | ||
|
||
go 1.19 | ||
|
||
require ( | ||
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0-beta.1 | ||
github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.11.0 | ||
k8s.io/klog/v2 v2.80.1 | ||
) | ||
|
||
require ( | ||
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0 // indirect | ||
github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect | ||
github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.0 // indirect | ||
github.com/AzureAD/microsoft-authentication-library-for-go v0.7.0 // indirect | ||
github.com/go-logr/logr v1.2.0 // indirect | ||
github.com/golang-jwt/jwt/v4 v4.4.2 // indirect | ||
github.com/google/uuid v1.1.1 // indirect | ||
github.com/kylelemons/godebug v1.1.0 // indirect | ||
github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 // indirect | ||
golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88 // indirect | ||
golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4 // indirect | ||
golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e // indirect | ||
golang.org/x/text v0.3.7 // indirect | ||
) |
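Review bot: The direct requirement `azidentity v1.3.0-beta.1` is a pre-release and nothing in the file says why; if the beta is needed for workload identity support (my assumption, not visible here), add a comment such as `// beta required for workload identity support; move to the stable release when available`. The indirect `golang.org/x/crypto`, `golang.org/x/net`, `golang.org/x/sys` and `golang.org/x/text` pins carry 2021–2022 pseudo-version dates or old tags, so it is worth running `govulncheck ./...` and bumping them before this example gets copied into real workloads.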
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0 h1:sVW/AFBTGyJxDaMYlq0ct3jUXTtj12tQ6zE2GZUgVQw= | ||
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U= | ||
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0-beta.1 h1:9qTV1dvmnXJ+2yBnNIm2SZZdXbSA+qlhksUq5Er9cTg= | ||
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0-beta.1/go.mod h1:NBanQUfSWiWn3QEpWDTCU0IjBECKOYvl2R8xdRtMtiM= | ||
github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 h1:jp0dGvZ7ZK0mgqnTSClMxa5xuRL7NZgHameVYF6BurY= | ||
github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w= | ||
github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.11.0 h1:82w8tzLcOwDP/Q35j/wEBPt0n0kVC3cjtPdD62G8UAk= | ||
github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.11.0/go.mod h1:S78i9yTr4o/nXlH76bKjGUye9Z2wSxO5Tz7GoDr4vfI= | ||
github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.0 h1:Lg6BW0VPmCwcMlvOviL3ruHFO+H9tZNqscK0AeuFjGM= | ||
github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.0/go.mod h1:9V2j0jn9jDEkCkv8w/bKTNppX/d0FVA1ud77xCIP4KA= | ||
github.com/AzureAD/microsoft-authentication-library-for-go v0.7.0 h1:VgSJlZH5u0k2qxSpqyghcFQKmvYckj46uymKK5XzkBM= | ||
github.com/AzureAD/microsoft-authentication-library-for-go v0.7.0/go.mod h1:BDJ5qMFKx9DugEg3+uQSDCdbYPr5s9vBTrL9P8TpqOU= | ||
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= | ||
github.com/dnaeon/go-vcr v1.1.0 h1:ReYa/UBrRyQdant9B4fNHGoCNKw6qh6P0fsdGmZpR7c= | ||
github.com/go-logr/logr v1.2.0 h1:QK40JKJyMdUDz+h+xvCsru/bJhvG0UxvePV0ufL/AcE= | ||
github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= | ||
github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs= | ||
github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= | ||
github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY= | ||
github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= | ||
github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= | ||
github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= | ||
github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 h1:Qj1ukM4GlMWXNdMBuXcXfz/Kw9s1qm0CLY32QxuSImI= | ||
github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4/go.mod h1:N6UoU20jOqggOuDwUaBQpluzLNDqif3kq9z2wpdYEfQ= | ||
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= | ||
github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= | ||
golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88 h1:Tgea0cVUD0ivh5ADBX4WwuI12DUd2to3nCYe2eayMIw= | ||
golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= | ||
golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4 h1:HVyaeDAYux4pnY+D/SiwmLOR36ewZ4iGQIIrtnuCjFA= | ||
golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= | ||
golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e h1:fLOSk5Q00efkSvAm+4xcoXD+RRmLmmulPn5I3Y9F2EM= | ||
golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= | ||
golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= | ||
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= | ||
gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= | ||
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo= | ||
k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4= | ||
k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
package main | ||
|
||
import ( | ||
"context" | ||
"os" | ||
|
||
"github.com/Azure/azure-sdk-for-go/sdk/azidentity" | ||
"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets" | ||
"k8s.io/klog/v2" | ||
) | ||
|
||
func main() { | ||
keyvaultURL := os.Getenv("KEYVAULT_URL") | ||
secretName := os.Getenv("SECRET_NAME") | ||
|
||
// create a secret client with the default credential | ||
// DefaultAzureCredential will use the environment variables injected by the Azure Workload Identity | ||
// mutating webhook to authenticate with Azure Key Vault. | ||
|
||
cred, err := azidentity.NewDefaultAzureCredential(nil) | ||
if err != nil { | ||
klog.Fatal(err) | ||
} | ||
client, err := azsecrets.NewClient(keyvaultURL, cred, nil) | ||
if err != nil { | ||
klog.Fatal(err) | ||
} | ||
|
||
secretBundle, err := client.GetSecret(context.Background(), secretName, "", nil) | ||
if err != nil { | ||
klog.ErrorS(err, "failed to get secret from keyvault", "keyvault", keyvaultURL, "secretName", secretName) | ||
os.Exit(1) | ||
} | ||
klog.InfoS("successfully got secret", "secret", *secretBundle.Value) | ||
} |
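Review bot: The last statement of `main` writes the secret's value to the log, `klog.InfoS("successfully got secret", "secret", *secretBundle.Value)`, so anyone who can read pod logs or the cluster's log pipeline can read the Key Vault secret, and an example like this tends to be copied as-is. Log only non-sensitive identifiers instead: `klog.InfoS("successfully got secret", "keyvault", keyvaultURL, "secretName", secretName)`. The same line dereferences `secretBundle.Value` without a nil check, and `KEYVAULT_URL` / `SECRET_NAME` are used without checking that they are set, so a misconfigured pod fails with a less direct error than an explicit check would give.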
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
ARG BUILDER=mcr.microsoft.com/oss/go/microsoft/golang:1.19-bullseye | ||
ARG SERVERCORE_CACHE=gcr.io/k8s-staging-e2e-test-images/windows-servercore-cache:1.0-linux-amd64-${OS_VERSION:-1809} | ||
ARG BASEIMAGE=mcr.microsoft.com/windows/nanoserver:${OS_VERSION:-1809} | ||
|
||
FROM --platform=linux/amd64 ${BUILDER} as builder | ||
|
||
WORKDIR /workspace | ||
# Copy the Go Modules manifests | ||
COPY go.mod go.mod | ||
COPY go.sum go.sum | ||
# cache deps before building and copying source so that we don't need to re-download as much | ||
# and so that source changes don't invalidate our downloaded layer | ||
RUN go mod download | ||
|
||
# Copy the go source | ||
COPY main.go main.go | ||
|
||
# Build | ||
RUN CGO_ENABLED=0 GOOS=windows GO111MODULE=on go build -a -o azidgo.exe . | ||
|
||
FROM --platform=linux/amd64 ${SERVERCORE_CACHE} as core | ||
|
||
FROM --platform=${TARGETPLATFORM:-windows/amd64} ${BASEIMAGE} | ||
WORKDIR / | ||
COPY --from=builder /workspace/azidgo.exe . | ||
COPY --from=core /Windows/System32/netapi32.dll /Windows/System32/netapi32.dll | ||
USER ContainerAdministrator | ||
|
||
ENTRYPOINT [ "/azidgo.exe" ] |
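Review bot: The final stage runs the binary as `USER ContainerAdministrator`, while the Linux image in this same commit runs as the non-root `65532:65532`; nothing visible here needs administrator rights at runtime. Unless something outside this hunk requires it, switch the runtime user to `USER ContainerUser`. Two further points on the `ARG` lines: `${OS_VERSION:-1809}` is expanded without a preceding `ARG OS_VERSION`, so `--build-arg OS_VERSION=ltsc2022` may not be picked up and the default 1809 images used instead (please confirm, and add `ARG OS_VERSION=1809` as the first line if so); and `SERVERCORE_CACHE`, the source of the `netapi32.dll` copied into the image, comes from a staging registry by mutable tag, so pinning it by digest (`@sha256:<digest-placeholder>`) would be safer.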