feat: add azure-identity node example (#580)

Signed-off-by: Anish Ramasekar <[email protected]>
Azure · Oct 4, 2022 · 8aadc8f · 8aadc8f
1 parent d3ea1dc
commit 8aadc8f
Show file tree

Hide file tree

Showing 8 changed files with 1,075 additions and 5 deletions.
diff --git a/docs/book/src/topics/language-specific-examples/azure-identity-sdk.md b/docs/book/src/topics/language-specific-examples/azure-identity-sdk.md
@@ -14,6 +14,7 @@ The following client libraries are the **minimum** version required
 
 ### Using `DefaultAzureCredential`
 
-| Language | Library                                                               | Example                                                                                           |
-| -------- | --------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- |
-| Python   | [azure-sdk-for-python](https://github.com/Azure/azure-sdk-for-python) | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/azure-identity/python) |
+| Language              | Library                                                               | Example                                                                                           |
+| --------------------- | --------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- |
+| Python                | [azure-sdk-for-python](https://github.com/Azure/azure-sdk-for-python) | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/azure-identity/python) |
+| JavaScript/TypeScript | [azure-sdk-for-js](https://github.com/Azure/azure-sdk-for-js)         | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/azure-identity/node)   |
diff --git a/examples/azure-identity/node/.gitignore b/examples/azure-identity/node/.gitignore
@@ -0,0 +1 @@
+node_modules/
diff --git a/examples/azure-identity/node/Dockerfile b/examples/azure-identity/node/Dockerfile
@@ -0,0 +1,15 @@
+ARG BUILDER=mcr.microsoft.com/cbl-mariner/base/nodejs:16
+ARG BASEIMAGE=mcr.microsoft.com/mirror/gcr/distroless/nodejs-debian11:16
+
+# ref: https://github.com/GoogleContainerTools/distroless/blob/main/examples/nodejs/Dockerfile
+FROM ${BUILDER} AS build-env
+ADD . /app
+WORKDIR /app
+RUN npm install
+
+FROM ${BASEIMAGE}
+COPY --from=build-env /app /app
+WORKDIR /app
+# Kubernetes runAsNonRoot requires USER to be numeric
+USER 65532:65532
+CMD ["index.js"]
diff --git a/examples/azure-identity/node/Makefile b/examples/azure-identity/node/Makefile
@@ -0,0 +1,39 @@
+REGISTRY ?= ghcr.io/azure/azure-workload-identity
+IMAGE_NAME := azid-node
+IMAGE_VERSION ?= latest
+
+DEMO_IMAGE := $(REGISTRY)/$(IMAGE_NAME):$(IMAGE_VERSION)
+
+## --------------------------------------
+## Images
+## --------------------------------------
+
+# Output type of docker buildx build
+OUTPUT_TYPE ?= type=registry
+
+ALL_OS = linux
+ALL_ARCH.linux = amd64 arm64
+ALL_OS_ARCH.linux = $(foreach arch, ${ALL_ARCH.linux}, linux-$(arch))
+ALL_OS_ARCH = $(foreach os, $(ALL_OS), ${ALL_OS_ARCH.${os}})
+
+# The architecture of the image
+ARCH ?= amd64
+
+.PHONY: container-linux
+container-linux:
+	docker buildx build \
+		--output=$(OUTPUT_TYPE) \
+		--platform="linux/$(ARCH)" \
+		--tag=$(DEMO_IMAGE)-linux-$(ARCH) .
+
+.PHONY: container-all
+container-all:
+	for arch in $(ALL_ARCH.linux); do \
+		ARCH=$${arch} $(MAKE) container-linux; \
+	done
+
+.PHONY: push-manifest
+push-manifest:
+	docker manifest create --amend $(DEMO_IMAGE) $(foreach osarch, $(ALL_OS_ARCH), $(DEMO_IMAGE)-${osarch})
+	for arch in $(ALL_ARCH.linux); do docker manifest annotate --os linux --arch $${arch} $(DEMO_IMAGE) $(DEMO_IMAGE)-linux-$${arch}; done; \
+	docker manifest push --purge $(DEMO_IMAGE)
diff --git a/examples/azure-identity/node/index.js b/examples/azure-identity/node/index.js
@@ -0,0 +1,24 @@
+/**
+ * @summary Uses a SecretClient and DefaultAzureCredential to get a secret from a Key Vault.
+ */
+
+import { DefaultAzureCredential } from "@azure/identity";
+import { SecretClient } from "@azure/keyvault-secrets";
+
+const main = async () => {
+    const keyvaultURL = process.env["KEYVAULT_URL"];
+    const secretName = process.env["SECRET_NAME"];
+
+    // DefaultAzureCredential will use the environment variables injected by the Azure Workload Identity
+    // mutating webhook to authenticate with Azure Key Vault.
+    const credential = new DefaultAzureCredential();
+    const client = new SecretClient(keyvaultURL, credential);
+
+    const secret = await client.getSecret(secretName);
+    console.log(`successfully got secret, secret=${secret.value}`);
+}
+
+main().catch((error) => {
+    console.error("An error occurred:", error);
+    process.exit(1);
+});