Merge pull request #7549 from ywk253100/240318_cert

Support certificate-based authentication for Azure

changelogs/unreleased/7549-ywk253100

@@ -0,0 +1 @@
+Support certificate-based authentication for Azure

pkg/util/azure/credential.go

@@ -81,7 +81,7 @@ type configCredentialOptions struct {
 	AdditionallyAllowedTenants []string
 }
 
-// newConfigCredential works same as the azidentity.EnvironmentCredential but reads the credentials from a map
+// newConfigCredential works similar as the azidentity.EnvironmentCredential but reads the credentials from a map
 // rather than environment variables. This is required for Velero to run B/R concurrently
 // https://github.com/Azure/azure-sdk-for-go/blob/sdk/azidentity/v1.3.0/sdk/azidentity/environment_credential.go#L80
 func newConfigCredential(creds map[string]string, options configCredentialOptions) (azcore.TokenCredential, error) {
@@ -102,19 +102,24 @@ func newConfigCredential(creds map[string]string, options configCredentialOption
 		})
 	}
 
-	// certificate
-	if certPath := creds[CredentialKeyClientCertificatePath]; certPath != "" {
-		certData, err := os.ReadFile(certPath)
-		if err != nil {
-			return nil, errors.Wrapf(err, "failed to read certificate file %s", certPath)
+	// raw certificate or certificate file
+	if rawCerts, certsPath := []byte(creds[CredentialKeyClientCertificate]), creds[CredentialKeyClientCertificatePath]; len(rawCerts) > 0 || len(certsPath) > 0 {
+		var err error
+		// raw certificate isn't specified while certificate path is specified
+		if len(rawCerts) == 0 {
+			rawCerts, err = os.ReadFile(certsPath)
+			if err != nil {
+				return nil, errors.Wrapf(err, "failed to read certificate file %s", certsPath)
+			}
 		}
+
 		var password []byte
 		if v := creds[CredentialKeyClientCertificatePassword]; v != "" {
 			password = []byte(v)
 		}
-		certs, key, err := azidentity.ParseCertificates(certData, password)
+		certs, key, err := azidentity.ParseCertificates(rawCerts, password)
 		if err != nil {
-			return nil, errors.Wrapf(err, "failed to load certificate from %s", certPath)
+			return nil, errors.Wrap(err, "failed to parse certificate")
 		}
 		o := &azidentity.ClientCertificateCredentialOptions{
 			AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,

pkg/util/azure/util.go

@@ -43,6 +43,7 @@ const (
 	CredentialKeyTenantID                   = "AZURE_TENANT_ID"                     // #nosec
 	CredentialKeyClientID                   = "AZURE_CLIENT_ID"                     // #nosec
 	CredentialKeyClientSecret               = "AZURE_CLIENT_SECRET"                 // #nosec
+	CredentialKeyClientCertificate          = "AZURE_CLIENT_CERTIFICATE"            // #nosec
 	CredentialKeyClientCertificatePath      = "AZURE_CLIENT_CERTIFICATE_PATH"       // #nosec
 	CredentialKeyClientCertificatePassword  = "AZURE_CLIENT_CERTIFICATE_PASSWORD"   // #nosec
 	CredentialKeySendCertChain              = "AZURE_CLIENT_SEND_CERTIFICATE_CHAIN" // #nosec