Support for Azure KV Authentication with ClientCertificate

[lieberlois]

Is your feature request related to a problem? Please describe.
I find that the operator should be able to authenticate via ClientCredentials. This is an easy implementation since the used kvauth package already supports this: https://pkg.go.dev/github.com/Azure/go-autorest/autorest/azure/auth#NewClientCertificateConfig

Describe the solution you'd like
In the perfect world, it should be possible to configure a SecretStore and a ClusterSecretStore to fetch the clientCertificate key from a secret and use that for authentication against Azure KV rather than the clientSecret field.

Describe alternatives you've considered
None

Additional context
This is how I want the CRD to work:

apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: store
spec:
  provider:
    azurekv:
      authSecretRef:
        clientId:
          key: ClientID
          name: azure-secret-sp
        clientCertificate:
          key: ClientCertificate
          name: azure-secret-sp
      authType: ServicePrincipal
      environmentType: PublicCloud
      tenantId: <omitted>
      vaultUrl: "https://<kv>.vault.azure.net/"

If somebody is willing to point me to the relevant code locations, I am very happy to contribute this myself, if others agree that this would be a good feature!

[lieberlois]

I started implementing this, however the Azure Autorest Library uses this signature for the certificate based authorizer:

func kvauth.NewClientCertificateConfig(certificatePath string, certificatePassword string, clientID string, tenantID string) kvauth.ClientCertificateConfig {}

Does anybody have suggestions on how we could implement this? 🤔 I'm thinking about extending the types like this, which means that the user must mount the certificate from the secret as a file - that part i dont really like:

// Configuration used to authenticate with Azure.
type AzureKVAuth struct {
	// The Azure clientId of the service principle or managed identity used for authentication.
	// +optional
	ClientID *smmeta.SecretKeySelector `json:"clientId,omitempty"`

	// The Azure tenantId of the managed identity used for authentication.
	// +optional
	TenantID *smmeta.SecretKeySelector `json:"tenantId,omitempty"`

	// The Azure ClientSecret of the service principle used for authentication.
	// +optional
	ClientSecret *smmeta.SecretKeySelector `json:"clientSecret,omitempty"`

	// The Azure ClientCertificate of the service principle used for authentication.
	// +optional
	ClientCertificate *ClientCertificateLocation `json:"clientCertificate,omitempty"`
}

type ClientCertificateLocation struct {
	Path string `json:"path,omitempty"`
}

Alternatively we could read the certificate data from a k8s secret and write it into a temporary file

[lieberlois]

Another note: its a shame that the Autorest Package doesnt support pem certificates 🤦

2024/05/07 19:35:40 failed to get oauth token from certificate auth: failed to decode pkcs12 certificate while creating spt: pkcs12: error reading P12 data: asn1: structure error: tags don't match (16 vs {class:1 tag:2 length:97 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pfxPdu @2
exit status 1

[moolen]

Oh no, how annoying 😞

AFAIK we would just use the .Authorizer() of the ClientCredentialsConfig, this is an interface. We should be able to create our own Authorizer 🤔

just like here

I would prefer a way where we wouldn't need to load certificates into ESO, instead reference them as you suggested in your initial post.

[lieberlois]

@moolen Thanks for the advice! Do you have any suggestions for a package to handle the certificate authorization then - or do you think Autorest should be able to do it? 😊 looking forward to contributing to such a cool project!

Edit: It seems to be possible 👍 just have to figure out how to parse Azure's certificate format :) Thanks!

[moolen]

Just a rough sketch: basically copy the relevant stuff from azkv, but load the cert/privkey from secret instead of from file. That should do 🤔

diff --git a/pkg/provider/azure/keyvault/keyvault.go b/pkg/provider/azure/keyvault/keyvault.go
index 1f71f058c..be98bae8b 100644
--- a/pkg/provider/azure/keyvault/keyvault.go
+++ b/pkg/provider/azure/keyvault/keyvault.go
@@ -174,6 +174,8 @@ func newClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Cl
 		authorizer, err = az.authorizerForServicePrincipal(ctx)
 	case esv1beta1.AzureWorkloadIdentity:
 		authorizer, err = az.authorizerForWorkloadIdentity(ctx, NewTokenProvider)
+	case esv1beta1.AzureCertAuth:
+		authorizer, err = az.authorizerForCertAuth(ctx)
 	default:
 		err = fmt.Errorf(errMissingAuthType)
 	}
@@ -185,6 +187,63 @@ func newClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Cl
 	return az, err
 }
 
+// ClientCertificateConfig provides the options to get a bearer authorizer from a client certificate.
+type ClientCertificateConfig struct {
+	ClientID    string
+	TenantID    string
+	AuxTenants  []string
+	AADEndpoint string
+	Resource    string
+}
+
+// ServicePrincipalToken creates a ServicePrincipalToken from client certificate.
+func (ccc ClientCertificateConfig) ServicePrincipalToken() (*adal.ServicePrincipalToken, error) {
+	oauthConfig, err := adal.NewOAuthConfig(ccc.AADEndpoint, ccc.TenantID)
+	if err != nil {
+		return nil, err
+	}
+	// TODO: fetch the certificate/private key from the secret (or PKCS#12)
+	// TODO: fetch the certificate password from the secret
+	return adal.NewServicePrincipalTokenFromCertificate(*oauthConfig, ccc.ClientID, certificate, rsaPrivateKey, ccc.Resource)
+}
+
+// MultiTenantServicePrincipalToken creates a MultiTenantServicePrincipalToken from client certificate.
+func (ccc ClientCertificateConfig) MultiTenantServicePrincipalToken() (*adal.MultiTenantServicePrincipalToken, error) {
+	oauthConfig, err := adal.NewMultiTenantOAuthConfig(ccc.AADEndpoint, ccc.TenantID, ccc.AuxTenants, adal.OAuthOptions{})
+	if err != nil {
+		return nil, err
+	}
+	// TODO: fetch the certificate/private key from the secret (or PKCS#12)
+	// TODO: fetch the certificate password from the secret
+	return adal.NewMultiTenantServicePrincipalTokenFromCertificate(oauthConfig, ccc.ClientID, certificate, rsaPrivateKey, ccc.Resource)
+}
+
+// Authorizer gets an authorizer object from client certificate.
+func (ccc ClientCertificateConfig) Authorizer() (autorest.Authorizer, error) {
+	if len(ccc.AuxTenants) == 0 {
+		spToken, err := ccc.ServicePrincipalToken()
+		if err != nil {
+			return nil, fmt.Errorf("failed to get oauth token from certificate auth: %v", err)
+		}
+		return autorest.NewBearerAuthorizer(spToken), nil
+	}
+	mtSPT, err := ccc.MultiTenantServicePrincipalToken()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get multitenant SPT from certificate auth: %v", err)
+	}
+	return autorest.NewMultiTenantServicePrincipalTokenAuthorizer(mtSPT), nil
+}
+
+func authorizerForCertAuth(ctx context.Context) (autorest.Authorizer, error) {
+	ccc := &ClientCertificateConfig{
+		ClientID:    "some client",
+		TenantID:    "some tenant",
+		Resource:    azure.PublicCloud.ResourceManagerEndpoint,
+		AADEndpoint: azure.PublicCloud.ActiveDirectoryEndpoint,
+	}
+	return ccc.Authorizer()
+}
+
 func getProvider(store esv1beta1.GenericStore) (*esv1beta1.AzureKVProvider, error) {
 	spc := store.GetSpec()
 	if spc == nil || spc.Provider.AzureKV == nil {

[lieberlois]

Thanks, already got it 👍

[lieberlois]

@moolen I created the PR 👍 #3469

Its my first time contributing here, feel free to comment if I'm missing something :) thx for the support