chore: azure sdk update

[hauswio]

Problem Statement

Azure sdk update and custom cloud support

Related Issue

Fixes #5151

Proposed Changes

1. Feature Flag Configuration

• Added UseAzureSDK *bool field to AzureKVProvider struct
• Defaults to false (legacy SDK) for backward compatibility
• Users can opt-in to new SDK by setting useAzureSDK: true

2. Dual SDK Architecture

• Legacy path: Uses existing go-autorest SDK (default)
• New path: Uses azure-sdk-for-go with azcore, azidentity,
  and Key Vault specific packages
• Both implementations coexist safely in the same codebase

3. Complete Method Support
   Both SDK implementations support all Key Vault operations:

• GetSecret - Retrieve individual secrets, keys, certificates
• GetAllSecrets - List and retrieve multiple secrets with
  filtering
• GetSecretMap - Retrieve secret collections as maps
• PushSecret - Set/update secrets, keys, certificates with
  metadata

4. Authentication Support
   All three authentication methods work with both SDKs:

• Service Principal: Client ID/Secret and Client Certificate
  auth
• Managed Identity: System and user-assigned identities
• Workload Identity: Kubernetes service account token
  exchange

5. Cloud Environment Support
   Both implementations support all Azure environments:

• Public Cloud (default)
• US Government Cloud
• China Cloud
• German Cloud

The new SDK supports custom endpoint via the AzureStackCloud environment

Migration Path for Users

Current Users (No Action Required)

• Existing configurations continue working unchanged
• Legacy SDK remains the default behavior

Opt-in to New SDK
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
name: azure-keyvault
spec:
provider:
azurekv:
vaultUrl: "https://my-vault.vault.azure.net/"
useAzureSDK: true # Enable new SDK
authType: ServicePrincipal
# ... rest of configuration

Architecture:

• Route all operations through feature flag check
• Separate initialization functions for each SDK
• Parallel method implementations (legacy vs new)
• Unified error handling that normalizes responses
• Used explicit AzureStackCloud environment type instead of checking custom config as precedence (better performance for common cases)
• Legacy SDK explicitly rejects custom cloud configuration with helpful error messages

Checklist

• I have read the contribution guidelines
• All commits are signed with git commit --signoff
• My changes have reasonable test coverage
• All tests pass with make test
• I ensured my PR is ready for review with make reviewable

[hauswio]

FIXED: I had the python version of yq instead of the go version, thanks to debian.

Getting the following error when running the make commands:

jq: Unknown option -p=json

cursory look didn't make much sense to me, figured I'd comment in case yall have seen this before.

[moolen]

/ok-to-test sha=6de7540d1a69f706ac0e2172dc1c2ba17bcd1914

[eso-service-account-app]

[Bot] - ✅ e2e for 6de7540d1a69f706ac0e2172dc1c2ba17bcd1914 passed

[Skarlso]

In addition to my comments, can you please extract the new SDK code into a separate file so we can track that better? This one file is now starting to be rather large. :) Thanks!

Also, please address the sonarcloud issues. :)

[Skarlso]

You didn't implement any switches in the DeleteSecret section. Meaning it will fail since the client is not initialized, right?

[hauswio]

This should be implemented with yesterdays work.

[moolen]

Thank you for having a shot at this, much appreciated!

One comment from my side:

From my understanding, using the new SDK is a breaking change, (at least looking at the migration guide. This is inevitable and it will need to happen at some point, because the old SDK isn't supported any more.
I'm fine having a switch in the secret store as newer versions of the operator need to be compatible with previous ones. I think we'll need to change the defaults with v2 of the secret store.

Before merging this i need to be sure that most of the functionality using the new sdk is covered in e2e tests. At a first glance, no existing test case seems to be breaking which is good 👍, but we need certainty that we don't break our users if they enable this feature. I suggest to add another set of tests in this file which modifies the secret stores and enables the new sdk. We have these functions that allow composition of test cases

[hauswio]

@moolen & @Skarlso

I believe I've implemented most of Skarlso's requested changes. I'm working going to work on the test updates soon. I see the sonarqube issues, but they seem to be flagging the same level of layering that exists in some of the legacy functions. I assume implementing a helper func to handle the secret existence checks on the setters would alleviate the issues?

I'll try to get the test updates to yall tomorrow.

[hauswio]

@Skarlso I know you wanted the sonarqube issues addressed, maybe you can help me understand them? Am I reading right that those functions have too many layers of loops/conditionals and its failing for cognitive load? The layers should match the old implementation, but looking at it I could do a helper func to move the secret checks out of each of those functions. Theoretically that could solve the issues.

[Skarlso]

@hauswio I'm fine if you leave most it but please refactor getAllSecretsWithNewSDK at the very least. :)

For example checkTag and checkName could be small functions that return a boolean. And if false, continue.

Or the entire internal for loop can be a function on its own. Other than that, I ignored the rest of the errors.

[hauswio]

I rechecked my test code for creating the secretstore and doing the key test. The only difference between existing and new tests is setting the useAzureSDK bool on the secret store. Still authing to yalls keyvault with all the same values and pulling the same key ref. I don't know why the test is an issue now vs prior.

[Skarlso]

There is no prior. Your new test is failing. :)

[hauswio]

Sorry, what I meant is my new test is basically a copy of the existing test in azure_key.go. If you look at the diff on that file you'll see what I mean. Looking through it all again the only difference I can find is where I configure the secretstore with the feature flag. Thats why I'm confused about what the issue is.

[Skarlso]

Oh gotcha. Yeah I'm looking too, but I can't find what would cause this yet. There must be something else going on somewhere ugh.

[Skarlso]

Hm. Referent auth already adds a -.

func referentAuthName(f *framework.Framework) string {
	return "referent-auth-" + f.Namespace.Name
}

And you do:

tc.ExternalSecret.Spec.SecretStoreRef.Name = referentAuthName(tc.Framework) + "-new-sdk"

Maybe try removing that dash because otherwise the secret name will be incorrect?

[Skarlso]

Maybe it's fine because you do also:

Name:      referentAuthName(s.framework) + "-new-sdk",

So it should be the same weird -- I guess.

[Skarlso]

It's weird, because the EXPECTED secret is empty, not the fetched one :D

[Skarlso]

There might be a problem when creating the secret store maybe. There might be an authentication issue as well. The logs are difficult to gather. I need to check previous runs if the auth errors are there too. Maybe it's expected, unsure.

[hauswio]

Maybe it's fine because you do also:

Name:      referentAuthName(s.framework) + "-new-sdk",

So it should be the same weird -- I guess.

I could commit a change removing the dash? I didn't catch that.

[hauswio]

It's weird, because the EXPECTED secret is empty, not the fetched one :D

Does that make sense? I didn't dig into the esv values pulled to make the expected secret.

[hauswio]

If it helps, I've been able to sync external secrets and push secrets with a key in my environment. So this seems to be more an issue with the test, CI, test environment.

[moolen]

There are two different types at play:

The e2e tests use the old type, while the operator/e2e test produces a value using the new type

The value is essentially the same, but the order is different. That's due to the difference of the types. E.g. Kty and KeyOps is swapped

[moolen]

{
  "kid": "https://eso-e2e-keyvault.vault.azure.net/keys/e2e-tests-eso-azure-keytype-qnrd7-keytest/ffb5cfae884d457186e44ca293a221f1",
  "kty": "RSA",
  "key_ops": ["encrypt","decrypt","sign","verify","wrapKey","unwrapKey"],
  "n": "oiDBW7Urre8j_-nB0r2CazAOkZJxjscVpqH0OhpAoiK8vmDkcR298SN9aBSuI2z4LCSHKDNZ9vMkH7lKtNm1uo1uV2P0RzObKgF0iPZ2t0deIq-ULk4xTURImLG7NNKQ1uaK6a236tVONOLxvris89ZX_ZxVmtenMnCUoW-EbRriHhqB3XHPhu8HJIBZ9v2x88NYYT-ssNyrOphXIHR6JGpcy0ynjvdsJXpiHDTd0Fn9C2gXueTHFZHm6G9pafmKTeLqI4c-OMbcU6u6-6HeFgYmhfWg66QFTWJxkl7vEkWujUciwUoRYgGYW1d_UjU4InmFuEtBGAMmTV-WbtTcbQ",
  "e": "AQAB"
}

vs.

{
  "e": "AQAB",
  "key_ops": ["encrypt","decrypt","sign","verify","wrapKey","unwrapKey"],
  "kid": "https://eso-e2e-keyvault.vault.azure.net/keys/e2e-tests-eso-azure-keytype-qnrd7-keytest/ffb5cfae884d457186e44ca293a221f1",
  "kty": "RSA",
  "n": "oiDBW7Urre8j_-nB0r2CazAOkZJxjscVpqH0OhpAoiK8vmDkcR298SN9aBSuI2z4LCSHKDNZ9vMkH7lKtNm1uo1uV2P0RzObKgF0iPZ2t0deIq-ULk4xTURImLG7NNKQ1uaK6a236tVONOLxvris89ZX_ZxVmtenMnCUoW-EbRriHhqB3XHPhu8HJIBZ9v2x88NYYT-ssNyrOphXIHR6JGpcy0ynjvdsJXpiHDTd0Fn9C2gXueTHFZHm6G9pafmKTeLqI4c-OMbcU6u6-6HeFgYmhfWg66QFTWJxkl7vEkWujUciwUoRYgGYW1d_UjU4InmFuEtBGAMmTV-WbtTcbQ"
}

[Skarlso]

But the compare where it fails, essentially marshals this into an actual object and THEN compares them. It doesn't seem like that would care about the ordering. It's not a byte compare. 🤔

[moolen]

the e2e tests compare the Kind=Secret .data (here).

Where is it marshaled into an object and then compared?

[Skarlso]

Goddamn it I was LOOKING at that. How the hell didn't I see it?!?!

[Skarlso]

Okay, but that's fine. We should marshal it into map[string]interface and then do a deep equal?

[moolen]

In the using new SDK test i'd marshal/unmarshal into the new type and pass that to the expectedSecret. At least temporarily. The e2e provider implementation should be rewritten once we remove the old sdk - and then this workaround becomes obsolete. From what it looks like the new sdk implementation seems to be fully compatible 🎉 well done @hauswio

[Skarlso]

@hauswio Do you understand how to update the test? :)

[hauswio]

@Skarlso I think so. Let me know if the update matches yalls expectation.

[Skarlso]

Yah, I think that matches. Let's see if it passes.

[Skarlso]

/ok-to-test sha=1a02d9149f8c4c2cf6cdeb16a1d76cbdf57a600b

[Skarlso]

/ok-to-test sha=1a02d9149f8c4c2cf6cdeb16a1d76cbdf57a600b

[Skarlso]

Hmmm, oh-o... The e2e test is failing to launch. 🤔 Let's hope it's just a hiccup. I'll try again in half an hour.

[Skarlso]

Ah it's because of check diff.

[Skarlso]

/ok-to-test sha=edff033338dcb1261bfa86c90d58d41939572502

[Skarlso]

The runner is not working. I initiated a revert for the token update on the flow #5269.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
3 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
1.1% Duplication on New Code

See analysis details on SonarQube Cloud

[Skarlso]

/ok-to-test sha=b14ebdfd5bf6737af1034616d4bab342ad38989e

[eso-service-account-app]

[Bot] - ✅ e2e for b14ebdfd5bf6737af1034616d4bab342ad38989e passed

[Skarlso]

Thank you so much for this excellent work! Lovely!