Backend supports AKS auth provider

Signed-off-by: Jamie Klassen <jklassen@vmware.com>
2023-02-27 14:14:31 -05:00
parent cfe0f5d822
commit 05f1d74539
11 changed files with 104 additions and 0 deletions
@@ -0,0 +1,7 @@
+---
+'@backstage/plugin-kubernetes-backend': patch
+---
+
+Kubernetes clusters now support `authProvider: aks`. When configured this way,
+the `retrieveObjectsByServiceId` action will use the `auth.aks` value in the
+request body as a bearer token to authenticate with Kubernetes.
@@ -0,0 +1,5 @@
+---
+'@backstage/plugin-kubernetes-common': patch
+---
+
+AKS access tokens can now be sent over the wire to the Kubernetes backend.
@@ -21,6 +21,15 @@ import { PluginEndpointDiscovery } from '@backstage/backend-common';
 import type { RequestHandler } from 'express';
 import { TokenCredential } from '@azure/identity';

+// @public (undocumented)
+export class AksKubernetesAuthTranslator {
+  // (undocumented)
+  decorateClusterDetailsWithAuth(
+    clusterDetails: ClusterDetails,
+    auth: KubernetesRequestAuth,
+  ): Promise<ClusterDetails>;
+}
+
 // @public (undocumented)
 export interface AWSClusterDetails extends ClusterDetails {
  // (undocumented)
@@ -256,4 +256,19 @@ describe('ConfigClusterLocator', () => {
      },
    ]);
  });
+
+  it('supports aks authProvider', async () => {
+    const cluster = {
+      name: 'aks-cluster',
+      url: 'https://aks.test',
+      authProvider: 'aks',
+    };
+    const sut = ConfigClusterLocator.fromConfig(
+      new ConfigReader({ clusters: [cluster] }),
+    );
+
+    const result = await sut.getClusters();
+
+    expect(result).toMatchObject([cluster]);
+  });
 });
@@ -76,6 +76,9 @@ export class ConfigClusterLocator implements KubernetesClustersSupplier {
          case 'googleServiceAccount': {
            return clusterDetails;
          }
+          case 'aks': {
+            return clusterDetails;
+          }
          default: {
            throw new Error(
              `authProvider "${authProvider}" has no config associated with it`,
@@ -0,0 +1,29 @@
+/*
+ * Copyright 2023 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { AksKubernetesAuthTranslator } from './AksKubernetesAuthTranslator';
+
+describe('AksKubernetesAuthTranslator', () => {
+  it('uses auth.aks value as bearer token', async () => {
+    const translator = new AksKubernetesAuthTranslator();
+
+    const details = await translator.decorateClusterDetailsWithAuth(
+      { name: '', authProvider: 'aks', url: '' },
+      { aks: 'aksToken' },
+    );
+
+    expect(details.serviceAccountToken).toBe('aksToken');
+  });
+});
@@ -0,0 +1,30 @@
+/*
+ * Copyright 2023 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { ClusterDetails } from '../types/types';
+import { KubernetesRequestAuth } from '@backstage/plugin-kubernetes-common';
+
+/**
+ *
+ * @public
+ */
+export class AksKubernetesAuthTranslator {
+  async decorateClusterDetailsWithAuth(
+    clusterDetails: ClusterDetails,
+    auth: KubernetesRequestAuth,
+  ): Promise<ClusterDetails> {
+    return { ...clusterDetails, serviceAccountToken: auth.aks };
+  }
+}
@@ -14,6 +14,7 @@
 * limitations under the License.
 */

+export * from './AksKubernetesAuthTranslator';
 export * from './AwsIamKubernetesAuthTranslator';
 export * from './AzureIdentityKubernetesAuthTranslator';
 export * from './GoogleKubernetesAuthTranslator';
@@ -33,6 +33,7 @@ import {
  GoogleServiceAccountAuthTranslator,
  AzureIdentityKubernetesAuthTranslator,
  OidcKubernetesAuthTranslator,
+  AksKubernetesAuthTranslator,
 } from '../kubernetes-auth-translator';

 import { addResourceRoutesToRouter } from '../routes/resourcesRoutes';
@@ -355,6 +356,7 @@ export class KubernetesBuilder {
  protected buildAuthTranslatorMap() {
    this.authTranslatorMap = {
      google: new GoogleKubernetesAuthTranslator(),
+      aks: new AksKubernetesAuthTranslator(),
      aws: new AwsIamKubernetesAuthTranslator({ config: this.env.config }),
      azure: new AzureIdentityKubernetesAuthTranslator(this.env.logger),
      serviceAccount: new NoopKubernetesAuthTranslator(),
@@ -226,6 +226,8 @@ export const kubernetesProxyPermission: BasicPermission;

 // @public (undocumented)
 export interface KubernetesRequestAuth {
+  // (undocumented)
+  aks?: string;
  // (undocumented)
  google?: string;
  // (undocumented)
@@ -35,6 +35,7 @@ import { Entity } from '@backstage/catalog-model';
 /** @public */
 export interface KubernetesRequestAuth {
  google?: string;
+  aks?: string;
  oidc?: {
    [key: string]: string;
  };