search

Azure / acr-builder

Azure Container Registry Build Runner
MIT License
38 stars 35 forks source link

add support for injecting keyvault endpoint #399

Closed shahzzzam closed 5 years ago

shahzzzam commented 5 years ago

Purpose of the PR: Breaking change: Remove az-cloud-name and add vault-resource-endpoint and arm-resource-endpoint to be able to inject the environment endpoint manually.

Fixes #

Tests# I followed the instructions on the doc below, https://github.com/Azure/acr-builder/blob/fa3a6488884006e4f654c7b5c5c8703e837391aa/docs/task-with-secrets.md

Created a keyvault in Prod, created a VM, created an Identity, and then ran acb inside this VM and passed --vault-resource-endpoint "https://vault.azure.net/" to acb exec and it worked.

samashah@testacbvm:~$ sudo docker run -v $(pwd):/workspace --workdir /workspace \
-v /var/run/docker.sock:/var/run/docker.sock acb exec  \
--homevol $(pwd) --vault-resource-endpoint "https://vault.azure.net/" -f task-secrets.yaml
2019/03/05 06:02:42 Using /home/samashah as the home volume
2019/03/05 06:02:43 Creating Docker network: acb_default_network, driver: 'bridge'
2019/03/05 06:02:43 Successfully set up Docker network: acb_default_network
2019/03/05 06:02:43 Setting up Docker configuration...
2019/03/05 06:02:54 Successfully set up Docker configuration
2019/03/05 06:02:54 Executing step ID: acb_step_0. Working directory: '', Network: 'acb_default_network'
2019/03/05 06:02:54 Launching container with name: acb_step_0
Unable to find image 'bash:latest' locally
latest: Pulling from library/bash
6c40cc604d8e: Pulling fs layer
4c1b15b4d6fa: Pulling fs layer
5a2cb0c37a20: Pulling fs layer
6c40cc604d8e: Verifying Checksum
6c40cc604d8e: Download complete
5a2cb0c37a20: Verifying Checksum
5a2cb0c37a20: Download complete
4c1b15b4d6fa: Verifying Checksum
4c1b15b4d6fa: Download complete
6c40cc604d8e: Pull complete
4c1b15b4d6fa: Pull complete
5a2cb0c37a20: Pull complete
Digest: sha256:d23faa1fe209068abd8424b4a38936f2b9bf2481386fdfbe7e72443dfecdae15
Status: Downloaded newer image for bash:latest
mysecret value is ACB Secret
2019/03/05 06:02:58 Successfully executed container: acb_step_0
2019/03/05 06:02:58 Step ID: acb_step_0 marked as successful (elapsed time in seconds: 4.845128)
northtyphoon commented 5 years ago

I rethink about it and feel the key vault endpoint should be extracted from key vault url directly. Basically if the code request to access https://abc.vault.azure.net, it needs to request the access token targeting https://vault.azure.net. So there is a mapping between key vault url and the resource url passed to the token server.

ARM might have a special case in some environments but in general access token api follows the above pattern.