clustermsi: log interaction with keyvault

Signed-off-by: Steve Kuznetsov <[email protected]>
Azure · Feb 7, 2025 · 51c1949 · 51c1949
1 parent 78680a8
commit 51c1949
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 3 deletions.
diff --git a/pkg/cluster/clustermsi.go b/pkg/cluster/clustermsi.go
@@ -15,6 +15,7 @@ import (
 	"github.com/Azure/azure-sdk-for-go/services/keyvault/v7.0/keyvault"
 	"github.com/Azure/go-autorest/autorest/date"
 	"github.com/Azure/msi-dataplane/pkg/dataplane"
+	"github.com/sirupsen/logrus"
 
 	"github.com/Azure/ARO-RP/pkg/api"
 	"github.com/Azure/ARO-RP/pkg/env"
@@ -120,6 +121,20 @@ func (m *manager) initializeClusterMsiClients(ctx context.Context) error {
 		return err
 	}
 
+	var censored dataplane.ManagedIdentityCredentials
+	if err := json.Unmarshal([]byte(*kvSecretResponse.Value), &censored); err != nil {
+		return err
+	}
+	env.CensorManagedIdentityCredentials(&censored)
+	censoredEncoded, err := json.Marshal(&censored)
+	if err != nil {
+		return err
+	}
+	m.env.Logger().WithFields(logrus.Fields{
+		"client": "msi-dataplane",
+		"body":   string(censoredEncoded),
+	}).Info("fetched msi response from key vault")
+
 	cloud, err := m.env.Environment().CloudNameForMsiDataplane()
 	if err != nil {
 		return err
@@ -130,18 +145,25 @@ func (m *manager) initializeClusterMsiClients(ctx context.Context) error {
 		return err
 	}
 
+	var uamsiIds []string
 	var azureCred azcore.TokenCredential
 	for _, identity := range kvSecret.ExplicitIdentities {
+		if identity != nil && identity.ResourceID != nil {
+			uamsiIds = append(uamsiIds, *identity.ResourceID)
+		}
 		if identity != nil && identity.ResourceID != nil && *identity.ResourceID == msiResourceId.String() {
 			var err error
 			azureCred, err = dataplane.GetCredential(cloud, *identity)
 			if err != nil {
 				return fmt.Errorf("failed to get credential for msi identity %q: %v", msiResourceId, err)
 			}
+			if azureCred == nil {
+				return fmt.Errorf("credential for msi identity %q returned nil", msiResourceId)
+			}
 		}
 	}
 	if azureCred == nil {
-		return fmt.Errorf("managed identity credential missing user-assigned identity %q", msiResourceId)
+		return fmt.Errorf("managed identity credential had %d explicit identities (%s), but was missing user-assigned identity %q", len(kvSecret.ExplicitIdentities), strings.Join(uamsiIds, ","), msiResourceId)
 	}
 
 	// Note that we are assuming that all of the platform MIs are in the same subscription as the ARO resource.

diff --git a/pkg/env/prod.go b/pkg/env/prod.go
@@ -449,7 +449,7 @@ func ClientDebugLoggerMiddleware(log *logrus.Entry) policy.Policy {
 				if err := json.Unmarshal(body, &response); err != nil {
 					log.WithError(err).Error("error unmarshalling response body")
 				} else {
-					censorCredentials(&response)
+					CensorManagedIdentityCredentials(&response)
 					censored, err := json.Marshal(response)
 					if err != nil {
 						log.WithError(err).Error("error marshalling response body after censoring")
@@ -469,7 +469,7 @@ func ClientDebugLoggerMiddleware(log *logrus.Entry) policy.Policy {
 	})
 }
 
-func censorCredentials(input *dataplane.ManagedIdentityCredentials) {
+func CensorManagedIdentityCredentials(input *dataplane.ManagedIdentityCredentials) {
 	input.ClientSecret = nil
 	for i := 0; i < len(input.DelegatedResources); i++ {
 		if input.DelegatedResources[i] != nil && input.DelegatedResources[i].ImplicitIdentity != nil {