pkg/env: log MSI data-plane interactions

go.mod

@@ -23,7 +23,7 @@ require (
 	github.com/Azure/go-autorest/autorest/to v0.4.0
 	github.com/Azure/go-autorest/autorest/validation v0.3.1
 	github.com/Azure/go-autorest/tracing v0.6.0
-	github.com/Azure/msi-dataplane v0.1.0
+	github.com/Azure/msi-dataplane v0.3.0
 	github.com/apparentlymart/go-cidr v1.1.0
 	github.com/codahale/etm v0.0.0-20141003032925-c00c9e6fb4c9
 	github.com/containers/image/v5 v5.31.0
@@ -113,7 +113,7 @@ require (
 	github.com/VividCortex/ewma v1.2.0 // indirect
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
 	github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20220418222510-f25a4f6275ed // indirect
-	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
+	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
@@ -213,7 +213,6 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f // indirect
 	github.com/nxadm/tail v1.4.11 // indirect
-	github.com/oapi-codegen/runtime v1.1.1 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect

go.sum

@@ -66,8 +66,8 @@ github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+Z
 github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
 github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
-github.com/Azure/msi-dataplane v0.1.0 h1:YGPLZF9na0yfXeH42KAqTcuYEAvykEdVjVmTq3xJIJ4=
-github.com/Azure/msi-dataplane v0.1.0/go.mod h1:4zy4gYF6/EyxMEbuJ9Dm5bDVO0a6HR3DQx0SChcsJk8=
+github.com/Azure/msi-dataplane v0.3.0 h1:ng54QWSDGct4crZJ0Ea7Zt/ZbaQLO2s7yXicWRPyLP4=
+github.com/Azure/msi-dataplane v0.3.0/go.mod h1:y+euhWbc8/wgVM1hyJLQf4DnByegnwxAcDV0OKNM9+k=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU=
@@ -87,16 +87,15 @@ github.com/Microsoft/hcsshim v0.12.3/go.mod h1:Iyl1WVpZzr+UkzjekHZbV8o5Z9ZkxNGx6
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
 github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
-github.com/RaveNoX/go-jsoncommentstrip v1.0.0/go.mod h1:78ihd09MekBnJnxpICcwzCMzGrKSKYe4AqU6PDYYpjk=
 github.com/VividCortex/ewma v1.2.0 h1:f58SaIzcDXrSy3kWaHNvuJgJ3Nmz59Zji6XoJR/q1ow=
 github.com/VividCortex/ewma v1.2.0/go.mod h1:nz4BbCtbLyFDeC9SUHbtcT5644juEuWfUAUnGx7j5l4=
 github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d h1:licZJFw2RwpHMqeKTCYkitsPqHNxTmd4SNR5r94FGM8=
 github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d/go.mod h1:asat636LX7Bqt5lYEZ27JNDcqxfjdBQuJ/MM4CN/Lzo=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20220418222510-f25a4f6275ed h1:ue9pVfIcP+QMEjfgo/Ez4ZjNZfonGgR6NgjMaJMu1Cg=
 github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20220418222510-f25a4f6275ed/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY=
-github.com/apapsch/go-jsonmerge/v2 v2.0.0 h1:axGnT1gRIfimI7gJifB699GoE/oq+F2MU7Dml6nw9rQ=
-github.com/apapsch/go-jsonmerge/v2 v2.0.0/go.mod h1:lvDnEdqiQrp0O42VQGgmlKpxL1AP2+08jFMw88y4klk=
+github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ=
+github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw=
 github.com/apparentlymart/go-cidr v1.1.0 h1:2mAhrMoF+nhXqxTzSZMUzDHkLjmIHC+Zzn4tdgBZjnU=
 github.com/apparentlymart/go-cidr v1.1.0/go.mod h1:EBcsNrHc3zQeuaeCeCtQruQm+n9/YjEn/vI25Lg7Gwc=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
@@ -111,7 +110,6 @@ github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdn
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
-github.com/bmatcuk/doublestar v1.1.1/go.mod h1:UD6OnuiIn0yFxxA2le/rnRU1G4RaI4UvFv1sNto9p6w=
 github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
 github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw=
@@ -386,7 +384,6 @@ github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2E
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/juju/gnuflag v0.0.0-20171113085948-2ce1bb71843d/go.mod h1:2PavIy+JPciBPrBUjwbNvtwB6RQlve+hkpll6QSNmOE=
 github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6 h1:IsMZxCuZqKuao2vNdfD82fjjgPLfyHLpR41Z88viRWs=
 github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6/go.mod h1:3VeWNIJaW+O5xpRQbPp0Ybqu1vJd/pm7s2F473HRrkw=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
@@ -481,8 +478,6 @@ github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
 github.com/nxadm/tail v1.4.11 h1:8feyoE3OzPrcshW5/MJ4sGESc5cqmGkGCWlco4l0bqY=
 github.com/nxadm/tail v1.4.11/go.mod h1:OTaG3NK980DZzxbRq6lEuzgU+mug70nY11sMd4JXXHc=
-github.com/oapi-codegen/runtime v1.1.1 h1:EXLHh0DXIJnWhdRPN2w4MXAzFyE4CskzhNLUmtpMYro=
-github.com/oapi-codegen/runtime v1.1.1/go.mod h1:SK9X900oXmPWilYR5/WKPzt3Kqxn/uS/+lbpREv+eCg=
 github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
@@ -601,7 +596,6 @@ github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
 github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
 github.com/spf13/pflag v1.0.6-0.20210604193023-d5e0c0615ace h1:9PNP1jnUjRhfmGMlkXHjYPishpcw4jpSt/V/xYY3FMA=
 github.com/spf13/pflag v1.0.6-0.20210604193023-d5e0c0615ace/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spkg/bom v0.0.0-20160624110644-59b7046e48ad/go.mod h1:qLr4V1qq6nMqFKkMo8ZTx3f+BZEkzsRUY10Xsm2mwU0=
 github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6 h1:pnnLyeX7o/5aX8qUQ69P/mLojDqwda8hFOCBTmP/6hw=
 github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6/go.mod h1:39R/xuhNgVhi+K0/zst4TLrJrVmbm6LVgl4A0+ZFS5M=
 github.com/stoewer/go-strcase v1.2.0 h1:Z2iHWqGXH00XYgqDmNgQbIBxf3wrNq0F3feEy0ainaU=

pkg/cluster/cluster.go

@@ -332,10 +332,7 @@ func New(ctx context.Context, log *logrus.Entry, _env env.Interface, db database
 				return nil, err
 			}
 
-			msiDataplane, err = dataplane.NewClientFactory(fpMSICred, _env.MsiRpEndpoint(), msiDataplaneClientOptions)
-			if err != nil {
-				return nil, err
-			}
+			msiDataplane = dataplane.NewClientFactory(fpMSICred, _env.MsiRpEndpoint(), msiDataplaneClientOptions)
 		}
 
 		clusterMsiKeyVaultName := _env.ClusterMsiKeyVaultName()

pkg/cluster/clustermsi.go

@@ -51,7 +51,7 @@ func (m *manager) ensureClusterMsiCertificate(ctx context.Context) error {
 	}
 
 	uaMsiRequest := dataplane.UserAssignedIdentitiesRequest{
-		DelegatedResources: &[]string{clusterMsiResourceId.String()},
+		IdentityIDs: []string{clusterMsiResourceId.String()},
 	}
 
 	client, err := m.msiDataplane.NewClient(m.doc.OpenShiftCluster.Identity.IdentityURL)
@@ -131,14 +131,12 @@ func (m *manager) initializeClusterMsiClients(ctx context.Context) error {
 	}
 
 	var azureCred azcore.TokenCredential
-	if kvSecret.ExplicitIdentities != nil {
-		for _, identity := range *kvSecret.ExplicitIdentities {
-			if identity.ResourceId != nil && *identity.ResourceId == msiResourceId.String() {
-				var err error
-				azureCred, err = dataplane.GetCredential(cloud, identity)
-				if err != nil {
-					return fmt.Errorf("failed to get credential for msi identity %q: %v", msiResourceId, err)
-				}
+	for _, identity := range kvSecret.ExplicitIdentities {
+		if identity.ResourceID != nil && strings.EqualFold(*identity.ResourceID, msiResourceId.String()) {
+			var err error
+			azureCred, err = dataplane.GetCredential(cloud, identity)
+			if err != nil {
+				return fmt.Errorf("failed to get credential for msi identity %q: %v", msiResourceId, err)
 			}
 		}
 	}
@@ -181,7 +179,7 @@ func (m *manager) clusterIdentityIDs(ctx context.Context) error {
 	}
 
 	uaMsiRequest := dataplane.UserAssignedIdentitiesRequest{
-		DelegatedResources: &[]string{clusterMsiResourceId.String()},
+		IdentityIDs: []string{clusterMsiResourceId.String()},
 	}
 
 	client, err := m.msiDataplane.NewClient(m.doc.OpenShiftCluster.Identity.IdentityURL)
@@ -198,7 +196,7 @@ func (m *manager) clusterIdentityIDs(ctx context.Context) error {
 	if err != nil {
 		return err
 	}
-	if identity.ClientId == nil || identity.ObjectId == nil {
+	if identity.ClientID == nil || identity.ObjectID == nil {
 		return fmt.Errorf("unable to pull clientID and objectID from the MSI CredentialsObject")
 	}
 
@@ -208,8 +206,8 @@ func (m *manager) clusterIdentityIDs(ctx context.Context) error {
 		// passed-in casing on IDs even if it may be incorrect
 		for k, v := range doc.OpenShiftCluster.Identity.UserAssignedIdentities {
 			if strings.EqualFold(k, clusterMsiResourceId.String()) {
-				v.ClientID = *identity.ClientId
-				v.PrincipalID = *identity.ObjectId
+				v.ClientID = *identity.ClientID
+				v.PrincipalID = *identity.ObjectID
 
 				doc.OpenShiftCluster.Identity.UserAssignedIdentities[k] = v
 				return nil
@@ -226,12 +224,11 @@ func (m *manager) clusterIdentityIDs(ctx context.Context) error {
 // at a time (the cluster MSI) and thus we expect the response to only contain a single
 // identity's details.
 func getSingleExplicitIdentity(msiCredObj *dataplane.ManagedIdentityCredentials) (dataplane.UserAssignedIdentityCredentials, error) {
-	if msiCredObj.ExplicitIdentities == nil ||
-		len(*msiCredObj.ExplicitIdentities) == 0 {
+	if len(msiCredObj.ExplicitIdentities) == 0 {
 		return dataplane.UserAssignedIdentityCredentials{}, errClusterMsiNotPresentInResponse
 	}
 
-	return (*msiCredObj.ExplicitIdentities)[0], nil
+	return msiCredObj.ExplicitIdentities[0], nil
 }
 
 // fixupClusterMsiTenantID repopulates the cluster MSI's tenant ID in the cluster doc by

pkg/cluster/clustermsi_test.go

@@ -42,24 +42,24 @@ func TestEnsureClusterMsiCertificate(t *testing.T) {
 
 	placeholderString := "placeholder"
 	placeholderCredentialsObject := &dataplane.ManagedIdentityCredentials{
-		ExplicitIdentities: &[]dataplane.UserAssignedIdentityCredentials{
+		ExplicitIdentities: []dataplane.UserAssignedIdentityCredentials{
 			{
-				ClientId:                   &placeholderString,
+				ClientID:                   &placeholderString,
 				ClientSecret:               &placeholderString,
-				TenantId:                   &placeholderString,
-				ResourceId:                 &miResourceId,
+				TenantID:                   &placeholderString,
+				ResourceID:                 &miResourceId,
 				AuthenticationEndpoint:     &placeholderString,
 				CannotRenewAfter:           &placeholderString,
-				ClientSecretUrl:            &placeholderString,
+				ClientSecretURL:            &placeholderString,
 				MtlsAuthenticationEndpoint: &placeholderString,
 				NotAfter:                   &placeholderString,
 				NotBefore:                  &placeholderString,
 				RenewAfter:                 &placeholderString,
 				CustomClaims: &dataplane.CustomClaims{
-					XmsAzNwperimid: &[]string{placeholderString},
-					XmsAzTm:        &placeholderString,
+					XMSAzNwperimid: []string{placeholderString},
+					XMSAzTm:        &placeholderString,
 				},
-				ObjectId: &placeholderString,
+				ObjectID: &placeholderString,
 			},
 		},
 	}
@@ -237,24 +237,24 @@ func TestClusterIdentityIDs(t *testing.T) {
 
 	msiDataPlaneValidStub := func(client *mock_msidataplane.MockClient) {
 		client.EXPECT().GetUserAssignedIdentitiesCredentials(gomock.Any(), gomock.Any()).Return(&dataplane.ManagedIdentityCredentials{
-			ExplicitIdentities: &[]dataplane.UserAssignedIdentityCredentials{
+			ExplicitIdentities: []dataplane.UserAssignedIdentityCredentials{
 				{
-					ClientId:   &miClientId,
-					ObjectId:   &miObjectId,
-					ResourceId: &miResourceId,
+					ClientID:   &miClientId,
+					ObjectID:   &miObjectId,
+					ResourceID: &miResourceId,
 
 					ClientSecret:               &placeholderString,
-					TenantId:                   &placeholderString,
+					TenantID:                   &placeholderString,
 					AuthenticationEndpoint:     &placeholderString,
 					CannotRenewAfter:           &placeholderString,
-					ClientSecretUrl:            &placeholderString,
+					ClientSecretURL:            &placeholderString,
 					MtlsAuthenticationEndpoint: &placeholderString,
 					NotAfter:                   &placeholderString,
 					NotBefore:                  &placeholderString,
 					RenewAfter:                 &placeholderString,
 					CustomClaims: &dataplane.CustomClaims{
-						XmsAzNwperimid: &[]string{placeholderString},
-						XmsAzTm:        &placeholderString,
+						XMSAzNwperimid: []string{placeholderString},
+						XMSAzTm:        &placeholderString,
 					},
 				},
 			},
@@ -442,22 +442,22 @@ func TestClusterIdentityIDs(t *testing.T) {
 func TestGetSingleExplicitIdentity(t *testing.T) {
 	placeholderString := "placeholder"
 	validIdentity := dataplane.UserAssignedIdentityCredentials{
-		ClientId:                   &placeholderString,
+		ClientID:                   &placeholderString,
 		ClientSecret:               &placeholderString,
-		TenantId:                   &placeholderString,
-		ResourceId:                 &placeholderString,
+		TenantID:                   &placeholderString,
+		ResourceID:                 &placeholderString,
 		AuthenticationEndpoint:     &placeholderString,
 		CannotRenewAfter:           &placeholderString,
-		ClientSecretUrl:            &placeholderString,
+		ClientSecretURL:            &placeholderString,
 		MtlsAuthenticationEndpoint: &placeholderString,
 		NotAfter:                   &placeholderString,
 		NotBefore:                  &placeholderString,
 		RenewAfter:                 &placeholderString,
 		CustomClaims: &dataplane.CustomClaims{
-			XmsAzNwperimid: &[]string{placeholderString},
-			XmsAzTm:        &placeholderString,
+			XMSAzNwperimid: []string{placeholderString},
+			XMSAzTm:        &placeholderString,
 		},
-		ObjectId: &placeholderString,
+		ObjectID: &placeholderString,
 	}
 
 	for _, tt := range []struct {
@@ -474,14 +474,14 @@ func TestGetSingleExplicitIdentity(t *testing.T) {
 		{
 			name: "ExplicitIdentities empty, returns error",
 			msiCredObj: &dataplane.ManagedIdentityCredentials{
-				ExplicitIdentities: &[]dataplane.UserAssignedIdentityCredentials{},
+				ExplicitIdentities: []dataplane.UserAssignedIdentityCredentials{},
 			},
 			wantErr: errClusterMsiNotPresentInResponse.Error(),
 		},
 		{
 			name: "ExplicitIdentities first element is valid, returns it",
 			msiCredObj: &dataplane.ManagedIdentityCredentials{
-				ExplicitIdentities: &[]dataplane.UserAssignedIdentityCredentials{
+				ExplicitIdentities: []dataplane.UserAssignedIdentityCredentials{
 					validIdentity,
 				},
 			},