Add Workload Identity feature

equinor · Mar 12, 2024 · 20fe7a8 · 20fe7a8
1 parent 17dfc13
commit 20fe7a8
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 17 deletions.
diff --git a/go.mod b/go.mod
@@ -6,7 +6,7 @@ toolchain go1.21.0
 
 require (
 	github.com/containerd/containerd v1.7.11
-	github.com/equinor/radix-common v1.7.1
+	github.com/equinor/radix-common v1.9.2
 	github.com/equinor/radix-operator v1.48.0
 	github.com/golang/mock v1.6.0
 	github.com/microsoft/go-mssqldb v1.6.0
@@ -17,7 +17,7 @@ require (
 	github.com/spf13/viper v1.18.2
 	github.com/stretchr/testify v1.8.4
 	gorm.io/driver/sqlserver v1.5.2
-	gorm.io/gorm v1.25.5
+	gorm.io/gorm v1.25.7
 	k8s.io/api v0.29.0
 	k8s.io/apimachinery v0.29.0
 	k8s.io/client-go v0.29.0
@@ -26,15 +26,20 @@ require (
 
 require (
 	dario.cat/mergo v1.0.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.1.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/evanphx/json-patch v5.7.0+incompatible // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
-	github.com/go-logr/logr v1.3.0 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-openapi/jsonpointer v0.20.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.4 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
 	github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
 	github.com/golang-sql/sqlexp v0.1.0 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
@@ -48,6 +53,7 @@ require (
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
@@ -57,6 +63,7 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
+	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect

diff --git a/go.sum b/go.sum
@@ -27,11 +27,12 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dnaeon/go-vcr v1.1.0/go.mod h1:M7tiix8f0r6mKKJ3Yq/kqU1OYf3MnfmBWVbPx/yU9ko=
+github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
 github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/equinor/radix-common v1.7.1 h1:kl7Tuo2VEo2WHGm/vkvktrZ9t9S3Nht7Mob3CSIzcJI=
-github.com/equinor/radix-common v1.7.1/go.mod h1:M6mhgHtFQ3rnjJnyOuECXiZOh7XQ5xVeHMyCAU+YPzQ=
+github.com/equinor/radix-common v1.9.2 h1:pOYN/mSAoPe6KO/Nvudfd5DUETbLv4nLTLzFPr62ADw=
+github.com/equinor/radix-common v1.9.2/go.mod h1:ekn86U68NT4ccSdt3GT+ukpiclzfuhr96a7zBJKv/jw=
 github.com/equinor/radix-operator v1.48.0 h1:10ABXtD7SJAJ2FcYOTJrWjW8h9nbsCsxQQ5LwC9qqYs=
 github.com/equinor/radix-operator v1.48.0/go.mod h1:kwwnvyW1WKCKiXVSKNhkG7zAe1sFC2XW9IbNZsCCgRw=
 github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI=
@@ -40,8 +41,9 @@ github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHk
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
-github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
 github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
+github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
 github.com/go-openapi/jsonpointer v0.20.0 h1:ESKJdU9ASRfaPNOPRx12IUyA1vn3R9GiE3KYD14BXdQ=
 github.com/go-openapi/jsonpointer v0.20.0/go.mod h1:6PGzBjjIIumbLYysB73Klnms1mwnU4G3YHOECG3CedA=
@@ -56,6 +58,7 @@ github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5x
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v4 v4.4.3/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
 github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
@@ -312,8 +315,8 @@ gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gorm.io/driver/sqlserver v1.5.2 h1:+o4RQ8w1ohPbADhFqDxeeZnSWjwOcBnxBckjTbcP4wk=
 gorm.io/driver/sqlserver v1.5.2/go.mod h1:gaKF0MO0cfTq9Q3/XhkowSw4g6nIwHPGAs4hzKCmvBo=
 gorm.io/gorm v1.25.2-0.20230610234218-206613868439/go.mod h1:L4uxeKpfBml98NYqVqwAdmV1a2nBtAec/cf3fpucW/k=
-gorm.io/gorm v1.25.5 h1:zR9lOiiYf09VNh5Q1gphfyia1JpiClIWG9hQaxB/mls=
-gorm.io/gorm v1.25.5/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8=
+gorm.io/gorm v1.25.7 h1:VsD6acwRjz2zFxGO50gPO6AkNs7KKnvfzUjHQhZDz/A=
+gorm.io/gorm v1.25.7/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8=
 k8s.io/api v0.29.0 h1:NiCdQMY1QOp1H8lfRyeEf8eOwV6+0xA6XEE44ohDX2A=
 k8s.io/api v0.29.0/go.mod h1:sdVmXoz2Bo/cb77Pxi71IPTSErEW32xa4aXwKH7gfBA=
 k8s.io/apimachinery v0.29.0 h1:+ACVktwyicPz0oc6MTMLwa2Pw3ouLAfAon1wPLtG48o=

diff --git a/main.go b/main.go
@@ -52,6 +52,7 @@ func setupLogger(opts *server.Options, ctx context.Context) (context.Context, er
 		log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr, TimeFormat: time.TimeOnly})
 	}
 	ctx = log.Logger.WithContext(ctx)
+	zerolog.DefaultContextLogger = &log.Logger
 	return ctx, nil
 }
 
@@ -64,6 +65,7 @@ func logOptions(opts *server.Options) {
 	log.Info().Msgf("  db-database: %v", opts.DB.Database)
 	log.Info().Msgf("  db-username: %v", opts.DB.UserName)
 	log.Info().Msgf("  db-password set: %v", len(opts.DB.Password) > 0)
+	log.Info().Msgf("  db-use-federated-token set: %v", opts.DB.UseFederatedToken)
 	log.Info().Msgf("  vulnerability-scan-timeout: %s", opts.VulnerabilityScan.ScanTimeout)
 	log.Info().Msgf("  vulnerability-rescan-age: %s", opts.VulnerabilityScan.RescanAge)
 	log.Info().Msgf("  docker-config-file: %s", opts.Docker.AuthsFile)

diff --git a/pkg/server/load.go b/pkg/server/load.go
@@ -58,6 +58,7 @@ func dbFlagset() *pflag.FlagSet {
 	flagset.String("db-database", "", "SQL Server database name")
 	flagset.String("db-username", "", "SQL Server user name")
 	flagset.String("db-password", "", "SQL Server password")
+	flagset.String("db-use-federated-token", "", "SQL Use federated token")
 	return flagset
 }
 

diff --git a/pkg/server/options.go b/pkg/server/options.go
@@ -24,10 +24,11 @@ type (
 
 	// DBOptions contains configuration for database connection
 	DBOptions struct {
-		Server   string `flag:"db-server" cfg:"db_server"`
-		Database string `flag:"db-database" cfg:"db_database"`
-		UserName string `flag:"db-username" cfg:"db_username"`
-		Password string `flag:"db-password" cfg:"db_password"`
+		Server            string `flag:"db-server" cfg:"db_server"`
+		Database          string `flag:"db-database" cfg:"db_database"`
+		UserName          string `flag:"db-username" cfg:"db_username"`
+		Password          string `flag:"db-password" cfg:"db_password"`
+		UseFederatedToken bool   `flag:"db-use-federated-token" cfg:"db_use_federated_token" default:"false"`
 	}
 
 	// DockerOptions contains configuration for accessing docker images

diff --git a/pkg/server/server.go b/pkg/server/server.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"sync"
 
+	commongorm "github.com/equinor/radix-common/pkg/gorm"
 	v1 "github.com/equinor/radix-operator/pkg/apis/radix/v1"
 	radix "github.com/equinor/radix-operator/pkg/client/clientset/versioned"
 	radixinformer "github.com/equinor/radix-operator/pkg/client/informers/externalversions"
@@ -14,9 +15,9 @@ import (
 	"github.com/equinor/radix-vulnerability-scanner/pkg/observe"
 	"github.com/equinor/radix-vulnerability-scanner/pkg/scan"
 	"github.com/equinor/radix-vulnerability-scanner/pkg/utils"
+	"github.com/microsoft/go-mssqldb/azuread"
 	"gorm.io/driver/sqlserver"
 	"gorm.io/gorm"
-	gormlogger "gorm.io/gorm/logger"
 	"gorm.io/gorm/schema"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/kubernetes"
@@ -149,12 +150,22 @@ func (s *Server) run(stopCh <-chan struct{}) error {
 }
 
 func getRepository(opts *DBOptions) (db.Repository, error) {
-	dsn := fmt.Sprintf("server=%s;database=%s;user id=%s;password=%s", opts.Server, opts.Database, opts.UserName, opts.Password)
+	var dsn string
+	if opts.UseFederatedToken {
+		dsn = fmt.Sprintf("server=%s;database=%s;fedauth=ActiveDirectoryDefault", opts.Server, opts.Database)
+	} else {
+		dsn = fmt.Sprintf("server=%s;database=%s;user id=%s;password=%s", opts.Server, opts.Database, opts.UserName, opts.Password)
+	}
+
+	dialector := sqlserver.New(sqlserver.Config{
+		DriverName: azuread.DriverName,
+		DSN:        dsn,
+	})
 
-	gormdb, err := gorm.Open(sqlserver.Open(dsn), &gorm.Config{
+	gormdb, err := gorm.Open(dialector, &gorm.Config{
 		NamingStrategy:       schema.NamingStrategy{NoLowerCase: true},
-		Logger:               gormlogger.Default.LogMode(gormlogger.Silent),
-		DisableAutomaticPing: true,
+		Logger:               commongorm.NewLogger(),
+		DisableAutomaticPing: false,
 	})
 	if err != nil {
 		return nil, err