kubernetes-sigs · bryan-cox · Feb 16, 2025
diff --git a/azure/scope/clients.go b/azure/scope/clients.go
@@ -25,26 +25,31 @@
 	"strings"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
-	azureautorest "github.com/Azure/go-autorest/autorest/azure"
-	"github.com/Azure/go-autorest/autorest/azure/auth"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
 
 	infrav1 "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"
+	"sigs.k8s.io/cluster-api-provider-azure/azure"
 )
 
 // AzureClients contains all the Azure clients used by the scopes.
 type AzureClients struct {
-	auth.EnvironmentSettings
+	environmentSettings
 
 	TokenCredential            azcore.TokenCredential
-	ResourceManagerEndpoint    string
 	ResourceManagerVMDNSSuffix string
 
 	authType infrav1.IdentityType
 }
 
+type environmentSettings struct {
+	Values        map[string]string
+	CloudType     string
+	CloudSettings cloud.Configuration
+}
+
 // CloudEnvironment returns the Azure environment the controller runs in.
 func (c *AzureClients) CloudEnvironment() string {
-	return c.Environment.Name
+	return c.environmentSettings.CloudType
 }
 
 // TenantID returns the Azure tenant id the controller runs in.
@@ -86,45 +91,40 @@
 		return fmt.Errorf("credentials provider cannot have an empty value")
 	}
 
-	settings, err := c.getSettingsFromEnvironment(environmentName)
-	if err != nil {
-		return err
-	}
+	c.environmentSettings = c.getSettingsFromEnvironment(environmentName)
 
 	if subscriptionID == "" {
-		subscriptionID = settings.GetSubscriptionID()
+		subscriptionID = c.environmentSettings.Values["AZURE_SUBSCRIPTION_ID"]
 		if subscriptionID == "" {
 			return fmt.Errorf("error creating azure services. subscriptionID is not set in cluster or AZURE_SUBSCRIPTION_ID env var")
 		}
 	}
 
-	c.EnvironmentSettings = settings
-	c.ResourceManagerEndpoint = settings.Environment.ResourceManagerEndpoint
-	c.ResourceManagerVMDNSSuffix = settings.Environment.ResourceManagerVMDNSSuffix
-	c.Values["AZURE_SUBSCRIPTION_ID"] = strings.TrimSuffix(subscriptionID, "\n")
-	c.Values["AZURE_TENANT_ID"] = strings.TrimSuffix(credentialsProvider.GetTenantID(), "\n")
-	c.Values["AZURE_CLIENT_ID"] = strings.TrimSuffix(credentialsProvider.GetClientID(), "\n")
+	c.environmentSettings.Values["AZURE_SUBSCRIPTION_ID"] = strings.TrimSuffix(subscriptionID, "\n")
+	c.environmentSettings.Values["AZURE_TENANT_ID"] = strings.TrimSuffix(credentialsProvider.GetTenantID(), "\n")
+	c.environmentSettings.Values["AZURE_CLIENT_ID"] = strings.TrimSuffix(credentialsProvider.GetClientID(), "\n")
 
 	clientSecret, err := credentialsProvider.GetClientSecret(ctx)
 	if err != nil {
 		return err
 	}
-	c.Values["AZURE_CLIENT_SECRET"] = strings.TrimSuffix(clientSecret, "\n")
+	c.environmentSettings.Values["AZURE_CLIENT_SECRET"] = strings.TrimSuffix(clientSecret, "\n")
 
 	c.authType = credentialsProvider.Type()
 
-	tokenCredential, err := credentialsProvider.GetTokenCredential(ctx, c.ResourceManagerEndpoint, c.Environment.ActiveDirectoryEndpoint, c.Environment.TokenAudience)
+	tokenCredential, err := credentialsProvider.GetTokenCredential(ctx, c.CloudSettings)
 	if err != nil {
 		return err
 	}
 	c.TokenCredential = tokenCredential
 	return err
 }
 
-func (c *AzureClients) getSettingsFromEnvironment(environmentName string) (s auth.EnvironmentSettings, err error) {
-	s = auth.EnvironmentSettings{
-		Values: map[string]string{},
+func (c *AzureClients) getSettingsFromEnvironment(environmentName string) environmentSettings {
+	s := environmentSettings{
+		Values: make(map[string]string),
 	}
+
 	s.Values["AZURE_ENVIRONMENT"] = environmentName
 	setValue(s, "AZURE_SUBSCRIPTION_ID")
 	setValue(s, "AZURE_TENANT_ID")
@@ -137,19 +137,33 @@
 	setValue(s, "AZURE_PASSWORD")
 	setValue(s, "AZURE_AD_RESOURCE")
 	if v := s.Values["AZURE_ENVIRONMENT"]; v == "" {
-		s.Environment = azureautorest.PublicCloud
+		s.CloudType = azure.PublicCloudName
+		s.CloudSettings = cloud.AzurePublic
 	} else {
-		s.Environment, err = azureautorest.EnvironmentFromName(v)
-	}
-	if s.Values["AZURE_AD_RESOURCE"] == "" {
-		s.Values["AZURE_AD_RESOURCE"] = s.Environment.ResourceManagerEndpoint
+		s.CloudType, s.CloudSettings = getCloudEnvironment(os.Getenv("AZURE_ENVIRONMENT"))
 	}
-	return
+	return s
 }
 
 // setValue adds the specified environment variable value to the Values map if it exists.
-func setValue(settings auth.EnvironmentSettings, key string) {
+func setValue(settings environmentSettings, key string) {
 	if v := os.Getenv(key); v != "" {
 		settings.Values[key] = v
 	}
 }
+
+func getCloudEnvironment(cloudType string) (string, cloud.Configuration) {
+	cloudType = strings.ToUpper(cloudType)
+	switch cloudType {
+	case "AZUREPUBLICCLOUD":
+		return azure.PublicCloudName, cloud.AzurePublic
+	case "AZURECLOUD":
+		return azure.PublicCloudName, cloud.AzurePublic
+	case "AZURECHINACLOUD":
+		return azure.ChinaCloudName, cloud.AzureChina
+	case "AZUREUSGOVERNMENT":
+		return azure.USGovernmentCloudName, cloud.AzureGovernment
+	default:
+		return azure.PublicCloudName, cloud.AzurePublic
+	}
+}
diff --git a/azure/scope/cluster.go b/azure/scope/cluster.go
@@ -25,6 +25,7 @@
 	"strconv"
 	"strings"
 
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
 	asonetworkv1api20201101 "github.com/Azure/azure-service-operator/v2/api/network/v1api20201101"
 	asonetworkv1api20220701 "github.com/Azure/azure-service-operator/v2/api/network/v1api20220701"
 	asoresourcesv1 "github.com/Azure/azure-service-operator/v2/api/resources/v1api20200601"
@@ -128,7 +129,7 @@
 
 // BaseURI returns the Azure ResourceManagerEndpoint.
 func (s *ClusterScope) BaseURI() string {
-	return s.ResourceManagerEndpoint
+	return s.AzureClients.CloudSettings.Services[cloud.ResourceManager].Endpoint
 }
 
 // GetClient returns the controller-runtime client.
@@ -893,7 +894,7 @@
 		return ""
 	}
 	hash := fmt.Sprintf("%x", h.Sum32())
-	return strings.ToLower(fmt.Sprintf("%s-%s.%s.%s", s.ClusterName(), hash, s.Location(), s.AzureClients.ResourceManagerVMDNSSuffix))
+	return strings.ToLower(fmt.Sprintf("%s-%s.%s", s.ClusterName(), hash, s.Location()))
 }
 
 // GenerateLegacyFQDN generates an IP name and a fully qualified domain name, based on a hash, cluster name and cluster location.
@@ -904,7 +905,7 @@
 		return "", ""
 	}
 	ipName := fmt.Sprintf("%s-%x", s.ClusterName(), h.Sum32())
-	fqdn := fmt.Sprintf("%s.%s.%s", ipName, s.Location(), s.AzureClients.ResourceManagerVMDNSSuffix)
+	fqdn := fmt.Sprintf("%s.%s", ipName, s.Location())
 	return ipName, fqdn
 }
 

diff --git a/azure/scope/cluster_test.go b/azure/scope/cluster_test.go
@@ -26,7 +26,6 @@ import (
 	asonetworkv1api20201101 "github.com/Azure/azure-service-operator/v2/api/network/v1api20201101"
 	asonetworkv1api20220701 "github.com/Azure/azure-service-operator/v2/api/network/v1api20220701"
 	asoresourcesv1 "github.com/Azure/azure-service-operator/v2/api/resources/v1api20200601"
-	"github.com/Azure/go-autorest/autorest/azure/auth"
 	"github.com/google/go-cmp/cmp"
 	. "github.com/onsi/gomega"
 	corev1 "k8s.io/api/core/v1"
@@ -56,6 +55,7 @@ import (
 const fakeClientID = "fake-client-id"
 const fakeTenantID = "fake-tenant-id"
 const fakeSubscriptionID = "123"
+const SubscriptionID = "AZURE_SUBSCRIPTION_ID"
 
 func specToString(spec any) string {
 	var sb strings.Builder
@@ -875,9 +875,9 @@ func TestNatGatewaySpecs(t *testing.T) {
 					},
 				},
 				AzureClients: AzureClients{
-					EnvironmentSettings: auth.EnvironmentSettings{
+					environmentSettings: environmentSettings{
 						Values: map[string]string{
-							auth.SubscriptionID: "123",
+							SubscriptionID: "123",
 						},
 					},
 				},
@@ -949,9 +949,9 @@ func TestNatGatewaySpecs(t *testing.T) {
 					},
 				},
 				AzureClients: AzureClients{
-					EnvironmentSettings: auth.EnvironmentSettings{
+					environmentSettings: environmentSettings{
 						Values: map[string]string{
-							auth.SubscriptionID: "123",
+							SubscriptionID: "123",
 						},
 					},
 				},
@@ -1041,9 +1041,9 @@ func TestNatGatewaySpecs(t *testing.T) {
 					},
 				},
 				AzureClients: AzureClients{
-					EnvironmentSettings: auth.EnvironmentSettings{
+					environmentSettings: environmentSettings{
 						Values: map[string]string{
-							auth.SubscriptionID: "123",
+							SubscriptionID: "123",
 						},
 					},
 				},
@@ -1341,9 +1341,9 @@ func TestSubnetSpecs(t *testing.T) {
 					},
 				},
 				AzureClients: AzureClients{
-					EnvironmentSettings: auth.EnvironmentSettings{
+					environmentSettings: environmentSettings{
 						Values: map[string]string{
-							auth.SubscriptionID: "123",
+							SubscriptionID: "123",
 						},
 					},
 				},
@@ -1422,9 +1422,9 @@ func TestSubnetSpecs(t *testing.T) {
 					},
 				},
 				AzureClients: AzureClients{
-					EnvironmentSettings: auth.EnvironmentSettings{
+					environmentSettings: environmentSettings{
 						Values: map[string]string{
-							auth.SubscriptionID: "123",
+							SubscriptionID: "123",
 						},
 					},
 				},
@@ -1718,9 +1718,9 @@ func TestAzureBastionSpec(t *testing.T) {
 					},
 				},
 				AzureClients: AzureClients{
-					EnvironmentSettings: auth.EnvironmentSettings{
+					environmentSettings: environmentSettings{
 						Values: map[string]string{
-							auth.SubscriptionID: "123",
+							SubscriptionID: "123",
 						},
 					},
 				},
@@ -3174,9 +3174,9 @@ func TestClusterScope_LBSpecs(t *testing.T) {
 				Cluster:      cluster,
 				AzureCluster: tc.azureCluster,
 				AzureClients: AzureClients{
-					EnvironmentSettings: auth.EnvironmentSettings{
+					environmentSettings: environmentSettings{
 						Values: map[string]string{
-							auth.SubscriptionID: tc.azureCluster.Spec.SubscriptionID,
+							SubscriptionID: tc.azureCluster.Spec.SubscriptionID,
 						},
 					},
 				},
@@ -3496,9 +3496,9 @@ func TestVNetPeerings(t *testing.T) {
 				Cluster:      cluster,
 				AzureCluster: azureCluster,
 				AzureClients: AzureClients{
-					EnvironmentSettings: auth.EnvironmentSettings{
+					environmentSettings: environmentSettings{
 						Values: map[string]string{
-							auth.SubscriptionID: tc.subscriptionID,
+							SubscriptionID: tc.subscriptionID,
 						},
 					},
 				},

diff --git a/azure/scope/identity.go b/azure/scope/identity.go
@@ -45,7 +45,7 @@ type CredentialsProvider interface {
 	GetClientID() string
 	GetClientSecret(ctx context.Context) (string, error)
 	GetTenantID() string
-	GetTokenCredential(ctx context.Context, resourceManagerEndpoint, activeDirectoryEndpoint, tokenAudience string) (azcore.TokenCredential, error)
+	GetTokenCredential(ctx context.Context, cloudConfig cloud.Configuration) (azcore.TokenCredential, error)
 	Type() infrav1.IdentityType
 }
 
@@ -82,7 +82,7 @@ func NewAzureCredentialsProvider(ctx context.Context, cache azure.CredentialCach
 }
 
 // GetTokenCredential returns an Azure TokenCredential based on the provided azure identity.
-func (p *AzureCredentialsProvider) GetTokenCredential(ctx context.Context, resourceManagerEndpoint, activeDirectoryEndpoint, tokenAudience string) (azcore.TokenCredential, error) {
+func (p *AzureCredentialsProvider) GetTokenCredential(ctx context.Context, cloudConfig cloud.Configuration) (azcore.TokenCredential, error) {
 	ctx, log, done := tele.StartSpanWithLogger(ctx, "azure.scope.AzureCredentialsProvider.GetTokenCredential")
 	defer done()
 
@@ -117,15 +117,7 @@ func (p *AzureCredentialsProvider) GetTokenCredential(ctx context.Context, resou
 		options := azidentity.ClientSecretCredentialOptions{
 			ClientOptions: azcore.ClientOptions{
 				TracingProvider: tracingProvider,
-				Cloud: cloud.Configuration{
-					ActiveDirectoryAuthorityHost: activeDirectoryEndpoint,
-					Services: map[cloud.ServiceName]cloud.ServiceConfiguration{
-						cloud.ResourceManager: {
-							Audience: tokenAudience,
-							Endpoint: resourceManagerEndpoint,
-						},
-					},
-				},
+				Cloud:           cloudConfig,
 			},
 		}
 		cred, authErr = p.cache.GetOrStoreClientSecret(p.GetTenantID(), p.Identity.Spec.ClientID, clientSecret, &options)

diff --git a/azure/scope/identity_test.go b/azure/scope/identity_test.go
@@ -277,15 +277,7 @@ func TestGetTokenCredential(t *testing.T) {
 			cacheExpect: func(cache *mock_azure.MockCredentialCache) {
 				cache.EXPECT().GetOrStoreClientSecret(fakeTenantID, fakeClientID, "fooSecret", gomock.Cond(func(opts *azidentity.ClientSecretCredentialOptions) bool {
 					// ignore tracing provider
-					return reflect.DeepEqual(opts.ClientOptions.Cloud, cloud.Configuration{
-						ActiveDirectoryAuthorityHost: "https://login.microsoftonline.com",
-						Services: map[cloud.ServiceName]cloud.ServiceConfiguration{
-							cloud.ResourceManager: {
-								Audience: "",
-								Endpoint: "",
-							},
-						},
-					})
+					return reflect.DeepEqual(opts.ClientOptions.Cloud, cloud.AzurePublic)
 				}))
 			},
 		},
@@ -322,15 +314,7 @@ func TestGetTokenCredential(t *testing.T) {
 			cacheExpect: func(cache *mock_azure.MockCredentialCache) {
 				cache.EXPECT().GetOrStoreClientSecret(fakeTenantID, fakeClientID, "fooSecret", gomock.Cond(func(opts *azidentity.ClientSecretCredentialOptions) bool {
 					// ignore tracing provider
-					return reflect.DeepEqual(opts.ClientOptions.Cloud, cloud.Configuration{
-						ActiveDirectoryAuthorityHost: "https://login.microsoftonline.com",
-						Services: map[cloud.ServiceName]cloud.ServiceConfiguration{
-							cloud.ResourceManager: {
-								Audience: "",
-								Endpoint: "",
-							},
-						},
-					})
+					return reflect.DeepEqual(opts.ClientOptions.Cloud, cloud.AzurePublic)
 				}))
 			},
 		},
@@ -443,7 +427,7 @@ func TestGetTokenCredential(t *testing.T) {
 
 			provider, err := NewAzureCredentialsProvider(context.Background(), cache, fakeClient, tt.cluster.Spec.IdentityRef, "")
 			g.Expect(err).NotTo(HaveOccurred())
-			_, err = provider.GetTokenCredential(context.Background(), "", tt.ActiveDirectoryAuthorityHost, "")
+			_, err = provider.GetTokenCredential(context.Background(), cloud.AzurePublic)
 			g.Expect(err).NotTo(HaveOccurred())
 		})
 	}