Merge branch 'master' into master

Author: joselcaguilar

functional_tests/helpers.go

@@ -8,7 +8,6 @@ package functests
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"strings"
 
@@ -49,10 +48,10 @@ func check(cbCtx *appgw.ConfigBuilderContext, expectedFilename string, stopChan
 
 	// Repair tests
 	if os.Getenv("RENDER_SNAPSHOTS") != "" {
-		ioutil.WriteFile(expectedFilename, []byte(actualJSONTxt), 0644)
+		os.WriteFile(expectedFilename, []byte(actualJSONTxt), 0644)
 	}
 
-	expectedBytes, err := ioutil.ReadFile(expectedFilename)
+	expectedBytes, err := os.ReadFile(expectedFilename)
 	expectedJSON := strings.Trim(string(expectedBytes), "\n")
 	gomega.Expect(err).ToNot(gomega.HaveOccurred())
 

helm/ingress-azure/templates/crds.yaml

@@ -24,7 +24,7 @@ metadata:
   {{- end }}
 spec:
   {{- if .hostname }}
-  hostname: {{ .hostname }}
+  hostname: {{ .hostname | quote }}
   {{- end }}
   {{- if .paths }}
   paths:
@@ -35,4 +35,4 @@ spec:
 ---
 {{- end }}
 {{- end -}}
-{{- end -}}
+{{- end -}}

helm/ingress-azure/tests/snapshots.go

@@ -9,7 +9,6 @@ import (
 	"bufio"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -73,7 +72,7 @@ func RenderChart(chart, values, dir string) error {
 
 // CaptureSnapshot renders a new snapshot from a given Helm chart and values file.
 func CaptureSnapshot(chart, values string) (*Snapshot, error) {
-	dir, err := ioutil.TempDir("", "")
+	dir, err := os.MkdirTemp("", "")
 	if err != nil {
 		return nil, fmt.Errorf("creating tempdir: %v", err)
 	}
@@ -163,7 +162,7 @@ func StripNonDeterministic(path string) error {
 				lines = append(lines, text)
 			}
 
-			return ioutil.WriteFile(path, []byte(strings.Join(lines, "\n")), 0644)
+			return os.WriteFile(path, []byte(strings.Join(lines, "\n")), 0644)
 		})
 }
 

pkg/appgw/appgw_test.go

@@ -8,7 +8,7 @@ package appgw
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
+	"os"
 	"time"
 
 	n "github.com/Azure/azure-sdk-for-go/services/network/mgmt/2021-03-01/network"
@@ -606,11 +606,11 @@ var _ = Describe("Tests `appgw.ConfigBuilder`", func() {
 				Data: make(map[string][]byte),
 			}
 
-			key, err := ioutil.ReadFile("../../tests/data/k8s.cert.key")
+			key, err := os.ReadFile("../../tests/data/k8s.cert.key")
 			Ω(err).ToNot(HaveOccurred(), "Unable to read the cert key: %v", err)
 			ingressSecret.Data["tls.key"] = key
 
-			cert, err := ioutil.ReadFile("../../tests/data/k8s.x509.cert")
+			cert, err := os.ReadFile("../../tests/data/k8s.x509.cert")
 			Ω(err).ToNot(HaveOccurred(), "Unable to read the cert key: %v", err)
 			ingressSecret.Data["tls.crt"] = cert
 

pkg/azure/client.go

@@ -174,7 +174,7 @@ func (az *azClient) WaitForGetAccessOnGateway(maxRetryCount int) (err error) {
 					)
 
 					e.Message += fmt.Sprintf(" You can use '%s' to assign permissions."+
-						" AGIC Identity needs atleast has 'Contributor' access to Application Gateway '%s' and 'Reader' access to Application Gateway's Resource Group '%s'.",
+						" AGIC Identity needs at least 'Contributor' access to Application Gateway '%s' and 'Reader' access to Application Gateway's Resource Group '%s'.",
 						roleAssignmentCmd,
 						string(az.appGwName),
 						string(az.resourceGroupName),

pkg/azure/client_test.go

@@ -4,7 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"errors"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"time"
 
@@ -29,7 +29,7 @@ func (fs *FakeSender) Do(request *http.Request) (response *http.Response, err er
 		if fs.body != nil {
 			b, err := json.Marshal(fs.body)
 			if err == nil {
-				response.Body = ioutil.NopCloser(bytes.NewReader(b))
+				response.Body = io.NopCloser(bytes.NewReader(b))
 			}
 		}
 	}

pkg/azure/cloudproviderconfig.go

@@ -8,7 +8,7 @@ package azure
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"os"
 )
 
 // CloudProviderConfig represent the CloudProvider Context file such as Azure
@@ -29,7 +29,7 @@ type CloudProviderConfig struct {
 
 // NewCloudProviderConfig returns an CloudProviderConfig struct from file path
 func NewCloudProviderConfig(path string) (*CloudProviderConfig, error) {
-	b, err := ioutil.ReadFile(path)
+	b, err := os.ReadFile(path)
 	if err != nil {
 		return nil, fmt.Errorf("Reading Az Context file %q failed: %v", path, err)
 	}

pkg/azure/defaultazurecredential/authorizer.go

@@ -2,11 +2,14 @@ package defaultazurecredential
 
 import (
 	"context"
+	"fmt"
+	"os"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/Azure/go-autorest/autorest"
+	"github.com/Azure/go-autorest/autorest/azure"
 	"k8s.io/klog/v2"
 )
 
@@ -26,20 +29,34 @@ func NewAuthorizer() (autorest.Authorizer, error) {
 		return nil, err
 	}
 
+	scope := tokenScopeFromEnvironment()
+	klog.V(7).Infof("Fetching token with scope %s", scope)
 	return autorest.NewBearerAuthorizer(&tokenCredentialWrapper{
-		cred: cred,
+		cred:  cred,
+		scope: scope,
 	}), nil
 }
 
+func tokenScopeFromEnvironment() string {
+	cloud := os.Getenv("AZURE_ENVIRONMENT")
+	env, err := azure.EnvironmentFromName(cloud)
+	if err != nil {
+		env = azure.PublicCloud
+	}
+
+	return fmt.Sprintf("%s.default", env.TokenAudience)
+}
+
 type tokenCredentialWrapper struct {
-	cred azcore.TokenCredential
+	cred  azcore.TokenCredential
+	scope string
 }
 
 func (w *tokenCredentialWrapper) OAuthToken() string {
 	klog.V(7).Info("Getting Azure token using DefaultAzureCredential")
 
 	token, err := w.cred.GetToken(context.Background(), policy.TokenRequestOptions{
-		Scopes: []string{"https://management.azure.com/.default"},
+		Scopes: []string{w.scope},
 	})
 
 	if err != nil {

pkg/azure/defaultazurecredential/authorizer_test.go

@@ -0,0 +1,22 @@
+package defaultazurecredential
+
+import (
+	"os"
+	"testing"
+)
+
+func TestTokenScopeFromEnvironment(t *testing.T) {
+	scope := map[string]string{
+		"AZUREPUBLICCLOUD":       "https://management.azure.com/.default",
+		"AZURECHINACLOUD":        "https://management.chinacloudapi.cn/.default",
+		"AZUREUSGOVERNMENTCLOUD": "https://management.usgovcloudapi.net/.default",
+	}
+
+	for env, expectedScope := range scope {
+		os.Setenv("AZURE_ENVIRONMENT", env)
+		scope := tokenScopeFromEnvironment()
+		if scope != expectedScope {
+			t.Errorf("Expected scope %s, got %s", expectedScope, scope)
+		}
+	}
+}

pkg/brownfield/targets.go

@@ -34,7 +34,7 @@ func (t Target) IsBlacklisted(blacklist TargetBlacklist) bool {
 		// An empty blacklist hostname indicates that any hostname would be blacklisted.
 		// If host names match - this target is in the blacklist.
 		// AGIC is allowed to create and modify App Gwy config for blank host.
-		hostIsBlacklisted := blTarget.Hostname == "" || strings.ToLower(t.Hostname) == strings.ToLower(blTarget.Hostname)
+		hostIsBlacklisted := blTarget.Hostname == "" || strings.EqualFold(t.Hostname, blTarget.Hostname)
 
 		pathIsBlacklisted := blTarget.Path == "" || blTarget.Path == "/*" || t.Path.lower() == blTarget.Path.lower() || blTarget.Path.contains(t.Path) // TODO(draychev): || t.Path.contains(blTarget.Path)