refactor: re-impl azure keyvault deployer

2025-04-18 17:46:40 +08:00
parent 0004eac764
commit 283b150d60
7 changed files with 140 additions and 58 deletions
--- a/internal/pkg/core/uploader/providers/azure-keyvault/azure_keyvault.go
+++ b/internal/pkg/core/uploader/providers/azure-keyvault/azure_keyvault.go
@@ -30,8 +30,6 @@ type UploaderConfig struct {
 	CloudName string `json:"cloudName,omitempty"`
 	// Key Vault 名称。
 	KeyVaultName string `json:"keyvaultName"`
-	// Certificate 名称。
-	CertificateName string `json:"certificateName,omitempty"`
 }

 type UploaderProvider struct {
@@ -91,11 +89,6 @@ func (u *UploaderProvider) Upload(ctx context.Context, certPem string, privkeyPe
 		}

 		for _, certItem := range page.Value {
-			// 如果已经指定了证书名称，则跳过证书名称不匹配的证书
-			if u.config.CertificateName != "" && certItem.ID.Name() != u.config.CertificateName {
-				continue
-			}
-
 			// 先对比证书有效期
 			if certItem.Attributes == nil {
 				continue
@@ -146,16 +139,13 @@ func (u *UploaderProvider) Upload(ctx context.Context, certPem string, privkeyPe
 		}
 	}

-	certName := u.config.CertificateName
-	if certName == "" {
-		// 未指定证书名称时，生成包含timestamp的新证书名（需符合 Azure 命名规则）
-		certName = fmt.Sprintf("certimate-%d", time.Now().UnixMilli())
-	}
+	// 生成新证书名（需符合 Azure 命名规则）
+	certName := fmt.Sprintf("certimate-%d", time.Now().UnixMilli())

-	// Azure Key Vault 不支持导入带有Certificiate Chain的PEM证书。
+	// Azure Key Vault 不支持导入带有 Certificiate Chain 的 PEM 证书。
 	// Issue Link: https://github.com/Azure/azure-cli/issues/19017
 	// 暂时的解决方法是，将 PEM 证书转换成 PFX 格式，然后再导入。
-	pfxCert, err := certutil.TransformCertificateFromPEMToPFX(certPem, privkeyPem, "")
+	certPfx, err := certutil.TransformCertificateFromPEMToPFX(certPem, privkeyPem, "")
 	if err != nil {
 		return nil, xerrors.Wrap(err, "failed to transform certificate from PEM to PFX")
 	}
@@ -163,7 +153,7 @@ func (u *UploaderProvider) Upload(ctx context.Context, certPem string, privkeyPe
 	// 导入证书
 	// REF: https://learn.microsoft.com/en-us/rest/api/keyvault/certificates/import-certificate/import-certificate
 	importCertificateParams := azcertificates.ImportCertificateParameters{
-		Base64EncodedCertificate: to.Ptr(base64.StdEncoding.EncodeToString(pfxCert)),
+		Base64EncodedCertificate: to.Ptr(base64.StdEncoding.EncodeToString(certPfx)),
 		CertificatePolicy: &azcertificates.CertificatePolicy{
 			SecretProperties: &azcertificates.SecretProperties{
 				ContentType: to.Ptr("application/x-pkcs12"),
--- a/internal/pkg/core/uploader/providers/azure-keyvault/azure_keyvault_test.go
+++ b/internal/pkg/core/uploader/providers/azure-keyvault/azure_keyvault_test.go
@@ -13,13 +13,13 @@ import (
 )

 var (
-	fInputCertPath   string
-	fInputKeyPath    string
-	fTenantId        string
-	fAccessKeyId     string
-	fSecretAccessKey string
-	fKeyVaultName    string
-	fCertificateName string
+	fInputCertPath string
+	fInputKeyPath  string
+	fTenantId      string
+	fClientId      string
+	fClientSecret  string
+	fCloudName     string
+	fKeyVaultName  string
 )

 func init() {
@@ -28,10 +28,10 @@ func init() {
 	flag.StringVar(&fInputCertPath, argsPrefix+"INPUTCERTPATH", "", "")
 	flag.StringVar(&fInputKeyPath, argsPrefix+"INPUTKEYPATH", "", "")
 	flag.StringVar(&fTenantId, argsPrefix+"TENANTID", "", "")
-	flag.StringVar(&fAccessKeyId, argsPrefix+"ACCESSKEYID", "", "")
-	flag.StringVar(&fSecretAccessKey, argsPrefix+"SECRETACCESSKEY", "", "")
+	flag.StringVar(&fClientId, argsPrefix+"CLIENTID", "", "")
+	flag.StringVar(&fClientSecret, argsPrefix+"CLIENTSECRET", "", "")
+	flag.StringVar(&fCloudName, argsPrefix+"CLOUDNAME", "", "")
 	flag.StringVar(&fKeyVaultName, argsPrefix+"KEYVAULTNAME", "", "")
-	flag.StringVar(&fCertificateName, argsPrefix+"CERTIFICATENAME", "", "")
 }

 /*
@@ -41,10 +41,10 @@ Shell command to run this test:
 	--CERTIMATE_UPLOADER_AZUREKEYVAULT_INPUTCERTPATH="/path/to/your-input-cert.pem" \
 	--CERTIMATE_UPLOADER_AZUREKEYVAULT_INPUTKEYPATH="/path/to/your-input-key.pem" \
 	--CERTIMATE_UPLOADER_AZUREKEYVAULT_TENANTID="your-tenant-id" \
-	--CERTIMATE_UPLOADER_AZUREKEYVAULT_ACCESSKEYID="your-app-registration-client-id" \
-	--CERTIMATE_UPLOADER_AZUREKEYVAULT_SECRETACCESSKEY="your-app-registration-client-secret" \
-	--CERTIMATE_UPLOADER_AZUREKEYVAULT_KEYVAULTNAME="your-keyvault-name" \
-	--CERTIMATE_UPLOADER_AZUREKEYVAULT_CERTIFICATENAME="your-certificate-name"
+	--CERTIMATE_UPLOADER_AZUREKEYVAULT_CLIENTID="your-app-registration-client-id" \
+	--CERTIMATE_UPLOADER_AZUREKEYVAULT_CLIENTSECRET="your-app-registration-client-secret" \
+	--CERTIMATE_UPLOADER_AZUREKEYVAULT_CLOUDNAME="china" \
+	--CERTIMATE_UPLOADER_AZUREKEYVAULT_KEYVAULTNAME="your-keyvault-name"
 */
 func TestDeploy(t *testing.T) {
 	flag.Parse()
@@ -55,18 +55,18 @@ func TestDeploy(t *testing.T) {
 			fmt.Sprintf("INPUTCERTPATH: %v", fInputCertPath),
 			fmt.Sprintf("INPUTKEYPATH: %v", fInputKeyPath),
 			fmt.Sprintf("TENANTID: %v", fTenantId),
-			fmt.Sprintf("ACCESSKEYID: %v", fAccessKeyId),
-			fmt.Sprintf("SECRETACCESSKEY: %v", fSecretAccessKey),
+			fmt.Sprintf("CLIENTID: %v", fClientId),
+			fmt.Sprintf("CLIENTSECRET: %v", fClientSecret),
+			fmt.Sprintf("CLOUDNAME: %v", fCloudName),
 			fmt.Sprintf("KEYVAULTNAME: %v", fKeyVaultName),
-			fmt.Sprintf("CERTIFICATENAME: %v", fCertificateName),
 		}, "\n"))

 		uploader, err := provider.NewUploader(&provider.UploaderConfig{
-			TenantId:        fTenantId,
-			ClientId:        fAccessKeyId,
-			ClientSecret:    fSecretAccessKey,
-			KeyVaultName:    fKeyVaultName,
-			CertificateName: fCertificateName,
+			TenantId:     fTenantId,
+			ClientId:     fClientId,
+			ClientSecret: fClientSecret,
+			CloudName:    fCloudName,
+			KeyVaultName: fKeyVaultName,
 		})
 		if err != nil {
 			t.Errorf("err: %+v", err)