in pkg/internal/token/clientcertcredential.go [26:72]
// newClientCertificateCredential builds a CredentialProvider that
// authenticates with the client certificate and private key stored at
// opts.ClientCert.
//
// ClientID, TenantID and ClientCert are mandatory. When
// opts.UsePersistentCache is set a persistent token cache is requested;
// if creating it fails, the failure is only logged at V(5) and the zero
// Cache value is passed through, so azidentity falls back to its default
// caching instead of the call failing.
//
// Returns an error when a required option is missing, when the certificate
// file cannot be read or decoded, or when azidentity rejects the credential
// configuration.
func newClientCertificateCredential(opts *Options) (CredentialProvider, error) {
	switch {
	case opts.ClientID == "":
		return nil, fmt.Errorf("client ID cannot be empty")
	case opts.TenantID == "":
		return nil, fmt.Errorf("tenant ID cannot be empty")
	case opts.ClientCert == "":
		return nil, fmt.Errorf("client certificate cannot be empty")
	}

	// The persistent cache is best-effort: on failure tokenCache keeps
	// whatever cache.New returned (the zero value on error) and the
	// credential uses azidentity's default caching.
	var tokenCache azidentity.Cache
	if opts.UsePersistentCache {
		persistent, cacheErr := cache.New(nil)
		if cacheErr != nil {
			klog.V(5).Infof("failed to create cache: %v", cacheErr)
		}
		tokenCache = persistent
	}

	// Load the certificate and private key from the configured file; the
	// password is forwarded for an encrypted key.
	cert, key, err := readCertificate(opts.ClientCert, opts.ClientCertPassword)
	if err != nil {
		return nil, fmt.Errorf("failed to read certificate: %w", err)
	}

	// SendCertificateChain attaches the certificate chain (x5c) to the
	// client assertion sent to the token endpoint.
	credOpts := &azidentity.ClientCertificateCredentialOptions{
		ClientOptions:            azcore.ClientOptions{Cloud: opts.GetCloudConfiguration()},
		Cache:                    tokenCache,
		SendCertificateChain:     true,
		DisableInstanceDiscovery: opts.DisableInstanceDiscovery,
	}
	// An explicitly supplied HTTP client overrides azcore's default transport.
	if transport := opts.httpClient; transport != nil {
		credOpts.ClientOptions.Transport = transport
	}

	inner, err := azidentity.NewClientCertificateCredential(
		opts.TenantID, opts.ClientID,
		[]*x509.Certificate{cert}, key,
		credOpts)
	if err != nil {
		return nil, fmt.Errorf("failed to create client certificate credential: %w", err)
	}
	return &ClientCertificateCredential{cred: inner}, nil
}