This commit is contained in:
Anthony Chand 2025-08-05 09:37:04 -04:00 committed by GitHub
commit 7e1447c954
3 changed files with 21 additions and 5 deletions


@ -58,8 +58,11 @@ The following fields are used:
* `aadClientSecret` is associated with the Service Principal. This is only used with Service Principal method documented in the next section.
* `useManagedIdentityExtension` - this is set to `true` if you use either AKS Kubelet Identity or AAD Pod Identities methods documented in the next section.
* `userAssignedIdentityID` - this contains the client id from the Managed identity when using the AAD Pod Identities method documented in the next setion.
* `activeDirectoryAuthorityHost` - this contains the uri to overwrite the default provided AAD Endpoint. This is useful for providing additional support where the endpoint is not available in the default cloud config from the [azure-sdk-for-go](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud#pkg-variables).
* `activeDirectoryAuthorityHost` - this contains the URI to override the default Azure Active Directory authority endpoint.
This is useful for Azure Stack Cloud deployments or custom environments.
* `useWorkloadIdentityExtension` - this is set to `true` if you use Workload Identity method documented in the next section.
* `ResourceManagerAudience` - this specifies the audience for the Azure Resource Manager service when using Azure Stack Cloud. This is required for Azure Stack Cloud deployments to authenticate with the correct Resource Manager endpoint.
* `ResourceManagerEndpoint` - this specifies the endpoint URL for the Azure Resource Manager service when using Azure Stack Cloud. This is required for Azure Stack Cloud deployments to point to the correct Resource Manager instance.
The Azure DNS provider expects, by default, that the configuration file is at `/etc/kubernetes/azure.json`. This can be overridden with the `--azure-config-file` option when starting ExternalDNS.


@ -46,6 +46,8 @@ type config struct {
UseWorkloadIdentityExtension bool `json:"useWorkloadIdentityExtension" yaml:"useWorkloadIdentityExtension"`
UserAssignedIdentityID string `json:"userAssignedIdentityID" yaml:"userAssignedIdentityID"`
ActiveDirectoryAuthorityHost string `json:"activeDirectoryAuthorityHost" yaml:"activeDirectoryAuthorityHost"`
ResourceManagerAudience string `json:"resourceManagerAudience" yaml:"resourceManagerAudience"`
ResourceManagerEndpoint string `json:"resourceManagerEndpoint" yaml:"resourceManagerEndpoint"`
}
func getConfig(configFile, subscriptionID, resourceGroup, userAssignedIdentityClientID, activeDirectoryAuthorityHost string) (*config, error) {
@ -106,7 +108,7 @@ func CustomHeaderPolicynew() policy.Policy { return &customHeaderPolicy{} }
// getCredentials retrieves Azure API credentials.
func getCredentials(cfg config, maxRetries int) (azcore.TokenCredential, *arm.ClientOptions, error) {
cloudCfg, err := getCloudConfiguration(cfg.Cloud)
cloudCfg, err := getCloudConfiguration(cfg)
if err != nil {
return nil, nil, fmt.Errorf("failed to get cloud configuration: %w", err)
}
@ -193,8 +195,8 @@ func getCredentials(cfg config, maxRetries int) (azcore.TokenCredential, *arm.Cl
return nil, nil, fmt.Errorf("no credentials provided for Azure API")
}
func getCloudConfiguration(name string) (cloud.Configuration, error) {
name = strings.ToUpper(name)
func getCloudConfiguration(cfg config) (cloud.Configuration, error) {
name := strings.ToUpper(cfg.Cloud)
switch name {
case "AZURECLOUD", "AZUREPUBLICCLOUD", "":
return cloud.AzurePublic, nil
@ -202,6 +204,16 @@ func getCloudConfiguration(name string) (cloud.Configuration, error) {
return cloud.AzureGovernment, nil
case "AZURECHINACLOUD":
return cloud.AzureChina, nil
case "AZURESTACKCLOUD":
return cloud.Configuration{
ActiveDirectoryAuthorityHost: cfg.ActiveDirectoryAuthorityHost,
Services: map[cloud.ServiceName]cloud.ServiceConfiguration{
cloud.ResourceManager: {
Audience: cfg.ResourceManagerAudience,
Endpoint: cfg.ResourceManagerEndpoint,
},
},
}, nil
}
return cloud.Configuration{}, fmt.Errorf("unknown cloud name: %s", name)
}
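Review bot: The `AZURESTACKCLOUD` branch builds the Configuration straight from cfg without checking that any of the three fields is populated, so an azure.json that omits `activeDirectoryAuthorityHost`, `resourceManagerAudience` or `resourceManagerEndpoint` produces a Configuration of empty strings instead of a clear error; an empty authority host in particular may be silently replaced by an SDK default rather than rejected, which is not what a Stack deployment wants. Guard the branch before the return: `if cfg.ActiveDirectoryAuthorityHost == "" || cfg.ResourceManagerAudience == "" || cfg.ResourceManagerEndpoint == "" {` / `return cloud.Configuration{}, fmt.Errorf("azurestackcloud requires activeDirectoryAuthorityHost, resourceManagerAudience and resourceManagerEndpoint")` / `}`. getCloudConfiguration's signature and the start of its switch are in the previous hunk. Separately, the new struct tags in the first hunk are lower-camel (`resourceManagerAudience`, `resourceManagerEndpoint`) while the documentation added in this commit names the keys `ResourceManagerAudience`/`ResourceManagerEndpoint`; encoding/json matches field names case-insensitively but the yaml tag path generally does not, so the two should be aligned.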


@ -45,7 +45,8 @@ func TestGetCloudConfiguration(t *testing.T) {
for name, test := range tests {
t.Run(name, func(t *testing.T) {
cloudCfg, err := getCloudConfiguration(test.cloudName)
cfg := config{Cloud: test.cloudName}
cloudCfg, err := getCloudConfiguration(cfg)
if err != nil {
t.Errorf("got unexpected err %v", err)
}
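Review bot: This hunk only adapts TestGetCloudConfiguration to the new `config` argument; no case exercising the new `AZURESTACKCLOUD` branch is visible, and since the branch is the only one that reads fields other than `Cloud`, it is the one most worth a table entry asserting that the returned Configuration carries the configured `ActiveDirectoryAuthorityHost` and the `ResourceManager` audience and endpoint. The tests table is defined outside this hunk, so such a case may already exist; if not, adding one (and, if the branch is made to reject empty values, a negative case) would pin the behaviour. The enclosing test function starts before this hunk.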