Merge pull request #3940 from Azure/bvesel/remove-master-key-authorizer

remove master key authorizer in favor of local auth

hack/db/db.go

@@ -10,8 +10,6 @@ import (
 	"os"
 	"strings"
 
-	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/policy"
-	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/sirupsen/logrus"
 
 	"github.com/Azure/ARO-RP/pkg/database"
@@ -38,11 +36,6 @@ func run(ctx context.Context, log *logrus.Entry) error {
 		return err
 	}
 
-	tokenCredential, err := azidentity.NewAzureCLICredential(nil)
-	if err != nil {
-		return err
-	}
-
 	msiKVAuthorizer, err := _env.NewMSIAuthorizer(_env.Environment().KeyVaultScope)
 	if err != nil {
 		return err
@@ -64,17 +57,7 @@ func run(ctx context.Context, log *logrus.Entry) error {
 		return err
 	}
 
-	dbAccountName := os.Getenv(DatabaseAccountName)
-	clientOptions := &policy.ClientOptions{
-		ClientOptions: _env.Environment().ManagedIdentityCredentialOptions().ClientOptions,
-	}
-	logrusEntry := log.WithField("component", "database")
-	dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, logrusEntry, tokenCredential, clientOptions, _env.SubscriptionID(), _env.ResourceGroup(), dbAccountName)
-	if err != nil {
-		return err
-	}
-
-	dbc, err := database.NewDatabaseClient(log.WithField("component", "database"), _env, dbAuthorizer, &noop.Noop{}, aead, dbAccountName)
+	dbc, err := database.NewDatabaseClientFromEnv(ctx, _env, log, &noop.Noop{}, aead)
 	if err != nil {
 		return err
 	}

pkg/database/database.go

@@ -10,7 +10,6 @@ import (
 	"reflect"
 	"time"
 
-	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/policy"
 	azcorepolicy "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	sdkcosmos "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/cosmos/armcosmos/v2"
 	"github.com/sirupsen/logrus"
@@ -21,7 +20,6 @@ import (
 	"github.com/Azure/ARO-RP/pkg/env"
 	"github.com/Azure/ARO-RP/pkg/metrics"
 	dbmetrics "github.com/Azure/ARO-RP/pkg/metrics/statsd/cosmosdb"
-	"github.com/Azure/ARO-RP/pkg/util/azureclient/azuresdk/armcosmos"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/azuresdk/azcore"
 	"github.com/Azure/ARO-RP/pkg/util/encryption"
 )
@@ -57,22 +55,6 @@ func NewDatabaseClient(log *logrus.Entry, _env env.Core, authorizer cosmosdb.Aut
 	return cosmosdb.NewDatabaseClient(log, c, h, databaseAccountName+"."+_env.Environment().CosmosDBDNSSuffix, authorizer), nil
 }
 
-func NewMasterKeyAuthorizer(ctx context.Context, log *logrus.Entry, token azcore.TokenCredential, clientOptions *policy.ClientOptions, subscriptionID, resourceGroup, databaseAccountName string) (cosmosdb.Authorizer, error) {
-	databaseaccounts, err := armcosmos.NewDatabaseAccountsClient(subscriptionID, token, clientOptions)
-	if err != nil {
-		return nil, err
-	}
-
-	// no options defined in the SDK at the moment, but better than passing a nil.
-	opt := sdkcosmos.DatabaseAccountsClientListKeysOptions{}
-	keys, err := databaseaccounts.ListKeys(ctx, resourceGroup, databaseAccountName, &opt)
-	if err != nil {
-		return nil, err
-	}
-
-	return cosmosdb.NewMasterKeyAuthorizer(getDatabaseKey(keys, log))
-}
-
 func NewTokenAuthorizer(ctx context.Context, log *logrus.Entry, cred azcore.TokenCredential, databaseAccountName string, scopes []string) (cosmosdb.Authorizer, error) {
 	acquireToken := func(contxt context.Context) (token string, newExpiration time.Time, err error) {
 		tk, err := cred.GetToken(contxt, azcorepolicy.TokenRequestOptions{Scopes: scopes})