operator-notes: add section for azure blob access

fixes:coreos#2011
prestist · Feb 12, 2025 · eb38595 · eb38595
1 parent 6754f74
commit eb38595
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 13 deletions.
diff --git a/docs/operator-notes.md b/docs/operator-notes.md
@@ -30,6 +30,12 @@ Ignition has built-in support for fetching resources from the Amazon Simple Stor
 
 Append `?versionId=<version>` to any of the URL formats to fetch the specified object version.
 
+## Azure Blob access
+
+Ignition supports fetching resources from Azure Blob Storage. The URL format for Azure Blob Storage is `https://<storageAccount>.blob.core.windows.net/<container>/<fileName>`. Ignition will recognize this format and attempt to authenticate using the [default Azure credential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#DefaultAzureCredential) to fetch the resource via the [Azure Blob Storage API](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob#section-readme).
+
+If no credentials are found, Ignition will fall back to doing a normal HTTP fetch, which may be sufficient if the blob is public. For private blobs, ensure the environment has credentials with the necessary permissions to access the storage account and storage blob. One approach is to configure a managed identity with contributor access to the storage account and assign it to the VM during creation.
+
 ## HTTP headers
 
 When fetching data from an HTTP URL for config references, CA references and file contents, additional headers can be attached to the request using the `httpHeaders` attribute. This allows downloading data from servers that require authentication or some additional parameters from your request.

diff --git a/internal/resource/url.go b/internal/resource/url.go
@@ -151,14 +151,15 @@ func (f *Fetcher) FetchToBuffer(u url.URL, opts FetchOptions) ([]byte, error) {
 	dest := new(bytes.Buffer)
 	switch u.Scheme {
 	case "http", "https":
-		if strings.HasSuffix(u.Host, ".blob.core.windows.net") {
+		isAzureBlob := strings.HasSuffix(u.Host, ".blob.core.windows.net")
+		if isAzureBlob {
 			err = f.fetchFromAzureBlob(u, dest, opts)
 			if err != nil {
 				f.Logger.Info("could not authenticate using azure default credentials: %v", err)
-				f.Logger.Debug("falling back to fetchFromHTTP")
-				err = f.fetchFromHTTP(u, dest, opts)
+				f.Logger.Info("falling back to HTTP fetch")
 			}
-		} else {
+		}
+		if !isAzureBlob || err != nil {
 			err = f.fetchFromHTTP(u, dest, opts)
 		}
 	case "tftp":
@@ -218,19 +219,20 @@ func (f *Fetcher) Fetch(u url.URL, dest *os.File, opts FetchOptions) error {
 	if f.Offline && util.UrlNeedsNet(u) {
 		return ErrNeedNet
 	}
-
+	var err error
 	switch u.Scheme {
 	case "http", "https":
-		if strings.HasSuffix(u.Host, ".blob.core.windows.net") {
-			err := f.fetchFromAzureBlob(u, dest, opts)
+		isAzureBlob := strings.HasSuffix(u.Host, ".blob.core.windows.net")
+		if isAzureBlob {
+			err = f.fetchFromAzureBlob(u, dest, opts)
 			if err != nil {
 				f.Logger.Info("could not authenticate using azure default credentials: %v", err)
-				f.Logger.Debug("falling back to fetchFromHTTP")
-				err = f.fetchFromHTTP(u, dest, opts)
+				f.Logger.Info("falling back to HTTP fetch")
 			}
-			return err
 		}
-		return f.fetchFromHTTP(u, dest, opts)
+		if !isAzureBlob || err != nil {
+			err = f.fetchFromHTTP(u, dest, opts)
+		}
 	case "tftp":
 		return f.fetchFromTFTP(u, dest, opts)
 	case "data":
@@ -598,8 +600,8 @@ func (f *Fetcher) fetchFromAzureBlob(u url.URL, dest io.Writer, opts FetchOption
 		return fmt.Errorf("failed to obtain Azure credential: %w", err)
 	}
 
-	// Create a context with timeout
-	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	// Create a context
+	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
 	storageAccount, container, file, err := f.parseAzureStorageUrl(u)