add support for workload identity #442
@cgroschupp Thank you so much for your effort, this looks amazing! 😌

After some testing this looks promising, will release a beta version to test further.

Released chart version 2.3.1 for label support on service account and images with tag 1.5.0-beta.1. Upgraded azidentity sdk to 1.3.0-beta.1 in the hope of better handling of workload identity, but the message on startup is still present.
Example of values for anyone looking. Need to get the docs updated.

```yaml
global:
  keyVaultAuth: environment-azidentity
controller:
  image:
    tag: 1.5.0-beta.1
  podLabels:
    azure.workload.identity/use: "true"
  serviceAccount:
    labels:
      azure.workload.identity/use: "true"
    annotations:
      azure.workload.identity/client-id: <managed-client-id>
env_injector:
  image:
    tag: 1.5.0-beta.1
  podLabels:
    azure.workload.identity/use: "true"
  envImage:
    tag: 1.5.0-beta.1
  serviceAccount:
    labels:
      azure.workload.identity/use: "true"
    annotations:
      azure.workload.identity/client-id: <managed-client-id>
```
Does this let you override the clientId / specify it manually? As far as AZWI is concerned, the reason for the optionality is that you can have multiple federated credentials/identities associated with a single service account. In those instances you wouldn't specify the annotation, but would rather rely on an application-defined/dependent mechanism for specifying the clientId in lieu of the annotation/environment variable. The PR that was closed over this accounted for that. I haven't had a chance to review this PR but wanted to check that this was covered (or acknowledged and intentionally omitted).
@pinkfloydx33 Yes, if the client-id annotation is not used you will need to provide the

Example with annotations:

```yaml
global:
  keyVaultAuth: environment-azidentity
controller:
  image:
    tag: 1.5.0-beta.1
  serviceAccount:
    labels:
      azure.workload.identity/use: "true"
    annotations:
      azure.workload.identity/client-id: <managed-client-id>
env_injector:
  image:
    tag: 1.5.0-beta.1
  envImage:
    tag: 1.5.0-beta.1
  serviceAccount:
    labels:
      azure.workload.identity/use: "true"
    annotations:
      azure.workload.identity/client-id: <managed-client-id>
```

Example with env variable set for both controller and env-injector:

```yaml
global:
  keyVaultAuth: environment-azidentity
  env:
    AZURE_CLIENT_ID: <managed-client-id>
controller:
  image:
    tag: 1.5.0-beta.1
  serviceAccount:
    labels:
      azure.workload.identity/use: "true"
env_injector:
  image:
    tag: 1.5.0-beta.1
  envImage:
    tag: 1.5.0-beta.1
  serviceAccount:
    labels:
      azure.workload.identity/use: "true"
```

If you were to use different managed client ids for both service accounts you will need to set it separately for the controller and env-injector. Environment variables will take precedence over the webhook annotation.
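The precedence rule in the comment above (an explicit AZURE_CLIENT_ID wins over the azure.workload.identity/client-id annotation) and the fail-fast behaviour wanted when a service account carries several federated identities, as an added Go example written for this page. It is not akv2k8s code and does not call the azidentity SDK; it only shows how a chain like DefaultAzureCredential sees the pod. It assumes the webhook-injected variable names AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE and the usual projected token mount path; the environment map, annotation values and client ids in main are constructed sample input.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// WorkloadIdentityConfig holds the values a DefaultAzureCredential-style chain
// reads from the pod environment before it can exchange the projected
// Kubernetes token for an Azure AD token.
type WorkloadIdentityConfig struct {
	ClientID  string
	TenantID  string
	TokenFile string
	Source    string // "env" or "annotation": where ClientID was taken from
}

// Annotation key from the Helm values in this thread.
const clientIDAnnotation = "azure.workload.identity/client-id"

// Variables injected by the Azure Workload Identity webhook (assumption: these
// are the names the azidentity workload identity credential reads).
const (
	envClientID  = "AZURE_CLIENT_ID"
	envTenantID  = "AZURE_TENANT_ID"
	envTokenFile = "AZURE_FEDERATED_TOKEN_FILE"
)

// ResolveClientID applies the precedence rule from the thread: AZURE_CLIENT_ID
// wins over the service account annotation. With neither set the caller gets an
// error rather than a guess, because one service account can carry several
// federated credentials and only the application knows which one to use.
func ResolveClientID(env, saAnnotations map[string]string) (string, string, error) {
	if v := strings.TrimSpace(env[envClientID]); v != "" {
		return v, "env", nil
	}
	if v := strings.TrimSpace(saAnnotations[clientIDAnnotation]); v != "" {
		return v, "annotation", nil
	}
	return "", "", fmt.Errorf("no client id: set %s or the %s annotation", envClientID, clientIDAnnotation)
}

// Resolve assembles the configuration and checks that the projected token file
// exists and is non-empty, so a pod that is missing the
// azure.workload.identity/use label (and therefore the webhook injection) fails
// at startup with a readable message instead of an opaque token error on the
// first Key Vault call. fileSize is injectable so the check runs without a mount.
func Resolve(env, saAnnotations map[string]string, fileSize func(string) (int64, error)) (WorkloadIdentityConfig, error) {
	clientID, source, err := ResolveClientID(env, saAnnotations)
	if err != nil {
		return WorkloadIdentityConfig{}, err
	}
	cfg := WorkloadIdentityConfig{
		ClientID:  clientID,
		TenantID:  env[envTenantID],
		TokenFile: env[envTokenFile],
		Source:    source,
	}
	if cfg.TenantID == "" || cfg.TokenFile == "" {
		return WorkloadIdentityConfig{}, fmt.Errorf("%s and %s must be set (is the pod labelled azure.workload.identity/use=\"true\"?)", envTenantID, envTokenFile)
	}
	n, err := fileSize(cfg.TokenFile)
	if err != nil {
		return WorkloadIdentityConfig{}, fmt.Errorf("federated token file %s: %w", cfg.TokenFile, err)
	}
	if n == 0 {
		return WorkloadIdentityConfig{}, errors.New("federated token file is empty; projected service account token not mounted")
	}
	return cfg, nil
}

// osFileSize is the real fileSize implementation for use inside a pod.
func osFileSize(path string) (int64, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return fi.Size(), nil
}

// processEnv snapshots the process environment into the map Resolve expects.
func processEnv() map[string]string {
	env := map[string]string{}
	for _, kv := range os.Environ() {
		if k, v, ok := strings.Cut(kv, "="); ok {
			env[k] = v
		}
	}
	return env
}

func main() {
	// Constructed sample input: env-injected client id and a differing annotation.
	env := map[string]string{
		envClientID:  "11111111-1111-1111-1111-111111111111",
		envTenantID:  "22222222-2222-2222-2222-222222222222",
		envTokenFile: "/var/run/secrets/azure/tokens/azure-identity-token",
	}
	ann := map[string]string{clientIDAnnotation: "33333333-3333-3333-3333-333333333333"}
	mounted := func(string) (int64, error) { return 900, nil } // pretend the token is mounted
	fmt.Println(Resolve(env, ann, mounted)) // env value wins, Source == "env"

	// Inside a real pod you would resolve from the live environment and filesystem.
	fmt.Println(Resolve(processEnv(), ann, osFileSize))
}
```

The empty-file check matters in practice: the projected token volume is only added when the pod (not just the service account) carries the use label, which is exactly the breaking change mentioned later in this thread.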
@181192 Can you please also build an image for 1.5.0-beta.2 and push it to Docker Hub?
Hi @cgroschupp, 1.5.0-beta.2 was only released for azure-keyvault-env; there were no changes for the controller or webhook from 1.5.0-beta.1. But I just released 1.5.0-beta.4 for all three components now.
"Breaking change" from Azure: pod labels are now required in addition to the service account label for the
Hi everyone, is there a projected release for the workload identity integration? The beta controller image seems to work pretty well. If there is anything that needs to be done to get this in a release, I'd be happy to help. Thanks.

Oh. I'm sorry. That's embarrassing :) Thank you.
Implementation details

- Use the azidentity sdk because it provides built-in support for workload identity, and adal will discontinue support on March 31, 2023.
- Added a new AuthType `environment-azidentity` that uses the DefaultAzureCredential helper to get the Azure credentials. This credential helper tries all possible mechanisms for authentication; it uses the AZURE_* environment variables.

Tests

Helm values:

Additional notes