-
Notifications
You must be signed in to change notification settings - Fork 614
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for Azure Workload Identity #3041
Comments
@pjbgf If FluxCD team accepts the usage of azidentity v1.3.0-beta.2, then we can quickly add support for Workload Identity to several controllers by bumping deps:
Please, let me know what you think. If you would accept such change, I can prepare a PR with all the instructions and a terraform test lab. Logssource-controller-57774ccfc5-64bvd manager {"level":"info","ts":"2023-01-14T23:33:34.841Z","msg":"logging in to Azure ACR for fluxcdtestacr123.azurecr.io/charts","controller":"helmrepository","controllerGroup":"source.toolkit.fluxcd.io","controllerKind":"HelmRepository","HelmRepository":{"name":"charts","namespace":"flux-system"},"namespace":"flux-system","name":"charts","reconcileID":"8c61bb40-7a54-40a4-b7b0-e3a1fbe9b875"} source-controller-57774ccfc5-64bvd manager {"level":"info","ts":"2023-01-14T23:33:35.400Z","msg":"Helm repository is ready","controller":"helmrepository","controllerGroup":"source.toolkit.fluxcd.io","controllerKind":"HelmRepository","HelmRepository":{"name":"charts","namespace":"flux-system"},"namespace":"flux-system","name":"charts","reconcileID":"8c61bb40-7a54-40a4-b7b0-e3a1fbe9b875"} source-controller-57774ccfc5-64bvd manager {"level":"info","ts":"2023-01-14T23:38:35.444Z","msg":"logging in to Azure ACR for fluxcdtestacr123.azurecr.io/charts","controller":"helmrepository","controllerGroup":"source.toolkit.fluxcd.io","controllerKind":"HelmRepository","HelmRepository":{"name":"charts","namespace":"flux-system"},"namespace":"flux-system","name":"charts","reconcileID":"bb59958b-0c44-4b35-871f-f7679c37d097"} source-controller-57774ccfc5-64bvd manager {"level":"info","ts":"2023-01-14T23:39:01.314Z","msg":"logging in to Azure ACR for fluxcdtestacr123.azurecr.io/charts","controller":"helmchart","controllerGroup":"source.toolkit.fluxcd.io","controllerKind":"HelmChart","HelmChart":{"name":"default-podinfo","namespace":"flux-system"},"namespace":"flux-system","name":"default-podinfo","reconcileID":"a0faa635-370a-4ad8-bb37-e60e16f3607c"} source-controller-57774ccfc5-64bvd manager {"level":"info","ts":"2023-01-14T23:39:02.021Z","msg":"pulled 'base' chart with version '0.3.2'","controller":"helmchart","controllerGroup":"source.toolkit.fluxcd.io","controllerKind":"HelmChart","HelmChart":{"name":"default-podinfo","namespace":"flux-system"},"namespace":"flux-system","name":"default-podinfo","reconcileID":"a0faa635-370a-4ad8-bb37-e60e16f3607c"} |
Workload identity has been added in each of the relevant controllers: See: fluxcd/kustomize-controller#813, fluxcd/source-controller#1048, fluxcd/image-reflector-controller#363. |
How can we use this for Azure devops git repositories? |
@Poltergeisen I was wondering the same thing! Have you figured it out? I don't think there's a way, currently, to do it. I've thought about putting together a PR, but am not familiar with Go (I AM pretty familiar with the AZDO method of hooking this up). |
Hello, support for Azure Devops Git repositories is planned and being worked on. |
@aryan9600 Is this something I can help with? Anything I can follow a little closer? I would love to get involved, but mostly want to be aware of when this might be landing. |
Hi, I'm a bit confused over the Azure documentation for this feature. I'm trying to migrate from pod-identity to workload-identity for image automation with ACR and I've implemented the patches as suggested here Workload Indentity for |
Hey @andywilde , That documentation is for using cronjobs to generate short-lived credentials
If you have set up workload identity on your aks cluster and have labelled the image-reflector-controller and pod correctly, workload identity should work. The only extra you need is |
Hi @somtochiama, do you have an example of ImageRepository? With this code:
I get the error |
yes, what version of flux are you on? |
2.0.0 |
yes, please upgrade to v1beta2 |
I guess this errors mean the authentication is fixed but I have to configure something else?
|
what do you see when you run |
Do you have image automation set up? https://fluxcd.io/flux/guides/image-update/ |
It's working now. The problem was I hadn't added the policy marker:
@somtochiama thanks for all your help. Have a great weekend! |
@aryan9600 do you happen to know how long it might take? Or is there an issue I can subscribe to that tracks that functionality? |
@aryan9600 bumping this question back up to you since this is a topic of interest for my team as well. |
@Poltergeisen @b-rand hello, i was on vacation and then busy with kubecon. i have resumed work on this. the PR which enables support for this is: fluxcd/pkg#664. there's a lot of work still remaining before the new package can be used in the controllers. i'm targeting the next to next minor release of flux, i.e. flux v2.3.0 |
Azure Workload Identity is the next generation of workload contextual authentication, which replaces the existing Azure Pod Identity.
The features in which Flux has Azure Workload Identity supported and documented:
Relates to #3003.
The text was updated successfully, but these errors were encountered: