[identity] AKS live tests (#28939)

### Packages impacted by this PR

@azure/identity

### Issues associated with this PR

Contributes to #26434

### Describe the problem that is addressed by this PR

Adds AKS managed identity integration tests

.gitignore

@@ -188,5 +188,5 @@ sdk/template/template-dpg/src/src
 .tshy-build-tmp
 
 # sshkey
-sdk/**/sshkey
-sdk/**/sshkey.pub
+sdk/**/sshKey
+sdk/**/sshKey.pub

sdk/identity/identity/.gitignore

@@ -1,5 +1,6 @@
 src/**/*.js
 integration/AzureFunctions/app.zip
 integration/AzureWebApps/.azure/
+integration/kubeconfig.yaml
 !assets/fake-cert.pem
 !assets/fake-cert-password.pem

sdk/identity/identity/integration/AzureFunctions/RunTest/src/functions/authenticateToStorageFunction.ts

@@ -1,11 +1,13 @@
-
 import { BlobServiceClient } from "@azure/storage-blob";
 import { ManagedIdentityCredential } from "@azure/identity";
 import { app, HttpRequest, HttpResponseInit, InvocationContext } from "@azure/functions";
 
-export async function authenticateStorage(request: HttpRequest, context: InvocationContext): Promise<HttpResponseInit> {
+export async function authenticateStorage(
+  request: HttpRequest,
+  context: InvocationContext,
+): Promise<HttpResponseInit> {
   try {
-    context.log('Http function was triggered.');
+    context.log("Http function was triggered.");
     //parse the request body
     await authToStorageHelper(context);
 
@@ -20,26 +22,26 @@ export async function authenticateStorage(request: HttpRequest, context: Invocat
       body: error,
     };
   }
-};
+}
 
-app.http('authenticateStorage', {
-  methods: ['GET', 'POST'],
+app.http("authenticateStorage", {
+  methods: ["GET", "POST"],
   authLevel: "anonymous",
-  handler: authenticateStorage
+  handler: authenticateStorage,
 });
 
 async function authToStorageHelper(context: InvocationContext): Promise<void> {
   // This will use the system managed identity
   const credential1 = new ManagedIdentityCredential();
 
-  const clientId = process.env.IDENTITY_USER_DEFINED_IDENTITY_CLIENT_ID!;
+  const clientId = process.env.IDENTITY_USER_DEFINED_CLIENT_ID!;
   const account1 = process.env.IDENTITY_STORAGE_NAME_1;
   const account2 = process.env.IDENTITY_STORAGE_NAME_2;
 
-  const credential2 = new ManagedIdentityCredential({ "clientId": clientId });
+  const credential2 = new ManagedIdentityCredential({ clientId });
   const client1 = new BlobServiceClient(`https://${account1}.blob.core.windows.net`, credential1);
   const client2 = new BlobServiceClient(`https://${account2}.blob.core.windows.net`, credential2);
-  context.log("Getting containers for storage account client: system managed identity")
+  context.log("Getting containers for storage account client: system managed identity");
   let iter = client1.listContainers();
   let i = 1;
   context.log("Client with system assigned identity");
@@ -49,13 +51,12 @@ async function authToStorageHelper(context: InvocationContext): Promise<void> {
     containerItem = await iter.next();
   }
 
-  context.log("Getting properties for storage account client: user assigned managed identity")
+  context.log("Getting properties for storage account client: user assigned managed identity");
   iter = client2.listContainers();
   context.log("Client with user assigned identity");
   containerItem = await iter.next();
   while (!containerItem.done) {
     context.log(`Container ${i++}: ${containerItem.value.name}`);
     containerItem = await iter.next();
   }
-
 }

sdk/identity/identity/integration/AzureKubernetes/Dockerfile

@@ -10,11 +10,12 @@ ARG NODE_VERSION=20
 ARG REGISTRY=""
 
 FROM ${REGISTRY}node:${NODE_VERSION}-alpine as repo
-RUN apk --no-cache add git
-RUN git clone https://github.com/azure/azure-sdk-for-js --single-branch --branch main --depth 1 /azure-sdk-for-js
+WORKDIR /app
 
-WORKDIR /azure-sdk-for-js/sdk/identity/identity/test/integration/AzureKubernetes
-RUN npm install
-RUN npm install -g typescript
-RUN tsc -p .
-CMD ["node", "index"]
+COPY . .
+
+# Install the latest nightly build of identity
+RUN npm install --no-package-lock
+
+# Wait for the test to `exec` into the container and run the script
+CMD ["sleep", "infinity"]

sdk/identity/identity/integration/AzureKubernetes/index.js

@@ -0,0 +1,51 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+const { BlobServiceClient } = require("@azure/storage-blob");
+const { ManagedIdentityCredential, WorkloadIdentityCredential } = require("@azure/identity");
+
+async function main() {
+  const storageAccount = process.env.IDENTITY_STORAGE_NAME_2;
+  if (!storageAccount) {
+    throw new Error("Missing IDENTITY_STORAGE_NAME_2 env var");
+  }
+
+  const clientId = process.env.IDENTITY_USER_DEFINED_CLIENT_ID;
+  if (!clientId) {
+    throw new Error("Missing IDENTITY_USER_DEFINED_CLIENT_ID env var");
+  }
+
+  const blobUrl = `https://${storageAccount}.blob.core.windows.net`;
+
+  try {
+    const blobServiceClient = new BlobServiceClient(
+      blobUrl,
+      new ManagedIdentityCredential({
+        clientId,
+      }),
+    );
+    await blobServiceClient.getProperties();
+
+    // The test looks for this line in the output
+    console.log("ManagedIdentity: Successfully authenticated with storage");
+  } catch (e) {
+    console.error(e);
+  }
+
+  try {
+    const blobServiceClient = new BlobServiceClient(
+      blobUrl,
+      new WorkloadIdentityCredential({
+        clientId,
+      }),
+    );
+    await blobServiceClient.getProperties();
+
+    // The test looks for this line in the output
+    console.log("WorkloadIdentity: Successfully authenticated with storage");
+  } catch (e) {
+    console.error(e);
+  }
+}
+
+main().then(console.log).catch(console.error);

sdk/identity/identity/integration/AzureKubernetes/package.json

@@ -1,22 +1,13 @@
 {
-    "name": "@azure-samples/azure-kubernetes-test",
-    "version": "1.0.0",
-    "description": "",
-    "main": "index.js",
-    "scripts": {
-        "build": "tsc",
-        "start": "ts-node src/index.ts",
-        "test": "echo \"Error: no test specified\" && exit 1"
-    },
-    "author": "",
-    "license": "ISC",
-    "dependencies": {
-      "@azure/identity": "^4.0.0",
-      "@azure/storage-blob": "^12.17.0",
-      "tslib": "^1.10.0",
-      "ts-node": "10.9.2"
-    },
-    "devDependencies": {
-      "typescript": "^5.3.3"
-    }
+  "name": "@azure-samples/azure-kubernetes-test",
+  "version": "1.0.0",
+  "description": "A simple node JS script that can be used to test MSI on Kubernetes",
+  "main": "index.js",
+  "scripts": {},
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "@azure/identity": "dev",
+    "@azure/storage-blob": "^12.17.0"
   }
+}

sdk/identity/identity/integration/AzureWebApps/package.json

@@ -12,7 +12,7 @@
   "author": "",
   "license": "ISC",
   "dependencies": {
-    "@azure/identity": "^4.0.0",
+    "@azure/identity": "dev",
     "@azure/storage-blob": "^12.17.0",
     "express": "^4.18.2",
     "tslib": "^1.10.0"

sdk/identity/identity/integration/AzureWebApps/src/index.ts

@@ -10,15 +10,18 @@ dotenv.config();
 const app = express();
 
 app.get("/", (req: express.Request, res: express.Response) => {
-  res.send("Ok")
-})
+  res.send("Ok");
+});
 
 app.get("/sync", async (req: express.Request, res: express.Response) => {
   let systemSuccessMessage = "";
   try {
     const account1 = process.env.IDENTITY_STORAGE_NAME_1;
     const credentialSystemAssigned = new ManagedIdentityCredential();
-    const client1 = new BlobServiceClient(`https://${account1}.blob.core.windows.net`, credentialSystemAssigned);
+    const client1 = new BlobServiceClient(
+      `https://${account1}.blob.core.windows.net`,
+      credentialSystemAssigned,
+    );
     let iter = client1.listContainers();
     let i = 0;
     console.log("Client with system assigned identity");
@@ -29,31 +32,35 @@ app.get("/sync", async (req: express.Request, res: express.Response) => {
     }
     console.log("Client with system assigned identity");
     console.log("Properties of the 1st client =", iter);
-    systemSuccessMessage = "Successfully acquired token with system-assigned ManagedIdentityCredential"
+    systemSuccessMessage =
+      "Successfully acquired token with system-assigned ManagedIdentityCredential";
     console.log(systemSuccessMessage);
-  }
-  catch (e) {
+  } catch (e) {
     console.error(e);
   }
   try {
     const account2 = process.env.IDENTITY_STORAGE_NAME_2;
-    const credentialUserAssigned = new ManagedIdentityCredential({ clientId: process.env.IDENTITY_USER_DEFINED_IDENTITY_CLIENT_ID })
-    const client2 = new BlobServiceClient(`https://${account2}.blob.core.windows.net`, credentialUserAssigned);
+    const credentialUserAssigned = new ManagedIdentityCredential({
+      clientId: process.env.IDENTITY_USER_DEFINED_CLIENT_ID,
+    });
+    const client2 = new BlobServiceClient(
+      `https://${account2}.blob.core.windows.net`,
+      credentialUserAssigned,
+    );
     let iter = client2.listContainers();
     let i = 0;
-    console.log("Client with user assigned identity")
+    console.log("Client with user assigned identity");
     let containerItem = await iter.next();
     while (!containerItem.done) {
       console.log(`Container ${i++}: ${containerItem.value.name}`);
       containerItem = await iter.next();
     }
-    res.status(200).send("Successfully acquired tokens with async ManagedIdentityCredential")
-  }
-  catch (e) {
+    res.status(200).send("Successfully acquired tokens with async ManagedIdentityCredential");
+  } catch (e) {
     console.error(e);
     res.status(500).send(`${e} \n ${systemSuccessMessage}`);
   }
-})
+});
 
 app.listen(8080, () => {
   console.log(`Authorization code redirect server listening on port 8080`);

sdk/identity/identity/package.json

@@ -55,7 +55,7 @@
     "format": "dev-tool run vendored prettier --write --config ../../../.prettierrc.json --ignore-path ../../../.prettierignore \"src/**/*.ts\" \"test/**/*.ts\" \"samples-dev/**/*.ts\" \"*.{js,json}\"",
     "check-format": "dev-tool run vendored prettier --list-different --config ../../../.prettierrc.json --ignore-path ../../../.prettierignore \"src/**/*.ts\" \"test/**/*.ts\" \"samples-dev/**/*.ts\" \"*.{js,json}\"",
     "integration-test:browser": "echo skipped",
-    "integration-test:node": "dev-tool run test:node-ts-input -- --timeout 180000 'test/public/node/*.spec.ts' 'test/internal/node/*.spec.ts' 'test/integration/*.spec.ts'",
+    "integration-test:node": "dev-tool run test:node-ts-input -- --timeout 180000 'test/public/node/*.spec.ts' 'test/internal/node/*.spec.ts' 'test/integration/**/*.spec.ts'",
     "integration-test": "npm run integration-test:node && npm run integration-test:browser",
     "lint:fix": "eslint package.json api-extractor.json src test --ext .ts --fix --fix-type [problem,suggestion]",
     "lint": "eslint package.json api-extractor.json src test --ext .ts",