Azure Workload Identity E2E #144
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Azure Workload Identity E2E | |
on: | |
workflow_dispatch: | |
schedule: | |
- cron: '0 0 * * *' # nightly | |
push: | |
branches: | |
- main | |
- release-** | |
permissions: | |
id-token: write | |
contents: read | |
jobs: | |
azwi_e2e: | |
env: | |
AZURE_CLIENT_ID: 0dcfc182-7b36-4e23-b53f-a27c929a9e4e | |
AZURE_TENANT_ID: bc2d60ab-9b1d-45bd-8a3b-3a18ae865e3a | |
SERVICE_ACCOUNT_ISSUER: "https://azwi.blob.core.windows.net/oidc-test/" | |
strategy: | |
fail-fast: false | |
matrix: | |
# TODO(chewong): add windows and macos test env | |
env: [ubuntu-20.04] | |
runs-on: ${{ matrix.env }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 | |
with: | |
egress-policy: audit | |
- name: Checkout | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
with: | |
fetch-depth: 0 | |
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
with: | |
go-version: "1.22" | |
check-latest: true | |
- name: Azure CLI | |
run: | | |
echo "Azure CLI Current installed version" | |
az version | |
- name: Set variables | |
id: variables | |
run: | | |
echo "AAD_APPLICATION_NAME=azwi-e2e-app-$(openssl rand -hex 2)" >> "${GITHUB_ENV}" | |
SERVICE_ACCOUNT_NAMESPACE="azwi-$(openssl rand -hex 2)" | |
echo "SERVICE_ACCOUNT_NAMESPACE=${SERVICE_ACCOUNT_NAMESPACE}" >> "${GITHUB_ENV}" | |
echo "SERVICE_ACCOUNT_NAME=${SERVICE_ACCOUNT_NAMESPACE}-sa" >> "${GITHUB_ENV}" | |
- name: Create kind cluster | |
run: | | |
openssl genrsa -out sa.key 2048 | |
openssl rsa -in sa.key -pubout -out sa.pub | |
make kind-create | |
- name: Build azwi | |
run: make bin/azwi | |
- uses: azure/login@8c334a195cbb38e46038007b304988d888bf676a # v1.4.6 | |
with: | |
client-id: ${{ env.AZURE_CLIENT_ID }} | |
tenant-id: ${{ env.AZURE_TENANT_ID }} | |
allow-no-subscriptions: true | |
- name: E2E test | |
run: | | |
kubectl create namespace "${SERVICE_ACCOUNT_NAMESPACE}" | |
./bin/azwi serviceaccount create \ | |
--aad-application-name "${AAD_APPLICATION_NAME}" \ | |
--service-account-namespace "${SERVICE_ACCOUNT_NAMESPACE}" \ | |
--service-account-name "${SERVICE_ACCOUNT_NAME}" \ | |
--service-account-issuer-url "${SERVICE_ACCOUNT_ISSUER}" \ | |
--service-account-token-expiration 10h \ | |
--skip-phases role-assignment | |
# get the service account object | |
kubectl describe serviceaccount "${SERVICE_ACCOUNT_NAME}" --namespace "${SERVICE_ACCOUNT_NAMESPACE}" > sa.yaml | |
APPLICATION_CLIENT_ID="$(az ad sp list --display-name "${AAD_APPLICATION_NAME}" --query '[0].appId' -otsv)" | |
cat sa.yaml | grep "azure.workload.identity/client-id: ${APPLICATION_CLIENT_ID}" | |
cat sa.yaml | grep "azure.workload.identity/service-account-token-expiration: 36000" | |
cat sa.yaml | grep "azure.workload.identity/tenant-id: ${AZURE_TENANT_ID}" | |
# get the federated identity | |
APPLICATION_OBJECT_ID="$(az ad app show --id "${APPLICATION_CLIENT_ID}" --query id -otsv)" | |
az rest --method GET --uri "https://graph.microsoft.com/beta/applications/${APPLICATION_OBJECT_ID}/federatedIdentityCredentials" | |
- name: Cleanup | |
if: ${{ always() }} | |
run: | | |
set +e | |
# this should delete the underlying federated identity | |
./bin/azwi serviceaccount delete phase app \ | |
--aad-application-name "${AAD_APPLICATION_NAME}" | |
./bin/azwi serviceaccount delete phase sa \ | |
--service-account-namespace "${SERVICE_ACCOUNT_NAMESPACE}" \ | |
--service-account-name "${SERVICE_ACCOUNT_NAME}" | |
azwi_build: | |
strategy: | |
fail-fast: false | |
matrix: | |
# TODO(aramase): add windows test env | |
env: [ubuntu-20.04, macos-11] | |
runs-on: ${{ matrix.env }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 | |
with: | |
egress-policy: audit | |
- name: Checkout | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
with: | |
fetch-depth: 0 | |
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
with: | |
go-version: "1.22" | |
check-latest: true | |
- name: Build azwi | |
run: | | |
make bin/azwi | |
- name: Validate azwi commands | |
run: | | |
./bin/azwi version | |
./bin/azwi -h | |
./bin/azwi serviceaccount -h | |
./bin/azwi serviceaccount create -h | |
./bin/azwi serviceaccount delete -h | |
./bin/azwi jwks -h |