Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support Workload Identity for Azure Vault #813

Merged
merged 1 commit into from
Apr 3, 2023

Conversation

somtochiama
Copy link
Member

@somtochiama somtochiama commented Mar 8, 2023

This pull request adds support for using Azure Workload Identity when decrypting secrets in Kustomization

It updates azidentity dependencies to v1.3.0-beta.4 and uses defaultCredentials from environment variables when no secret is set when decrypting with Azure KMS

Closes #795

Part of: fluxcd/flux2#3041

@somtochiama somtochiama changed the title Update azidentity v1.3.0-beta.3 to support Workload Identity Update azidentity v1.3.0-beta.4 to support Workload Identity Mar 29, 2023
@somtochiama somtochiama requested a review from hiddeco March 29, 2023 23:06
creds := key.token
if key.token == nil {
// if there is no token credential set, use the DefaultAzureCredential
newCreds, err := azidentity.NewDefaultAzureCredential(nil)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Member Author

@somtochiama somtochiama Mar 30, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We still get the attempt to shell out to the CLI when key.token isn't set and we use the server from sops
https://github.com/mozilla/sops/blob/master/azkv/keysource.go#L142

By using the NewDefaultAzureCredential, we attempt all the other methods(including Workload Identity) before trying to shell out

Copy link
Member

@stefanprodan stefanprodan Mar 30, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given that there are no CLIs in the controller container, this only confuses people. Locally if you run the tests on a dev machine, it will find az, but it will always fail in-cluster.

@hiddeco
Copy link
Member

hiddeco commented Mar 30, 2023

Am not sure what is going on in the last commit, why does the Decrypt do an on-demand request for default credentials instead of the Server being configured properly?

@somtochiama
Copy link
Member Author

Am not sure what is going on in the last commit, why does the Decrypt do an on-demand request for default credentials instead of the Server being configured properly?

So we can use credentials from the environment variable if there was nothing configured in the secret. This is basically the approach we use by returning the default server (it checks the environment variables and the CLI last), but in this case, we are using the function provided by Azure which also checks for workload identity environment variables.

With this change, users don't have to set a client id in the secret to use Workload Identity(this is also the same way GCP Workload Identity works)

@somtochiama somtochiama changed the title Update azidentity v1.3.0-beta.4 to support Workload Identity Support Azure Workload Identity Mar 30, 2023
@stefanprodan stefanprodan changed the title Support Azure Workload Identity Support Workload Identity for Azure Vault Mar 31, 2023
@stefanprodan stefanprodan added enhancement New feature or request area/sops SOPS related issues and pull requests labels Mar 31, 2023
@stefanprodan
Copy link
Member

@somtochiama can you please move the docs to the v1 API spec? Thanks

Copy link
Member

@stefanprodan stefanprodan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Thanks @somtochiama 🏅

@somtochiama somtochiama force-pushed the azidentity branch 2 times, most recently from 5a1b325 to 20d5c3d Compare April 3, 2023 10:15
Signed-off-by: Somtochi Onyekwere <[email protected]>
Co-authored-by: Hidde Beydals <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/sops SOPS related issues and pull requests enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add support for Azure Workload Identity to secrets decryption
3 participants