Added support for azure workload identity #5390
Conversation
k8s-ci-robot
added
kind/feature
|
Welcome @stijndehaes! |
k8s-ci-robot
added
the
size/M
stijndehaes
force-pushed
the
feature/add-support-for-workload-identity
branch
3 times, most recently
from
f8126b7 to
8b045b1
Compare
| if tenantId := os.Getenv("AZURE_TENANT_ID"); tenantId != "" { | ||
| cfg.TenantID = tenantId | ||
| } | ||
| cfg.AADClientID = os.Getenv("ARM_CLIENT_ID") | ||
| if clientId := os.Getenv("AZURE_CLIENT_ID"); clientId != "" { | ||
| cfg.AADClientID = clientId | ||
| } |
There was a problem hiding this comment.
This lets one override ARM_TENANT/CLIENT_ID with AZURE_TENANT/CLIENT_ID. It is not clear why supporting this is needed (if there is a good reason, please explain) and it introduces (an admittedly small) risk of breaking existing deployments. Most importantly, this is not related to introducing workload identity, which is the target of this PR. Please remove, and - if there is a good reason - introduce in a separate PR.
There was a problem hiding this comment.
These override are here because of the project https://github.com/Azure/azure-workload-identity,
The default environment values it sets are:
- AZURE_TENANT_ID
- AZURE_CLIENT_ID
- AZURE_FEDERATED_TOKEN_FILE
- AZURE_AUTHORITY_HOST
To have better interoperability I added these aliases. I can remove them though and add them in a new PR
There was a problem hiding this comment.
Thanks for sharing the contexts, it makes sense.
There was a problem hiding this comment.
@feiskyer thank you for the feedback!
| # azureUseWorkloadIdentityExtension -- Whether to use Azure's workload identity extension for credentials. | ||
| azureUseWorkloadIdentityExtension: false | ||
|
|
||
| # azureUseManagedIdentityExtension -- Whether to use Azure's managed identity extension for credentials. If using MSI, ensure subscription ID, resource group, and azure AKS cluster name are set. | ||
| azureUseManagedIdentityExtension: false |
There was a problem hiding this comment.
Only one of these can be used at a time (if both are set, the current implementation will use workload identity). Please document (and consider adding a check in code that both are not set at the same time).
There was a problem hiding this comment.
I added an error in the code, and added documentation that you should not set both
|
/label area/provider/azure |
|
@tallaxes: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/area provider/azure |
k8s-ci-robot
added
the
area/provider/azure
| @@ -95,6 +95,9 @@ azureClusterName: "" | |||
| # Required if `cloudProvider=azure` | |||
| azureNodeResourceGroup: "" | |||
|
|
|||
| # azureUseWorkloadIdentityExtension -- Whether to use Azure's workload identity extension for credentials. | |||
| azureUseWorkloadIdentityExtension: false | |||
There was a problem hiding this comment.
+1 to mention here WorkloadIdentity couldn't be used together with other author approaches.
There was a problem hiding this comment.
And how AADFederatedTokenFile could be set in the helm chart?
There was a problem hiding this comment.
I added documentation to the readme
stijndehaes
force-pushed
the
feature/add-support-for-workload-identity
branch
from
8b045b1 to
2f3fb3f
Compare
k8s-ci-robot
added
size/L
stijndehaes
force-pushed
the
feature/add-support-for-workload-identity
branch
2 times, most recently
from
24a3d4b to
e9366fd
Compare
k8s-ci-robot
added
the
lgtm
|
@gjtempleton could you help to review the charts changes? |
stijndehaes
requested review from
tallaxes
and removed request for
gjtempleton
|
@gjtempleton friendly reminder to help with the review of the chart changes :) |
|
/lgtm |
|
/assign @gjtempleton |
|
/assign @gjtempleton |
stijndehaes
force-pushed
the
feature/add-support-for-workload-identity
branch
from
e9366fd to
5959e07
Compare
k8s-ci-robot
removed
the
lgtm
@gjtempleton I implemented the changes! Thank you for the review. |
|
@gjtempleton @tallaxes @feiskyer Can you guys give me a last LGTM or tell me what needs to be changed still? :) |
k8s-ci-robot
added
the
lgtm
k8s-ci-robot
added
needs-rebase
stijndehaes
force-pushed
the
feature/add-support-for-workload-identity
branch
from
704857d to
ef295a3
Compare
k8s-ci-robot
removed
the
needs-rebase
|
@gjtempleton thank you for checking, I have made the changes. If ok can you approve? @feiskyer I am going to need your approval again sorry for this. |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: feiskyer, gjtempleton, stijndehaes, tallaxes The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Which component this PR applies to?
What type of PR is this?
/kind feature
What this PR does / why we need it:
It adds support for workload identity to the cluster autoscaler on azure
Which issue(s) this PR fixes:
None
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: