Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support Workload Identity for Azure Vault #813

Merged
merged 1 commit into from
Apr 3, 2023
Merged

Support Workload Identity for Azure Vault #813

merged 1 commit into from
Apr 3, 2023

Conversation

somtochiama
Copy link
Member

@somtochiama somtochiama commented Mar 8, 2023
edited by stefanprodan
Loading

This pull request adds support for using Azure Workload Identity when decrypting secrets in Kustomization

It updates azidentity dependencies to v1.3.0-beta.4 and uses defaultCredentials from environment variables when no secret is set when decrypting with Azure KMS

Closes #795

Part of: fluxcd/flux2#3041

@somtochiama somtochiama changed the title Update azidentity v1.3.0-beta.3 to support Workload Identity Update azidentity v1.3.0-beta.4 to support Workload Identity Mar 29, 2023
hiddeco
hiddeco reviewed Mar 30, 2023
View reviewed changes
internal/sops/azkv/keysource.go Outdated
creds := key.token
if key.token == nil {
// if there is no token credential set, use the DefaultAzureCredential
newCreds, err := azidentity.NewDefaultAzureCredential(nil)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AFAIK, this attempts to shell-out: https://github.com/Azure/azure-sdk-for-go/blob/sdk/azidentity/v1.3.0-beta.4/sdk/azidentity/azure_cli_credential.go#L95

Copy link
Member Author

@somtochiama somtochiama Mar 30, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We still get the attempt to shell out to the CLI when key.token isn't set and we use the server from sops
https://github.com/mozilla/sops/blob/master/azkv/keysource.go#L142

By using the NewDefaultAzureCredential, we attempt all the other methods(including Workload Identity) before trying to shell out

Copy link
Member

@stefanprodan stefanprodan Mar 30, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given that there are no CLIs in the controller container, this only confuses people. Locally if you run the tests on a dev machine, it will find az, but it will always fail in-cluster.

@hiddeco
Copy link
Member

hiddeco commented Mar 30, 2023

Am not sure what is going on in the last commit, why does the Decrypt do an on-demand request for default credentials instead of the Server being configured properly?

@somtochiama
Copy link
Member Author

Am not sure what is going on in the last commit, why does the Decrypt do an on-demand request for default credentials instead of the Server being configured properly?

So we can use credentials from the environment variable if there was nothing configured in the secret. This is basically the approach we use by returning the default server (it checks the environment variables and the CLI last), but in this case, we are using the function provided by Azure which also checks for workload identity environment variables.

With this change, users don't have to set a client id in the secret to use Workload Identity(this is also the same way GCP Workload Identity works)

@somtochiama somtochiama changed the title Update azidentity v1.3.0-beta.4 to support Workload Identity Support Azure Workload Identity Mar 30, 2023
@stefanprodan stefanprodan changed the title Support Azure Workload Identity Support Workload Identity for Azure Vault Mar 31, 2023
@stefanprodan stefanprodan added enhancement New feature or request area/sops SOPS related issues and pull requests labels Mar 31, 2023
@stefanprodan stefanprodan mentioned this pull request Mar 31, 2023
Closed
15 tasks
@stefanprodan
Copy link
Member

@somtochiama can you please move the docs to the v1 API spec? Thanks

stefanprodan
stefanprodan approved these changes Apr 3, 2023
View reviewed changes
Copy link
Member

@stefanprodan stefanprodan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Thanks @somtochiama 🏅

@somtochiama somtochiama force-pushed the azidentity branch 2 times, most recently from 5a1b325 to 20d5c3d Compare April 3, 2023 10:15
@somtochiama @hiddeco
Add Workload Identity support for Azure Vault
45ad400 
Signed-off-by: Somtochi Onyekwere <[email protected]>
Co-authored-by: Hidde Beydals <[email protected]>
@stefanprodan stefanprodan merged commit 0ee92a5 into fluxcd:main Apr 3, 2023
@darkowlzz darkowlzz mentioned this pull request Apr 25, 2023
Merged
@somtochiama somtochiama mentioned this pull request May 25, 2023
Closed
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hiddeco hiddeco hiddeco left review comments

@stefanprodan stefanprodan stefanprodan approved these changes

Assignees
No one assigned
Labels
area/sops SOPS related issues and pull requests enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add support for Azure Workload Identity to secrets decryption
3 participants
@somtochiama @hiddeco @stefanprodan