feat(oci): Add support for Azure Workload Identity #450
Conversation
@stefanprodan I see that the
@phillebaba might be something of your interest since we had a brief discussion on workload identity for external-dns and cert-manager.
@weisdd can you please rebase your PR with the main branch.
Force-pushed from 3c45a34 to 051443a
@stefanprodan done
Force-pushed from 051443a to b0760ad
@stefanprodan I've just rebased my branch again to resolve another round of merge conflicts (azidentity got recently updated in
Will ensure this gets in after #472, and before we tag the new package version. |
Force-pushed from b0760ad to 016294a
@hiddeco I think we need to do the same in kustomize-controller for SOPS decryption to work with workload identity.
@stefanprodan please file an issue for this in kustomize-controller as it would require changing some additional logic as well I think (https://github.com/fluxcd/kustomize-controller/blob/main/internal/sops/azkv/config.go#L67), and I won't be able to make time for it this week.
Need to test if the bump of
@hiddeco I think we should delay this further, I don't feel comfortable with shipping this in Flux v0.40.0 without any E2E tests.
Matches my thinking as I am concerned we would have issues with https://github.com/fluxcd/source-controller/blob/main/pkg/azure/blob.go#L87 as well.
To add support for Workload Identities. Signed-off-by: Igor Beliakov <[email protected]>
Force-pushed from 1186e0d to 99152a0
- github.com/aws/aws-sdk-go-v2 to v1.17.7
- github.com/aws/aws-sdk-go-v2/config to v1.18.19
- github.com/aws/aws-sdk-go-v2/credentials to v1.13.18
- github.com/aws/aws-sdk-go-v2/service/ecr to v1.18.7
- github.com/google/go-containerregistry to v0.14.0
- github.com/onsi/gomega to v1.27.4
Signed-off-by: Hidde Beydals <[email protected]>
Force-pushed from 99152a0 to a8d276c
As I pointed out here, we can add support for Azure Workload Identity to several controllers that rely on the `oci` package by just bumping the `azidentity` library to `v1.3.0-beta.2`. That is possible because the `oci` package itself relies on `NewDefaultAzureCredential` in case credentials are not passed explicitly while the updated function offers support for Workload Identity:

pkg/oci/auth/azure/auth.go, lines 65 to 69 in 946d9ac

The question is whether FluxCD team would accept the usage of `v1.3.0-beta.2` (which is very likely to land to `v1.3.0` as is) or would rather prefer to wait for several months till the Workload Identity AKS extension turns GA (as explained below, `azidentity` will have `v1.3.0` tag only after the extension is considered GA). This PR is meant to either have the change accepted or, if not, explicitly indicate the fact that the project is waiting for `v1.3.0`.

Details

Logs
```
source-controller-57774ccfc5-64bvd manager {"level":"info","ts":"2023-01-14T23:33:34.841Z","msg":"logging in to Azure ACR for fluxcdtestacr123.azurecr.io/charts","controller":"helmrepository","controllerGroup":"source.toolkit.fluxcd.io","controllerKind":"HelmRepository","HelmRepository":{"name":"charts","namespace":"flux-system"},"namespace":"flux-system","name":"charts","reconcileID":"8c61bb40-7a54-40a4-b7b0-e3a1fbe9b875"}
source-controller-57774ccfc5-64bvd manager {"level":"info","ts":"2023-01-14T23:33:35.400Z","msg":"Helm repository is ready","controller":"helmrepository","controllerGroup":"source.toolkit.fluxcd.io","controllerKind":"HelmRepository","HelmRepository":{"name":"charts","namespace":"flux-system"},"namespace":"flux-system","name":"charts","reconcileID":"8c61bb40-7a54-40a4-b7b0-e3a1fbe9b875"}
source-controller-57774ccfc5-64bvd manager {"level":"info","ts":"2023-01-14T23:38:35.444Z","msg":"logging in to Azure ACR for fluxcdtestacr123.azurecr.io/charts","controller":"helmrepository","controllerGroup":"source.toolkit.fluxcd.io","controllerKind":"HelmRepository","HelmRepository":{"name":"charts","namespace":"flux-system"},"namespace":"flux-system","name":"charts","reconcileID":"bb59958b-0c44-4b35-871f-f7679c37d097"}
source-controller-57774ccfc5-64bvd manager {"level":"info","ts":"2023-01-14T23:39:01.314Z","msg":"logging in to Azure ACR for fluxcdtestacr123.azurecr.io/charts","controller":"helmchart","controllerGroup":"source.toolkit.fluxcd.io","controllerKind":"HelmChart","HelmChart":{"name":"default-podinfo","namespace":"flux-system"},"namespace":"flux-system","name":"default-podinfo","reconcileID":"a0faa635-370a-4ad8-bb37-e60e16f3607c"}
source-controller-57774ccfc5-64bvd manager {"level":"info","ts":"2023-01-14T23:39:02.021Z","msg":"pulled 'base' chart with version '0.3.2'","controller":"helmchart","controllerGroup":"source.toolkit.fluxcd.io","controllerKind":"HelmChart","HelmChart":{"name":"default-podinfo","namespace":"flux-system"},"namespace":"flux-system","name":"default-podinfo","reconcileID":"a0faa635-370a-4ad8-bb37-e60e16f3607c"}
```
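The description above relies on the `oci` package falling back to `NewDefaultAzureCredential` when no explicit credentials are given, and on the bumped `azidentity` adding workload identity to that default chain. The following is an added diagnostic example, not Flux or `azidentity` code: it models that precedence and checks whether a pod actually carries what the workload-identity branch needs (the `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` and `AZURE_FEDERATED_TOKEN_FILE` variables injected by the workload identity webhook, plus a readable JWT-shaped projected token), so an operator can tell why a controller would silently land on managed identity instead. The function name and the `getenv`/`readFile` injection points are assumptions made for testability.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// Variables injected by the Azure Workload Identity webhook; azidentity's
// WorkloadIdentityCredential (in the DefaultAzureCredential chain from v1.3.0) reads them.
const (
	envClientID  = "AZURE_CLIENT_ID"
	envTenantID  = "AZURE_TENANT_ID"
	envTokenFile = "AZURE_FEDERATED_TOKEN_FILE"
)

// CredentialSource names the branch a controller would end up on.
type CredentialSource string

const (
	SourceExplicit         CredentialSource = "explicit-secret"
	SourceWorkloadIdentity CredentialSource = "workload-identity"
	SourceManagedIdentity  CredentialSource = "managed-identity-or-other-default"
)

// SelectCredentialSource is a hypothetical helper (not Flux code). Explicit credentials win;
// otherwise the default chain applies, and workload identity is only viable when all three
// injected variables are set and the projected token file holds a well-formed compact JWT.
func SelectCredentialSource(explicitClientID, explicitSecret string, getenv func(string) string, readFile func(string) ([]byte, error)) (CredentialSource, error) {
	if explicitClientID != "" && explicitSecret != "" {
		return SourceExplicit, nil
	}
	clientID, tenantID, tokenFile := getenv(envClientID), getenv(envTenantID), getenv(envTokenFile)
	if clientID == "" || tenantID == "" || tokenFile == "" {
		// Nothing injected: DefaultAzureCredential falls through to managed identity
		// or another default source, exactly as before the azidentity bump.
		return SourceManagedIdentity, nil
	}
	tok, err := readFile(tokenFile)
	if err != nil {
		return "", fmt.Errorf("workload identity configured but token file unreadable: %w", err)
	}
	// A projected service account token is a compact JWT: header.payload.signature.
	if parts := strings.Split(strings.TrimSpace(string(tok)), "."); len(parts) != 3 || parts[0] == "" || parts[1] == "" || parts[2] == "" {
		return "", errors.New("workload identity configured but token file is not a JWT")
	}
	return SourceWorkloadIdentity, nil
}

func main() {
	src, err := SelectCredentialSource("", "", os.Getenv, os.ReadFile)
	fmt.Println(src, err)
}
```

Run it inside the controller pod (or with the three variables set) to see which branch the default chain would take before relying on the bump.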