Use workload identity for azure cli when Federated token file is present #4939
Conversation
Skipping CI for Draft Pull Request.
Codecov Report: All modified and coverable lines are covered by tests ✅

Additional details and impacted files

@@ Coverage Diff @@
##             main    #4939      +/-   ##
==========================================
- Coverage   62.25%   62.24%   -0.02%
==========================================
  Files         201      201
  Lines       16912    16912
==========================================
- Hits        10529    10527       -2
- Misses       5590     5592       +2
  Partials      793      793

☔ View full report in Codecov by Sentry.
/lgtm
Seems like the right first step, so as not to break anything. I like your plan of action in the PR description. 👍🏻
LGTM label has been added. Git tree hash: 1ad89fce498c9d1e5d73f4822f4df9d3cc83499e
/test ls
@jackfrancis: The specified target(s) for
The following commands are available to trigger optional jobs:
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
/test pull-cluster-api-provider-azure-capi-e2e
This isn't a bugfix per se, but still I think we may want to cherry-pick this change in order to test it through test-infra.
/test pull-cluster-api-provider-azure-e2e-optional
/test pull-cluster-api-provider-azure-e2e-with-wi-optional
- use AZURE_FEDERATED_TOKEN_FILE while logging in via wi
- overload Azure client ID with Azure workload ID for WI based auth
- use auth mode for azure storage commands when using federated identity
- SC2086 use unquoted expansion with alt value

Signed-off-by: James Sturtevant <[email protected]>
/test pull-cluster-api-provider-azure-e2e-with-wi-optional
@@ -69,16 +68,16 @@ main() { | |||
echo "Building and pushing Linux and Windows amd64 Azure ACR credential provider" | |||
make -C "${AZURE_CLOUD_PROVIDER_ROOT}" bin/azure-acr-credential-provider bin/azure-acr-credential-provider.exe | |||
|
|||
if [[ "$(az storage container exists --name "${AZURE_BLOB_CONTAINER_NAME}" --query exists --output tsv)" == "false" ]]; then | |||
if [[ "$(az storage container exists ${ENABLE_AUTH_MODE_LOGIN:+"--auth-mode login"} --name "${AZURE_BLOB_CONTAINER_NAME}" --query exists --output tsv)" == "false" ]]; then |
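Review bot: the double quotes inside ${ENABLE_AUTH_MODE_LOGIN:+"--auth-mode login"} on the new line are honoured by the shell (the same rule that makes the classic ${1+"$@"} idiom work), so when the variable is set the expansion contributes one argument, "--auth-mode login", rather than the two tokens --auth-mode and login that az storage container exists parses. The unquoted form the commit message refers to, ${ENABLE_AUTH_MODE_LOGIN:+--auth-mode login}, is field-split into the two tokens and is what the SC2086 exception shows; suggest dropping the inner quotes and running the script once with ENABLE_AUTH_MODE_LOGIN set to confirm az accepts the flag.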
${ENABLE_AUTH_MODE_LOGIN:+"--auth-mode login"} is the penultimate workaround in the list of exceptions: SC2086#exceptions

Note that the value of ENABLE_AUTH_MODE_LOGIN is immaterial as long as it is set, for ${ENABLE_AUTH_MODE_LOGIN:+"--auth-mode login"} to evaluate to "--auth-mode login".
TIL
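The ${VAR:+word} behaviour discussed in the comment above, as an added example that is not code from the PR: it counts the words the expansion contributes to a command line with the variable set to "true", "false", "0" and empty, and contrasts the quoted word used in this PR with the unquoted form from the ShellCheck wiki. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the PR: what ${VAR:+word} contributes to a
# command line. Function names here are this example's own.

# Words contributed by the quoted form used in the PR. The double quotes
# inside ${VAR:+"..."} are honoured by the shell, so when VAR is set this
# expands to ONE word: "--auth-mode login".
quoted_flag_words() {
    ENABLE_AUTH_MODE_LOGIN=$1
    set -- ${ENABLE_AUTH_MODE_LOGIN:+"--auth-mode login"}
    echo "$#"
}

# Words contributed by the unquoted form. Without inner quotes the result is
# field-split, so when VAR is set this yields TWO words, --auth-mode and
# login, which is how az expects to receive the option and its value.
unquoted_flag_words() {
    ENABLE_AUTH_MODE_LOGIN=$1
    set -- ${ENABLE_AUTH_MODE_LOGIN:+--auth-mode login}
    echo "$#"
}

# Print each argument of a command line in brackets on its own line so the
# word boundaries are visible.
show_argv() {
    printf '[%s]\n' "$@"
}

# :+ tests "set and non-empty", not truthiness: "false" and "0" still switch
# the flag on; only an unset or empty variable leaves it out.
for value in true false 0 ""; do
    printf 'ENABLE_AUTH_MODE_LOGIN=%-7s quoted=%s unquoted=%s\n' \
        "\"$value\"" "$(quoted_flag_words "$value")" "$(unquoted_flag_words "$value")"
done

ENABLE_AUTH_MODE_LOGIN=true
echo "argv with the quoted form:"
show_argv az storage container exists ${ENABLE_AUTH_MODE_LOGIN:+"--auth-mode login"} --name demo
echo "argv with the unquoted form:"
show_argv az storage container exists ${ENABLE_AUTH_MODE_LOGIN:+--auth-mode login} --name demo
```

Running it shows the quoted form producing a single bracketed [--auth-mode login] argument while the unquoted form produces [--auth-mode] and [login]; the loop shows both forms treating "false" and "0" exactly like "true".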
/test pull-cluster-api-provider-azure-windows-custom-builds
Created and closed the PR kubernetes/test-infra#32938. Adding here for my reference.
/lgtm
LGTM label has been added. Git tree hash: 3866d1706d03a0465758caa8c982783d9830e1a8
/retitle Use workload identity for azure cli when Federated token file is present
/unhold
/lgtm
Thanks @nawazkh!
/lgtm
||
# Use --auth-mode "login" in az storage commands. | ||
ENABLE_AUTH_MODE_LOGIN="true" | ||
export ENABLE_AUTH_MODE_LOGIN |
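Review bot: the comment on the added lines reads as if the value "true" is what turns on --auth-mode login, but the script consumes the variable through ${ENABLE_AUTH_MODE_LOGIN:+...}, which only checks that it is non-empty, so ENABLE_AUTH_MODE_LOGIN="false" would enable the flag as well. Suggest saying so in the comment (any non-empty value enables it; unset or empty disables it) so nobody later tries to switch it off by setting "false". The assignment and export can also be a single line, export ENABLE_AUTH_MODE_LOGIN="true"; ShellCheck's SC2155 objection to combined declare-and-assign only applies when the value is a command substitution whose exit status would be masked.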
You can assign and export in one line, just fyi:
export ENABLE_AUTH_MODE_LOGIN="true"
I got a diff to use in the upcoming CAPZ test migration PR :)
Sometimes linter complains about assign + export in one line though!
@nawazkh: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Timed out.. :(
/test pull-cluster-api-provider-azure-e2e
Signed-off-by: James Sturtevant <[email protected]>

What type of PR is this?
/kind feature

What this PR does / why we need it:
ensure-azcli.sh will log in using AZURE_WORKLOAD_ID and --federated-token when AZURE_FEDERATED_TOKEN_FILE is available in the env.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
POC as part of https://github.com/kubernetes/test-infra/blob/master/docs/job-migration-todo.md and #4976

Special notes for your reviewer:
Once this PR merges preset-azure-cred-wi: "true" preset and dropping any unrelated credential presets.

cherry-pick candidate

TODOs:

Release note:
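The login selection the PR description outlines, as an added example that is not the PR's ensure-azcli.sh: when a readable AZURE_FEDERATED_TOKEN_FILE is present it logs in as a service principal with the workload client ID and --federated-token and switches ENABLE_AUTH_MODE_LOGIN on for later storage commands, otherwise it falls back to a client secret. AZURE_FEDERATED_TOKEN_FILE, AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_CLIENT_SECRET are the usual Azure variable names, AZURE_WORKLOAD_ID and ENABLE_AUTH_MODE_LOGIN are the names used in this PR, and the function names, the fake_az stand-in and all demo values are this example's own.

```shell
#!/bin/sh
# Added example, not the PR's ensure-azcli.sh: choose the az login mode from
# the environment. Function names, fake_az and the demo values are this
# example's own; the az flags used are real az login flags.

# Report which credential is usable: "federated" when a readable token file is
# present (workload identity), "secret" when a client secret is set, else "none".
azcli_login_mode() {
    if [ -n "${AZURE_FEDERATED_TOKEN_FILE:-}" ] && [ -r "$AZURE_FEDERATED_TOKEN_FILE" ]; then
        echo federated
    elif [ -n "${AZURE_CLIENT_SECRET:-}" ]; then
        echo secret
    else
        echo none
    fi
}

# Log in with whatever credential is present. $1 is the az command to run
# (default: az); the demo passes a stand-in so nothing reaches Azure.
azcli_login() {
    az_cmd=${1:-az}
    case "$(azcli_login_mode)" in
        federated)
            # Workload identity: the projected token is read from the file and
            # handed to --federated-token. The workload's client ID wins over
            # AZURE_CLIENT_ID, mirroring the PR's "overload" of the client ID.
            "$az_cmd" login --service-principal \
                --username "${AZURE_WORKLOAD_ID:-$AZURE_CLIENT_ID}" \
                --tenant "$AZURE_TENANT_ID" \
                --federated-token "$(cat "$AZURE_FEDERATED_TOKEN_FILE")"
            # This identity has no storage account key, so later az storage
            # commands must use --auth-mode login; this variable is the switch
            # the PR reads through ${ENABLE_AUTH_MODE_LOGIN:+...}.
            ENABLE_AUTH_MODE_LOGIN=true
            export ENABLE_AUTH_MODE_LOGIN
            ;;
        secret)
            "$az_cmd" login --service-principal \
                --username "$AZURE_CLIENT_ID" \
                --tenant "$AZURE_TENANT_ID" \
                --password "$AZURE_CLIENT_SECRET"
            ;;
        *)
            echo "no Azure credential found in the environment" >&2
            return 1
            ;;
    esac
}

# Stand-in for az: prints the arguments it was given, one per line, masking
# the value that follows --federated-token or --password so a real token or
# secret never lands in a CI log.
fake_az() {
    mask=0
    for arg in "$@"; do
        if [ "$mask" = 1 ]; then
            echo "<redacted>"
            mask=0
        else
            echo "$arg"
        fi
        case $arg in --federated-token|--password) mask=1 ;; esac
    done
}

# Demo with constructed values: a temporary file stands in for the projected
# service-account token that the cluster mounts into the pod.
AZURE_TENANT_ID=00000000-0000-0000-0000-000000000000
AZURE_CLIENT_ID=client-id-placeholder
AZURE_WORKLOAD_ID=workload-id-placeholder
AZURE_FEDERATED_TOKEN_FILE=$(mktemp)
echo "constructed.jwt.value" > "$AZURE_FEDERATED_TOKEN_FILE"
export AZURE_TENANT_ID AZURE_CLIENT_ID AZURE_WORKLOAD_ID AZURE_FEDERATED_TOKEN_FILE

echo "mode: $(azcli_login_mode)"
azcli_login fake_az
echo "ENABLE_AUTH_MODE_LOGIN=$ENABLE_AUTH_MODE_LOGIN"
rm -f "$AZURE_FEDERATED_TOKEN_FILE"
```

The mode check requires the token file to be readable, not merely named, so a job whose preset sets the variable without mounting the token falls through to the secret path (or fails loudly) instead of passing an empty token to az.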