Resurrect Workload Identity Work

[ledbutter]

Why the changes in this PR are needed?

To allow for Azure kubernetes deployments to utilize workload identity, their newer approach to federating with identity providers.

What are the changes in this PR?

Adding new client credential attributes to support workload identity.

Notes to assist PR review:

Based on discussion in #6012

Further comments:

This is resurrecting the work started in #6014 and closed without explanation. Given the specialized support for AWS KMS, I could foresee the original approach here should be changed to more closely follow that approach.

[netlify]

✅ Deploy Preview for openpolicyagent ready!

Name	Link
🔨 Latest commit	23a9f9a
🔍 Latest deploy log	https://app.netlify.com/sites/openpolicyagent/deploys/6682c2be479cc10008692d86
😎 Deploy Preview	https://deploy-preview-6802--openpolicyagent.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[anderseknert]

Thanks for working on this! The change looks good to me. I'll assume you've tested this against Azure :)

[ledbutter]

Thanks for working on this! The change looks good to me. I'll assume you've tested this against Azure :)

Actually an unsafe assumption: we are still in the evaluation phase for OPA so no established deployments but we do have Azure environments with workload identity configured so I will try this out tomorrow.

[ledbutter]

Thanks for working on this! The change looks good to me. I'll assume you've tested this against Azure :)

Actually an unsafe assumption: we are still in the evaluation phase for OPA so no established deployments but we do have Azure environments with workload identity configured so I will try this out tomorrow.

I'm struggling to get the docker image to build locally (Mac M1, corporate network blocking download of the chainguard base images), so I've been trying to grab the image generated via the workflow and deploy it to my AKS cluster, but I'm seeing unexpected behavior (leading me to believe it isn't actually my work):

services:
  azure_storage_account:
    url: ${STORAGE_ACCOUNT_URL}
    headers:
      x-ms-version: 2017-11-09
    response_header_timeout_seconds: 5
    credentials:
      oauth2:
        grant_type: client_credentials
        client_id: ${AZURE_CLIENT_ID}
        client_assertion_path: /var/run/secrets/azure/tokens/azure-identity-token
        token_url: https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token
        scopes:
          - https://storage.azure.com/.default

bundles:
  authz:
    service: azure_storage_account
    resource: opa/policy.rego
    persist: true
    polling:
      min_delay_seconds: 60
      max_delay_seconds: 120

Is there a reliable image tag generated from my PR branch that I can reference?

I've pushed the latest tests to try to validate the rest-level config is getting picked up properly.

[ledbutter]

Further confirming this, if I just run the binary locally, I get an expected error (since I don't have that file locally):

[ledbutter]

@anderseknert Ok, after much finagling, I got this working (with the latest changes to include client_id in the body):

Service config:

services:
  azure_storage_account:
    url: https://${MY_STORAGE_ACCOUNT}.blob.core.windows.net/
    headers:
      x-ms-version: 2017-11-09
    response_header_timeout_seconds: 5
    credentials:
      oauth2:
        grant_type: client_credentials
        client_id: "${AZURE_CLIENT_ID}"
        client_assertion_path: "${AZURE_FEDERATED_TOKEN_FILE}"
        token_url: "${AZURE_AUTHORITY_HOST}/${AZURE_TENANT_ID}/oauth2/v2.0/token"
        scopes:
          - https://storage.azure.com/.default

bundles:
  authz:
    service: azure_storage_account
    resource: opa/policies.tar.gz
    persist: true
    polling:
      min_delay_seconds: 60
      max_delay_seconds: 120

deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: opa
  labels:
    app: opa
spec:
  replicas: 1
  selector:
    matchLabels:
      app: opa
  template:
    metadata:
      labels:
        app: opa
        azure.workload.identity/use: "true"
      name: opa
    spec:
      serviceAccountName: ${my_workload_identity_service}
      containers:
      - name: opa
        image: ${OPA_IMAGE}
        imagePullPolicy: Always
        ports:
        - name: http
          containerPort: 8181
        args:
        - "run"
        - "--ignore=.*"  # exclude hidden dirs created by Kubernetes
        - "--server"
        - "--config-file=/config/service.yml"
        volumeMounts:
        - readOnly: true
          mountPath: /config
          name: config
        - mountPath: /.opa
          name: opa-volume
      volumes:
      - name: config
        configMap:
          name: workload-config
      - name: opa-volume
        emptyDir: {}

[anderseknert]

@ledbutter sorry for my delayed response! Happy to hear that! I'll take a closer look tonight 👍

[anderseknert]

Code looks good to me! There's no documentation provided in this PR though. Could you please add docs for the new configuration attributes, and perhaps something like the example you provided here for how to set this up? Thanks!

[ledbutter]

Code looks good to me! There's no documentation provided in this PR though. Could you please add docs for the new configuration attributes, and perhaps something like the example you provided here for how to set this up? Thanks!

I added some docs, I tried to follow the existing layout/format, let me know if you want something more involved.

[anderseknert]

Looks great! Thank you @ledbutter 👏