skip using azwi mwh which is optional

Signed-off-by: Ashutosh Kumar <[email protected]>

Tiltfile

@@ -23,7 +23,6 @@ settings = {
     "cert_manager_version": "v1.11.1",
     "kubernetes_version": "v1.25.6",
     "aks_kubernetes_version": "v1.25.6",
-    "azwi_version": "v1.1.0",
     "flatcar_version": "3374.2.1",
 }
 
@@ -47,13 +46,6 @@ if "allowed_contexts" in settings:
 if "default_registry" in settings:
     default_registry(settings.get("default_registry"))
 
-# deploy AZWI webhook
-def deploy_azwi():
-    version = settings.get("azwi_version")
-    azwi_uri = "https://github.com/Azure/azure-workload-identity/releases/download/{}/azure-wi-webhook.yaml".format(version)
-    cmd = "curl -sSL {} | {} | {} apply -f -".format(azwi_uri, envsubst_cmd, kubectl_cmd)
-    local(cmd, quiet = True)
-
 # deploy CAPI
 def deploy_capi():
     version = settings.get("capi_version")
@@ -443,8 +435,6 @@ load("ext://cert_manager", "deploy_cert_manager")
 if settings.get("deploy_cert_manager"):
     deploy_cert_manager(version = settings.get("cert_manager_version"))
 
-deploy_azwi()
-
 deploy_capi()
 
 create_identity_secret()

azure/scope/workload_identity.go

@@ -56,6 +56,8 @@ const (
 	AzureClientIDEnvKey = "AZURE_CLIENT_ID"
 	// AzureTenantIDEnvKey is the env key for AZURE_TENANT_ID.
 	AzureTenantIDEnvKey = "AZURE_TENANT_ID"
+	// AzureTokenFilePath is the path of the projected token.
+	AzureTokenFilePath = "/var/run/secrets/azure/tokens/azure-identity-token" // #nosec G101
 )
 
 type workloadIdentityCredential struct {
@@ -94,7 +96,7 @@ func (w *WorkloadIdentityCredentialOptions) WithTenantID(tenantID string) *Workl
 func GetProjectedTokenPath() (string, error) {
 	tokenPath := os.Getenv(AzureFedratedTokenFileEnvKey)
 	if strings.TrimSpace(tokenPath) == "" {
-		return "", errors.New("projected token path not injected")
+		return AzureTokenFilePath, nil
 	}
 	return tokenPath, nil
 }

config/manager/manager.yaml

@@ -31,6 +31,10 @@ spec:
           image: controller:latest
           imagePullPolicy: Always
           name: manager
+          volumeMounts:
+            - mountPath: /var/run/secrets/azure/tokens
+              name: azure-identity-token
+              readOnly: true
           ports:
             - containerPort: 9440
               name: healthz
@@ -78,3 +82,13 @@ spec:
           key: node-role.kubernetes.io/master
         - effect: NoSchedule
           key: node-role.kubernetes.io/control-plane
+      volumes:
+      - name: azure-identity-token
+        projected:
+          defaultMode: 420
+          sources:
+          - serviceAccountToken:
+              audience: api://AzureADTokenExchange
+              expirationSeconds: 3600
+              path: azure-identity-token
+

test/e2e/e2e_suite_test.go

@@ -179,10 +179,6 @@ func setupBootstrapCluster(config *clusterctl.E2EConfig, useExistingCluster bool
 }
 
 func initBootstrapCluster(bootstrapClusterProxy framework.ClusterProxy, config *clusterctl.E2EConfig, clusterctlConfig, artifactFolder string) {
-	// This deploys azwi webhook. It is important that azwi webhook config gets deployed before capz config as capz
-	// depends on env var and projected service account token volume.
-	// ToDo: @sonasingh46 : deploy azwi as part of init mgmt cluster.
-	deployAzwiWebhook(bootstrapClusterProxy)
 	clusterctl.InitManagementClusterAndWatchControllerLogs(context.TODO(), clusterctl.InitManagementClusterAndWatchControllerLogsInput{
 		ClusterProxy:            bootstrapClusterProxy,
 		ClusterctlConfigPath:    clusterctlConfig,
@@ -199,12 +195,3 @@ func tearDown(bootstrapClusterProvider bootstrap.ClusterProvider, bootstrapClust
 		bootstrapClusterProvider.Dispose(context.TODO())
 	}
 }
-
-func deployAzwiWebhook(bootstrapClusterProxy framework.ClusterProxy) {
-	path, _ := os.Getwd()
-	yamlBytes, err := os.ReadFile("config/azwi.yaml")
-	Expect(err).To(BeNil(), "failed to read workload identity webhook config: %s: %s", err, path)
-
-	err = bootstrapClusterProxy.Apply(context.TODO(), yamlBytes)
-	Expect(err).To(BeNil(), "failed to deploy workload identity webhook: %s", err)
-}