(feat): add workload identity in capz #3583
Conversation
k8s-ci-robot
added
do-not-merge/release-note-label-needed
k8s-ci-robot
added
size/XL
sonasingh46
force-pushed
the
add_workload_identity_feature
branch
from
7b69287 to
093f50e
Compare
Codecov ReportPatch coverage:
Additional details and impacted files@@ Coverage Diff @@
## main #3583 +/- ##
==========================================
+ Coverage 53.74% 53.86% +0.11%
==========================================
Files 185 186 +1
Lines 18595 18768 +173
==========================================
+ Hits 9994 10109 +115
- Misses 8059 8116 +57
- Partials 542 543 +1
☔ View full report in Codecov by Sentry. |
sonasingh46
force-pushed
the
add_workload_identity_feature
branch
from
093f50e to
4bca1fc
Compare
|
/test pull-cluster-api-provider-azure-e2e-optional |
|
/test pull-cluster-api-provider-azure-e2e-optional |
sonasingh46
force-pushed
the
add_workload_identity_feature
branch
2 times, most recently
from
6675f0c to
65bd725
Compare
|
/test pull-cluster-api-provider-azure-e2e-optional |
sonasingh46
force-pushed
the
add_workload_identity_feature
branch
from
65bd725 to
49e1b0b
Compare
| } | ||
| w.TokenFilePath = tokenFilePath | ||
|
|
||
| // Fallback to using client ID from env variable if not set. |
There was a problem hiding this comment.
Is this the workaround for #3409?
I'm looking at that but not sure what needs to be fixed (yet).
There was a problem hiding this comment.
No.
It is still allowed to leave client ID and tenant ID fields on AzureClusterIdentity object to be empty. So this is fallback for cases where those fields are not set on AzureClusterIdentity.
So the behaviour is like this:
- CAPZ uses the tenant Id and the client ID as specified on AzureClusterIdentity.
- If client ID is not specified, it tries to read from the env.
- If tenant ID is not specified, it tries to read from the env.
There was a problem hiding this comment.
Is it not possible to make client ID and tenant ID mandatory if identity type is WorkloadIdentity? IMO having fallbacks to env vars could cause confusion and requires additional documentation on the behavior when both CRD and env vars are configured.
There was a problem hiding this comment.
Couple of things here:
- AzureClusterIdentity is referenced by AzureCluster.
- So if I want to create a workload cluster by using/referencing a AzureClusterIdentity capz should always use the IDs from it.
Also, I do not know why client ID and tenant ID are optionally required and not strictly required on AzureClusterIdentity.
So I am not sure if we should make a special case for workload identity, though it is possible to do so.
Having said that, if I leave the workload identity discussion aside, then still it makes more sense to use IDs present on AzureClusterIdentity. (e.g ManualServicePrincipal )
I am also thinking about the following in deciding the priority:
- Read IDs from AzureClusterIdentity and fall back to read ID from env if not present on it. Or
- Read IDs from env and fall back to using IDs present on AzureClusterIdentity.
Here [2] looks semantically confusing/incorrect to me.
There was a problem hiding this comment.
There was a problem hiding this comment.
I think it would make sense to make client ID and tenant ID required, AFAIK there is not Identity type that doesn't need them. Can we create an issue and do this as a follow up?
| } | ||
| w.TokenFilePath = tokenFilePath | ||
|
|
||
| // Fallback to using client ID from env variable if not set. |
There was a problem hiding this comment.
Is it not possible to make client ID and tenant ID mandatory if identity type is WorkloadIdentity? IMO having fallbacks to env vars could cause confusion and requires additional documentation on the behavior when both CRD and env vars are configured.
sonasingh46
force-pushed
the
add_workload_identity_feature
branch
from
49e1b0b to
26975ea
Compare
|
/test pull-cluster-api-provider-azure-e2e-optional |
|
/milestone v1.10 |
| @@ -169,7 +169,11 @@ E2E_CONF_FILE ?= $(ROOT_DIR)/test/e2e/config/azure-dev.yaml | |||
| E2E_CONF_FILE_ENVSUBST := $(ROOT_DIR)/test/e2e/config/azure-dev-envsubst.yaml | |||
| SKIP_CLEANUP ?= false | |||
| SKIP_LOG_COLLECTION ?= false | |||
| SKIP_CREATE_MGMT_CLUSTER ?= false | |||
| # @sonasingh46: Skip creating mgmt cluster for ci as workload identity needs kind cluster | |||
| # to be created with extra mounts for key pairs which is not yet supported | |||
There was a problem hiding this comment.
with extra mounts for key pairs which is not yet supported by existing e2e framework
did you open an issue in CAPI to add this support?
There was a problem hiding this comment.
I did not file it yet. I will file that.
There was a problem hiding this comment.
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 5f307cb6c4ca69db3a5c37049b9193be98a62d5f
|
|
Same here, looks good but please squash the commits. |
sonasingh46
force-pushed
the
add_workload_identity_feature
branch
from
7cc5115 to
1e8894c
Compare
k8s-ci-robot
removed
the
lgtm
k8s-ci-robot
added
the
needs-rebase
Signed-off-by: Ashutosh Kumar <[email protected]>
sonasingh46
force-pushed
the
add_workload_identity_feature
branch
from
1e8894c to
5f39919
Compare
k8s-ci-robot
removed
the
needs-rebase
|
/test pull-cluster-api-provider-azure-e2e-optional |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: ee587a12aa7c6454ed6db4650935832ffec7feec
|
|
@mboersma -- I created one here |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: CecileRobertMichon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/override coverage |
|
@mboersma: /override requires failed status contexts, check run or a prowjob name to operate on.
Only the following failed contexts/checkruns were expected:
If you are trying to override a checkrun that has a space in it, you must put a double quote on the context. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@mboersma the PR might need a rebase to get past the codecov changes since we moved to the app now? cc @willie-yao |
|
@sonasingh46 force-pushed it 6 hours ago, was it not rebased on |
|
There's no rebasing to be done here AFAICT, it's already based on the last commit from July 9 (yesterday). Edit: I just had to run the codecov action again. 🤦🏻 Congratulations @sonasingh46!! Great work, and thanks for your dedication! |
What type of PR is this?
This PR enables Workload Identity capability in capz.
What this PR does / why we need it:
Implementation of proposal #2814
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #3588
Partly fixes #2205
Special notes for your reviewer:
TODOs:
Release note: