Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

adding workload identity support for vn2 #67

Merged
merged 1 commit into from
Oct 21, 2024
Merged

adding workload identity support for vn2 #67

merged 1 commit into from
Oct 21, 2024

Conversation

SethHollandsworth
Copy link
Owner

Adding workload identity support. There are 4 env vars and 1 mount. The mount is already added by default at /serviceaccount so all we needed to do was add the env vars.

@SethHollandsworth SethHollandsworth added the enhancement New feature or request label Oct 21, 2024
@SethHollandsworth SethHollandsworth self-assigned this Oct 21, 2024
ksayid
ksayid reviewed Oct 21, 2024
View reviewed changes
Copy link
Collaborator

@ksayid ksayid left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in diff mode, if the difference in policy is due to the workload identity label, the user will get a list of the env vars that are added due to workload identity.

{
  "skr2": {
    "env_rules": [
      "environment variable with rule 'AZURE_CLIENT_ID=.+' is not in the policy",
      "environment variable with rule 'AZURE_TENANT_ID=.+' is not in the policy",
      "environment variable with rule 'AZURE_FEDERATED_TOKEN_FILE=.+' is not in the policy",
      "environment variable with rule 'AZURE_AUTHORITY_HOST=.+' is not in the policy"
    ]
  }
}

do you think the error message should make it more clear that these env vars are linked to the workload identity label azure.workload.identity/use: "true"

@SethHollandsworth
Copy link
Owner Author

in diff mode, if the difference in policy is due to the workload identity label, the user will get a list of the env vars that are added due to workload identity.

{
  "skr2": {
    "env_rules": [
      "environment variable with rule 'AZURE_CLIENT_ID=.+' is not in the policy",
      "environment variable with rule 'AZURE_TENANT_ID=.+' is not in the policy",
      "environment variable with rule 'AZURE_FEDERATED_TOKEN_FILE=.+' is not in the policy",
      "environment variable with rule 'AZURE_AUTHORITY_HOST=.+' is not in the policy"
    ]
  }
}

do you think the error message should make it more clear that these env vars are linked to the workload identity label azure.workload.identity/use: "true"

That sounds like a whole feature in itself. It would need to be done for other things like privileged/unprivileged, debug mode, stdio, zero sidecars, etc. I'll put it on the list of big things to do if there's time available

ksayid
ksayid approved these changes Oct 21, 2024
View reviewed changes
Copy link
Collaborator

@ksayid ksayid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@SethHollandsworth SethHollandsworth merged commit 18d10a4 into main Oct 21, 2024
@SethHollandsworth SethHollandsworth deleted the vn2_workload_identity branch October 21, 2024 14:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hgarvison hgarvison hgarvison approved these changes

@ksayid ksayid ksayid approved these changes

@stevendongatmsft stevendongatmsft Awaiting requested review from stevendongatmsft stevendongatmsft is a code owner

Assignees

@SethHollandsworth SethHollandsworth

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@SethHollandsworth @hgarvison @ksayid