
Unable to use Azure Workload Identity, AZURE_CLIENT_ID and AZURE_TENANT_ID are overwritten by chart. #1304

Closed
maciej-umanski opened this issue May 14, 2024 · 3 comments · Fixed by #1305
Labels
bug Something isn't working triage all new issues awaiting classification

Comments

@maciej-umanski
Contributor

maciej-umanski commented May 14, 2024

Describe the bug

While deploying EDC using "tractusx-connector-azure-vault" on Azure utilizing workload identity, the chart overrides the values that are attached automatically by the Azure webhook.

To Reproduce

Try to deploy EDC using tractusx-connector-azure-vault chart.

Expected behavior

Variables should be optional to allow for webhook to be attached properly.

Screenshots/Error Messages

Cause: [screenshot]

Actual behaviour: [screenshot]

Expected behaviour: [screenshot]

Context Information

n/a

Possible Implementation

Make variables "AZURE_CLIENT_ID" and "AZURE_TENANT_ID" optional.

@maciej-umanski maciej-umanski added bug Something isn't working triage all new issues awaiting classification labels May 14, 2024
@paullatzelsperger
Contributor

paullatzelsperger commented May 14, 2024

I took a brief look at the PR, and it looks OK, but before we move forward, could you please explain a bit more what the use case is? I haven't fully understood it. Is this because some Azure deployment mechanism writes the same env vars (AZURE_CLIENT_ID and AZURE_TENANT_ID)? Could you maybe point me to some documentation explaining this?

@maciej-umanski
Contributor Author

maciej-umanski commented May 14, 2024

Hello, sure :)

Generally, EDC updated the Azure libraries, which allows Azure federated credential authorization with managed identities. This is an automatic mechanism for Azure to authorize without any secrets and is fully managed by a Kubernetes webhook.
When you annotate the pod with the label azure.workload.identity/use: "true", the variables are automatically set on the pod, which allows the Azure libraries (example for Java) to authorize with these credentials.

https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview
https://learn.microsoft.com/en-us/azure/aks/learn/tutorial-kubernetes-workload-identity

The problem there is that Tractus-X, with the update to 0.7.0, changed the Azure authentication variables from EDC_VAULT_CLIENTID and EDC_VAULT_TENANTID to AZURE_CLIENT_ID and AZURE_TENANT_ID (source, point 6). The charts are overriding the variables that are created automatically by the workload identity webhook.
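The collision described in this thread is easy to catch before a deployment ever reaches the cluster: render the chart, then refuse any pod that carries the azure.workload.identity/use: "true" label and still hard-codes one of the variables the webhook injects. The following lint is an added example, not code from the issue, the EDC project or the tractusx-connector-azure-vault chart. It takes manifests as Python dicts (the two sample Deployments are constructed here to mirror the "before" and "after" rendering the issue asks for; the container and image names and the unrelated EDC_HOSTNAME variable are placeholders) and reports every conflicting variable, including ones rendered with an empty value, since the chart emitted them unconditionally.

```python
from __future__ import annotations

WORKLOAD_IDENTITY_LABEL = "azure.workload.identity/use"

# Environment variables the Azure Workload Identity mutating webhook injects
# into every container of a pod that carries the label above (see the AKS
# workload identity overview linked in the issue). A chart that sets any of
# these itself fights the webhook, which is exactly the bug reported here.
WEBHOOK_INJECTED_ENV = frozenset({
    "AZURE_CLIENT_ID",
    "AZURE_TENANT_ID",
    "AZURE_FEDERATED_TOKEN_FILE",
    "AZURE_AUTHORITY_HOST",
})


def pod_template(manifest: dict) -> dict:
    """Return the pod template of a workload resource (Deployment, StatefulSet,
    Job, ...) or the manifest itself for a bare Pod."""
    if manifest.get("kind") == "Pod":
        return manifest
    return manifest["spec"]["template"]


def uses_workload_identity(manifest: dict) -> bool:
    """True when the pod opts in to the webhook via the label."""
    labels = pod_template(manifest).get("metadata", {}).get("labels", {})
    return str(labels.get(WORKLOAD_IDENTITY_LABEL, "")).lower() == "true"


def hardcoded_conflicts(manifest: dict) -> list[tuple[str, str, str]]:
    """Return (container, env name, rendered value) for each env var that a
    workload-identity pod sets explicitly although the webhook injects it.

    An empty value is a conflict too: the chart in this issue rendered
    AZURE_CLIENT_ID / AZURE_TENANT_ID regardless of whether a value was
    configured, so the webhook-provided value never reached the Azure SDK.
    Pods without the label are left alone; there the explicit vars are the
    only credential source and are legitimate."""
    if not uses_workload_identity(manifest):
        return []
    spec = pod_template(manifest)["spec"]
    conflicts: list[tuple[str, str, str]] = []
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        for env in container.get("env", []):
            if env.get("name") in WEBHOOK_INJECTED_ENV:
                conflicts.append((container["name"], env["name"], env.get("value", "")))
    return conflicts


def _deployment(env: list[dict]) -> dict:
    """Constructed sample Deployment (not real chart output); container and
    image names are placeholders."""
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": "edc-controlplane"},
        "spec": {
            "template": {
                "metadata": {"labels": {WORKLOAD_IDENTITY_LABEL: "true"}},
                "spec": {
                    "serviceAccountName": "edc",
                    "containers": [
                        {"name": "controlplane", "image": "example/edc-controlplane", "env": env}
                    ],
                },
            }
        },
    }


# Pre-fix rendering: the Azure vars are emitted unconditionally, here with the
# empty values a deployment that relies on workload identity would leave them at.
BROKEN = _deployment([
    {"name": "EDC_HOSTNAME", "value": "edc.example.internal"},
    {"name": "AZURE_CLIENT_ID", "value": ""},
    {"name": "AZURE_TENANT_ID", "value": ""},
])

# Post-fix rendering (what "make the variables optional" produces): the vars
# are simply absent, so whatever the webhook injects is what the SDK sees.
FIXED = _deployment([
    {"name": "EDC_HOSTNAME", "value": "edc.example.internal"},
])


def lint(manifests: dict[str, dict]) -> dict[str, list[tuple[str, str, str]]]:
    """Lint several rendered manifests at once, keyed by a display name."""
    return {name: hardcoded_conflicts(m) for name, m in manifests.items()}


if __name__ == "__main__":
    for name, found in lint({"broken": BROKEN, "fixed": FIXED}).items():
        status = "OK" if not found else "CONFLICT"
        print(f"{name}: {status}")
        for container, var, value in found:
            print(f"  {container}: {var}={value!r} would shadow the webhook-injected value")
```

Run the script after `helm template` and feed it the parsed documents; a non-empty result means the chart, not the federated token, decides which identity the Azure SDK tries, and the pod will fail to authenticate exactly as the screenshots in this issue show.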

@paullatzelsperger
Contributor

ok got it. Just for the sake of completeness, this example shows the goings-on best I think.

paullatzelsperger pushed a commit that referenced this issue May 14, 2024
…1304 (#1305)

* fix: make azure vault related variables in deployment chart optional

* docs: update tractus-connector-azure-vault chart README