Support Azure Workload Identities #5085
Comments
jetstack-bot
added
the
kind/feature
|
We should keep an eye on Azure/go-autorest#680. Once this PR is merged it should be fairly straightforward to implement in cert-manager. |
|
Azure/go-autorest#680 has been merged. The latest version (github.com/Azure/go-autorest/autorest/adal v0.9.20) includes it. I have previously hacked together an implementation using the feature branch. I can try to have a go at doing a proper PR on this, but I'll only be able to do so in a few weeks' time. This is how I did it though (in pkg/issuer/acme/dns/azuredns/azuredns.go) if someone wants to have a go: logf.Log.V(logf.InfoLevel).Info("azuredns authenticating with Azure Workload Identity")
awiClientId := os.Getenv("AZURE_CLIENT_ID")
awiTenantId := os.Getenv("AZURE_TENANT_ID")
jwtBytes, err := ioutil.ReadFile(os.Getenv("AZURE_FEDERATED_TOKEN_FILE"))
if err != nil {
return nil, fmt.Errorf("Failed to get Azure Workload Identity token for file: %v", err)
}
jwt := string(jwtBytes)
oauthConfig, err := adal.NewOAuthConfig(env.ActiveDirectoryEndpoint, awiTenantId)
if err != nil {
return nil, fmt.Errorf("failed to retrieve OAuth config: %v", err)
}
spt, err := adal.NewServicePrincipalTokenFromFederatedToken(*oauthConfig, awiClientId, jwt, env.ResourceManagerEndpoint) |
Nice - maybe do a PR and it can get merged? |
|
Related Slack conversation https://kubernetes.slack.com/archives/C4NV3DWUC/p1655641139820009 |
irbekrm
added
the
priority/important-longterm
|
I've been testing out the preview of AWI and hitting blocks like this with various tooling that doesn't yet support the federated auth. Looking forward to this support in cert-manager |
|
Issues go stale after 90d of inactivity. |
jetstack-bot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. |
jetstack-bot
added
lifecycle/rotten
|
@karlschriek sorry to bother you, but I was wondering if you could shed some light on this issue? I'm looking for replacing deprecated aad pod identity. Thanks! |
Azure recently added Azure Workload Identities (see https://github.com/Azure/azure-workload-identity and https://azure.github.io/azure-workload-identity/docs/) to AKS. Officially the functionality is still in Preview, but the approach is quite stable and we are already using it in various production situations.
AWI is essentially the equivalent of AWS's IAM Roles for Service Accounts and works the same. I.e, your cluster becomes an OIDC identity provider and a specific service account in a specific namespace can be designated as federated principal to which Azure IAM roles can be attached. This is significantly more secure than using credentials (i.e. Service Principals with client secrets) or Managed Service Identities (for which the whole Node is able to assume the identity).
Also similarly to IRSA, AWI works by annotating a Service Account, as follows:
By attaching this ServiceAccount to a Pod, we get the following env vars in the Pod:
At the location
AZURE_FEDERATED_TOKEN_FILEa temporary token is mounted. To be able to use this we would just need to configure Azure authentication to use theAZURE_FEDERATED_TOKEN_FILEfor login.I would really love to see this supported in cert-manager.
/kind feature
The text was updated successfully, but these errors were encountered: