Add new format for AKS OIDC issuer #971
Conversation
config/fulcio-config.yaml
@@ -52,6 +52,10 @@ data: | |||
"https://oidc.prod-aks.azure.com/*": { |
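Review bot: the new entries added after the `"https://oidc.prod-aks.azure.com/*"` context line should carry a YAML comment recording where the regional `REGION.oic.prod-aks.azure.com` format was observed and that Azure has not published documentation for it yet (as the thread notes), so a future maintainer can tell the two AKS patterns apart and retire the right one once Microsoft documents the canonical form.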
Do you have any documentation from Azure about this? Is there a migration ongoing? I would assume this has to do with providing regionalized OIDC providers.
There are a few references in the Azure org to this new URL - https://cs.github.com/?scopeName=All+repos&scope=&q=oic.prod-aks.azure.com+org%3Aazure
Contrast to https://cs.github.com/?scopeName=All+repos&scope=&q=https%3A%2F%2Foidc.prod-aks.azure.com+org%3Aazure, with more references in code.
I can't find any public documentation about this, but seems fine to me.
Unfortunately I couldn't find any documentation on this. I actually don't have much more information than what you could find (I'm not associated with Azure/Microsoft).
The only thing I do know is that:
- I created the AKS cluster on December 20th in the East US region, following the same steps referenced in Add AKS as a meta issuer #384 (these docs)
- The OIDC issuer URL that I got is different from what's currently configured: https://eastus.oic.prod-aks.azure.com/****
- When I tried to use cosign in keyless mode with the projected service account token, it failed with a 401, and I suspected this was the reason.
I posted a question on their discussion forum (https://learn.microsoft.com/en-us/answers/questions/1162598/what-is-the-canonical-format-of-the-oidc-issuer-ur) asking about this. Hopefully someone from Microsoft can answer and give us some concrete info we can rely on!
Also posted on their main AKS issue for the feature (since that pings the right team): Azure/AKS#1480 (comment)
UPDATE: I got a response from Microsoft support on the learn Q&A ticket which isn't definitive, but is another data point that the format appears to be https://REGION.oic.prod-aks.azure.com/***.
Is that sufficient data for adding this in? If not, is there something else I can do to unblock myself (e.g., is there a way for me to run a custom fulcio instance and link with the public rekor. I think in theory that's possible but not sure...)?
FWIW, I've also opened a ticket on the Microsoft docs page requesting for the format to be documented.
Yes it is, thanks for checking!
Can you fix the failing test? I believe you need to update another file
Ah didn't realize I needed to update another place! Done!
Can you kick off another build please? Thanks!
Codecov Report
@@ Coverage Diff @@
## main #971 +/- ##
==========================================
+ Coverage 53.37% 53.50% +0.12%
==========================================
Files 37 37
Lines 2325 2325
==========================================
+ Hits 1241 1244 +3
+ Misses 992 990 -2
+ Partials 92 91 -1
Signed-off-by: Yoriyasu Yano <430092+yorinasub17@users.noreply.github.com>
…erated Signed-off-by: Yoriyasu Yano <430092+yorinasub17@users.noreply.github.com>
@haydentherapper Looks like the build failed again, and I see what I did wrong, so this time I generated the file locally and pushed the diff (3289328). I believe this should cause the test to pass now!
Thanks! I'll get this checked in and rolled out to prod soon after.
Closes #970
Summary
This adds the newly detected OIDC Issuer URL format for AKS clusters as an additional meta issuer. I added a new one instead of replacing the existing one in case that issuer URL is being used under different circumstances.
Release Note
Documentation
N/A
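As an added illustration of why the regional AKS issuer URL was rejected until a second meta-issuer glob existed, here is a small Go program (written for this page, not Fulcio's own code and not part of this PR) that looks an issuer URL up in a constructed meta-issuer table. The glob matcher is a simplified assumption in which `*` matches any run of characters, including `/`; the tenant and cluster path segments are placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed meta-issuer table in the spirit of fulcio-config.yaml: each key
// is a glob over the token's issuer URL. The first entry is the one already in
// the config; the second is the regional format reported in this thread.
var metaIssuers = []string{
	"https://oidc.prod-aks.azure.com/*",
	"https://*.oic.prod-aks.azure.com/*",
}

// matchGlob is a simplified matcher (an assumption for this example, not
// Fulcio's implementation): `*` matches any run of characters, everything
// else must match literally, and the pattern must cover the whole string.
func matchGlob(pattern, s string) bool {
	parts := strings.Split(pattern, "*")
	if len(parts) == 1 {
		return pattern == s
	}
	if !strings.HasPrefix(s, parts[0]) {
		return false
	}
	s = s[len(parts[0]):]
	for _, p := range parts[1 : len(parts)-1] {
		i := strings.Index(s, p)
		if i < 0 {
			return false
		}
		s = s[i+len(p):]
	}
	return strings.HasSuffix(s, parts[len(parts)-1])
}

// lookupIssuer returns the first pattern matching the issuer URL, or "" when
// none does, which is the case that surfaces to cosign as a 401.
func lookupIssuer(issuerURL string) string {
	for _, pat := range metaIssuers {
		if matchGlob(pat, issuerURL) {
			return pat
		}
	}
	return ""
}

func main() {
	// Constructed issuer URLs: the pre-existing format, the regional format
	// from the thread, and an unrelated issuer that must not match either.
	for _, iss := range []string{
		"https://oidc.prod-aks.azure.com/TENANT-PLACEHOLDER/CLUSTER-PLACEHOLDER/",
		"https://eastus.oic.prod-aks.azure.com/TENANT-PLACEHOLDER/CLUSTER-PLACEHOLDER/",
		"https://token.actions.githubusercontent.com",
	} {
		fmt.Printf("%s -> %q\n", iss, lookupIssuer(iss))
	}
}
```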