
Support Azure Workload Identities #5085

Closed
karlschriek opened this issue May 2, 2022 · 8 comments · Fixed by #5570
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.

Comments

@karlschriek commented May 2, 2022

Azure recently added Azure Workload Identities (see https://github.com/Azure/azure-workload-identity and https://azure.github.io/azure-workload-identity/docs/) to AKS. Officially the functionality is still in Preview, but the approach is quite stable and we are already using it in various production situations.

AWI is essentially the equivalent of AWS's IAM Roles for Service Accounts and works the same. I.e., your cluster becomes an OIDC identity provider and a specific service account in a specific namespace can be designated as a federated principal to which Azure IAM roles can be attached. This is significantly more secure than using credentials (i.e. Service Principals with client secrets) or Managed Service Identities (for which the whole Node is able to assume the identity).

Also similarly to IRSA, AWI works by annotating a Service Account, as follows:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
  namespace: external-dns
  labels:
    azure.workload.identity/use: 'true'
  annotations:
    azure.workload.identity/client-id: bbbbbbbb-xxx-yyyyy-mmmm-rrrrrrrrrr
    azure.workload.identity/service-account-token-expiration: '86400'
    azure.workload.identity/tenant-id: yyyyyyy-xxx-zzzz-xxxx-rrrrrrrrrrrrr
```

By attaching this ServiceAccount to a Pod, we get the following env vars in the Pod:

```
AZURE_AUTHORITY_HOST: https://login.microsoftonline.com/
AZURE_CLIENT_ID: bbbbbbbb-xxx-yyyyy-mmmm-rrrrrrrrrr
AZURE_FEDERATED_TOKEN_FILE: /var/run/secrets/azure/tokens/azure-identity-token
AZURE_TENANT_ID: yyyyyyy-xxx-zzzz-xxxx-rrrrrrrrrrrrr
```

At the location AZURE_FEDERATED_TOKEN_FILE a temporary token is mounted. To be able to use this we would just need to configure Azure authentication to use the AZURE_FEDERATED_TOKEN_FILE for login.

I would really love to see this supported in cert-manager.

/kind feature
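As an added example (not code from this issue, from cert-manager or from the azure-workload-identity project), the Go program below decodes the projected token found at AZURE_FEDERATED_TOKEN_FILE and checks the claims that Azure AD matches against the federated credential before a workload hands the token over: `sub` must be `system:serviceaccount:<namespace>:<name>` for the annotated ServiceAccount, `aud` must contain `api://AzureADTokenExchange`, and `exp` must still be in the future. It does not verify the signature, since Azure AD is the verifier. The issuer URL, key id and signature segment in the constructed sample token are placeholders, and the function names are this example's own; inside a pod it inspects the real token file instead.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"strings"
	"time"
)

// FederatedTokenClaims is the subset of the projected token's claims that Azure AD
// matches against the federated credential: iss (the cluster's OIDC issuer), sub
// (the service account), aud (the exchange audience) and exp (the token lifetime).
type FederatedTokenClaims struct {
	Issuer   string   `json:"iss"`
	Subject  string   `json:"sub"`
	Audience audience `json:"aud"`
	Expiry   int64    `json:"exp"`
}

// audience accepts "aud" as either a JSON string or an array of strings; both are
// valid JWT, and a single-audience token is commonly emitted as a bare string.
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("aud is neither a string nor an array: %w", err)
	}
	*a = audience(many)
	return nil
}

// azureExchangeAudience is the audience a workload identity federated credential is
// created for; a token without it is rejected at the exchange.
const azureExchangeAudience = "api://AzureADTokenExchange"

// decodeClaims base64url-decodes the payload segment of the compact JWS. It does NOT
// verify the signature: Azure AD verifies it against the cluster's JWKS via the OIDC
// issuer; the workload only inspects what it is about to present.
func decodeClaims(token string) (*FederatedTokenClaims, error) {
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected 3 JWT segments, got %d", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	}
	var c FederatedTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("parsing claims: %w", err)
	}
	return &c, nil
}

// checkClaims enforces what a pod should expect of its own token: bound to the
// intended namespace/service account, minted for the exchange audience, not expired.
func checkClaims(c *FederatedTokenClaims, namespace, saName string, now time.Time) error {
	wantSub := fmt.Sprintf("system:serviceaccount:%s:%s", namespace, saName)
	if c.Subject != wantSub {
		return fmt.Errorf("sub is %q, want %q", c.Subject, wantSub)
	}
	found := false
	for _, a := range c.Audience {
		found = found || a == azureExchangeAudience
	}
	if !found {
		return fmt.Errorf("aud %v lacks %q", []string(c.Audience), azureExchangeAudience)
	}
	if exp := time.Unix(c.Expiry, 0); !now.Before(exp) {
		return fmt.Errorf("token expired at %s", exp.UTC().Format(time.RFC3339))
	}
	return nil
}

// sampleToken builds a constructed, unsigned token in the shape the kubelet projects
// (issuer and signature segment are placeholders) so the example runs outside a cluster.
func sampleToken(sub string, aud interface{}, exp int64) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := map[string]string{"alg": "RS256", "kid": "constructed"}
	payload := map[string]interface{}{"iss": "https://issuer.example.invalid/",
		"sub": sub, "aud": aud, "exp": exp, "iat": exp - 3600}
	return enc(header) + "." + enc(payload) + ".placeholder-signature"
}

func main() {
	token := sampleToken("system:serviceaccount:external-dns:external-dns", azureExchangeAudience, time.Now().Add(time.Hour).Unix())
	if b, err := os.ReadFile(os.Getenv("AZURE_FEDERATED_TOKEN_FILE")); err == nil {
		token = string(b) // inside a pod: inspect the real projected token instead
	}
	c, err := decodeClaims(token)
	if err != nil {
		fmt.Println("decode:", err)
		return
	}
	fmt.Printf("iss=%s sub=%s aud=%v exp=%d\n", c.Issuer, c.Subject, []string(c.Audience), c.Expiry)
	fmt.Println("check:", checkClaims(c, "external-dns", "external-dns", time.Now()))
}
```

The `sub` check is the whole point of the scheme: the federated credential on the Azure side names exactly one namespace/service-account pair, so a pod that reads the token file can confirm which identity it is about to act as, and a token copied from a different namespace fails the check even though it is a valid cluster token.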

@jetstack-bot jetstack-bot added the kind/feature Categorizes issue or PR as related to a new feature. label May 2, 2022
@karlschriek (Author)

We should keep an eye on Azure/go-autorest#680. Once this PR is merged it should be fairly straightforward to implement in cert-manager.

@karlschriek (Author) commented Jun 2, 2022

Azure/go-autorest#680 has been merged. The latest version (github.com/Azure/go-autorest/autorest/adal v0.9.20) includes it.

I have previously hacked together an implementation using the feature branch. I can try to have a go at doing a proper PR on this, but I'll only be able to do so in a few weeks' time.

This is how I did it though (in pkg/issuer/acme/dns/azuredns/azuredns.go) if someone wants to have a go:

```go
// Placeholder function name; `env` is the azure.Environment the file already resolves
// and `logf` its existing logger. Imports needed beyond those: fmt, io/ioutil, os,
// github.com/Azure/go-autorest/autorest/adal, github.com/Azure/go-autorest/autorest/azure.
func newWorkloadIdentityToken(env azure.Environment) (*adal.ServicePrincipalToken, error) {
	logf.Log.V(logf.InfoLevel).Info("azuredns authenticating with Azure Workload Identity")

	// Injected by the workload identity webhook when the pod uses the annotated ServiceAccount.
	awiClientId := os.Getenv("AZURE_CLIENT_ID")
	awiTenantId := os.Getenv("AZURE_TENANT_ID")

	// The projected service account token that Azure AD accepts as a client assertion.
	jwtBytes, err := ioutil.ReadFile(os.Getenv("AZURE_FEDERATED_TOKEN_FILE"))
	if err != nil {
		return nil, fmt.Errorf("failed to read Azure Workload Identity token file: %v", err)
	}
	jwt := string(jwtBytes)

	oauthConfig, err := adal.NewOAuthConfig(env.ActiveDirectoryEndpoint, awiTenantId)
	if err != nil {
		return nil, fmt.Errorf("failed to retrieve OAuth config: %v", err)
	}

	// Added in adal v0.9.20 (Azure/go-autorest#680): exchanges the federated token for an
	// ARM token instead of presenting a client secret.
	spt, err := adal.NewServicePrincipalTokenFromFederatedToken(*oauthConfig, awiClientId, jwt, env.ResourceManagerEndpoint)
	if err != nil {
		return nil, fmt.Errorf("failed to create service principal token from federated token: %v", err)
	}
	return spt, nil
}
```
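The exchange that the adal call in the comment drives, written out as an added example (not cert-manager or go-autorest code): the workload POSTs the projected token to the tenant's OAuth 2.0 token endpoint as an RFC 7523 client assertion (`client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer`) and receives an access token for the requested scope. It is written against the v2.0 endpoint with the standard library only and runs against an in-process stand-in for login.microsoftonline.com so it executes offline. The stand-in endpoint, the temporary token file and the helper names are this example's own; the client and tenant IDs are the placeholder values from the issue, while the assertion type and the `https://management.azure.com/.default` scope are the real ones.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// clientAssertionType is the RFC 7523 assertion type Azure AD expects when a
// federated token stands in for a client secret.
const clientAssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

// FederatedCredential holds the four values the workload identity webhook injects.
type FederatedCredential struct {
	AuthorityHost string // AZURE_AUTHORITY_HOST, e.g. https://login.microsoftonline.com/
	TenantID      string // AZURE_TENANT_ID
	ClientID      string // AZURE_CLIENT_ID
	TokenFile     string // AZURE_FEDERATED_TOKEN_FILE
}

// tokenEndpoint is the tenant's v2.0 client-credentials endpoint.
func (c FederatedCredential) tokenEndpoint() string {
	return strings.TrimRight(c.AuthorityHost, "/") + "/" + c.TenantID + "/oauth2/v2.0/token"
}

// exchangeForm builds the request body. The token file is re-read on every call rather
// than cached at startup: the kubelet rotates the projected token, and a string captured
// once stops being accepted after the configured expiration.
func (c FederatedCredential) exchangeForm(scope string) (url.Values, error) {
	assertion, err := os.ReadFile(c.TokenFile)
	if err != nil {
		return nil, fmt.Errorf("reading federated token: %w", err)
	}
	return url.Values{
		"grant_type":            {"client_credentials"},
		"client_id":             {c.ClientID},
		"client_assertion_type": {clientAssertionType},
		"client_assertion":      {strings.TrimSpace(string(assertion))},
		"scope":                 {scope},
	}, nil
}

// AccessToken is the part of the token response a caller needs.
type AccessToken struct {
	AccessToken string `json:"access_token"`
	ExpiresIn   int64  `json:"expires_in"`
	TokenType   string `json:"token_type"`
}

// Exchange POSTs the assertion and returns the access token for the scope.
func (c FederatedCredential) Exchange(ctx context.Context, client *http.Client, scope string) (*AccessToken, error) {
	form, err := c.exchangeForm(scope)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, c.tokenEndpoint(), strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		body, _ := io.ReadAll(resp.Body)
		return nil, fmt.Errorf("token endpoint returned %d: %s", resp.StatusCode, strings.TrimSpace(string(body)))
	}
	var tok AccessToken
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil {
		return nil, fmt.Errorf("decoding token response: %w", err)
	}
	return &tok, nil
}

// fakeTokenEndpoint stands in for login.microsoftonline.com so the example runs offline.
// It checks in miniature what the real endpoint checks: grant and assertion type, and
// that client_id and client_assertion match the federated credential it knows about.
func fakeTokenEndpoint(clientID, assertion string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		f := r.PostFormValue
		switch {
		case r.Method != http.MethodPost, f("grant_type") != "client_credentials", f("client_assertion_type") != clientAssertionType:
			http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
		case f("client_id") != clientID, f("client_assertion") != assertion:
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
		default:
			w.Header().Set("Content-Type", "application/json")
			json.NewEncoder(w).Encode(AccessToken{AccessToken: "constructed-arm-token", ExpiresIn: 3600, TokenType: "Bearer"})
		}
	}))
}

// demoExchange writes fileContents to a temporary token file, points the credential at a
// fake endpoint that expects serverExpects as the assertion, and runs the exchange.
func demoExchange(fileContents, serverExpects string) (*AccessToken, error) {
	dir, err := os.MkdirTemp("", "awi")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir)
	tokenFile := filepath.Join(dir, "azure-identity-token")
	if err := os.WriteFile(tokenFile, []byte(fileContents), 0o600); err != nil {
		return nil, err
	}
	srv := fakeTokenEndpoint("bbbbbbbb-xxx-yyyyy-mmmm-rrrrrrrrrr", serverExpects)
	defer srv.Close()
	cred := FederatedCredential{srv.URL, "yyyyyyy-xxx-zzzz-xxxx-rrrrrrrrrrrrr", "bbbbbbbb-xxx-yyyyy-mmmm-rrrrrrrrrr", tokenFile}
	return cred.Exchange(context.Background(), srv.Client(), "https://management.azure.com/.default")
}

func main() {
	tok, err := demoExchange("constructed.federated.token", "constructed.federated.token")
	fmt.Println(tok, err)
	_, err = demoExchange("constructed.federated.token", "some.other.token")
	fmt.Println("mismatched assertion:", err)
}
```

Nothing long-lived is ever stored in the pod: the only secret-like material is the short-lived projected token, which is bound to one service account and one audience, and the access token it buys is scoped to the roles assigned to the client-id on the Azure side. A real client should also refresh before `expires_in` elapses and re-read the token file each time, which is why exchangeForm takes the file path rather than the token string.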

@davidkarlsen

> Azure/go-autorest#680 has been merged. The latest version (github.com/Azure/go-autorest/autorest/adal v0.9.20) includes it.
>
> I have previously hacked together an implementation using the feature branch. I can try to have a go at doing a proper PR on this, but I'll only be able to do so in a few weeks' time.

Nice - maybe do a PR and it can get merged?

@irbekrm (Collaborator) commented Jun 23, 2022

@irbekrm irbekrm added the priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. label Jun 23, 2022
@pinkfloydx33

I've been testing out the preview of AWI and hitting blocks like this with various tooling that doesn't yet support the federated auth. Looking forward to this support in cert-manager

@jetstack-bot (Collaborator)

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

@jetstack-bot jetstack-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 1, 2022
@jetstack-bot (Collaborator)

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

@jetstack-bot jetstack-bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Oct 31, 2022
@MarcinGrinberg

@karlschriek sorry to bother you, but I was wondering if you could shed some light on this issue? I'm looking for replacing deprecated aad pod identity.

Thanks!
