Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove unnecessary Azure workload identity setting: DisableInstanceDiscovery: true #6679

Merged
merged 2 commits into from
Jan 30, 2024
Merged

Remove unnecessary Azure workload identity setting: DisableInstanceDiscovery: true #6679

merged 2 commits into from
Jan 30, 2024

Conversation

wallrj
Copy link
Member

@wallrj wallrj commented Jan 30, 2024

In #5452 (comment) @weisdd wrote:

  • Earlier, you asked whether "DisableInstanceDiscovery" should be set to true or false. - I think it's better to not use DisableInstanceDiscovery: true (like in the code now), better to stick to defaults. I haven't seen it being disabled in other projects.

So I've removed it.

The field is documented as follows: https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientAssertionCredentialOptions

// DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
// private clouds such as Azure Stack. It determines whether the credential requests Microsoft Entra instance metadata
// from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
// the application responsible for ensuring the configured authority is valid and trustworthy.
DisableInstanceDiscovery bool

Which further convinces me that this should not be set to true by default.
Perhaps it should be configurable in some circumstances though?
And if so we can tackle that in another PR.

/kind cleanup

NONE

@wallrj
Remove unnecessary Azure workload identity setting: DisableInstanceDi…
420d311 
…scovery: true

Signed-off-by: Richard Wall <richard.wall@venafi.com>
@jetstack-bot jetstack-bot added kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. release-note-none Denotes a PR that doesn't merit a release note. area/acme Indicates a PR directly modifies the ACME Issuer code dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. area/acme/dns01 Indicates a PR modifies ACME DNS01 provider code labels Jan 30, 2024
@wallrj wallrj requested a review from inteon January 30, 2024 15:57
@jetstack-bot jetstack-bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jan 30, 2024
@wallrj wallrj mentioned this pull request Jan 30, 2024
Merged
@wallrj
A hack to DisableInstanceDiscovery during tests
67e06fc 
Signed-off-by: Richard Wall <richard.wall@venafi.com>
@jetstack-bot jetstack-bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jan 30, 2024
@wallrj
Copy link
Member Author

wallrj commented Jan 30, 2024

@inteon PTAL. Let me know if you can find a way to override that endpoint rather than disabling it.

@inteon
Copy link
Member

inteon commented Jan 30, 2024

Looks good @wallrj!
I think the workaround you found is very acceptable.
Based on the feedback we got, it seems like a good idea to remove this DisableInstanceDiscovery: true option.
/approve
/lgtm

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Jan 30, 2024
@jetstack-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: inteon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 30, 2024
@jetstack-bot jetstack-bot merged commit 0b33337 into cert-manager:master Jan 30, 2024
7 checks passed
@wallrj wallrj deleted the remove-DisableInstanceDiscovery-field branch January 31, 2024 08:10
@wallrj
Copy link
Member Author

wallrj commented Jan 31, 2024

/cherrypick release-1.14

@jetstack-bot
Copy link
Contributor

@wallrj: new pull request created: #6681

In response to this:

/cherrypick release-1.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jetstack-bot jetstack-bot mentioned this pull request Jan 31, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@weisdd weisdd weisdd left review comments

@inteon inteon Awaiting requested review from inteon

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/acme/dns01 Indicates a PR modifies ACME DNS01 provider code area/acme Indicates a PR directly modifies the ACME Issuer code dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm Indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesn't merit a release note. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@wallrj @inteon @jetstack-bot @weisdd