chore: remove variables for workload identity#256

Merged
gossion merged 3 commits intomainfrom
mainred/remove-variable-for-workload-identity
Dec 1, 2025

Conversation

@mainred mainred commented Nov 26, 2025

When --enable-oidc-issuer and --enable-workload-identity are turned on for the AKS cluster, and the application enables workload identity via azure.workload.identity/use: "true", the workload identity webhook will addEnvironmentVariables and addProjectedTokenVolumeMount. For example, the following spec is auto-injected into the workload identity pod.
We don't have to add the related environment variables and projected service account into the aks-mcp pod spec.

```yaml
  - env:
    - name: AZURE_CLIENT_ID
      value: ******
    - name: AZURE_TENANT_ID
      value: *****
    - name: AZURE_FEDERATED_TOKEN_FILE
      value: /var/run/secrets/azure/tokens/azure-identity-token
    - name: AZURE_AUTHORITY_HOST
      value: https://login.microsoftonline.com/
    volumeMounts:
    - mountPath: /var/run/secrets/azure/tokens
      name: azure-identity-token
      readOnly: true
  volumes:
  - name: azure-identity-token
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          audience: api://AzureADTokenExchange
          expirationSeconds: 3600
          path: azure-identity-token
```
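The injection behaviour described above, as an added example that is not code from the aks-mcp project: a small lint that flags a pod manifest which, like the chart before this PR, hard-codes the env vars or the projected volume the webhook already supplies once `azure.workload.identity/use: "true"` is set, and that also checks the token audience and read-only mount. The sample manifests are constructed for the example.

```python
# Added example (not code from the aks-mcp project): lint a pod manifest for
# overlap with what the Azure Workload Identity webhook injects.
USE_LABEL = "azure.workload.identity/use"
# Names and values the PR description shows the webhook injecting.
WEBHOOK_ENV = {"AZURE_CLIENT_ID", "AZURE_TENANT_ID",
               "AZURE_FEDERATED_TOKEN_FILE", "AZURE_AUTHORITY_HOST"}
TOKEN_VOLUME = "azure-identity-token"
TOKEN_DIR = "/var/run/secrets/azure/tokens"
TOKEN_AUDIENCE = "api://AzureADTokenExchange"

def lint_pod(pod: dict) -> list[str]:
    """Return findings for one pod manifest given as a dict (e.g. parsed YAML)."""
    findings: list[str] = []
    uses_wi = pod.get("metadata", {}).get("labels", {}).get(USE_LABEL) == "true"
    spec = pod.get("spec", {})
    for c in spec.get("containers", []):
        env = {e["name"]: e.get("value") for e in c.get("env", [])}
        mounts = {m["name"]: m for m in c.get("volumeMounts", [])}
        dup = sorted(env.keys() & WEBHOOK_ENV)
        if uses_wi and dup:  # the redundancy this PR removes from the chart
            findings.append(f"{c['name']}: {dup} are injected by the webhook; remove the hard-coded copies")
        if env.get("AZURE_FEDERATED_TOKEN_FILE") and not uses_wi and not any(
                m.get("mountPath") == TOKEN_DIR for m in mounts.values()):
            findings.append(f"{c['name']}: AZURE_FEDERATED_TOKEN_FILE set but nothing mounts {TOKEN_DIR} and pod lacks {USE_LABEL}=true")
        if TOKEN_VOLUME in mounts and not mounts[TOKEN_VOLUME].get("readOnly"):
            findings.append(f"{c['name']}: {TOKEN_VOLUME} should be mounted readOnly")
    for v in spec.get("volumes", []):
        if v.get("name") != TOKEN_VOLUME:
            continue
        if uses_wi:
            findings.append(f"volume {TOKEN_VOLUME} is projected by the webhook; remove the manual definition")
        for src in v.get("projected", {}).get("sources", []):
            sat = src.get("serviceAccountToken")
            if sat and sat.get("audience") != TOKEN_AUDIENCE:
                findings.append(f"volume {TOKEN_VOLUME}: audience {sat.get('audience')!r}, expected {TOKEN_AUDIENCE!r}")
    return findings

# Constructed sample in the pre-PR shape: label plus hand-written env and volume.
LEGACY_POD = {"metadata": {"labels": {USE_LABEL: "true"}}, "spec": {
    "containers": [{"name": "aks-mcp", "env": [
        {"name": "AZURE_CLIENT_ID", "value": "<client-id>"},
        {"name": "AZURE_FEDERATED_TOKEN_FILE", "value": f"{TOKEN_DIR}/{TOKEN_VOLUME}"},
        {"name": "AZURE_SUBSCRIPTION_ID", "value": "<sub-id>"}],
        "volumeMounts": [{"name": TOKEN_VOLUME, "mountPath": TOKEN_DIR, "readOnly": True}]}],
    "volumes": [{"name": TOKEN_VOLUME, "projected": {"sources": [
        {"serviceAccountToken": {"audience": TOKEN_AUDIENCE, "path": TOKEN_VOLUME}}]}}]}}
# Post-PR shape: only the label; AZURE_SUBSCRIPTION_ID stays since the webhook does not set it.
CLEAN_POD = {"metadata": {"labels": {USE_LABEL: "true"}}, "spec": {"containers": [
    {"name": "aks-mcp", "env": [{"name": "AZURE_SUBSCRIPTION_ID", "value": "<sub-id>"}]}]}}
print(*lint_pod(LEGACY_POD), sep="\n")
```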

```yaml
{{- end }}
- name: AZURE_FEDERATED_TOKEN_FILE
  value: "/var/run/secrets/azure/tokens/azure-identity-token"
{{- if .Values.azure.subscriptionId }}
```

Member Author:

How will AZURE_SUBSCRIPTION_ID be used? It's not necessary for workload identity.

Member:

We will set the default sub for az using AZURE_SUBSCRIPTION_ID if it is set; please keep it.

Member Author:

The AZURE_SUBSCRIPTION_ID env seems to be wrapped in `if .Values.workloadIdentity.enabled`; should we move it outside of it, so that it can be used to set the default sub for other scenarios?

Member:

Good point, could you please move it?

Member Author:

Done already. Now the AZURE_SUBSCRIPTION_ID env does not rely on workload identity being enabled.

| `workloadIdentity.enabled` | Enable Azure Workload Identity | `false` |
| `azure.tenantId` | Azure Tenant ID (required for Workload Identity) | `""` |
| `azure.clientId` | Azure Client ID (required for Workload Identity) | `""` |
| `azure.subscriptionId` | Azure Subscription ID | `""` |
Member Author:

We can remove azure.subscriptionId from the table when it's confirmed that azure.subscriptionId is not used.

```shell
--set workloadIdentity.enabled=true \
--set azure.tenantId=$TENANT_ID \
--set azure.clientId=$IDENTITY_CLIENT_ID \
--set azure.subscriptionId=$SUBSCRIPTION_ID
```

Member:

It is better to keep the sub id.

```yaml
labels:
{{- include "aks-mcp.labels" . | nindent 4 }}
{{- if .Values.workloadIdentity.enabled }}
azure.workload.identity/use: "true"
```

Member Author:

`azure.workload.identity/use: "true"` is only required for the pod.

@gossion gossion added this pull request to the merge queue Dec 1, 2025
Merged via the queue into main with commit e342d9b Dec 1, 2025
9 checks passed
@gossion gossion deleted the mainred/remove-variable-for-workload-identity branch December 1, 2025 01:21