
Install and configure Azure AD Workload Identity

Open adamrushuk opened this issue 4 years ago • 5 comments

UPDATE: Workload Identity support is not ready yet for the tools used in my repo. Review again in the future.

Test Azure AD Workload Identity

  • [ ] Azure AD Workload Identity is meant to be an improved alternative to Azure AD Pod Identity
  • [ ] https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure#adding-the-federated-credentials-to-azure
  • [ ] https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview
  • [ ] https://contos.io/getting-rid-of-credentials-in-azure-part-4-kubernetes-644e5e3e1a9b
```yaml
- name: Convert kubeconfig for non-interactive use
  run: kubelogin convert-kubeconfig -l workloadidentity
```

Switch aad-pod-identity workloads to Azure AD Workload Identity

Current aad-pod-identity Config

AzureIdentity and AzureIdentityBinding CRDs are configured for:

  • [ ] external-dns
  • [ ] velero

AzurePodIdentityException CRDs are configured for:

  • [ ] aks-addon-exception
  • [ ] akv2k8s-controller-exception
  • [ ] aad-pod-identity

Steps to enable Azure AD Workload Identity

  1. Add ServiceAccount annotation to helm chart service account: azure.workload.identity/client-id: ${USER_ASSIGNED_CLIENT_ID}
  2. Add ServiceAccount label to helm chart service account: azure.workload.identity/use: "true"
  3. Ensure ServiceAccount is used on the workload
  4. User assigned managed identity requires federated credential to be configured

Velero yaml settings for WI: https://github.com/vmware-tanzu/velero/issues/5116#issuecomment-1296820592

adamrushuk · Jan 15 '22 19:01
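The four steps above are easy to get half right: the annotation ships as an unexpanded `${USER_ASSIGNED_CLIENT_ID}`, the label ends up on the wrong object, or the pod still runs as the `default` ServiceAccount, and the only symptom is a token-exchange failure at runtime. Below is an added preflight check for that wiring; it is not code from this issue or from the devops-lab repo. It reads manifests in their JSON form (as Python dicts, the shape `helm template` output takes once converted), the sample manifests and the client-id value are constructed placeholders, and the check is deliberately offline rather than querying a cluster. It also emits the subject string the federated credential in step 4 has to match.

```python
# Added example (not the issue's or the devops-lab repo's code): verify steps 1-3 of
# the Workload Identity wiring and build the subject claim needed for step 4.

WI_CLIENT_ID_ANNOTATION = "azure.workload.identity/client-id"
WI_USE_LABEL = "azure.workload.identity/use"


def federated_subject(namespace: str, service_account: str) -> str:
    """Subject claim the user-assigned identity's federated credential must match:
    the projected ServiceAccount token carries sub=system:serviceaccount:<ns>:<name>."""
    return f"system:serviceaccount:{namespace}:{service_account}"


def check_workload_identity(service_account: dict, workload: dict) -> list:
    """Return findings for a ServiceAccount and the Deployment/Pod that should use it.
    An empty list means steps 1-3 are satisfied."""
    findings = []
    sa_meta = service_account.get("metadata", {})
    sa_name = sa_meta.get("name", "")
    sa_ns = sa_meta.get("namespace", "default")
    sa_id = f"ServiceAccount {sa_ns}/{sa_name}"

    # Step 1: client-id annotation present and not an unexpanded template variable.
    client_id = sa_meta.get("annotations", {}).get(WI_CLIENT_ID_ANNOTATION, "")
    if not client_id:
        findings.append(f"{sa_id}: missing annotation {WI_CLIENT_ID_ANNOTATION}")
    elif "${" in client_id:
        findings.append(f"{sa_id}: {WI_CLIENT_ID_ANNOTATION} is an unexpanded placeholder ({client_id})")

    # Step 2: the use label. The issue puts it on the ServiceAccount; newer
    # azure-workload-identity webhooks key on the pod label instead, so accept
    # either location but require the literal string "true".
    pod_template = workload.get("spec", {}).get("template", workload)  # Deployment or bare Pod
    pod_meta = pod_template.get("metadata", {})
    sa_label = sa_meta.get("labels", {}).get(WI_USE_LABEL)
    pod_label = pod_meta.get("labels", {}).get(WI_USE_LABEL)
    if "true" not in (sa_label, pod_label):
        findings.append(f'{sa_id}: label {WI_USE_LABEL}="true" set on neither the ServiceAccount nor the pod template')

    # Step 3: the workload must actually run as that ServiceAccount, in the same namespace.
    wl_meta = workload.get("metadata", {})
    wl_ns = wl_meta.get("namespace", "default")
    wl_id = f"{workload.get('kind', 'Workload')} {wl_ns}/{wl_meta.get('name', '')}"
    used_sa = pod_template.get("spec", {}).get("serviceAccountName", "default")
    if used_sa != sa_name:
        findings.append(f"{wl_id}: serviceAccountName is {used_sa!r}, expected {sa_name!r}")
    if wl_ns != sa_ns:
        findings.append(f"{wl_id}: namespace differs from {sa_id}")
    return findings


# Constructed sample manifests; the client-id below is a placeholder, not a real identity.
GOOD_SA = {
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {
        "name": "external-dns", "namespace": "external-dns",
        "annotations": {WI_CLIENT_ID_ANNOTATION: "00000000-0000-0000-0000-000000000000"},
        "labels": {WI_USE_LABEL: "true"},
    },
}
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "external-dns", "namespace": "external-dns"},
    "spec": {"template": {
        "metadata": {"labels": {"app": "external-dns"}},
        "spec": {"serviceAccountName": "external-dns",
                 "containers": [{"name": "external-dns", "image": "placeholder/external-dns"}]},
    }},
}
# The same chart rendered with the variable unexpanded, no label, and the pod
# left on the default ServiceAccount: three findings, none visible until runtime.
BAD_SA = {
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {"name": "external-dns", "namespace": "external-dns",
                 "annotations": {WI_CLIENT_ID_ANNOTATION: "${USER_ASSIGNED_CLIENT_ID}"}},
}
BAD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "external-dns", "namespace": "external-dns"},
    "spec": {"template": {"metadata": {"labels": {"app": "external-dns"}},
                          "spec": {"containers": [{"name": "external-dns", "image": "placeholder/external-dns"}]}}},
}

if __name__ == "__main__":
    for sa, wl in ((GOOD_SA, GOOD_DEPLOYMENT), (BAD_SA, BAD_DEPLOYMENT)):
        print(f"subject: {federated_subject(sa['metadata']['namespace'], sa['metadata']['name'])}")
        print(check_workload_identity(sa, wl) or "ok")
```

The `federated_subject` value is what goes into the federated credential on the user-assigned managed identity; if it does not match the namespace and name the pod really runs as, the token exchange fails even though every Kubernetes object looks correct.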

Workload Identity support is not ready yet for the tools used in my repo. Review again in the future.

adamrushuk · Jan 28 '23 18:01

Is this feature available? If yes, please provide us the helm configuration details. I have tried the given configuration but it is not working, and I am getting the below error:

```text
time="2023-03-21T17:40:52Z" level=error msg="Error getting backup store for this location" backupLocation=velero/default controller=backup-sync error="rpc error: code = Unknown desc = azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/e80e99a4-f3d7-44f5-82e1-77ceaef31baf/resourceGroups/POC-RG/providers/Microsoft.Storage/storageAccounts/veleroc3ba26992a57/listKeys?%24expand=kerb&api-version=2019-06-01: StatusCode=404 -- Original Error: adal: Refresh request failed. Status Code = '404'. Response body: getting assigned identities for pod velero/velero-76dfdc59dc-lhprq in CREATED state failed after 16 attempts, retry duration [5]s, error: . Check MIC pod logs for identity assignment errors\n Endpoint http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F" error.file="/go/src/velero-plugin-for-microsoft-azure/velero-plugin-for-microsoft-azure/object_store.go:217" error.function=main.getStorageAccountKey logSource="pkg/controller/backup_sync_controller.go:100"
```

I have also logged an issue, https://github.com/vmware-tanzu/velero/issues/6011, for the same.

vikrantoct7 · Mar 21 '23 18:03

@vikrantoct7 this is just an issue in my own repo to track work I'd like to work on in my own time. Workload Identity support was not ready when I last looked, but you've raised a ticket with velero too, so they will be able to assist better I'm sure 👍🏼

adamrushuk · Mar 22 '23 09:03

@adamrushuk Thanks for your response. Did you get a chance to work on PR https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure/pull/111? Any idea if the feature is fixed in this PR?

vikrantoct7 · Mar 22 '23 14:03

@vikrantoct7 You may have me confused with someone else. I don't work for vmware, and I've not been involved with that PR, sorry.

adamrushuk · Mar 23 '23 07:03