Merge pull request #2233 from cvvz/fix-workload-identity

fix: Workload identity is not working.
kubernetes-sigs · Mar 23, 2024 · 86f17d5 · 86f17d5
2 parents 1dd4f49 + f270e57
commit 86f17d5
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 0 deletions.
diff --git a/pkg/azuredisk/azuredisk_test.go b/pkg/azuredisk/azuredisk_test.go
@@ -203,6 +203,49 @@ func TestRun(t *testing.T) {
 				assert.Nil(t, err)
 			},
 		},
+		{
+			name: "Successful run with federated workload identity azure client",
+			testFunc: func(t *testing.T) {
+				if err := os.WriteFile(fakeCredFile, []byte(fakeCredContent), 0666); err != nil {
+					t.Error(err)
+				}
+
+				defer func() {
+					if err := os.Remove(fakeCredFile); err != nil {
+						t.Error(err)
+					}
+				}()
+
+				t.Setenv(consts.DefaultAzureCredentialFileEnv, fakeCredFile)
+				t.Setenv("AZURE_TENANT_ID", "1234")
+				t.Setenv("AZURE_CLIENT_ID", "123456")
+				t.Setenv("AZURE_FEDERATED_TOKEN_FILE", "fake-token-file")
+
+				d := newDriverV1(&DriverOptions{
+					NodeID:                 "",
+					DriverName:             consts.DefaultDriverName,
+					EnableListVolumes:      true,
+					EnableListSnapshots:    true,
+					EnablePerfOptimization: true,
+					VMSSCacheTTLInSeconds:  10,
+					VMType:                 "vmss",
+					Endpoint:               "tcp://127.0.0.1:0",
+				})
+
+				ctx, cancel := context.WithCancel(context.Background())
+				ch := make(chan error)
+				go func() {
+					err := d.Run(ctx)
+					ch <- err
+				}()
+				cancel()
+				assert.Nil(t, <-ch)
+				assert.Equal(t, d.cloud.UseFederatedWorkloadIdentityExtension, true)
+				assert.Equal(t, d.cloud.AADFederatedTokenFile, "fake-token-file")
+				assert.Equal(t, d.cloud.AADClientID, "123456")
+				assert.Equal(t, d.cloud.TenantID, "1234")
+			},
+		},
 	}
 
 	for _, tc := range testCases {

diff --git a/pkg/azureutils/azure_disk_utils.go b/pkg/azureutils/azure_disk_utils.go
@@ -234,6 +234,17 @@ func GetCloudProviderFromClient(ctx context.Context, kubeClient clientset.Interf
 			klog.V(2).Infof("set ResourceManagerEndpoint as %s", trafficMgrAddr)
 			config.ResourceManagerEndpoint = trafficMgrAddr
 		}
+		// these environment variables are injected by workload identity webhook
+		if tenantID := os.Getenv("AZURE_TENANT_ID"); tenantID != "" {
+			config.TenantID = tenantID
+		}
+		if clientID := os.Getenv("AZURE_CLIENT_ID"); clientID != "" {
+			config.AADClientID = clientID
+		}
+		if federatedTokenFile := os.Getenv("AZURE_FEDERATED_TOKEN_FILE"); federatedTokenFile != "" {
+			config.AADFederatedTokenFile = federatedTokenFile
+			config.UseFederatedWorkloadIdentityExtension = true
+		}
 		if err = az.InitializeCloudFromConfig(ctx, config, fromSecret, false); err != nil {
 			klog.Warningf("InitializeCloudFromConfig failed with error: %v", err)
 		}