Support Azure Workload Identity to authenticate the driver #1651
Comments
Similar to kubernetes-sigs/azurefile-csi-driver#1138, OpenShift is seeking support for Azure Workload Identity in azuredisk-csi-driver. cc @andyzhangx
Hi @primeroz @abutcher, we recently filed a PR (kubernetes-sigs/azurefile-csi-driver#1193) to support workload identity in the Azurefile CSI driver. Could you please kindly take a look at it, especially the document, and check whether it satisfies your need? If so, we will soon support it in the Azuredisk CSI driver, thanks!
@cvvz I took a look at the changes and I think they will satisfy our need. Added a comment about how we pass credentials to the azurefile deployment using env vars and if I understand the changes correctly I believe we can set
@cvvz I noticed that the changes rely on the ADAL implementation, which is end of life. Are there plans to migrate the backend lib to azidentity, do you know?
@abutcher According to this article the azidentity package is no longer in preview mode. The current implementation in Azure file uses ADAL: kubernetes-sigs/azurefile-csi-driver#1138 @cvvz @andyzhangx Can we expect a transition to the new SDK any time soon? And if the transition happens, can we expect any behavior changes?
@RomanBednar we have just completed the workload identity support for the azure file driver, and @cvvz will work on the azure disk driver next. Transition to the new SDK would require quite a few months; we will use the ADAL lib first. And we don't expect a behavior change even after we have migrated to the new SDK.
Is your feature request related to a problem?/Why is this needed
While testing AzureWorkloadIdentity I tried switching the azuredisk controller (and node) to it, but it does not seem supported.
Once I removed the AZURE_CREDENTIAL_FILE env and the volumes for it I get
Describe the solution you'd like in detail
Support authenticating the csi controller and the csi node using azure workload identity so I can have them use a restricted identity
Describe alternatives you've considered
Keep using the VM Identity UserAssigned
Additional context