feat: Support workload identity

[cvvz]

What type of PR is this?
/kind feature

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #1138

Requirements:

• uses conventional commit messages
• includes documentation
• adds unit tests
• tested upgrade from previous version

Special notes for your reviewer:

Release note:

none

[k8s-ci-robot]

Hi @cvvz. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[cvvz]

workload identity failed to inject to csi driver when csi driver was deployed in kube-system namespace. @karataliu is confirming.

[andyzhangx]

/ok-to-test

[andyzhangx]

cc @RomanBednar for this PR, let me know if you have any concern.

[andyzhangx]

also we need to check how to enable workload identity on capz, there is a draft PR to support workload identity on CAPZ: kubernetes-sigs/cluster-api-provider-azure#2814

[RomanBednar]

cc @RomanBednar for this PR, let me know if you have any concern.

Thank you @andyzhangx and @cvvz for the PR. The proposed changes look great for the purposes of our storage operator I believe. We don't use helm to deploy the driver but we can implement something similar.

[RomanBednar]

@cvvz I gave it a bit more thought and believe it would be much cleaner for deployments and enabling/disabling workload identity authentication feature if the auth lib could also decide about the method used based on cloud config. Keeping the env variables for the sake of webhook is still ok - we could have both.

It makes sense for us in OpenShift enhancement but I'd like you to weight in on that. Here's the enhancement discussion: openshift/enhancements#1301 (comment)

[cvvz]

@RomanBednar It seems good to me to support federated workload identity in cloud auth config, which is a global configuration can effect both cloud-provider-azure and azure csi driver. And we should still keep using the env variables and webhook in csi driver, since some users may want to configure workload identity separately.

[cvvz]

Hi, @RomanBednar I just checked again, and I think we already support workload identity based on cloud config in this PR.

You can set aadClientId, tenantId, aadFederatedTokenFile, and useFederatedWorkloadIdentityExtension in auth config file, which will eventually be parsed as AzureAuthConfig, and don't set any env, so the configuration won't be overwrited.

[RomanBednar]

You can set aadClientId, tenantId, aadFederatedTokenFile, and useFederatedWorkloadIdentityExtension in auth config file

Ah I see, initially I misunderstood the config parsing, thanks for pointing that out! @cvvz

[cvvz]

/retest

[andyzhangx]

pls squash all commits, thanks.

[cvvz]

/retest

[andyzhangx]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andyzhangx, cvvz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [andyzhangx]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment