
feat(cert-manager): add Azure Workload Identity support #272

Merged
gdrojas merged 9 commits into main from feat/external-dns-azure-workload-identity on Apr 6, 2026

Conversation

@gdrojas (Collaborator) commented Mar 30, 2026

Summary

  • Add podLabels with azure.workload.identity/use=true to cert-manager pod for Azure WI token injection
  • Set useWorkloadIdentity: true in azure values template so ClusterIssuer uses managedIdentity.clientID
  • Bump nullplatform-cert-manager-config chart version from 2.34.0 to 2.35.0 (fixes invalid config.useWorkloadIdentityExtension field — see fix(cert-manager-config): use managedIdentity.clientID for Azure Workload Identity helm-charts#134)
  • Allow passing custom description to nullplatform_service_specification in scope_definition module (default: "")

Related

Test plan

  • cert-manager deployed on AKS with Workload Identity — both ClusterIssuers Ready: True
  • cert-manager deployed with Service Principal — both ClusterIssuers Ready: True
  • Switched between WI and SP on same cluster without issues
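The two settings the summary describes, written out as an added example (not code from this PR or the nullplatform charts): the pod label that makes the Azure Workload Identity webhook inject a federated token into the cert-manager pod, and a ClusterIssuer whose azureDNS solver authenticates with `managedIdentity.clientID` instead of a client secret. Issuer name, email, zone and the angle-bracket values are placeholders; the upstream cert-manager chart's `podLabels` key and the `managedIdentity.clientID` solver field are standard cert-manager configuration.

```yaml
# Helm values for the upstream cert-manager chart (added example).
# The label opts the controller pod into Azure Workload Identity: the
# webhook mounts a projected service-account token and sets the
# AZURE_* environment variables the azureDNS solver reads.
podLabels:
  azure.workload.identity/use: "true"
---
# ClusterIssuer using the user-assigned managed identity. No
# clientSecretSecretRef: the identity's federated credential on the
# cert-manager service account replaces the service-principal secret.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-azure-wi            # placeholder name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com              # placeholder
    privateKeySecretRef:
      name: letsencrypt-azure-wi-account-key
    solvers:
      - dns01:
          azureDNS:
            subscriptionID: <AZURE_SUBSCRIPTION_ID>     # placeholder
            resourceGroupName: <DNS_ZONE_RESOURCE_GROUP>  # placeholder
            hostedZoneName: example.com                 # placeholder
            environment: AzurePublicCloud
            managedIdentity:
              clientID: <USER_ASSIGNED_IDENTITY_CLIENT_ID>  # placeholder
```

Verify with `kubectl get clusterissuer letsencrypt-azure-wi -o yaml`: the status condition should read `Ready: True`, which is the check the test plan above relies on.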

gdrojas added 2 commits March 27, 2026 17:20
Add azure as a supported DNS provider in external-dns module using
AKS Workload Identity for passwordless authentication.

- Add azure to dns_provider_name validation
- Add azure_client_id, azure_subscription_id, azure_resource_group, azure_tenant_id variables
- Create azure.json secret with useWorkloadIdentityExtension: true
- Configure service account annotation and pod label for WI webhook injection
…t to 2.35.0

- Add podLabels azure.workload.identity/use=true to cert-manager pod
- Set useWorkloadIdentity=true in azure values template
- Bump nullplatform-cert-manager-config chart from 2.34.0 to 2.35.0
- Allow passing description to nullplatform_service_specification
@gdrojas gdrojas force-pushed the feat/external-dns-azure-workload-identity branch from 6aa897a to 2564481 on March 30, 2026 18:26
gdrojas added 5 commits March 30, 2026 15:39
… name

Azure is now a valid provider, so the test must use a truly invalid
value to verify dns_provider_name validation rejects unknown providers.
Creates User Assigned Managed Identity, Federated Identity Credential,
and Role Assignment needed for AKS Workload Identity setup.

Also fix service_spec_description default to avoid API validation failure.
@gdrojas gdrojas requested a review from violenti April 6, 2026 13:52
@gdrojas gdrojas merged commit 800249c into main Apr 6, 2026
42 checks passed
@gdrojas gdrojas deleted the feat/external-dns-azure-workload-identity branch April 6, 2026 13:58