Skip to content

Add secrets support and workload identity to Deploy application flow #467

New issue
New issue
Open
#468
Open
Add secrets support and workload identity to Deploy application flow#467
#468
Labels
enhancementNew feature or requesttriage
@gambtho

Description

@gambtho
gambtho
opened on Mar 18, 2026

Summary

Add two features to the Deploy Wizard's Container configuration path:

1. Secrets Support

Allow users to mark individual environment variables as "secret" so that:

  • Values are masked in the UI (password-style input)
  • They are stored as a Kubernetes Secret resource (not inline in the Deployment manifest)
  • Referenced via valueFrom.secretKeyRef in the Deployment's env section

Currently all env vars are embedded as plain text in the generated Deployment manifest, which is undesirable for sensitive values like API keys.

2. Workload Identity Integration

Add a "Workload Identity" step to the container configuration stepper that:

  • Provides a toggle to enable Azure Workload Identity
  • Lets the user create a new or select an existing user-assigned managed identity
  • Creates federated credentials for the AKS cluster's OIDC issuer + namespace + service account
  • Generates a ServiceAccount resource with azure.workload.identity/client-id annotation
  • Adds azure.workload.identity/use: "true" label to the pod template
  • Sets serviceAccountName on the pod spec

3. GitHub Pipeline Integration

Both features need to be reflected in the generated GitHub Pipeline:

  • Agent template (agentTemplates.ts) should include workload identity instructions (ServiceAccount manifest, pod labels)
  • Workflow instructions should create the ServiceAccount before applying manifests
  • Env var secret handling remains compatible (all env vars already become GH secrets)

Key Files

  • plugins/aks-desktop/src/components/DeployWizard/hooks/useContainerConfiguration.ts — ContainerConfig type
  • plugins/aks-desktop/src/components/DeployWizard/components/ConfigureContainer.tsx — UI form
  • plugins/aks-desktop/src/components/DeployWizard/utils/yamlGenerator.ts — YAML generation
  • plugins/aks-desktop/src/components/DeployTab/utils/extractContainerConfig.ts — Edit round-tripping
  • plugins/aks-desktop/src/utils/azure/az-cli.ts — Azure CLI integration
  • plugins/aks-desktop/src/components/GitHubPipeline/utils/agentTemplates.ts — Pipeline agent config

Motivation

Users deploying apps that integrate with Azure services (e.g., Azure OpenAI) need to pass API keys without exposing them as plain text. Workload Identity provides a more secure, keyless alternative for Azure service authentication.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requesttriage

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions