Merge pull request #42 from arashnd/support-aks-workload-identity

Add support for AKS workload identity

Author: JoeDupuis

.github/workflows/test.yml

@@ -35,7 +35,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/setup-terraform
       - name: Terraform apply
-        run: terraform apply -auto-approve -var "create_vm=true" -var "create_app_service=true" -var "ssh_key=${{ secrets.SSH_PUBLIC_KEY }}"
+        run: terraform apply -auto-approve -var "create_vm=true" -var "create_app_service=true" -var "create_aks=true" -var "ssh_key=${{ secrets.SSH_PUBLIC_KEY }}"
 
   app_service_test:
     needs: deploy-infrastructure
@@ -97,6 +97,45 @@ jobs:
           SSH_AUTH_SOCK: /tmp/ssh_agent.sock
         run: bundle exec rake test_azure_vm
 
+  aks_test:
+    needs: deploy-infrastructure
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install dependencies
+        run: sudo apt-get update && sudo apt-get install -y libvips sshuttle sqlite3 libsqlite3-dev
+      - name: SSH key
+        env:
+          SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+        run: |
+          mkdir -p /home/runner/.ssh
+          echo "${{ secrets.SSH_PRIVATE_KEY }}" > /home/runner/.ssh/id_rsa
+          chmod 600 /home/runner/.ssh/id_rsa
+          ssh-agent -a $SSH_AUTH_SOCK > /dev/null
+          ssh-add /home/runner/.ssh/id_rsa
+      - name: Checkout
+        uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-terraform
+      - name: Azure login
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      - name: Setup kubectl
+        uses: azure/setup-kubectl@v4
+      - name: Setup ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+      - name: Tests
+        env:
+          AZURE_ACCOUNT_NAME: ${{secrets.AZURE_ACCOUNT_NAME}}
+          AZURE_PRIVATE_CONTAINER: ${{secrets.AZURE_PRIVATE_CONTAINER}}
+          AZURE_PUBLIC_CONTAINER: ${{secrets.AZURE_PUBLIC_CONTAINER}}
+          USE_MANAGED_IDENTITIES: true
+          SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+        run: bundle exec rake test_aks
+
   azurite_test:
     runs-on: ubuntu-latest
     steps:

.terraform.lock.hcl

@@ -1,5 +1,7 @@
 ## [Unreleased]
 
+- Add support for AKS workload identity
+
 ## [0.5.9.1] 2025-06-30
 
 - Fix a regression in #13 + fix add a test

CHANGELOG.md

@@ -0,0 +1,40 @@
+FROM ruby:3.2.3-slim
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    build-essential \
+    git \
+    curl \
+    unzip \
+    sshuttle \
+    iptables \
+    openssh-client \
+    libsqlite3-dev \
+    libvips-dev \
+    python3 \
+    gnupg \
+    lsb-release \
+    lsof \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash
+
+RUN curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" \
+    && install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl \
+    && rm kubectl
+
+RUN TERRAFORM_VERSION="1.9.8" \
+    && curl -fsSL "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip" -o terraform.zip \
+    && unzip terraform.zip \
+    && install -o root -g root -m 0755 terraform /usr/local/bin/terraform \
+    && rm terraform.zip
+
+WORKDIR /app
+
+COPY Gemfile Gemfile.lock azure-blob.gemspec ./
+COPY lib/azure_blob/version.rb ./lib/azure_blob/version.rb
+
+RUN bundle install
+
+COPY . .
+
+ENTRYPOINT ["/app/bin/docker-vpn-test"]

Dockerfile.vpn-test

@@ -82,6 +82,7 @@ GEM
     base64 (0.2.0)
     bcrypt_pbkdf (1.1.1)
     bcrypt_pbkdf (1.1.1-arm64-darwin)
+    bcrypt_pbkdf (1.1.1-x86_64-darwin)
     benchmark (0.4.0)
     bigdecimal (3.1.9)
     builder (3.3.0)
@@ -97,6 +98,7 @@ GEM
     erb (5.0.1)
     erubi (1.13.1)
     ffi (1.17.2-arm64-darwin)
+    ffi (1.17.2-x86_64-darwin)
     ffi (1.17.2-x86_64-linux-gnu)
     globalid (1.2.1)
       activesupport (>= 6.1)
@@ -140,11 +142,13 @@ GEM
       timeout
     net-smtp (0.5.1)
       net-protocol
-    net-ssh (7.2.3)
+    net-ssh (7.3.0)
     nio4r (2.7.4)
-    nokogiri (1.18.8-arm64-darwin)
+    nokogiri (1.18.10-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.8-x86_64-linux-gnu)
+    nokogiri (1.18.10-x86_64-darwin)
+      racc (~> 1.4)
+    nokogiri (1.18.10-x86_64-linux-gnu)
       racc (~> 1.4)
     parallel (1.24.0)
     parser (3.3.1.0)
@@ -244,6 +248,7 @@ GEM
       logger
     securerandom (0.4.1)
     sqlite3 (2.6.0-arm64-darwin)
+    sqlite3 (2.6.0-x86_64-darwin)
     sqlite3 (2.6.0-x86_64-linux-gnu)
     stringio (3.1.7)
     strscan (3.1.0)
@@ -262,6 +267,7 @@ GEM
 
 PLATFORMS
   arm64-darwin-24
+  x86_64-darwin-23
   x86_64-linux
 
 DEPENDENCIES

Gemfile.lock

@@ -26,14 +26,13 @@ microsoft:
 
 ### Managed Identity (Entra ID)
 
-AzureBlob supports managed identities on :
+AzureBlob supports managed identities on:
 - Azure VM
 - App Service
+- AKS (Azure Kubernetes Service) with workload identity
 - Azure Functions (Untested but should work)
 - Azure Containers (Untested but should work)
 
-AKS support will likely require more work. Contributions are welcome.
-
 To authenticate through managed identities instead of a shared key, omit `storage_access_key` from your `storage.yml` file and pass in the identity `principal_id`.
 
 ActiveStorage config example:
@@ -46,6 +45,21 @@ prod:
   principal_id: 71b34410-4c50-451d-b456-95ead1b18cce
 ```
 
+#### AKS with Workload Identity
+
+ActiveStorage config example:
+
+```
+prod:
+  service: AzureBlob
+  container: container_name
+  storage_account_name: account_name
+  use_managed_identities: true
+```
+
+> uses `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` and `AZURE_FEDERATED_TOKEN_FILE` environment variables, made available by AKS cluster when Azure AD Workload Identity is set up properly.
+
+
 ### Azurite
 
 To use Azurite, pass the `storage_blob_host` config key with the Azurite URL (`http://127.0.0.1:10000/devstoreaccount1` by default)
@@ -126,20 +140,26 @@ A dev environment is supplied through Nix with [devenv](https://devenv.sh/).
 
 To test with Entra ID, the `AZURE_ACCESS_KEY` environment variable must be unset and the code must be ran or proxied through a VPS with the proper roles.
 
-For cost saving, the terraform variable `create_vm` and `create_app_service` are false by default.
-To create the VPS and App service, Create a var file `var.tfvars` containing:
+For cost saving, the terraform variables `create_vm`, `create_app_service`, and `create_aks` are false by default.
+To create the VM, App Service, and/or AKS cluster, create a var file `var.tfvars` containing:
 
 ```
 create_vm = true
 create_app_service = true
+create_aks = true
 ```
 and re-apply terraform: `terraform apply -var-file=var.tfvars`.
 
-This will create the VPS and required managed identities.
+This will create the infrastructure and required managed identities.
+
+**Testing:**
+- `bin/rake test_azure_vm` - Establishes a VPN connection to the Azure VM and runs tests using node identity
+- `bin/rake test_app_service` - Establishes a VPN connection to the App Service container and runs tests
+- `bin/rake test_aks` - Establishes a VPN connection to the AKS cluster and runs tests using workload identity
 
-`bin/rake test_azure_vm` and `bin/rake test_app_service` will establish a VPN connection to the VM or App service container and run the test suite. You might be prompted for a sudo password when the VPN starts (sshuttle).
+You might be prompted for a sudo password when the VPN starts (sshuttle).
 
-After you are done, run terraform again without the var file (`terraform apply`) to destroy the VPS and App service application.
+After you are done, run terraform again without the var file (`terraform apply`) to destroy all resources.
 
 #### Cleanup
 

README.md

@@ -5,6 +5,7 @@ require "minitest/test_task"
 require "azure_blob"
 require_relative "test/support/app_service_vpn"
 require_relative "test/support/azure_vm_vpn"
+require_relative "test/support/aks_vpn"
 require_relative "test/support/azurite"
 
 Minitest::TestTask.create(:test_rails) do
@@ -49,6 +50,16 @@ ensure
   vpn.kill
 end
 
+task :test_aks do |t|
+  vpn = AksVpn.new
+  ENV["AZURE_CLIENT_ID"] = vpn.client_id
+  ENV["AZURE_TENANT_ID"] = vpn.tenant_id
+  ENV["AZURE_FEDERATED_TOKEN_FILE"] = vpn.token_file
+  Rake::Task["test_entra_id"].execute
+ensure
+  vpn.kill
+end
+
 task :test_azurite do |t|
   azurite = Azurite.new
   # Azurite well-known credentials

Rakefile

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+set -e
+
+usage() {
+  echo "Usage: $0 <test_type>"
+  echo ""
+  echo "Test types:"
+  echo "  aks          - Run AKS VPN tests"
+  echo "  azure_vm     - Run Azure VM VPN tests"
+  echo "  app_service  - Run App Service VPN tests"
+  exit 1
+}
+
+if [ -z "$1" ]; then
+  usage
+fi
+
+TEST_TYPE="$1"
+
+case "$TEST_TYPE" in
+  aks|azure_vm|app_service)
+    ;;
+  *)
+    echo "Unknown test type: $TEST_TYPE"
+    usage
+    ;;
+esac
+
+cd "$(dirname "$0")/.."
+
+bundle exec rake "test_${TEST_TYPE}"

bin/docker-vpn-test

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Get Terraform outputs
+resource_group=$(terraform output --raw "resource_group")
+cluster_name=$(terraform output --raw "aks_cluster_name")
+ssh_username=$(terraform output --raw "aks_ssh_username")
+
+# Setup kubectl config
+echo "Setting up kubectl config..."
+az aks get-credentials --resource-group "$resource_group" --name "$cluster_name" --overwrite-existing --only-show-errors 2>/dev/null
+
+# Wait for pod to be ready
+echo "Waiting for SSH pod to be ready..."
+kubectl wait --for=condition=ready pod -l app=azure-blob-test --timeout=300s
+
+# Extract workload identity token
+echo "Extracting workload identity token..."
+POD_NAME=$(kubectl get pod -l app=azure-blob-test -o jsonpath='{.items[0].metadata.name}')
+kubectl exec "$POD_NAME" -- cat /var/run/secrets/azure/tokens/azure-identity-token > /tmp/azure-identity-token
+
+# Kill any existing process on port 2222
+lsof -ti:2222 | xargs kill -9 2>/dev/null || true
+
+# Start port forward in the background
+echo "Setting up port forward..."
+kubectl port-forward service/azure-blob-test-ssh 2222:22 &
+PORT_FORWARD_PID=$!
+
+# Cleanup function
+cleanup() {
+  echo "Cleaning up..."
+  kill $PORT_FORWARD_PID 2>/dev/null || true
+}
+trap cleanup EXIT
+
+# Wait for port forward to be established
+sleep 3
+
+# Establish sshuttle VPN
+echo "Establishing VPN connection..."
+exec sshuttle -e "ssh -o CheckHostIP=no -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" --python=python3 -r "$ssh_username@127.0.0.1:2222" 0/0