
@arashnd
Contributor

@arashnd arashnd commented Oct 24, 2025

@JoeDupuis thanks again for great work!

This PR attempts to add support for AKS/k8s workload/pod identity.
I can write some tests, but I'm not sure where to start / what kind of test coverage is required.

@arashnd arashnd force-pushed the support-aks-workload-identity branch from 7d4c9d6 to 9db665e Compare October 24, 2025 14:31
@arashnd arashnd force-pushed the support-aks-workload-identity branch from 2a8bbbc to 11753c5 Compare October 27, 2025 09:08
@arashnd arashnd marked this pull request as ready for review October 27, 2025 12:51
@arashnd arashnd force-pushed the support-aks-workload-identity branch from ce52722 to cec0127 Compare October 27, 2025 13:05
@JoeDupuis
Member

Hi! 👋 I answered you on the CGRP Slack, but Slack is struggling today so I am writing here too just in case.
I wanted to review this over the weekend, but I got busy 😅
I am hoping to merge this week. I just need to look into an AKS setup for the tests.

@arashnd
Contributor Author

arashnd commented Nov 11, 2025

Thanks a lot, highly appreciate it 🙏

claude and others added 14 commits November 11, 2025 20:55
This commit adds full support for testing Azure Blob storage with managed
identities on AKS. The implementation follows the same patterns as the
existing VM and App Service test environments.

Key changes:

Infrastructure (Terraform):
- Add AKS cluster with OIDC issuer and workload identity enabled
- Configure both node identity (kubelet) and workload identity (federated credentials)
- Deploy SSH-enabled pod using linuxserver/openssh-server
- Expose SSH service via LoadBalancer for VPN tunneling
- Add variables: create_aks, aks_node_count, aks_ssh_username
- Add outputs: aks_cluster_name, aks_ssh_ip, aks_ssh_username, aks_ssh_password

Testing Infrastructure:
- Add AksVpn class to establish VPN connection via kubectl port-forward
- Add bin/proxy-aks script for manual testing
- Add test_aks Rake task following existing patterns
- Add aks_test job to GitHub Actions workflow
- Extract MSI credentials from pod for testing both identity types

Development Environment:
- Add kubectl to devenv.nix packages
- Update README with comprehensive AKS testing documentation
- Document both node identity and workload identity support

The setup supports on-demand infrastructure creation and automatic teardown
via the existing GitHub Actions workflow, minimizing costs.

Updates the AKS test setup to use SSH key authentication instead of
password authentication, making it consistent with the VM test setup.

Changes:
- Remove random_password resource for AKS
- Update container env to use PUBLIC_KEY instead of USER_PASSWORD
- Remove PASSWORD_ACCESS env var (defaults to key-based auth)
- Remove aks_ssh_password output from Terraform
- Update bin/proxy-aks to use SSH keys with sshuttle
- Update AksVpn Ruby class to use publickey auth_method
- Add SSH key setup step to aks_test GitHub Actions job
- Remove sshpass dependency from devenv.nix and workflow

This brings AKS authentication in line with the existing VM pattern.
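As an added illustration of the mechanism the commits above call "workload identity (federated credentials)", this is not azure-blob's own code and is not from this PR: the AKS workload identity webhook injects AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE and AZURE_AUTHORITY_HOST into a labelled pod, and the projected service-account JWT is presented to Entra ID as a client assertion in exchange for a Blob storage access token. Function names are mine and the sample JWT is constructed and unsigned.

```ruby
require "base64"
require "json"
require "uri"
require "net/http"
TOKEN_SCOPE = "https://storage.azure.com/.default"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

# Decode the JWT payload (second segment) without verifying the signature;
# it is only used locally to refuse an already-expired assertion.
def jwt_payload(jwt)
  segments = jwt.split(".")
  raise ArgumentError, "federated token is not a JWT" unless segments.size == 3
  JSON.parse(Base64.urlsafe_decode64(segments[1]))
end

# Build the Entra ID token request from the env the workload identity
# webhook injects into the pod. Returns [URI, form params].
def build_workload_identity_request(env = ENV, now: Time.now)
  %w[AZURE_CLIENT_ID AZURE_TENANT_ID AZURE_FEDERATED_TOKEN_FILE].each do |key|
    raise KeyError, "#{key} missing; pod not labelled azure.workload.identity/use=true?" unless env[key]
  end
  assertion = File.read(env["AZURE_FEDERATED_TOKEN_FILE"]).strip
  exp = jwt_payload(assertion)["exp"]
  raise "federated token expired (kubelet rotates the projected volume)" if exp && exp <= now.to_i
  authority = env.fetch("AZURE_AUTHORITY_HOST", "https://login.microsoftonline.com/")
  uri = URI.join(authority, "#{env['AZURE_TENANT_ID']}/oauth2/v2.0/token")
  params = {
    "grant_type" => "client_credentials",
    "client_id" => env["AZURE_CLIENT_ID"],
    "scope" => TOKEN_SCOPE,
    "client_assertion_type" => CLIENT_ASSERTION_TYPE,
    "client_assertion" => assertion,
  }
  [uri, params]
end

# Perform the exchange (network call; returns the bearer token for Blob storage).
def fetch_access_token(env = ENV)
  uri, params = build_workload_identity_request(env)
  res = Net::HTTP.post_form(uri, params)
  raise "token request failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  JSON.parse(res.body).fetch("access_token")
end

# Constructed, unsigned sample token standing in for the projected
# service-account JWT (the signature segment is a placeholder).
def sample_federated_token(exp:)
  enc = ->(h) { Base64.urlsafe_encode64(JSON.generate(h), padding: false) }
  [enc.call({ "alg" => "RS256" }), enc.call({ "sub" => "system:serviceaccount:default:app", "exp" => exp }), "sig"].join(".")
end
```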
@JoeDupuis
Member

I added support for running the tests on AKS with workload identity. They pass: https://github.com/testdouble/azure-blob/actions/runs/19283901033

I'll try to review the rest this week.
