Update local tests and CI tests to use az login token or managed identity, not service principal #4003
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
matthchr
requested review from
davefellows,
theunrepentantgeek,
babbageclunk and
super-harsh
as code owners
matthchr
force-pushed
the
feature/ci-refactoring-azure
branch
from
bc0da92
to
63e7767
Compare
3 tasks
matthchr
force-pushed
the
feature/ci-refactoring-azure
branch
4 times, most recently
from
0e076e1
to
a039421
Compare
super-harsh
reviewed
May 14, 2024
matthchr
force-pushed
the
feature/ci-refactoring-azure
branch
from
a039421
to
14f3a17
Compare
theunrepentantgeek
approved these changes
May 15, 2024
| @@ -802,6 +823,8 @@ tasks: | |||
| - az-login | |||
| cmds: | |||
| - "az group delete --name {{.RESOURCE_GROUP_NAME}} -y" | |||
| - "{{.SCRIPTS_ROOT}}/delete-role-assignment.sh -d {{.AKS_WORKLOAD_IDENTITY_PATH}}" | |||
| - "rm -rf {{.AKS_WORKLOAD_IDENTITY_PATH}}" | |||
There was a problem hiding this comment.
Do we need -rf here? The combination can be dangerous if AKS_WORKLOAD_IDENTITY_PATH happens to get an odd value.
There was a problem hiding this comment.
Unfortunately yes I think we do need -rf here. -r because there's 2 levels of subfolder to remove and -f because otherwise it'll prompt which doesn't work in unattended scenarios.
I did some digging though and realized that now rm's default is:
--preserve-root[=all] do not remove '/' (default); with 'all', reject any command line argument on a separate device from its parent
Which means actually, you can't blat your whole system with this anymore so it's much safer than it used to be. You can still accidentally delete directories you didn't mean to, but in this case I think we're pretty safe because we've hardcoded it to a specific variable .AKS_WORKLOAD_IDENTITY_PATH and this path won't ever be unset unless we delete that variable.
There was a problem hiding this comment.
and if the variable is just deleted, we'll get this:
rm: missing operand
Try 'rm --help' for more information.
super-harsh
approved these changes
May 15, 2024
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
- Update az login step to use an interactive login, rather than an SP. Interactive login is good for 12 hours. - Remove SP-based kind cluster helpers and replace usages with workload-identity based. - Refactor make-mi-fic.sh to Python. This is required to manage the more limited permissions that an interactive token has with repsect to calling 'az role assignment list'.
Tested to ensure that az login allows tests to be re-recorded
The idea is that this will replace actual live testing of the various authentication modes. We trust that, if we call the azidentity SDK with the correct parameters, it does the correct thing.
We documented the AUTH_MODE: "workloadidentity" for workload identity, but in actuality the code doesn't require this be set for WI on any secret but the global secret.
Now using a dynamically created UserAssignedIdentity instead of a hardcoded static multitenant secret. There are two advantages here: 1. Less setup to run a test on a new subscription because fewer inputs to the CI job. 2. No static secrets that can possibly be leaked or compromised.
- Updated cipool BICEP to provision a managed identity and give it the required roles. - Updated Taskfile to support MSI-based az login when running in the context of a GitHub action. - Removed all reference to AZURE_CLIENT_ID and AZURE_CLIENT_SECRET from GitHub workflows.
Be explicit about which mode we're using in the various installation instructions, and provide links to the detailed authentication documentation so that users are more easily exposed to other authentication options (formats and scopes). Also update devcontainer raw cmdline to map azcli token into container to reduce number of required az logins
matthchr
force-pushed
the
feature/ci-refactoring-azure
branch
from
14f3a17
to
fa04f79
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Interactive login is good for 12 hours.
workload-identity based.
more limited permissions that an interactive token has with repsect
to calling 'az role assignment list'.
authentication modes. We trust that, if we call the azidentity SDK with
the correct parameters, it does the correct thing.
but in actuality the code doesn't require this be set for WI on any
secret but the global secret.
hardcoded static multitenant secret.
to the CI job.
required roles.
context of a GitHub action.
GitHub workflows.
instructions, and provide links to the detailed authentication
documentation so that users are more easily exposed to other
authentication options (formats and scopes).
Closes #3930
If applicable: