Merge Azure Managed Identity support from mattmancel-azure-workload/main

Author: ehrnst

.codespell.ignorewords

@@ -0,0 +1 @@
+AKS

.gitignore

@@ -47,6 +47,11 @@ inference-extension-conformance-test-report.yaml
 .claude/
 .env
 .mcp.json
+.serena/
+CLAUDE.md
 
 .goose
 /aigw
+
+# Go test binaries
+*.test

api/v1alpha1/backendsecurity_policy.go

@@ -229,14 +229,18 @@ type BackendSecurityPolicyGCPCredentials struct {
 }
 
 // BackendSecurityPolicyAzureCredentials contains the supported authentication mechanisms to access Azure.
-// Only one of ClientSecretRef or OIDCExchangeToken must be specified. Credentials will not be generated if
-// neither are set.
+// One of ClientSecretRef, OIDCExchangeToken, or UseManagedIdentity must be specified.
+// When UseManagedIdentity is true, neither ClientSecretRef nor OIDCExchangeToken should be set.
+// Otherwise, exactly one of ClientSecretRef or OIDCExchangeToken must be specified.
 //
-// +kubebuilder:validation:XValidation:rule="(has(self.clientSecretRef) && !has(self.oidcExchangeToken)) || (!has(self.clientSecretRef) && has(self.oidcExchangeToken))",message="Exactly one of clientSecretRef or oidcExchangeToken must be specified"
+// +kubebuilder:validation:XValidation:rule="has(self.useManagedIdentity) && self.useManagedIdentity ? (!has(self.clientSecretRef) && !has(self.oidcExchangeToken)) : ((has(self.clientSecretRef) && !has(self.oidcExchangeToken)) || (!has(self.clientSecretRef) && has(self.oidcExchangeToken)))",message="When useManagedIdentity is true, clientSecretRef and oidcExchangeToken must not be specified. Otherwise, exactly one of clientSecretRef or oidcExchangeToken must be specified"
+// +kubebuilder:validation:XValidation:rule="has(self.useManagedIdentity) && self.useManagedIdentity && !has(self.clientID) ? true : has(self.clientID)",message="clientID is optional for system-assigned managed identity but required otherwise"
 type BackendSecurityPolicyAzureCredentials struct {
 	// ClientID is a unique identifier for an application in Azure.
+	// This field is optional when using system-assigned managed identity,
+	// but required for user-assigned managed identity and other authentication methods.
 	//
-	// +kubebuilder:validation:Required
+	// +optional
 	// +kubebuilder:validation:MinLength=1
 	ClientID string `json:"clientID"`
 
@@ -258,6 +262,16 @@ type BackendSecurityPolicyAzureCredentials struct {
 	//
 	// +optional
 	OIDCExchangeToken *AzureOIDCExchangeToken `json:"oidcExchangeToken,omitempty"`
+
+	// UseManagedIdentity enables Azure Managed Identity authentication.
+	// When set to true, the gateway will use DefaultAzureCredential which supports:
+	// - Environment variables (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET, AZURE_FEDERATED_TOKEN_FILE)
+	// - AKS Workload Identity (via service account annotations)
+	// - System-assigned managed identity (when clientID is not specified)
+	// - User-assigned managed identity (when clientID is specified)
+	//
+	// +optional
+	UseManagedIdentity *bool `json:"useManagedIdentity,omitempty"`
 }
 
 // AzureOIDCExchangeToken specifies credentials to obtain oidc token from a sso server.

api/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,117 @@
+# Copyright Envoy AI Gateway Authors
+# SPDX-License-Identifier: Apache-2.0
+# The full text of the Apache license is available in the LICENSE file at
+# the root of the repo.
+
+# This example demonstrates Azure OpenAI integration using Managed Identity authentication.
+#
+# Prerequisites for AKS Workload Identity:
+# 1. Enable OIDC Issuer and Workload Identity on your AKS cluster
+# 2. Create a User-Assigned Managed Identity in Azure
+# 3. Grant the Managed Identity "Cognitive Services OpenAI User" role on your Azure OpenAI resource
+# 4. Create a federated identity credential associating the managed identity with your Kubernetes service account
+# 5. Annotate your Kubernetes service account with the managed identity client ID
+#
+# Example service account:
+# apiVersion: v1
+# kind: ServiceAccount
+# metadata:
+#   name: ai-gateway-sa
+#   namespace: envoy-gateway-system
+#   annotations:
+#     azure.workload.identity/client-id: "YOUR_USER_ASSIGNED_IDENTITY_CLIENT_ID"
+#
+# Then configure your gateway deployment to use this service account.
+
+---
+apiVersion: aigateway.envoyproxy.io/v1alpha1
+kind: AIGatewayRoute
+metadata:
+  name: envoy-ai-gateway-basic-azure-mi
+  namespace: default
+spec:
+  parentRefs:
+    - name: envoy-ai-gateway-basic
+      kind: Gateway
+      group: gateway.networking.k8s.io
+  rules:
+    - matches:
+        - headers:
+            - type: Exact
+              name: x-ai-eg-model
+              value: gpt-4o-preview
+      backendRefs:
+        - name: envoy-ai-gateway-basic-azure-mi
+---
+apiVersion: aigateway.envoyproxy.io/v1alpha1
+kind: AIServiceBackend
+metadata:
+  name: envoy-ai-gateway-basic-azure-mi
+  namespace: default
+spec:
+  schema:
+    name: AzureOpenAI
+    version: 2025-01-01-preview
+  backendRef:
+    name: envoy-ai-gateway-basic-azure-mi
+    kind: Backend
+    group: gateway.envoyproxy.io
+---
+# User-Assigned Managed Identity Example
+apiVersion: aigateway.envoyproxy.io/v1alpha1
+kind: BackendSecurityPolicy
+metadata:
+  name: envoy-ai-gateway-basic-azure-mi-credentials
+  namespace: default
+spec:
+  targetRefs:
+    - group: aigateway.envoyproxy.io
+      kind: AIServiceBackend
+      name: envoy-ai-gateway-basic-azure-mi
+  type: AzureCredentials
+  azureCredentials:
+    clientID: YOUR_USER_ASSIGNED_IDENTITY_CLIENT_ID   # Replace with your User-Assigned Managed Identity Client ID
+    tenantID: YOUR_AZURE_TENANT_ID                    # Replace with your Azure Tenant ID
+    useManagedIdentity: true
+---
+# Alternative: System-Assigned Managed Identity Example (uncomment and use instead of above)
+# apiVersion: aigateway.envoyproxy.io/v1alpha1
+# kind: BackendSecurityPolicy
+# metadata:
+#   name: envoy-ai-gateway-basic-azure-mi-credentials
+#   namespace: default
+# spec:
+#   targetRefs:
+#     - group: aigateway.envoyproxy.io
+#       kind: AIServiceBackend
+#       name: envoy-ai-gateway-basic-azure-mi
+#   type: AzureCredentials
+#   azureCredentials:
+#     # No clientID specified for system-assigned managed identity
+#     tenantID: YOUR_AZURE_TENANT_ID                  # Replace with your Azure Tenant ID
+#     useManagedIdentity: true
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: Backend
+metadata:
+  name: envoy-ai-gateway-basic-azure-mi
+  namespace: default
+spec:
+  endpoints:
+    - fqdn:
+        hostname: your-azure-openai-resource.openai.azure.com  # Replace with your Azure OpenAI resource
+        port: 443
+---
+apiVersion: gateway.networking.k8s.io/v1alpha3
+kind: BackendTLSPolicy
+metadata:
+  name: envoy-ai-gateway-basic-azure-mi-tls
+  namespace: default
+spec:
+  targetRefs:
+    - group: 'gateway.envoyproxy.io'
+      kind: Backend
+      name: envoy-ai-gateway-basic-azure-mi
+  validation:
+    wellKnownCACertificates: "System"
+    hostname: your-azure-openai-resource.openai.azure.com  # Replace with your Azure OpenAI resource

examples/basic/azure_openai_managed_identity.yaml

@@ -136,8 +136,13 @@ func (c *BackendSecurityPolicyController) rotateCredential(ctx context.Context,
 		var provider tokenprovider.TokenProvider
 		options := policy.TokenRequestOptions{Scopes: []string{azureScopeURL}}
 
-		oidc := getBackendSecurityPolicyAuthOIDC(bsp.Spec)
-		if oidc != nil {
+		if bsp.Spec.AzureCredentials.UseManagedIdentity != nil && *bsp.Spec.AzureCredentials.UseManagedIdentity {
+			// Use managed identity authentication (DefaultAzureCredential).
+			provider, err = tokenprovider.NewAzureManagedIdentityTokenProvider(ctx, clientID, options)
+			if err != nil {
+				return ctrl.Result{}, err
+			}
+		} else if oidc := getBackendSecurityPolicyAuthOIDC(bsp.Spec); oidc != nil {
 			var oidcProvider tokenprovider.TokenProvider
 			oidcProvider, err = tokenprovider.NewOidcTokenProvider(ctx, c.client, oidc)
 			if err != nil {
@@ -169,7 +174,7 @@ func (c *BackendSecurityPolicyController) rotateCredential(ctx context.Context,
 				return ctrl.Result{}, err
 			}
 		} else {
-			return ctrl.Result{}, fmt.Errorf("one of secret ref or oidc must be defined, namespace %s name %s", bsp.Namespace, bsp.Name)
+			return ctrl.Result{}, fmt.Errorf("one of secret ref, oidc, or managed identity must be defined, namespace %s name %s", bsp.Namespace, bsp.Name)
 		}
 
 		rotator, err = rotators.NewAzureTokenRotator(c.client, c.kube, c.logger, bsp.Namespace, bsp.Name, preRotationWindow, provider)

internal/controller/backend_security_policy.go

@@ -1270,3 +1270,152 @@ func TestGetBSPGeneratedSecretName(t *testing.T) {
 		})
 	}
 }
+
+func TestBackendSecurityPolicyController_ManagedIdentity(t *testing.T) {
+	t.Run("Azure managed identity authentication", func(t *testing.T) {
+		eventCh := internaltesting.NewControllerEventChan[*aigv1a1.AIServiceBackend]()
+		fakeClient := requireNewFakeClientWithIndexes(t)
+		c := NewBackendSecurityPolicyController(fakeClient, fake2.NewClientset(), ctrl.Log, eventCh.Ch)
+
+		namespace := "default"
+		bspName := "azure-mi-bsp"
+		asbName := "azure-mi-asb"
+
+		// Create AIServiceBackend.
+		asb := &aigv1a1.AIServiceBackend{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      asbName,
+				Namespace: namespace,
+			},
+		}
+		require.NoError(t, fakeClient.Create(context.Background(), asb))
+
+		// Create BackendSecurityPolicy with user-assigned managed identity.
+		bsp := &aigv1a1.BackendSecurityPolicy{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      bspName,
+				Namespace: namespace,
+			},
+			Spec: aigv1a1.BackendSecurityPolicySpec{
+				TargetRefs: []gwapiv1a2.LocalPolicyTargetReference{
+					{
+						Group: "aigateway.envoyproxy.io",
+						Kind:  "AIServiceBackend",
+						Name:  gwapiv1.ObjectName(asbName),
+					},
+				},
+				Type: aigv1a1.BackendSecurityPolicyTypeAzureCredentials,
+				AzureCredentials: &aigv1a1.BackendSecurityPolicyAzureCredentials{
+					ClientID:           "test-user-assigned-mi-client-id",
+					TenantID:           "test-tenant-id",
+					UseManagedIdentity: ptr.To(true),
+				},
+			},
+		}
+		require.NoError(t, fakeClient.Create(context.Background(), bsp))
+
+		// Reconcile - expect it to succeed (token provider creation will fail but that's expected in test).
+		res, err := c.Reconcile(context.Background(), reconcile.Request{
+			NamespacedName: types.NamespacedName{
+				Name:      bspName,
+				Namespace: namespace,
+			},
+		})
+		require.NoError(t, err)
+		require.Positive(t, res.RequeueAfter) // Should requeue for token rotation.
+
+		// Verify AIServiceBackend event was sent.
+		select {
+		case event := <-eventCh.Ch:
+			receivedASB := event.Object.(*aigv1a1.AIServiceBackend)
+			require.Equal(t, asbName, receivedASB.Name)
+			require.Equal(t, namespace, receivedASB.Namespace)
+		case <-time.After(time.Second):
+			t.Fatal("expected AIServiceBackend event")
+		}
+	})
+
+	t.Run("Azure system-assigned managed identity authentication", func(t *testing.T) {
+		eventCh := internaltesting.NewControllerEventChan[*aigv1a1.AIServiceBackend]()
+		fakeClient := requireNewFakeClientWithIndexes(t)
+		c := NewBackendSecurityPolicyController(fakeClient, fake2.NewClientset(), ctrl.Log, eventCh.Ch)
+
+		namespace := "default"
+		bspName := "azure-system-mi-bsp"
+		asbName := "azure-system-mi-asb"
+
+		// Create AIServiceBackend.
+		asb := &aigv1a1.AIServiceBackend{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      asbName,
+				Namespace: namespace,
+			},
+		}
+		require.NoError(t, fakeClient.Create(context.Background(), asb))
+
+		// Create BackendSecurityPolicy with system-assigned managed identity (no clientID).
+		bsp := &aigv1a1.BackendSecurityPolicy{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      bspName,
+				Namespace: namespace,
+			},
+			Spec: aigv1a1.BackendSecurityPolicySpec{
+				TargetRefs: []gwapiv1a2.LocalPolicyTargetReference{
+					{
+						Group: "aigateway.envoyproxy.io",
+						Kind:  "AIServiceBackend",
+						Name:  gwapiv1.ObjectName(asbName),
+					},
+				},
+				Type: aigv1a1.BackendSecurityPolicyTypeAzureCredentials,
+				AzureCredentials: &aigv1a1.BackendSecurityPolicyAzureCredentials{
+					// No ClientID for system-assigned managed identity.
+					TenantID:           "test-tenant-id",
+					UseManagedIdentity: ptr.To(true),
+				},
+			},
+		}
+		require.NoError(t, fakeClient.Create(context.Background(), bsp))
+
+		// Reconcile - expect it to succeed.
+		res, err := c.Reconcile(context.Background(), reconcile.Request{
+			NamespacedName: types.NamespacedName{
+				Name:      bspName,
+				Namespace: namespace,
+			},
+		})
+		require.NoError(t, err)
+		require.Positive(t, res.RequeueAfter) // Should requeue for token rotation.
+
+		// Verify AIServiceBackend event was sent.
+		select {
+		case event := <-eventCh.Ch:
+			receivedASB := event.Object.(*aigv1a1.AIServiceBackend)
+			require.Equal(t, asbName, receivedASB.Name)
+			require.Equal(t, namespace, receivedASB.Namespace)
+		case <-time.After(time.Second):
+			t.Fatal("expected AIServiceBackend event")
+		}
+	})
+}
+
+func TestGetBackendSecurityPolicyAuthOIDC_ManagedIdentity(t *testing.T) {
+	// Azure managed identity should not return OIDC.
+	require.Nil(t, getBackendSecurityPolicyAuthOIDC(aigv1a1.BackendSecurityPolicySpec{
+		Type: aigv1a1.BackendSecurityPolicyTypeAzureCredentials,
+		AzureCredentials: &aigv1a1.BackendSecurityPolicyAzureCredentials{
+			ClientID:           "client-id",
+			TenantID:           "tenant-id",
+			UseManagedIdentity: ptr.To(true),
+		},
+	}))
+
+	// Azure managed identity should not return OIDC even with empty clientID (system-assigned).
+	require.Nil(t, getBackendSecurityPolicyAuthOIDC(aigv1a1.BackendSecurityPolicySpec{
+		Type: aigv1a1.BackendSecurityPolicyTypeAzureCredentials,
+		AzureCredentials: &aigv1a1.BackendSecurityPolicyAzureCredentials{
+			TenantID:           "tenant-id",
+			UseManagedIdentity: ptr.To(true),
+		},
+	}))
+}