Conversation

@dipti-pai
Member

Part of: fluxcd/flux2#5022

Changes include:

  • Add .spec.serviceAccountName field to GitRepository
  • Controller changes to set the service account to use object-level workload identity
  • Docs and unit tests

Test Behavior

1. Feature gate disabled

```yaml
status:
  conditions:
  - lastTransitionTime: "2025-08-14T23:26:40Z"
    message: to use spec.serviceAccountName for provider authentication please enable
      the ObjectLevelWorkloadIdentity feature gate in the controller
    observedGeneration: 5
    reason: FeatureGateDisabled
    status: "True"
    type: Stalled
  - lastTransitionTime: "2025-08-14T23:26:40Z"
    message: to use spec.serviceAccountName for provider authentication please enable
      the ObjectLevelWorkloadIdentity feature gate in the controller
    observedGeneration: 5
    reason: FeatureGateDisabled
    status: "False"
    type: Ready
  - lastTransitionTime: "2025-08-14T23:26:40Z"
    message: to use spec.serviceAccountName for provider authentication please enable
      the ObjectLevelWorkloadIdentity feature gate in the controller
    observedGeneration: 5
    reason: FeatureGateDisabled
    status: "True"
    type: FetchFailed
  lastHandledReconcileAt: "2025-08-08T00:32:04.177906951Z"
  observedGeneration: 5
```

2. Controller does not have permissions to create access tokens

```yaml
- lastTransitionTime: "2025-08-14T22:41:41Z"
  message: 'failed to configure authentication options: failed to create kubernetes
    token for service account ''adoconfig/az-mi-user'': serviceaccounts "az-mi-user"
    is forbidden: User "system:serviceaccount:flux-system:source-controller" cannot
    create resource "serviceaccounts/token" in API group "" in the namespace "adoconfig"'
```

To fix this, the ClusterRole should have the following access.

```yaml
- apiGroups:
  - ""
  resources:
  - serviceaccounts/token
  verbs:
  - create
```

3. Success case

```yaml
status:
  artifact:
  - lastTransitionTime: "2025-08-14T23:29:09Z"
    message: stored artifact for revision 'main@sha1:b7d5a1fa643e65b98a11828ddc1de47b61fba654'
    observedGeneration: 5
    reason: Succeeded
    status: "True"
    type: ArtifactInStorage
  lastHandledReconcileAt: "2025-08-08T00:32:04.177906951Z"
  observedGeneration: 5
```
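
The forbidden error in case 2 is the RBAC subtlety worth checking before rolling this out: `serviceaccounts/token` is a subresource, so a rule that grants verbs on `serviceaccounts` alone does not cover the TokenRequest the controller now issues, and only the exact `serviceaccounts/token` entry, a `*/token` wildcard, or `*` does. The following Go program is an added example, not code from this PR or from source-controller; it re-implements the upstream RBAC rule-matching semantics over a locally defined `PolicyRule` type (an assumption made so it runs offline without `k8s.io/api`) and evaluates the rule from the description against the request named in the error. Binding scope (ClusterRoleBinding versus a namespaced RoleBinding) is outside what it checks.

```go
package main

import "fmt"

// PolicyRule mirrors the three fields of a rbac.authorization.k8s.io/v1
// PolicyRule that matter here. Defined locally (assumption) so the example
// runs offline without importing k8s.io/api.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// Request is the tuple the API server authorizes: verb, API group, resource
// and optional subresource.
type Request struct {
	Verb        string
	APIGroup    string
	Resource    string
	Subresource string
}

// TokenRequest is what the controller issues for object-level workload
// identity. It is taken from the forbidden error quoted in the PR description:
// create "serviceaccounts/token" in API group "".
var TokenRequest = Request{Verb: "create", APIGroup: "", Resource: "serviceaccounts", Subresource: "token"}

// FixedRule is the ClusterRole rule from the PR description as a Go literal.
var FixedRule = PolicyRule{
	APIGroups: []string{""},
	Resources: []string{"serviceaccounts/token"},
	Verbs:     []string{"create"},
}

// matchesOrWildcard is the verb/API-group rule: "*" or an exact entry matches.
func matchesOrWildcard(list []string, want string) bool {
	for _, s := range list {
		if s == "*" || s == want {
			return true
		}
	}
	return false
}

// resourceMatches follows upstream RBAC semantics: "*" matches everything,
// the exact "resource/subresource" string matches, and "*/subresource"
// matches that subresource on any parent. A bare "serviceaccounts" entry
// does NOT cover "serviceaccounts/token", which is the trap this check exposes.
func resourceMatches(rule PolicyRule, req Request) bool {
	combined := req.Resource
	if req.Subresource != "" {
		combined += "/" + req.Subresource
	}
	for _, r := range rule.Resources {
		if r == "*" || r == combined {
			return true
		}
		if req.Subresource != "" && r == "*/"+req.Subresource {
			return true
		}
	}
	return false
}

// RuleAllows reports whether a single rule grants the request.
func RuleAllows(rule PolicyRule, req Request) bool {
	return matchesOrWildcard(rule.Verbs, req.Verb) &&
		matchesOrWildcard(rule.APIGroups, req.APIGroup) &&
		resourceMatches(rule, req)
}

// RulesAllow reports whether any rule of a (Cluster)Role grants the request.
// Binding scope (ClusterRoleBinding vs. namespaced RoleBinding) is outside
// this check and assumed to cover the target namespace.
func RulesAllow(rules []PolicyRule, req Request) bool {
	for _, rule := range rules {
		if RuleAllows(rule, req) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed candidates: the PR's fix, a rule that only names the parent
	// resource (a common mistake), and one that reaches the subresource via
	// the "*/token" wildcard form.
	candidates := map[string][]PolicyRule{
		"pr-fix":           {FixedRule},
		"parent-only":      {{APIGroups: []string{""}, Resources: []string{"serviceaccounts"}, Verbs: []string{"create"}}},
		"any-token-subres": {{APIGroups: []string{""}, Resources: []string{"*/token"}, Verbs: []string{"create"}}},
	}
	for name, rules := range candidates {
		fmt.Printf("%-18s allows TokenRequest: %v\n", name, RulesAllow(rules, TokenRequest))
	}
}
```

Run it with `go run .`; only `pr-fix` and `any-token-subres` report `true`. Of the two, the exact `serviceaccounts/token` entry from the PR is the tighter grant, since `*/token` would also cover any other resource that exposes a `token` subresource.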

@dipti-pai dipti-pai marked this pull request as draft August 14, 2025 23:51
@dipti-pai dipti-pai force-pushed the azure-obj-level-gitrepo branch from 7cdc49d to 945912f Compare August 15, 2025 01:50
@dipti-pai dipti-pai marked this pull request as ready for review August 15, 2025 02:01
@stefanprodan stefanprodan added area/git Git related issues and pull requests area/security Security related issues and pull requests labels Aug 15, 2025
@dipti-pai dipti-pai force-pushed the azure-obj-level-gitrepo branch from 945912f to ae30fe5 Compare August 15, 2025 06:09
@matheuscscp matheuscscp (Member) left a comment

Looking good! Thanks, @dipti-pai!

@dipti-pai dipti-pai force-pushed the azure-obj-level-gitrepo branch from ae30fe5 to 4fe3434 Compare August 15, 2025 17:10
@matheuscscp matheuscscp (Member) left a comment

LGTM! 🚀

Thanks very much, @dipti-pai!

@matheuscscp matheuscscp merged commit 24412ed into fluxcd:main Aug 15, 2025
8 checks passed