Refactor Azure workload identity implementation in Velero: comment out label and annotation handling, update environment variable checks in tests

Signed-off-by: Tiger Kaovilai <[email protected]>

Author: kaovilai

internal/controller/velero_test.go

@@ -2560,20 +2560,23 @@ func TestDPAReconciler_buildVeleroDeploymentWithAzureWorkloadIdentity(t *testing
 					t.Errorf("Expected %s secret reference in envFrom", stsflow.AzureWorkloadIdentitySecretName)
 				}
 
-				// Also check that AZURE_CLIENT_ID env var is set
-				foundEnvVar := false
+				// Check that Azure environment variables are set
+				foundClientIDEnvVar := false
+				foundTokenFileEnvVar := false
 				for _, container := range tt.veleroDeployment.Spec.Template.Spec.Containers {
 					if container.Name == common.Velero {
 						for _, env := range container.Env {
 							if env.Name == "AZURE_CLIENT_ID" && env.Value == "test-client-id" {
-								foundEnvVar = true
-								break
+								foundClientIDEnvVar = true
+							}
+							if env.Name == "AZURE_FEDERATED_TOKEN_FILE" && env.Value == "/var/run/secrets/openshift/serviceaccount/token" {
+								foundTokenFileEnvVar = true
 							}
 						}
 						break
 					}
 				}
-				if !foundEnvVar {
+				if !foundClientIDEnvVar {
 					t.Errorf("Expected AZURE_CLIENT_ID environment variable to be set")
 				}
 			} else {

pkg/credentials/stsflow/stsflow.go

@@ -12,6 +12,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes"
+
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
@@ -320,7 +321,7 @@ func AnnotateVeleroServiceAccountForAzureWithClient(setupLog logr.Logger, client
 	// The annotation instructs the Workload Identity webhook to inject the AZURE_CLIENT_ID environment variable.
 	// Since we're manually setting the environment variable in the deployment, this is just a precaution.
 	// See: https://azure.github.io/azure-workload-identity/docs/topics/service-account-labels-and-annotations.html#service-account
-	sa.Annotations["azure.workload.identity/client-id"] = clientID
+	// sa.Annotations["azure.workload.identity/client-id"] = clientID
 
 	// Apply the patch
 	if err := clientInstance.Patch(context.Background(), sa, client.MergeFrom(originalSA)); err != nil {

pkg/credentials/stsflow/stsflow_test.go

@@ -492,7 +492,7 @@ func TestAnnotateVeleroServiceAccountForAzure(t *testing.T) {
 			},
 			expectError: false,
 			expectedAnnotations: map[string]string{
-				"azure.workload.identity/client-id": testClientID,
+				// Annotation is commented out in implementation
 			},
 		},
 		{
@@ -509,8 +509,8 @@ func TestAnnotateVeleroServiceAccountForAzure(t *testing.T) {
 			},
 			expectError: false,
 			expectedAnnotations: map[string]string{
-				"azure.workload.identity/client-id": testClientID,
-				"existing-annotation":               "existing-value",
+				// Annotation is commented out in implementation, only existing annotations should remain
+				"existing-annotation": "existing-value",
 			},
 		},
 		{
@@ -629,7 +629,8 @@ AZURE_CLOUD_NAME=AzurePublicCloud
 			Namespace: testNamespace,
 		}, saResult)
 		assert.NoError(t, err)
-		assert.Equal(t, clientID, saResult.Annotations["azure.workload.identity/client-id"])
+		// Annotation is commented out in implementation, so we shouldn't check for it
+		// assert.Equal(t, clientID, saResult.Annotations["azure.workload.identity/client-id"])
 	})
 
 	t.Run("Azure secret creation continues even if service account annotation fails", func(t *testing.T) {