feat: add workloadIdentity field to SpinApp

Mossaka · Mossaka · commit 4f8681639efe · 2025-03-06T16:55:58.000Z
This adds a new 'workloadIdentity' field to the SpinApp CRD and the controller will detect this field to determine whether or not to apply provider specific labels to enable cloud workload identity. See SKIP spinframework/skips#16 for more details Signed-off-by: Jiaxiao (mossaka) Zhou <duibao55328@gmail.com>
diff --git a/api/v1alpha1/spinapp_types.go b/api/v1alpha1/spinapp_types.go
@@ -86,6 +86,10 @@ type SpinAppSpec struct {
 	// If this is not provided all components are executed.
 	// +kubebuilder:validation:MinItems:=1
 	Components []string `json:"components,omitempty"`
+
+	// WorkloadIdentity defines the workload identity configuration for cloud provider authentication.
+	// +optional
+	WorkloadIdentity *WorkloadIdentity `json:"workloadIdentity,omitempty"`
 }
 
 // SpinAppStatus defines the observed state of SpinApp
@@ -287,6 +291,17 @@ type HTTPHealthProbeHeader struct {
 	Value string `json:"value"`
 }
 
+// WorkloadIdentity defines the configuration for cloud provider workload identity.
+type WorkloadIdentity struct {
+	// ServiceAccountName is the name of the Kubernetes service account to use for workload identity.
+	// +kubebuilder:validation:Required
+	ServiceAccountName string `json:"serviceAccountName"`
+
+	// ProviderMetadata contains cloud provider-specific configuration for workload identity.
+	// +kubebuilder:validation:Required
+	ProviderMetadata map[string]string `json:"providerMetadata"`
+}
+
 func init() {
 	SchemeBuilder.Register(&SpinApp{}, &SpinAppList{})
 }
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/internal/controller/spinapp_controller.go b/internal/controller/spinapp_controller.go
@@ -422,6 +422,15 @@ func constructDeployment(ctx context.Context, app *spinv1alpha1.SpinApp, config
 	}
 	maps.Copy(templateLabels, readyLabels)
 
+	// Add Azure workload identity label if configured
+	if app.Spec.WorkloadIdentity != nil {
+		if val, ok := app.Spec.WorkloadIdentity.ProviderMetadata["azure"]; ok {
+			if val == "true" {
+				templateLabels["azure.workload.identity/use"] = "true"
+			}
+		}
+	}
+
 	// TODO: Once we land admission webhooks write some validation for this e.g.
 	// don't allow setting memory limit with cyclotron runtime.
 	resources := corev1.ResourceRequirements{
@@ -508,10 +517,11 @@ func constructDeployment(ctx context.Context, app *spinv1alpha1.SpinApp, config
 					Annotations: templateAnnotations,
 				},
 				Spec: corev1.PodSpec{
-					RuntimeClassName: config.RuntimeClassName,
-					Containers:       []corev1.Container{container},
-					ImagePullSecrets: app.Spec.ImagePullSecrets,
-					Volumes:          volumes,
+					RuntimeClassName:   config.RuntimeClassName,
+					ServiceAccountName: getServiceAccountName(app),
+					Containers:         []corev1.Container{container},
+					ImagePullSecrets:   app.Spec.ImagePullSecrets,
+					Volumes:            volumes,
 				},
 			},
 		},
@@ -530,6 +540,16 @@ func constructDeployment(ctx context.Context, app *spinv1alpha1.SpinApp, config
 	return dep, nil
 }
 
+// getServiceAccountName returns the service account name to use for the deployment.
+// If workload identity is configured, it returns the configured service account name.
+// Otherwise, it returns "default" which is the Kubernetes default.
+func getServiceAccountName(app *spinv1alpha1.SpinApp) string {
+	if app.Spec.WorkloadIdentity != nil {
+		return app.Spec.WorkloadIdentity.ServiceAccountName
+	}
+	return "default"
+}
+
 // findDeploymentForApp finds the deployment for a SpinApp.
 func (r *SpinAppReconciler) findDeploymentForApp(ctx context.Context, app *spinv1alpha1.SpinApp) (*appsv1.Deployment, error) {
 	var deployment appsv1.Deployment
diff --git a/internal/controller/spinapp_controller_test.go b/internal/controller/spinapp_controller_test.go
@@ -630,3 +630,74 @@ func TestReconcile_Integration_Deployment_SpinCAInjection(t *testing.T) {
 	cancelFunc()
 	wg.Wait()
 }
+
+func TestReconcile_Integration_WorkloadIdentity_Azure(t *testing.T) {
+	t.Parallel()
+
+	envTest, mgr, _ := setupController(t)
+
+	ctx, cancelFunc := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancelFunc()
+
+	var wg sync.WaitGroup
+	wg.Add(1)
+	go func() {
+		require.NoError(t, mgr.Start(ctx))
+		wg.Done()
+	}()
+
+	// Create an executor that creates a deployment
+	executor := &spinv1alpha1.SpinAppExecutor{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "executor",
+			Namespace: "default",
+		},
+		Spec: spinv1alpha1.SpinAppExecutorSpec{
+			CreateDeployment: true,
+			DeploymentConfig: &spinv1alpha1.ExecutorDeploymentConfig{
+				RuntimeClassName: generics.Ptr("a-runtime-class"),
+			},
+		},
+	}
+
+	require.NoError(t, envTest.k8sClient.Create(ctx, executor))
+
+	spinApp := &spinv1alpha1.SpinApp{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "app",
+			Namespace: "default",
+		},
+		Spec: spinv1alpha1.SpinAppSpec{
+			Executor: "executor",
+			Image:    "ghcr.io/radu-matei/perftest:v1",
+			WorkloadIdentity: &spinv1alpha1.WorkloadIdentity{
+				ServiceAccountName: "custom-sa",
+				ProviderMetadata: map[string]string{
+					"azure": "true",
+				},
+			},
+		},
+	}
+
+	require.NoError(t, envTest.k8sClient.Create(ctx, spinApp))
+
+	// Wait for the underlying deployment to exist
+	var deployment appsv1.Deployment
+	require.Eventually(t, func() bool {
+		err := envTest.k8sClient.Get(ctx,
+			types.NamespacedName{
+				Namespace: "default",
+				Name:      "app"},
+			&deployment)
+		return err == nil
+	}, 3*time.Second, 100*time.Millisecond)
+
+	// Verify Azure workload identity label is set
+	require.Equal(t, "true", deployment.Spec.Template.ObjectMeta.Labels["azure.workload.identity/use"])
+	// Verify service account name is set
+	require.Equal(t, "custom-sa", deployment.Spec.Template.Spec.ServiceAccountName)
+
+	// Terminate the context to force the manager to shut down.
+	cancelFunc()
+	wg.Wait()
+}
diff --git a/internal/webhook/spinapp_validating.go b/internal/webhook/spinapp_validating.go
@@ -64,6 +64,9 @@ func (v *SpinAppValidator) validateSpinApp(ctx context.Context, spinApp *spinv1a
 	if err := validateAnnotations(spinApp.Spec, executor); err != nil {
 		allErrs = append(allErrs, err)
 	}
+	if err := validateWorkloadIdentity(spinApp.Spec); err != nil {
+		allErrs = append(allErrs, err)
+	}
 	if len(allErrs) == 0 {
 		return nil
 	}
@@ -137,3 +140,17 @@ func validateAnnotations(spec spinv1alpha1.SpinAppSpec, executor *spinv1alpha1.S
 
 	return nil
 }
+
+func validateWorkloadIdentity(spec spinv1alpha1.SpinAppSpec) *field.Error {
+	if spec.WorkloadIdentity == nil {
+		return nil
+	}
+
+	if spec.WorkloadIdentity.ServiceAccountName == "" {
+		return field.Required(
+			field.NewPath("spec").Child("workloadIdentity").Child("serviceAccountName"),
+			"serviceAccountName must be provided when workload identity is configured")
+	}
+
+	return nil
+}
