Hi,

**TL;DR: Workload Identity forces the usage of ephemeral ClientIDs, but in a CD world it's hard to maintain. The solution: allow ResourceID instead of ClientID.**

Many projects are still lagging behind in the implementation of this workload identity stuff, which can be covered to some extent by using a fairly unrestricted sidecar to run next to the application. (As an example, Hashicorp Vault supports AAD Pod Id Binding just fine, as it seems to work like regular MSI.) However, if I look at the PR that proposes the implementation of Workload Identity (just like many other implementations, e.g. azure secrets csi), it requires me to pass the ClientID again. I mean again because it is also attached to the serviceaccount...

This might not seem such a big issue, but I'm actually astonished that there's nobody else facing the issues that I have, namely: the ClientID is ephemeral and does therefore not sit well with CD scenarios. Let me elaborate.

In my case, I have a terraform script which sets up AKS and some identities as well as their authorization. A bit further down the line, I set up ArgoCD via a helm script. In argoCD I read a JSON file, which contains the answers I provided to my terraform script; this way I can keep the answers in sync with some configuration details in my helm charts under argocd.

Now, my big issue... Creating identities generates a clientId. Now, how do I get this clientId in kubernetes? In the past, with aadpodidbinding, I created my link between serviceaccount and identity via the azureCLI as a part of my terraform script and all was well. This is nearly impossible to maintain in a CD world. Either I ditch argoCD and do everything from terraform, but then I don't get all the benefits ArgoCD brings. Or I update my answers file, commit and push it to git from jenkins... but that's wrong if the only thing I really wanted was to deploy a test cluster to check if my terraform script is running.

What would or could be a solution?

Make ClientID optional if I have the ResourceID. That doesn't change, or at least it's decoupled from ClientId. Now life becomes much, much easier!
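One way to keep the generated ClientID out of any hand-maintained answers file is to address the identity by its stable coordinates (name and resource group, i.e. its ResourceID) and read the ClientID back at apply time. The Terraform below is an added example, not code from the discussion or from the Workload Identity project; it assumes an existing `azurerm_kubernetes_cluster.aks` resource with `oidc_issuer_enabled` and `workload_identity_enabled` set, a `hashicorp/kubernetes` provider pointed at that cluster, and placeholder names for the identity, resource group, namespace and service account.

```hcl
# Added example (not from the original post). Assumes azurerm_kubernetes_cluster.aks
# exists with oidc_issuer_enabled/workload_identity_enabled = true and that the
# kubernetes provider is configured for that cluster. All names are placeholders.

# Look the identity up by its stable coordinates (name + resource group).
# Azure generates the client ID; it is read here rather than copied anywhere.
data "azurerm_user_assigned_identity" "app" {
  name                = "id-myapp"   # placeholder
  resource_group_name = "rg-myapp"   # placeholder
}

# Trust relationship: only tokens from this cluster's OIDC issuer, for exactly
# this namespace/service-account subject, may be exchanged for identity tokens.
resource "azurerm_federated_identity_credential" "app" {
  name                = "aks-myapp"
  resource_group_name = data.azurerm_user_assigned_identity.app.resource_group_name
  parent_id           = data.azurerm_user_assigned_identity.app.id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = azurerm_kubernetes_cluster.aks.oidc_issuer_url
  subject             = "system:serviceaccount:myapp:myapp-sa"
}

# The service account annotation carries the client ID as a derived value,
# so recreating the identity only needs a new apply, not an edited config file.
resource "kubernetes_service_account" "app" {
  metadata {
    name      = "myapp-sa"
    namespace = "myapp"
    annotations = {
      "azure.workload.identity/client-id" = data.azurerm_user_assigned_identity.app.client_id
    }
  }
}

# Exposed for tooling that renders Helm values; still derived, never stored by hand.
output "app_client_id" {
  value = data.azurerm_user_assigned_identity.app.client_id
}
```

Pinning `subject` to one namespace and service account keeps the federation scoped, so a token from any other workload on the cluster cannot be exchanged for this identity.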
Closing this because PEBKAC... I needed to change the way I think about identity lifecycles in my project. But creating it out of band of my script, it's easy to implement.

Not sure how to close this thread...