-
Notifications
You must be signed in to change notification settings - Fork 40.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
azure: msi: add managed identity field, logic #48854
Conversation
/assign @brendandburns |
a3582ce
to
770a50a
Compare
I added a couple more commits:
|
Tried to test the ACR change:
Maybe I could just drop the last commit since the refactor could eventually be utilized whenever ACR ships some form of access token auth? edit: This comment above is not correct. There is a way to support this potentially. I will file a follow issue. |
The azure cloudprovider will now use the Managed Service Identity to retrieve access tokens for the Azure ARM APIs, rather than requiring hard-coded, user-specified credentials.
I'm stumped on this Any suggestions are appreciated, thanks. |
/sig azure |
/retest |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: brendandburns, colemickens Associated issue requirement bypassed by: brendandburns The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
Automatic merge from submit-queue (batch tested with PRs 47066, 48892, 48933, 48854, 48894) |
Automatic merge from submit-queue (batch tested with PRs 48981, 47316, 49180) azure: acr: support MSI with preview ACR with AAD auth **What this PR does / why we need it**: The recently added support for Managed Identity in Azure (#48854) was incompatible with automatic ACR docker credential integration (#48980). This PR resolves that, by leveraging a feature available in Preview regions, on new managed clusters with support for AAD `access_token` authentication. Notes: * This includes code copied from [Azure/acr-docker-credential-helper](https://github.com/Azure/acr-docker-credential-helper). I copied the MIT license from that project and added a copyright line for Microsoft on it. (but one of the hack/verify-* scripts requires the Kubernetes copyright header. So there are two copyright headers in the file now...) * Eventually this should vendor [Azure/acr-docker-credential-helper](https://github.com/Azure/acr-docker-credential-helper) when it exposes the right functionality. * This includes a small, non-function-impacting workaround for a temporary service-side bug. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #48980 **Special notes for your reviewer**: Please don't LGTM it without reviewing the `azure_acr_helper.go` file's license header... **Release note**: ```release-note azure: acr: support MSI with preview ACR with AAD auth ```
Commit found in the "release-1.7" branch appears to be this PR. Removing the "cherrypick-candidate" label. If this is an error find help to get your PR picked. |
What this PR does / why we need it: Enables managed service identity support for the Azure cloudprovider. "Managed Service Identity" allows us to ask the Azure Compute infra to provision an identity for the VM. Users can then retrieve the identity and assign it RBAC permissions to talk to Azure ARM APIs for the purpose of the cloudprovider needs.
Per the commit text:
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close that issue when PR gets merged): n/aSpecial notes for your reviewer: none
Release note:
cc: @brendandburns @jdumars @anhowe