Skip to content

Don't create cilium-azure secret when azure.clientID is not set #40269

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 16, 2025
Merged

Don't create cilium-azure secret when azure.clientID is not set #40269

merged 1 commit into from
Jul 16, 2025

Conversation

atykhyy
Copy link
Contributor

@atykhyy atykhyy commented Jun 29, 2025
edited by squeed
Loading

When using Azure workload identity (the AKS-recommended authentication method), it is the AWI mutating admission webhook that injects client id, tenant id and so on into pods. If cilium-operator's pod spec already has the environment variable AZURE_CLIENT_ID mounted from the secret, the webhook does not overwrite it with the correct value, workload identity credential fails to acquire a token, and cilium-operator cannot sync IPAM information. And if neither client id nor client secret are specified, there is no need to create the cilium-azure secret.

This commit modifies the cilium helm chart to skip creating the cilium-azure secret and the environment variable bindings to it in cilium-operator's pod spec when azure.clientID helm value is not set.

Fixes the Operator's configuration to be compatible with Azure workload identity.

@atykhyy
Don't create cilium-azure secret when azure.clientID is not set
90d9532 
When using Azure workload identity (the AKS-recommended authentication
method), it is the AWI mutating admission webhook that injects client id,
tenant id and so on into pods. If cilium-operator's pod spec already has
the environment variable AZURE_CLIENT_ID mounted from the secret,
the webhook does not overwrite it with the correct value, workload
identity credential fails to acquire a token, and cilium-operator cannot
sync IPAM information. And if neither client id nor client secret are
specified, there is no need to create the cilium-azure secret.

This commit modifies the cilium helm chart to skip creating the cilium-azure
secret and the environment variable bindings to it in cilium-operator's
pod spec when azure.clientID helm value is not set.

Signed-off-by: Anton Tykhyy <atykhyy@gmail.com>
@atykhyy atykhyy requested review from a team as code owners June 29, 2025 21:34
@atykhyy atykhyy requested review from youngnick and squeed June 29, 2025 21:34
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jun 29, 2025
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Jun 29, 2025
@squeed
Copy link
Contributor

squeed commented Jun 30, 2025

/test

@squeed squeed added the release-note/minor This PR changes functionality that users may find relevant to operating Cilium. label Jun 30, 2025
@squeed
Copy link
Contributor

squeed commented Jun 30, 2025

Looks good.

Should this be backported? Would you call this a bug?

@squeed squeed added area/azure Impacts Azure based IPAM. and removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Jun 30, 2025
@atykhyy
Copy link
Contributor Author

atykhyy commented Jun 30, 2025

I'd say it's a minor chart bug, but given that nobody has reported it before, the setup where it occurs (Cilium with Azure IPAM authenticated using Azure workload identity) is probably not widespread, so may not be worth backporting. The documentation for setting up Cilium with Azure IPAM has not only not been updated to take advantage of Azure workload identity - it was removed in v1.16, although Cilium still works in this mode. One reason might be that Azure AKS is offering Cilium as a pre-deployed CNI option. I don't want to use it because it does not support host firewall.

@joestringer
Copy link
Member

ci-eks hit known issue #40403

@joestringer joestringer merged commit 98707f3 into cilium:main Jul 16, 2025
77 of 78 checks passed
@joestringer joestringer added affects/v1.16 This issue affects v1.16 branch affects/v1.17 This issue affects v1.17 branch affects/v1.18 This issue affects v1.18 branch labels Jul 16, 2025
@joestringer
Copy link
Member

Thanks for the fix @atykhyy . I merged this, but did not nominate it for backport based on your comment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@squeed squeed squeed approved these changes

@youngnick youngnick youngnick approved these changes

Assignees
No one assigned
Labels
affects/v1.16 This issue affects v1.16 branch affects/v1.17 This issue affects v1.17 branch affects/v1.18 This issue affects v1.18 branch area/azure Impacts Azure based IPAM. kind/community-contribution This was a contribution made by a community member. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@atykhyy @squeed @joestringer @youngnick