Conversation

dipti-pai (Member)

  • Controller changes to set the provider options in git authOptions to fetch provider credentials while building git config if .spec.provider field is set to azure.

  • API docs for setting up Azure workload identity in IAC

  • Unit tests for testing provider settings in git config
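The manifests below are an added example, not part of this PR or of the Flux project's docs, showing what the `.spec.provider: azure` wiring described above looks like end to end: a GitRepository that carries no `secretRef` and instead selects the Azure provider, an ImageUpdateAutomation that pushes through it, and the workload identity wiring the controller pod needs. The repository URL is the one that appears in the reviewer's test output further down this page; `<CLIENT_ID>`, the `flux-system` namespace and the `./clusters/my-cluster` path are placeholders.

```yaml
# Added example (not from the PR or the Flux docs). Placeholders: <CLIENT_ID>,
# the flux-system namespace, the update path. Repo URL taken from the
# reviewer's test output on this page.
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 1m
  url: https://dev.azure.com/test-org/fluxProjinowombat/_git/fluxRepoinowombat
  ref:
    branch: main
  # No secretRef: with provider set to azure the controller obtains a token
  # for the pod's workload identity and uses it as the git HTTP credential.
  provider: azure
---
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageUpdateAutomation
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 1m
  sourceRef:
    kind: GitRepository
    name: flux-system
  git:
    checkout:
      ref:
        branch: main
    commit:
      author:
        email: fluxcdbot@users.noreply.github.com
        name: fluxcdbot
      messageTemplate: '{{range .Updated.Images}}{{println .}}{{end}}'
    push:
      branch: main
  update:
    path: ./clusters/my-cluster
    strategy: Setters
---
# Workload identity wiring for the controller itself (apply as a patch in the
# flux-system kustomization). The service account names the user-assigned
# managed identity by client ID ...
apiVersion: v1
kind: ServiceAccount
metadata:
  name: image-automation-controller
  namespace: flux-system
  annotations:
    azure.workload.identity/client-id: <CLIENT_ID>
---
# ... and the pod must opt in with this label, otherwise the workload identity
# webhook never mounts the projected token the provider needs.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: image-automation-controller
  namespace: flux-system
spec:
  template:
    metadata:
      labels:
        azure.workload.identity/use: "true"
```

The two failure modes shown in the review below are the ones to check against when this does not work: leaving `provider` unset falls back to the `secretRef` path and surfaces as `authentication required`, while a correctly selected provider whose identity lacks access to the repository surfaces as `repository not found`, because Azure DevOps hides repositories the caller is not authorised to see rather than returning a permission error. Grant the managed identity only the permissions on that one repository that the push needs; the token it obtains is the controller's only credential to Azure DevOps.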

@stefanprodan stefanprodan changed the title Enable Azure OIDC for Azure DevOps Repository in IAC [RFC-0007] Enable Azure OIDC for Azure DevOps Repository Sep 12, 2024
@dipti-pai dipti-pai force-pushed the iac-azure-oidc branch 2 times, most recently from 66fefa7 to 704c7e2 on September 13, 2024 23:19
@stefanprodan stefanprodan added the area/git Git related issues and pull requests label Sep 16, 2024
@darkowlzz darkowlzz (Contributor) left a comment

Overall, the implementation looks good to me.
Left a few suggestions for the docs.

I tested this in an AKS cluster, similar to the manual testing of source-controller against Azure DevOps and got similar results (the results below are not in order):

Without setting the provider on the associated GitRepo, IUA fails with the following status:

```yaml
status:
  conditions:
  - lastTransitionTime: "2024-09-16T13:20:54Z"
    message: reconciliation in progress
    observedGeneration: 1
    reason: ProgressingWithRetry
    status: "True"
    type: Reconciling
  - lastTransitionTime: "2024-09-16T13:20:54Z"
    message: 'failed to checkout source: unable to list remote for ''https://dev.azure.com/test-org/fluxProjinowombat/_git/fluxRepoinowombat'':
      authentication required'
    observedGeneration: 1
    reason: GitOperationFailed
    status: "False"
    type: Ready
  lastAutomationRunTime: "2024-09-16T13:20:59Z"
  lastPushCommit: 8667f22eb70c7d888b2b4f75008fe77f758dab64
  lastPushTime: "2024-09-16T13:20:53Z"
  observedGeneration: 1
  observedPolicies:
    podinfo:
      name: ghcr.io/stefanprodan/podinfo
      tag: 4.0.6
  observedSourceRevision: main@sha1:8667f22eb70c7d888b2b4f75008fe77f758dab64
```

With the provider set to azure but the identity's access to the repo removed, it results in the following failure:

```yaml
status:
  conditions:
  - lastTransitionTime: "2024-09-16T13:23:32Z"
    message: reconciliation in progress
    observedGeneration: 1
    reason: ProgressingWithRetry
    status: "True"
    type: Reconciling
  - lastTransitionTime: "2024-09-16T13:23:32Z"
    message: 'failed to checkout source: unable to clone: repository not found: git
      repository: ''https://dev.azure.com/test-org/fluxProjinowombat/_git/fluxRepoinowombat'''
    observedGeneration: 1
    reason: GitOperationFailed
    status: "False"
    type: Ready
  lastAutomationRunTime: "2024-09-16T13:23:35Z"
  lastPushCommit: 8667f22eb70c7d888b2b4f75008fe77f758dab64
  lastPushTime: "2024-09-16T13:20:53Z"
  observedGeneration: 1
  observedPolicies:
    podinfo:
      name: ghcr.io/stefanprodan/podinfo
      tag: 4.0.6
  observedSourceRevision: main@sha1:8667f22eb70c7d888b2b4f75008fe77f758dab64
```

With proper permissions, it succeeds:

```yaml
status:
  conditions:
  - lastTransitionTime: "2024-09-16T13:18:14Z"
    message: repository up-to-date
    observedGeneration: 1
    reason: Succeeded
    status: "True"
    type: Ready
  lastAutomationRunTime: "2024-09-16T13:19:06Z"
  lastPushCommit: a44ad49f985328762dd518496ba9670bd3143fd0
  lastPushTime: "2024-09-16T13:19:11Z"
  observedGeneration: 1
  observedPolicies:
    podinfo:
      name: ghcr.io/stefanprodan/podinfo
      tag: 5.1.4
  observedSourceRevision: main@sha1:a44ad49f985328762dd518496ba9670bd3143fd0
```

Everything looks as expected.

A screenshot of the commit list to show that it actually was able to push, regardless of what the status shows:

[screenshot: Azure DevOps commit list]

@darkowlzz darkowlzz force-pushed the iac-azure-oidc branch 3 times, most recently from 0e7b624 to 738de6f on September 25, 2024 22:04
dipti-pai and others added 2 commits September 25, 2024 22:07
- Controller changes to set the provider options in git authOptions to fetch provider credentials while building git config if `.spec.provider` field is set to `azure`.

- API docs for setting up Azure workload identity in IAC

- Unit tests for testing provider settings in git config

Signed-off-by: Dipti Pai <diptipai89@outlook.com>
Signed-off-by: Sunny <github@darkowlzz.space>
@stefanprodan stefanprodan (Member) left a comment

LGTM

Thanks @dipti-pai 🏅

@stefanprodan stefanprodan merged commit 5755a87 into fluxcd:main Sep 26, 2024
7 checks passed
Labels: area/git (Git related issues and pull requests)

4 participants