[release-1.35] test: fix workload identity e2e test #3155

Merged
andyzhangx merged 7 commits into kubernetes-sigs:release-1.35 from andyzhangx:cherry-pick-wi-test-release-1.35 on May 17, 2026

Conversation

@andyzhangx
Member

Cherry-pick of #3154 to release-1.35

Changes

  1. WI mount test: Switch StorageClass from Standard_LRS to Premium_LRS
  2. ClaimSize fix: 10Gi → 100Gi (Premium_LRS minimum share is 100GiB)
  3. AAD OIDC warm-up: Background goroutine polls AAD token exchange + JWKS key verification before running WI test
  4. Cleanup: Remove unused SetAutomountServiceAccountToken function (CSI tokenRequests handled by kubelet, no pod SA token mount needed)

Why cherry-pick

The WI e2e test on release-1.35 has the same AADSTS7000272 / CAPZ JWKS key mismatch issues as master. This fix is needed to make the WI test reliable on release-1.35 CI.

/cc @andyzhangx

Premium_LRS has a minimum share size of 100GiB. The test was requesting
10Gi which Azure auto-expanded to 100Gi, causing the pvCapacity
assertion to fail.
…ad identity e2e test

Port critical workload identity infrastructure from blob-csi-driver PR kubernetes-sigs#2445:

1. Background AAD token exchange warm-up (waitForAADTokenExchange) - polls AAD
   for up to 45min until token exchange succeeds, running in parallel with other
   tests to avoid blocking the suite.

2. OIDC JWKS readiness check (waitForOIDCJWKS) - ensures the JWKS endpoint
   returns valid signing keys before proceeding.

3. CAPZ JWKS key mismatch detection and repair (verifyJWKSKeyMatch) - detects
   when blob-hosted JWKS has different signing keys than kube-apiserver and
   re-uploads the correct JWKS. Without this, AAD permanently rejects token
   exchanges with AADSTS7000272.

4. WI test now waits on wiReady channel for warm-up completion before running,
   preventing the 30min pod Pending timeout.

5. setupWorkloadIdentity now returns (clientID, error) to pass the client ID
   to the background warm-up goroutine.

Also adds github.com/Azure/azure-sdk-for-go/sdk/storage/azblob dependency
for blob upload operations.
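The JWKS key-mismatch detection described in step 3 of the commit message above, as an added Go example that is not the driver's own verifyJWKSKeyMatch code: given the kube-apiserver's JWKS and the blob-hosted copy (both assumed already fetched as raw JSON), it reports which apiserver key IDs the hosted copy lacks, and treats an empty key set as the "not ready" state a readiness check would keep polling on. The jwksDoc type and the function names are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// jwksDoc is the subset of an RFC 7517 JSON Web Key Set needed here: key IDs only.
type jwksDoc struct {
	Keys []struct {
		Kid string `json:"kid"`
	} `json:"keys"`
}

// keyIDs parses a JWKS document into the set of its key IDs. An empty key set is an
// error: that is the "not ready yet" state a JWKS readiness check keeps polling on.
func keyIDs(doc []byte) (map[string]bool, error) {
	var set jwksDoc
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, fmt.Errorf("parse jwks: %w", err)
	}
	if len(set.Keys) == 0 {
		return nil, fmt.Errorf("jwks contains no signing keys")
	}
	ids := make(map[string]bool, len(set.Keys))
	for _, k := range set.Keys {
		ids[k.Kid] = true
	}
	return ids, nil
}

// missingKeyIDs returns the kube-apiserver key IDs absent from the JWKS copy hosted at
// the OIDC issuer URL (the one AAD fetches); a non-empty result means the copy is stale.
func missingKeyIDs(apiserverDoc, hostedDoc []byte) ([]string, error) {
	want, err := keyIDs(apiserverDoc)
	if err != nil {
		return nil, fmt.Errorf("apiserver jwks: %w", err)
	}
	have, err := keyIDs(hostedDoc)
	if err != nil {
		return nil, fmt.Errorf("hosted jwks: %w", err)
	}
	missing := []string{}
	for id := range want {
		if !have[id] {
			missing = append(missing, id)
		}
	}
	return missing, nil
}
```

A stale hosted copy is exactly the case in which AAD, validating a projected token's kid against the issuer's JWKS, keeps rejecting the exchange until the correct JWKS is re-uploaded.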
…t false for WI

CSI tokenRequests for workload identity are handled by kubelet based on
the pod's service account; no in-container token mount is needed.
@k8s-ci-robot
Contributor

@andyzhangx: GitHub didn't allow me to request PR reviews from the following users: andyzhangx.

Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andyzhangx

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels May 16, 2026
@andyzhangx andyzhangx changed the title test: cherry-pick #3154 - add AAD OIDC warm-up for workload identity e2e test [release-1.35] test: fix workload identity e2e test May 16, 2026
@andyzhangx
Member Author

/retest

@k8s-ci-robot
Contributor

@andyzhangx: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name: pull-azurefile-csi-driver-e2e-capz-windows-2019-hostprocess
Commit: 9ed9890
Required: true
Rerun command: /test pull-azurefile-csi-driver-e2e-capz-windows-2019-hostprocess

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@andyzhangx andyzhangx merged commit 937f865 into kubernetes-sigs:release-1.35 May 17, 2026
20 of 22 checks passed