fix: propagate SERVICE_ACCOUNT_ISSUER to workload cluster template #6306
kind-with-registry.sh creates an OIDC storage account and sets
SERVICE_ACCOUNT_ISSUER, but this value was lost when
create-workload-cluster runs envsubst in a separate shell context.
The workload cluster template has:
service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local}
Without the propagation, the fallback value is used, which is
unreachable by AAD for OIDC discovery, breaking Workload Identity
on CAPZ workload clusters.
Fix: persist SERVICE_ACCOUNT_ISSUER to a .env file in
kind-with-registry.sh and source it in the create-workload-cluster
Makefile target before running envsubst.
/assign @mboersma
Codecov Report: All modified and coverable lines are covered by tests.

Coverage Diff (main vs. #6306):
Coverage  43.84%  43.84%
Files     289     289
Lines     25346   25346
Hits      11114   11114
Misses    13458   13458
Partials  774     774

View full report in Codecov by Sentry.
LGTM label has been added. Git tree hash: 909e491eabc3f357b8ca857ead6da1547859086e
/cherry-pick release-1.24
@mboersma: once the present PR merges, I will cherry-pick it on top of
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: mboersma
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/cherry-pick release-1.23
@mboersma: once the present PR merges, I will cherry-pick it on top of
In response to this:
@mboersma: new pull request created: #6307
In response to this:
@mboersma: new pull request created: #6308
In response to this:
What this PR does
kind-with-registry.sh creates an OIDC storage account and exports SERVICE_ACCOUNT_ISSUER, but this value is lost when create-workload-cluster runs envsubst in a separate Make recipe (each recipe line runs in its own shell). The workload cluster template (#6288) has:
Without propagation, the fallback https://kubernetes.default.svc.cluster.local is used — which is not publicly accessible, causing AAD Workload Identity token validation to fail with AADSTS501661.
Changes
- scripts/kind-with-registry.sh: Persist SERVICE_ACCOUNT_ISSUER to ${REPO_ROOT}/.service-account-issuer.env after OIDC setup
- Makefile: Source .service-account-issuer.env in create-workload-cluster target before running envsubst
- .gitignore: Add .service-account-issuer.env (contains environment-specific values)
Related
Release note:
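The mechanism behind both the commit message and the "What this PR does" description, as an added stand-alone example (not code from the CAPZ repository, its Makefile or kind-with-registry.sh): an `export` in one Make recipe line runs in its own shell and is gone by the time the next line runs envsubst, so the template silently renders the unreachable fallback issuer; writing the value to an env file and sourcing that file at the start of the rendering step makes it survive. The env file path, the issuer URL and the function names are constructed for illustration, and the template's `${VAR:-default}` fallback is emulated with the shell's own parameter expansion instead of invoking envsubst, so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example (not CAPZ project code). Emulates Make's "one shell per recipe
# line" behaviour with subshells and shows the env-file fix. All paths and
# URLs below are constructed values, not the project's own.
set -eu

# Template fallback; AAD cannot reach it for OIDC discovery, so a cluster
# rendered with this value has Workload Identity broken.
FALLBACK_ISSUER="https://kubernetes.default.svc.cluster.local"

# Make the demonstration deterministic regardless of the caller's environment.
unset SERVICE_ACCOUNT_ISSUER

# The original bug: "export" in recipe line 1 never reaches recipe line 2,
# because Make starts a fresh shell for each line.
render_without_persisting() {
  local issuer="$1"
  ( export SERVICE_ACCOUNT_ISSUER="$issuer" )                 # recipe line 1
  ( printf '%s\n' "${SERVICE_ACCOUNT_ISSUER:-$FALLBACK_ISSUER}" )  # recipe line 2
}

# kind-with-registry.sh side of the fix: persist the issuer to an env file.
# The value is single-quoted (embedded quotes escaped as '\'') so the file is
# safe to source no matter what characters the URL contains.
persist_issuer() {
  local env_file="$1" issuer="$2" quoted
  quoted=$(printf '%s' "$issuer" | sed "s/'/'\\\\''/g")
  printf "export SERVICE_ACCOUNT_ISSUER='%s'\n" "$quoted" > "$env_file"
}

# Makefile side of the fix: the rendering recipe line sources the env file
# first, then substitutes. A missing file falls back to the template default,
# mirroring the ${SERVICE_ACCOUNT_ISSUER:-...} expression in the template.
render_issuer() {
  local env_file="$1"
  (
    # Fresh recipe shell: nothing exported by an earlier line is visible here.
    unset SERVICE_ACCOUNT_ISSUER
    # shellcheck disable=SC1090
    [ -f "$env_file" ] && . "$env_file"
    printf '%s\n' "${SERVICE_ACCOUNT_ISSUER:-$FALLBACK_ISSUER}"
  )
}

# Usage: show the broken and fixed paths side by side with a constructed issuer.
demo() {
  local tmp env_file issuer="https://example-oidc.invalid/issuer"
  tmp=$(mktemp -d)
  env_file="$tmp/.service-account-issuer.env"   # constructed path
  echo "export in a separate recipe shell -> $(render_without_persisting "$issuer")"
  persist_issuer "$env_file" "$issuer"
  echo "sourced from env file               -> $(render_issuer "$env_file")"
  rm -rf "$tmp"
}

demo
```

The env file holds an environment-specific endpoint, which is why the PR also adds it to .gitignore; sourcing it only inside the target that needs it keeps the value out of every other recipe's environment.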