[release-1.23] fix: propagate SERVICE_ACCOUNT_ISSUER to workload cluster template by k8s-infra-cherrypick-robot · Pull Request #6308 · kubernetes-sigs/cluster-api-provider-azure

k8s-infra-cherrypick-robot · 2026-05-13T13:53:16Z

This is an automated cherry-pick of #6306

/assign mboersma

none

kind-with-registry.sh creates an OIDC storage account and sets SERVICE_ACCOUNT_ISSUER, but this value was lost when create-workload-cluster runs envsubst in a separate shell context. The workload cluster template has: service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} Without the propagation, the fallback value is used, which is unreachable by AAD for OIDC discovery, breaking Workload Identity on CAPZ workload clusters. Fix: persist SERVICE_ACCOUNT_ISSUER to a .env file in kind-with-registry.sh and source it in the create-workload-cluster Makefile target before running envsubst.

mboersma

/lgtm
/approve

k8s-ci-robot · 2026-05-13T13:54:06Z

LGTM label has been added.

Details

Git tree hash: e8b20bd427a5f4846537c3f4690edb9105f7bb53

k8s-ci-robot · 2026-05-13T13:54:19Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mboersma

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [mboersma]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

codecov · 2026-05-13T14:02:43Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 43.74%. Comparing base (fb3a7a8) to head (c9a9cf9).
⚠️ Report is 3 commits behind head on release-1.23.

Additional details and impacted files

@@              Coverage Diff              @@
##           release-1.23    #6308   +/-   ##
=============================================
  Coverage         43.74%   43.74%           
=============================================
  Files               289      289           
  Lines             25475    25475           
=============================================
+ Hits              11143    11145    +2     
+ Misses            13529    13527    -2     
  Partials            803      803

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

mboersma · 2026-05-13T15:42:42Z

/override pull-cluster-api-provider-azure-e2e-workload-upgrade-v1beta1

Unrelated flake.

k8s-ci-robot · 2026-05-13T15:42:47Z

@mboersma: Overrode contexts on behalf of mboersma: pull-cluster-api-provider-azure-e2e-workload-upgrade-v1beta1

Details

In response to this:

/override pull-cluster-api-provider-azure-e2e-workload-upgrade-v1beta1

Unrelated flake.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

github-project-automation Bot added this to CAPZ Planning May 13, 2026

k8s-ci-robot assigned mboersma May 13, 2026

k8s-ci-robot added the release-note-none Denotes a PR that doesn't merit a release note. label May 13, 2026

github-project-automation Bot moved this to Todo in CAPZ Planning May 13, 2026

k8s-infra-cherrypick-robot mentioned this pull request May 13, 2026

fix: propagate SERVICE_ACCOUNT_ISSUER to workload cluster template #6306

Merged

k8s-ci-robot requested review from mboersma and nojnhuh May 13, 2026 13:53

k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels May 13, 2026

mboersma approved these changes May 13, 2026

View reviewed changes

k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 13, 2026

k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 13, 2026

k8s-ci-robot merged commit 20b51a9 into kubernetes-sigs:release-1.23 May 13, 2026
21 checks passed

github-project-automation Bot moved this from Todo to Done in CAPZ Planning May 13, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[release-1.23] fix: propagate SERVICE_ACCOUNT_ISSUER to workload cluster template#6308

[release-1.23] fix: propagate SERVICE_ACCOUNT_ISSUER to workload cluster template#6308
k8s-ci-robot merged 1 commit into
kubernetes-sigs:release-1.23from
k8s-infra-cherrypick-robot:cherry-pick-6306-to-release-1.23

k8s-infra-cherrypick-robot commented May 13, 2026

Uh oh!

mboersma left a comment

Uh oh!

k8s-ci-robot commented May 13, 2026

Uh oh!

k8s-ci-robot commented May 13, 2026

Uh oh!

codecov Bot commented May 13, 2026 •

edited

Loading

Uh oh!

mboersma commented May 13, 2026

Uh oh!

k8s-ci-robot commented May 13, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

k8s-infra-cherrypick-robot commented May 13, 2026

Uh oh!

mboersma left a comment

Choose a reason for hiding this comment

Uh oh!

k8s-ci-robot commented May 13, 2026

Uh oh!

k8s-ci-robot commented May 13, 2026

Uh oh!

codecov Bot commented May 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

mboersma commented May 13, 2026

Uh oh!

k8s-ci-robot commented May 13, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

codecov Bot commented May 13, 2026 •

edited

Loading