BUG: using Azure Workload Identity #264

Closed
deggja opened this issue May 31, 2024 · 4 comments
Labels
bug Something isn't working

Comments


deggja commented May 31, 2024

What happened?

Installed the provider following the documentation here. Trying to add the providerConfig and this fails due to missing support for the identity type AzureWorkloadIdentityCredentials.

This results in the following error message:

The ProviderConfig "kubernetes-provider" is invalid: spec.identity.type: Unsupported value: "AzureWorkloadIdentityCredentials": supported values: "GoogleApplicationCredentials", "AzureServicePrincipalCredentials"

Editing the CRD and adding this gets you one step further, but it still fails with:

Warning  CannotConnectToProvider  48s (x7 over 109s)  managed/object.kubernetes.crossplane.io  cannot create new Kubernetes client: unknown identity type: AzureWorkloadIdentityCredentials

How can we reproduce it?

Install the provider with:

apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-kubernetes
spec:
  package: xpkg.upbound.io/crossplane-contrib/provider-kubernetes:v0.13.0

Follow the Azure Workload Identity example and configure the providerConfig as such:

apiVersion: kubernetes.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
  name: kubernetes-provider
spec:
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: cluster-config
      key: kubeconfig
  identity:
    type: AzureWorkloadIdentityCredentials
    source: Secret
    secretRef:
      name: azure-credentials
      namespace: crossplane-system
      key: credentials.json
---
apiVersion: v1
kind: Secret
metadata:
  name: azure-credentials
  namespace: crossplane-system
stringData:
  # serverId hardcoded to AKS ID, see https://azure.github.io/kubelogin/concepts/aks.html#azure-kubernetes-service-aad-server
  credentials.json: |
    {
      "tenantId": "<aad-tenant-id>",
      "serverId": "6dae42f8-4368-4678-94ff-3960e28e3630",
      "clientId": "<client-id>",
      "federatedTokenFile": "/var/run/secrets/azure/tokens/azure-identity-token",
      "authorityHost": "https://login.microsoftonline.com/"
    }

What environment did it happen in?

Crossplane version: 1.15.1

I also don't understand why we need to refer to a cluster-config secret in the credentials block, seeing as we are going to use workload identity? I might be misunderstanding something here.

Thank you.

@deggja deggja added the bug Something isn't working label May 31, 2024
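The first error in the report is the API server rejecting `spec.identity.type` against the enum in the installed ProviderConfig CRD; the second shows that patching that enum by hand does not help, because the provider pod from v0.13.0 still does not implement the type. A pre-flight check that reads the enum out of the CRD and compares it with the ProviderConfig you are about to apply catches the mismatch before either error. The script below is an added example, not code from provider-kubernetes or from anyone in this thread; the CRD fragment in it is constructed to mirror the supported-values list in the error message, and the schema path it walks is the standard apiextensions.k8s.io/v1 layout. On a real cluster the CRD JSON would come from `kubectl get crd providerconfigs.kubernetes.crossplane.io -o json`.

```python
import json
from typing import Any

# CONSTRUCTED CRD fragment: mirrors the "supported values" list from the
# error message in the report (provider v0.13.0), trimmed to the fields the
# check needs. On a live cluster fetch the real object with:
#   kubectl get crd providerconfigs.kubernetes.crossplane.io -o json
CRD_V0_13_JSON = json.dumps({
    "apiVersion": "apiextensions.k8s.io/v1",
    "kind": "CustomResourceDefinition",
    "metadata": {"name": "providerconfigs.kubernetes.crossplane.io"},
    "spec": {
        "group": "kubernetes.crossplane.io",
        "versions": [{
            "name": "v1alpha1",
            "schema": {"openAPIV3Schema": {"properties": {"spec": {"properties": {
                "identity": {"properties": {"type": {
                    "type": "string",
                    "enum": [
                        "GoogleApplicationCredentials",
                        "AzureServicePrincipalCredentials",
                    ],
                }}},
            }}}}},
        }],
    },
})

# The ProviderConfig from the report, reduced to the fields the check reads.
PROVIDER_CONFIG: dict[str, Any] = {
    "apiVersion": "kubernetes.crossplane.io/v1alpha1",
    "kind": "ProviderConfig",
    "metadata": {"name": "kubernetes-provider"},
    "spec": {
        "credentials": {"source": "Secret"},
        "identity": {"type": "AzureWorkloadIdentityCredentials", "source": "Secret"},
    },
}


def supported_identity_types(crd: dict[str, Any], version: str) -> list[str]:
    """Return the enum the API server validates spec.identity.type against."""
    for v in crd["spec"]["versions"]:
        if v["name"] != version:
            continue
        spec_props = v["schema"]["openAPIV3Schema"]["properties"]["spec"]["properties"]
        type_schema = spec_props["identity"]["properties"]["type"]
        return list(type_schema.get("enum", []))
    raise KeyError(f"CRD serves no version named {version!r}")


def check_identity_type(crd_json: str, pc: dict[str, Any]) -> tuple[bool, str]:
    """Tell whether `pc` would pass the installed CRD's enum check, and why."""
    crd = json.loads(crd_json)
    group, _, version = pc["apiVersion"].partition("/")
    if group != crd["spec"]["group"]:
        return False, f"{pc['apiVersion']} is not served by {crd['metadata']['name']}"
    identity = pc.get("spec", {}).get("identity")
    if identity is None:
        return True, "no spec.identity block: only spec.credentials (the kubeconfig) is used"
    allowed = supported_identity_types(crd, version)
    wanted = identity.get("type")
    if wanted in allowed:
        return True, f"{wanted} is accepted by the installed CRD"
    # Editing the enum by hand only silences the API server; the provider pod
    # must also implement the type (the report's second error), so the fix is
    # a provider package release that ships both the CRD and the code.
    return False, (f"{wanted} is not in the installed CRD enum {allowed}; "
                   "upgrade the provider package instead of editing the CRD")


if __name__ == "__main__":
    ok, reason = check_identity_type(CRD_V0_13_JSON, PROVIDER_CONFIG)
    print("OK" if ok else "FAIL", "-", reason)
```

Run against the constructed v0.13.0 CRD, the report's ProviderConfig fails with the enum listed, which is the same information the API server's "Unsupported value" message carries, but available before anything is applied; once the provider package is upgraded and the CRD refetched, the same check passes.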
jbw976 (Member) commented Jun 4, 2024

I believe this could be happening because this new functionality to support Azure Workload Identity was just added recently in #210, but there has not been a release since then.

I know there should be a release coming pretty soon, so keep an eye on https://github.com/crossplane-contrib/provider-kubernetes/releases for the new release where you can use this functionality. Thanks for your patience :)

deggja (Author) commented Jun 4, 2024

I see @jbw976.
That makes sense. I did not realize there had not been a release after the code was merged.

lsviben (Collaborator) commented Jun 4, 2024

Just released v0.14.0! 🎉

deggja (Author) commented Jun 4, 2024

Nice. Thank you for the work! Closing this issue.

@deggja deggja closed this as completed Jun 4, 2024