Skip to content

Azure Workload Identity E2E #1385

Azure Workload Identity E2E

Azure Workload Identity E2E #1385

Workflow file for this run

name: Azure Workload Identity E2E
on:
workflow_dispatch:
schedule:
- cron: '0 0 * * *' # nightly
push:
branches:
- main
- release-**
permissions:
id-token: write
contents: read
jobs:
azwi_e2e:
env:
AZURE_CLIENT_ID: 0dcfc182-7b36-4e23-b53f-a27c929a9e4e
AZURE_TENANT_ID: bc2d60ab-9b1d-45bd-8a3b-3a18ae865e3a
SERVICE_ACCOUNT_ISSUER: "https://azwi.blob.core.windows.net/oidc-test/"
strategy:
fail-fast: false
matrix:
# TODO(chewong): add windows and macos test env
env: [ubuntu-20.04]
runs-on: ${{ matrix.env }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with:
go-version: "1.20"
- name: Azure CLI
run: |
echo "Azure CLI Current installed version"
az version
- name: Set variables
id: variables
run: |
echo "AAD_APPLICATION_NAME=azwi-e2e-app-$(openssl rand -hex 2)" >> "${GITHUB_ENV}"
SERVICE_ACCOUNT_NAMESPACE="azwi-$(openssl rand -hex 2)"
echo "SERVICE_ACCOUNT_NAMESPACE=${SERVICE_ACCOUNT_NAMESPACE}" >> "${GITHUB_ENV}"
echo "SERVICE_ACCOUNT_NAME=${SERVICE_ACCOUNT_NAMESPACE}-sa" >> "${GITHUB_ENV}"
- name: Create kind cluster
run: |
openssl genrsa -out sa.key 2048
openssl rsa -in sa.key -pubout -out sa.pub
make kind-create
- name: Build azwi
run: make bin/azwi
- uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.6
with:
client-id: ${{ env.AZURE_CLIENT_ID }}
tenant-id: ${{ env.AZURE_TENANT_ID }}
allow-no-subscriptions: true
- name: E2E test
run: |
kubectl create namespace "${SERVICE_ACCOUNT_NAMESPACE}"
./bin/azwi serviceaccount create \
--aad-application-name "${AAD_APPLICATION_NAME}" \
--service-account-namespace "${SERVICE_ACCOUNT_NAMESPACE}" \
--service-account-name "${SERVICE_ACCOUNT_NAME}" \
--service-account-issuer-url "${SERVICE_ACCOUNT_ISSUER}" \
--service-account-token-expiration 10h \
--skip-phases role-assignment
# get the service account object
kubectl describe serviceaccount "${SERVICE_ACCOUNT_NAME}" --namespace "${SERVICE_ACCOUNT_NAMESPACE}" > sa.yaml
APPLICATION_CLIENT_ID="$(az ad sp list --display-name "${AAD_APPLICATION_NAME}" --query '[0].appId' -otsv)"
cat sa.yaml | grep "azure.workload.identity/client-id: ${APPLICATION_CLIENT_ID}"
cat sa.yaml | grep "azure.workload.identity/service-account-token-expiration: 36000"
cat sa.yaml | grep "azure.workload.identity/tenant-id: ${AZURE_TENANT_ID}"
# get the federated identity
APPLICATION_OBJECT_ID="$(az ad app show --id "${APPLICATION_CLIENT_ID}" --query id -otsv)"
az rest --method GET --uri "https://graph.microsoft.com/beta/applications/${APPLICATION_OBJECT_ID}/federatedIdentityCredentials"
- name: Cleanup
if: ${{ always() }}
run: |
set +e
# this should delete the underlying federated identity
./bin/azwi serviceaccount delete phase app \
--aad-application-name "${AAD_APPLICATION_NAME}"
./bin/azwi serviceaccount delete phase sa \
--service-account-namespace "${SERVICE_ACCOUNT_NAMESPACE}" \
--service-account-name "${SERVICE_ACCOUNT_NAME}"
azwi_build:
strategy:
fail-fast: false
matrix:
# TODO(aramase): add windows test env
env: [ubuntu-20.04, macos-11]
runs-on: ${{ matrix.env }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with:
go-version: "1.20"
- name: Build azwi
run: |
make bin/azwi
- name: Validate azwi commands
run: |
./bin/azwi version
./bin/azwi -h
./bin/azwi serviceaccount -h
./bin/azwi serviceaccount create -h
./bin/azwi serviceaccount delete -h
./bin/azwi jwks -h