
[RFC-0007] Enable Azure OIDC for Azure DevOps Repository #747

Merged: 2 commits merged into fluxcd:main from the iac-azure-oidc branch on Sep 26, 2024

Conversation

dipti-pai (Member):

  • Controller changes to set the provider options in git authOptions to fetch provider credentials while building git config if the `.spec.provider` field is set to `azure`.

  • API docs for setting up Azure workload identity in IAC

  • Unit tests for testing provider settings in git config
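The credential-selection logic the description sketches (secret-based auth when no provider is set, a provider-fetched short-lived token when `.spec.provider` is `azure`), as an added illustration in Go. This is example code written for this page, not the controller's own implementation or API: `GitSpec`, `AuthOptions`, `TokenSource` and `BuildAuthOptions` are hypothetical names, the `StaticTokenSource` stands in for the real Azure workload identity exchange, and the policies (refuse non-https URLs, reject tokens about to expire, ignore the secret when the provider is set, redact secrets when logging) are this example's design choices. The repository URL is the one from the review below; the token value is constructed.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"time"
)

// GitSpec holds the fields this example needs from a GitRepository-like spec.
// Hypothetical type for illustration, not the controller's API struct.
type GitSpec struct {
	URL       string
	Provider  string // "" means secret-based auth, "azure" means workload identity
	SecretRef string // name of the Secret holding username/password, used when Provider == ""
}

// BasicAuthSecret is the username/password pair a SecretRef resolves to.
type BasicAuthSecret struct {
	Username string
	Password string
}

// Token is a short-lived bearer token obtained from the provider, with its expiry.
type Token struct {
	Value     string
	ExpiresAt time.Time
}

// TokenSource abstracts the provider exchange (for Azure, the workload identity
// federated-credential flow). Hypothetical interface; a real one calls the Azure SDK.
type TokenSource interface {
	Token() (Token, error)
}

// StaticTokenSource returns a fixed, constructed token so the example runs offline.
type StaticTokenSource struct{ Tok Token }

func (s StaticTokenSource) Token() (Token, error) { return s.Tok, nil }

// AuthOptions is what the git transport receives: basic auth or a bearer token, never both.
type AuthOptions struct {
	Username    string
	Password    string
	BearerToken string
}

var (
	ErrNoCredentials     = errors.New("no credentials: set .spec.provider or a secretRef")
	ErrInsecureTransport = errors.New("credentials require an https:// URL")
	ErrTokenExpired      = errors.New("provider token is expired or about to expire")
)

// minTokenLifetime rejects tokens that could expire in the middle of a clone or push.
const minTokenLifetime = 30 * time.Second

// BuildAuthOptions picks the credential path from the spec. With Provider == "azure"
// the secret is ignored and a token is fetched from ts; with no provider the secret
// is required (example policy, not necessarily the controller's).
func BuildAuthOptions(spec GitSpec, secret *BasicAuthSecret, ts TokenSource, now time.Time) (AuthOptions, error) {
	u, err := url.Parse(spec.URL)
	if err != nil {
		return AuthOptions{}, fmt.Errorf("parse url: %w", err)
	}
	// Basic auth and bearer tokens both travel in a plaintext header: refuse http://.
	if u.Scheme != "https" {
		return AuthOptions{}, ErrInsecureTransport
	}
	switch spec.Provider {
	case "azure":
		if ts == nil {
			return AuthOptions{}, errors.New("provider azure set but no token source configured")
		}
		tok, err := ts.Token()
		if err != nil {
			return AuthOptions{}, fmt.Errorf("fetch azure token: %w", err)
		}
		if !tok.ExpiresAt.After(now.Add(minTokenLifetime)) {
			return AuthOptions{}, ErrTokenExpired
		}
		return AuthOptions{BearerToken: tok.Value}, nil
	case "":
		if spec.SecretRef == "" || secret == nil {
			return AuthOptions{}, ErrNoCredentials
		}
		return AuthOptions{Username: secret.Username, Password: secret.Password}, nil
	default:
		return AuthOptions{}, fmt.Errorf("unsupported provider %q", spec.Provider)
	}
}

// AuthorizationHeader renders the header value the git HTTP transport would send.
func AuthorizationHeader(o AuthOptions) string {
	if o.BearerToken != "" {
		return "Bearer " + o.BearerToken
	}
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(o.Username+":"+o.Password))
}

// String redacts secrets so AuthOptions can be logged without leaking a token or PAT.
func (o AuthOptions) String() string {
	if o.BearerToken != "" {
		return "AuthOptions{bearer: <redacted>}"
	}
	if o.Password != "" {
		return fmt.Sprintf("AuthOptions{user: %q, password: <redacted>}", o.Username)
	}
	return "AuthOptions{}"
}

func main() {
	now := time.Now()
	spec := GitSpec{URL: "https://dev.azure.com/test-org/fluxProjinowombat/_git/fluxRepoinowombat", Provider: "azure"}
	ts := StaticTokenSource{Tok: Token{Value: "constructed-token", ExpiresAt: now.Add(time.Hour)}}
	opts, err := BuildAuthOptions(spec, nil, ts, now)
	fmt.Println(opts, err)
	// Same spec with no provider and no secret: nothing to present to the remote.
	spec.Provider = ""
	_, err = BuildAuthOptions(spec, nil, nil, now)
	fmt.Println(err)
}
```

The two error paths map onto the failures reported in the review below: with no provider and no secret nothing is presented to the remote, and with a provider whose identity lacks repository access the token is valid but the remote treats the repository as not found.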

@stefanprodan changed the title from "Enable Azure OIDC for Azure DevOps Repository in IAC" to "[RFC-0007] Enable Azure OIDC for Azure DevOps Repository" on Sep 12, 2024
@dipti-pai force-pushed the iac-azure-oidc branch 2 times, most recently from 66fefa7 to 704c7e2 on September 13, 2024 23:19
@stefanprodan stefanprodan added the area/git Git related issues and pull requests label Sep 16, 2024
go.mod: 2 review comments (outdated, resolved)

@darkowlzz (Contributor) left a comment:


Overall, the implementation looks good to me.
Left a few suggestions for the docs.

I tested this in an AKS cluster, similar to the manual testing of source-controller against Azure DevOps and got similar results (the results below are not in order):

Without setting the provider on the associated GitRepo, IUA fails with the following status:

status:
  conditions:
  - lastTransitionTime: "2024-09-16T13:20:54Z"
    message: reconciliation in progress
    observedGeneration: 1
    reason: ProgressingWithRetry
    status: "True"
    type: Reconciling
  - lastTransitionTime: "2024-09-16T13:20:54Z"
    message: 'failed to checkout source: unable to list remote for ''https://dev.azure.com/test-org/fluxProjinowombat/_git/fluxRepoinowombat'':
      authentication required'
    observedGeneration: 1
    reason: GitOperationFailed
    status: "False"
    type: Ready
  lastAutomationRunTime: "2024-09-16T13:20:59Z"
  lastPushCommit: 8667f22eb70c7d888b2b4f75008fe77f758dab64
  lastPushTime: "2024-09-16T13:20:53Z"
  observedGeneration: 1
  observedPolicies:
    podinfo:
      name: ghcr.io/stefanprodan/podinfo
      tag: 4.0.6
  observedSourceRevision: main@sha1:8667f22eb70c7d888b2b4f75008fe77f758dab64

With the provider set to azure but the identity's access to the repo removed, the result is the following failure:

status:
  conditions:
  - lastTransitionTime: "2024-09-16T13:23:32Z"
    message: reconciliation in progress
    observedGeneration: 1
    reason: ProgressingWithRetry
    status: "True"
    type: Reconciling
  - lastTransitionTime: "2024-09-16T13:23:32Z"
    message: 'failed to checkout source: unable to clone: repository not found: git
      repository: ''https://dev.azure.com/test-org/fluxProjinowombat/_git/fluxRepoinowombat'''
    observedGeneration: 1
    reason: GitOperationFailed
    status: "False"
    type: Ready
  lastAutomationRunTime: "2024-09-16T13:23:35Z"
  lastPushCommit: 8667f22eb70c7d888b2b4f75008fe77f758dab64
  lastPushTime: "2024-09-16T13:20:53Z"
  observedGeneration: 1
  observedPolicies:
    podinfo:
      name: ghcr.io/stefanprodan/podinfo
      tag: 4.0.6
  observedSourceRevision: main@sha1:8667f22eb70c7d888b2b4f75008fe77f758dab64

With proper permission, it succeeds:

status:
  conditions:
  - lastTransitionTime: "2024-09-16T13:18:14Z"
    message: repository up-to-date
    observedGeneration: 1
    reason: Succeeded
    status: "True"
    type: Ready
  lastAutomationRunTime: "2024-09-16T13:19:06Z"
  lastPushCommit: a44ad49f985328762dd518496ba9670bd3143fd0
  lastPushTime: "2024-09-16T13:19:11Z"
  observedGeneration: 1
  observedPolicies:
    podinfo:
      name: ghcr.io/stefanprodan/podinfo
      tag: 5.1.4
  observedSourceRevision: main@sha1:a44ad49f985328762dd518496ba9670bd3143fd0

Everything looks as expected.

A screenshot of the commit list to show that it actually was able to push, regardless of what the status shows.

[screenshot: commit list of the repository]

docs/spec/v1beta2/imageupdateautomations.md: 2 review comments (one outdated and resolved, one resolved)
internal/source/git.go: review comment (outdated, resolved)
@darkowlzz force-pushed the iac-azure-oidc branch 3 times, most recently from 0e7b624 to 738de6f on September 25, 2024 22:04
dipti-pai and others added 2 commits on September 25, 2024 22:07. Commit message:
- Controller changes to set the provider options in git authOptions to fetch provider credentials while building git config if `.spec.provider` field is set to `azure`.

- API docs for setting up Azure workload identity in IAC

- Unit tests for testing provider settings in git config

Signed-off-by: Dipti Pai <diptipai89@outlook.com>
Signed-off-by: Sunny <github@darkowlzz.space>
@stefanprodan (Member) left a comment:


LGTM

Thanks @dipti-pai 🏅

@stefanprodan stefanprodan merged commit 5755a87 into fluxcd:main Sep 26, 2024
7 checks passed
4 participants