Azure / azure-workload-identity

Azure AD Workload Identity uses Kubernetes primitives to associate managed identities for Azure resources and identities in Azure Active Directory (AAD) with pods.
https://azure.github.io/azure-workload-identity
MIT License

AZURE_CLIENT_ID environment variable is not set, other variables (AZURE_TENANT_ID, AZURE_AUTHORITY_HOST, AZURE_FEDERATED_TOKEN_FILE) are set #1357

Closed dipti-pai closed 1 month ago

dipti-pai commented 1 month ago

Describe the bug

I am using workload identity on a deployment running on AKS cluster, setting the required annotations and labels on the svc and deployment. The webhook pods are running in the kube-system namespace and injecting all environment variables except AZURE_CLIENT_ID.

Steps To Reproduce

Logs

Describe output of svc:

```
dipti@dipti-Virtual-Machine-2:~$ kubectl describe svc  source-controller -n source-system
Name:              source-controller
Namespace:         source-system
Labels:            azure.workload.identity/use=true
                   control-plane=controller
Annotations:       azure.workload.identity/client-id: 7cf74c18-b3aa-4eb0-8f34-b42774390e6a
Selector:          app=source-controller
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                10.0.165.13
IPs:               10.0.165.13
Port:              http  80/TCP
TargetPort:        http/TCP
Endpoints:         10.244.1.28:9090
Session Affinity:  None
Events:            <none>
```

Describe output of pod:

```
dipti@dipti-Virtual-Machine-2:~$ kubectl describe pod  source-controller-c69445fb-xc95n -n source-system
Name:             source-controller-c69445fb-xc95n
Namespace:        source-system
Priority:         0
Service Account:  default
Node:             aks-nodepool1-90542042-vmss000000/10.224.0.5
Start Time:       Wed, 22 May 2024 15:20:10 -0700
Labels:           app=source-controller
                  azure.workload.identity/use=true
                  pod-template-hash=c69445fb
Annotations:      prometheus.io/port: 8080
                  prometheus.io/scrape: true
Status:           Running
IP:               10.244.1.28
IPs:
  IP:           10.244.1.28
Controlled By:  ReplicaSet/source-controller-c69445fb
Containers:
  manager:
    Container ID:    containerd://ae86627c9aebc6693387e63ea5b910558aac0c95288e7c38437100c670dcace0
    Image:           diptipaiacr.azurecr.io/source-controller:6.3
    Image ID:        diptipaiacr.azurecr.io/source-controller@sha256:8fe0a6da38c86d8ce11c8de952ca34d3da4742faf24c2399778399a1815d94dd
    Ports:           9090/TCP, 8080/TCP, 9440/TCP
    Host Ports:      0/TCP, 0/TCP, 0/TCP
    SeccompProfile:  RuntimeDefault
    Args:
      --watch-all-namespaces
      --log-level=info
      --log-encoding=json
      --enable-leader-election
      --storage-path=/data
      --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc.cluster.local.
    State:          Running
      Started:      Wed, 22 May 2024 15:20:10 -0700
    Ready:          True
    Restart Count:  0
    Limits:
      cpu:     1
      memory:  1Gi
    Requests:
      cpu:     50m
      memory:  64Mi
    Environment:
      RUNTIME_NAMESPACE:           source-system (v1:metadata.namespace)
      TUF_ROOT:                    /tmp/.sigstore
      XDG_CONFIG_HOME:             /tmp/dlv
      AZURE_CONFIG_DIR:            /tmp/.azure
      AZURE_CLIENT_ID:
      AZURE_TENANT_ID:             72f988bf-86f1-41af-91ab-2d7cd011db47
      AZURE_FEDERATED_TOKEN_FILE:  /var/run/secrets/azure/tokens/azure-identity-token
      AZURE_AUTHORITY_HOST:        https://login.microsoftonline.com/
    Mounts:
      /data from data (rw)
      /tmp from tmp (rw)
      /var/run/secrets/azure/tokens from azure-identity-token (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-zlhf8 (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  data:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
  tmp:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
  kube-api-access-zlhf8:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
  azure-identity-token:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3600
QoS Class:                   Burstable
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/memory-pressure:NoSchedule op=Exists
                             node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  15s   default-scheduler  Successfully assigned source-system/source-controller-c69445fb-xc95n to aks-nodepool1-90542042-vmss000000
  Normal  Pulled     15s   kubelet            Container image "diptipaiacr.azurecr.io/source-controller:6.3" already present on machine
  Normal  Created    15s   kubelet            Created container manager
  Normal  Started    15s   kubelet            Started container manager
```

Environment

Additional context

dipti-pai commented 1 month ago

Misconfiguration on svc instead of sa, closing.
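The thread's root cause is the one the webhook's inputs make easy to get wrong: the `azure.workload.identity/client-id` annotation is read from the pod's ServiceAccount (a pod annotation of the same name overrides it), never from a Service, while the `azure.workload.identity/use=true` label on the pod is what makes the webhook mutate it at all. That is why the describe output above shows the token volume, `AZURE_TENANT_ID` and `AZURE_AUTHORITY_HOST` injected but `AZURE_CLIENT_ID` empty: the pod was labelled, but its ServiceAccount `default` carried no annotation. The following pre-flight lint is an added example and not part of the azure-workload-identity project; the manifests are constructed to mirror this issue, and the function names (`lint_workload_identity`, `findings_as_reported`, `findings_after_fix`) are this example's own.

```python
"""Pre-flight lint for Azure AD Workload Identity pod wiring (added example,
not project code). It checks the three things the mutating webhook keys on:
the pod label, the ServiceAccount the pod actually uses, and where the
client-id annotation lives. A client-id on a Service is flagged as a no-op.
"""
from typing import Dict, List, Optional

USE_LABEL = "azure.workload.identity/use"
CLIENT_ID_ANNOTATION = "azure.workload.identity/client-id"


def _meta(obj: Dict, key: str) -> Dict:
    """Return metadata.labels / metadata.annotations, tolerating absent maps."""
    return obj.get("metadata", {}).get(key) or {}


def lint_workload_identity(pod: Dict, service_account: Dict,
                           service: Optional[Dict] = None) -> List[str]:
    """Return human-readable findings; an empty list means the webhook has
    everything it needs to inject a non-empty AZURE_CLIENT_ID."""
    findings: List[str] = []
    sa_name = pod.get("spec", {}).get("serviceAccountName", "default")
    supplied_sa = service_account.get("metadata", {}).get("name")

    # 1. Without the label the webhook skips the pod entirely.
    if _meta(pod, "labels").get(USE_LABEL) != "true":
        findings.append(f"pod lacks label {USE_LABEL}=true; webhook will not mutate it")

    # 2. The annotation must be on the ServiceAccount the pod really uses.
    if supplied_sa != sa_name:
        findings.append(f"pod uses ServiceAccount {sa_name!r} but {supplied_sa!r} was checked")

    # 3. Pod annotation overrides the ServiceAccount annotation; one of them must be set.
    client_id = (_meta(pod, "annotations").get(CLIENT_ID_ANNOTATION)
                 or _meta(service_account, "annotations").get(CLIENT_ID_ANNOTATION))
    if not client_id:
        findings.append(f"no {CLIENT_ID_ANNOTATION} on pod or ServiceAccount {sa_name!r}; "
                        "AZURE_CLIENT_ID will be injected empty")

    # 4. Annotating a Service has no effect on the webhook; point the user at the SA.
    if service is not None and _meta(service, "annotations").get(CLIENT_ID_ANNOTATION):
        findings.append(f"{CLIENT_ID_ANNOTATION} is set on a Service, which the webhook "
                        f"never reads; move it to ServiceAccount {sa_name!r}")
    return findings


# Constructed manifests mirroring the issue: labelled pod on SA "default",
# client-id annotation placed on the Service, nothing on the ServiceAccount.
POD = {
    "metadata": {"name": "source-controller-c69445fb-xc95n",
                 "labels": {"app": "source-controller", USE_LABEL: "true"}},
    "spec": {"serviceAccountName": "default"},
}
SERVICE = {
    "metadata": {"name": "source-controller",
                 "labels": {USE_LABEL: "true"},
                 "annotations": {CLIENT_ID_ANNOTATION: "7cf74c18-b3aa-4eb0-8f34-b42774390e6a"}},
}
SA_UNANNOTATED = {"metadata": {"name": "default"}}
SA_FIXED = {"metadata": {"name": "default",
                         "annotations": {CLIENT_ID_ANNOTATION: "7cf74c18-b3aa-4eb0-8f34-b42774390e6a"}}}


def findings_as_reported() -> List[str]:
    """The configuration from the bug report: two findings (missing SA annotation,
    annotation placed on a Service)."""
    return lint_workload_identity(POD, SA_UNANNOTATED, SERVICE)


def findings_after_fix() -> List[str]:
    """Annotation moved onto the ServiceAccount: no findings."""
    return lint_workload_identity(POD, SA_FIXED, None)


if __name__ == "__main__":
    for f in findings_as_reported():
        print("FINDING:", f)
    print("after fix:", findings_after_fix() or "clean")
```

In a live cluster the same three objects come from `kubectl get pod/sa/svc -o json`; the point of the lint is the ordering of the checks, which matches how the mutation appears in `kubectl describe pod`: a present token volume with an empty `AZURE_CLIENT_ID` means the label worked and the annotation lookup did not.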