Open LaurentLesle opened 4 weeks ago
Hi @LaurentLesle, thank you for opening this issue - and for explaining the issue so well. We are currently working on this and it will be included in one of the upcoming releases!
Oh that's great news and will unblock a lot of our customers! Thanks
Contributors should take note of how you presented your issue. Really good stuff! @LaurentLesle
Description
The Azurerm provider supports OIDC (Workload Identities), which is a password-less and Microsoft-recommended approach to run Terraform jobs. When using TFE or HCP self-hosted agents on an AKS cluster with OIDC enabled, I want to run Terraform jobs in this setup.
Currently it is possible to set the serviceAccountName, but the Azure Workload Identity admission controller also requires the labels and (optional) annotations to be added to the template spec.
Therefore I am proposing to add 2 new attributes to the AgentPool schema to support labels and annotations.
Potential YAML Configuration
References
https://azure.github.io/azure-workload-identity/docs/topics/service-account-labels-and-annotations.html
Additional context on how OIDC is used (https://techcommunity.microsoft.com/t5/fasttrack-for-azure/use-azure-ad-workload-identity-for-kubernetes-with-a-user/ba-p/3654928)
Expected state of the pod created by the agentPool (service account and labels (optionally annotations) set). Here is a manually crafted pod. Note the AZURE_* env variables added by the admission controller based on the label and service account:
We can see that only the agent pool name is added. The ask of this feature is to also inject (and merge) the spec.agentDeployment.labels and spec.agentDeployment.annotations:
https://github.com/hashicorp/hcp-terraform-operator/blob/main/controllers/agentpool_controller_deployment.go
https://github.com/hashicorp/hcp-terraform-operator/blob/6127ef00412aad4852198581e0181b204fa3eb58/api/v1alpha2/agentpool_types.go#L93
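As an added illustration (not the operator's code), this Go snippet shows how the proposed merge could behave: labels and annotations from spec.agentDeployment are copied into the pod template, keys the operator itself manages win on conflict, and the result is checked for the label the Workload Identity webhook looks for. The agent pool label key is a hypothetical placeholder; the real key lives in agentpool_controller_deployment.go.

```go
package main

import (
	"fmt"
	"sort"
)

// Pod label the Azure Workload Identity mutating webhook requires before it
// injects the AZURE_* env vars (see the referenced labels/annotations doc).
const workloadIdentityUseLabel = "azure.workload.identity/use"

// Hypothetical placeholder for the label the operator sets with the agent
// pool name; the real key is not quoted on this page.
const agentPoolNameLabel = "example.invalid/agent-pool-name"

// MergePodMeta merges user-supplied labels/annotations into the pod template
// metadata. Operator-owned label keys take precedence, so a user value cannot
// detach the pod from its pool; the clobbered keys are returned for logging.
func MergePodMeta(operatorLabels, userLabels, userAnnotations map[string]string) (map[string]string, map[string]string, []string) {
	labels := make(map[string]string, len(operatorLabels)+len(userLabels))
	var overridden []string
	for k, v := range userLabels {
		labels[k] = v
	}
	for k, v := range operatorLabels {
		if uv, ok := userLabels[k]; ok && uv != v {
			overridden = append(overridden, k)
		}
		labels[k] = v // operator value wins
	}
	sort.Strings(overridden)
	annotations := make(map[string]string, len(userAnnotations))
	for k, v := range userAnnotations {
		annotations[k] = v
	}
	return labels, annotations, overridden
}

// WorkloadIdentityEnabled reports whether the merged labels carry the value
// the admission controller checks for ("true", exactly).
func WorkloadIdentityEnabled(labels map[string]string) bool {
	return labels[workloadIdentityUseLabel] == "true"
}

func main() {
	// Constructed sample input: a user enabling workload identity and also
	// (wrongly) trying to override the operator-managed pool label.
	op := map[string]string{agentPoolNameLabel: "aks-pool"}
	user := map[string]string{workloadIdentityUseLabel: "true", agentPoolNameLabel: "other"}
	labels, _, clobbered := MergePodMeta(op, user, nil)
	fmt.Println(labels, clobbered, WorkloadIdentityEnabled(labels))
}
```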