jenkinsci / azure-credentials-plugin

Jenkins Azure Credentials plugin
https://plugins.jenkins.io/azure-credentials/
MIT License

Support for Workload Identity #173

Open UXabre opened 1 year ago

UXabre commented 1 year ago

What feature do you want to see added?

When running Jenkins inside a Kubernetes environment, we need to be able to support Azure Workload Identity as AAD Pod Identity is being deprecated. In March this (workload identity) will go GA, so it's a hot topic.

The benefits are that it will be easy to link a service account to an Azure identity, and that it is supported in a Kubernetes deployment.

It will probably require a new utility class to be written; I'm willing to investigate how a federated identity can be loaded.

Upstream changes

No response

timja commented 1 year ago

Sounds great, let me know if you need any pointers.

bsloan-icl commented 1 month ago

+1 for this.

We've recently switched to workload identity for AKS but when a managed identity is assigned to the Jenkins controller pod, it's not recognised by the Jenkins application. This means we have to assign the managed identity to the vmss which gives ALL pods running on that vmss access to Azure resources (e.g. Key Vault) rather than just the Jenkins controller pod.

timja commented 1 month ago

It works just fine for us (AKS, WI and MI)

I don't think anything is needed for Workload Identity when you are using a managed identity.

A service principal would need changes as there's no password or certificate

bsloan-icl commented 1 month ago

Is that when using other Jenkins plugins such as Azure Key Vault and Azure VM Agents as well? What we're trying to do is use the workload identity of the pod for these 2 plugins. But when we try to add the workload identity to Jenkins as a managed identity credential, we get the following error: image

My assumption was this is because Jenkins is looking for a managed identity on the Azure resource (in our case VMSS) rather than the pod's workload identity. When we add the identity to the VMSS, everything works fine. When we remove the identity from the VMSS, we get the error above.

The Jenkins controller pod is definitely running under this identity because it uses it to retrieve secrets from Azure Key Vault via the Azure Key Vault Secrets Provider and sync them as k8s secrets.
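As an added example (not the plugin's code and not from anyone in this thread), a small Java probe illustrating the split bsloan-icl describes: a federated Workload Identity is loaded from the projected service-account token file the pod receives, whereas a managed identity credential goes through IMDS and only succeeds when the identity is attached to the VM/VMSS. It assumes the azure-identity library is on the classpath and that the Workload Identity webhook injected the standard AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE variables; WorkloadIdentityProbe and selectCredential are hypothetical names.

```java
// Added example, not part of azure-credentials-plugin. Assumes
// com.azure:azure-identity on the classpath and the Workload Identity
// environment variables injected into the pod (assumption, see lead-in).
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.azure.identity.WorkloadIdentityCredentialBuilder;

import java.nio.file.Files;
import java.nio.file.Path;

public final class WorkloadIdentityProbe {

    /** Hypothetical helper: prefer the pod's federated identity when its token file exists. */
    static TokenCredential selectCredential(String clientId) {
        String tokenFile = System.getenv("AZURE_FEDERATED_TOKEN_FILE");
        String tenantId = System.getenv("AZURE_TENANT_ID");
        if (tokenFile != null && Files.isReadable(Path.of(tokenFile))) {
            // The pod carries a short-lived projected token that is exchanged for an AAD
            // token: no password or certificate, and no dependency on the node's identity.
            return new WorkloadIdentityCredentialBuilder()
                    .clientId(clientId)
                    .tenantId(tenantId)
                    .tokenFilePath(tokenFile)
                    .build();
        }
        // Classic managed identity via IMDS: this is the path that only works when the
        // identity is assigned to the VMSS, which is the behaviour reported above.
        return new ManagedIdentityCredentialBuilder().clientId(clientId).build();
    }

    public static void main(String[] args) {
        String clientId = System.getenv("AZURE_CLIENT_ID");
        TokenCredential cred = selectCredential(clientId);
        AccessToken token = cred.getToken(
                new TokenRequestContext().addScopes("https://vault.azure.net/.default")).block();
        System.out.println("credential=" + cred.getClass().getSimpleName()
                + " expires=" + token.getExpiresAt());
    }
}
```

Running this inside the controller pod with the VMSS identity removed shows which branch is taken; if it prints ManagedIdentityCredential the token file was not mounted, which is the same condition that makes the plugin's managed identity credential fail.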

timja commented 1 month ago

Yes Azure VM Agents / Key Vault.

I do see that we have the identity on the VMSS.

bsloan-icl commented 1 month ago

That probably explains why it's working for your instance then. When the identity is removed from the VMSS and assigned to the Jenkins controller pod only, it no longer works.

kostyaplis commented 1 week ago

Are there any plans to implement Workload Identity support? It is less secure to assign a User Managed Identity to the VMSS.

timja commented 1 week ago

At some point yes, but a pull request is welcome if someone has time to do it