Open UXabre opened 1 year ago
Sounds great, let me know if you need any pointers.
+1 for this.
We've recently switched to workload identity for AKS, but when a managed identity is assigned to the Jenkins controller pod, it's not recognised by the Jenkins application. This means we have to assign the managed identity to the VMSS, which gives ALL pods running on that VMSS access to Azure resources (e.g. Key Vault) rather than just the Jenkins controller pod.
It works just fine for us (AKS, WI and MI)
I don't think anything is needed for Workload Identity when you are using a managed identity.
A service principal would need changes as there's no password or certificate
Is that when using other Jenkins plugins such as Azure Key Vault and Azure VM Agents as well? What we're trying to do is use the workload identity of the pod for these 2 plugins. But when we try to add the workload identity to Jenkins as a managed identity credential, we get the following error:
My assumption was this is because Jenkins is looking for a managed identity on the Azure resource (in our case VMSS) rather than the pod's workload identity. When we add the identity to the VMSS, everything works fine. When we remove the identity from the VMSS, we get the error above.
The Jenkins controller pod is definitely running under this identity because it uses it to retrieve secrets from Azure Key Vault via the Azure Key Vault Secrets Provider and sync them as k8s secrets.
Yes Azure VM Agents / Key Vault.
I do see that we have the identity on the VMSS.
That probably explains why it's working for your instance then. When the identity is removed from the VMSS and assigned to the Jenkins controller pod only, it no longer works.
Are there any plans to implement Workload Identity support? It is less secure to assign a User Managed Identity to the VMSS.
At some point yes, but a pull request is welcome if someone has time to do it
What feature do you want to see added?
When running Jenkins inside a Kubernetes environment, we need to be able to support Azure Workload Identity, as AAD Pod Identity is being deprecated. In March this (workload identity) will go GA, so it's a hot topic.
The benefits are that it will be easy to link a service account to an Azure identity, and that it is supported in a Kubernetes deployment.
It will probably require a new utility class to be written; I'm willing to investigate how a federated identity can be loaded.
Upstream changes
No response
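To make the "federated identity" part of this request concrete: with Azure Workload Identity there is no password or certificate to store in Jenkins. The AKS webhook injects AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_AUTHORITY_HOST and AZURE_FEDERATED_TOKEN_FILE into the pod and mounts a short-lived projected Kubernetes service-account token (audience `api://AzureADTokenExchange`) at that path; the token is presented to Entra ID as an OAuth 2.0 JWT client assertion and exchanged for an access token. The following is an added example written for this thread, not code from the plugin, showing that exchange in Python. The constructed token, the `.invalid` issuer URL and the namespace/service-account names are assumptions for an offline run; the endpoint, form fields and assertion type are the standard client-credentials grant with a client assertion.

```python
"""Azure Workload Identity: exchange the pod's projected SA token for an
Entra ID access token (added example, not the Jenkins plugin's code)."""
import base64
import json
import os
import time
import urllib.parse
import urllib.request

CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
DEFAULT_AUTHORITY = "https://login.microsoftonline.com/"
EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"  # audience the AKS webhook requests


def read_projected_token(path):
    """Read the projected token fresh on every refresh.

    kubelet rotates the projected service-account token, so caching the file
    contents at startup eventually yields an expired assertion.
    """
    with open(path, "r", encoding="utf-8") as f:
        return f.read().strip()


def jwt_payload(token):
    """Decode the JWT payload only; the signature is verified by Entra ID, not here."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def token_is_usable(token, now=None, skew=60):
    """Reject a projected token that is expired or within `skew` seconds of expiry."""
    exp = jwt_payload(token).get("exp", 0)
    current = time.time() if now is None else now
    return exp - skew > current


def build_token_request(tenant_id, client_id, assertion, scope, authority_host=DEFAULT_AUTHORITY):
    """Return (url, form) for the client-credentials grant with a JWT client assertion."""
    url = authority_host.rstrip("/") + "/" + tenant_id + "/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": scope,  # e.g. https://vault.azure.net/.default for Key Vault
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": assertion,  # the projected SA token, no secret involved
    }
    return url, form


def fetch_access_token(scope, env=None):
    """Perform the exchange using the variables the AKS webhook injects (network call)."""
    env = os.environ if env is None else env
    token = read_projected_token(env["AZURE_FEDERATED_TOKEN_FILE"])
    if not token_is_usable(token):
        raise RuntimeError("projected token expired; re-read after kubelet rotation")
    url, form = build_token_request(
        env["AZURE_TENANT_ID"], env["AZURE_CLIENT_ID"], token, scope,
        env.get("AZURE_AUTHORITY_HOST", DEFAULT_AUTHORITY),
    )
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


def make_constructed_projected_token(exp):
    """Build an unsigned JWT shaped like a projected SA token (constructed test input).

    Claim values (issuer, namespace, service-account name) are assumptions.
    """
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    header = seg({"alg": "RS256", "kid": "constructed"})
    payload = seg({
        "iss": "https://oidc.example.invalid/cluster",
        "sub": "system:serviceaccount:jenkins:jenkins",
        "aud": EXCHANGE_AUDIENCE,
        "exp": exp,
    })
    return header + "." + payload + ".constructed-signature"


if __name__ == "__main__":
    url, form = build_token_request(
        "00000000-0000-0000-0000-000000000000", "11111111-1111-1111-1111-111111111111",
        make_constructed_projected_token(exp=int(time.time()) + 3600),
        "https://vault.azure.net/.default",
    )
    print(url)
    print({k: (v[:20] + "..." if k == "client_assertion" else v) for k, v in form.items()})
```

The security-relevant point for the plugin is that the credential never leaves the pod's projected volume and is bound to the Kubernetes service account through the federated credential on the user-assigned managed identity, so only the Jenkins controller pod (not every pod on the VMSS) can obtain tokens for that identity.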