[aks-agent] Add Microsoft Entra ID authentication support for Azure OpenAI

This commit adds support for keyless authentication using Microsoft Entra ID (formerly Azure AD) for Azure OpenAI. Users can now skip providing an API key during initialization to enable workload identity-based authentication.

Changes:
- Bump version to 1.0.0b22 and aks-agent to v0.7.0
- Allow empty API key during Azure OpenAI configuration
- Configure aks-agent pod to use workload identity with the same service account as aks-mcp
- Add helm values: workloadIdentity.enabled=true, serviceAccount.create=false
- Skip creating secrets and environment variables when API key is empty
- Enable azureADTokenAuth flag in helm when API key is not provided

Author: mainred

src/aks-agent/HISTORY.rst

@@ -12,6 +12,10 @@ To release a new version, please select a new version number (usually plus 1 to
 Pending
 +++++++
 
+1.0.0b22
+++++++++
+* Feature: Add Microsoft Entra ID (formerly Azure AD) authentication support for Azure OpenAI
+
 1.0.0b21
 ++++++++
 * Bump aks-agent to v0.6.0

src/aks-agent/azext_aks_agent/_consts.py

@@ -52,7 +52,7 @@
 AKS_MCP_LABEL_SELECTOR = "app.kubernetes.io/name=aks-mcp"
 
 # AKS Agent Version (shared by helm chart and docker image)
-AKS_AGENT_VERSION = "0.6.0"
+AKS_AGENT_VERSION = "0.7.0"
 
 # Helm Configuration
 HELM_VERSION = "3.16.0"

src/aks-agent/azext_aks_agent/agent/k8s/aks_agent_manager.py

@@ -927,6 +927,22 @@ def _create_helm_values(self):
             "create": False,
         }
 
+        # Configure aks-agent pod to use the same service account as aks-mcp for workload identity
+        helm_values["workloadIdentity"] = {
+            "enabled": True,
+        }
+        helm_values["serviceAccount"] = {
+            "create": False,
+            "name": self.aks_mcp_service_account_name,
+        }
+
+        has_empty_api_key = any(
+            not model_config.get("api_key") or not model_config.get("api_key").strip()
+            for model_config in self.llm_config_manager.model_list.values()
+        )
+        if has_empty_api_key:
+            helm_values["azureADTokenAuth"] = True
+
         return helm_values
 
     def save_llm_config(self, provider: LLMProvider, params: dict) -> None:

src/aks-agent/azext_aks_agent/agent/llm_config_manager.py

@@ -50,8 +50,10 @@ def get_env_vars(self, secret_name: str) -> List[Dict[str, str]]:
         """
         env_vars_list = []
         for _, model_config in self.model_list.items():
-            env_var = LLMProvider.to_env_vars(secret_name, model_config)
-            env_vars_list.append(env_var)
+            api_key = model_config.get("api_key")
+            if api_key and api_key.strip():
+                env_var = LLMProvider.to_env_vars(secret_name, model_config)
+                env_vars_list.append(env_var)
         return env_vars_list
 
 

src/aks-agent/azext_aks_agent/agent/llm_providers/azure_provider.py

@@ -43,8 +43,8 @@ def parameter_schema(self):
             "api_key": {
                 "secret": True,
                 "default": None,
-                "hint": None,
-                "validator": non_empty
+                "hint": "press enter to enable keyless authentication with Microsoft Entra ID",
+                "validator": lambda v: True
             },
             "api_base": {
                 "secret": False,
@@ -65,9 +65,12 @@ def validate_connection(self, params: dict) -> Tuple[str, str]:
         api_version = params.get("api_version")
         deployment_name = params.get("model")
 
-        if not all([api_key, api_base, api_version, deployment_name]):
+        if not all([api_base, api_version, deployment_name]):
             return "Missing required Azure parameters.", "retry_input"
 
+        if not api_key or not api_key.strip():
+            return None, "save"
+
         # REST API reference: https://learn.microsoft.com/en-us/azure/ai-foundry/openai/api-version-lifecycle?tabs=rest
         url = urljoin(api_base, f"openai/deployments/{deployment_name}/chat/completions")
 

src/aks-agent/azext_aks_agent/agent/llm_providers/base.py

@@ -175,6 +175,8 @@ def to_k8s_secret_data(cls, params: dict):
         """
         secret_key = cls.sanitize_k8s_secret_key(params)
         secret_value = params.get("api_key")
+        if not secret_value or not secret_value.strip():
+            return {}
         secret_data = {
             secret_key: base64.b64encode(secret_value.encode("utf-8")).decode("utf-8"),
         }
@@ -206,9 +208,13 @@ def to_secured_model_list_config(cls, params: dict) -> Dict[str, dict]:
         """Create a model config dictionary for the model list from the provider parameters.
         Returns a copy of params with the api_key replaced by environment variable reference.
         """
-        secret_key = cls.sanitize_k8s_secret_key(params)
         secured_params = params.copy()
-        secured_params.update({"api_key": f"{{{{ env.{secret_key} }}}}"})
+        api_key = params.get("api_key")
+        if api_key and api_key.strip():
+            secret_key = cls.sanitize_k8s_secret_key(params)
+            secured_params.update({"api_key": f"{{{{ env.{secret_key} }}}}"})
+        else:
+            secured_params.pop("api_key", None)
         return secured_params
 
     @classmethod

src/aks-agent/setup.py

@@ -9,7 +9,7 @@
 
 from setuptools import find_packages, setup
 
-VERSION = "1.0.0b21"
+VERSION = "1.0.0b22"
 
 CLASSIFIERS = [
     "Development Status :: 4 - Beta",