Skip to content

[RFC-0010] Add multi-tenant workload identity support for Azure Blob Storage#1875

Merged
dipti-pai merged 1 commit intofluxcd:mainfrom
dipti-pai:azure-blob-oidc
Sep 2, 2025
Merged

[RFC-0010] Add multi-tenant workload identity support for Azure Blob Storage#1875
dipti-pai merged 1 commit intofluxcd:mainfrom
dipti-pai:azure-blob-oidc

Conversation

@dipti-pai
Copy link
Copy Markdown
Member

@dipti-pai dipti-pai commented Aug 26, 2025
edited by matheuscscp
Loading

Part of: fluxcd/flux2#5022

Changes include:

  • Use auth pkg to create Azure token credential to enable controller/object-level workload identity and pass this to Azure SDK.
  • Doc update to remove deprecated AAD pod identity docs for buckets.

Tested controller-level/object-level scenario, caching - metrics shared below.

  1. If object level workload identity feature gate is disabled, the Bucket source goes into a Stalled state.
Status:
  Conditions:
    Last Transition Time:  2025-08-26T16:52:35Z
    Message:               to use spec.serviceAccountName for provider authentication please enable the ObjectLevelWorkloadIdentity feature gate in the controller
    Observed Generation:   6
    Reason:                FeatureGateDisabled
    Status:                True
    Type:                  Stalled
    Last Transition Time:  2025-08-26T16:52:35Z
    Message:               to use spec.serviceAccountName for provider authentication please enable the ObjectLevelWorkloadIdentity feature gate in the controller
    Observed Generation:   6
    Reason:                FeatureGateDisabled
    Status:                False
    Type:                  Ready
    Last Transition Time:  2025-08-26T16:52:35Z
    Message:               to use spec.serviceAccountName for provider authentication please enable the ObjectLevelWorkloadIdentity feature gate in the controller
    Observed Generation:   6
    Reason:                FeatureGateDisabled
    Status:                True
    Type:                  FetchFailed
  1. Cache metrics for success scenarios.
# TYPE gotk_token_cache_events_total counter
gotk_token_cache_events_total{event_type="cache_hit",kind="Bucket",name="azure-public",namespace="default",operation="reconcile"} 42
gotk_token_cache_events_total{event_type="cache_miss",kind="Bucket",name="azure-public",namespace="default",operation="reconcile"} 1

cappyzawa
cappyzawa approved these changes Aug 28, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@cappyzawa cappyzawa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with a nit

Comment thread api/v1/bucket_types.go
Comment thread internal/bucket/azure/blob_test.go Outdated
matheuscscp
matheuscscp approved these changes Sep 1, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@matheuscscp matheuscscp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! 🚀

@dipti-pai
[RFC-0010] Add multi-tenant workload identity support for Azure Blob …
995f353 
…Storage

Signed-off-by: Dipti Pai <diptipai89@outlook.com>
@dipti-pai dipti-pai merged commit 04ab27b into fluxcd:main Sep 2, 2025
8 checks passed
@matheuscscp matheuscscp mentioned this pull request Sep 2, 2025
Closed
71 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@matheuscscp matheuscscp matheuscscp approved these changes

+1 more reviewer

@cappyzawa cappyzawa cappyzawa approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dipti-pai @matheuscscp @cappyzawa