Skip to content

cleanup: clientID should be optional when mount with workload identity token #2271

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
andyzhangx wants to merge 3 commits into
base: master
Choose a base branch
from
Open

cleanup: clientID should be optional when mount with workload identity token #2271

andyzhangx wants to merge 3 commits into from
+165 −17

Conversation

@andyzhangx
Copy link
Member

@andyzhangx andyzhangx commented Dec 13, 2025
edited
Loading

What type of PR is this?
/kind cleanup

What this PR does / why we need it:
cleanup: clientID should be optional when mount with workload identity token, it's default to kubelet identity

Which issue(s) this PR fixes:

Fixes #2272

Requirements:

Special notes for your reviewer:

Release note:

none

@andyzhangx andyzhangx requested a review from Copilot December 13, 2025 09:10
@k8s-ci-robot k8s-ci-robot added kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Dec 13, 2025
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Dec 13, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andyzhangx

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Dec 13, 2025
Copilot AI reviewed Dec 13, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR refactors the workload identity authentication logic in the blob driver to make clientID optional when mountWithWorkloadIdentityToken is enabled. The change restructures the control flow so that when workload identity token mounting is requested, the code will fall back to using UserAssignedIdentityID from the cloud config if no explicit clientID is provided, rather than requiring clientID to be explicitly specified.

Key changes:

  • The workload identity token mounting logic is now handled first (before the explicit clientID check), enabling the fallback behavior
  • When mountWithWorkloadIdentityToken is true and clientID is empty, the code now uses d.cloud.Config.AzureAuthConfig.UserAssignedIdentityID as a fallback
  • The explicit clientID check has been moved below the workload identity block to handle service account token authentication separately

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

pkg/blob/blob.go
Comment on lines 593 to 618
if mountWithWIToken {
if clientID == "" {
clientID = d.cloud.Config.AzureAuthConfig.UserAssignedIdentityID
}
klog.V(2).Infof("mountWithWorkloadIdentity is specified, use workload identity auth mount, clientID: %s, tenantID: %s", clientID, tenantID)

authEnv = append(authEnv, "AZURE_STORAGE_SPN_CLIENT_ID="+clientID)
if tenantID != "" {
authEnv = append(authEnv, "AZURE_STORAGE_SPN_TENANT_ID="+tenantID)
}
authEnv = append(authEnv, "AZURE_OAUTH_TOKEN_FILE="+azureOAuthTokenFile)
klog.V(2).Infof("workload identity auth: %v", authEnv)
workloadIdentityToken, err := parseServiceAccountToken(serviceAccountToken)
if err != nil {
return rgName, accountName, accountKey, containerName, authEnv, err
}
azureOAuthTokenFile := filepath.Join(defaultAzureOAuthTokenDir, clientID+accountName)
if err := os.WriteFile(azureOAuthTokenFile, []byte(workloadIdentityToken), 0600); err != nil {
return rgName, accountName, accountKey, containerName, authEnv, fmt.Errorf("failed to write workload identity token file %s: %v", azureOAuthTokenFile, err)
}

authEnv = append(authEnv, "AZURE_STORAGE_SPN_CLIENT_ID="+clientID)
if tenantID != "" {
authEnv = append(authEnv, "AZURE_STORAGE_SPN_TENANT_ID="+tenantID)
}
authEnv = append(authEnv, "AZURE_OAUTH_TOKEN_FILE="+azureOAuthTokenFile)
klog.V(2).Infof("workload identity auth: %v", authEnv)
return rgName, accountName, accountKey, containerName, authEnv, err
}
Copy link

Copilot AI Dec 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new workload identity authentication flow when mountWithWIToken is true lacks test coverage. Consider adding tests to verify the behavior when: 1) clientID is provided, 2) clientID is empty and falls back to UserAssignedIdentityID, and 3) both clientID and UserAssignedIdentityID are empty. This is especially important given that other auth flows in this file have comprehensive test coverage in blob_test.go.

Copilot uses AI. Check for mistakes.
Copy link
Member Author

@andyzhangx andyzhangx Dec 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot open a new pull request to apply changes based on this feedback

@andyzhangx andyzhangx force-pushed the clientID-not-required branch from b7d5f19 to d9e0752 Compare December 13, 2025 09:35
@andyzhangx andyzhangx force-pushed the clientID-not-required branch from d9e0752 to d7231a6 Compare December 13, 2025 09:40
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Dec 13, 2025
@andyzhangx
fix: add token file name validation check
de76d14 
refine useWorkloadIdentity logic
@andyzhangx andyzhangx force-pushed the clientID-not-required branch from b22f2be to de76d14 Compare December 14, 2025 03:51
@andyzhangx
Copy link
Member Author

andyzhangx commented Dec 14, 2025

/retest

@andyzhangx andyzhangx changed the title cleanup: clientID is not required when mountWithWorkloadIdentityToken cleanup: clientID should be optional when mount with workload identity token Dec 14, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@cvvz cvvz Awaiting requested review from cvvz

@feiskyer feiskyer Awaiting requested review from feiskyer

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

refine tokenFile write logic

2 participants

@andyzhangx @k8s-ci-robot