Flux and Azure - Pod Identity deprecation by Sept 23

[adeturner]

Looking to understand what people are doing... and future plans wrt the below

In Azure environments Flux supports sealed secrets and SOPS with AAD Pod Identity.

MS are deprecating pod identity by Sept 23 citing the move to Workload Identity.

SOPS doesnt support Workload Identity and is under a development freeze. There is an outstanding issue which indicates the CNCF sandbox request, approved last week.

There is a flux issue adding support for Workload Identity. This works (yay), but doesn't seem to help with providing secrets to kustomized helm chart values (pls let me know if I have this wrong!)

[stefanprodan]

Azure Workload Identity has been fully integrated in Flux, we have support for ACR (Container images, OCI artifacts, Helm charts), Azure Blob Storage and Azure Key Vault across all controllers.

@hiddeco may know what plans are for porting the changes from Flux (https://github.com/fluxcd/kustomize-controller/tree/main/internal/sops/azkv) to SOPS CLI.

[reespozzi]

@stefanprodan is there an easy way to check a flux deployment is now entirely using workload identity?

[matheuscscp]

Yes, list objects from all the APIs that should be using WI and check e.g. k get ocirepo -A -o yaml | grep secretRef should show no hits

[reespozzi]

We have a kustomize-controller pod that still has aadpodidbinding label, but thinking this may just be leftover from our own code definitions and not used anymore. Could you please elaborate a little @matheuscscp on why this command you gave will confirm we are no longer using aad pod identity in flux?

[stefanprodan]

If you are running the latest version of Flux, then Azure Key Vault with Workload Identity should work. Docs for Flux 2.4 are here https://fluxcd.io/flux/components/kustomize/kustomizations/#azure-key-vault

[matheuscscp]

Sorry I assumed whatever was not WI used secrets. Looks like aad pod identity is also secretless?

[adeturner]

Thanks @stefanprodan

Just to be sure of my understanding... please can you confirm that without the SOPS change I cannot meet my immediate use case

• keyvault secret holding an azure storage access key
• provide encrypted value in a patch to a third party helm chart