Skip to content

Deploy: Add secrets, workload identity, ACR support, and fix identity role assignments#468

Merged
sniok merged 9 commits intoAzure:mainfrom
gambtho:thgamble/managedidentity
Mar 25, 2026
Merged

Deploy: Add secrets, workload identity, ACR support, and fix identity role assignments#468
sniok merged 9 commits intoAzure:mainfrom
gambtho:thgamble/managedidentity

Conversation

@gambtho
Copy link
Copy Markdown
Collaborator

@gambtho gambtho commented Mar 18, 2026

Summary

  • Add per-variable secret toggle in the Deploy Wizard environment variables step — secret values are masked in the UI, stored as a Kubernetes Secret resource, and referenced via valueFrom.secretKeyRef in the Deployment manifest
  • Add a new "Workload Identity" stepper step that creates (or selects existing) Azure managed identities, configures federated credentials against the cluster's OIDC issuer, and generates a ServiceAccount with azure.workload.identity/client-id annotation plus pod labels/serviceAccountName on the Deployment
  • Update GitHub Pipeline agent templates to include workload identity ServiceAccount creation and pod configuration in generated workflows
  • Fix managed identity role assignments: assign the full required role matrix (AcrPush, Container Registry Tasks Contributor, AKS RBAC Writer, AKS Namespace User) scoped correctly for both normal and managed namespaces
  • Add ACR selection/creation to the pipeline wizard so the generated workflow can build and push container images
  • Extract shared identity setup logic into reusable utilities, eliminating duplication between the GitHub Pipeline and Deploy Wizard flows

Type of Change

  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)

Related Issues

Closes #467

Changes Made

Secrets support

  • Extended ContainerConfig.envVars type with isSecret: boolean
  • Added lock icon toggle and password masking in ConfigureContainer.tsx
  • Updated yamlGenerator.ts to emit a Secret resource and secretKeyRef entries for secret env vars
  • Updated extractContainerConfig.ts to round-trip secretKeyRef entries

Workload Identity

  • Added getAksOidcIssuerUrl, listManagedIdentities, createK8sFederatedCredential to az-cli.ts
  • Created useDeployWorkloadIdentity hook (adapts existing GitHub Pipeline pattern)
  • Added new stepper step with "Create new" / "Use existing" identity modes
  • Updated yamlGenerator.ts to emit ServiceAccount, pod label, and serviceAccountName
  • Threaded Azure context from ClusterDeployCard through DeployWizard to ConfigureContainer

Identity role assignment fixes

  • Added assignRolesToIdentity() — generalized multi-role assignment function replacing the single hardcoded role
  • Added computeRequiredRoles() in new identityRoles.ts — computes the correct role set based on namespace type (normal vs managed), ACR presence, and Azure RBAC status
  • Normal namespace roles: AcrPush (ACR), Container Registry Tasks Contributor (ACR), AKS Cluster User Role (cluster), AKS RBAC Writer (cluster, if Azure RBAC enabled)
  • Managed namespace roles: AcrPush (ACR), Container Registry Tasks Contributor (ACR), AKS RBAC Writer (MNS scope), AKS Namespace User (MNS scope)
  • Extracted ensureIdentityAndResourceGroup() into shared identitySetup.ts — eliminates ~80% duplication between the two identity hooks
  • Added getManagedNamespaceResourceId() and buildClusterScope() helpers to az-cli.ts

ACR support in pipeline wizard

  • Added AcrSelector component — lists existing ACRs, supports creating new registries, shows a warning if skipped
  • Added createContainerRegistry() to az-cli.ts
  • Added acrResourceId and acrLoginServer to PipelineConfig
  • Agent templates now include az acr build instructions when ACR is configured
  • Pipeline secrets now include AZURE_ACR_NAME when ACR is selected

Pipeline integration

  • Added generateWorkloadIdentityWorkflowInstructions to agentTemplates.ts
  • Included workload identity config summary in generated agent markdown

Testing

  • Unit tests pass
  • Manual testing completed

Test Cases

  1. All 208 related tests pass (identity roles, identity setup, pipeline hooks, pipeline components, agent templates, pipeline orchestration)
  2. TypeScript type check passes
  3. ESLint and Prettier pass
  4. No new test failures introduced
  5. New test files: identityRoles.test.ts (10 tests), identitySetup.test.ts (8 tests)

Checklist

  • My code follows the project's style guidelines
  • I have performed a self-review of my own code
  • My changes generate no new warnings
  • New and existing unit tests pass locally with my changes

Performance Impact

  • No performance impact

Reviewer Notes

  • The workload identity step is disabled when Azure context is unavailable (non-Azure clusters or not signed in)
  • Secret values are visible in the YAML preview step (acceptable since this is a local desktop app and the user just typed them)
  • The Secret resource is placed first in the generated YAML so it exists before the Deployment that references it
  • ACR selection is optional with a warning — pipelines can still be created without an ACR for pre-built image scenarios
  • The old assignRoleToIdentity() function is preserved for backward compatibility but should be removed once all callers are migrated
  • getClusterCapabilities() already returns azureRbacEnabled — callers just need to thread it through to the identity hooks

Copilot AI review requested due to automatic review settings March 18, 2026 03:27
@gambtho gambtho changed the title Deploy: Add secrets support and workload identity to Deploy Wizard Deploy: add secrets support and workload identity to Deploy Wizard Mar 18, 2026
@gambtho gambtho marked this pull request as draft March 18, 2026 03:28
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds Deploy Wizard support for (1) marking environment variables as secrets (emitted as a Kubernetes Secret + valueFrom.secretKeyRef) and (2) configuring Azure Workload Identity (managed identity + federated credential flow), plus updates to pipeline agent templates/tests to account for the expanded container config shape.

Changes:

  • Extend ContainerConfig to include envVars[].isSecret and Workload Identity fields, and update fixtures/stories/tests accordingly.
  • Update Deploy Wizard UI + YAML generator to create Secret/ServiceAccount manifests and label/pod spec wiring for workload identity.
  • Add Azure CLI helpers and a new hook to automate managed identity + role assignment + OIDC issuer lookup + federated credential creation.

Reviewed changes

Copilot reviewed 33 out of 33 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
plugins/aks-desktop/src/utils/azure/az-cli.ts Adds AKS OIDC issuer lookup, managed identity listing, and K8s federated credential creation helpers.
plugins/aks-desktop/src/components/GitHubPipeline/utils/pipelineOrchestration.test.ts Updates tests to include the new envVars[].isSecret field.
plugins/aks-desktop/src/components/GitHubPipeline/utils/agentTemplates.ts Adds pipeline workflow instructions for workload identity and surfaces it in generated agent config.
plugins/aks-desktop/src/components/GitHubPipeline/utils/agentTemplates.test.ts Updates agent template tests for the new env var shape.
plugins/aks-desktop/src/components/GitHubPipeline/fixtures/pipelineConfig.ts Extends fixture defaults with isSecret and workload identity fields.
plugins/aks-desktop/src/components/DeployWizard/utils/yamlGenerator.ts Emits Secret + Workload Identity ServiceAccount/labels/serviceAccountName into generated YAML.
plugins/aks-desktop/src/components/DeployWizard/hooks/useDeployWorkloadIdentity.ts New hook to set up managed identity + role assignment + federated credentials for a K8s service account.
plugins/aks-desktop/src/components/DeployWizard/hooks/useContainerConfiguration.ts Extends ContainerConfig type and default state to include secrets + workload identity fields.
plugins/aks-desktop/src/components/DeployWizard/components/DeployWizardPure.stories.tsx Updates story stub config for new fields.
plugins/aks-desktop/src/components/DeployWizard/components/ConfigureContainer.tsx Adds env var secret toggle UI and a new Workload Identity step with “create”/“existing” identity flows.
plugins/aks-desktop/src/components/DeployWizard/DeployWizard.tsx Passes Azure context/namespace into ConfigureContainer for workload identity configuration.
plugins/aks-desktop/src/components/DeployTab/utils/extractContainerConfig.ts Extracts secret env vars and workload identity label/serviceAccountName from live deployments.
plugins/aks-desktop/src/components/DeployTab/utils/extractContainerConfig.test.ts Updates extraction tests for isSecret.
plugins/aks-desktop/src/components/DeployTab/components/ClusterDeployCard.tsx Supplies Azure context to Deploy Wizard from the Deploy Tab.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

Comment thread plugins/aks-desktop/src/components/DeployWizard/components/ConfigureContainer.tsx Outdated
Comment thread plugins/aks-desktop/src/components/DeployWizard/components/ConfigureContainer.tsx Outdated
Comment thread plugins/aks-desktop/src/components/DeployWizard/utils/yamlGenerator.ts Outdated
Comment thread plugins/aks-desktop/src/components/DeployWizard/utils/yamlGenerator.ts Outdated
Comment thread plugins/aks-desktop/src/components/DeployWizard/components/ConfigureContainer.tsx Outdated
Comment thread plugins/aks-desktop/src/components/DeployWizard/components/ConfigureContainer.tsx Outdated
@gambtho gambtho force-pushed the thgamble/managedidentity branch 3 times, most recently from 2e27c8d to 1517b6b Compare March 18, 2026 17:34
@gambtho gambtho changed the title Deploy: add secrets support and workload identity to Deploy Wizard Deploy: Add secrets, workload identity, ACR support, and fix identity role assignments Mar 18, 2026
@gambtho gambtho force-pushed the thgamble/managedidentity branch 3 times, most recently from 7d3dc54 to ec8f6f5 Compare March 19, 2026 01:54
@gambtho gambtho marked this pull request as ready for review March 19, 2026 02:01
Copilot AI review requested due to automatic review settings March 19, 2026 02:01
@gambtho gambtho force-pushed the thgamble/managedidentity branch 2 times, most recently from 55d85f2 to 10a4895 Compare March 19, 2026 02:02
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR extends AKS Desktop’s Deploy Wizard and GitHub Pipeline flows to support per-env-var Kubernetes Secrets, Azure Workload Identity (with shared identity/role setup utilities), and optional Azure Container Registry (ACR) integration for build/push workflows, while correcting managed identity role assignment behavior.

Changes:

  • Introduces shared Azure identity setup utilities (identitySetup, identityRoles, identityWithRoles) and updates pipeline/deploy hooks to use multi-role assignment.
  • Adds Workload Identity configuration to deploy/pipeline flows (OIDC issuer discovery, federated credential creation, ServiceAccount + pod config generation).
  • Adds ACR selection/creation support and threads ACR context into pipeline secrets and agent instructions; adds per-variable secret env var support in YAML generation + extraction.

Reviewed changes

Copilot reviewed 48 out of 48 changed files in this pull request and generated 9 comments.

Show a summary per file
File Description
plugins/aks-desktop/src/utils/azure/identityWithRoles.ts New shared orchestration for identity creation + required role assignments
plugins/aks-desktop/src/utils/azure/identitySetup.ts New utility to ensure RG + identity exist
plugins/aks-desktop/src/utils/azure/identitySetup.test.ts Tests for identity setup utility
plugins/aks-desktop/src/utils/azure/identityRoles.ts New role-matrix computation for normal vs managed namespaces + ACR + Azure RBAC
plugins/aks-desktop/src/utils/azure/identityRoles.test.ts Tests for role computation
plugins/aks-desktop/src/utils/azure/az-cli.ts Adds ACR typing, multi-role assignment, OIDC issuer discovery, identity listing, K8s federated credential creation, ACR creation helpers
plugins/aks-desktop/src/components/GitHubPipeline/utils/pipelineOrchestration.ts Adds ACR name secret creation for workflows
plugins/aks-desktop/src/components/GitHubPipeline/utils/pipelineOrchestration.test.ts Updates env var fixtures for new isSecret field
plugins/aks-desktop/src/components/GitHubPipeline/utils/agentTemplates.ts Adds workload identity + ACR build/push instructions and summary output
plugins/aks-desktop/src/components/GitHubPipeline/utils/agentTemplates.test.ts Updates env var fixtures for new isSecret field
plugins/aks-desktop/src/components/GitHubPipeline/types.ts Extends pipeline config with ACR fields
plugins/aks-desktop/src/components/GitHubPipeline/hooks/useWorkloadIdentitySetup.ts Switches to shared identity+roles utility; adds cluster/ACR/namespace context
plugins/aks-desktop/src/components/GitHubPipeline/hooks/useWorkloadIdentitySetup.test.ts Updates mocks/expectations for multi-role assignment + shared utility
plugins/aks-desktop/src/components/GitHubPipeline/components/WorkloadIdentitySetup.tsx Updates UI step wording/status for role assignments and threads new inputs
plugins/aks-desktop/src/components/GitHubPipeline/components/WorkloadIdentitySetup.test.tsx Adds clusterName prop to fixture
plugins/aks-desktop/src/components/GitHubPipeline/components/AcrSelector.tsx New UI component to select/create/skip ACR
plugins/aks-desktop/src/components/GitHubPipeline/fixtures/pipelineConfig.ts Updates fixture for isSecret and workload identity fields
plugins/aks-desktop/src/components/GitHubPipeline/GitHubPipelineWizard.tsx Threads clusterName into workload identity setup component
plugins/aks-desktop/src/components/DeployWizard/utils/yamlGenerator.ts Emits Secret + secretKeyRef env vars; emits ServiceAccount + WI pod config
plugins/aks-desktop/src/components/DeployWizard/hooks/useDeployWorkloadIdentity.ts New deploy-side workload identity setup hook (OIDC issuer + K8s federated cred)
plugins/aks-desktop/src/components/DeployWizard/hooks/useContainerConfiguration.ts Extends container config with isSecret env vars and workload identity fields
plugins/aks-desktop/src/components/DeployWizard/components/DeployWizardPure.stories.tsx Updates stub config for new fields
plugins/aks-desktop/src/components/DeployWizard/components/ConfigureContainer.tsx Adds env var secret toggle/masking; adds workload identity step (create/select identity)
plugins/aks-desktop/src/components/DeployWizard/DeployWizard.tsx Threads Azure context + namespace into container configuration UI
plugins/aks-desktop/src/components/DeployTab/utils/extractContainerConfig.ts Adds round-trip support for secretKeyRef env vars and WI pod config detection
plugins/aks-desktop/src/components/DeployTab/utils/extractContainerConfig.test.ts Updates expected env var structure with isSecret
plugins/aks-desktop/src/components/DeployTab/components/ClusterDeployCard.tsx Threads Azure context into Deploy Wizard
Localize/locales/en/plugin-translation.json Updates localized strings set
Localize/locales/en/frontend-translation.json Adds new localized string key

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

Comment thread plugins/aks-desktop/src/components/DeployWizard/components/ConfigureContainer.tsx Outdated
Comment thread plugins/aks-desktop/src/utils/azure/identityWithRoles.ts Outdated
Comment thread plugins/aks-desktop/src/utils/azure/az-cli.ts Outdated
Comment thread plugins/aks-desktop/src/components/DeployWizard/components/ConfigureContainer.tsx Outdated
Comment thread plugins/aks-desktop/src/utils/azure/identityWithRoles.ts
Comment thread plugins/aks-desktop/src/components/DeployWizard/utils/yamlGenerator.ts Outdated
@gambtho gambtho force-pushed the thgamble/managedidentity branch from 63b2ba2 to e77bd6e Compare March 19, 2026 04:57
Copilot AI review requested due to automatic review settings March 19, 2026 05:19
@gambtho gambtho force-pushed the thgamble/managedidentity branch from e77bd6e to 4fcf525 Compare March 19, 2026 05:19
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR enhances the AKS Desktop deploy and GitHub pipeline wizards with Kubernetes secret-backed env vars, Azure Workload Identity setup, ACR selection/creation, and a more complete/accurate managed-identity role assignment matrix—extracting shared identity setup logic into reusable utilities.

Changes:

  • Add per-env-var “secret” handling (UI masking + YAML generation of Secret + valueFrom.secretKeyRef) and round-trip extraction support.
  • Add Workload Identity setup for deploy + pipeline flows (managed identity creation/selection, federated credential creation, ServiceAccount/pod config generation).
  • Add ACR support for pipeline creation and generalize identity role assignment to compute/assign the required multi-role set with correct scopes.

Reviewed changes

Copilot reviewed 49 out of 49 changed files in this pull request and generated 7 comments.

Show a summary per file
File Description
plugins/aks-desktop/src/utils/azure/identityWithRoles.ts New shared helper to ensure identity + compute/assign required roles.
plugins/aks-desktop/src/utils/azure/identityWithRoles.test.ts Unit tests for ensureIdentityWithRoles scenarios.
plugins/aks-desktop/src/utils/azure/identitySetup.ts New shared helper to ensure RG + managed identity existence.
plugins/aks-desktop/src/utils/azure/identitySetup.test.ts Unit tests for identity setup helper.
plugins/aks-desktop/src/utils/azure/identityRoles.ts New role-matrix computation for NS vs MNS, ACR, Azure RBAC.
plugins/aks-desktop/src/utils/azure/identityRoles.test.ts Unit tests for role computation logic.
plugins/aks-desktop/src/utils/azure/az-cli.ts Add ACR typing/listing, multi-role assignment, scope helpers, OIDC issuer lookup, MI listing, k8s federated credential creation, ACR creation.
plugins/aks-desktop/src/components/GitHubPipeline/utils/pipelineOrchestration.ts Add AZURE_ACR_NAME pipeline secret derivation.
plugins/aks-desktop/src/components/GitHubPipeline/utils/pipelineOrchestration.test.ts Update fixtures for env var isSecret field.
plugins/aks-desktop/src/components/GitHubPipeline/utils/agentTemplates.ts Add workload identity and ACR build/push instructions + config summary.
plugins/aks-desktop/src/components/GitHubPipeline/utils/agentTemplates.test.ts Update fixtures for env var isSecret field.
plugins/aks-desktop/src/components/GitHubPipeline/types.ts Extend PipelineConfig with ACR resource ID + login server.
plugins/aks-desktop/src/components/GitHubPipeline/hooks/useWorkloadIdentitySetup.ts Switch pipeline WI setup to shared ensureIdentityWithRoles; add new inputs (clusterName, ACR, MNS, Azure RBAC).
plugins/aks-desktop/src/components/GitHubPipeline/hooks/useWorkloadIdentitySetup.test.ts Update mocks/assertions for new shared role assignment path.
plugins/aks-desktop/src/components/GitHubPipeline/components/WorkloadIdentitySetup.tsx UI updates for new “assigning-roles” step and passing new WI config inputs.
plugins/aks-desktop/src/components/GitHubPipeline/components/WorkloadIdentitySetup.test.tsx Update props to include clusterName.
plugins/aks-desktop/src/components/GitHubPipeline/components/AcrSelector.tsx New component for selecting/creating/skipping an ACR.
plugins/aks-desktop/src/components/GitHubPipeline/fixtures/pipelineConfig.ts Extend container config fixture with isSecret and WI fields.
plugins/aks-desktop/src/components/GitHubPipeline/GitHubPipelineWizard.tsx Pass clusterName into WorkloadIdentitySetup.
plugins/aks-desktop/src/components/DeployWizard/utils/yamlGenerator.ts Generate Secret + secretKeyRef env vars; generate ServiceAccount + WI pod/serviceAccount config.
plugins/aks-desktop/src/components/DeployWizard/hooks/useDeployWorkloadIdentity.ts New deploy-flow WI hook using shared identity+roles and AKS OIDC issuer lookup.
plugins/aks-desktop/src/components/DeployWizard/hooks/useContainerConfiguration.ts Extend ContainerConfig with env var isSecret and WI fields + defaults.
plugins/aks-desktop/src/components/DeployWizard/components/DeployWizardPure.stories.tsx Update story fixture with new ContainerConfig fields.
plugins/aks-desktop/src/components/DeployWizard/components/ConfigureContainer.tsx Add env var secret toggle/masking and new Workload Identity step (create/select identity).
plugins/aks-desktop/src/components/DeployWizard/DeployWizard.tsx Thread Azure context into ConfigureContainer.
plugins/aks-desktop/src/components/DeployTab/utils/extractContainerConfig.ts Round-trip env var secretKeyRef + detect WI label/serviceAccountName.
plugins/aks-desktop/src/components/DeployTab/utils/extractContainerConfig.test.ts Update expected env var shape with isSecret.
plugins/aks-desktop/src/components/DeployTab/components/ClusterDeployCard.tsx Pass azureContext into DeployWizard from cluster context.
plugins/aks-desktop/locales/zh-Hans/translation.json Add/update translations for new WI/ACR/secret strings and wording changes.
plugins/aks-desktop/locales/tr/translation.json Add/update translations for new WI/ACR/secret strings and wording changes.
plugins/aks-desktop/locales/sv/translation.json Add/update translations for new WI/ACR/secret strings and wording changes.
plugins/aks-desktop/locales/pt-PT/translation.json Add/update translations for new WI/ACR/secret strings and wording changes.
plugins/aks-desktop/locales/nl/translation.json Add/update translations for new WI/ACR/secret strings and wording changes.
plugins/aks-desktop/locales/id/translation.json Add/update translations for new WI/ACR/secret strings and wording changes.
plugins/aks-desktop/locales/hu/translation.json Add/update translations for new WI/ACR/secret strings and wording changes.
plugins/aks-desktop/locales/en/translation.json Add English strings for WI/ACR/secret UI and updated wording.
Localize/locales/en/plugin-translation.json Update localization keys for new strings and removed/renamed ones.
Localize/locales/en/frontend-translation.json Add new frontend localization key (“Debug Image”).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

Comment thread plugins/aks-desktop/src/components/DeployWizard/utils/yamlGenerator.ts Outdated
Comment thread plugins/aks-desktop/src/components/DeployWizard/utils/yamlGenerator.ts Outdated
Comment thread plugins/aks-desktop/src/components/DeployWizard/components/ConfigureContainer.tsx Outdated
Comment thread plugins/aks-desktop/src/components/DeployWizard/components/ConfigureContainer.tsx Outdated
Comment thread plugins/aks-desktop/src/utils/azure/az-cli.ts Outdated
Comment thread plugins/aks-desktop/src/components/GitHubPipeline/components/AcrSelector.tsx Outdated
@gambtho gambtho force-pushed the thgamble/managedidentity branch from 4fcf525 to ef6d10d Compare March 19, 2026 10:14
Copilot AI review requested due to automatic review settings March 20, 2026 19:53
@gambtho gambtho force-pushed the thgamble/managedidentity branch from ef6d10d to 353ba15 Compare March 20, 2026 19:53
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds shared Azure identity + role assignment utilities and integrates workload identity, per-env-var secrets, and optional ACR support into the Deploy Wizard and GitHub Pipeline flows (per #467).

Changes:

  • Introduces reusable identity setup utilities (ensureIdentityAndResourceGroup, ensureIdentityWithRoles) and role computation (computeRequiredRoles).
  • Extends Deploy Wizard YAML generation to emit Secret + secretKeyRef for secret env vars, and optionally emits ServiceAccount + WI pod wiring.
  • Updates GitHub Pipeline workflow instructions and secret creation to account for workload identity and ACR configuration.

Reviewed changes

Copilot reviewed 29 out of 29 changed files in this pull request and generated 8 comments.

Show a summary per file
File Description
plugins/aks-desktop/src/utils/azure/identityWithRoles.ts Shared “ensure identity + assign required roles” utility used across flows.
plugins/aks-desktop/src/utils/azure/identityWithRoles.test.ts Unit tests for identity+roles orchestration.
plugins/aks-desktop/src/utils/azure/identitySetup.ts Shared “ensure RG + ensure identity” building block.
plugins/aks-desktop/src/utils/azure/identitySetup.test.ts Unit tests for RG/identity setup logic.
plugins/aks-desktop/src/utils/azure/identityRoles.ts Computes required Azure RBAC role assignments for NS vs MNS + optional ACR.
plugins/aks-desktop/src/utils/azure/identityRoles.test.ts Unit tests covering role matrix composition.
plugins/aks-desktop/src/utils/azure/az-cli.ts Adds ACR typing + create ACR, cluster scope helper, multi-role assignment, OIDC issuer lookup, managed identity listing, K8s federated credential creation.
plugins/aks-desktop/src/components/DeployWizard/utils/yamlGenerator.ts Emits Secret + secretKeyRef for secret env vars; emits ServiceAccount + WI pod wiring.
plugins/aks-desktop/src/components/DeployWizard/hooks/useDeployWorkloadIdentity.ts New hook to configure workload identity for Deploy Wizard via shared identity+roles utility.
plugins/aks-desktop/src/components/DeployWizard/hooks/useContainerConfiguration.ts Extends ContainerConfig for isSecret env vars and WI fields.
plugins/aks-desktop/src/components/DeployWizard/components/ConfigureContainer.tsx UI support for per-var secrets + new Workload Identity step (create/select identity).
plugins/aks-desktop/src/components/DeployWizard/DeployWizard.tsx Threads Azure context + namespace into container configuration UI.
plugins/aks-desktop/src/components/DeployTab/utils/extractContainerConfig.ts Round-trips secretKeyRef env vars and detects WI label/serviceAccountName.
plugins/aks-desktop/src/components/DeployTab/components/ClusterDeployCard.tsx Passes Azure context into DeployWizard for WI setup.
plugins/aks-desktop/src/components/GitHubPipeline/hooks/useWorkloadIdentitySetup.ts Refactors to use shared ensureIdentityWithRoles; status renamed to assigning-roles.
plugins/aks-desktop/src/components/GitHubPipeline/components/WorkloadIdentitySetup.tsx UI text/step updates for multi-role assignment; threads additional config fields.
plugins/aks-desktop/src/components/GitHubPipeline/utils/agentTemplates.ts Adds workload identity and ACR build/push instructions to generated agent docs.
plugins/aks-desktop/src/components/GitHubPipeline/utils/pipelineOrchestration.ts Adds AZURE_ACR_NAME secret creation based on selected ACR.
plugins/aks-desktop/src/components/GitHubPipeline/types.ts Adds acrResourceId/acrLoginServer to PipelineConfig.
plugins/aks-desktop/src/components/GitHubPipeline/components/AcrSelector.tsx New UI component to select/create/skip ACR for pipelines.
plugins/aks-desktop/src/components/GitHubPipeline/GitHubPipelineWizard.tsx Passes clusterName into workload identity setup step.
Localize/locales/en/plugin-translation.json Adds i18n strings for secrets/WI/ACR UI text.
Comments suppressed due to low confidence (1)

plugins/aks-desktop/src/components/GitHubPipeline/GitHubPipelineWizard.tsx:244

  • WorkloadIdentitySetup now accepts acrResourceId, isManagedNamespace, namespaceName, and azureRbacEnabled to compute/assign the correct role matrix, but the wizard doesn’t pass any of these (only clusterName). This means identity setup will miss ACR roles and may scope AKS roles incorrectly. Please thread the needed values into this component (or drop the unused props and keep the role computation local until wiring is complete).
      case 'WorkloadIdentitySetup': {
        if (!selectedRepo) return <LoadingSpinner message={t('Loading...')} />;
        return (
          <WorkloadIdentitySetup
            subscriptionId={subscriptionId}
            resourceGroup={resourceGroup}
            clusterName={clusterName}
            repo={selectedRepo}
            identitySetup={identitySetup}
            projectName={resolvedProjectName ?? namespace}
          />

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread plugins/aks-desktop/src/components/DeployWizard/components/ConfigureContainer.tsx Outdated
Comment thread plugins/aks-desktop/src/components/DeployWizard/components/ConfigureContainer.tsx Outdated
Comment thread plugins/aks-desktop/src/components/DeployWizard/utils/yamlGenerator.ts Outdated
Comment thread plugins/aks-desktop/src/components/DeployWizard/utils/yamlGenerator.ts Outdated
Comment thread plugins/aks-desktop/src/components/DeployWizard/utils/yamlGenerator.ts Outdated
Comment thread plugins/aks-desktop/src/components/GitHubPipeline/utils/pipelineOrchestration.ts Outdated
Copilot AI review requested due to automatic review settings March 20, 2026 20:53
@gambtho gambtho force-pushed the thgamble/managedidentity branch from feea0b5 to e2d2605 Compare March 20, 2026 20:53
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 29 out of 29 changed files in this pull request and generated 5 comments.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread plugins/aks-desktop/src/components/DeployWizard/utils/yamlGenerator.ts Outdated
Comment thread plugins/aks-desktop/src/components/DeployWizard/utils/yamlGenerator.ts Outdated
Comment thread plugins/aks-desktop/src/components/DeployWizard/utils/yamlGenerator.ts Outdated
Comment thread plugins/aks-desktop/src/components/DeployWizard/components/ConfigureContainer.tsx Outdated
Comment thread plugins/aks-desktop/src/components/DeployTab/components/ClusterDeployCard.tsx Outdated
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 51 out of 68 changed files in this pull request and generated 1 comment.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread plugins/aks-desktop/src/utils/azure/az-identity.ts
@gambtho gambtho force-pushed the thgamble/managedidentity branch from adc3bf8 to 9d9e68b Compare March 24, 2026 02:46
@gambtho gambtho requested a review from sniok March 25, 2026 13:54
gambtho added 8 commits March 25, 2026 10:12
Extract identity management, federated credentials, and container
registry operations into focused modules instead of growing az-cli.ts:

- az-identity.ts: managed identity CRUD, role assignment, namespace
  resource ID lookup
- az-federation.ts: GitHub Actions and K8s service account federated
  credentials, OIDC issuer URL retrieval
- az-acr.ts: container registry creation with validation
- k8sNames.ts: DNS-1123 label helpers (sanitizeDnsName, normalizeK8sName,
  sanitizeLabelValue)
- serviceAccountNames.ts: derives K8s ServiceAccount names from app names

Also exports getContainerRegistries and getClusterCapabilities from
az-cli.ts for use by the new ACR and namespace capability features.
Add the shared orchestration layer used by both the Deploy Wizard and
GitHub Pipeline flows for workload identity provisioning:

- identityRoles.ts: computes required Azure RBAC roles based on whether
  the target is a normal or managed namespace, using a discriminated
  union (NormalNamespaceRoleContext | ManagedNamespaceRoleContext) to
  enforce managedNamespaceResourceId at compile time
- identitySetup.ts: ensures resource group and managed identity exist,
  creating them if needed
- identityWithRoles.ts: composes identity setup with role assignment
- useNamespaceCapabilities.ts: hook that detects managed namespace
  status and Azure RBAC enablement in parallel, aggregating errors
  from both API calls
Extend ContainerConfig with workload identity fields (enableWorkloadIdentity,
workloadIdentityClientId, workloadIdentityServiceAccount) and update
the YAML generator to emit ServiceAccount manifests with the
azure.workload.identity/client-id annotation and pod-level WI labels.

- useContainerConfiguration: add WI fields and WORKLOAD_IDENTITY step
- yamlGenerator: emit ServiceAccount when WI is enabled with a client
  ID; preserve pod-level WI config even without client ID (edit flows)
- extractContainerConfig: read WI labels and serviceAccountName from
  existing deployments for edit-flow pre-population
- Update test fixtures and storybook for new config fields
Break the monolithic ConfigureContainer component (~1700 lines) into
focused per-step components, each independently maintainable:

- BasicsStep: app name, container image, replicas
- NetworkingStep: ports, service type
- HealthchecksStep: liveness, readiness, startup probes
- ResourcesStep: CPU/memory requests and limits
- EnvVarsStep: plain and secret environment variables
- HpaStep: horizontal pod autoscaler configuration
- AdvancedStep: security context, anti-affinity, topology spread
- configureContainerUtils: shared LabelWithInfo component,
  ContainerConfigProp and DeployAzureContext types, ENV_VAR_KEY_PATTERN

ConfigureContainer is now a thin Stepper shell that renders each step.
Add the ability to configure Azure Workload Identity directly from the
Deploy Wizard, creating or selecting a managed identity with the
correct RBAC roles and K8s federated credentials:

- useDeployWorkloadIdentity: hook that orchestrates identity creation,
  role assignment, OIDC issuer lookup, and K8s federated credential
  creation via the shared identityWithRoles utility
- WorkloadIdentityStep: UI for creating new or selecting existing
  managed identities, with validation using isValidAzResourceName
- DeployWizard/ClusterDeployCard: thread azureContext prop through
  to ConfigureContainer, using useNamespaceCapabilities to detect
  managed namespace and Azure RBAC status
Add Azure Container Registry selection and creation to the GitHub
Pipeline wizard, enabling ACR-based container image builds:

- AcrSelector: component for browsing existing registries, creating
  new ones, or skipping ACR configuration
- PipelineConfig.acrResourceId/acrLoginServer: new optional fields
- agentTemplates: include ACR login server in agent config when set
- pipelineOrchestration: pass ACR secrets to GitHub repo configuration
Replace the GitHub Pipeline's inline identity provisioning with the
shared ensureIdentityWithRoles utility, adding ACR role support and
managed namespace awareness:

- useWorkloadIdentitySetup: delegate to ensureIdentityWithRoles for
  identity creation and role assignment, use sanitizeDnsName for
  identity name derivation
- WorkloadIdentitySetup: pass ACR, managed namespace, and Azure RBAC
  context through to the setup hook
- GitHubPipelineWizard: thread namespace capabilities to identity setup
- useDeploymentHealth: import sanitizeLabelValue from shared k8sNames
Copilot AI review requested due to automatic review settings March 25, 2026 14:12
@gambtho gambtho force-pushed the thgamble/managedidentity branch from 9d9e68b to 3ca6e4f Compare March 25, 2026 14:12
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 51 out of 68 changed files in this pull request and generated 4 comments.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread plugins/aks-desktop/src/utils/azure/identityWithRoles.ts
Comment thread plugins/aks-desktop/src/utils/azure/az-acr.ts Outdated
sniok
sniok previously approved these changes Mar 25, 2026
@gambtho
Copy link
Copy Markdown
Collaborator Author

gambtho commented Mar 25, 2026

found an issue with the acr selection, fixing now

Copilot AI review requested due to automatic review settings March 25, 2026 15:33
@gambtho gambtho force-pushed the thgamble/managedidentity branch from 6249c20 to cbd12c5 Compare March 25, 2026 15:37
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 56 out of 73 changed files in this pull request and generated 4 comments.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread plugins/aks-desktop/src/hooks/useNamespaceCapabilities.ts
Comment thread plugins/aks-desktop/src/utils/azure/identitySetup.ts
Comment thread plugins/aks-desktop/src/utils/kubernetes/serviceAccountNames.ts
@gambtho gambtho force-pushed the thgamble/managedidentity branch from cbd12c5 to 87372fc Compare March 25, 2026 15:43
Copilot AI review requested due to automatic review settings March 25, 2026 16:27
@gambtho gambtho force-pushed the thgamble/managedidentity branch from 87372fc to 3cf490d Compare March 25, 2026 16:27
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 56 out of 73 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (6)

plugins/aks-desktop/src/components/GitHubPipeline/components/AcrSelector.tsx:1

  • getResourceGroupLocation()can return an empty/undefined location (the identity setup flow in this PR explicitly guards for this), but AcrSelector passeslocationstraight intocreateContainerRegistry. Add an explicit check (and user-facing error) when locationis falsy before callingcreateContainerRegistry`, so the failure is deterministic and actionable.
    plugins/aks-desktop/src/components/GitHubPipeline/components/AcrSelector.tsx:1
  • On initial render selectedValue is set to '' when no ACR is selected, but there is no <MenuItem value="">... option. MUI Select typically logs an “out-of-range value” warning and may render inconsistently. Consider adding an explicit empty option (e.g., “Select a registry…”) using displayEmpty, or initialize selectedValue to SKIP_VALUE/CREATE_NEW_VALUE depending on intended default behavior.
    plugins/aks-desktop/src/components/GitHubPipeline/utils/pipelineOrchestration.ts:1
  • The error message hard-codes the azurecr.io suffix, but ACR login servers can vary by cloud (e.g., azurecr.us, azurecr.cn). Since the derivation logic only needs a non-empty first DNS label, consider making the message suffix-agnostic (e.g., “Expected format: .”) or validating against *.azurecr.* if that’s the intent.
    plugins/aks-desktop/src/utils/kubernetes/serviceAccountNames.ts:1
  • The || 'app-sa' fallback is effectively unreachable because normalizeK8sName() delegates to sanitizeDnsName() which already provides a non-empty fallback ('app'). This also makes the JSDoc and behavior diverge for edge cases (e.g., empty appName yields sa, not app-sa). Consider either (a) letting callers pass an explicit fallback and wiring it through sanitizeDnsName, or (b) removing the unreachable fallback and updating the comment to match the actual behavior.
    plugins/aks-desktop/src/hooks/useNamespaceCapabilities.ts:1
  • On API rejection, the hook sets isManagedNamespace to false, which can misclassify a managed namespace as “regular” during transient/auth/network failures. Since this value is used to drive role scope selection (MNS vs cluster scope), misclassification can lead to incorrect role assignments and downstream failures that are harder to diagnose. Consider keeping isManagedNamespace as undefined on rejection (indeterminate) and forcing the caller UI to block/ask the user to retry when capabilities can’t be resolved.
    plugins/aks-desktop/src/components/GitHubPipeline/components/AcrSelector.tsx:1
  • The helper text says “5-50 alphanumeric characters”, but the validation (ACR_NAME_PATTERN) requires lowercase alphanumeric only. Updating the helper text to explicitly mention lowercase would make the UI guidance consistent with the actual rules and prevent confusion.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@sniok sniok merged commit 80e9749 into Azure:main Mar 25, 2026
12 of 13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add secrets support and workload identity to Deploy application flow

3 participants