Add support for Azure AD workload identity
The gitlab-runner container in AKS using the Azure fleeting plugin does not correctly use the credentials that are generated by Azure AD Workload Identity.
This is the error that is generated when trying to use the service account's credentials to reach the VMSS resource:
WARNING: Failed to process runner builds=0 error=failed to update executor: initializing taskscaler: creating taskscaler: initializing provisioner: instance group init: rpc error: code = Unknown desc = getting scale set size: DefaultAzureCredential authentication failed
GET http://169.254.169.254/metadata/identity/oauth2/token
--------------------------------------------------------------------------------
RESPONSE 400 Bad Request
--------------------------------------------------------------------------------
{
"error": "invalid_request",
"error_description": "Identity not found"
}
--------------------------------------------------------------------------------
executor=docker-autoscaler max_builds=20 runner=rZDN-DQyj
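The log above shows the credential chain ending at the IMDS endpoint (169.254.169.254), which is the managed-identity path the Azure SDK's DefaultAzureCredential falls back to when it finds no usable credential in the pod's environment. Workload identity instead relies on three variables injected by the workload identity webhook (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE) and a projected service account token with audience api://AzureADTokenExchange. The following is an added diagnostic, not code from gitlab-runner or the fleeting plugin: it checks whether the runner pod actually carries a complete workload identity environment and an unexpired, correctly-audienced token, so that a missing webhook injection can be told apart from a plugin that ignores it. The sample token, issuer and subject values are constructed for the stand-alone run; the environment variable names and the default audience are the real ones documented for Azure AD Workload Identity.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"strings"
	"time"
)

// Names of the variables the Azure AD Workload Identity mutating webhook
// injects into a pod whose service account is annotated for it. The Azure
// SDK's WorkloadIdentityCredential reads exactly these names.
const (
	envClientID  = "AZURE_CLIENT_ID"
	envTenantID  = "AZURE_TENANT_ID"
	envTokenFile = "AZURE_FEDERATED_TOKEN_FILE"

	// Default audience the projected token is minted for; Azure AD expects
	// it when exchanging the token for an access token.
	expectedAudience = "api://AzureADTokenExchange"
)

// FederatedClaims holds the claims from the projected service account token
// that matter when diagnosing a failed exchange.
type FederatedClaims struct {
	Issuer   string
	Subject  string
	Audience []string
	Expiry   time.Time
}

// ParseFederatedToken decodes a JWT payload without verifying the signature:
// this is a local diagnostic (who issued it, for which audience, until when),
// not a trust decision; Azure AD verifies the signature against the
// cluster's OIDC issuer.
func ParseFederatedToken(raw string) (FederatedClaims, error) {
	parts := strings.Split(strings.TrimSpace(raw), ".")
	if len(parts) != 3 {
		return FederatedClaims{}, fmt.Errorf("token has %d segments, want 3", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return FederatedClaims{}, fmt.Errorf("decoding payload: %w", err)
	}
	// "aud" may be a string or an array in a Kubernetes projected token.
	var body struct {
		Iss string          `json:"iss"`
		Sub string          `json:"sub"`
		Aud json.RawMessage `json:"aud"`
		Exp int64           `json:"exp"`
	}
	if err := json.Unmarshal(payload, &body); err != nil {
		return FederatedClaims{}, fmt.Errorf("parsing payload: %w", err)
	}
	var aud []string
	if len(body.Aud) > 0 {
		var single string
		if json.Unmarshal(body.Aud, &single) == nil {
			aud = []string{single}
		} else if err := json.Unmarshal(body.Aud, &aud); err != nil {
			return FederatedClaims{}, fmt.Errorf("parsing aud: %w", err)
		}
	}
	return FederatedClaims{Issuer: body.Iss, Subject: body.Sub, Audience: aud, Expiry: time.Unix(body.Exp, 0)}, nil
}

// CheckWorkloadIdentity returns the first reason the pod's environment cannot
// yield a workload identity credential, or nil when everything the SDK needs
// is present. The environment lookup and file reader are injected so the
// check can also run against a constructed environment.
func CheckWorkloadIdentity(getenv func(string) string, readFile func(string) ([]byte, error), now time.Time) error {
	for _, name := range []string{envClientID, envTenantID, envTokenFile} {
		if getenv(name) == "" {
			return fmt.Errorf("%s is not set: the workload identity webhook did not inject it (service account annotation or pod label missing?)", name)
		}
	}
	raw, err := readFile(getenv(envTokenFile))
	if err != nil {
		return fmt.Errorf("reading projected token: %w", err)
	}
	claims, err := ParseFederatedToken(string(raw))
	if err != nil {
		return err
	}
	if !now.Before(claims.Expiry) {
		return fmt.Errorf("projected token expired at %s", claims.Expiry.UTC().Format(time.RFC3339))
	}
	for _, a := range claims.Audience {
		if a == expectedAudience {
			return nil
		}
	}
	return fmt.Errorf("token audience %v does not include %s", claims.Audience, expectedAudience)
}

// BuildUnsignedToken assembles a JWT-shaped string with a dummy signature.
// It exists only to construct sample input; a real projected token is
// signed by the cluster's service account issuer.
func BuildUnsignedToken(claims map[string]any) string {
	header, _ := json.Marshal(map[string]string{"alg": "none", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding.EncodeToString
	return enc(header) + "." + enc(payload) + ".sig"
}

func main() {
	// Inside the runner pod this reads the real environment and token file.
	if err := CheckWorkloadIdentity(os.Getenv, os.ReadFile, time.Now()); err != nil {
		fmt.Println("workload identity not usable:", err)
		return
	}
	fmt.Println("workload identity environment looks complete; if IMDS is still contacted, the SDK in use is not honouring it")
}
```

If this reports a complete environment from inside the gitlab-runner pod (as the separate Azure CLI pod in this report suggests it would), the fault lies with the credential chain the plugin builds rather than with the cluster configuration; if it reports a missing variable or a wrong audience, the webhook injection is what needs fixing.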
- When I use a ServicePrincipal with classic credentials and expose the variables, it connects correctly.
- The permissions are the same for the two different types of authentication.
- I also tested with another pod using the Azure CLI and the service account credentials, and it worked correctly.
Edited by Mario Pardo