Support for Azure workload identity in AKS and Arc clusters (#141) #508

Merged: elookpotts-nvidia merged 1 commit into release/6.1 from elookpotts/cp-azure-iam on Feb 24, 2026
@elookpotts-nvidia
Contributor

Cherry-pick #141

  • feat(src): add Azure service account and extra pod labels configuration
      - implement service account creation with customizable name and annotations
      - enhance service templates to support extra pod labels for various services
      - update Azure backend to utilize DefaultAzureCredential for authentication
      - add tests for Azure credential extraction and client creation

  • feat(src): extract account key from connection string for Azure Blob Storage
      - add function to extract AccountKey from connection string
      - update AzureBlobStorageClient to handle different credential types

  • feat(test): add tests for account key extraction from Azure connection strings

  • chore: clean up linting issues for tests

  • refactor(src): update data credential types in PostgresConnector and TaskGroup
      - change StaticDataCredential to DataCredential in get_all_data_creds method
      - update fetch_creds function signature to use DataCredential

  • feat(src): update Azure client creation to include storage account and account URL
      - remove deprecated storage account extraction function
      - modify create_client to accept storage_account and account_url parameters
      - update AzureBlobStorageClientFactory to use new parameters
      - adjust tests to reflect changes in client creation

🔒 - Generated by Copilot

  • refactor(src): mark storage_account parameter as unused in create_client function

🔧 - Generated by Copilot

  • refactor(src): remove unused storage_account parameter from client creation

🔧 - Generated by Copilot

Description

Issue #None

Checklist

  • I am familiar with the Contributing Guidelines.
  • New or existing tests cover these changes.
  • The documentation is up to date with these changes.

elookpotts-nvidia requested a review from a team February 24, 2026 19:08
elookpotts-nvidia requested a review from a team as a code owner February 24, 2026 19:08
elookpotts-nvidia enabled auto-merge (squash) February 24, 2026 19:13
elookpotts-nvidia merged commit 0e00e84 into release/6.1 Feb 24, 2026
10 checks passed
elookpotts-nvidia deleted the elookpotts/cp-azure-iam branch February 24, 2026 19:13
vvnpn-nv added a commit that referenced this pull request May 26, 2026
* release notes: 6.3.0 — add workload identity support

PR #508 (Feb 2026) added a cloud-neutral workload-identity hook to the
service chart — top-level serviceAccount block (create, name, annotations)
plus per-component extraPodLabels on agent, api, worker, logger, router,
and delayedJobMonitor. The Azure storage backend gained DefaultAzureCredential
fallback in the same PR; the S3 backend already supported keyless auth via
boto3's default credential chain.

End-to-end this enables:
- Azure: AKS Workload Identity / Arc clusters via UAMI annotation + WI label
- AWS: EKS IRSA / Pod Identity via role-arn annotation

GCS/Swift/TOS backends still require static credentials — flagged as a
caveat so users don't assume keyless works everywhere.

These were in 6.3.0 code but missing from the release notes — adding a
Highlights bullet and a detailed Helm Charts entry.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* update

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
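
An added illustration (not code from this PR or the project) of the credential choice the commit messages above describe: use the AccountKey from a connection string when one is present, otherwise fall back to DefaultAzureCredential so the pod's workload identity is used. `AzureAuthChoice`, `choose_auth`, `build_blob_client` and the sample connection string are assumptions made for the example; `build_blob_client` needs azure-storage-blob and azure-identity installed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample; the account name and key are made up.
SAMPLE_CONN_STR = ("DefaultEndpointsProtocol=https;AccountName=constructedacct;"
                   "AccountKey=ZXhhbXBsZQ==;EndpointSuffix=core.windows.net")


@dataclass(frozen=True)
class AzureAuthChoice:  # hypothetical type, not the project's
    mode: str  # "shared_key" or "default_credential"
    account_url: str
    account_key: Optional[str] = field(default=None, repr=False)  # keep key out of logs


def parse_connection_string(conn_str: str) -> dict:
    """Split 'Name=Value;' pairs. Keys are base64 and may end in '=',
    so each pair is split on its first '=' only."""
    fields = {}
    for pair in conn_str.split(";"):
        if not pair.strip():
            continue
        name, sep, value = pair.partition("=")
        if not sep:
            raise ValueError("malformed connection string segment")
        fields[name.strip().lower()] = value.strip()
    return fields


def choose_auth(conn_str: Optional[str], account_url: Optional[str] = None) -> AzureAuthChoice:
    """Prefer an explicit AccountKey; with none, select keyless auth."""
    fields = parse_connection_string(conn_str) if conn_str else {}
    if not account_url:
        if "accountname" not in fields:
            raise ValueError("need account_url or AccountName")
        suffix = fields.get("endpointsuffix", "core.windows.net")
        account_url = f"https://{fields['accountname']}.blob.{suffix}"
    key = fields.get("accountkey")
    if key:
        return AzureAuthChoice("shared_key", account_url, key)
    return AzureAuthChoice("default_credential", account_url)


def build_blob_client(choice: AzureAuthChoice):
    """Build a BlobServiceClient for the chosen mode (imports the Azure SDK lazily)."""
    from azure.storage.blob import BlobServiceClient
    if choice.mode == "shared_key":
        return BlobServiceClient(account_url=choice.account_url, credential=choice.account_key)
    from azure.identity import DefaultAzureCredential
    return BlobServiceClient(account_url=choice.account_url, credential=DefaultAzureCredential())
```
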