Azure China Workload Identity unsupported (issuer mismatch)

[noel-vincent-cde]

• Trying to upgrade ESO to 1.0.0
• Created a Clustersecretstore for China Env with workload identity as per the CRD to Azure Key Vaults with Service account as reference

apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: kv-abc-keyvault
spec:
  controller: ""
  provider:
    azurekv:
      authType: WorkloadIdentity
      environmentType: ChinaCloud
      vaultUrl: https://kv-abc-keyvault.vault.azure.cn
      serviceAccountRef:
        name: example
        namespace: test

apiVersion: v1
kind: ServiceAccount
metadata:
    name: example
    namespace: test
    annotations:
        azure.workload.identity/client-id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        azure.workload.identity/tenant-id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    labels:
        azure.workload.identity/use: "true"

• But clustersecret store is showing error (The tenant ID is correct. I have confirmed)

unable to resolve an endpoint: ResolveEndpoints(): TenantDiscoveryResponse: issuer from OIDC discovery 'https://login.partner.microsoftonline.cn/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/v2.0' does not match authority 'https://login.chinacloudapi.cn/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx/' or a known pattern

• AKS in Azure China uses the OIDC issuer https://login.partner.microsoftonline.cn/<tenant>/v2.0, but ESO ChinaCloud environment hardcodes the Azure AD authority https://login.chinacloudapi.cn.

• CRD does not expose fields like: aadEndpoint servicePrincipalEndpoint resourceManagerEndpoint So it is currently impossible to use Workload Identity in Azure China.

• Is it possible to fix this?

• Or possible to add support for overriding AAD endpoints for Azure China, or update the ChinaCloud configuration to match the AKS Workload Identity issuer (login.partner.microsoftonline.cn)

[Skarlso]

It should be possible to add extra, optional fields and then set those if the SDK permits it.

[gusfcarvalho]

I wonder what caused the regression here 🤔

[Skarlso]

@gusfcarvalho What do you mean regression? Was this working at some point? :)

In that case, most likely candidate is the switch to the new SDK.

[gusfcarvalho]

Nvm me - the user editted the info where "It worked on 0.9"

[noel-vincent-cde]

@gusfcarvalho @Skarlso

• We were using version 0.9.13 and there were no issues. Everything was working fine as expected.
• We wanted to upgrade ESO as we were using old version. So we tried upgrading to version 0.16.1 (currently we are using 0.16.1), however we are getting error in China intermittently
• Error

InvalidProviderConfig
unable to resolve an endpoint: server response error: Get "https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=https%3A%2F%2Flogin.chinacloudapi.cn%2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx%2Foauth2%2Fv2.0%2Fauthorize": context deadline exceeded

• Since we are getting this error and also as there was latest major version 1.0.0 available, we thought of upgrading to the same hoping it would fix the intermittent error but unfortunately it is not working and showing issues as I mentioned in the first update :)

[Skarlso]

0.9.13..0.16.1 has so many changes. But 1.0.0 had aws sdk 2 migration. So there is that also.

I'm going to need you to confirm to atleast going from one version to another breaking change. so like 0.9.14 or 0.10.0 even. Something more closer to pinpoint the location better to look for changes.

[noel-vincent-cde]

Sure, we will try to update to 0.9.14 or 0.10.0 from 0.9.13 and update you.

[mdmsua]

Hi @noel-vincent-cde, I've just faced exctly the same issue as yours, had to workaround it with the custom cloud config until the official fix:

azurekv:
  authType: WorkloadIdentity
  environmentType: AzureStackCloud # instead of ChinaCloud
  useAzureSDK: true
  vaultUrl: ...
  customCloudConfig:
    activeDirectoryEndpoint: https://login.partner.microsoftonline.cn/
    keyVaultEndpoint: https://vault.azure.cn/
    resourceManagerEndpoint: https://management.core.chinacloudapi.cn/

[noel-vincent-cde]

Oh okay. Thank you @mdmsua I will try this as well and will provide an update :)

[noel-vincent-cde]

I have tested and using useAzureSDK as mentioned by @mdmsua

This is working fine till now

[Skarlso]

So, it looks like the old SDK was using a different active directory endpoint that was working fine. And then there was an update that was trying to access the global active directory endpoint and that's what caused the mismatch.

As @mdmsua pointed out the "fix" is actually to expose the active directory link to make it customizable.

I'll push a PR that exposes this config instead of relying on the SDK values.