azure: Add Workload Identity support

cmd/kops/integration_test.go

@@ -330,6 +330,17 @@ func TestMinimalAzure(t *testing.T) {
 		runTestTerraformAzure(t)
 }
 
+// TestMinimalAzureWi runs the test on a minimum Azure configuration with
+// Workload Identity (useServiceAccountExternalPermissions) enabled. This pins
+// the rendered CCM and azuredisk-csi addon manifests on the workload-identity
+// branch so future refactors can't silently break the aadClientID secret or
+// the projected ServiceAccountToken volume.
+func TestMinimalAzureWi(t *testing.T) {
+	newIntegrationTest("minimal-azure.example.com", "minimal_azure_wi").
+		withVersion("v1alpha3").
+		runTestTerraformAzure(t)
+}
+
 // TestMinimal_NoneDNS runs the test on a minimum configuration with --dns=none
 func TestMinimal_NoneDNS(t *testing.T) {
 	newIntegrationTest("minimal.example.com", "minimal-dns-none").

go.mod

@@ -11,6 +11,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3 v3.0.0-beta.2
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi v1.3.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.1

go.sum

@@ -28,6 +28,8 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.1.0 h1:2qsI
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.1.0/go.mod h1:AW8VEadnhw9xox+VaVd9sP7NjzOAnaZBLRH6Tq3cJ38=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/managementgroups/armmanagementgroups v1.0.0 h1:pPvTJ1dY0sA35JOeFq6TsY2xj6Z85Yo23Pj4wCCvu4o=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/managementgroups/armmanagementgroups v1.0.0/go.mod h1:mLfWfj8v3jfWKsL9G4eoBoXVcsqcIUTapmdKy7uGOp0=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi v1.3.0 h1:L7G3dExHBgUxsO3qpTGhk/P2dgnYyW48yn7AO33Tbek=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi v1.3.0/go.mod h1:Ms6gYEy0+A2knfKrwdatsggTXYA2+ICKug8w7STorFw=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0 h1:QM6sE5k2ZT/vI5BEe0r7mqjsUSnhVBFbOsVkEuaEfiA=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0/go.mod h1:243D9iHbcQXoFUtgHJwL7gl2zx1aDuDMjvBZVGr2uW0=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0 h1:Dd+RhdJn0OTtVGaeDLZpcumkIVCtA/3/Fo42+eoYvVM=

pkg/apis/kops/cluster.go

@@ -18,6 +18,7 @@ package kops
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/blang/semver/v4"
 	corev1 "k8s.io/api/core/v1"
@@ -922,15 +923,31 @@ func (c *Cluster) AzureRouteTableName() string {
 	return c.Name
 }
 
-// AzureNetworkSecurityGroupName returns the name of the network security group for the cluster.
-// The NSG shares its name with the virtual network.
-func (c *Cluster) AzureNetworkSecurityGroupName() string {
+// AzureNetworkName returns the name of the Azure Virtual Network for the cluster.
+// If Networking.NetworkID is set (shared network), that is used; otherwise the
+// cluster name is used.
+func (c *Cluster) AzureNetworkName() string {
 	if c.Spec.Networking.NetworkID != "" {
 		return c.Spec.Networking.NetworkID
 	}
 	return c.Name
 }
 
+// AzureNetworkSecurityGroupName returns the name of the network security group for the cluster.
+// The NSG shares its name with the virtual network; callers relying on this invariant
+// should prefer this helper over re-deriving the name inline.
+func (c *Cluster) AzureNetworkSecurityGroupName() string {
+	return c.AzureNetworkName()
+}
+
+// AzureWorkloadIdentityName returns the name of the User-Assigned Managed Identity
+// used for Azure Workload Identity. Both the pre-flight in apply_cluster.go and the
+// task-graph entry in the azuremodel must compute the identical string — callers
+// should delegate here rather than re-deriving it inline.
+func (c *Cluster) AzureWorkloadIdentityName() string {
+	return "wi-" + strings.ReplaceAll(c.Name, ".", "-")
+}
+
 func (c *Cluster) PublishesDNSRecords() bool {
 	if c.UsesNoneDNS() || dns.IsGossipClusterName(c.Name) {
 		return false

pkg/apis/kops/componentconfig.go

@@ -958,6 +958,10 @@ type AzureSpec struct {
 	RouteTableName string `json:"routeTableName,omitempty"`
 	// AdminUser specifies the admin user of VMs.
 	AdminUser string `json:"adminUser,omitempty"`
+	// WorkloadIdentityClientID is the client ID of the User-Assigned Managed Identity
+	// used for Azure Workload Identity. This is populated automatically by kops
+	// when UseServiceAccountExternalPermissions is enabled.
+	WorkloadIdentityClientID string `json:"workloadIdentityClientID,omitempty"`
 }
 
 // CloudConfiguration defines the cloud provider configuration

pkg/apis/kops/v1alpha2/componentconfig.go

@@ -964,6 +964,10 @@ type AzureSpec struct {
 	RouteTableName string `json:"routeTableName,omitempty"`
 	// AdminUser specifies the admin user of VMs.
 	AdminUser string `json:"adminUser,omitempty"`
+	// WorkloadIdentityClientID is the client ID of the User-Assigned Managed Identity
+	// used for Azure Workload Identity. This is populated automatically by kops
+	// when UseServiceAccountExternalPermissions is enabled.
+	WorkloadIdentityClientID string `json:"workloadIdentityClientID,omitempty"`
 }
 
 // CloudConfiguration defines the cloud provider configuration

pkg/apis/kops/v1alpha3/componentconfig.go

@@ -955,6 +955,10 @@ type AzureSpec struct {
 	RouteTableName string `json:"routeTableName,omitempty"`
 	// AdminUser specifies the admin user of VMs.
 	AdminUser string `json:"adminUser,omitempty"`
+	// WorkloadIdentityClientID is the client ID of the User-Assigned Managed Identity
+	// used for Azure Workload Identity. This is populated automatically by kops
+	// when UseServiceAccountExternalPermissions is enabled.
+	WorkloadIdentityClientID string `json:"workloadIdentityClientID,omitempty"`
 }
 
 // CloudConfiguration defines the cloud provider configuration

pkg/apis/kops/validation/legacy.go

@@ -238,14 +238,16 @@ func validateServiceAccountIssuerDiscovery(c *kops.Cluster, said *kops.ServiceAc
 				}
 			case *vfs.GSPath:
 				// No known restrictions currently. Added here to avoid falling into the default catch all below.
+			case *vfs.AzureBlobPath:
+				// Azure Blob Storage is supported as a discovery store.
 			case *vfs.MemFSPath:
 				// memfs is ok for tests; not OK otherwise
 				if !base.IsClusterReadable() {
 					// (If this _is_ a test, we should call MarkClusterReadable)
 					allErrs = append(allErrs, field.Invalid(saidStoreField, discoveryStore, "S3 is the only supported VFS for discoveryStore"))
 				}
 			default:
-				allErrs = append(allErrs, field.Invalid(saidStoreField, discoveryStore, "S3 is the only supported VFS for discoveryStore"))
+				allErrs = append(allErrs, field.Invalid(saidStoreField, discoveryStore, "S3, GCS, and Azure Blob are the only supported VFS types for discoveryStore"))
 			}
 		}
 	}

pkg/model/azuremodel/workloadidentity.go

@@ -0,0 +1,98 @@
+/*
+Copyright 2026 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package azuremodel
+
+import (
+	"fmt"
+
+	"k8s.io/kops/upup/pkg/fi"
+	"k8s.io/kops/upup/pkg/fi/cloudup/azuretasks"
+)
+
+// Azure built-in role definition IDs.
+// See: https://learn.microsoft.com/azure/role-based-access-control/built-in-roles
+const (
+	// azureContributorRoleDefID is the ID of the built-in "Contributor" role.
+	azureContributorRoleDefID = "b24988ac-6180-42a0-ab88-20f7382dd24c"
+)
+
+// WorkloadIdentityModelBuilder configures Azure Workload Identity resources
+// (UAMI, federated identity credentials, and role assignments).
+type WorkloadIdentityModelBuilder struct {
+	*AzureModelContext
+	Lifecycle fi.Lifecycle
+}
+
+var _ fi.CloudupModelBuilder = &WorkloadIdentityModelBuilder{}
+
+func (b *WorkloadIdentityModelBuilder) Build(c *fi.CloudupModelBuilderContext) error {
+	if !b.UseServiceAccountExternalPermissions() {
+		return nil
+	}
+
+	issuerURL := fi.ValueOf(b.Cluster.Spec.KubeAPIServer.ServiceAccountIssuer)
+	if issuerURL == "" {
+		return fmt.Errorf("serviceAccountIssuer must be set for Azure Workload Identity")
+	}
+
+	rgName := b.Cluster.AzureResourceGroupName()
+	subscriptionID := b.Cluster.Spec.CloudProvider.Azure.SubscriptionID
+	identityName := b.Cluster.AzureWorkloadIdentityName()
+
+	// UAMI task — idempotent, may already exist from pre-flight in apply_cluster.go.
+	uami := &azuretasks.ManagedIdentity{
+		Name:          fi.PtrTo(identityName),
+		Lifecycle:     b.Lifecycle,
+		ResourceGroup: b.LinkToResourceGroup(),
+		Tags:          map[string]*string{},
+	}
+	c.AddTask(uami)
+
+	// Role assignment: Contributor on the resource group.
+	resourceGroupScope := fmt.Sprintf("/subscriptions/%s/resourceGroups/%s", subscriptionID, rgName)
+	c.AddTask(&azuretasks.RoleAssignment{
+		Name:            fi.PtrTo("wi-uami-contributor"),
+		Lifecycle:       b.Lifecycle,
+		Scope:           fi.PtrTo(resourceGroupScope),
+		ManagedIdentity: uami,
+		RoleDefID:       fi.PtrTo(azureContributorRoleDefID),
+	})
+
+	// Federated Identity Credentials — one per service account.
+	saBindings := []struct {
+		name      string
+		namespace string
+		sa        string
+	}{
+		{name: "fic-ccm", namespace: "kube-system", sa: "cloud-controller-manager"},
+		{name: "fic-csi-azuredisk", namespace: "kube-system", sa: "csi-azuredisk-controller-sa"},
+	}
+
+	for _, binding := range saBindings {
+		c.AddTask(&azuretasks.FederatedIdentityCredential{
+			Name:            fi.PtrTo(binding.name),
+			Lifecycle:       b.Lifecycle,
+			ManagedIdentity: uami,
+			ResourceGroup:   b.LinkToResourceGroup(),
+			Issuer:          fi.PtrTo(issuerURL),
+			Subject:         fi.PtrTo(fmt.Sprintf("system:serviceaccount:%s:%s", binding.namespace, binding.sa)),
+			Audiences:       []*string{fi.PtrTo("api://AzureADTokenExchange")},
+		})
+	}
+
+	return nil
+}

pkg/model/components/discovery.go

@@ -66,6 +66,11 @@ func (b *DiscoveryOptionsBuilder) BuildOptions(o *kops.Cluster) error {
 				if err != nil {
 					return err
 				}
+			case *vfs.AzureBlobPath:
+				serviceAccountIssuer, err = base.GetHTTPsUrl()
+				if err != nil {
+					return err
+				}
 			case *vfs.MemFSPath:
 				if !base.IsClusterReadable() {
 					// If this _is_ a test, we should call MarkClusterReadable

pkg/model/issuerdiscovery.go

@@ -123,6 +123,20 @@ func (b *IssuerDiscoveryModelBuilder) Build(c *fi.CloudupModelBuilderContext) er
 			klog.Infof("using user managed serviceAccountIssuers")
 		}
 
+	case *vfs.AzureBlobPath:
+		// Azure Blob Storage uses container-level public access (Private / Blob /
+		// Container), not per-object ACLs like S3 or GCS, so kops cannot flip a
+		// PublicACL on the individual discovery files. The user must pre-configure
+		// the container with anonymous "Blob" access before running kops; otherwise
+		// the OIDC discovery endpoint is unreachable and AAD token exchange fails.
+		isPublic, err := discoveryStore.IsBucketPublic(ctx)
+		if err != nil {
+			return fmt.Errorf("checking if Azure Blob container was public: %w", err)
+		}
+		if !isPublic {
+			return fmt.Errorf("serviceAccountIssuers Azure Blob storage %q is not public", discoveryStore.Path())
+		}
+
 	case *vfs.MemFSPath:
 		// ok