
fix(cert-manager-config): use managedIdentity.clientID for Azure Workload Identity#134

Merged: gdrojas merged 2 commits into main from fix/cert-manager-azure-workload-identity on Mar 30, 2026

Conversation

@gdrojas (Contributor) commented Mar 30, 2026

Summary

  • Replace invalid config.useWorkloadIdentityExtension: true with correct managedIdentity.clientID in azureDNS solver spec (both public and private ClusterIssuer)
  • Remove invalid clientID and tenantID direct fields from azureDNS in the private issuer — those fields don't exist in cert-manager's spec for any auth method
  • Add azure.useWorkloadIdentity (default: true) to support both Workload Identity and Service Principal auth methods

Why

config.useWorkloadIdentityExtension is not a valid field in cert-manager's azureDNS spec. Any cluster using this had a ClusterIssuer that failed silently to issue certificates. The correct approach per cert-manager docs is managedIdentity.clientID.

Compatibility

  • GCP, AWS, Cloudflare, OCI: no impact — changes are inside {{- if eq .Values.cloudProvider "azure" }}
  • Azure WI (useWorkloadIdentity: true, default): uses managedIdentity.clientID — requires cert-manager >= 1.8
  • Azure SP (useWorkloadIdentity: false): uses clientID + tenantID + clientSecretSecretRef — requires azure.clientSecret.secretName to be set
  • azure.clientID is now required when cloudProvider=azure — previously the field existed in values.yaml but was unused in the public issuer, causing silent failures

Test plan

  • WI: deployed ClusterIssuer on AKS — status Ready: True, ACME account registered
  • SP: deployed ClusterIssuer with Service Principal + K8s secret — status Ready: True, ACME account registered
  • Switched between both modes on the same cluster without issues
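The two solver shapes described above, written out as a Helm template; this is an added illustration, not the PR's own template. Value names other than cloudProvider, azure.useWorkloadIdentity, azure.clientID and azure.clientSecret.secretName (acme.email, azure.subscriptionID, azure.resourceGroupName, azure.hostedZoneName, azure.tenantID, azure.clientSecret.key) are assumed, as is the issuer name.

```yaml
{{- if eq .Values.cloudProvider "azure" }}
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-public            # assumed name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: {{ .Values.acme.email }}   # assumed value name
    privateKeySecretRef:
      name: letsencrypt-public-account-key
    solvers:
      - dns01:
          azureDNS:
            # Zone lookup fields are needed for either auth method (assumed value names).
            subscriptionID: {{ .Values.azure.subscriptionID }}
            resourceGroupName: {{ .Values.azure.resourceGroupName }}
            hostedZoneName: {{ .Values.azure.hostedZoneName }}
            environment: AzurePublicCloud
            # NOT valid in the azureDNS schema and therefore dropped by the API server:
            #   config:
            #     useWorkloadIdentityExtension: true
            {{- if .Values.azure.useWorkloadIdentity }}
            # Workload Identity: cert-manager exchanges its projected service-account
            # token for this managed identity; no long-lived secret is stored.
            managedIdentity:
              clientID: {{ required "azure.clientID is required when cloudProvider=azure" .Values.azure.clientID }}
            {{- else }}
            # Service Principal: the client secret lives in a Secret in cert-manager's namespace.
            clientID: {{ required "azure.clientID is required when cloudProvider=azure" .Values.azure.clientID }}
            tenantID: {{ required "azure.tenantID is required for Service Principal auth" .Values.azure.tenantID }}
            clientSecretSecretRef:
              name: {{ required "azure.clientSecret.secretName is required when useWorkloadIdentity=false" .Values.azure.clientSecret.secretName }}
              key: {{ .Values.azure.clientSecret.key | default "client-secret" }}
            {{- end }}
{{- end }}
```

Because the cert-manager CRD prunes fields it does not know, a stray key such as the old config.useWorkloadIdentityExtension is dropped at apply time rather than rejected, which is why the issuer appeared to deploy and then never authenticated; rendering with helm template and applying with kubectl apply --dry-run=server --validate=strict surfaces such keys before the chart ships.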

gdrojas added 2 commits March 30, 2026 14:09
…load Identity

Replace invalid config.useWorkloadIdentityExtension with the correct
managedIdentity.clientID field in azureDNS solver spec. Also remove
clientID and tenantID as direct azureDNS fields in the private issuer
as they are not valid cert-manager spec fields for any auth method.
… Principal for Azure

Add azure.useWorkloadIdentity (default: true) to allow switching between
Workload Identity (managedIdentity.clientID) and Service Principal
(clientID + tenantID + clientSecretSecretRef) auth methods.
@gdrojas gdrojas merged commit ca76c31 into main Mar 30, 2026
3 checks passed
@gdrojas gdrojas deleted the fix/cert-manager-azure-workload-identity branch March 30, 2026 17:58