From ea4fd36a782d66c6a5f63b987635df85c617461c Mon Sep 17 00:00:00 2001
From: Gonzalo Rojas
Date: Mon, 30 Mar 2026 14:09:13 -0300
Subject: [PATCH 1/2] fix(cert-manager-config): use managedIdentity.clientID for Azure Workload Identity

Replace invalid config.useWorkloadIdentityExtension with the correct managedIdentity.clientID field in azureDNS solver spec. Also remove clientID and tenantID as direct azureDNS fields in the private issuer as they are not valid cert-manager spec fields for any auth method.
---
 .../templates/cluster-issuer-private.yaml | 6 ++----
 .../templates/cluster-issuer-public.yaml | 4 ++--
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/charts/cert-manager-config/templates/cluster-issuer-private.yaml b/charts/cert-manager-config/templates/cluster-issuer-private.yaml
index 78820b0..2b91bd6 100644
--- a/charts/cert-manager-config/templates/cluster-issuer-private.yaml
+++ b/charts/cert-manager-config/templates/cluster-issuer-private.yaml
@@ -20,14 +20,12 @@ spec:
 project: "{{ .Values.gcp.projectId }}"
 {{- else if eq .Values.cloudProvider "azure" }}
 azureDNS:
- clientID: {{ .Values.azure.clientID }}
 subscriptionID: {{ .Values.azure.subscriptionID }}
- tenantID: {{ .Values.azure.tenantID }}
 resourceGroupName: {{ .Values.azure.resourceGroupName }}
 hostedZoneName: {{ .Values.azure.hostedZoneName }}
 environment: AzurePublicCloud
- config:
- useWorkloadIdentityExtension: true
+ managedIdentity:
+ clientID: {{ required "azure.clientID is required" .Values.azure.clientID | quote }}
 {{- else if eq .Values.cloudProvider "cloudflare" }}
 cloudflare:
 apiTokenSecretRef:
diff --git a/charts/cert-manager-config/templates/cluster-issuer-public.yaml b/charts/cert-manager-config/templates/cluster-issuer-public.yaml
index f18c3bb..7dc27b1 100644
--- a/charts/cert-manager-config/templates/cluster-issuer-public.yaml
+++ b/charts/cert-manager-config/templates/cluster-issuer-public.yaml
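Review bot: The new `managedIdentity.clientID` line is guarded with `required` and `| quote`, but the sibling `subscriptionID`, `resourceGroupName` and `hostedZoneName` context lines in the same hunk are still rendered bare, so an unset value emits `subscriptionID:` (YAML null) and the failure only surfaces when the rendered issuer is applied rather than at `helm template`/install time. The public issuer already uses `resourceGroupName: {{ required "azure.resourceGroupName is required" .Values.azure.resourceGroupName | quote }}`; the three lines here should follow the same form, e.g. `subscriptionID: {{ required "azure.subscriptionID is required" .Values.azure.subscriptionID | quote }}`, with the same pattern for `resourceGroupName` and `hostedZoneName`. The `azureDNS:` block starts inside the hunk, but the `cloudProvider` if/else chain it sits in begins before and ends after it.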
@@ -23,8 +23,8 @@ spec:
 resourceGroupName: {{ required "azure.resourceGroupName is required" .Values.azure.resourceGroupName | quote }}
 hostedZoneName: {{ .Values.hostedZoneName }}
 environment: AzurePublicCloud
- config:
- useWorkloadIdentityExtension: true
+ managedIdentity:
+ clientID: {{ required "azure.clientID is required" .Values.azure.clientID | quote }}
 {{- else if eq .Values.cloudProvider "cloudflare" }}
 cloudflare:
 apiTokenSecretRef:

From 9a206dab0461c448cbd324330ab4abf61afce0b0 Mon Sep 17 00:00:00 2001
From: Gonzalo Rojas
Date: Mon, 30 Mar 2026 14:26:10 -0300
Subject: [PATCH 2/2] feat(cert-manager-config): support both Workload Identity and Service Principal for Azure

Add azure.useWorkloadIdentity (default: true) to allow switching between Workload Identity (managedIdentity.clientID) and Service Principal (clientID + tenantID + clientSecretSecretRef) auth methods.
---
 .../templates/cluster-issuer-private.yaml | 8 ++++++++
 .../templates/cluster-issuer-public.yaml | 8 ++++++++
 charts/cert-manager-config/values.yaml | 4 ++++
 3 files changed, 20 insertions(+)

diff --git a/charts/cert-manager-config/templates/cluster-issuer-private.yaml b/charts/cert-manager-config/templates/cluster-issuer-private.yaml
index 2b91bd6..21146f8 100644
--- a/charts/cert-manager-config/templates/cluster-issuer-private.yaml
+++ b/charts/cert-manager-config/templates/cluster-issuer-private.yaml
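Review bot: `hostedZoneName: {{ .Values.hostedZoneName }}` in this hunk reads a top-level value, whereas the private issuer reads `.Values.azure.hostedZoneName` and the values.yaml hunk in the second patch declares `hostedZoneName` under `azure:`; unless a top-level `hostedZoneName` is defined somewhere not shown here, the public issuer renders a bare `hostedZoneName:` (null). It should read `hostedZoneName: {{ required "azure.hostedZoneName is required" .Values.azure.hostedZoneName | quote }}` to match the `resourceGroupName` line directly above it. The same line is carried unchanged into the second patch's public-issuer hunk. The `azureDNS:` block this belongs to starts before the hunk.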
@@ -24,8 +24,16 @@ spec:
 resourceGroupName: {{ .Values.azure.resourceGroupName }}
 hostedZoneName: {{ .Values.azure.hostedZoneName }}
 environment: AzurePublicCloud
+ {{- if .Values.azure.useWorkloadIdentity }}
 managedIdentity:
 clientID: {{ required "azure.clientID is required" .Values.azure.clientID | quote }}
+ {{- else }}
+ tenantID: {{ required "azure.tenantID is required" .Values.azure.tenantID | quote }}
+ clientID: {{ required "azure.clientID is required" .Values.azure.clientID | quote }}
+ clientSecretSecretRef:
+ name: {{ required "azure.clientSecret.secretName is required" .Values.azure.clientSecret.secretName | quote }}
+ key: {{ .Values.azure.clientSecret.secretKey | default "client-secret" | quote }}
+ {{- end }}
 {{- else if eq .Values.cloudProvider "cloudflare" }}
 cloudflare:
 apiTokenSecretRef:
diff --git a/charts/cert-manager-config/templates/cluster-issuer-public.yaml b/charts/cert-manager-config/templates/cluster-issuer-public.yaml
index 7dc27b1..4c5033a 100644
--- a/charts/cert-manager-config/templates/cluster-issuer-public.yaml
+++ b/charts/cert-manager-config/templates/cluster-issuer-public.yaml
@@ -23,8 +23,16 @@ spec:
 resourceGroupName: {{ required "azure.resourceGroupName is required" .Values.azure.resourceGroupName | quote }}
 hostedZoneName: {{ .Values.hostedZoneName }}
 environment: AzurePublicCloud
+ {{- if .Values.azure.useWorkloadIdentity }}
 managedIdentity:
 clientID: {{ required "azure.clientID is required" .Values.azure.clientID | quote }}
+ {{- else }}
+ tenantID: {{ required "azure.tenantID is required" .Values.azure.tenantID | quote }}
+ clientID: {{ required "azure.clientID is required" .Values.azure.clientID | quote }}
+ clientSecretSecretRef:
+ name: {{ required "azure.clientSecret.secretName is required" .Values.azure.clientSecret.secretName | quote }}
+ key: {{ .Values.azure.clientSecret.secretKey | default "client-secret" | quote }}
+ {{- end }}
 {{- else if eq .Values.cloudProvider "cloudflare" }}
 cloudflare:
 apiTokenSecretRef:
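Review bot: The Service Principal branch added after `{{- else }}` references `clientSecretSecretRef` with no note on where that Secret must live: cert-manager resolves secret references on a ClusterIssuer in its cluster resource namespace (normally the cert-manager namespace), not in the namespace the chart is released into, so a Secret created next to the release is not found unless the two coincide — assuming the kind is ClusterIssuer, as the filename suggests but the hunk does not show. A template comment above `clientSecretSecretRef:` such as `# Secret must exist in cert-manager's cluster resource namespace, not the release namespace` would spare an operator an opaque lookup failure. Separately, `{{- if .Values.azure.useWorkloadIdentity }}` is plain Go-template truthiness, so a quoted `"false"` arriving via `--set-string` or a string-typed values file still selects the Workload Identity branch and the Service Principal fields are silently ignored; `{{- if eq (toString .Values.azure.useWorkloadIdentity) "true" }}` makes the switch robust to that. The public-issuer hunk that follows in this same patch is identical and both points apply there too. The `azureDNS:` block and the `cloudProvider` if/else chain begin before both hunks.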
diff --git a/charts/cert-manager-config/values.yaml b/charts/cert-manager-config/values.yaml
index f80642c..c6d8a0b 100644
--- a/charts/cert-manager-config/values.yaml
+++ b/charts/cert-manager-config/values.yaml
@@ -12,6 +12,10 @@ azure:
 clientID: ""
 tenantID: ""
 hostedZoneName: ""
+ useWorkloadIdentity: true
+ clientSecret:
+ secretName: ""
+ secretKey: "client-secret"
 cloudflare:
 secretName: "cloudflare-api-token-secret"
 apiToken: ""
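Review bot: The four keys added under `azure:` carry no comments, so a reader of values.yaml cannot tell that `clientSecret` is only consulted when `useWorkloadIdentity` is false, nor that the existing `clientID` value plays a different role in each branch (the user-assigned managed identity's client ID under Workload Identity, the app registration's client ID for a Service Principal) and that `tenantID` is only required in the latter. A comment above `useWorkloadIdentity: true` should state that, e.g. `# true: Azure Workload Identity via managedIdentity.clientID; false: Service Principal via clientID + tenantID + clientSecret`. `clientSecret.secretName` should likewise say it names an existing Kubernetes Secret holding the client secret under `secretKey` (the chart appears not to create one, but only this hunk is visible — confirm) so that nobody is tempted to put the secret value itself into values.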