feat: add Azure Managed Identity token provider support #1183
Conversation
This commit adds comprehensive support for Azure Managed Identity authentication for AI Gateway backends through the BackendSecurityPolicy.

Changes include:
- New AzureManagedIdentityTokenProvider with system and user-assigned identity support
- Support for OIDC token exchange and Kubernetes secret-based authentication
- Comprehensive test coverage including integration tests
- Example configurations and CRD validation test data
- Updated API documentation and CRD schemas
- Added *.test pattern to .gitignore to exclude Go test binaries

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Matt Mencel <matt@techminer.net>
Pull Request Overview
This PR adds comprehensive Azure Managed Identity authentication support to the AI Gateway, enabling seamless authentication with Azure OpenAI and other Azure AI services using both system-assigned and user-assigned managed identities.
- Adds AzureManagedIdentityTokenProvider for managed identity authentication
- Updates BackendSecurityPolicy API to support managed identity configuration
- Includes comprehensive validation rules to ensure proper authentication method selection
Reviewed Changes
Copilot reviewed 17 out of 18 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| api/v1alpha1/backendsecurity_policy.go | Adds UseManagedIdentity field and updated validation rules for Azure credentials |
| internal/controller/tokenprovider/azure_managed_identity_token_provider.go | Implements Azure managed identity token provider using DefaultAzureCredential |
| internal/controller/backend_security_policy.go | Updates controller to handle managed identity authentication flow |
| tests/controller/azure_managed_identity_test.go | Adds integration tests for user-assigned and system-assigned managed identity scenarios |
| examples/basic/azure_openai_managed_identity.yaml | Provides example configurations for managed identity authentication |
| manifests/charts//crds/.yaml | Updates CRD schemas with new managed identity field and validation rules |
Remove omitempty from ClientID field in BackendSecurityPolicyAzureCredentials to maintain consistency with other ID fields and avoid breaking existing integrations that expect the field to always be present in JSON output. This addresses the GitHub Copilot review comment in PR envoyproxy#1183. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Matt Mencel <matt@techminer.net>
Hey, do you think this will be merged? I want to implement envoy, however, I don't want to make auth changes straight after implementation, so if this is scheduled to be merged and released, I can hold off.

so the thing about this PR is that we don't have an e2e test environment for AKS. @MattMencel @ehrnst if either of you can confirm with 100% confidence that the current code works fine, then I could allocate some time to review properly.

@mathetake, I switched to another solution, so I won't be able to test this further. Happy to hand it off to someone else or just close it. @ehrnst are you able to test these changes and make modifications if needed?

@mathetake Well, I'm not a developer. But if someone can hold my hand, I have all the infrastructure in place to test it. What would be the process of it? I assume I have to build locally and do some manual deployment, not relying on the helm charts. @MattMencel curious to know what other solution you went for as well.

LiteLLM. It seems to be meeting the requirement for now.

feel free to reopen!
Description
This commit adds comprehensive support for Azure Managed Identity authentication for AI Gateway backends through the BackendSecurityPolicy.
The new AzureManagedIdentityTokenProvider enables seamless authentication with Azure OpenAI and other Azure AI services using both system-assigned and user-assigned managed identities. This eliminates the need to manage API keys or secrets for Azure-hosted workloads, improving security and operational simplicity.
Key features:
Related Issues/PRs (if applicable)
#1180
Special notes for reviewers (if applicable)
This PR includes extensive test coverage with both unit tests and integration tests using envtest. The implementation follows the existing token provider pattern and integrates cleanly with the current BackendSecurityPolicy architecture.
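As an added illustration of the token provider pattern the PR describes (this is not code from the PR or from the envoyproxy project), the Go type below fetches a managed-identity token straight from the Azure Instance Metadata Service (IMDS) endpoint instead of going through the azidentity SDK's DefaultAzureCredential that the PR relies on, so it runs with only the standard library. The system-assigned versus user-assigned choice is made by whether `client_id` is sent, and the token is cached until shortly before `expires_on`. The type name, field names and the overridable `Endpoint` are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// ManagedIdentityTokenProvider is a hypothetical stand-in for the PR's provider: it calls the Azure IMDS
// endpoint directly (the PR relies on azidentity's DefaultAzureCredential) so it runs with only the stdlib.
type ManagedIdentityTokenProvider struct {
	Endpoint string // http://169.254.169.254 on an Azure VM or AKS node; overridden in tests
	ClientID string // empty selects the system-assigned identity; set it for a user-assigned one
	Resource string // token audience, e.g. https://cognitiveservices.azure.com for Azure OpenAI
	token    string
	expires  time.Time
}

// GetToken serves the cached token until 5 minutes before expiry, then refreshes it from IMDS.
func (p *ManagedIdentityTokenProvider) GetToken() (string, time.Time, error) {
	if p.token != "" && time.Now().Before(p.expires.Add(-5*time.Minute)) {
		return p.token, p.expires, nil
	}
	q := url.Values{"api-version": {"2018-02-01"}, "resource": {p.Resource}}
	if p.ClientID != "" {
		q.Set("client_id", p.ClientID) // without it IMDS answers for the system-assigned identity
	}
	req, err := http.NewRequest(http.MethodGet, p.Endpoint+"/metadata/identity/oauth2/token?"+q.Encode(), nil)
	if err != nil {
		return "", time.Time{}, err
	}
	req.Header.Set("Metadata", "true") // IMDS rejects requests without this header
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", time.Time{}, err
	}
	defer resp.Body.Close()
	var body struct {
		AccessToken string `json:"access_token"`
		ExpiresOn   int64  `json:"expires_on,string"` // unix seconds; IMDS sends it as a JSON string
	}
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&body) != nil {
		return "", time.Time{}, fmt.Errorf("imds: unusable token response (%s)", resp.Status)
	}
	p.token, p.expires = body.AccessToken, time.Unix(body.ExpiresOn, 0)
	return p.token, p.expires, nil
}
```

A controller would hold one provider per BackendSecurityPolicy and call GetToken before each backend credential rotation; the 5 minute margin keeps a token from expiring mid-request.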