How to integrate Bitbucket self-hosted runner with Azure workload identity / AD authentication?

Michael Schlarb November 14, 2022

Hi there,

we are currently looking at moving our CI/CD from Azure DevOps to Bitbucket and also at starting to use other Atlassian products for our development.

Part of our automated tests requires access to the infrastructure used, e.g. databases and EventHubs, to enter the data for the test. Since we do not want to handle everything with passwords, we are using managed identities in our current setup. The Azure DevOps build agents are regular VMs which have an authorized managed identity, and the access from the test scripts works fine.

For the tests with Bitbucket we have set up a self-hosted runner in our Kubernetes cluster. It is running using an authorized service account with the workload identity hook. The runner as well as the Docker-in-Docker sidecar have the federated token from the workload identity successfully mounted; however, these files are not visible from within the pipeline script.

Would this even be possible? If yes, how?

One other approach I can see is that the pipeline deploys a job to the K8s cluster which then runs the tests.

But how do we then get the test results back and fail the pipeline on test failures?

We don't have any test management plugin like X-Ray in use at the moment. Deployments to the cluster always go via Flux, i.e. GitOps, so no direct kubectl calls from CI/CD are used.

Does anyone have experience with such a setup?

Any other suggestions for how to set this up?

It does not have to be with workload identity per se, but access to the infrastructure is only possible via Azure AD authentication. So this is a must.

Many thanks in advance for your tips and thoughts.
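As an added illustration of the mechanism the question is about (example code written for this page, not part of the original post and not an answer to it), the script below shows what a process inside a pod handled by the Azure AD workload identity webhook is expected to see, and what Azure AD checks when that projected service account token is exchanged for an access token. It assumes the environment variable names the azure-workload-identity webhook injects (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE, AZURE_AUTHORITY_HOST), the standard Azure AD v2.0 token endpoint with the OAuth 2.0 client-assertion flow, and the federated credential matching rule (issuer, subject `system:serviceaccount:<namespace>:<serviceaccount>`, audience `api://AzureADTokenExchange`). All token and identifier values in the test are constructed samples; the script makes no claim about why the mounted files are not visible in the pipeline step.

```python
"""Added example: inspect what the Azure AD workload identity webhook injects
into a container and verify the projected token against the federated
credential rule before exchanging it. Not code from the original post."""
import base64
import json
import os
import urllib.parse
import urllib.request

# Audience Azure AD expects on a Kubernetes-projected token used for exchange.
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"
# OAuth 2.0 client assertion type for the client-credentials exchange.
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# Names injected by the workload identity webhook (assumption: as documented).
INJECTED_VARS = ("AZURE_CLIENT_ID", "AZURE_TENANT_ID",
                 "AZURE_FEDERATED_TOKEN_FILE", "AZURE_AUTHORITY_HOST")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWS without verifying the signature.
    Inspection only: the signature is verified by Azure AD, not by this code."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def describe_injection(env: dict) -> dict:
    """Report which injected settings are missing from the environment and
    whether the projected token file is readable by this process."""
    missing = [name for name in INJECTED_VARS if not env.get(name)]
    token_file = env.get("AZURE_FEDERATED_TOKEN_FILE")
    readable = bool(token_file) and os.access(token_file, os.R_OK)
    return {"missing": missing, "token_file_readable": readable}


def check_federated_claims(token: str, expected_issuer: str,
                           namespace: str, service_account: str) -> list:
    """Compare the projected token's claims with what the federated credential
    on the Azure AD app registration must match (issuer, subject, audience).
    Returns a list of mismatches; an empty list means the token should be
    accepted by the exchange."""
    claims = jwt_claims(token)
    expected_subject = f"system:serviceaccount:{namespace}:{service_account}"
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss={claims.get('iss')!r}, expected {expected_issuer!r}")
    if claims.get("sub") != expected_subject:
        problems.append(f"sub={claims.get('sub')!r}, expected {expected_subject!r}")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if TOKEN_EXCHANGE_AUDIENCE not in aud_list:
        problems.append(f"aud={aud!r}, expected to contain {TOKEN_EXCHANGE_AUDIENCE!r}")
    return problems


def build_token_request(env: dict, federated_token: str, scope: str) -> tuple:
    """Build the client-credentials request that trades the projected token
    for an Azure AD access token (OAuth 2.0 client assertion flow)."""
    authority = env.get("AZURE_AUTHORITY_HOST", "https://login.microsoftonline.com/").rstrip("/")
    url = f"{authority}/{env['AZURE_TENANT_ID']}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": env["AZURE_CLIENT_ID"],
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": federated_token,
        "scope": scope,
    }
    return url, body


def exchange_token(env: dict, scope: str) -> dict:
    """Perform the exchange over the network (requires a real pod environment)."""
    with open(env["AZURE_FEDERATED_TOKEN_FILE"], encoding="utf-8") as fh:
        federated_token = fh.read().strip()
    url, body = build_token_request(env, federated_token, scope)
    data = urllib.parse.urlencode(body).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample in JWS compact form for offline checks only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "constructed-signature"])


if __name__ == "__main__":
    # Stand-alone run: show what this container actually received.
    print(describe_injection(dict(os.environ)))
```

Running `describe_injection` from inside the pipeline step is a quick way to tell whether the step lacks the injected variables, the mount, or only read permission on the token file; `check_federated_claims` tells you, before any network call, whether the token the pod holds would be accepted by the federated credential configured on the app registration.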

0 answers
