Merge branch 'main' into patch-1

.github/workflows/azwi-build.yaml

@@ -25,7 +25,7 @@ jobs:
     runs-on: ${{ matrix.env }}
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit
 
@@ -35,7 +35,8 @@ jobs:
           fetch-depth: 0
       - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
         with:
-          go-version: "1.20"
+          go-version: "1.21"
+          check-latest: true
       - name: Build azwi
         run: |
           make bin/azwi

.github/workflows/azwi-e2e.yaml

@@ -27,7 +27,7 @@ jobs:
     runs-on: ${{ matrix.env }}
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit
 
@@ -37,7 +37,8 @@ jobs:
           fetch-depth: 0
       - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
         with:
-          go-version: "1.20"
+          go-version: "1.21"
+          check-latest: true
       - name: Azure CLI
         run: |
           echo "Azure CLI Current installed version"
@@ -105,7 +106,7 @@ jobs:
     runs-on: ${{ matrix.env }}
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit
 
@@ -115,7 +116,8 @@ jobs:
           fetch-depth: 0
       - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
         with:
-          go-version: "1.20"
+          go-version: "1.21"
+          check-latest: true
       - name: Build azwi
         run: |
           make bin/azwi

.github/workflows/chart.yaml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit
 

.github/workflows/codecov.yaml

@@ -14,14 +14,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit
 
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
         with:
-          go-version: "^1.20"
+          go-version: "^1.21"
+          check-latest: true
       - name: Run tests
         run: make test
       - uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d

.github/workflows/codeql.yaml

@@ -21,20 +21,20 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit
 
       - name: Checkout repository
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@a09933a12a80f87b87005513f0abb1494c27a716
+        uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75
         with:
           languages: go
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@a09933a12a80f87b87005513f0abb1494c27a716
+        uses: github/codeql-action/autobuild@407ffafae6a767df3e0230c3df91b6443ae8df75
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@a09933a12a80f87b87005513f0abb1494c27a716
+        uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75

.github/workflows/create-release-pull-request.yaml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit
 
@@ -34,7 +34,8 @@ jobs:
           ref: "${{ github.event.inputs.based_on_branch }}"
       - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
         with:
-          go-version: "1.20"
+          go-version: "1.21"
+          check-latest: true
       - run: make release-manifest
         env:
           NEW_VERSION: "${{ github.event.inputs.release_version }}"

.github/workflows/create-release.yaml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit
 
@@ -26,7 +26,8 @@ jobs:
           fetch-depth: 0
       - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
         with:
-          go-version: "1.20"
+          go-version: "1.21"
+          check-latest: true
       - id: get-tag
         name: Get tag
         run: echo "tag=$(echo ${{ github.event.pull_request.head.ref }} | sed -e 's/release-//g')" >> $GITHUB_OUTPUT

.github/workflows/dependency-review.yml

@@ -17,11 +17,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit
 
       - name: 'Checkout Repository'
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e # v3.0.4
+        uses: actions/dependency-review-action@01bc87099ba56df1e897b6874784491ea6309bc4 # v3.1.4

.github/workflows/markdown-link-check.yaml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
       with:
         egress-policy: audit
 

.github/workflows/patch-images.yaml

@@ -17,7 +17,7 @@ jobs:
           images: ['ghcr.io/azure/azure-workload-identity/proxy-init:latest-linux-arm64', 'ghcr.io/azure/azure-workload-identity/proxy-init:latest-linux-amd64']
       steps:
       - name: Harden Runner 
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0 
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with: 
           egress-policy: audit 
       - name: Login to ghcr.io
@@ -61,7 +61,7 @@ jobs:
       runs-on: ubuntu-latest
       steps:
       - name: Harden Runner 
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0 
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with: 
           egress-policy: audit 
       - name: Login to ghcr.io

.github/workflows/publish-images.yaml

@@ -16,7 +16,7 @@ jobs:
       registry: ${{ steps.export.outputs.registry }}
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit
 
@@ -36,7 +36,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit
 
@@ -68,7 +68,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit
 

.github/workflows/scorecards.yml

@@ -31,7 +31,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit
 
@@ -71,6 +71,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@a09933a12a80f87b87005513f0abb1494c27a716 # v2.3.1
+        uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.3.1
         with:
           sarif_file: results.sarif

.github/workflows/website.yaml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit
 

.golangci.yml

@@ -1,6 +1,6 @@
 run:
   deadline: 20m
-  go-version: "1.20"
+  go-version: "1.21"
 
 linters:
   disable-all: true

Makefile

@@ -2,7 +2,7 @@ REGISTRY ?= mcr.microsoft.com/oss/azure/workload-identity
 PROXY_IMAGE_NAME := proxy
 INIT_IMAGE_NAME := proxy-init
 WEBHOOK_IMAGE_NAME := webhook
-IMAGE_VERSION ?= v1.1.0
+IMAGE_VERSION ?= v1.2.0
 
 ORG_PATH := github.com/Azure
 PROJECT_NAME := azure-workload-identity

charts/workload-identity-webhook/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: workload-identity-webhook
 description: A Helm chart to install the azure-workload-identity webhook
 type: application
-version: 1.1.0
-appVersion: v1.1.0
+version: 1.2.0
+appVersion: v1.2.0
 home: https://github.com/Azure/azure-workload-identity
 sources:
   - https://github.com/Azure/azure-workload-identity

charts/workload-identity-webhook/README.md

@@ -34,7 +34,7 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide
 | replicaCount                       | The number of azure-workload-identity replicas to deploy for the webhook                                                          | `2`                                                     |
 | image.repository                   | Image repository                                                                                                                  | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
 | image.pullPolicy                   | Image pullPolicy                                                                                                                  | `IfNotPresent`                                          |
-| image.release                      | The image release tag to use                                                                                                      | Current release version: `v1.1.0`                       |
+| image.release                      | The image release tag to use                                                                                                      | Current release version: `v1.2.0`                       |
 | imagePullSecrets                   | Image pull secrets to use for retrieving images from private registries                                                           | `[]`                                                    |
 | nodeSelector                       | The node selector to use for pod scheduling                                                                                       | `kubernetes.io/os: linux`                               |
 | resources                          | The resource request/limits for the container image                                                                               | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi        |

charts/workload-identity-webhook/values.yaml

@@ -7,7 +7,7 @@ image:
   repository: mcr.microsoft.com/oss/azure/workload-identity/webhook
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  release: v1.1.0
+  release: v1.2.0
 imagePullSecrets: []
 nodeSelector:
   kubernetes.io/os: linux

config/manager/kustomization.yaml

@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: manager
   newName: mcr.microsoft.com/oss/azure/workload-identity/webhook
-  newTag: v1.1.0
+  newTag: v1.2.0
 configMapGenerator:
 - literals:
   - AZURE_TENANT_ID="${AZURE_TENANT_ID}"

deploy/azure-wi-webhook.yaml

@@ -162,7 +162,7 @@ spec:
         envFrom:
         - configMapRef:
             name: azure-wi-webhook-config
-        image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v1.1.0
+        image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v1.2.0
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 6

docker/proxy-init.Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=${TARGETPLATFORM:-linux/amd64} registry.k8s.io/build-image/distroless-iptables:v0.4.1
+FROM --platform=${TARGETPLATFORM:-linux/amd64} registry.k8s.io/build-image/distroless-iptables:v0.4.2
 
 COPY ./init/init-iptables.sh /bin/
 RUN chmod +x /bin/init-iptables.sh

docker/proxy.Dockerfile

@@ -1,4 +1,4 @@
-ARG BUILDER=mcr.microsoft.com/oss/go/microsoft/golang:1.20-bullseye
+ARG BUILDER=mcr.microsoft.com/oss/go/microsoft/golang:1.21-bullseye
 ARG BASEIMAGE=gcr.io/distroless/static:nonroot
 
 FROM ${BUILDER} as builder

docker/webhook.Dockerfile

@@ -1,4 +1,4 @@
-ARG BUILDER=mcr.microsoft.com/oss/go/microsoft/golang:1.20-bullseye
+ARG BUILDER=mcr.microsoft.com/oss/go/microsoft/golang:1.21-bullseye
 ARG BASEIMAGE=gcr.io/distroless/static:nonroot
 
 # Build the manager binary

docs/book/src/installation/mutating-admission-webhook.md

@@ -73,7 +73,7 @@ The deployment YAML contains the environment variables we defined above and we r
 Install the webhook using the deployment YAML via `kubectl apply -f` and `envsubst`:
 
 ```bash
-curl -sL https://github.com/Azure/azure-workload-identity/releases/download/v1.1.0/azure-wi-webhook.yaml | envsubst | kubectl apply -f -
+curl -sL https://github.com/Azure/azure-workload-identity/releases/download/v1.2.0/azure-wi-webhook.yaml | envsubst | kubectl apply -f -
 ```
 
 <details>

examples/migration/pod-with-proxy-init-and-proxy-sidecar.yaml

@@ -8,7 +8,7 @@ spec:
   serviceAccountName: workload-identity-sa
   initContainers:
   - name: init-networking
-    image: mcr.microsoft.com/oss/azure/workload-identity/proxy-init:v1.1.0
+    image: mcr.microsoft.com/oss/azure/workload-identity/proxy-init:v1.2.0
     securityContext:
       capabilities:
         add:
@@ -26,6 +26,6 @@ spec:
     ports:
     - containerPort: 80
   - name: proxy
-    image: mcr.microsoft.com/oss/azure/workload-identity/proxy:v1.1.0
+    image: mcr.microsoft.com/oss/azure/workload-identity/proxy:v1.2.0
     ports:
     - containerPort: 8000

examples/msal-go/Dockerfile

@@ -1,4 +1,4 @@
-ARG BUILDER=mcr.microsoft.com/oss/go/microsoft/golang:1.20-bullseye
+ARG BUILDER=mcr.microsoft.com/oss/go/microsoft/golang:1.21-bullseye
 ARG BASEIMAGE=gcr.io/distroless/static:nonroot
 
 FROM ${BUILDER} as builder

examples/msal-go/go.mod

@@ -3,16 +3,16 @@ module github.com/Azure/azure-workload-identity/example/msal-go
 go 1.19
 
 require (
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.0
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.0
-	k8s.io/klog/v2 v2.100.1
+	k8s.io/klog/v2 v2.110.1
 )
 
 require (
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect
-	github.com/go-logr/logr v1.2.0 // indirect
+	github.com/go-logr/logr v1.3.0 // indirect
 	github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect