🧪 WIF test suites (#1441)

* 🧹 Update spelling list to include envsubst and gettext

* 🧪 WIF test suite - GKE (GCP)

* 🧹Moving GKE tests into separate `gke` directory to enable other testing on other platforms

* 🧪 WIF test suite - EKS (AWS)

* 🧪 Add AKS Workload Identity support in deployment handler tests and resource definitions

* 🐛 Add Azure CLI login with federated token for AKS Workload Identity

* 🧪 WIF test suite - AKS (Azure)

Author: slntopp

.github/actions/spelling/expect.txt

@@ -1,4 +1,6 @@
+AAD
 AADSTS
+ACR
 artifactory
 bak
 bitnami
@@ -8,13 +10,16 @@ deepcopy
 deletecollection
 dockerconfigjson
 eksctl
+envsubst
 fullname
+gettext
 iamidentitymapping
 irsa
 kustomization
 mcr
 mondoooperatorconfig
 nginx
+NSG
 oidc
 openssl
 psat
@@ -27,4 +32,5 @@ SResources
 SVIDs
 tekton
 tpl
+westeurope
 wif

.gitignore

@@ -63,7 +63,7 @@ terraform.tfvars
 terraform.tfstate.backup
 
 # tests artifacts
-tests/e2e/terraform/kubeconfig
-tests/e2e/terraform/kubeconfig-target
-tests/e2e/terraform/gke_gcloud_auth_plugin_cache
-tests/e2e/terraform/mondoo.json
+tests/e2e/**/kubeconfig
+tests/e2e/**/kubeconfig-target
+tests/e2e/**/gke_gcloud_auth_plugin_cache
+tests/e2e/**/mondoo.json

controllers/k8s_scan/deployment_handler_test.go

@@ -401,6 +401,56 @@ func (s *DeploymentHandlerSuite) TestReconcile_ExternalCluster_WorkloadIdentity_
 	s.Contains(initContainers[0].Image, "google-cloud-cli")
 }
 
+func (s *DeploymentHandlerSuite) TestReconcile_ExternalCluster_WorkloadIdentity_AKS() {
+	// Configure external cluster with AKS Workload Identity
+	s.auditConfig.Spec.KubernetesResources.ExternalClusters = []mondoov1alpha2.ExternalCluster{
+		{
+			Name: "aks-prod",
+			WorkloadIdentity: &mondoov1alpha2.WorkloadIdentityConfig{
+				Provider: mondoov1alpha2.CloudProviderAKS,
+				AKS: &mondoov1alpha2.AKSWorkloadIdentity{
+					SubscriptionID: "sub-123",
+					ResourceGroup:  "my-rg",
+					ClusterName:    "prod-cluster",
+					ClientID:       "client-123",
+					TenantID:       "tenant-456",
+				},
+			},
+		},
+	}
+
+	d := s.createDeploymentHandler()
+	s.NoError(d.KubeClient.Create(s.ctx, &s.auditConfig))
+
+	result, err := d.Reconcile(s.ctx)
+	s.NoError(err)
+	s.True(result.IsZero())
+
+	// Verify WIF ServiceAccount was created with correct annotation and label
+	wifSA := &corev1.ServiceAccount{}
+	wifSA.Name = WIFServiceAccountName(s.auditConfig.Name, "aks-prod")
+	wifSA.Namespace = s.auditConfig.Namespace
+	s.NoError(d.KubeClient.Get(s.ctx, client.ObjectKeyFromObject(wifSA), wifSA))
+	s.Equal("client-123", wifSA.Annotations["azure.workload.identity/client-id"])
+	s.Equal("true", wifSA.Labels["azure.workload.identity/use"])
+
+	// Verify external cluster CronJob was created with init container
+	externalCronJob := &batchv1.CronJob{}
+	externalCronJob.Name = ExternalClusterCronJobName(s.auditConfig.Name, "aks-prod")
+	externalCronJob.Namespace = s.auditConfig.Namespace
+	s.NoError(d.KubeClient.Get(s.ctx, client.ObjectKeyFromObject(externalCronJob), externalCronJob))
+
+	// Verify init container exists and uses azure-cli
+	initContainers := externalCronJob.Spec.JobTemplate.Spec.Template.Spec.InitContainers
+	s.Len(initContainers, 1)
+	s.Equal("generate-kubeconfig", initContainers[0].Name)
+	s.Contains(initContainers[0].Image, "azure-cli")
+
+	// Verify pod template has the AKS WI label for webhook injection
+	podLabels := externalCronJob.Spec.JobTemplate.Spec.Template.Labels
+	s.Equal("true", podLabels["azure.workload.identity/use"])
+}
+
 func (s *DeploymentHandlerSuite) TestReconcile_ExternalCluster_SPIFFE() {
 	// Create trust bundle secret for remote cluster CA
 	trustBundleSecret := &corev1.Secret{

controllers/k8s_scan/resources.go

@@ -340,6 +340,13 @@ func ExternalClusterCronJob(image string, cluster v1alpha2.ExternalCluster, m *v
 
 		initContainers = append(initContainers, wifInitContainer(cluster))
 
+		// AKS Workload Identity webhook uses a pod-level objectSelector matching
+		// the label "azure.workload.identity/use: true" to inject federated token
+		// env vars and projected volume. Add it to the pod template labels.
+		if cluster.WorkloadIdentity.Provider == v1alpha2.CloudProviderAKS {
+			ls["azure.workload.identity/use"] = "true"
+		}
+
 	case cluster.SPIFFEAuth != nil:
 		// SPIFFE auth: use sidecar to fetch certificates, generate kubeconfig
 		serviceAccountName = m.Spec.Scanner.ServiceAccountName
@@ -695,6 +702,9 @@ retry gcloud container clusters get-credentials "$CLUSTER_NAME" \
   --project "$PROJECT_ID" \
   --location "$CLUSTER_LOCATION"
 cp ~/.kube/config /etc/opt/mondoo/kubeconfig/kubeconfig
+echo "=== DEBUG: generated kubeconfig ==="
+cat /etc/opt/mondoo/kubeconfig/kubeconfig
+echo "=== END DEBUG ==="
 `
 		env = []corev1.EnvVar{
 			{Name: "HOME", Value: "/tmp"},
@@ -710,6 +720,9 @@ retry aws eks update-kubeconfig \
   --name "$CLUSTER_NAME" \
   --region "$AWS_REGION" \
   --kubeconfig /etc/opt/mondoo/kubeconfig/kubeconfig
+echo "=== DEBUG: generated kubeconfig ==="
+cat /etc/opt/mondoo/kubeconfig/kubeconfig
+echo "=== END DEBUG ==="
 `
 		env = []corev1.EnvVar{
 			{Name: "HOME", Value: "/tmp"},
@@ -720,6 +733,13 @@ retry aws eks update-kubeconfig \
 	case v1alpha2.CloudProviderAKS:
 		image = AzureCLIImage
 		script = retryWrapper + `
+# Azure CLI requires explicit login with the federated token injected by the
+# AKS Workload Identity webhook (AZURE_CLIENT_ID, AZURE_TENANT_ID,
+# AZURE_FEDERATED_TOKEN_FILE are set as env vars by the webhook).
+retry az login --federated-token "$(cat "$AZURE_FEDERATED_TOKEN_FILE")" \
+  --service-principal \
+  -u "$AZURE_CLIENT_ID" \
+  -t "$AZURE_TENANT_ID"
 retry az aks get-credentials \
   --resource-group "$RESOURCE_GROUP" \
   --name "$CLUSTER_NAME" \
@@ -741,10 +761,11 @@ retry az aks get-credentials \
 	}
 
 	return corev1.Container{
-		Name:    "generate-kubeconfig",
-		Image:   image,
-		Command: []string{"/bin/sh", "-c", script},
-		Env:     env,
+		Name:            "generate-kubeconfig",
+		Image:           image,
+		ImagePullPolicy: corev1.PullIfNotPresent,
+		Command:         []string{"/bin/sh", "-c", script},
+		Env:             env,
 		VolumeMounts: []corev1.VolumeMount{
 			{Name: "kubeconfig", MountPath: "/etc/opt/mondoo/kubeconfig"},
 			{Name: "temp", MountPath: "/tmp"},
@@ -863,9 +884,10 @@ kill $HELPER_PID 2>/dev/null || true
 `
 
 	return corev1.Container{
-		Name:    "fetch-spiffe-certs",
-		Image:   SPIFFEHelperImage,
-		Command: []string{"/bin/sh", "-c", script},
+		Name:            "fetch-spiffe-certs",
+		Image:           SPIFFEHelperImage,
+		ImagePullPolicy: corev1.PullIfNotPresent,
+		Command:         []string{"/bin/sh", "-c", script},
 		Env: []corev1.EnvVar{
 			{Name: "SOCKET_FILE", Value: socketFile},
 			{Name: "K8S_SERVER", Value: cluster.SPIFFEAuth.Server},