@MaxAnderson95

This PR adds the azure/kubelogin utility to the Scalr runner image. Kubelogin is a kubectl auth plugin that allows signing into AKS clusters using Entra ID authentication. Having this in the runner image will help us to switch to OIDC authentication when using the Kubernetes and Helm Tofu providers to configure our AKS clusters, without needing to install it on each run using a pre-init hook.

If this PR is merged and a new release is cut, you'll be able to close internal ticket CLOUD-3911 which I opened earlier this year to add the feature.

@emocharnik

Hi, @MaxAnderson95. I want you to consider two things:

  1. This image works only in workspaces connected to the self-hosted agents.
  2. The Golden image needs to be enabled in the account because this image does not have Terraform or OpenTofu installed (it is done during the run).
    Do you expect to run kubelogin in workspaces that execute runs on Scalr-managed agents?

@MaxAnderson95
Author

MaxAnderson95 commented Dec 19, 2025

Hi @emocharnik,

It looks like I did not do my homework before submitting this PR! I was not aware of the nuanced differences between scalr/runner, scalr/agent and scalr/agent-runner images. I also did not realize there were differences between the images that run on scalr-managed runners vs on-prem runners (it also seems like on-prem has its own nuances).

All that is to say.... it would be very helpful to have kubelogin available for use across the entire platform. Perhaps I should have just been more patient on CLOUD-3911 😅. If you'd like, feel free to just close this PR, and use the work I did as a starting point if you decide to add the tool to all of the images (both open source and closed source).

EDIT:
To answer your last question directly: Our initial use case would be to use kubelogin in workspaces that use self-hosted agents (specifically Ubuntu, which evidently appears to be deprecated now), but we may wish to use the tool on Scalr-managed agents in the future.

@emocharnik

@MaxAnderson95, thanks for the information. While that Ubuntu version is deprecated, you can still run agents on VMs via Docker, as it provides a universal environment across different operating systems.

Following a team discussion, we are ready to merge this PR and add kubelogin to the default runner image. We do need to conduct some performance testing first, as adding new software to the base image can impact startup times.

Looking ahead, we are working to unify our runner architecture, which will soon be available for Scalr-hosted runners. Would you like me to enable this beta feature for you once it’s ready?

@MaxAnderson95
Author

@emocharnik Sounds great! And yes happy to participate in your beta! Thanks for your help!
