Skip to content

Pipelines access key vault and storage through private endpoints #7483

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
kodiakhq merged 53 commits into from
Dec 12, 2025
Merged

Pipelines access key vault and storage through private endpoints #7483

kodiakhq merged 53 commits into from
Dec 12, 2025

Conversation

@damonbarry
Copy link
Member

@damonbarry damonbarry commented Nov 3, 2025
edited
Loading

As part of SFI work, we have to ensure that Azure resources used by our tests--specifically key vaults and storage accounts--are not open to the public internet. To complete the SFI work, we needed to make some updates to our test infrastructure. Specifically, this change ensures we only access key vaults from Azure Virtual Networks (vnets) so that we can use Private Link and private endpoints. This required that we move key vault access out of jobs that run from on-prem agents (e.g., Raspberry Pis used to test arm32v7 support). Note that we already take this approach when it comes to accessing storage accounts.

There was also a bit of refactoring involved so that we could optionally do the key vault access from a standalone job that always runs in Azure. In the pipelines that require it, we leveraged an existing job that generates a SAS token for accessing the test storage account.

To test, I ran the affected pipelines to ensure they pass:
CI build
CI test
Connectivity tests
End-to-end tests
Nested end-to-end tests
ISA-95 smoke tests

Azure IoT Edge PR checklist:

This checklist is used to make sure that common guidelines for a pull request are followed.

General Guidelines and Best Practices

  • I have read the contribution guidelines.
  • Title of the pull request is clear and informative.
  • Description of the pull request includes a concise summary of the enhancement or bug fix.

Testing Guidelines

  • Pull request includes test coverage for the included changes.
  • Description of the pull request includes
    • concise summary of tests added/modified
    • local testing done.

damonbarry and others added 30 commits November 3, 2025 14:06
@damonbarry
Make arm32v7 jobs minimal so they don't need to access storage
5846298
@damonbarry
Get key vault secrets once, share with other jobs
9ed2135
@damonbarry
Rename template
4ca30fb
@damonbarry
TestIotHubResourceId isn't a secret
bf4a978
@damonbarry
Use different syntax to refer to template parameters
d3eb5c6
@damonbarry
Fix task name
aa89e84
@damonbarry
Encode/decode cert and key
1d6b5e5
@damonbarry
Fix variable case
db22056
@damonbarry
Update end-to-end checkin pipeline
89de78f
@damonbarry
Remove comment
086de13
@damonbarry
Update variable case in nested e2e pipeline
fc4e0ce
@damonbarry
Only get secrets if key vault name is passed in
d5b755c
@damonbarry
Temporarily hard-code condition
b954602
@damonbarry
Fix condition logic for key vault task
3511651
@damonbarry
Remove key vault condition
d53de73
@damonbarry
Wire up more secrets in nested e2e pipeline
5d1d782
@damonbarry
Rename template
db14fa1
@damonbarry
Sprout child templates
d91b62d
@damonbarry
Update connectivity pipeline to use new templates
c0faba9
@damonbarry
Update ISA-95 pipeline to use new template
41a343a
@damonbarry
Simplify e2e checkin pipeline
7891519
@damonbarry
Fix parameters for nested e2e AMQP test run
0f278e7
@damonbarry
Fix parameters for ISA-95 test run
411c6d3
@damonbarry
Remove outdated job dependency
c62c40d
@damonbarry
Merge branch 'main' into private-endpoints
08f013d
@damonbarry
Don't create output variables for same-job use
082fd50
@damonbarry
Fix parameter reference syntax
124536e
@damonbarry
Fix sas_uri param ref syntax
df91f03
@damonbarry
Reference new template parameter in connectivity pipeline
3d44627
@damonbarry
Reduce duplication in e2e jobs
7fa63d2
damonbarry and others added 23 commits November 7, 2025 12:39
@damonbarry
Fix pool references
0ffc07b
@damonbarry
Fix parameter expression syntax
5a1976b
@damonbarry
Fix template indentation
c6de02b
@damonbarry
Try different template expression syntax
01a27f4
@damonbarry
Revert "Try different template expression syntax"
d78ad11 
This reverts commit 01a27f4.
@damonbarry
Fix another indentation problem
8e6e63d
@damonbarry
Fix snap arch args
89555ae
@damonbarry
Fix arm64 pool variable
4e118b6
@damonbarry
Revert "Fix arm64 pool variable"
00fe982 
This reverts commit 4e118b6.
@damonbarry
Revert "Fix snap arch args"
1693f23 
This reverts commit 89555ae.
@damonbarry
Revert "Fix another indentation problem"
d6319f1 
This reverts commit 8e6e63d.
@damonbarry
Revert "Revert "Try different template expression syntax""
64fc714 
This reverts commit d78ad11.
@damonbarry
Revert "Try different template expression syntax"
543254a 
This reverts commit 01a27f4.
@damonbarry
Revert "Fix template indentation"
fb8cf23 
This reverts commit c6de02b.
@damonbarry
Revert "Fix parameter expression syntax"
81a26fe 
This reverts commit 5a1976b.
@damonbarry
Revert "Fix pool references"
8c35f8b 
This reverts commit 0ffc07b.
@damonbarry
Revert "Reduce duplication in e2e jobs"
5f967b7 
This reverts commit 7fa63d2.
@damonbarry
Merge branch 'main' into private-endpoints
c19ece9
@damonbarry
Restore original "minimal" setting for Debian 12 arm32v7
ec7b35b
@damonbarry
Restore test timeout for Debian 12 arm32v7
9d68fce
@damonbarry
Disable TestUpload* tests from on-prem custom agents
6f74566
@damonbarry
Merge branch 'main' into private-endpoints
a31d32b
@damonbarry
Merge branch 'main' into private-endpoints
cd610f6
yophilav
yophilav approved these changes Dec 12, 2025
View reviewed changes
@kodiakhq kodiakhq bot merged commit 6e479ca into Azure:main Dec 12, 2025
17 checks passed
@damonbarry damonbarry deleted the private-endpoints branch December 12, 2025 17:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yophilav yophilav yophilav approved these changes

Assignees

No one assigned

Labels

ready-to-merge

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@damonbarry @yophilav