From 3b4085f9ea283f3b1cfd39a545872b5af1282250 Mon Sep 17 00:00:00 2001 From: jatin Date: Tue, 23 Jun 2026 16:49:49 -0400 Subject: [PATCH] support keyless auth for rr blob storage renders RR_DEFAULT_AZURE_ACCOUNT_URL when rr.blobStorage.azure.accountUrl is set with no connection string, so azure can authenticate via managed identity (DefaultAzureCredential) instead of a static connection string. s3 and gcs keyless auth already work: the chart renders credentials only when set, and the pod uses serviceAccount.annotations for its identity (eks irsa / gke workload identity). this documents that and adds the azure account-url path that the backend now understands. connection string still takes precedence over accountUrl when both are set, matching the backend. --- charts/retool/Chart.yaml | 2 +- charts/retool/templates/_helpers.tpl | 3 +++ charts/retool/values.yaml | 18 ++++++++++++++++-- 3 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/charts/retool/Chart.yaml b/charts/retool/Chart.yaml
index 17070c85..ee9f3d17 100644
--- a/charts/retool/Chart.yaml
+++ b/charts/retool/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: retool
 description: A Helm chart for Kubernetes
 type: application
-version: 6.11.5
+version: 6.11.6
 maintainers:
 - name: Retool Engineering
 email: engineering+helm@retool.com
diff --git a/charts/retool/templates/_helpers.tpl b/charts/retool/templates/_helpers.tpl
index 5cdd8adb..a00cd17c 100644
--- a/charts/retool/templates/_helpers.tpl
+++ b/charts/retool/templates/_helpers.tpl
@@ -975,6 +975,9 @@ directly via environmentVariables / environmentSecrets).
 {{- else if $bs.azure.connectionString }}
 - name: RR_DEFAULT_AZURE_CONNECTION_STRING
 value: {{ $bs.azure.connectionString | quote }}
+{{- else if $bs.azure.accountUrl }}
+- name: RR_DEFAULT_AZURE_ACCOUNT_URL value: {{ $bs.azure.accountUrl | quote }}
 {{- end }}
 {{- end }}
 {{- if .Values.rr.gitServer.repackThreshold }}
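Review bot: The new RR_DEFAULT_AZURE_ACCOUNT_URL branch renders whatever string is in rr.blobStorage.azure.accountUrl without checking that it is an https:// URL, so a bare host or an http:// value is only discovered at runtime — as far as I know the Azure SDK's bearer-token policy refuses to send the managed-identity token over non-TLS, so the pod starts and then fails on its first blob request. A `fail` guard next to the new branch turns that into a helm-install error: `{{- if not (hasPrefix "https://" $bs.azure.accountUrl) }}{{ fail "rr.blobStorage.azure.accountUrl must be an https:// URL, e.g. https://<storage-account>.blob.core.windows.net" }}{{- end }}`. The branch order also encodes the precedence the commit message describes but nothing in the template says so; a one-line comment above the new `else if`, such as `{{/* accountUrl is only honoured when no connection string (inline or secret-backed) is set; the backend applies the same precedence */}}`, keeps that from being "fixed" later. The secret-backed connection-string branch, if there is one, and the enclosing define both lie outside this hunk.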
diff --git a/charts/retool/values.yaml b/charts/retool/values.yaml
index 94fbba89..0c6a5cef 100644
--- a/charts/retool/values.yaml
+++ b/charts/retool/values.yaml
@@ -1211,11 +1211,23 @@ rr:
 # This block can be omitted entirely if RR_BLOB_STORAGE_PROVIDER and the
 # RR_DEFAULT_*_* env vars are provided directly via environmentVariables /
 # environmentSecrets above — the chart detects that and skips this guard.
+ #
+ # Keyless auth: each provider can authenticate as the pod's own identity
+ # instead of a static credential. Leave the credential field unset and set
+ # serviceAccount.annotations so the pod carries the right identity:
+ # - s3: omit accessKeyId/secret -> AWS default chain (EKS IRSA via the
+ # eks.amazonaws.com/role-arn annotation, instance profile, ECS role)
+ # - gcs: omit credentials -> Application Default Credentials (GKE Workload
+ # Identity via the iam.gke.io/gcp-service-account annotation)
+ # - azure: set accountUrl instead of a connection string -> managed identity
+ # (azure.workload.identity/client-id annotation + the
+ # azure.workload.identity/use: "true" pod label)
 blobStorage: {}
 # s3:
 # bucket: my-rr-bucket
 # region: us-east-1
 # endpoint: "" # optional, for S3-compatible (MinIO, R2, etc.)
+ # # Omit accessKeyId + secret to use the AWS default credential chain (IAM role / IRSA).
 # accessKeyId: AKIA...
 # # Provide secretAccessKey OR the secretName/secretKey pair below.
 # secretAccessKey: ""
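Review bot: The azure bullet in the new comment block sends the reader to serviceAccount.annotations, but `azure.workload.identity/use: "true"` is a label on the pod, not an annotation on the ServiceAccount, and as I understand the Workload Identity webhook it only injects the federated token volume and AZURE_* variables into pods carrying that label — a reader who sets the annotation alone gets a pod whose DefaultAzureCredential silently falls back to other sources or fails at runtime. The comment should say where this chart sets pod labels (a podLabels-style value, if one exists; it is not visible in this hunk), e.g. `# (azure.workload.identity/client-id annotation on the ServiceAccount, plus the azure.workload.identity/use: "true" label on the pod via podLabels)`. The s3 line `# # Omit accessKeyId + secret` is also ambiguous about which "secret": keyless auth requires accessKeyId, secretAccessKey and the secretName/secretKey pair all to be unset, which `# # Omit accessKeyId, secretAccessKey and the secretName/secretKey pair to use the AWS default credential chain (IAM role / IRSA).` states exactly.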
@@ -1224,17 +1236,19 @@ rr:
 #
 # gcs:
 # bucket: my-rr-bucket
- # # Provide credentials (JSON string) OR the secretName/secretKey pair below.
+ # # Omit credentials to use Application Default Credentials (Workload Identity).
 # credentials: ""
 # credentialsSecretName: ""
 # credentialsSecretKey: credentials.json
 #
 # azure:
 # container: my-rr-container
- # # Provide connectionString OR the secretName/secretKey pair below.
+ # # Provide connectionString OR the secretName/secretKey pair below, OR set
+ # # accountUrl on its own to authenticate via managed identity.
 # connectionString: ""
 # connectionStringSecretName: ""
 # connectionStringSecretKey: connection-string
+ # accountUrl: "" # e.g. https://.blob.core.windows.net
 agents:
 # Enable AI Agents
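Review bot: The example on the new `accountUrl` line, `https://.blob.core.windows.net`, has no storage account name in the host and is not a usable value; the placeholder was probably lost somewhere between editor and patch, and the line should read `# accountUrl: "" # e.g. https://<storage-account>.blob.core.windows.net`. The rewritten comment above it says accountUrl works "on its own" but not what happens when a connection string is also present; the commit message says the connection string wins, and that belongs in the values comment so a leftover connectionStringSecretName is not mistaken for keyless auth, e.g. `# # If both are set the connection string is used and accountUrl is ignored.`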