From f39517a18a8aeb46dbbe5578f780cf547e2e3543 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bombo?= Date: Thu, 4 Sep 2025 12:44:02 -0500 Subject: [PATCH] ci: aks: Refresh OIDC token in case access token expired MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It's possible that tests take a long time to run and hence that the access token expires before we delete the cluster. In this case `az cli` will try to refresh the access token using the OIDC token (which will have definitely also expired because its lifetime is ~5 minutes). To address this we refresh the OIDC token manually instead. Automatic refresh isn't supported per Azure/azure-cli#28708. Fixes: #11758 Signed-off-by: Aurélien Bombo --- .github/workflows/run-k8s-tests-on-aks.yaml | 7 +++++++ .github/workflows/run-kata-coco-stability-tests.yaml | 7 +++++++ .github/workflows/run-kata-coco-tests.yaml | 7 +++++++ .github/workflows/run-kata-deploy-tests-on-aks.yaml | 7 +++++++ 4 files changed, 28 insertions(+) diff --git a/.github/workflows/run-k8s-tests-on-aks.yaml b/.github/workflows/run-k8s-tests-on-aks.yaml index 2ce00ab3aa..0764040d6e 100644 --- a/.github/workflows/run-k8s-tests-on-aks.yaml +++ b/.github/workflows/run-k8s-tests-on-aks.yaml @@ -147,6 +147,13 @@ jobs: timeout-minutes: 60 run: bash tests/integration/kubernetes/gha-run.sh run-tests + - name: Refresh OIDC token in case access token expired + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZ_APPID }} + tenant-id: ${{ secrets.AZ_TENANT_ID }} + subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + - name: Delete AKS cluster if: always() run: bash tests/integration/kubernetes/gha-run.sh delete-cluster diff --git a/.github/workflows/run-kata-coco-stability-tests.yaml b/.github/workflows/run-kata-coco-stability-tests.yaml index ce5bdc04c6..fb3d82adcb 100644 --- a/.github/workflows/run-kata-coco-stability-tests.yaml +++ b/.github/workflows/run-kata-coco-stability-tests.yaml @@ -139,6 +139,13 @@ jobs: timeout-minutes: 300 run: bash tests/stability/gha-stability-run.sh run-tests + - name: Refresh OIDC token in case access token expired + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZ_APPID }} + tenant-id: ${{ secrets.AZ_TENANT_ID }} + subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + - name: Delete AKS cluster if: always() run: bash tests/integration/kubernetes/gha-run.sh delete-cluster diff --git a/.github/workflows/run-kata-coco-tests.yaml b/.github/workflows/run-kata-coco-tests.yaml index 1cd88138c5..a6a81a39ae 100644 --- a/.github/workflows/run-kata-coco-tests.yaml +++ b/.github/workflows/run-kata-coco-tests.yaml @@ -323,6 +323,13 @@ jobs: if: always() run: bash tests/integration/kubernetes/gha-run.sh report-tests + - name: Refresh OIDC token in case access token expired + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZ_APPID }} + tenant-id: ${{ secrets.AZ_TENANT_ID }} + subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + - name: Delete AKS cluster if: always() run: bash tests/integration/kubernetes/gha-run.sh delete-cluster diff --git a/.github/workflows/run-kata-deploy-tests-on-aks.yaml b/.github/workflows/run-kata-deploy-tests-on-aks.yaml index 17c8bfe757..48c6222a2e 100644 --- a/.github/workflows/run-kata-deploy-tests-on-aks.yaml +++ b/.github/workflows/run-kata-deploy-tests-on-aks.yaml @@ -102,6 +102,13 @@ jobs: - name: Run tests run: bash tests/functional/kata-deploy/gha-run.sh run-tests + - name: Refresh OIDC token in case access token expired + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZ_APPID }} + tenant-id: ${{ secrets.AZ_TENANT_ID }} + subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + - name: Delete AKS cluster if: always() run: bash tests/functional/kata-deploy/gha-run.sh delete-cluster