This repository has been archived by the owner on Oct 12, 2023. It is now read-only.
feat: use map for azureIdentities instead of list in helm chart (#899)
aramase committed Dec 9, 2020
1 parent cc39f9f commit 1c4bb3c
Showing 4 changed files with 72 additions and 18 deletions.
41 changes: 38 additions & 3 deletions manifest_staging/charts/aad-pod-identity/README.md
@@ -17,7 +17,7 @@ helm install aad-pod-identity/aad-pod-identity --set=installCRDs=true
## Helm chart and aad-pod-identity versions

| Helm Chart Version | AAD Pod Identity Version |
|--------------------|--------------------------|
| ------------------ | ------------------------ |
| `1.5.2` | `1.5.2` |
| `1.5.3` | `1.5.3` |
| `1.5.4` | `1.5.4` |
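Review bot: Whitespace-only change to the table separator row (padding inside the `|` cells) that is unrelated to the feature named in the commit title; the same cosmetic edit recurs in the other README and docs tables below. Splitting formatter-only changes into their own commit keeps `git blame` on the migration notes pointing at the commit that actually changed them.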
@@ -154,6 +154,41 @@ Once this is done, the helm upgrade command will succeed.
A major chart version change (like v1.6.0 -> v2.0.0) indicates that there is a backward-incompatible (breaking) change needing manual actions.
#### 3.0.0
Accessing the identities in the list is harder for the user to figure out and prone to errors if the order is changed. This version updates the `azureIdentities` to be a map instead of a list of identities.

The following is a basic example of the required change in the user-supplied values file.

```diff
-azureIdentities:
- - name: "azure-identity"
- # if not defined, then the azure identity will be deployed in the same namespace as the chart
- namespace: ""
- # type 0: MSI, type 1: Service Principal
- type: 0
- # /subscriptions/subscription-id/resourcegroups/resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-name
- resourceID: "resource-id"
- clientID: "client-id"
- binding:
- name: "azure-identity-binding"
- # The selector will also need to be included in labels for app deployment
- selector: "demo"
+azureIdentities:
+ "azure-identity":
+ # if not defined, then the azure identity will be deployed in the same namespace as the chart
+ namespace: ""
+ # type 0: MSI, type 1: Service Principal
+ type: 0
+ # /subscriptions/subscription-id/resourcegroups/resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-name
+ resourceID: "resource-id"
+ clientID: "client-id"
+ binding:
+ name: "azure-identity-binding"
+ # The selector will also need to be included in labels for app deployment
+ selector: "demo"
```

#### 2.0.0

This version removes the `azureIdentity` and `azureIdentityBinding` values in favor of `azureIdentities`, a list of identities and their respective bindings, to support the creation of multiple AzureIdentity and AzureIdentityBinding resources.
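Review bot: The 3.0.0 migration example still documents only `type 0: MSI, type 1: Service Principal`, while `values.yaml` in this same commit documents types 0, 1 and 2 and the template now requires `tenantID` and `clientPassword` for any type other than 0. This is the section a user reads when crossing the breaking change, so list the type 1/2 fields here too (`tenantID`, `clientPassword`, optional `auxiliaryTenantIDs`) or point at the commented block in `values.yaml`; otherwise a type 1 identity that rendered with the 2.x chart now fails with `tenantID is required!` and nothing in the upgrade notes explains why.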
@@ -187,7 +222,7 @@ The following is a basic example of the required change in the user-supplied val
The following tables list the configurable parameters of the aad-pod-identity chart and their default values.

| Parameter | Description | Default |
|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------|
| ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------- |
| `nameOverride` | String to partially override aad-pod-identity.fullname template with a string (will prepend the release name) | `""` |
| `fullnameOverride` | String to fully override aad-pod-identity.fullname template with a string | `""` |
| `image.repository` | Image repository | `mcr.microsoft.com/oss/azure/aad-pod-identity` |
@@ -244,7 +279,7 @@ The following tables list the configurable parameters of the aad-pod-identity ch
| `nmi.allowNetworkPluginKubenet` | Allow running aad-pod-identity in cluster with kubenet | `false` |
| `rbac.enabled` | Create and use RBAC for all aad-pod-identity resources | `true` |
| `rbac.allowAccessToSecrets` | NMI requires permissions to get secrets when service principal (type: 1) is used in AzureIdentity. If using only MSI (type: 0) in AzureIdentity, secret get permission can be disabled by setting this to false. | `true` |
| `azureIdentities` | List of azure identities and azure identity bindings resources to create | `[]` |
| `azureIdentities` | Map of azure identities and azure identity bindings resources to create. The map key is the `AzureIdentity` name. | `{}` |
| `installCRDs` | If true, install necessary custom resources | `false` |

## Troubleshooting
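Review bot: The `azureIdentities` row is updated, but the `rbac.allowAccessToSecrets` row two lines above still says secret access is needed only for `type: 1`, while `values.yaml` in this commit marks `clientPassword`, a reference to a Kubernetes Secret, as required for types 1 and 2. Change that description to "service principal (type: 1 or 2)" so that a user running certificate-based service principals does not read it as permission to set this to `false` and break NMI's secret lookup.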
25 changes: 17 additions & 8 deletions manifest_staging/charts/aad-pod-identity/templates/identities.yaml
@@ -2,27 +2,36 @@
apiVersion: v1
kind: List
items:
{{- range .Values.azureIdentities }}
{{- range $key, $value := .Values.azureIdentities }}
- apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
name: {{ .name }}
name: {{ $key }}
namespace: {{ default $.Release.Namespace .namespace }}
labels:
{{- include "aad-pod-identity.labels" $ | nindent 8 }}
spec:
type: {{ .type }}
resourceID: {{ required "resourceID is required!" .resourceID }}
clientID: {{ required "clientID is required!" .clientID }}
type: {{ $value.type }}
clientID: {{ required "clientID is required!" $value.clientID }}
{{- if eq (int $value.type) 0 }}
resourceID: {{ required "resourceID is required!" $value.resourceID }}
{{- else }}
tenantID: {{ required "tenantID is required!" $value.tenantID }}
clientPassword: {{ required "clientPassword is required!" $value.clientPassword }}
auxiliaryTenantIDs:
{{- range $value.auxiliaryTenantIDs }}
- {{ . }}
{{- end }}
{{- end }}
- apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentityBinding
metadata:
name: {{ .binding.name }}
name: {{ $value.binding.name }}
namespace: {{ default $.Release.Namespace .namespace }}
labels:
{{- include "aad-pod-identity.labels" $ | nindent 8 }}
spec:
azureIdentity: {{ .name }}
selector: {{ required "binding.selector is required!" .binding.selector }}
azureIdentity: {{ $key }}
selector: {{ required "binding.selector is required!" $value.binding.selector }}
{{- end }}
{{- end -}}
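Review bot: Two points in the rendered `AzureIdentity`. First, `auxiliaryTenantIDs:` is emitted unconditionally in the non-type-0 branch, so an identity with no auxiliary tenants renders the key with a null value; wrap it in `{{- if $value.auxiliaryTenantIDs }}` ... `{{- end }}` so the field only appears when set. Second, both `namespace: {{ default $.Release.Namespace .namespace }}` lines still use `.namespace` while every other field was switched to `$value.*`; inside `range $key, $value :=` dot is still rebound to the element so this works today, but `$value.namespace` is consistent and will not silently break if someone later nests a `with` or `range` around it.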
16 changes: 13 additions & 3 deletions manifest_staging/charts/aad-pod-identity/values.yaml
@@ -211,15 +211,25 @@ rbac:
allowAccessToSecrets: true

# Create azure identities and bindings
azureIdentities: []
# - name: "azure-identity"
# This is a map with the AzureIdentityName being the key and the rest of the blob as value in accordance
# to helm best practices: https://helm.sh/docs/chart_best_practices/values/#consider-how-users-will-use-your-values
azureIdentities:
# "azure-identity":
# # if not defined, then the azure identity will be deployed in the same namespace as the chart
# namespace: ""
# # type 0: MSI, type 1: Service Principal
# # type 0: User-assigned identity, type 1: Service Principal, type 2: Service principal with certificate
# type: 0
# # /subscriptions/subscription-id/resourcegroups/resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-name
# # Required for type 0
# resourceID: ""
# # Required for type 0, 1 and 2
# clientID: ""
# # Required for type 1 and 2
# tenantID: ""
# # Required for type 1 and 2
# clientPassword: "{\"name\":\"<secret name>\",\"namespace\":\"<secret namespace>\"}"
# # Optional for type 1 and 2 (multi-tenant)
# auxiliaryTenantIDs: []
# binding:
# name: "azure-identity-binding"
# # The selector will also need to be included in labels for app deployment
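Review bot: The `clientPassword` comment should state what the value is. The example is a JSON reference to a Kubernetes Secret (`name`/`namespace`), not the password or certificate itself, yet the key name and the bare "Required for type 1 and 2" invite users to paste the real credential into a values file that usually lands in version control; a comment such as "reference to the Secret holding the service principal password or certificate, not the credential" closes that gap. Minor wording: "in accordance to helm best practices" should read "in accordance with", and "AzureIdentityName" reads better as "AzureIdentity name".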
8 changes: 4 additions & 4 deletions website/content/en/docs/Concepts/azureidentity.md
@@ -4,7 +4,7 @@ linkTitle: "AzureIdentity"
weight: 1
date: 2020-11-03
description: >
Describes one of the following Azure identity resources: 0) user-assigned identity, 1) service principal, or 2) service principal with certifcate.
Describes one of the following Azure identity resources: 0) user-assigned identity, 1) service principal, or 2) service principal with certificate.
---

<details>
@@ -70,7 +70,7 @@ spec:
clientPassword: {"name":"<SecretName>","namespace":"<SecretNamespace>"}
```
- service principal (certifcate)
- service principal (certificate)
```yaml
apiVersion: v1
@@ -98,7 +98,7 @@ spec:
## `AzureIdentity`

| Field | Description |
|-------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| ----------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `apiVersion`<br>*string* | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources. |
| `kind`<br>*string* | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds. |
| `metadata`<br>[*`ObjectMeta`*](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta) | Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata |
@@ -107,7 +107,7 @@ spec:
## `AzureIdentitySpec`

| Field | Description |
|---------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| ------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `type`<br>*integer* | `0`: user-assigned identity.<br>`1`: service principal. <br>`2`: service principal with certificate. |
| `resourceID`<br>*string* | The resource ID of the user-assigned identity (only applicable when `type` is `0`), i.e. `/subscriptions/<SubscriptionID>/resourcegroups/<ResourceGroup>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<UserAssignedIdentityName>`. |
| `clientID`<br>*string* | The client ID of the identity. |