This repository has been archived by the owner on Oct 12, 2023. It is now read-only.

chore: support custom cloud configuration in helm chart (#1203)
* Support custom cloud configuration in helm chart

Add support for a custom cloud (e.g., AzureStack) in the helm chart.
This adds the configuration as described in the documentation here:
https://azure.github.io/aad-pod-identity/docs/configure/custom_cloud/

* Incorporate review feedback

* Fix whitespace issues
* Convert nested if to else if
* Add documentation for helm usage to custom_cloud.md

* Review feedback -- support custom cloud and admin secret
brianloss committed Dec 8, 2021
1 parent 43e7011 commit cc8a292
Showing 4 changed files with 31 additions and 2 deletions.
2 changes: 2 additions & 0 deletions manifest_staging/charts/aad-pod-identity/README.md
Expand Up @@ -277,6 +277,8 @@ The following tables list the configurable parameters of the aad-pod-identity ch
| `mic.syncRetryDuration` | Override interval in seconds at which sync loop should periodically check for errors and reconcile | If not provided, default value is `3600s` |
| `mic.immutableUserMSIs` | List of user-defined identities that shouldn't be deleted from VM/VMSS. | If not provided, default value is empty |
| `mic.cloudConfig` | The cloud configuration used to authenticate with Azure | If not provided, default value is `/etc/kubernetes/azure.json` |
| `mic.customCloud.enabled` | Indicates whether or not a custom cloud (e.g., AzureStack) is in use | If not provided, default value is `false` |
| `mic.customCloud.configPath` | The location of the custom cloud config file | If not provided, default value is `/etc/kubernetes/akscustom.json` |
| `mic.updateUserMSIMaxRetry` | The maximum retry of UpdateUserMSI call in case of assignment errors | If not provided, default value is `2` |
| `mic.updateUserMSIRetryInterval` | The duration to wait before retrying UpdateUserMSI (batch assigning/un-assigning identity from VM/VMSS) in case of errors | If not provided, default value is `1s` |
| `mic.identityAssignmentReconcileInterval` | The interval between reconciling identity assignment on Azure based on an existing list of AzureAssignedIdentities | If not provided, default value is `3m` |
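Review bot: the `mic.customCloud.configPath` row should say that the path is read from the node's filesystem (the template mounts it as a `hostPath`, using the same value for both the source path on the node and the `mountPath` in the container), so the file must already exist at that path on every node MIC can be scheduled to; the chart does not create or populate it. It would also help to note in the `mic.customCloud.enabled` row that the switch only wires the environment file into the MIC deployment in this change.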
Expand Up @@ -156,17 +156,28 @@ spec:
name: {{ template "aad-pod-identity.mic.fullname" . }}
{{- end }}
{{- end }}
{{- if .Values.mic.customCloud.enabled }}
- name: AZURE_ENVIRONMENT_FILEPATH
value: "{{ .Values.mic.customCloud.configPath }}"
{{- end }}
{{- if .Values.mic.prometheusPort }}
ports:
- containerPort: {{ .Values.mic.prometheusPort }}
name: metrics
protocol: TCP
{{- end }}
{{- if not .Values.adminsecret }}
{{- if or (not .Values.adminsecret) .Values.mic.customCloud.enabled }}
volumeMounts:
{{- if not .Values.adminsecret }}
- name: k8s-azure-file
mountPath: {{ .Values.mic.cloudConfig }}
readOnly: true
{{- end }}
{{- if .Values.mic.customCloud.enabled }}
- name: custom-env-file
mountPath: {{ .Values.mic.customCloud.configPath }}
readOnly: true
{{- end }}
{{- end }}
livenessProbe:
httpGet:
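Review bot: the env var and the mount both depend on the same value, `.Values.mic.customCloud.configPath`, which is what makes the file visible at exactly the path `AZURE_ENVIRONMENT_FILEPATH` tells the SDK to read; a one-line template comment saying the two must stay in sync would save a future edit from breaking one side. Minor: the env `value` is quoted but `mountPath: {{ .Values.mic.customCloud.configPath }}` is not; quoting it the same way guards against YAML re-interpreting an unusual path value. `readOnly: true` on the new mount is the right default for a file the pod only reads.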
Expand All @@ -182,12 +193,19 @@ spec:
resources:
{{ toYaml . | indent 12 }}
{{- end }}
{{- if not .Values.adminsecret }}
{{- if or (not .Values.adminsecret) .Values.mic.customCloud.enabled }}
volumes:
{{- if not .Values.adminsecret }}
- name: k8s-azure-file
hostPath:
path: {{ .Values.mic.cloudConfig }}
{{- end }}
{{- if .Values.mic.customCloud.enabled }}
- name: custom-env-file
hostPath:
path: {{ .Values.mic.customCloud.configPath }}
{{- end }}
{{- end }}
{{- with .Values.mic.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
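Review bot: the new `custom-env-file` `hostPath` sets no `type`, so the kubelet performs no check before mounting; if the file is missing on a node the pod still starts and MIC only fails later, when it first tries to read the environment file. Adding `type: File` makes the kubelet reject the mount with a clear event instead:
  hostPath:
    path: {{ .Values.mic.customCloud.configPath }}
    type: File
The existing `k8s-azure-file` volume has the same gap, but that predates this change.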
6 changes: 6 additions & 0 deletions manifest_staging/charts/aad-pod-identity/values.yaml
Expand Up @@ -141,6 +141,12 @@ mic:
# cloud configuration used to authenticate with Azure
cloudConfig: "/etc/kubernetes/azure.json"

# Configures for a custom cloud per the example here:
# https://azure.github.io/aad-pod-identity/docs/configure/custom_cloud/
customCloud:
enabled: false
configPath: "/etc/kubernetes/akscustom.json"

# The maximum retry of UpdateUserMSI call. MIC updates all the identities in a batch. If a single identity contains an error
# or is invalid, then the entire operation fails. Configuring this flag will make MIC retry by removing the erroneous identities
# returned in the error
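Review bot: the comment `# Configures for a custom cloud per the example here:` reads awkwardly and says nothing about what `configPath` is; suggest `# Custom cloud (e.g., AzureStack) settings, see:` on the first line, plus a per-key comment on `configPath` stating that it is a path on the node which is mounted read-only into the MIC pod and exported as `AZURE_ENVIRONMENT_FILEPATH`. That spares users from reading the template to learn the file must be present on the node.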
3 changes: 3 additions & 0 deletions website/content/en/docs/Configure/custom_cloud.md
Expand Up @@ -7,6 +7,9 @@ description: >
---

This document highlights the steps to configure and use AAD Pod Identity in custom Azure cloud environments.
If you are deploying with helm, then set `mic.customCloud.enabled` to true (e.g., `--set mic.customCloud.enabled=true`
on the command line) to have the following configuration changes rendered. The custom cloud environment file
name can be changed from `/etc/kubernetes/akscustom.json` by setting `mic.customCloud.configPath`.

1. Ensure the cloud name in `/etc/kubernetes/azure.json` is set to `AzureStackCloud`
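Review bot: the new paragraph tells helm users which values to set but not that the chart reads the environment file from the node via a `hostPath` mount, so a reader following this page could set `mic.customCloud.enabled=true` on a cluster where `/etc/kubernetes/akscustom.json` was never placed on the nodes; add a sentence that the file at `mic.customCloud.configPath` must exist on every node before the release is installed or upgraded. Also, only the MIC deployment template gains the env var and mount in this commit, so if the steps below require the environment file for NMI as well, say that the helm switch covers MIC only.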


0 comments on commit cc8a292