diff --git a/manifest_staging/charts/aad-pod-identity/README.md b/manifest_staging/charts/aad-pod-identity/README.md
index 14388f402..1e0c5b8cb 100755
--- a/manifest_staging/charts/aad-pod-identity/README.md
+++ b/manifest_staging/charts/aad-pod-identity/README.md
@@ -277,6 +277,8 @@ The following tables list the configurable parameters of the aad-pod-identity ch
 | `mic.syncRetryDuration` | Override interval in seconds at which sync loop should periodically check for errors and reconcile | If not provided, default value is `3600s` |
 | `mic.immutableUserMSIs` | List of user-defined identities that shouldn't be deleted from VM/VMSS. | If not provided, default value is empty |
 | `mic.cloudConfig` | The cloud configuration used to authenticate with Azure | If not provided, default value is `/etc/kubernetes/azure.json` |
+| `mic.customCloud.enabled` | Indicates whether or not a custom cloud (e.g., AzureStack) is in use | If not provided, default value is `false` |
+| `mic.customCloud.configPath` | The location of the custom cloud config file | If not provided, default value is `/etc/kubernetes/akscustom.json` |
 | `mic.updateUserMSIMaxRetry` | The maximum retry of UpdateUserMSI call in case of assignment errors | If not provided, default value is `2` |
 | `mic.updateUserMSIRetryInterval` | The duration to wait before retrying UpdateUserMSI (batch assigning/un-assigning identity from VM/VMSS) in case of errors | If not provided, default value is `1s` |
 | `mic.identityAssignmentReconcileInterval` | The interval between reconciling identity assignment on Azure based on an existing list of AzureAssignedIdentities | If not provided, default value is `3m` |
diff --git a/manifest_staging/charts/aad-pod-identity/templates/mic-deployment.yaml b/manifest_staging/charts/aad-pod-identity/templates/mic-deployment.yaml
index 9aff614e9..600128638 100644
--- a/manifest_staging/charts/aad-pod-identity/templates/mic-deployment.yaml
+++ b/manifest_staging/charts/aad-pod-identity/templates/mic-deployment.yaml
@@ -156,17 +156,28 @@ spec:
 name: {{ template "aad-pod-identity.mic.fullname" . }}
 {{- end }}
 {{- end }}
+ {{- if .Values.mic.customCloud.enabled }}
+ - name: AZURE_ENVIRONMENT_FILEPATH
+ value: "{{ .Values.mic.customCloud.configPath }}"
+ {{- end }}
 {{- if .Values.mic.prometheusPort }}
 ports:
 - containerPort: {{ .Values.mic.prometheusPort }}
 name: metrics
 protocol: TCP
 {{- end }}
- {{- if not .Values.adminsecret }}
+ {{- if or (not .Values.adminsecret) .Values.mic.customCloud.enabled }}
 volumeMounts:
+ {{- if not .Values.adminsecret }}
 - name: k8s-azure-file
 mountPath: {{ .Values.mic.cloudConfig }}
 readOnly: true
+ {{- end }}
+ {{- if .Values.mic.customCloud.enabled }}
+ - name: custom-env-file
+ mountPath: {{ .Values.mic.customCloud.configPath }}
+ readOnly: true
+ {{- end }}
 {{- end }}
 livenessProbe:
 httpGet:
@@ -182,12 +193,19 @@ spec:
 resources:
 {{ toYaml . | indent 12 }}
 {{- end }}
- {{- if not .Values.adminsecret }}
+ {{- if or (not .Values.adminsecret) .Values.mic.customCloud.enabled }}
 volumes:
+ {{- if not .Values.adminsecret }}
 - name: k8s-azure-file
 hostPath:
 path: {{ .Values.mic.cloudConfig }}
 {{- end }}
+ {{- if .Values.mic.customCloud.enabled }}
+ - name: custom-env-file
+ hostPath:
+ path: {{ .Values.mic.customCloud.configPath }}
+ {{- end }}
+ {{- end }}
 {{- with .Values.mic.nodeSelector }}
 nodeSelector:
 {{ toYaml . | indent 8 }}
diff --git a/manifest_staging/charts/aad-pod-identity/values.yaml b/manifest_staging/charts/aad-pod-identity/values.yaml
index 9238397ed..79f8e87bc 100644
--- a/manifest_staging/charts/aad-pod-identity/values.yaml
+++ b/manifest_staging/charts/aad-pod-identity/values.yaml
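Review bot: The new `AZURE_ENVIRONMENT_FILEPATH` entry hand-quotes its value (`value: "{{ .Values.mic.customCloud.configPath }}"`) while the new `mountPath: {{ .Values.mic.customCloud.configPath }}` a few lines below renders the same user-supplied path as a plain scalar, so one value is emitted in two different styles inside one hunk; a path containing `: `, ` #` or a double quote would render cleanly on one line and produce an invalid manifest on the other. The Helm idiom is to let the template do the quoting on both lines, `value: {{ .Values.mic.customCloud.configPath | quote }}` and `mountPath: {{ .Values.mic.customCloud.configPath | quote }}`. The pre-existing `mountPath: {{ .Values.mic.cloudConfig }}` has the same plain-scalar shape, so this may be a chart-wide convention rather than an oversight, but the new lines should at least agree with each other. The enclosing container spec starts before the hunk and the pod template continues past it.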
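Review bot: The new `custom-env-file` hostPath volume specifies only `path:` and no `type:`, so nothing verifies that `mic.customCloud.configPath` exists on the node as a regular file before it is mounted; with the default (empty) hostPath type no check is performed and, depending on the runtime, an empty directory may be created at that path, so MIC only fails later when it tries to read the file named by `AZURE_ENVIRONMENT_FILEPATH` rather than the pod surfacing a clear mount failure. Adding `type: File` makes a missing or non-file path fail at mount time with an explicit event: `hostPath:` / `  path: {{ .Values.mic.customCloud.configPath }}` / `  type: File`. The pre-existing `k8s-azure-file` volume has the same shape and is not changed by this commit. The enclosing `volumes:` list and pod spec begin and end outside the hunk.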
@@ -141,6 +141,12 @@ mic: # cloud configuration used to authenticate with Azure cloudConfig: "/etc/kubernetes/azure.json" + # Configures for a custom cloud per the example here: + # https://azure.github.io/aad-pod-identity/docs/configure/custom_cloud/ + customCloud: + enabled: false + configPath: "/etc/kubernetes/akscustom.json" + # The maximum retry of UpdateUserMSI call. MIC updates all the identities in a batch. If a single identity contains an error # or is invalid, then the entire operation fails. Configuring this flag will make MIC retry by removing the erroneous identities # returned in the error diff --git a/website/content/en/docs/Configure/custom_cloud.md b/website/content/en/docs/Configure/custom_cloud.md index 55ae274a5..5688ab2da 100644 --- a/website/content/en/docs/Configure/custom_cloud.md +++ b/website/content/en/docs/Configure/custom_cloud.md @@ -7,6 +7,9 @@ description: > --- This document highlights the steps to configure and use AAD Pod Identity in custom Azure cloud environments. +If you are deploying with helm, then set `mic.customCloud.enabled` to true (e.g., `--set mic.customCloud.enabled=true` +on the command line) to have the following configuration changes rendered. The custom cloud environment file +name can be changed from `/etc/kubernetes/akscustom.json` by setting `mic.customCloud.configPath`. 1. Ensure the cloud name in `/etc/kubernetes/azure.json` is set to `AzureStackCloud`
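Review bot: The new `customCloud` block carries only a stanza-level comment and a link, so a reader of values.yaml cannot tell that `configPath` is used for three things at once in the template: the hostPath on the node, the read-only mount path inside the MIC container, and the value of `AZURE_ENVIRONMENT_FILEPATH`. Suggest a comment above `enabled:` such as `# Set to true when MIC runs against a custom cloud (e.g., AzureStack).` and one above `configPath:` such as `# Host path of the custom cloud environment file; it is mounted read-only at the same path inside the MIC container and exported as AZURE_ENVIRONMENT_FILEPATH.` The stanza comment "Configures for a custom cloud per the example here:" would also read more naturally as "Custom cloud settings; see the example at:".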