AKS Service Target: Remove automatic secret creation #2464
Is there an issue associated with this PR? I'd like to understand why we want to do this. Like, is there some security concern with the current approach, or something which is making us introduce the break here?
No issue logged but we've heard direct feedback from the AKS team and CSAs that this is odd behavior. This was more of a stop-gap workaround solution needed at the time to expose some azd environment variables to the AKS cluster.
@wbreza
Thanks for the feedback. We are proposing that we change the templating language used here. You can read more about that choice in #2455. TLDR: Syntax is the same as used in Helm which puts the user on a good path if/when they choose to adopt a more robust templating system.
Happy with the change here, and I think this is the right move. I do want to spend a few moments with @savannahostrowski when she gets back to have us talk about how we want to roll out this change (as well as #2455) due to the breaking-change nature of the thing. Just want to make sure we all have a credible plan for how we roll out these AZD changes + the required changes to our templates so users don't get caught off guard.
So holding off on the green check mark for now, but once we have an answer there, I will approve this. I love the diff, so much red :-)!
LGTM - As part of the release this lands in, let's make sure we produce some sort of collateral (doesn't need to be fancy) to show folks with existing deployments how to adopt these changes.
Really love having less magic in the model here. Great Change!
de67d3d to e095df1
Background
Our initial AKS implementation created an azd resource in the target k8s namespace with all the azd environment key/value pairs. These values could then be easily referenced by other resources.
With the change in templating in #2455 the new recommended approach would be for apps to create their own config maps as needed and reference azd secrets via templating.
This brings azd to a more cloud native state where we aren't creating any resources that haven't been explicitly defined. If users still wanted a config map that contains all azd resources the templating system allows ranging over maps which can be used to achieve the same goal.
Breaking Change
If users were relying on this automatic secret generation then this would be considered a breaking change for them and users will now need to manually create any config maps that their apps/services need.
Usage
Create config.tmpl.yaml
Reference config map from deployment or other k8s resource
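An added example (not code from this PR or from azd) of the two options the description names: a config map that lists only the keys an app needs, and one that ranges over the whole environment map. It uses Go's text/template, whose syntax Helm shares; the .Env map name, the key names and the values are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Constructed templates; .Env and all key names are assumptions, not azd syntax.
const explicitTmpl = `apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  API_BASE_URL: {{ printf "%q" .Env.API_BASE_URL }}
`

const allTmpl = `apiVersion: v1
kind: ConfigMap
metadata:
  name: azd-all
data:
{{- range $k, $v := .Env }}
  {{ $k }}: {{ printf "%q" $v }}
{{- end }}
`

// Render executes tmpl against env. missingkey=error turns a misspelled or
// absent key into a render failure instead of letting it render silently.
func Render(tmpl string, env map[string]string) (string, error) {
	t, err := template.New("config").Option("missingkey=error").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]interface{}{"Env": env}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample environment; DB_PASSWORD stands in for a sensitive value.
	env := map[string]string{"API_BASE_URL": "https://api.example.test", "DB_PASSWORD": "s3cr3t"}
	for _, tmpl := range []string{explicitTmpl, allTmpl} {
		out, err := Render(tmpl, env)
		fmt.Println(out, err)
	}
}
```

The explicit template keeps DB_PASSWORD out of the rendered manifest, while the ranged template puts every environment value into the namespace, as the removed automatic resource did.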