From e12549790272d63e755e2f6de4f72ef0fdbd2a00 Mon Sep 17 00:00:00 2001
From: Paul Bourke
Date: Thu, 18 Nov 2021 16:23:18 +0000
Subject: [PATCH] Allow full kustomisation of aad-msi-binding.yaml

Currently the name of the AzureIdentity/AzureIdentityBinding objects created as part of the aad-pod-identity lz addon have hardcoded names. This made it not possible to create more than one pair for one MSI. This patch applies kustomise to each field allowing for more customisation. It also adds a new 'selector' argument in the case the user doesn't want the name of the MSI used in this field: managed_identities = { ingress_msi = { lz_key = "aks" aadpodidentity_selector = "ingress" msi_keys = [ "ingress", ] } } If aadpodidentity_selector is not specified the MSI name is used as before.
---
 .../aad-pod-identity/aad-msi-binding.yaml | 11 +++++++----
 .../aad-pod-identity/aad_pod_identity.tf | 17 ++++++++++++++++-
 2 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/caf_solution/add-ons/aad-pod-identity/aad-msi-binding.yaml b/caf_solution/add-ons/aad-pod-identity/aad-msi-binding.yaml
index c8e5a083f..61ccbb7b6 100644
--- a/caf_solution/add-ons/aad-pod-identity/aad-msi-binding.yaml
+++ b/caf_solution/add-ons/aad-pod-identity/aad-msi-binding.yaml
@@ -1,9 +1,12 @@
 # https://github.com/Azure/aad-pod-identity/blob/b3ee1d07209f26c47a96abf3ba20749932763de6/website/content/en/docs/Concepts/azureidentity.md
+#
+# Note, while the ${} values are not required for kustomize to work, they signify which values are
+# eligible for configuration.
 apiVersion: aadpodidentity.k8s.io/v1
 kind: AzureIdentity
 metadata:
-  name: podmi-caf-rover-platform-level0
+  name: ${azureidentity_name}
 spec:
   type: 0
   resourceID: ${resource_id}
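Review bot: The new header comment says the `${}` placeholders mark configurable fields but not what happens when a patch fails to target one, which is the property worth recording: `$`, `{` and `}` are not valid characters in a Kubernetes object name, so an unreplaced `${azureidentity_name}` is rejected by the API server rather than being deployed under the old shared hardcoded name. That is a useful fail-closed behaviour and a future maintainer should not "fix" the placeholders into valid-looking defaults. Suggest appending `# An unreplaced placeholder is deliberately not a valid object name, so a missing patch fails at apply time instead of deploying a shared default.` to the comment. The same note applies to the placeholders introduced in this file's second hunk.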
@@ -12,8 +15,8 @@ spec:
 apiVersion: aadpodidentity.k8s.io/v1
 kind: AzureIdentityBinding
 metadata:
-  name: podmi-gitlab-runner-binding
+  name: ${azureidentitybinding_name}
 spec:
-  azureIdentity: podmi-caf-rover-platform-level0
-  selector: podmi-caf-rover-platform-level0
+  azureIdentity: ${azureidentity_name}
+  selector: ${azureidentity_selector}
diff --git a/caf_solution/add-ons/aad-pod-identity/aad_pod_identity.tf b/caf_solution/add-ons/aad-pod-identity/aad_pod_identity.tf
index 800058f13..2b7d63858 100644
--- a/caf_solution/add-ons/aad-pod-identity/aad_pod_identity.tf
+++ b/caf_solution/add-ons/aad-pod-identity/aad_pod_identity.tf
@@ -27,6 +27,18 @@ data "kustomization_overlay" "aad_pod_identity" {
   namespace = var.aad_pod_identity.namespace
+  patches {
+    patch = <<-EOF
+      - op: replace
+        path: /metadata/name
+        value: ${each.value.name}
+    EOF
+
+    target = {
+      kind = "AzureIdentity"
+    }
+  }
+
   patches {
     patch = <<-EOF
       - op: replace
@@ -87,11 +99,13 @@ data "kustomization_overlay" "aad_pod_identity" {
     }
   }
+  # You can provide a managed_identities..aadpodidentity_selector to specify the value here,
+  # alternatively provide none to have the MSI name used as the selector.
   patches {
     patch = <<-EOF
       - op: replace
         path: /spec/selector
-      value: ${each.value.name}
+      value: ${each.value.selector}
     EOF
     target = {
@@ -112,6 +126,7 @@ locals {
       for msi_key in value.msi_keys : {
         key = key
         msi_key = msi_key
+        selector = try(value.aadpodidentity_selector, local.remote.managed_identities[value.lz_key][msi_key].name)
         client_id = local.remote.managed_identities[value.lz_key][msi_key].client_id
         id = local.remote.managed_identities[value.lz_key][msi_key].id
         name = local.remote.managed_identities[value.lz_key][msi_key].name
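Review bot: The placeholder on the `selector:` line is named `${azureidentity_selector}`, while the configuration key users set is `aadpodidentity_selector` and the local it flows through is `selector`; three names for one value makes the template-to-config mapping hard to follow, so either rename the placeholder to match the input key or note the mapping in the comment. The template also does not say what the selector is matched against: aad-pod-identity grants the bound identity to pods whose `aadpodidbinding` label equals this value, which is the security-relevant fact a reader of this file needs. Suggest a comment directly above the line such as `# selector: pods carrying the label aadpodidbinding=<this value> are granted the identity above`.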
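Review bot: The new `/metadata/name` patch names the AzureIdentity after the managed identity (`value: ${each.value.name}`), so two `managed_identities` entries that list the same `msi_key` — the multi-pair case the commit message sets out to support — still emit AzureIdentity objects with identical names into the same namespace. Whether that is an intended shared identity or a collision depends on the binding-name patch and the `for_each` key, both outside this hunk; the `data "kustomization_overlay"` block itself starts before and ends after the hunk. If sharing is intended, it should be documented here, because each overlay then claims the same object and removing one entry deletes the AzureIdentity the surviving binding still references. If it is not, derive the name from the entry key as well, e.g. `value: ${each.value.key}-${each.value.name}`, assuming this data source iterates over the local that carries `key`.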
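Review bot: `value: ${each.value.selector}` now interpolates a user-supplied string unquoted into a YAML document, and a selector containing YAML-significant characters (`: `, `#`, a leading `*`, `&` or `[`) either breaks the patch or changes its meaning; `value: ${jsonencode(each.value.selector)}` emits a quoted scalar that YAML accepts as a plain string and removes the ambiguity. The comment above the patch reads `managed_identities..aadpodidentity_selector`, which looks like a typo for `managed_identities.<key>.aadpodidentity_selector`. Since the selector is what pods present via the `aadpodidbinding` label, the comment should also say that reusing one selector across several entries lets any pod carrying that label obtain every identity bound to it, so selectors should be unique per workload unless sharing is deliberate. The enclosing `data "kustomization_overlay"` block starts and ends outside this hunk.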
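Review bot: `try(value.aadpodidentity_selector, ...)` on the added `selector` line only falls back when the attribute is absent; an entry that sets it to `null` or `""` passes that value through, and `null` then fails the `${each.value.selector}` template interpolation at plan time while `""` produces a binding with an empty selector. `selector = coalesce(try(value.aadpodidentity_selector, null), local.remote.managed_identities[value.lz_key][msi_key].name)` covers all three cases, since `coalesce` skips both null and empty strings. It would also help to state the fallback in a comment on the line, e.g. `# defaults to the MSI name; must be a valid label value, as pods match it via aadpodidbinding`. The `for` expression this line belongs to starts and ends outside the hunk.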