fix docs

cvvz · Apr 24, 2023 · ba33edf · ba33edf
1 parent 2a478f5
commit ba33edf
Showing 1 changed file with 22 additions and 6 deletions.
diff --git a/docs/workload-identity.md b/docs/workload-identity.md
@@ -1,18 +1,20 @@
 # How to Use workload identity with Azurefile
 
 ## Prerequisites
-This document is mainly refer to [Azure AD Workload Identity Quick Start](https://azure.github.io/azure-workload-identity/docs/quick-start.html). Please Complete the [Installation guide](https://azure.github.io/azure-workload-identity/docs/installation.html) before the following steps. 
 
-After you finish the [Installation guide](https://azure.github.io/azure-workload-identity/docs/installation.html) of the Installation guide, you should have already:
+This document is mainly refer to [Azure AD Workload Identity Quick Start](https://azure.github.io/azure-workload-identity/docs/quick-start.html). Please Complete the [Installation guide](https://azure.github.io/azure-workload-identity/docs/installation.html) before the following steps.
+
+After you finish the Installation guide, you should have already:
 
 * installed the mutating admission webhook
 * obtained your cluster’s OIDC issuer URL
 
 ## 1. Enable Azure Workload Identity Mutating Webhook injection to Pod in the `kube-system` namespace
-Per [azure-workload-identity Known Issues](https://github.com/Azure/azure-workload-identity/blob/main/docs/book/src/known-issues.md#environment-variables-not-injected-into-pods-deployed-in-the-kube-system-namespace-in-an-aks-cluster), if you're deploying Azurefile in the `kube-system` namespace of an AKS cluster, add the `"admissions.enforcer/disabled": "true"` label or annotation in the [MutatingWebhookConfiguration](https://github.com/Azure/azure-workload-identity/blob/8644a217f09902fa1ac63e05cf04d9a3f3f1ebc3/deploy/azure-wi-webhook.yaml#L206-L235).
 
+Per [azure-workload-identity Known Issues](https://github.com/Azure/azure-workload-identity/blob/main/docs/book/src/known-issues.md#environment-variables-not-injected-into-pods-deployed-in-the-kube-system-namespace-in-an-aks-cluster), if you're deploying Azurefile in the `kube-system` namespace of an AKS cluster, add the `"admissions.enforcer/disabled": "true"` label or annotation in the [MutatingWebhookConfiguration](https://github.com/Azure/azure-workload-identity/blob/8644a217f09902fa1ac63e05cf04d9a3f3f1ebc3/deploy/azure-wi-webhook.yaml#L206-L235).
 
 ## 2. Export environment variables
+
 ```shell
 export CLUSTER_NAME="<your cluster name>"
 export CLUSTER_RESOURCE_GROUP="<cluster resource group name>"
@@ -37,17 +39,21 @@ export NAMESPACE="kube-system"
 ```
 
 ## 3. Create Azurefile resource group
-If you are using AKS, you can get the resource group where Azurefile storage class reside by running: 
+
+If you are using AKS, you can get the resource group where Azurefile storage class reside by running:
+
 ```shell
 export AZURE_FILE_RESOURCE_GROUP="$(az aks show --name $CLUSTER_NAME --resource-group $CLUSTER_RESOURCE_GROUP --query "nodeResourceGroup" -o tsv)"
 ```
 
 You can also create resource group by yourself, but you must [specify the resource group](https://github.com/kubernetes-sigs/azurefile-csi-driver/blob/master/docs/driver-parameters.md#:~:text=current%20k8s%20cluster-,resourceGroup,No,-if%20empty%2C%20driver) in the storage class while using Azurefile.
+
 ```shell
 az group create -n $AZURE_FILE_RESOURCE_GROUP -l $LOCATION
 ```
 
 ## 4. Create an AAD application or user-assigned managed identity and grant required permissions 
+
 ```shell
 # create an AAD application if using Azure AD Application for this tutorial
 az ad sp create-for-rbac --name "${APPLICATION_NAME}"
@@ -61,21 +67,25 @@ az identity create --name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${I
 Grant required permission to the AAD application or user-assigned managed identity, for simplicity, we just assign Contributor role to the resource group where Azurefile storage class reside:
 
 If using Azure AD Application:
+
 ```shell
 export APPLICATION_CLIENT_ID="$(az ad sp list --display-name "${APPLICATION_NAME}" --query '[0].appId' -otsv)"
 export AZURE_FILE_RESOURCE_GROUP_ID="$(az group show -n $AZURE_FILE_RESOURCE_GROUP --query 'id' -otsv)"
 az role assignment create --assignee $APPLICATION_CLIENT_ID --role Contributor --scope $AZURE_FILE_RESOURCE_GROUP_ID
 ```
 
 if using user-assigned managed identity:
+
 ```shell
 export USER_ASSIGNED_IDENTITY_OBJECT_ID="$(az identity show --name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${IDENTITY_RESOURCE_GROUP}" --query 'principalId' -otsv)"
 export AZURE_FILE_RESOURCE_GROUP_ID="$(az group show -n $AZURE_FILE_RESOURCE_GROUP --query 'id' -otsv)"
 az role assignment create --assignee $USER_ASSIGNED_IDENTITY_OBJECT_ID --role Contributor --scope $AZURE_FILE_RESOURCE_GROUP_ID
 ```
 
 ## 5. Establish federated identity credential between the identity and the Azurefile service account issuer & subject
+
 If using Azure AD Application:
+
 ```shell
 # Get the object ID of the AAD application
 export APPLICATION_OBJECT_ID="$(az ad app show --id ${APPLICATION_CLIENT_ID} --query id -otsv)"
@@ -99,6 +109,7 @@ done
 ```
 
 If using user-assigned managed identity:
+
 ```shell
 for SERVICE_ACCOUNT_NAME in "${SA_LIST[@]}"
 do
@@ -114,6 +125,7 @@ done
 ## 6. Deploy Azurefile
 
 Deploy storageclass:
+
 ```shell
 kubectl create -f https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/deploy/example/storageclass-azurefile-csi.yaml
 kubectl create -f https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/deploy/example/storageclass-azurefile-nfs.yaml
@@ -122,7 +134,8 @@ kubectl create -f https://raw.githubusercontent.com/kubernetes-sigs/azurefile-cs
 Deploy Azurefile(If you are using AKS, please disable the managed Azurefile CSI driver by `--disable-file-driver` first)
 
 If using Azure AD Application:
-```shell 
+
+```shell
 export CLIENT_ID="$(az ad sp list --display-name "${APPLICATION_NAME}" --query '[0].appId' -otsv)"
 export TENANT_ID="$(az ad sp list --display-name "${APPLICATION_NAME}" --query '[0].appOwnerOrganizationId' -otsv)"
 helm install azurefile-csi-driver charts/latest/azurefile-csi-driver \
@@ -132,7 +145,8 @@ helm install azurefile-csi-driver charts/latest/azurefile-csi-driver \
 ```
 
 If using user-assigned managed identity:
-```shell 
+
+```shell
 export CLIENT_ID="$(az identity show --name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${IDENTITY_RESOURCE_GROUP}" --query 'clientId' -otsv)"
 export TENANT_ID="$(az identity show --name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${IDENTITY_RESOURCE_GROUP}" --query 'tenantId' -otsv)"
 helm install azurefile-csi-driver charts/latest/azurefile-csi-driver \
@@ -142,8 +156,10 @@ helm install azurefile-csi-driver charts/latest/azurefile-csi-driver \
 ```
 
 ## 7. Deploy application using Azurefile
+
 ```shell
 kubectl create -f https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/deploy/example/nfs/statefulset.yaml
 kubectl create -f  https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/deploy/example/deployment.yaml
 ```
+
 Please make sure all the Pods are running.