add projected sa token config
Signed-off-by: Ashutosh Kumar <sonasingh46@gmail.com>
sonasingh46 committed Oct 26, 2023
1 parent e356678 commit a016c05
Showing 5 changed files with 39 additions and 22 deletions.
39 changes: 20 additions & 19 deletions helm/cloud-provider-azure/README.md
Expand Up @@ -59,25 +59,26 @@ Below is the complete set of configuration that you may include when invoking `h

## cloud-controller-manager configuration

| configuration value | default value | description |
|------------------------------------------------------------------|--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `infra.clusterName` | `"kubernetes"` | Set the cluster name appropriate for your infra provider (e.g., capz, AKS). |
| `cloudControllerManager.enabled` | `true` | Enable or disable the azure-cloud-controller-manager deployment. |
| `cloudControllerManager.caCertDir` | `"/etc/ssl"` | Specify the CA cert directory to mount on the azure-cloud-controller-manager pod. |
| `cloudControllerManager.cloudConfig` | `"/etc/kubernetes/azure.json"` | The path to the cloud provider configuration file. Empty string for no configuration file. |
| `cloudControllerManager.clusterCIDR` | `"10.244.0.0/16"` | set to the network CIDR for pod IP addresses |
| `cloudControllerManager.configureCloudRoutes` | `"true"` | if you're using Azure CNI set to `"false"` |
| `cloudControllerManager.imageRepository` | `"mcr.microsoft.com/oss/kubernetes"` | container image repository (including any image project directories) location where the Azure `cloud-controller-manager` container image is hosted |
| `cloudControllerManager.imageName` | `"azure-cloud-controller-manager"` | container image name for the Azure `cloud-controller-manager` runtime |
| `cloudControllerManager.imagePullPolicy` | `"IfNotPresent"` | you may change to`"Always"` or `"Never"` if appropriate for your environment, see [here](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) for more info |
| `cloudControllerManager.logVerbosity` | `"2"` | set to a higher number when debugging the azure-cloud-controller-manager runtime |
| `cloudControllerManager.securePort` | `"10268"` | The port on which to serve HTTPS with authentication and authorization. |
| `cloudControllerManager.replicas` | `"1"` | Number of replicas for the azure-cloud-controller-manager deployment. It should be no more than the number of control plane Nodes |
| `cloudControllerManager.routeReconciliationPeriod` | `"10s"` | how often to reconcile node routes |
| `cloudControllerManager.containerResourceManagement.requestsCPU` | `"100m"` | CPU requests configuration for the azure-cloud-controller-manager pod |
| `cloudControllerManager.containerResourceManagement.requestsMem` | `"128Mi"` | Memory requests configuration for the azure-cloud-controller-manager pod |
| `cloudControllerManager.containerResourceManagement.limitsCPU` | `"4"` | CPU limits configuration for the azure-cloud-controller-manager pod |
| `cloudControllerManager.containerResourceManagement.limitsMem` | `"2Gi"` | Memory limits configuration for the azure-cloud-controller-manager pod |
| configuration value | default value | description |
|-------------------------------------------------------------------|--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `infra.clusterName` | `"kubernetes"` | Set the cluster name appropriate for your infra provider (e.g., capz, AKS). |
| `cloudControllerManager.enabled` | `true` | Enable or disable the azure-cloud-controller-manager deployment. |
| `cloudControllerManager.caCertDir` | `"/etc/ssl"` | Specify the CA cert directory to mount on the azure-cloud-controller-manager pod. |
| `cloudControllerManager.cloudConfig` | `"/etc/kubernetes/azure.json"` | The path to the cloud provider configuration file. Empty string for no configuration file. |
| `cloudControllerManager.clusterCIDR` | `"10.244.0.0/16"` | set to the network CIDR for pod IP addresses |
| `cloudControllerManager.configureCloudRoutes` | `"true"` | if you're using Azure CNI set to `"false"` |
| `cloudControllerManager.imageRepository` | `"mcr.microsoft.com/oss/kubernetes"` | container image repository (including any image project directories) location where the Azure `cloud-controller-manager` container image is hosted |
| `cloudControllerManager.imageName` | `"azure-cloud-controller-manager"` | container image name for the Azure `cloud-controller-manager` runtime |
| `cloudControllerManager.imagePullPolicy` | `"IfNotPresent"` | you may change to`"Always"` or `"Never"` if appropriate for your environment, see [here](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) for more info |
| `cloudControllerManager.logVerbosity` | `"2"` | set to a higher number when debugging the azure-cloud-controller-manager runtime |
| `cloudControllerManager.securePort` | `"10268"` | The port on which to serve HTTPS with authentication and authorization. |
| `cloudControllerManager.replicas` | `"1"` | Number of replicas for the azure-cloud-controller-manager deployment. It should be no more than the number of control plane Nodes |
| `cloudControllerManager.routeReconciliationPeriod` | `"10s"` | how often to reconcile node routes |
| `cloudControllerManager.containerResourceManagement.requestsCPU` | `"100m"` | CPU requests configuration for the azure-cloud-controller-manager pod |
| `cloudControllerManager.containerResourceManagement.requestsMem` | `"128Mi"` | Memory requests configuration for the azure-cloud-controller-manager pod |
| `cloudControllerManager.containerResourceManagement.limitsCPU` | `"4"` | CPU limits configuration for the azure-cloud-controller-manager pod |
| `cloudControllerManager.containerResourceManagement.limitsMem` | `"2Gi"` | Memory limits configuration for the azure-cloud-controller-manager pod |
| `cloudControllerManager.federatedTokenPath` | `"/var/run/secrets/azure/tokens"` | Directory path where service account token will be projected. This is used in workload identity |

## cloud-node-manager configuration

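Review bot: The new `cloudControllerManager.federatedTokenPath` row should say where the token file actually ends up and how to switch the mount off. With the template in this commit the projected volume writes the token under `path: azure-identity-token`, so the file the controller manager reads is `<federatedTokenPath>/azure-identity-token`, and because the default is non-empty the projected volume is added on every install unless the value is explicitly set to `""`; both facts belong in the description. Suggested wording: `Directory into which the service account token used for workload identity is projected (the token file is <federatedTokenPath>/azure-identity-token). Set to "" to disable the projected volume.` The current text also drops an article ("where service account token will be projected") and should read "used for workload identity" rather than "used in workload identity".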
15 changes: 15 additions & 0 deletions helm/cloud-provider-azure/templates/cloud-provider-azure.yaml
Expand Up @@ -293,6 +293,11 @@ spec:
- name: msi
mountPath: /var/lib/waagent/ManagedIdentity-Settings
readOnly: true
{{- if .Values.cloudControllerManager.federatedTokenPath }}
- name: projectedToken
mountPath: {{ .Values.cloudControllerManager.federatedTokenPath }}
readOnly: true
{{ end }}
volumes:
- name: etc-kubernetes
hostPath:
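Review bot: The volumeMount added here references `name: projectedToken`, but the volume declared further down in this file under the same `federatedTokenPath` guard is named `azure-identity-token`; a volumeMount must reference a declared volume, so the rendered Deployment is rejected by the API server and the controller manager never starts. Rename one side so they agree, for example `- name: azure-identity-token` on the mount. Also, the block closes with `{{ end }}` while it opens with `{{- if ... }}`, which leaves a stray blank line in the rendered manifest; `{{- end }}` matches the trimming style used elsewhere in this template.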
Expand All @@ -303,6 +308,16 @@ spec:
- name: msi
hostPath:
path: /var/lib/waagent/ManagedIdentity-Settings
{{- if .Values.cloudControllerManager.federatedTokenPath }}
- name: azure-identity-token
projected:
defaultMode: 420
sources:
- serviceAccountToken:
audience: api://AzureADTokenExchange
expirationSeconds: 3600
path: azure-identity-token
{{ end }}
{{- end }}
{{- if .Values.cloudNodeManager.enabled }}
---
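Review bot: The projected volume declares `name: azure-identity-token` while the mount added earlier in this file uses `name: projectedToken`; until the two names match the chart renders an invalid pod spec. Beyond that, `defaultMode: 420` (octal 0644) makes the token file readable by every user in the container, and this file is the credential that is exchanged for an Azure AD access token; if the container runs as a fixed non-root user, a more restrictive mode (for example decimal 256, octal 0400) limits who can read it, and if 0644 is intentional it is worth a comment. `audience: api://AzureADTokenExchange` and `expirationSeconds: 3600` are the standard workload-identity settings, but since the kubelet rotates projected tokens before they expire, please confirm the controller manager re-reads the file on each exchange rather than caching its first contents. Finally, `{{ end }}` on the new block sits directly above the existing `{{- end }}`; use the trimming form for consistent whitespace.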
1 change: 1 addition & 0 deletions helm/cloud-provider-azure/values.yaml
Expand Up @@ -50,6 +50,7 @@ cloudControllerManager:
effect: NoExecute
nodeSelector:
node-role.kubernetes.io/control-plane: ""
federatedTokenPath: "/var/run/secrets/azure/tokens"
cloudNodeManager:
enabled: true
imageRepository: "mcr.microsoft.com/oss/kubernetes"
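Review bot: Giving `federatedTokenPath` a non-empty default means the projected service account token volume, guarded in the template by `{{- if .Values.cloudControllerManager.federatedTokenPath }}`, is rendered for every install, including clusters that still authenticate through the `msi` host path or credentials in `azure.json` and have no federated identity configured. That alters existing deployments on upgrade and issues every cloud-controller-manager pod a token with the `api://AzureADTokenExchange` audience whether or not it is used. Consider defaulting to `""` so the mount is opt-in, and add a comment above the key stating that an empty string disables the projection and what the resulting file path is.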
Binary file modified helm/repo/cloud-provider-azure-1.28.1.tgz
6 changes: 3 additions & 3 deletions helm/repo/index.yaml
Expand Up @@ -2,10 +2,10 @@ apiVersion: v1
entries:
cloud-provider-azure:
- apiVersion: v1
created: "2023-10-04T20:31:17.16056057Z"
created: "2023-10-26T22:47:41.053949+05:30"
description: A Helm chart for installing kubernetes-sigs/cloud-provider-azure
components
digest: 09ebbde15784512a2461a8f5d3140449ecf0a33806b4b51c0704e207d3a441d5
digest: 7114f316e94c0df2a08a36ead9dee8ae8f1f728f6a24f31f0cd16c8ffaec3c4b
home: https://raw.githubusercontent.com/kubernetes-sigs/cloud-provider-azure/master/helm/cloud-provider-azure/README.md
keywords:
- cloud-provider-azure
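Review bot: The chart archive is being republished under the same version with different contents: the first entry's `digest` changes from `09ebbde1...` to `7114f316...` with no change to a `version` line, and the binary diff shows `helm/repo/cloud-provider-azure-1.28.1.tgz` modified in place. Helm repositories rely on a version identifying exactly one archive; clients that already pulled 1.28.1 keep the old template while a refreshed index reports a digest that no longer matches their cached file, which also defeats any digest-based verification downstream. Bump the chart version (for example to 1.28.2), add a new archive and a new index entry, and leave 1.28.1 untouched. The `created` timestamp also switches from UTC (`...Z`) to a local offset (`+05:30`), which indicates the index was regenerated on a workstation rather than with the same environment as the previous entry; keeping one environment for `helm repo index` keeps the index consistent.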
Expand Down Expand Up @@ -526,4 +526,4 @@ entries:
urls:
- cloud-provider-azure-1.23.8.tgz
version: 1.23.8
generated: "2023-10-04T20:31:17.159892985Z"
generated: "2023-10-26T22:47:41.053398+05:30"
