

incorporate review comments
Signed-off-by: Ashutosh Kumar <[email protected]>
sonasingh46 committed May 6, 2023
1 parent 5e8c72c commit d65818a
Showing 9 changed files with 28 additions and 275 deletions.
1 change: 0 additions & 1 deletion Makefile
Expand Up @@ -661,7 +661,6 @@ test-e2e: ## Run "docker-build" and "docker-push" rules then run e2e tests.
create-bootstrap-cluster:
KIND_CLUSTER_NAME=capz-e2e && ./scripts/kind-with-registry.sh


.PHONY: test-e2e-skip-push
test-e2e-skip-push: ## Run "docker-build" rule then run e2e tests.
PULL_POLICY=IfNotPresent MANAGER_IMAGE=$(CONTROLLER_IMG)-$(ARCH):$(TAG) \
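--- a/Tiltfile
+++ b/Tiltfile
@@ -21,7 +21,7 @@ settings = {
 "kind_cluster_name": "capz",
 "capi_version": "v1.4.2",
 "cert_manager_version": "v1.11.1",
-"azwi_version": "v0.14.0",
+"azwi_version": "v1.0.0",
 "kubernetes_version": "v1.24.6",
 "aks_kubernetes_version": "v1.24.6",
 "flatcar_version": "3374.2.1",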
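--- a/azure/scope/workload_identity.go
+++ b/azure/scope/workload_identity.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2022 The Kubernetes Authors.
+Copyright 2023 The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -30,14 +30,14 @@ import (
 
 /*
-AZWI (Azure Workload Identity) required deploying AZWI mutating admission webhook
+Azure Workload Identity (AZWI) requires deploying AZWI mutating admission webhook
 for self managed clusters e.g. Kind.
 The webhook injects the following environment variables to the pod that
-uses a service account with a annotation `azure.workload.identity/use=true`
+uses a label `azure.workload.identity/use=true`
 |-----------------------------------------------------------------------------------|
 |AZURE_AUTHORITY_HOST | The Azure Active Directory (AAD) endpoint. |
-|AZURE_CLIENT_ID | The application/client ID of the Azure AD |
+|AZURE_CLIENT_ID | The client ID of the Azure AD |
 | | application or user-assigned managed identity. |
 |AZURE_TENANT_ID | The tenant ID of the Azure subscription. |
 |AZURE_FEDERATED_TOKEN_FILE | The path of the projected service account token file. |
@@ -51,11 +51,11 @@ which is mounted at path `/var/run/secrets/azure/tokens/azure-identity-token` to
 
 const (
 // AzureFedratedTokenFileENVKey is the env key for AZURE_FEDERATED_TOKEN_FILE.
-AzureFedratedTokenFileENVKey = "AZURE_FEDERATED_TOKEN_FILE"
+AzureFedratedTokenFileEnvKey = "AZURE_FEDERATED_TOKEN_FILE"
 // AzureClientIDENVKey is the env key for AZURE_CLIENT_ID.
-AzureClientIDENVKey = "AZURE_CLIENT_ID"
+AzureClientIDEnvKey = "AZURE_CLIENT_ID"
 // AzureTenantIDENVKey is the env key for AZURE_TENANT_ID.
-AzureTenantIDENVKey = "AZURE_TENANT_ID"
+AzureTenantIDEnvKey = "AZURE_TENANT_ID"
 )
 
 type workloadIdentityCredential struct {
@@ -67,10 +67,10 @@ type workloadIdentityCredential struct {
 
 // WorkloadIdentityCredentialOptions contains the configurable options for azwi.
 type WorkloadIdentityCredentialOptions struct {
-azcore.ClientOptions
 ClientID string
 TenantID string
 TokenFilePath string
+azcore.ClientOptions
 }
 
 // NewWorkloadIdentityCredentialOptions returns an empty instance of WorkloadIdentityCredentialOptions.
@@ -92,7 +92,7 @@ func (w *WorkloadIdentityCredentialOptions) WithTenantID(tenantID string) *Workl
 
 // GetProjectedTokenPath return projected token file path from the env variable.
 func GetProjectedTokenPath() (string, error) {
-tokenPath := os.Getenv(AzureFedratedTokenFileENVKey)
+tokenPath := os.Getenv(AzureFedratedTokenFileEnvKey)
 if strings.TrimSpace(tokenPath) == "" {
 return "", errors.New("projected token path not injected")
 }
@@ -110,15 +110,15 @@ func (w *WorkloadIdentityCredentialOptions) WithDefaults() (*WorkloadIdentityCre
 
 // Fallback to using client ID from env variable if not set.
 if strings.TrimSpace(w.ClientID) == "" {
-w.ClientID = os.Getenv(AzureClientIDENVKey)
+w.ClientID = os.Getenv(AzureClientIDEnvKey)
 if strings.TrimSpace(w.ClientID) == "" {
 return nil, errors.New("empty client ID")
 }
 }
 
 // // Fallback to using tenant ID from env variable.
 if strings.TrimSpace(w.TenantID) == "" {
-w.TenantID = os.Getenv(AzureTenantIDENVKey)
+w.TenantID = os.Getenv(AzureTenantIDEnvKey)
 if strings.TrimSpace(w.TenantID) == "" {
 return nil, errors.New("empty tenant ID")
 }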
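Review bot: The rename of the `AZURE_FEDERATED_TOKEN_FILE` constant fixes the `ENV`→`Env` casing but carries the `Fedrated` misspelling into the new exported name, and since every caller already has to update for this rename it is the cheapest moment to correct it as well, e.g. `AzureFederatedTokenFileEnvKey = "AZURE_FEDERATED_TOKEN_FILE"`, with the same spelling in its doc comment and in the `os.Getenv` call inside `GetProjectedTokenPath`. The comment directly above the tenant-ID fallback in `WithDefaults` has a doubled marker, `// // Fallback to using tenant ID from env variable.`, which sits inside the touched hunk but is left as is; `// Fallback to using tenant ID from env variable.` matches the client-ID comment just above it. Both `GetProjectedTokenPath` and `WithDefaults` continue past the end of their hunks.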
253 changes: 0 additions & 253 deletions config/default/azwi.yaml

This file was deleted.

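--- a/config/default/mutating_webhook_patch.yaml
+++ b/config/default/mutating_webhook_patch.yaml
@@ -0,0 +1,5 @@
+# @sonasingh46: Workaround patch
+# Refer: Line 58-60 in kustomization.yaml
+- op: replace
+path: /metadata/name
+value: azure-wi-webhook-mutating-webhook-configuration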
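Review bot: The header comment anchors the rationale to `Line 58-60 in kustomization.yaml`, a pointer that goes stale the next time that file is edited, and it carries a personal handle rather than an explanation; a reader of this patch alone cannot tell why the MutatingWebhookConfiguration must end up with exactly this `metadata.name`. Replace the two comment lines with a sentence stating the constraint itself (which upstream azwi object this renames and what depends on the new name), and if a tracking issue exists for removing the workaround, cite it instead of the handle. Whatever consumes the renamed object is not visible in this hunk, so that dependency should be named explicitly in the comment.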
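--- a/config/default/secret_patch.yaml
+++ b/config/default/secret_patch.yaml
@@ -0,0 +1,5 @@
+# @sonasingh46: Workaround patch
+# Refer: Line 58-60 in kustomization.yaml
+- op: replace
+path: /metadata/name
+value: azure-wi-webhook-server-cert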
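Review bot: Renaming the webhook's serving-cert Secret to `azure-wi-webhook-server-cert` is only safe if everything that refers to the Secret by name moves with it, and none of those references are in this hunk: the azwi webhook Deployment's volume `secretName`, and whatever issues the certificate into that Secret (a cert-manager `Certificate`'s `secretName`, or the webhook's own cert generation). If either still uses the old name the webhook comes up without a valid serving cert, the API server cannot call it, and pods get no token projection, which surfaces in `azure/scope/workload_identity.go` as `projected token path not injected`. The comment should state that coupling rather than point at line numbers in `kustomization.yaml`, e.g. `# Must match the secretName mounted by the azwi webhook Deployment and written by its Certificate`, and drop the personal handle in favour of a tracking issue if one exists.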
2 changes: 2 additions & 0 deletions config/manager/manager.yaml
Expand Up @@ -5,7 +5,9 @@ metadata:
namespace: system
labels:
control-plane: capz-controller-manager
#ToDo: (@sonasingh46): Remove this label as part of aad pod identity deprecation
aadpodidbinding: capz-controller-aadpodidentity-selector

spec:
selector:
matchLabels:
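Review bot: The `aadpodidbinding: capz-controller-aadpodidentity-selector` label is added under the Deployment's own `metadata.labels` (the hunk starts at `metadata:` and `spec.selector` follows), whereas AAD Pod Identity matches on pod labels; unless the pod template further down, outside this hunk, carries the same label, this line only records intent, so it is worth confirming where the binding actually takes effect. Related to the same migration, `config/rbac/service_account.yaml` in this commit drops `azure.workload.identity/use: "true"` from the ServiceAccount, and the doc comment in `azure/scope/workload_identity.go` now says the webhook selects on that label on the pod, yet this hunk does not add it to the pod template; if it is not applied elsewhere the webhook injects nothing and `GetProjectedTokenPath` returns `projected token path not injected`. Running both identity mechanisms on the controller at once is a deliberate transitional state, so the ToDo should name the tracking issue for removing aad-pod-identity rather than a personal handle, e.g. `# TODO: remove once aad-pod-identity support is dropped (see tracking issue)`.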
1 change: 0 additions & 1 deletion config/rbac/service_account.yaml
Expand Up @@ -2,6 +2,5 @@ apiVersion: v1
kind: ServiceAccount
metadata:
labels:
azure.workload.identity/use: "true"
name: manager
namespace: system
