Integrating MI auth for aad-pod-identity #399
Conversation
jakiefermsft
changed the title
|
Are you advocating for switching to aa pod identity completely with this PR? Or will we still be able to allow both? |
I think it will be pretty easy to support MSI and SP indefinitely so I don't think we should remove the capability. I think the docs should advise everyone to use MSI. This pull request won't contain anything in it that switches the pipeline over to MSI. That will be coming later. |
| --from-literal=AZURE_SUBSCRIPTION_ID="$AZURE_SUBSCRIPTION_ID" \ | ||
| --from-literal=AZURE_TENANT_ID="$AZURE_TENANT_ID" | ||
| --from-literal=AZURE_TENANT_ID="$AZURE_TENANT_ID" \ | ||
| --from-literal=AZURE_USE_MSI="$AZURE_USE_MSI" | ||
| ``` |
There was a problem hiding this comment.
should probably account for both options (msi and sp)
There was a problem hiding this comment.
I can add few spots in this document with OR sections for using MSI/SP but I feel like it's going to clutter things up a bit. This document is just for deploying to an AKS cluster right? What do you think about the docs assuming you want MSI when deploying to AKS but SP when running locally?
There was a problem hiding this comment.
Talking more with @jananivMS it seems there are several things (identity just being one of them) that should be done to a cluster to protect against a malicious pod. Should I move all of this to a Securing your cluster section?
| @@ -60,6 +58,16 @@ | |||
| make install-cert-manager | |||
| ``` | |||
|
|
|||
| d. Install [aad-pod-identity](https://github.com/Azure/aad-pod-identity#1-create-the-deployment) | |||
There was a problem hiding this comment.
should incorporate this in the same way cert-manager is...ie a Make target and a deployment template
install-aad-pod-identify:
kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml
create a dir in config/podidentity and put the yaml template for creating an identity...similar to certman
There was a problem hiding this comment.
Is there a place where the files in config\certmanager are used? It doesn't look like make install-cert-manager uses them to me.
There was a problem hiding this comment.
just the make file, yeah
jakiefermsft
changed the title
…ice-operator into aad-pod-identity * 'aad-pod-identity' of github.com:jakiefermsft/azure-service-operator: (79 commits) Fix devcontainer azcli install script (#459) makefile update addressing PR comments remove commented code moving sqlserver creation to suite test setup Increased timeout and check for SQL server Bugfix: Correct the tabbing in the make terraform target remove incorrect use of Update() to correctly remove finalizer Update Makefile error and status message refactor AzureError use refactor add helper function that returns a typed error linting refactors and azure error changes refactors and azure error changes some refactors and changing AzureError use fixed tests change way status is being sent and logged to new form integrate suggestions from PR review. Checking secret exists, differentiating between user secret and admin secret, better utilization of constants for logging changes based on PR comments ...
* Generated code should be gofmt'ed already * Temporarily point at Github for deploymentTemplate fixes
What this PR does / why we need it:
To support using aad-pod-identity we need to obtain a token via
NewServicePrincipalTokenFromMSIand we no longer require aClientIDorClientSecret.I had fun experimenting with go and cleaning up the env handling but I may have gone too far.
Special notes for your reviewer:
TODO:
If applicable:
closes #21