From 327ebbc1b521085d2d246e215c23db50f350cf3d Mon Sep 17 00:00:00 2001 From: Anderson Leite Date: Tue, 30 Jul 2024 12:08:08 +0100 Subject: [PATCH 1/6] Extend helm chart to create secret token and include automount toggle for service account Signed-off-by: Anderson Leite --- ...-wi-webhook-admin-serviceaccount copy.yaml | 15 +++++++ .../azure-wi-webhook-server-sa-secret.yaml | 15 +++++++ .../values copy.yaml | 43 +++++++++++++++++++ 3 files changed, 73 insertions(+) create mode 100644 manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-admin-serviceaccount copy.yaml create mode 100644 manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-server-sa-secret.yaml create mode 100644 manifest_staging/charts/workload-identity-webhook/values copy.yaml diff --git a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-admin-serviceaccount copy.yaml b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-admin-serviceaccount copy.yaml new file mode 100644 index 000000000..1da0569be --- /dev/null +++ b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-admin-serviceaccount copy.yaml @@ -0,0 +1,15 @@ +{{- if .Values.imagePullSecrets }} +imagePullSecrets: +{{- toYaml .Values.imagePullSecrets | nindent 2 }} +{{- end }} +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +metadata: + labels: + app: '{{ template "workload-identity-webhook.name" . }}' + azure-workload-identity.io/system: "true" + chart: '{{ template "workload-identity-webhook.name" . }}' + release: '{{ .Release.Name }}' + name: azure-wi-webhook-admin + namespace: '{{ .Release.Namespace }}' 
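Review bot: This hunk adds a stray `… copy.yaml` duplicate of the existing ServiceAccount template, so while both exist the chart renders two ServiceAccounts named `azure-wi-webhook-admin` into the same release; `values copy.yaml` in the following hunk is the same kind of duplicate, and PATCH 2/6 and 3/6 delete both again, so they should be squashed out of the series rather than landing and being removed. The one substantive line, `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}`, is added to the real template in PATCH 2/6 with the same shape, and it presumably renders as an empty field when a user's values file predates the new `serviceAccount` block; an empty (null) field is treated by Kubernetes as "not set", which falls back to mounting the token by default and silently undoes the opt-out the chart is introducing. `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken | default false }}` keeps the chart's own default when the key is absent.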
diff --git a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-server-sa-secret.yaml b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-server-sa-secret.yaml new file mode 100644 index 000000000..b56c10428 --- /dev/null +++ b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-server-sa-secret.yaml @@ -0,0 +1,15 @@ +{{- if semverCompare "<1.24.0" .Capabilities.KubeVersion.Version -}} +# Create the service account token secret for the service account if Kubernetes version is older than 1.24 +apiVersion: v1 +kind: Secret +metadata: + labels: + app: '{{ template "workload-identity-webhook.name" . }}' + azure-workload-identity.io/system: "true" + chart: '{{ template "workload-identity-webhook.name" . }}' + release: '{{ .Release.Name }}' + name: azure-wi-webhook-admin-token + annotations: + kubernetes.io/service-account.name: azure-wi-webhook-admin +type: kubernetes.io/service-account-token +{{- end }} diff --git a/manifest_staging/charts/workload-identity-webhook/values copy.yaml b/manifest_staging/charts/workload-identity-webhook/values copy.yaml new file mode 100644 index 000000000..4204f2a21 --- /dev/null +++ b/manifest_staging/charts/workload-identity-webhook/values copy.yaml 
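Review bot: The `kubernetes.io/service-account-token` Secret this template creates is a long-lived, non-expiring credential for the `azure-wi-webhook-admin` ServiceAccount, and on the pre-1.24 clusters the `semverCompare "<1.24.0"` guard selects, the token controller still auto-generates such a secret for every ServiceAccount, so this adds a second permanent token with no consumer named anywhere in the series. PATCH 2/6 deletes the file again, so the commit subject "create secret token" no longer describes what lands; if the Secret is meant to stay, its metadata should carry `namespace: '{{ .Release.Namespace }}'` as the ServiceAccount template does, and the header comment should say which component reads the token, e.g. `# Long-lived API token for azure-wi-webhook-admin, consumed by <component>; only needed below 1.24 because …`.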
@@ -0,0 +1,43 @@ +# Default values for workload-identity-webhook. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 2 +image: + repository: mcr.microsoft.com/oss/azure/workload-identity/webhook + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + release: v1.3.0 +imagePullSecrets: [] +# Define if the service account can be used by default (automount property) +serviceAccount: + automountServiceAccountToken: false +nodeSelector: + kubernetes.io/os: linux +resources: + limits: + cpu: 100m + memory: 30Mi + requests: + cpu: 100m + memory: 20Mi +tolerations: [] +affinity: {} +service: + type: ClusterIP + port: 443 + targetPort: 9443 +azureEnvironment: AzurePublicCloud +azureTenantID: +logLevel: info +metricsAddr: ":8095" +metricsBackend: prometheus +priorityClassName: system-cluster-critical +mutatingWebhookAnnotations: {} +podLabels: {} +podAnnotations: {} +mutatingWebhookNamespaceSelector: {} +# minAvailable and maxUnavailable are mutually exclusive +podDisruptionBudget: + minAvailable: 1 + # maxUnavailable: 0 From 3da2549ade136e5c785f2b4dc14aef21df3986da Mon Sep 17 00:00:00 2001 From: Anderson Leite Date: Tue, 30 Jul 2024 12:41:04 +0100 Subject: [PATCH 2/6] Extend helm chart to create secret token and include automount toggle for service account Signed-off-by: Anderson Leite --- ...zure-wi-webhook-admin-serviceaccount copy.yaml | 15 --------------- .../azure-wi-webhook-admin-serviceaccount.yaml | 1 + ...-wi-webhook-controller-manager-deployment.yaml | 3 +++ .../azure-wi-webhook-server-sa-secret.yaml | 15 --------------- 4 files changed, 4 insertions(+), 30 deletions(-) delete mode 100644 manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-admin-serviceaccount copy.yaml delete mode 100644 manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-server-sa-secret.yaml 
diff --git a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-admin-serviceaccount copy.yaml b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-admin-serviceaccount copy.yaml deleted file mode 100644 index 1da0569be..000000000 --- a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-admin-serviceaccount copy.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if .Values.imagePullSecrets }} -imagePullSecrets: -{{- toYaml .Values.imagePullSecrets | nindent 2 }} -{{- end }} -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} -metadata: - labels: - app: '{{ template "workload-identity-webhook.name" . }}' - azure-workload-identity.io/system: "true" - chart: '{{ template "workload-identity-webhook.name" . }}' - release: '{{ .Release.Name }}' - name: azure-wi-webhook-admin - namespace: '{{ .Release.Namespace }}' diff --git a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-admin-serviceaccount.yaml b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-admin-serviceaccount.yaml index ef9f5c39d..1da0569be 100644 --- a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-admin-serviceaccount.yaml +++ b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-admin-serviceaccount.yaml @@ -4,6 +4,7 @@ imagePullSecrets: {{- end }} apiVersion: v1 kind: ServiceAccount +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} metadata: labels: app: '{{ template "workload-identity-webhook.name" . }}' diff --git a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml index 09fab66b4..b34f9b5e5 100644 
--- a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml +++ b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml @@ -92,6 +92,9 @@ spec: {{- toYaml .Values.nodeSelector | nindent 8 }} priorityClassName: {{ .Values.priorityClassName }} serviceAccountName: azure-wi-webhook-admin + {{- if .Values.serviceAccount.automountServiceAccountToken }} + automountServiceAccountToken: true + {{- end }} tolerations: {{- toYaml .Values.tolerations | nindent 8 }} volumes: diff --git a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-server-sa-secret.yaml b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-server-sa-secret.yaml deleted file mode 100644 index b56c10428..000000000 --- a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-server-sa-secret.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if semverCompare "<1.24.0" .Capabilities.KubeVersion.Version -}} -# Create the service account token secret for the service account if Kubernetes version is older than 1.24 -apiVersion: v1 -kind: Secret -metadata: - labels: - app: '{{ template "workload-identity-webhook.name" . }}' - azure-workload-identity.io/system: "true" - chart: '{{ template "workload-identity-webhook.name" . }}' - release: '{{ .Release.Name }}' - name: azure-wi-webhook-admin-token - annotations: - kubernetes.io/service-account.name: azure-wi-webhook-admin -type: kubernetes.io/service-account-token -{{- end }} From 5b71bccbfb9b769b944cec2dfc059876e037c1e9 Mon Sep 17 00:00:00 2001 From: Anderson Leite Date: Tue, 30 Jul 2024 12:41:50 +0100 Subject: [PATCH 3/6] Extend helm chart to create secret token and include automount toggle for service account 
Signed-off-by: Anderson Leite --- .../values copy.yaml | 43 ------------------- .../workload-identity-webhook/values.yaml | 3 ++ 2 files changed, 3 insertions(+), 43 deletions(-) delete mode 100644 manifest_staging/charts/workload-identity-webhook/values copy.yaml diff --git a/manifest_staging/charts/workload-identity-webhook/values copy.yaml b/manifest_staging/charts/workload-identity-webhook/values copy.yaml deleted file mode 100644 index 4204f2a21..000000000 --- a/manifest_staging/charts/workload-identity-webhook/values copy.yaml +++ /dev/null @@ -1,43 +0,0 @@ -# Default values for workload-identity-webhook. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -replicaCount: 2 -image: - repository: mcr.microsoft.com/oss/azure/workload-identity/webhook - pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. - release: v1.3.0 -imagePullSecrets: [] -# Define if the service account can be used by default (automount property) -serviceAccount: - automountServiceAccountToken: false -nodeSelector: - kubernetes.io/os: linux -resources: - limits: - cpu: 100m - memory: 30Mi - requests: - cpu: 100m - memory: 20Mi -tolerations: [] -affinity: {} -service: - type: ClusterIP - port: 443 - targetPort: 9443 -azureEnvironment: AzurePublicCloud -azureTenantID: -logLevel: info -metricsAddr: ":8095" -metricsBackend: prometheus -priorityClassName: system-cluster-critical -mutatingWebhookAnnotations: {} -podLabels: {} -podAnnotations: {} -mutatingWebhookNamespaceSelector: {} -# minAvailable and maxUnavailable are mutually exclusive -podDisruptionBudget: - minAvailable: 1 - # maxUnavailable: 0 diff --git a/manifest_staging/charts/workload-identity-webhook/values.yaml b/manifest_staging/charts/workload-identity-webhook/values.yaml index 7430b395d..4204f2a21 100644 --- a/manifest_staging/charts/workload-identity-webhook/values.yaml +++ b/manifest_staging/charts/workload-identity-webhook/values.yaml 
@@ -9,6 +9,9 @@ image: # Overrides the image tag whose default is the chart appVersion. release: v1.3.0 imagePullSecrets: [] +# Define if the service account can be used by default (automount property) +serviceAccount: + automountServiceAccountToken: false nodeSelector: kubernetes.io/os: linux resources: From 0c06b599ddcd9c29f8a3e80a0c0f812cb66eb95b Mon Sep 17 00:00:00 2001 From: Anderson Leite Date: Tue, 30 Jul 2024 12:50:32 +0100 Subject: [PATCH 4/6] Extend helm chart to create secret token and include automount toggle for service account Signed-off-by: Anderson Leite --- .../azure-wi-webhook-controller-manager-deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml index b34f9b5e5..0e0ca0c1c 100644 --- a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml +++ b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml @@ -92,7 +92,7 @@ spec: {{- toYaml .Values.nodeSelector | nindent 8 }} priorityClassName: {{ .Values.priorityClassName }} serviceAccountName: azure-wi-webhook-admin - {{- if .Values.serviceAccount.automountServiceAccountToken }} + {{- if .Values.serviceAccount.automountServiceAccountToken false }} automountServiceAccountToken: true {{- end }} tolerations: From 9258cfdbf7115ce4c4005e2822ac5fa4de244353 Mon Sep 17 00:00:00 2001 From: Anderson Leite Date: Tue, 30 Jul 2024 12:52:34 +0100 Subject: [PATCH 5/6] Extend helm chart to create secret token and include automount toggle for service account Signed-off-by: Anderson Leite --- .../azure-wi-webhook-controller-manager-deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
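Review bot: The comment above the new `serviceAccount` block, "Define if the service account can be used by default (automount property)", describes the wrong thing: `automountServiceAccountToken` does not decide whether the ServiceAccount can be used, it decides whether pods running as that ServiceAccount get its API token mounted when their own pod spec does not say otherwise. A comment that states the actual effect and the interaction with the webhook's own pod would save the next reader a trip to the templates, e.g. `# automountServiceAccountToken on the azure-wi-webhook-admin ServiceAccount. When false, pods` / `# using this ServiceAccount do not get its API token mounted unless their pod spec opts in;` / `# the webhook Deployment opts in explicitly, so this only affects other consumers of the SA.` The claim about the Deployment holds for the final form of the deployment template in PATCH 6/6, not for the form in PATCH 2/6.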
diff --git a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml index 0e0ca0c1c..2f9f1c03d 100644 --- a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml +++ b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml @@ -92,7 +92,7 @@ spec: {{- toYaml .Values.nodeSelector | nindent 8 }} priorityClassName: {{ .Values.priorityClassName }} serviceAccountName: azure-wi-webhook-admin - {{- if .Values.serviceAccount.automountServiceAccountToken false }} + {{- if eq .Values.serviceAccount.automountServiceAccountToken "false" }} automountServiceAccountToken: true {{- end }} tolerations: From 08c9a9c35aec2e4cfe7ea818bf759f5227ee2213 Mon Sep 17 00:00:00 2001 From: Anderson Leite Date: Tue, 30 Jul 2024 12:55:16 +0100 Subject: [PATCH 6/6] Extend helm chart to create secret token and include automount toggle for service account Signed-off-by: Anderson Leite --- .../azure-wi-webhook-controller-manager-deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml index 2f9f1c03d..fa7f72015 100644 --- a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml +++ b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml 
@@ -92,7 +92,7 @@ spec: {{- toYaml .Values.nodeSelector | nindent 8 }} priorityClassName: {{ .Values.priorityClassName }} serviceAccountName: azure-wi-webhook-admin - {{- if eq .Values.serviceAccount.automountServiceAccountToken "false" }} + {{- if eq .Values.serviceAccount.automountServiceAccountToken false }} automountServiceAccountToken: true {{- end }} tolerations:
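Review bot: The condition `{{- if eq .Values.serviceAccount.automountServiceAccountToken false }}` is effectively dead: when the value is false the guarded line sets the pod's `automountServiceAccountToken: true`, and when it is true the pod inherits true from the ServiceAccount, so in both cases the webhook pod mounts the token and the conditional only hides that fact. An unconditional `automountServiceAccountToken: true` under `serviceAccountName: azure-wi-webhook-admin` expresses the intent directly — the webhook presumably needs the token regardless of the ServiceAccount default — and removes the dependence on how `eq` treats the value when the key is absent from an older values file. PATCH 2/6 introduced this block with the inverted test (pod left without a token under the default `false`), and PATCH 4/6 and 5/6 are broken intermediate forms of the same line (`if` given a second argument; `eq` of a bool against the string `"false"`), so squashing 2–6 would keep the history bisectable. The enclosing pod `spec:` starts outside the hunk.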