update manifests and helm chart for v1.6.3 (#797)

Author: aramase

CHANGELOG-1.6.md

@@ -1,5 +1,54 @@
 :warning: v1.6.0+ contains breaking changes. Please carefully review this [doc](README.md#v160-breaking-change) before upgrade from 1.x.x versions of pod-identity.
 
+# v1.6.3
+
+### Features
+
+- throttling - honor retry after header ([#742](https://github.com/Azure/aad-pod-identity/pull/742))
+- reconcile identity assignment on Azure ([#734](https://github.com/Azure/aad-pod-identity/pull/734))
+
+### Bug Fixes
+
+- add certs volume for non-rbac manifests ([#713](https://github.com/Azure/aad-pod-identity/pull/713))
+- Report original error from getPodListRetry ([#762](https://github.com/Azure/aad-pod-identity/pull/762))
+- initialize klog flags for NMI ([#767](https://github.com/Azure/aad-pod-identity/pull/767))
+- ensure stats collector doesn't aggregate stats from multiple runs ([#750](https://github.com/Azure/aad-pod-identity/pull/750))
+
+### Other Improvements
+
+- add deploy manifests and helm charts to staging dir ([#736](https://github.com/Azure/aad-pod-identity/pull/736))
+- fix miscellaneous linting problem in the codebase ([#733](https://github.com/Azure/aad-pod-identity/pull/733))
+- remove privileged: true for NMI daemonset ([#745](https://github.com/Azure/aad-pod-identity/pull/745)) 
+- Update to go1.15 ([#751](https://github.com/Azure/aad-pod-identity/pull/751))
+- automate role assignments and improve troubleshooting guide ([#754](https://github.com/Azure/aad-pod-identity/pull/754))
+- set dnspolicy to clusterfirstwithhostnet for NMI ([#776](https://github.com/Azure/aad-pod-identity/pull/776))
+- bump debian-base to v2.1.3 and debian-iptables to v12.1.2 ([#783](https://github.com/Azure/aad-pod-identity/pull/783))
+- add logs for ignored pods ([#785](https://github.com/Azure/aad-pod-identity/pull/785))
+
+### Documentation
+
+- docs: fix broken test standard link in GitHub Pull Request template ([#710](https://github.com/Azure/aad-pod-identity/pull/710))
+- Fixed typo ([#757](https://github.com/Azure/aad-pod-identity/pull/757))
+- Fixed Grammar ([#758](https://github.com/Azure/aad-pod-identity/pull/758))
+- add doc for deleting/recreating identity with same name ([#786](https://github.com/Azure/aad-pod-identity/pull/786))
+- add best practices documentation ([#779](https://github.com/Azure/aad-pod-identity/pull/779))
+
+### Helm
+
+- add release namespace to chart manifests ([#741](https://github.com/Azure/aad-pod-identity/pull/741))
+- Add imagePullSecretes to the Helm chart ([#774](https://github.com/Azure/aad-pod-identity/pull/774))
+- Expose metrics port ([#777](https://github.com/Azure/aad-pod-identity/pull/777))
+- add user managed identity support to helm charts ([#781](https://github.com/Azure/aad-pod-identity/pull/781))
+
+### Test Improvements
+
+- add e2e test for block-instance-metadata ([#715](https://github.com/Azure/aad-pod-identity/pull/715))
+- add aks as part of pr and nightly test ([#717](https://github.com/Azure/aad-pod-identity/pull/717))
+- add load test pipeline to nightly job ([#744](https://github.com/Azure/aad-pod-identity/pull/744))
+- install aad-pod-identity in kube-system namespace ([#747](https://github.com/Azure/aad-pod-identity/pull/747))
+- bump golangci-lint to v1.30.0 ([#759](https://github.com/Azure/aad-pod-identity/pull/759))
+
+
 # v1.6.2
 
 ### Features

README.md

@@ -247,7 +247,7 @@ metadata:
 spec:
   containers:
   - name: demo
-    image: mcr.microsoft.com/k8s/aad-pod-identity/demo:1.2
+    image: mcr.microsoft.com/oss/azure/aad-pod-identity/demo:v1.6.3
     args:
       - --subscriptionid=${SUBSCRIPTION_ID}
       - --clientid=${IDENTITY_CLIENT_ID}
@@ -270,7 +270,7 @@ spec:
 EOF
 ```
 
-> `mcr.microsoft.com/k8s/aad-pod-identity/demo` is an image that demostrates the use of AAD pod identity. The source code can be found [here](./cmd/demo/main.go).
+> `mcr.microsoft.com/oss/azure/aad-pod-identity/demo` is an image that demostrates the use of AAD pod identity. The source code can be found [here](./cmd/demo/main.go).
 
 To verify that the pod is indeed using the identity correctly:
 

charts/aad-pod-identity-2.0.2.tgz

@@ -1,8 +1,8 @@
 apiVersion: v1
 description: Deploy components for aad-pod-identity
 name: aad-pod-identity
-version: 2.0.1
-appVersion: 1.6.2
+version: 2.0.2
+appVersion: 1.6.3
 home: https://github.com/Azure/aad-pod-identity
 sources:
   - https://github.com/Azure/aad-pod-identity

charts/aad-pod-identity/Chart.yaml

@@ -1,5 +1,5 @@
 {{- if and .Values.rbac.enabled (eq .Values.operationMode "standard") }}
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ template "aad-pod-identity.mic.fullname" . }}

charts/aad-pod-identity/README.md

@@ -3,6 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ template "aad-pod-identity.mic.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "aad-pod-identity.labels" . | nindent 4 }}
     app.kubernetes.io/component: mic
@@ -24,6 +25,10 @@ spec:
 {{ toYaml .Values.mic.podAnnotations | indent 8 }}
 {{- end }}
     spec:
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+{{ toYaml .Values.imagePullSecrets | indent 8 }}
+      {{- end }}
       {{- if .Values.rbac.enabled }}
       serviceAccountName: {{ template "aad-pod-identity.mic.fullname" . }}
       {{- end }}
@@ -75,6 +80,9 @@ spec:
           {{- if .Values.mic.updateUserMSIRetryInterval }}
           - --update-user-msi-retry-interval={{ .Values.mic.updateUserMSIRetryInterval }}
           {{- end }}
+          {{- if .Values.mic.identityAssignmentReconcileInterval }}
+          - --identity-assignment-reconcile-interval={{ .Values.mic.identityAssignmentReconcileInterval }}
+          {{- end }}
         env:
           - name: MIC_POD_NAMESPACE
             valueFrom:
@@ -118,7 +126,25 @@ spec:
               secretKeyRef:
                 key: ClientSecret
                 name: {{ template "aad-pod-identity.mic.fullname" . }}
+          {{- if .Values.adminsecret.useMSI }}
+          - name: USE_MSI
+            valueFrom:
+              secretKeyRef:
+                key: UseMSI
+                name: {{ template "aad-pod-identity.mic.fullname" . }}
+          - name: USER_ASSIGNED_MSI_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                key: UserAssignedMSIClientID
+                name: {{ template "aad-pod-identity.mic.fullname" . }}
           {{- end }}
+          {{- end }}
+        {{- if .Values.mic.prometheusPort }}
+        ports:
+          - containerPort: {{ .Values.mic.prometheusPort }}
+            name: metrics
+            protocol: TCP
+        {{- end }}
         {{- if not .Values.adminsecret }}
         volumeMounts:
           - name: k8s-azure-file

charts/aad-pod-identity/templates/mic-clusterrolebinding.yaml

@@ -3,6 +3,7 @@ apiVersion: "aadpodidentity.k8s.io/v1"
 kind: AzurePodIdentityException
 metadata:
   name: mic
+  namespace: {{ .Release.Namespace }}
 spec:
   podLabels:
     app: mic

charts/aad-pod-identity/templates/mic-deployment.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ template "aad-pod-identity.mic.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "aad-pod-identity.labels" . | nindent 4 }}
     app.kubernetes.io/component: mic
@@ -14,4 +15,8 @@ data:
   TenantID: {{ required "A valid cloud tenant id is required" .Values.adminsecret.tenantID | b64enc | quote }}
   ClientID: {{ required "A valid client id is required" .Values.adminsecret.clientID | b64enc | quote }}
   ClientSecret: {{ required "A valid client secret is required" .Values.adminsecret.clientSecret | b64enc | quote }}
+  {{- if .Values.adminsecret.useMSI }}
+  UseMSI: {{ .Values.adminsecret.useMSI | b64enc | quote }}
+  UserAssignedMSIClientID: {{ .Values.adminsecret.userAssignedMSIClientID | b64enc | quote }}
+  {{- end }}
 {{- end }}

charts/aad-pod-identity/templates/mic-exception.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "aad-pod-identity.mic.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "aad-pod-identity.labels" . | nindent 4 }}
     app.kubernetes.io/component: mic

charts/aad-pod-identity/templates/mic-secret.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.rbac.enabled }}
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ template "aad-pod-identity.nmi.fullname" . }}

charts/aad-pod-identity/templates/mic-serviceaccount.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   name: {{ template "aad-pod-identity.nmi.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "aad-pod-identity.labels" . | nindent 4 }}
     app.kubernetes.io/component: nmi
@@ -24,13 +25,18 @@ spec:
 {{ toYaml .Values.nmi.podAnnotations | indent 8 }}
 {{- end }}
     spec:
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+{{ toYaml .Values.imagePullSecrets | indent 8 }}
+      {{- end }}
       {{- if .Values.rbac.enabled }}
       serviceAccountName: {{ template "aad-pod-identity.nmi.fullname" . }}
       {{- end }}
       {{- if .Values.nmi.priorityClassName }}
       priorityClassName: {{ .Values.nmi.priorityClassName | quote }}
       {{- end }}
       hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
       volumes:
       - hostPath:
           path: /run/xtables.lock
@@ -41,7 +47,7 @@ spec:
         image: "{{ .Values.image.repository }}/{{ .Values.nmi.image }}:{{ .Values.nmi.tag }}"
         imagePullPolicy: {{ .Values.image.imagePullPolicy }}
         args:
-          {{- if semverCompare "<= 1.6.1" .Values.nmi.tag }}
+          {{- if semverCompare "<= 1.6.1-0" .Values.nmi.tag }}
           - "--host-ip=$(HOST_IP)"
           {{- end }}
           - "--node=$(NODE_NAME)"
@@ -75,14 +81,14 @@ spec:
           {{- if .Values.nmi.metadataHeaderRequired}}
           - --metadata-header-required={{ .Values.nmi.metadataHeaderRequired }}
           {{- end }}
-          {{- if semverCompare ">= 1.6.0" .Values.nmi.tag }}
+          {{- if semverCompare ">= 1.6.0-0" .Values.nmi.tag }}
           - --operation-mode={{ .Values.operationMode }}
           {{- end}}
           {{- if eq .Values.operationMode "managed" }}
           - --forceNamespaced
           {{- end }}
         env:
-          {{- if semverCompare "<= 1.6.1" .Values.nmi.tag }}
+          {{- if semverCompare "<= 1.6.1-0" .Values.nmi.tag }}
           - name: HOST_IP
             valueFrom:
               fieldRef:
@@ -96,8 +102,13 @@ spec:
           - name: FORCENAMESPACED
             value: "{{ .Values.forceNameSpaced }}"
           {{- end }}
+        {{- if .Values.nmi.prometheusPort }}
+        ports:
+          - containerPort: {{ .Values.nmi.prometheusPort }}
+            name: metrics
+            protocol: TCP
+        {{- end }}
         securityContext:
-          privileged: true
           capabilities:
             add:
             - NET_ADMIN

charts/aad-pod-identity/templates/nmi-clusterrolebinding.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "aad-pod-identity.nmi.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "aad-pod-identity.labels" . | nindent 4 }}
     app.kubernetes.io/component: nmi

charts/aad-pod-identity/templates/nmi-daemonset.yaml

@@ -6,9 +6,13 @@ nameOverride: ""
 fullnameOverride: ""
 
 image:
-  repository: mcr.microsoft.com/k8s/aad-pod-identity
+  repository: mcr.microsoft.com/oss/azure/aad-pod-identity
   imagePullPolicy: Always
 
+# One or more secrets to be used when pulling images
+# imagePullSecrets:
+#   - name: myRegistryKeySecretName
+
 # https://github.com/Azure/aad-pod-identity#4-optional-match-pods-in-the-namespace
 # By default, AAD Pod Identity matches pods to identities across namespaces.
 # To match only pods in the namespace containing AzureIdentity set this to true.
@@ -29,16 +33,17 @@ adminsecret: {}
 #   resourceGroup: <cluster resource group>
 #   vmType: <`standard` for normal virtual machine nodes, and `vmss` for cluster deployed with a virtual machine scale set>
 #   tenantID: <service principal tenant id>
-#   clientID: <service principal client id>
-#   clientSecret: <service principal client secret>
-
+#   clientID: <service principal client id. Set to `msi` when using a User Managed Identity>
+#   clientSecret: <service principal client secret. Set to `msi` when using a User Managed Identity>
+#   useMSI: <set to true when using a User Managed Identity>
+#   userAssignedMSIClientID: <client id for the User Managed Identity>
 # Operation mode for pod-identity. Default is standard mode that has MIC doing identity assignment
 # Allowed values: "standard", "managed"
 operationMode: "standard"
 
 mic:
   image: mic
-  tag: 1.6.2
+  tag: v1.6.3
 
   priorityClassName: ""
 
@@ -111,9 +116,13 @@ mic:
   # Default value is 1s
   updateUserMSIRetryInterval: ""
 
+  # The interval between reconciling identity assignment on Azure based on an existing list of AzureAssignedIdentities
+  # Default value is 3m
+  identityAssignmentReconcileInterval: ""
+
 nmi:
   image: nmi
-  tag: 1.6.2
+  tag: v1.6.3
 
   priorityClassName: ""