This repository was archived by the owner on Oct 12, 2023. It is now read-only.

Commit 3c00ce4

chore: update helm charts, manifests and docs for 1.6 (#580)
* update docs and manifests for 1.6
* generate helm package and index
* add intro to managed mode
* Review feedback
* update release to 1.6.0
* add changelog for 1.6
* add force namespaced mode to doc and warning for upgrade
* add MIC_POD_NAMESPACE env var to all manifests
1 parent 11fa6db commit 3c00ce4

25 files changed: +309 / -40 lines

CHANGELOG-1.6.md

+19
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,19 @@
1+
:warning: v1.6.0 contains breaking changes. Please carefully review this [doc](README.md#v160-breaking-change) before upgrade from 1.x.x versions of pod-identity.
2+
3+
# v1.6.0
4+
5+
### Features
6+
- Add support for pod-identity managed mode ([#486](https://github.com/Azure/aad-pod-identity/pull/486))
7+
- Deny requests without metadata header to avoid SSRF ([#500](https://github.com/Azure/aad-pod-identity/pull/500))
8+
9+
### Bug Fixes
10+
- Fix issue that casued failures with long pod name > 63 chars ([#545](https://github.com/Azure/aad-pod-identity/pull/545))
11+
- Fix updating assigned identity when azure identity updated ([#559](https://github.com/Azure/aad-pod-identity/pull/559))
12+
13+
### Other Improvements
14+
- Switch to using klog for logging ([#449](https://github.com/Azure/aad-pod-identity/pull/449))
15+
- Create internal API for aadpodidentity ([#459](https://github.com/Azure/aad-pod-identity/pull/459))
16+
- Switch to using PATCH instead of CreateOrUpdate for identities ([#522](https://github.com/Azure/aad-pod-identity/pull/522))
17+
- Update client-go version to v0.17.2 ([#398](https://github.com/Azure/aad-pod-identity/pull/398))
18+
- Update to go1.14 ([#543](https://github.com/Azure/aad-pod-identity/pull/543))
19+
- Add validation for resource id format ([#548](https://github.com/Azure/aad-pod-identity/pull/548))
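Review bot: typo in the Bug Fixes entry for #545: "casued" should read "caused". The warning line would also read better as "before upgrading from 1.x.x versions of pod-identity". Since this changelog is the first thing an upgrader sees, consider listing the breaking changes themselves here (for example the field-name case change in the AzureIdentity/AzureIdentityBinding templates and the new MIC_POD_NAMESPACE requirement, both visible in this commit) rather than only linking to README.md#v160-breaking-change.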

charts/aad-pod-identity-1.6.0.tgz

9.53 KB
Binary file not shown.

charts/aad-pod-identity/Chart.yaml

+2-2
@@ -1,8 +1,8 @@
11
apiVersion: v1
22
description: Deploy components for aad-pod-identity
33
name: aad-pod-identity
4-
version: 1.5.6
5-
appVersion: 1.5.5
4+
version: 1.6.0
5+
appVersion: 1.6.0
66
home: https://github.com/Azure/aad-pod-identity
77
sources:
88
- https://github.com/Azure/aad-pod-identity

charts/aad-pod-identity/README.md

+2-2
@@ -154,7 +154,7 @@ The following tables list the configurable parameters of the aad-pod-identity ch
154154
| `adminsecret.clientID` | Azure service principal clientID | ` ` |
155155
| `adminsecret.clientSecret` | Azure service principal clientSecret | ` ` |
156156
| `mic.image` | MIC image name | `mic` |
157-
| `mic.tag` | MIC image tag | `1.5.5` |
157+
| `mic.tag` | MIC image tag | `1.6.0` |
158158
| `mic.PriorityClassName` | MIC priority class (can only be set when deploying to kube-system namespace)
159159
| `mic.logVerbosity` | Log level. Uses V logs (glog) | `0` |
160160
| `mic.resources` | Resource limit for MIC | `{}` |
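Review bot: the `mic.PriorityClassName` row in the context (line 158) is missing its default-value cell and closing pipe, so the parameters table renders with a ragged column; since this hunk already touches the table, add the trailing `| ` `` |` to that row.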
@@ -169,7 +169,7 @@ The following tables list the configurable parameters of the aad-pod-identity ch
169169
| `mic.syncRetryDuration` | Override interval in seconds at which sync loop should periodically check for errors and reconcile | If not provided, default value is `3600s` |
170170
| `mic.immutableUserMSIs` | List of user-defined identities that shouldn't be deleted from VM/VMSS. | If not provided, default value is empty |
171171
| `nmi.image` | NMI image name | `nmi` |
172-
| `nmi.tag` | NMI image tag | `1.5.5` |
172+
| `nmi.tag` | NMI image tag | `1.6.0` |
173173
| `nmi.PriorityClassName` | NMI priority class (can only be set when deploying to kube-system namespace)
174174
| `nmi.resources` | Resource limit for NMI | `{}` |
175175
| `nmi.podAnnotations` | Pod annotations for NMI | `{}` |
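Review bot: missing documentation: this commit introduces `operationMode` in values.yaml (allowed values "standard" and "managed") and gates the MIC Deployment, Secret, ServiceAccount and RBAC objects on it, but the parameters table here only bumps `mic.tag` and `nmi.tag`. Add an `operationMode` row with its default `standard` and a one-line description of what managed mode leaves out. The `nmi.PriorityClassName` context row (line 173) has the same missing-cell problem as the MIC one.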

charts/aad-pod-identity/templates/identities.yaml

+4-4
@@ -8,8 +8,8 @@ metadata:
88
{{- include "aad-pod-identity.labels" . | nindent 4 }}
99
spec:
1010
type: {{ .Values.azureIdentity.type }}
11-
ResourceID: {{ required ".Values.azureIdentity.resourceID is required!" .Values.azureIdentity.resourceID }}
12-
ClientID: {{ required ".Values.azureIdentity.clientID is required!" .Values.azureIdentity.clientID }}
11+
resourceID: {{ required ".Values.azureIdentity.resourceID is required!" .Values.azureIdentity.resourceID }}
12+
clientID: {{ required ".Values.azureIdentity.clientID is required!" .Values.azureIdentity.clientID }}
1313
---
1414
apiVersion: "aadpodidentity.k8s.io/v1"
1515
kind: AzureIdentityBinding
@@ -19,6 +19,6 @@ metadata:
1919
labels:
2020
{{- include "aad-pod-identity.labels" . | nindent 4 }}
2121
spec:
22-
AzureIdentity: {{ .Values.azureIdentity.name }}
23-
Selector: {{ required ".Values.azureIdentityBinding.selector is required!" .Values.azureIdentityBinding.selector }}
22+
azureIdentity: {{ .Values.azureIdentity.name }}
23+
selector: {{ required ".Values.azureIdentityBinding.selector is required!" .Values.azureIdentityBinding.selector }}
2424
{{- end }}
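Review bot: the key renames in this template (ResourceID/ClientID to resourceID/clientID in the AzureIdentity spec, AzureIdentity/Selector to azureIdentity/selector in the binding spec) change the field case the CRDs expect, so any user-maintained manifest written with the old capitalised keys will silently stop matching after the upgrade. This is exactly the kind of change the new CHANGELOG-1.6.md warning points at; make sure the linked breaking-change doc spells out each rename, and consider having MIC log a clear warning when it sees an object with no recognised spec fields.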

charts/aad-pod-identity/templates/mic-clusterrole.yaml

+8-2
@@ -1,4 +1,4 @@
1-
{{- if .Values.rbac.enabled }}
1+
{{- if and .Values.rbac.enabled (eq .Values.operationMode "standard") }}
22
apiVersion: rbac.authorization.k8s.io/v1
33
kind: ClusterRole
44
metadata:
@@ -16,12 +16,18 @@ rules:
1616
- apiGroups: [""]
1717
resources: ["events"]
1818
verbs: ["create", "patch"]
19+
- apiGroups: [""]
20+
resources: ["configmaps"]
21+
verbs: ["get", "create", "update"]
1922
- apiGroups: [""]
2023
resources: ["endpoints"]
2124
verbs: [ "create", "get", "update"]
2225
- apiGroups: ["aadpodidentity.k8s.io"]
2326
resources: ["azureidentitybindings", "azureidentities"]
24-
verbs: ["get", "list", "watch", "post"]
27+
verbs: ["get", "list", "watch", "post", "update"]
28+
- apiGroups: ["aadpodidentity.k8s.io"]
29+
resources: ["azurepodidentityexceptions"]
30+
verbs: ["list", "update"]
2531
- apiGroups: ["aadpodidentity.k8s.io"]
2632
resources: ["azureassignedidentities"]
2733
verbs: ["*"]
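Review bot: `post` on line 27 is not a Kubernetes RBAC verb (the resource verbs are get, list, watch, create, update, patch, delete and deletecollection); it was already present on the removed line, but this hunk is the chance to drop it or replace it with `create` if MIC actually creates these objects. The new cluster-wide `configmaps` rule (get/create/update, lines 19-21) is broader than MIC's own namespace, which is all the MIC_POD_NAMESPACE env var added to the deployment in this same commit suggests it needs; a namespaced Role and RoleBinding for the configmap would keep the ClusterRole to least privilege.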

charts/aad-pod-identity/templates/mic-clusterrolebinding.yaml

+1-1
@@ -1,4 +1,4 @@
1-
{{- if .Values.rbac.enabled }}
1+
{{- if and .Values.rbac.enabled (eq .Values.operationMode "standard") }}
22
apiVersion: rbac.authorization.k8s.io/v1beta1
33
kind: ClusterRoleBinding
44
metadata:
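Review bot: the ClusterRoleBinding still uses `rbac.authorization.k8s.io/v1beta1` (context line 2) while the ClusterRole template in this commit uses `v1`. The v1beta1 RBAC API is deprecated and is removed in Kubernetes 1.22, and the schema is identical, so move this to `v1` while the guard line is being edited anyway.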

charts/aad-pod-identity/templates/mic-deployment.yaml

+6
@@ -1,3 +1,4 @@
1+
{{- if eq .Values.operationMode "standard" }}
12
apiVersion: apps/v1
23
kind: Deployment
34
metadata:
@@ -69,6 +70,10 @@ spec:
6970
- --prometheus-port={{ .Values.mic.prometheusPort }}
7071
{{- end }}
7172
env:
73+
- name: MIC_POD_NAMESPACE
74+
valueFrom:
75+
fieldRef:
76+
fieldPath: metadata.namespace
7277
- name: FORCENAMESPACED
7378
value: "{{ .Values.forceNameSpaced }}"
7479
{{- if .Values.adminsecret }}
@@ -152,3 +157,4 @@ spec:
152157
tolerations:
153158
{{ toYaml . | indent 8 }}
154159
{{- end }}
160+
{{- end -}}

charts/aad-pod-identity/templates/mic-secret.yaml

+1-1
@@ -1,4 +1,4 @@
1-
{{- if .Values.adminsecret }}
1+
{{- if and .Values.adminsecret (eq .Values.operationMode "standard") }}
22
apiVersion: v1
33
kind: Secret
44
metadata:

charts/aad-pod-identity/templates/mic-serviceaccount.yaml

+1-1
@@ -1,4 +1,4 @@
1-
{{- if .Values.rbac.enabled }}
1+
{{- if and .Values.rbac.enabled (eq .Values.operationMode "standard") }}
22
apiVersion: v1
33
kind: ServiceAccount
44
metadata:

charts/aad-pod-identity/templates/nmi-clusterrole.yaml

+2
@@ -21,7 +21,9 @@ rules:
2121
- apiGroups: ["aadpodidentity.k8s.io"]
2222
resources: ["azureidentitybindings", "azureidentities", "azurepodidentityexceptions"]
2323
verbs: ["get", "list", "watch"]
24+
{{- if eq .Values.operationMode "standard" }}
2425
- apiGroups: ["aadpodidentity.k8s.io"]
2526
resources: ["azureassignedidentities"]
2627
verbs: ["get", "list", "watch"]
28+
{{- end -}}
2729
{{- end }}

charts/aad-pod-identity/templates/nmi-daemonset.yaml

+8-2
@@ -69,10 +69,14 @@ spec:
6969
{{- end }}
7070
{{- if .Values.nmi.blockInstanceMetadata }}
7171
- --block-instance-metadata={{ .Values.nmi.blockInstanceMetadata }}
72-
{{- end }}
72+
{{- end }}
7373
{{- if .Values.nmi.metadataHeaderRequired}}
7474
- --metadata-header-required={{ .Values.nmi.metadataHeaderRequired }}
75-
{{- end }}
75+
{{- end }}
76+
- --operation-mode={{ .Values.operationMode }}
77+
{{- if eq .Values.operationMode "managed" }}
78+
- --forceNamespaced
79+
{{- end }}
7680
env:
7781
- name: HOST_IP
7882
valueFrom:
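Review bot: style: the new `--forceNamespaced` flag (line 78) is camelCase while every neighbouring flag is kebab-case (`--block-instance-metadata`, `--metadata-header-required`, `--operation-mode`); if the NMI binary also accepts a kebab-case spelling, use it here for consistency. Separately, in managed mode the chart forces namespaced lookups unconditionally and the FORCENAMESPACED env is only rendered for standard mode (next hunk), so the user-facing `forceNameSpaced` value is silently ignored when `operationMode` is "managed"; document that in values.yaml.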
@@ -82,8 +86,10 @@ spec:
8286
valueFrom:
8387
fieldRef:
8488
fieldPath: spec.nodeName
89+
{{- if eq .Values.operationMode "standard" }}
8590
- name: FORCENAMESPACED
8691
value: "{{ .Values.forceNameSpaced }}"
92+
{{- end }}
8793
securityContext:
8894
privileged: true
8995
capabilities:

charts/aad-pod-identity/values.yaml

+6-2
@@ -32,9 +32,13 @@ adminsecret: {}
3232
# clientID: <service principal client id>
3333
# clientSecret: <service principal client secret>
3434

35+
# Operation mode for pod-identity. Default is standard mode that has MIC doing identity assignment
36+
# Allowed values: "standard", "managed"
37+
operationMode: "standard"
38+
3539
mic:
3640
image: mic
37-
tag: 1.5.5
41+
tag: 1.6.0
3842

3943
priorityClassName: ""
4044

@@ -96,7 +100,7 @@ mic:
96100

97101
nmi:
98102
image: nmi
99-
tag: 1.5.5
103+
tag: 1.6.0
100104

101105
priorityClassName: ""
102106

charts/index.yaml

+21-6
@@ -1,9 +1,24 @@
11
apiVersion: v1
22
entries:
33
aad-pod-identity:
4+
- apiVersion: v1
5+
appVersion: 1.6.0
6+
created: "2020-04-24T12:12:20.536485-07:00"
7+
description: Deploy components for aad-pod-identity
8+
digest: 7753d4ca3f27f2abcf7def0733c8b3543483266435a2fb3b038b254385a1ef19
9+
home: https://github.com/Azure/aad-pod-identity
10+
maintainers:
11+
- email: anish.ramasekar@gmail.com
12+
name: aramase
13+
name: aad-pod-identity
14+
sources:
15+
- https://github.com/Azure/aad-pod-identity
16+
urls:
17+
- https://raw.githubusercontent.com/Azure/aad-pod-identity/master/charts/aad-pod-identity-1.6.0.tgz
18+
version: 1.6.0
419
- apiVersion: v1
520
appVersion: 1.5.5
6-
created: "2020-04-15T16:00:31.34537-07:00"
21+
created: "2020-04-24T12:12:20.535282-07:00"
722
description: Deploy components for aad-pod-identity
823
digest: 8cd12b380d1ae694d0c916409cd6747572f80e83bdbfec7ce806a496da37aa07
924
home: https://github.com/Azure/aad-pod-identity
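Review bot: regenerating the index rewrote the `created` timestamp of every historical entry (1.5.6 here, and 1.5.5 down to 1.5.2 in the hunks below now all carry 2020-04-24), which loses the original publication dates of those charts. Build the index with `helm repo index --merge <existing index.yaml>` so that only the new 1.6.0 entry receives a fresh timestamp.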
@@ -18,7 +33,7 @@ entries:
1833
version: 1.5.6
1934
- apiVersion: v1
2035
appVersion: 1.5.5
21-
created: "2020-04-15T16:00:31.342757-07:00"
36+
created: "2020-04-24T12:12:20.533483-07:00"
2237
description: Deploy components for aad-pod-identity
2338
digest: a35ceab66397ef58df6b60cb446445e68baaced1d7526690896dcfba21758abb
2439
home: https://github.com/Azure/aad-pod-identity
@@ -33,7 +48,7 @@ entries:
3348
version: 1.5.5
3449
- apiVersion: v1
3550
appVersion: 1.5.4
36-
created: "2020-04-15T16:00:31.340249-07:00"
51+
created: "2020-04-24T12:12:20.531964-07:00"
3752
description: Deploy components for aad-pod-identity
3853
digest: b04a1510d3bb0f9afb5e3f7a9ba9af313027615cbb6d480050b992423819e13f
3954
home: https://github.com/Azure/aad-pod-identity
@@ -48,7 +63,7 @@ entries:
4863
version: 1.5.4
4964
- apiVersion: v1
5065
appVersion: 1.5.3
51-
created: "2020-04-15T16:00:31.333889-07:00"
66+
created: "2020-04-24T12:12:20.530686-07:00"
5267
description: Deploy components for aad-pod-identity
5368
digest: 3dab91c7f115d23123f863eeea1c93a34640a42ac1e7052600020600fbfa55ad
5469
home: https://github.com/Azure/aad-pod-identity
@@ -63,7 +78,7 @@ entries:
6378
version: 1.5.3
6479
- apiVersion: v1
6580
appVersion: 1.5.2
66-
created: "2020-04-15T16:00:31.326332-07:00"
81+
created: "2020-04-24T12:12:20.529371-07:00"
6782
description: Deploy components for aad-pod-identity
6883
digest: 58a8ea212a1461f72ce17be5b767dac920d0f56803c026320a16c22de3ed365a
6984
home: https://github.com/Azure/aad-pod-identity
@@ -76,4 +91,4 @@ entries:
7691
urls:
7792
- https://raw.githubusercontent.com/Azure/aad-pod-identity/master/charts/aad-pod-identity-1.5.2.tgz
7893
version: 1.5.2
79-
generated: "2020-04-15T16:00:31.317883-07:00"
94+
generated: "2020-04-24T12:12:20.526788-07:00"

deploy/demo/aadpodidentity-sp.yaml

+4-4
@@ -4,14 +4,14 @@ metadata:
44
name: demo-aad1-sp
55
type: Opaque
66
data:
7-
ClientSecret: CLIENT_SECRET
7+
clientSecret: CLIENT_SECRET
88
---
99
apiVersion: "aadpodidentity.k8s.io/v1"
1010
kind: AzureIdentity
1111
metadata:
1212
name: demo-aad1
1313
spec:
1414
type: 1
15-
TenantID: TENANT_ID
16-
ClientID: CLIENT_ID
17-
ClientPassword: {"Name":"demo-aad1-sp","Namespace":"default"}
15+
tenantID: TENANT_ID
16+
clientID: CLIENT_ID
17+
clientPassword: {"Name":"demo-aad1-sp","Namespace":"default"}
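Review bot: `data:` values in a Secret must be base64-encoded, so a user who substitutes a raw secret for the `CLIENT_SECRET` placeholder on line 7 gets a decode error or a garbled credential; either switch the demo to `stringData:` or add a comment that the value must be base64. Also confirm that the `clientSecret` key rename matches the key MIC reads from the Secret referenced by `clientPassword`, since a mismatch only surfaces at token-acquisition time.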

deploy/infra/deployment-rbac.yaml

+2-2
@@ -121,7 +121,7 @@ spec:
121121
name: iptableslock
122122
containers:
123123
- name: nmi
124-
image: "mcr.microsoft.com/k8s/aad-pod-identity/nmi:1.5.5"
124+
image: "mcr.microsoft.com/k8s/aad-pod-identity/nmi:1.6.0"
125125
imagePullPolicy: Always
126126
args:
127127
- "--host-ip=$(HOST_IP)"
@@ -233,7 +233,7 @@ spec:
233233
serviceAccountName: aad-pod-id-mic-service-account
234234
containers:
235235
- name: mic
236-
image: "mcr.microsoft.com/k8s/aad-pod-identity/mic:1.5.5"
236+
image: "mcr.microsoft.com/k8s/aad-pod-identity/mic:1.6.0"
237237
imagePullPolicy: Always
238238
args:
239239
- "--cloudconfig=/etc/kubernetes/azure.json"
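Review bot: the commit message says MIC_POD_NAMESPACE is added to all manifests, but this file only bumps the image tags; the MIC container here gets no `env` entry for MIC_POD_NAMESPACE, unlike deploy/infra/deployment.yaml and the Helm chart in this same commit. Add the same downward-API entry (`valueFrom.fieldRef.fieldPath: metadata.namespace`) to this deployment, otherwise the RBAC variant of the manifest will behave differently from the others.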

deploy/infra/deployment.yaml

+7-2
@@ -77,7 +77,7 @@ spec:
7777
name: iptableslock
7878
containers:
7979
- name: nmi
80-
image: "mcr.microsoft.com/k8s/aad-pod-identity/nmi:1.5.5"
80+
image: "mcr.microsoft.com/k8s/aad-pod-identity/nmi:1.6.0"
8181
imagePullPolicy: Always
8282
args:
8383
- "--host-ip=$(HOST_IP)"
@@ -134,12 +134,17 @@ spec:
134134
spec:
135135
containers:
136136
- name: mic
137-
image: "mcr.microsoft.com/k8s/aad-pod-identity/mic:1.5.5"
137+
image: "mcr.microsoft.com/k8s/aad-pod-identity/mic:1.6.0"
138138
imagePullPolicy: Always
139139
args:
140140
- "--kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig"
141141
- "--cloudconfig=/etc/kubernetes/azure.json"
142142
- "--logtostderr"
143+
env:
144+
- name: MIC_POD_NAMESPACE
145+
valueFrom:
146+
fieldRef:
147+
fieldPath: metadata.namespace
143148
resources:
144149
limits:
145150
cpu: 200m
