deployment and helm charts update for release 1.5.3 (#394)

* update manifests for release 1.5.3

* add new feature flags

* update changelog for 1.5.3

* unset enable scale features in helm

* add selector as part of move to apps/v1

* remove testing changes

* update test manifests

Author: aramase

charts/aad-pod-identity-1.5.3.tgz

@@ -1,8 +1,8 @@
 apiVersion: v1
 description: Deploy components for aad-pod-identity
 name: aad-pod-identity
-version: 1.5.2
-appVersion: 1.5.2
+version: 1.5.3
+appVersion: 1.5.3
 home: https://github.com/Azure/aad-pod-identity
 sources:
   - https://github.com/Azure/aad-pod-identity

charts/aad-pod-identity/Chart.yaml

@@ -56,6 +56,12 @@ spec:
           {{- if .Values.mic.probePort }}
           - --http-probe-port={{ .Values.mic.probePort }}
           {{- end }}
+          {{- if .Values.mic.createDeleteBatch }}
+          - --createDeleteBatch={{ .Values.mic.createDeleteBatch }}
+          {{- end }}
+          {{- if .Values.mic.clientQps }}
+          - --clientQps={{ .Values.mic.clientQps }}
+          {{- end }}
         env:
           - name: FORCENAMESPACED
             value: "{{ .Values.forceNameSpaced }}"

charts/aad-pod-identity/templates/mic-deployment.yaml

@@ -15,16 +15,16 @@ rules:
   verbs: ["get", "list"]
 - apiGroups: [""]
   resources: ["pods"]
-  verbs: ["get", "list"]
+  verbs: ["get", "list", "watch"]
 {{- if .Values.rbac.allowAccessToSecrets }}
 - apiGroups: [""]
   resources: ["secrets"]
   verbs: ["get"]
 {{- end }}
 - apiGroups: ["aadpodidentity.k8s.io"]
   resources: ["azureidentitybindings", "azureidentities", "azurepodidentityexceptions"]
-  verbs: ["get", "list"]
+  verbs: ["get", "list", "watch"]
 - apiGroups: ["aadpodidentity.k8s.io"]
   resources: ["azureassignedidentities"]
-  verbs: ["get", "list"]
+  verbs: ["get", "list", "watch"]
 {{- end }}

charts/aad-pod-identity/templates/nmi-clusterrole.yaml

@@ -62,6 +62,9 @@ spec:
           {{- if .Values.nmi.findIdentityRetryIntervalInSeconds }}
           - --find-identity-retry-interval={{ .Values.nmi.findIdentityRetryIntervalInSeconds }}
           {{- end }}
+          {{- if .Values.nmi.enableScaleFeatures }}
+          - --enableScaleFeatures={{ .Values.nmi.enableScaleFeatures }}
+          {{- end }}
         env:
           - name: HOST_IP
             valueFrom:

charts/aad-pod-identity/templates/nmi-daemonset.yaml

@@ -24,7 +24,7 @@ forceNameSpaced: "false"
 
 mic:
   image: mic
-  tag: 1.5.2
+  tag: 1.5.3
 
   # log level. Uses V logs (glog)
   # logVerbosity: 0
@@ -62,9 +62,17 @@ mic:
   # Override interval in seconds at which sync loop should periodically check for errors and reconcile (default is 3600s)
   syncRetryDuration: ""
 
+  # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#batch-create-delete-flag
+  # default value is 20
+  createDeleteBatch: ""
+
+  # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#client-qps-flag
+  # default value is 5
+  clientQps: ""
+
 nmi:
   image: nmi
-  tag: 1.5.2
+  tag: 1.5.3
 
   resources:
     limits:
@@ -101,6 +109,10 @@ nmi:
   # Override retry interval to find assigned identities in seconds (default is 5)
   findIdentityRetryIntervalInSeconds: ""
 
+  # Enable scale features - https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#enable-scale-features-flag
+  # Accepted values are true/false. Default is false.
+  enableScaleFeatures: ""
+
 rbac:
   enabled: true
   # NMI requires permissions to get secrets when service principal (type: 1) is used in AzureIdentity.

charts/aad-pod-identity/values.yaml

@@ -1,9 +1,24 @@
 apiVersion: v1
 entries:
   aad-pod-identity:
+  - apiVersion: v1
+    appVersion: 1.5.3
+    created: "2019-10-11T15:59:33.322904-07:00"
+    description: Deploy components for aad-pod-identity
+    digest: 3dab91c7f115d23123f863eeea1c93a34640a42ac1e7052600020600fbfa55ad
+    home: https://github.com/Azure/aad-pod-identity
+    maintainers:
+    - email: anish.ramasekar@gmail.com
+      name: aramase
+    name: aad-pod-identity
+    sources:
+    - https://github.com/Azure/aad-pod-identity
+    urls:
+    - https://raw.githubusercontent.com/Azure/aad-pod-identity/master/charts/aad-pod-identity-1.5.3.tgz
+    version: 1.5.3
   - apiVersion: v1
     appVersion: 1.5.2
-    created: "2019-09-16T11:43:42.435047-07:00"
+    created: "2019-10-11T15:59:33.321838-07:00"
     description: Deploy components for aad-pod-identity
     digest: 58a8ea212a1461f72ce17be5b767dac920d0f56803c026320a16c22de3ed365a
     home: https://github.com/Azure/aad-pod-identity
@@ -16,4 +31,4 @@ entries:
     urls:
     - https://raw.githubusercontent.com/Azure/aad-pod-identity/master/charts/aad-pod-identity-1.5.2.tgz
     version: 1.5.2
-generated: "2019-09-16T11:43:42.434192-07:00"
+generated: "2019-10-11T15:59:33.31978-07:00"

charts/index.yaml

@@ -64,16 +64,16 @@ rules:
   verbs: ["get", "list"]
 - apiGroups: [""]
   resources: ["pods"]
-  verbs: ["get", "list"]
+  verbs: ["get", "list", "watch"]
 - apiGroups: [""]
   resources: ["secrets"]
   verbs: ["get"]
 - apiGroups: ["aadpodidentity.k8s.io"]
   resources: ["azureidentitybindings", "azureidentities", "azurepodidentityexceptions"]
-  verbs: ["get", "list"]
+  verbs: ["get", "list", "watch"]
 - apiGroups: ["aadpodidentity.k8s.io"]
   resources: ["azureassignedidentities"]
-  verbs: ["get", "list"]
+  verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
@@ -90,7 +90,7 @@ roleRef:
   name: aad-pod-id-nmi-role
   apiGroup: rbac.authorization.k8s.io
 ---
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   labels:
@@ -103,6 +103,10 @@ metadata:
 spec:
   updateStrategy:
     type: RollingUpdate
+  selector:
+    matchLabels:
+      component: nmi
+      tier: node
   template:
     metadata:
       labels:
@@ -118,7 +122,7 @@ spec:
         name: iptableslock
       containers:
       - name: nmi
-        image: "mcr.microsoft.com/k8s/aad-pod-identity/nmi:1.5.2"
+        image: "mcr.microsoft.com/k8s/aad-pod-identity/nmi:1.5.3"
         imagePullPolicy: Always
         args:
           - "--host-ip=$(HOST_IP)"
@@ -201,7 +205,7 @@ roleRef:
   name: aad-pod-id-mic-role
   apiGroup: rbac.authorization.k8s.io
 ---
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
@@ -211,6 +215,10 @@ metadata:
   namespace: default
 spec:
   replicas: 2
+  selector:
+    matchLabels:
+      component: mic
+      app: mic
   template:
     metadata:
       labels:
@@ -220,7 +228,7 @@ spec:
       serviceAccountName: aad-pod-id-mic-service-account
       containers:
       - name: mic
-        image: "mcr.microsoft.com/k8s/aad-pod-identity/mic:1.5.2"
+        image: "mcr.microsoft.com/k8s/aad-pod-identity/mic:1.5.3"
         imagePullPolicy: Always
         args:
           - "--cloudconfig=/etc/kubernetes/azure.json"

deploy/infra/deployment-rbac.yaml

@@ -48,7 +48,7 @@ spec:
     plural: azurepodidentityexceptions
   scope: Namespaced
 ---
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   labels:
@@ -60,6 +60,10 @@ metadata:
 spec:
   updateStrategy:
     type: RollingUpdate
+  selector:
+    matchLabels:
+      component: nmi
+      tier: node
   template:
     metadata:
       labels:
@@ -74,7 +78,7 @@ spec:
         name: iptableslock
       containers:
       - name: nmi
-        image: "mcr.microsoft.com/k8s/aad-pod-identity/nmi:1.5.2"
+        image: "mcr.microsoft.com/k8s/aad-pod-identity/nmi:1.5.3"
         imagePullPolicy: Always
         args:
           - "--host-ip=$(HOST_IP)"
@@ -112,7 +116,7 @@ spec:
       nodeSelector:
         beta.kubernetes.io/os: linux
 ---
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
@@ -121,14 +125,17 @@ metadata:
   namespace: default
 spec:
   replicas: 2
+  selector:
+    matchLabels:
+      component: mic
   template:
     metadata:
       labels:
         component: mic
     spec:
       containers:
       - name: mic
-        image: "mcr.microsoft.com/k8s/aad-pod-identity/mic:1.5.2"
+        image: "mcr.microsoft.com/k8s/aad-pod-identity/mic:1.5.3"
         imagePullPolicy: Always
         args:
           - "--kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig"

deploy/infra/deployment.yaml

@@ -64,16 +64,16 @@ rules:
   verbs: ["get", "list"]
 - apiGroups: [""]
   resources: ["pods"]
-  verbs: ["get", "list"]
+  verbs: ["get", "list", "watch"]
 - apiGroups: [""]
   resources: ["secrets"]
   verbs: ["get"]
 - apiGroups: ["aadpodidentity.k8s.io"]
   resources: ["azureidentitybindings", "azureidentities", "azurepodidentityexceptions"]
-  verbs: ["get", "list"]
+  verbs: ["get", "list", "watch"]
 - apiGroups: ["aadpodidentity.k8s.io"]
   resources: ["azureassignedidentities"]
-  verbs: ["get", "list"]
+  verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
@@ -90,7 +90,7 @@ roleRef:
   name: aad-pod-id-nmi-role
   apiGroup: rbac.authorization.k8s.io
 ---
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   labels:
@@ -101,6 +101,10 @@ metadata:
   name: nmi
   namespace: default
 spec:
+  selector:
+    matchLabels:
+      component: nmi
+      tier: node
   template:
     metadata:
       labels:
@@ -116,7 +120,7 @@ spec:
         name: iptableslock
       containers:
       - name: nmi
-        image: "mcr.microsoft.com/k8s/aad-pod-identity/nmi:1.5.2"
+        image: "mcr.microsoft.com/k8s/aad-pod-identity/nmi:1.5.3"
         imagePullPolicy: Always
         args:
           - "--host-ip=$(HOST_IP)"
@@ -213,7 +217,7 @@ metadata:
   name: aadpodidentity-admin-secret
   namespace: default
 ---
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
@@ -223,6 +227,9 @@ metadata:
   namespace: default
 spec:
   replicas: 2
+  selector:
+    matchLabels:
+      component: mic
   template:
     metadata:
       labels:
@@ -231,7 +238,7 @@ spec:
       serviceAccountName: aad-pod-id-mic-service-account
       containers:
       - name: mic
-        image: "mcr.microsoft.com/k8s/aad-pod-identity/mic:1.5.2"
+        image: "mcr.microsoft.com/k8s/aad-pod-identity/mic:1.5.3"
         imagePullPolicy: Always
         args:
           - "--logtostderr"

deploy/infra/noazurejson/deployment-rbac.yaml

@@ -58,6 +58,10 @@ metadata:
   name: nmi
   namespace: default
 spec:
+  selector:
+    matchLabels:
+      component: nmi
+      tier: node
   template:
     metadata:
       labels:
@@ -72,7 +76,7 @@ spec:
         name: iptableslock
       containers:
       - name: nmi
-        image: "mcr.microsoft.com/k8s/aad-pod-identity/nmi:1.5.2"
+        image: "mcr.microsoft.com/k8s/aad-pod-identity/nmi:1.5.3"
         imagePullPolicy: Always
         args:
           - "--host-ip=$(HOST_IP)"
@@ -133,14 +137,17 @@ metadata:
   namespace: default
 spec:
   replicas: 2
+  selector:
+    matchLabels:
+      component: mic
   template:
     metadata:
       labels:
         component: mic
     spec:
       containers:
       - name: mic
-        image: "mcr.microsoft.com/k8s/aad-pod-identity/mic:1.5.2"
+        image: "mcr.microsoft.com/k8s/aad-pod-identity/mic:1.5.3"
         imagePullPolicy: Always
         args:
           - "--kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig"