feat(dsb-spring-boot): support Azure Workload Identity annotations

charts/dsb-spring-boot/Chart.yaml

@@ -15,4 +15,4 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 4.2.2
+version: 4.2.3

charts/dsb-spring-boot/templates/deployment.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -27,6 +28,7 @@ spec:
         helm.sh/chart-name: {{ .Chart.Name }}
         helm.sh/chart-version: {{ .Chart.Version | replace "+" "_" }}
         helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+        azure.workload.identity/use: {{ empty .Values.azureWorkloadIdentity.clientId | ternary "false" "true" | quote }}
       annotations:
         {{- /*
         protected pod annotations:
@@ -208,3 +210,4 @@ spec:
         .Values.azureKeyVault.vaults
         ( .Values.global.azureKeyVaultDefaultValues | default .Values.azureKeyVault.defaultValues )
         .Release.Name) | indent 8 }}
+...

charts/dsb-spring-boot/templates/serviceAccount.yaml

@@ -1,7 +1,13 @@
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ .Release.Name }}-service-account
   namespace: {{ .Release.Namespace }}
   labels:
     app: {{ .Release.Name }}-app
+  {{- if empty .Values.azureWorkloadIdentity.clientId | not }}
+  annotations:
+    azure.workload.identity/client-id: {{ .Values.azureWorkloadIdentity.clientId | quote }}
+  {{- end }}
+...

charts/dsb-spring-boot/tests/__snapshot__/rendering_test.yaml.snap

@@ -146,7 +146,7 @@ Full manifest should match snapshot:
       template:
         metadata:
           annotations:
-            checksum: chart-version=4.2.2_config-hash=1950948093668f27e810845f9d87d77b73d0029b5ebcf1e0988e04196c673308
+            checksum: chart-version=4.2.3_config-hash=9b86f1aedf86c0dec1c84f337857db3a32c0182f319591bcdb0afcb7058e08c0
           labels:
             app: RELEASE-NAME-db-app
         spec:
@@ -204,7 +204,7 @@ Full manifest should match snapshot:
         metadata:
           annotations:
             apparmor.security.beta.kubernetes.io/pod: runtime/default
-            checksum: chart-version=4.2.2_config-hash=7ea574d5596882ba06de56152e37d4a2e751362a34e86879450da443f1c88366
+            checksum: chart-version=4.2.3_config-hash=1bfd548597c03b5cf4a4e9a0b0eff8913ad89f221ef19eb0ca32632db6eebfdb
             co.elastic.logs/json.add_error_key: "true"
             co.elastic.logs/json.keys_under_root: "true"
             co.elastic.logs/json.overwrite_keys: "true"
@@ -216,9 +216,10 @@ Full manifest should match snapshot:
             app.kubernetes.io/name: Rendering test
             app.kubernetes.io/part-of: Verification stuff
             app.kubernetes.io/version: greatest
-            helm.sh/chart: dsb-spring-boot-4.2.2
+            azure.workload.identity/use: "false"
+            helm.sh/chart: dsb-spring-boot-4.2.3
             helm.sh/chart-name: dsb-spring-boot
-            helm.sh/chart-version: 4.2.2
+            helm.sh/chart-version: 4.2.3
         spec:
           affinity:
             podAntiAffinity:
@@ -432,10 +433,10 @@ Full manifest should match snapshot:
         app.kubernetes.io/part-of: Verification stuff
         app.kubernetes.io/version: greatest
         chart-name: dsb-spring-boot
-        chart-version: 4.2.2
-        helm.sh/chart: dsb-spring-boot-4.2.2
+        chart-version: 4.2.3
+        helm.sh/chart: dsb-spring-boot-4.2.3
         helm.sh/chart-name: dsb-spring-boot
-        helm.sh/chart-version: 4.2.2
+        helm.sh/chart-version: 4.2.3
         management.port: "81"
         spring-boot: "true"
       name: RELEASE-NAME
@@ -495,7 +496,7 @@ Minimal manifest should match snapshot:
         metadata:
           annotations:
             apparmor.security.beta.kubernetes.io/pod: runtime/default
-            checksum: chart-version=4.2.2_config-hash=858675eb033edea5ea94c8380ae30d2ca76f44e837653bd7948afa4a6233e23b
+            checksum: chart-version=4.2.3_config-hash=a6bf400a36300fa083f941b5c5ae1743db9536b65acae6ee787a66e8bbc9510d
             co.elastic.logs/json.add_error_key: "true"
             co.elastic.logs/json.keys_under_root: "true"
             co.elastic.logs/json.overwrite_keys: "true"
@@ -507,9 +508,10 @@ Minimal manifest should match snapshot:
             app.kubernetes.io/name: RELEASE-NAME
             app.kubernetes.io/part-of: RELEASE-NAME
             app.kubernetes.io/version: latest
-            helm.sh/chart: dsb-spring-boot-4.2.2
+            azure.workload.identity/use: "false"
+            helm.sh/chart: dsb-spring-boot-4.2.3
             helm.sh/chart-name: dsb-spring-boot
-            helm.sh/chart-version: 4.2.2
+            helm.sh/chart-version: 4.2.3
         spec:
           affinity:
             podAntiAffinity:
@@ -605,10 +607,10 @@ Minimal manifest should match snapshot:
         app.kubernetes.io/part-of: RELEASE-NAME
         app.kubernetes.io/version: latest
         chart-name: dsb-spring-boot
-        chart-version: 4.2.2
-        helm.sh/chart: dsb-spring-boot-4.2.2
+        chart-version: 4.2.3
+        helm.sh/chart: dsb-spring-boot-4.2.3
         helm.sh/chart-name: dsb-spring-boot
-        helm.sh/chart-version: 4.2.2
+        helm.sh/chart-version: 4.2.3
         management.port: "8180"
         spring-boot: "true"
       name: RELEASE-NAME

charts/dsb-spring-boot/tests/workload_identity_test.yaml

@@ -0,0 +1,42 @@
+---
+suite: test workload identity (wi) config
+tests:
+  - it: wi should be disabled by default
+    template: deployment.yaml
+    asserts:
+      - equal:
+          path: spec.template.metadata.labels["azure.workload.identity/use"]
+          value: "false"
+  - it: it should be possible to enable wi by specifying a client id
+    template: deployment.yaml
+    set:
+      azureWorkloadIdentity:
+        clientId: "test-client-id"
+    asserts:
+      - equal:
+          path: spec.template.metadata.labels["azure.workload.identity/use"]
+          value: "true"
+  - it: empty wi client id should result in wi being disabled
+    template: deployment.yaml
+    set:
+      azureWorkloadIdentity:
+        clientId: ""
+    asserts:
+      - equal:
+          path: spec.template.metadata.labels["azure.workload.identity/use"]
+          value: "false"
+  - it: when wi is enabled, the client id should exist as service account annotation
+    template: serviceAccount.yaml
+    set:
+      azureWorkloadIdentity:
+        clientId: "test-client-id"
+    asserts:
+      - equal:
+          path: metadata.annotations["azure.workload.identity/client-id"]
+          value: "test-client-id"
+  - it: when wi is disabled, the client id should not exist as service account annotation
+    template: serviceAccount.yaml
+    asserts:
+      - notExists:
+          path: metadata.annotations["azure.workload.identity/client-id"]
+...

charts/dsb-spring-boot/values.yaml

@@ -43,6 +43,12 @@ podAnnotations:
 # Default Spring Profile:
 springProfiles: "kubernetes"
 
+# default is to not use workload identity
+# if clientId is specified, workload identity will be enabled for the deployment
+# the specified clientId must be an existing managed identity in the Azure tenant
+azureWorkloadIdentity:
+  clientId: ""
+
 # It is possible to use a normal yaml tree here, for example:
 # root:
 #   node1: 1