Azure AD identity support for AzureAD-enabled AKS clusters #205
Force-pushed from fcf92bd to f5aa5e1
Signed-off-by: Erhan Cagirici <erhan@upbound.io>
Force-pushed from f5aa5e1 to 8db230f
What happens if you use the kubeconfig from connectionSecret?
@haarchri summarizing our Slack chat for reference here:
Signed-off-by: Erhan Cagirici <erhan@upbound.io>
Tested and working:

One side note:
…essage Signed-off-by: Erhan Cagirici <erhan@upbound.io>
Force-pushed from e0b38df to 3ace72a
Great work @erhancagirici 💪
Left a couple of comments but nothing major.
apis/v1beta1/types.go (Outdated)
@@ -50,12 +50,14 @@ type IdentityType string | |||
// Supported identity types. | |||
const ( | |||
IdentityTypeGoogleApplicationCredentials = "GoogleApplicationCredentials" | |||
|
|||
IdentityTypeAzurePrincipalCredentials = "AzurePrincipalCredentials" |
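Review bot: the new constant at the end of the hunk, IdentityTypeAzurePrincipalCredentials = "AzurePrincipalCredentials", names a generic Azure principal while the PR only wires up service principal login, so the value users put in ProviderConfig .spec.identity.type becomes ambiguous as soon as MSI or workload identity support is added; either rename it to AzureServicePrincipalCredentials now, or keep the generic name and extend the // Supported identity types. comment to state which principal kinds this type currently accepts and what the referenced Secret must contain.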
Suggested change, replacing:
IdentityTypeAzurePrincipalCredentials = "AzurePrincipalCredentials"
with:
IdentityTypeAzurePrincipalCredentials = "AzureServicePrincipalCredentials"
Not sure if there is something called AzurePrincipal vs AzureServicePrincipal, but more explicit would be better in the API.
Principal is a generic term for referring to an authentication subject. I named it like this in case we support other principals like MSI or workload identity, and to not directly suggest Service Principals. I am OK with changing to AzureServicePrincipalCredentials or some other name.
I would suggest so, considering we only support ServicePrincipalLogin, and to be explicit there.
Signed-off-by: Hasan Turken <turkenh@gmail.com>
Force-pushed from f9c60fc to 17ceb75
…eject injected identity source - update comments for opt parsing, cleanup comments Signed-off-by: Erhan Cagirici <erhan@upbound.io>
Signed-off-by: Erhan Cagirici <erhan@upbound.io>
Thank you @erhancagirici 🙌
Description of your changes

Enables configuring Azure AD authentication via kubelogin integration. Introduces the type AzurePrincipalCredentials in the ProviderConfig .spec.identity section. The specified Azure Service Principal credentials, provided via a Secret, are used for authenticating to the AKS cluster by obtaining a token through kubelogin.

An example ProviderConfig using AzurePrincipalCredentials as identity for authenticating to AzureAD:

Fixes #180

I have:
- Run make reviewable to ensure this PR is ready for review.

How has this code been tested

Tested with 2 different AKS clusters. The provider configs consist of the following: az aks get-credentials --resource-group myresourcegroup --name myclustername, as described in the Azure Portal > AKS cluster > Connect section.

For cluster 1 (AzureAD Auth + k8s RBAC): the service principal is added to an Azure AD group, then that group is added to the Cluster admin ClusterRoleBinding at Azure Portal > The AKS cluster > Cluster Configuration.

For cluster 2 (AzureAD Auth + Azure RBAC): the service principal is assigned the Azure Kubernetes Service RBAC Cluster Admin built-in role for the particular AKS cluster, through Azure Portal > The AKS cluster > Access Control (IAM) > Add Role Assignment. If desired, a custom role can be built that has fewer privileges and assigned to the service principal.

Using those ProviderConfigs, an example Helm Release manifest is created and reconciled successfully.
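The flow the description and the test notes sketch (a kubeconfig from az aks get-credentials, service principal credentials from a Secret, a token obtained through kubelogin) as an added Go example; this is not code from this PR or from the provider. It takes the kubeconfig that az aks get-credentials writes for an Azure AD enabled cluster, which carries a kubelogin exec plugin set up for interactive login, and rewrites that exec stanza into a non-interactive `--login spn` login driven by the service principal. Assumptions: the kubeconfig is handled in its JSON form with stdlib-only structs rather than client-go's clientcmdapi types, so exec fields the structs do not declare (installHint, provideClusterInfo) are dropped on re-marshal and production code should use clientcmdapi instead; `SPNCredentials` and its field names are hypothetical stand-ins for the Secret keys; `SampleKubeconfig` is constructed with placeholder GUIDs and host; and the kubelogin flags and environment variables used (`--login spn`, `--tenant-id`, `AAD_SERVICE_PRINCIPAL_CLIENT_ID`, `AAD_SERVICE_PRINCIPAL_CLIENT_SECRET`) follow kubelogin's documented service principal login and should be checked against the kubelogin version the provider ships.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Minimal kubeconfig shapes (kubectl accepts JSON kubeconfigs); only the rewritten fields are declared.
type ExecEnvVar struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}
type ExecConfig struct {
	APIVersion string       `json:"apiVersion"`
	Command    string       `json:"command"`
	Args       []string     `json:"args"`
	Env        []ExecEnvVar `json:"env,omitempty"`
}
type NamedAuthInfo struct {
	Name string `json:"name"`
	User struct {
		Exec *ExecConfig `json:"exec,omitempty"`
	} `json:"user"`
}
// SPNCredentials mirrors a service principal Secret (hypothetical key names).
type SPNCredentials struct{ ClientID, ClientSecret, TenantID string }

// RewriteExecForSPN turns the interactive kubelogin stanza written by `az aks get-credentials`
// into a non-interactive spn login. Any other exec plugin is refused: credentials injected
// into an unknown binary go wherever that binary sends them.
func RewriteExecForSPN(exec *ExecConfig, c SPNCredentials) error {
	if exec == nil {
		return errors.New("no exec plugin: not an Azure AD enabled kubeconfig")
	}
	if exec.Command != "kubelogin" {
		return fmt.Errorf("refusing to inject identity into exec plugin %q", exec.Command)
	}
	// Strip login mode and credential flags so the Secret is the only identity source; az writes
	// kubelogin's own public --client-id here, and it must not survive into the spn login.
	drop := map[string]bool{"--login": true, "-l": true, "--client-id": true, "--client-secret": true, "--tenant-id": true}
	kept := make([]string, 0, len(exec.Args))
	for i := 0; i < len(exec.Args); i++ {
		a := exec.Args[i]
		if drop[a] {
			i++ // the flag's value is the next token; skip it too
			continue
		}
		if flag, _, ok := strings.Cut(a, "="); ok && drop[flag] {
			continue // --login=devicecode form
		}
		kept = append(kept, a)
	}
	exec.Args = append(kept, "--login", "spn", "--tenant-id", c.TenantID)
	// The secret travels in the exec env (kubelogin reads AAD_SERVICE_PRINCIPAL_CLIENT_ID/_SECRET),
	// never in argv, which ps exposes to every local user.
	exec.Env = []ExecEnvVar{
		{Name: "AAD_SERVICE_PRINCIPAL_CLIENT_ID", Value: c.ClientID},
		{Name: "AAD_SERVICE_PRINCIPAL_CLIENT_SECRET", Value: c.ClientSecret},
	}
	return nil
}

// InjectSPNIdentity rewrites every user of a JSON kubeconfig; other top-level sections pass through untouched.
func InjectSPNIdentity(kubeconfigJSON []byte, c SPNCredentials) ([]byte, error) {
	var top map[string]json.RawMessage
	if err := json.Unmarshal(kubeconfigJSON, &top); err != nil {
		return nil, fmt.Errorf("parse kubeconfig: %w", err)
	}
	var users []NamedAuthInfo
	if err := json.Unmarshal(top["users"], &users); err != nil || len(users) == 0 {
		return nil, errors.New("kubeconfig has no users")
	}
	for i := range users {
		if err := RewriteExecForSPN(users[i].User.Exec, c); err != nil {
			return nil, fmt.Errorf("user %q: %w", users[i].Name, err)
		}
	}
	var err error
	if top["users"], err = json.Marshal(users); err != nil {
		return nil, err
	}
	return json.Marshal(top)
}

// SampleKubeconfig is a constructed stand-in for `az aks get-credentials` output; GUIDs and host are placeholders.
var SampleKubeconfig = []byte(`{"apiVersion":"v1","kind":"Config","current-context":"myclustername","clusters":[{"name":"myclustername","cluster":{"server":"https://myclustername.example.invalid:443"}}],
 "contexts":[{"name":"myclustername","context":{"cluster":"myclustername","user":"clusterUser_myresourcegroup_myclustername"}}],
 "users":[{"name":"clusterUser_myresourcegroup_myclustername","user":{"exec":{"command":"kubelogin",
   "apiVersion":"client.authentication.k8s.io/v1beta1","args":["get-token","--environment","AzurePublicCloud",
   "--server-id","00000000-0000-0000-0000-00000000aaaa","--client-id","00000000-0000-0000-0000-00000000bbbb",
   "--tenant-id","00000000-0000-0000-0000-00000000cccc","--login","devicecode"]}}}]}`)

func main() {
	out, err := InjectSPNIdentity(SampleKubeconfig, SPNCredentials{ClientID: "sp-app-id", ClientSecret: "sp-secret", TenantID: "tenant-id"})
	fmt.Println(string(out), err)
}
```

Two points a practitioner should keep in mind when reading this against the test notes above. First, the rewritten kubeconfig still contains the service principal secret (in the exec env block), so the ProviderConfig Secret and any connection secret derived from it need the same protection as the service principal secret itself; the env-over-argv choice only keeps it out of process listings. Second, the identity only authenticates: whether the token is authorized for anything comes from the cluster-side binding described above, either the Azure AD group bound to the cluster-admin ClusterRoleBinding (k8s RBAC) or the Azure Kubernetes Service RBAC role assignment on the cluster resource (Azure RBAC), which is where a least-privilege custom role would be applied.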