cli: use uami for in-cluter authentication (#1820)

2025-07-30 18:48:39 -04:00 · 2023-05-26 11:45:03 +02:00 · 2023-05-26 11:45:03 +02:00 · 661f084ffa
commit 661f084ffa
parent 9502bc8ff4
13 changed files with 65 additions and 117 deletions
--- a/docs/docs/reference/config-migration.md
+++ b/docs/docs/reference/config-migration.md
@ -1,8 +1,19 @@
-# Configuration migrations
+# Migrations

-This document describes breaking changes in the configuration file format between Constellation releases.
+This document describes breaking changes and migrations between Constellation releases.
 Use [`constellation config migrate`](./cli.md#constellation-config-migrate) to automatically update an old config file to a new format.

+## Migrating from Azure's service principal authentication to managed identity authentication
+
+- The `provider.azure.appClientID` and `provider.azure.appClientSecret` fields are no longer required and should be removed.
+- To keep using an existing UAMI add the `Owner` permission with the scope of your `resourceGroup`.
+- Otherwise, simply [create new Constellation IAM credentials](../workflows/config.md#creating-iam-credentials) and use the created UAMI.
+- To migrate the authentication for an existing Constellation on Azure to an UAMI with the necessary permissions:
+  1. Remove the `aadClientId` and `aadClientSecret` from the azureconfig secret.
+  2. Set `useManagedIdentityExtension` to `true`  and use the `userAssignedIdentity` from the Constellation config for the value of `userAssignedIdentityID`.
+  3. Restart the CSI driver, cloud controller manager, cluster autoscaler, and Constellation operator pods.
+
+
 ## Migrating from CLI versions before 2.8

 - The `measurements` field for each cloud service provider was replaced with a global `attestation` field.