bootstrapper: make Azure auth method configurable on cluster init (#1346)

* bootstrapper: make Azure auth method configurable on cluster init
* azure: convert uami resource ID to clientID


Co-authored-by: 3u13r <lc@edgeless.systems>
This commit is contained in:
Malte Poll 2023-04-03 15:01:25 +02:00 committed by GitHub
parent 5cb1899c27
commit d15968bed7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 307 additions and 209 deletions


@ -451,6 +451,9 @@ func (i *initCmd) getMarshaledServiceAccountURI(provider cloudprovider.Provider,
AppClientID: config.Provider.Azure.AppClientID,
ClientSecretValue: config.Provider.Azure.ClientSecretValue,
Location: config.Provider.Azure.Location,
// TODO(malt3): Switch preferred auth method to uami as planned by AB#2961
PreferredAuthMethod: azureshared.AuthMethodServicePrincipal,
UamiResourceID: config.Provider.Azure.UserAssignedIdentity,
}
return creds.ToCloudServiceAccountURI(), nil
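Review bot: `PreferredAuthMethod` is pinned to `azureshared.AuthMethodServicePrincipal` directly under the TODO, so from this hunk `UamiResourceID` appears to be carried into the service-account URI while the `ClientSecretValue` remains the credential actually preferred; a reader cannot tell whether setting `UserAssignedIdentity` in the config changes anything at init time. Replace the bare TODO with a why-comment that states this, e.g. `// Service principal stays the preferred method for now; UamiResourceID is passed through so the cluster can later switch to managed identity (AB#2961).` The enclosing `getMarshaledServiceAccountURI` starts and ends outside the hunk, so whether an empty `AppClientID`/`ClientSecretValue` is rejected when only the UAMI is configured is not visible here and should be confirmed in the config validation.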


@ -181,7 +181,6 @@ go_library(
"charts/edgeless/constellation-services/charts/autoscaler/Chart.yaml",
"charts/edgeless/constellation-services/charts/autoscaler/templates/aws-deployment.yaml",
"charts/edgeless/constellation-services/charts/autoscaler/templates/azure-deployment.yaml",
"charts/edgeless/constellation-services/charts/autoscaler/templates/azure-secret.yaml",
"charts/edgeless/constellation-services/charts/autoscaler/templates/clusterrole.yaml",
"charts/edgeless/constellation-services/charts/autoscaler/templates/clusterrolebinding.yaml",
"charts/edgeless/constellation-services/charts/autoscaler/templates/gcp-deployment.yaml",


@ -24,43 +24,25 @@ spec:
- name: cluster-autoscaler
image: {{ .Values.image | quote }}
imagePullPolicy: IfNotPresent
command:
- ./cluster-autoscaler
args:
- --cloud-provider=azure
- --cloud-config=/etc/azure/azure.json
- --logtostderr=true
- --namespace=kube-system
- --stderrthreshold=info
- --v=2
volumeMounts:
- name: azureconfig
mountPath: /etc/azure
readOnly: true
livenessProbe:
httpGet:
path: /health-check
port: 8085
ports:
- containerPort: 8085
env:
- name: ARM_SUBSCRIPTION_ID
valueFrom:
secretKeyRef:
key: SubscriptionID
name: cluster-autoscaler-azure
- name: ARM_RESOURCE_GROUP
valueFrom:
secretKeyRef:
key: ResourceGroup
name: cluster-autoscaler-azure
- name: ARM_TENANT_ID
valueFrom:
secretKeyRef:
key: TenantID
name: cluster-autoscaler-azure
- name: ARM_CLIENT_ID
valueFrom:
secretKeyRef:
key: ClientID
name: cluster-autoscaler-azure
- name: ARM_CLIENT_SECRET
valueFrom:
secretKeyRef:
key: ClientSecret
name: cluster-autoscaler-azure
- name: ARM_VM_TYPE
valueFrom:
secretKeyRef:
key: VMType
name: cluster-autoscaler-azure
resources: {}
dnsPolicy: ClusterFirst
nodeSelector:
@ -78,4 +60,8 @@ spec:
key: node.cloudprovider.kubernetes.io/uninitialized
operator: Equal
value: "true"
volumes:
- name: azureconfig
secret:
secretName: azureconfig
{{- end -}}
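Review bot: The `volumes` entry added in the second hunk references a secret named `azureconfig` that this chart no longer creates itself — the azure-secret.yaml hunk deletes the chart's only Azure secret — so the deployment now depends on a secret provisioned elsewhere without saying so; add a template comment above the volume, e.g. `{{/* azureconfig is provisioned outside this chart; the autoscaler reads /etc/azure/azure.json from it */}}`. The removed `ARM_*` environment variables, including the previously fixed `VMType` of `vmss`, are presumably expected to come from that cloud-config file, which is not shown in the diff, so confirm the generated azure.json carries the `vmType` and credential fields the autoscaler needs. The read-only mount is the right choice for a credential file. The same change is mirrored in the second copy of this template later in the diff (the one with `image: autoscalerImage`, presumably a test fixture), which needs no separate note.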


@ -1,15 +0,0 @@
{{- if eq .Values.csp "Azure" -}}
apiVersion: v1
kind: Secret
metadata:
name: cluster-autoscaler-azure
namespace: {{ .Release.Namespace }}
data:
ClientID: {{ .Values.Azure.clientID | b64enc }}
ClientSecret: {{ .Values.Azure.clientSecret | b64enc }}
ResourceGroup: {{ .Values.Azure.resourceGroup | b64enc }}
SubscriptionID: {{ .Values.Azure.subscriptionID | b64enc }}
TenantID: {{ .Values.Azure.tenantID | b64enc }}
{{/* b64encode("vmss") */}}
VMType: dm1zcw==
{{- end -}}


@ -16,60 +16,12 @@
"examples": [
"registry.k8s.io/autoscaling/cluster-autoscaler:v1.23.1"
]
},
"Azure": {
"description": "Config values required for deployment on Azure",
"type": "object",
"properties": {
"clientID": {
"description": "Client ID of the service account used to access the Azure API.",
"type": "string"
},
"clientSecret": {
"description": "Secret of the service account used to access the Azure API.",
"type": "string"
},
"resourceGroup": {
"description": "Resource group in which the cluster is running.",
"type": "string"
},
"subscriptionID": {
"description": "Subscription ID of the Azure subscription.",
"type": "string"
},
"tenantID": {
"description": "Tenant ID of the Azure subscription.",
"type": "string"
}
},
"required": [
"clientID",
"clientSecret",
"resourceGroup",
"subscriptionID",
"tenantID"
]
}
},
"required": [
"csp",
"image"
],
"if": {
"properties": {
"csp": {
"const": "Azure"
}
},
"required": [
"csp"
]
},
"then": {
"required": [
"Azure"
]
},
"title": "Values",
"type": "object"
}


@ -23,43 +23,25 @@ spec:
- name: cluster-autoscaler
image: autoscalerImage
imagePullPolicy: IfNotPresent
command:
- ./cluster-autoscaler
args:
- --cloud-provider=azure
- --cloud-config=/etc/azure/azure.json
- --logtostderr=true
- --namespace=kube-system
- --stderrthreshold=info
- --v=2
volumeMounts:
- name: azureconfig
mountPath: /etc/azure
readOnly: true
livenessProbe:
httpGet:
path: /health-check
port: 8085
ports:
- containerPort: 8085
env:
- name: ARM_SUBSCRIPTION_ID
valueFrom:
secretKeyRef:
key: SubscriptionID
name: cluster-autoscaler-azure
- name: ARM_RESOURCE_GROUP
valueFrom:
secretKeyRef:
key: ResourceGroup
name: cluster-autoscaler-azure
- name: ARM_TENANT_ID
valueFrom:
secretKeyRef:
key: TenantID
name: cluster-autoscaler-azure
- name: ARM_CLIENT_ID
valueFrom:
secretKeyRef:
key: ClientID
name: cluster-autoscaler-azure
- name: ARM_CLIENT_SECRET
valueFrom:
secretKeyRef:
key: ClientSecret
name: cluster-autoscaler-azure
- name: ARM_VM_TYPE
valueFrom:
secretKeyRef:
key: VMType
name: cluster-autoscaler-azure
resources: {}
dnsPolicy: ClusterFirst
nodeSelector:
@ -77,3 +59,7 @@ spec:
key: node.cloudprovider.kubernetes.io/uninitialized
operator: Equal
value: "true"
volumes:
- name: azureconfig
secret:
secretName: azureconfig