From d15b4d713ad9d42b0251f780e199562e63ea5d78 Mon Sep 17 00:00:00 2001
From: David Gamero
Date: Fri, 20 Oct 2023 16:46:12 -0400
Subject: [PATCH] clean up docs and dependencie
---
 docs/service-principal.md | 39 ++++++++++++++++------------
 testing/e2e/suites/basic.go | 6 ++---
 testing/e2e/suites/operatorConfig.go | 6 ++---
 3 files changed, 29 insertions(+), 22 deletions(-)
diff --git a/docs/service-principal.md b/docs/service-principal.md
index e6368b53..3decba9d 100644
--- a/docs/service-principal.md
+++ b/docs/service-principal.md
@@ -1,25 +1,32 @@ -# Service Principal Auth Support +# Service Principal Authentication Support -The app routing operator supports service-principal authentication for AKS clusters. +App routing operator supports service-principal authentication for AKS clusters. + + +> ⚠️ Warning ⚠️ +> +> Service Principals are not recommended in any environment that supports Managed Identities, as they are less secure and more difficult to manage. + +When using a Service Principal AKS Cluster, the automatically created addon identity that uses MSI is no longer available. +In this case, authentication with a provided service principal can be used instead, which requires users to provide a service principal credentials via manually creating kubernetes secrets to be read by app routing components. -When using service principal auth, the automatically created addon identity that uses MSI is no longer available. Authentication with a provided service principal is used instead which requires users to provide a service principal appId and secret as a kubernetes secret. 
## Manual Secrets The following Kubernetes secrets must be manually created when using a Service Principal configuration: ### Keyvault CSI Driver Secret -A secret is needed for the placeholder pods to access keyvault, which allows mirroring of Key Vault secrets into Kubernetes secrets +A secret is needed for the placeholder pods to access keyvault, which allows mirroring of Key Vault Secrets into Kubernetes Secrets -Service Principal secrets and permissions must be configured as specified by the [keyvault csi driver documentation](https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/configurations/identity-access-modes/service-principal-mode/#configure-service-principal-to-access-keyvault) +Service Principal secrets and permissions must be configured as specified by the [Key Vault CSI driver documentation](https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/configurations/identity-access-modes/service-principal-mode/#configure-service-principal-to-access-keyvault) -The name of the created secret must be `keyvault-service-principal`, and it should be created in the same namespaces as the ingress. +The name of the created secret must be `keyvault-service-principal`, and it must be created in the same namespaces as the ingress. The service principal used for this secret must have the following permissions: - `get` and `list` permissions on the keyvault for the secret -The final secret should look like this: +The Key Vault CSI driver secret has the following shape: ```yaml -# keyvault-secret.yaml +# keyvault-csi-driver-secret.yaml apiVersion: v1 kind: Secret metadata: 
@@ -27,15 +34,15 @@ metadata: namespace: type: Opaque data: - clientid: - clientsecret: + clientid: + clientsecret: ``` One secret must be created for each namespace that has an ingress. ### ExternalDNS Secret -A secret is needed for the external dns pods to access Azure resources, which allows external dns to create dns records in Azure DNS Zones -Only a single secret is needed per externaldns deployment, and it should be created in the same namespace as the externaldns deployments (usually `app-routing-system`) +A secret is needed for the externaldns pods to access Azure resources, which allows external dns to create dns records in Azure DNS Zones. +Only a single secret is needed per externaldns deployment, and it should be created in the same namespace as the externaldns deployments (normally `app-routing-system`) There are at most two secrets needed, one for public dns zones and one for private dns zones. @@ -43,15 +50,15 @@ The secrets are named `sp-creds-external-dns` and `sp-creds-external-dns-private Both secrets should be set up following the [externaldns documentation](https://github.com/kubernetes-sigs/external-dns/blob/0725104c9e594ef6f91c380f8bdc0e21129eae70/docs/tutorials/azure.md#service-principal) -The should each contain a single entry in their `data` field with the key `azure.json` which contains the basew64 encoded version of the following JSON schema +The should each contain a single entry in their `data` field with the key `azure.json`, containing the base64 encoded version of the following JSON object ```json // azure.json { "tenantId": "", "subscriptionId": "", - "resourceGroup": "", - "aadClientId": "", - "aadClientSecret": "" + "resourceGroup": "", + "aadClientId": "", + "aadClientSecret": "" } ``` diff --git a/testing/e2e/suites/basic.go b/testing/e2e/suites/basic.go index f751d926..cec72b91 100644 --- a/testing/e2e/suites/basic.go +++ b/testing/e2e/suites/basic.go 
@@ -95,7 +95,7 @@ var clientServerTest = func(ctx context.Context, config *rest.Config, operator m
 zones = append(zones, zone{name: z.GetName(), nameserver: z.GetNameservers()[0]})
 }
 }
- if prov.AuthType == infra.AuthTypeServicePrincipal && operator.Zones.Public != manifests.DnsZoneCountNone {
+ if prov.AuthType == clients.AKSAuthTypeServicePrincipal && operator.Zones.Public != manifests.DnsZoneCountNone {
 lgr.Info("hydrating external dns secret")
 externalDnsSecret := &corev1.Secret{
 TypeMeta: metav1.TypeMeta{
@@ -125,7 +125,7 @@ var clientServerTest = func(ctx context.Context, config *rest.Config, operator m
 zones = append(zones, zone{name: z.GetName(), nameserver: prov.Cluster.GetDnsServiceIp()})
 }
 }
- if prov.AuthType == infra.AuthTypeServicePrincipal && operator.Zones.Private != manifests.DnsZoneCountNone {
+ if prov.AuthType == clients.AKSAuthTypeServicePrincipal && operator.Zones.Private != manifests.DnsZoneCountNone {
 lgr.Info("hydrating external dns private secret")
 externalDnsSecret := &corev1.Secret{
 TypeMeta: metav1.TypeMeta{
@@ -171,7 +171,7 @@ var clientServerTest = func(ctx context.Context, config *rest.Config, operator m
 }
 // Populate Service Principal credentials if needed
- if prov.AuthType == infra.AuthTypeServicePrincipal {
+ if prov.AuthType == clients.AKSAuthTypeServicePrincipal {
 lgr.Info("creating service principal secrets")
 sp := prov.ServicePrincipal
 if err != nil {
diff --git a/testing/e2e/suites/operatorConfig.go b/testing/e2e/suites/operatorConfig.go
index 24f03354..62a39149 100644
--- a/testing/e2e/suites/operatorConfig.go
+++ b/testing/e2e/suites/operatorConfig.go
@@ -12,7 +12,7 @@ type cfgBuilder struct {
 msi string
 tenantId string
 location string
- authType infra.AuthType
+ authType clients.AKSAuthType
 }
 func builderFromInfra(infra infra.Provisioned) cfgBuilder {
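Review bot: In the `@@ -171,7 +171,7` hunk, the `if err != nil {` directly after `sp := prov.ServicePrincipal` inspects an `err` that this assignment cannot have set, so the branch is either dead or acts on whatever an earlier statement (outside the hunk) left behind, and the commit edits the line above it without addressing this. If the goal is to confirm that credentials were provisioned before the secrets are created, the condition should look at `sp` itself, for example `if sp == nil {` when ServicePrincipal is a pointer (the hunk does not show its type); otherwise the block should be removed. The comparison `prov.AuthType == clients.AKSAuthTypeServicePrincipal` now appears three times in this file and twice in operatorConfig.go, so a one-line helper on the provisioned type would keep the next type move to a single edit. clientServerTest continues outside the hunk.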
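Review bot: In the `@@ -12,7 +12,7` hunk, the context line `func builderFromInfra(infra infra.Provisioned) cfgBuilder {` names its parameter after the `infra` package, which shadows the package for the whole body (outside the hunk); after this commit the body no longer needs `infra.AuthType...`, but the shadowing still turns any future package reference there into a confusing compile error. Renaming the parameter, e.g. `func builderFromInfra(in infra.Provisioned) cfgBuilder {`, matches `withVersions(in infra.Provisioned, ...)` later in the same file. The hunk also changes the field to `authType clients.AKSAuthType` without a visible import hunk, so the `clients` import is presumably already present at the top of the file.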
@@ -67,7 +67,7 @@ func (c cfgBuilderWithOsm) withVersions(in infra.Provisioned, versions ...manife
 versions = []manifests.OperatorVersion{manifests.OperatorVersionLatest}
 }
- if in.AuthType == infra.AuthTypeServicePrincipal {
+ if in.AuthType == clients.AKSAuthTypeServicePrincipal {
 // Filter for operator versions that support service principal auth
 spVersions := []manifests.OperatorVersion{}
 for _, v := range versions {
@@ -128,7 +128,7 @@ func (c cfgBuilderWithZones) build() operatorCfgs {
 Msi: c.msi,
 Zones: zones,
 DisableOsm: !osmEnabled,
- EnableServicePrincipalAuth: c.authType == infra.AuthTypeServicePrincipal,
+ EnableServicePrincipalAuth: c.authType == clients.AKSAuthTypeServicePrincipal,
 })
 }
 }