docs: replace SERVICE_PRINCIPAL_* with APPLICATION_* and add steps for setting up OIDC URL

.pipelines/nightly.yaml

@@ -132,12 +132,12 @@ jobs:
       clean: all
     variables:
       # contains the following environment variables:
+      # - APPLICATION_CLIENT_ID
       # - AZURE_TENANT_ID
       # - KEYVAULT_NAME
       # - KEYVAULT_SECRET_NAME
       # - SERVICE_ACCOUNT_ISSUER
       # - SERVICE_ACCOUNT_KEYVAULT_NAME
-      # - SERVICE_PRINCIPAL_CLIENT_ID
       - group: e2e-environment-variables
       - name: LOCAL_ONLY
         value: "true"
@@ -157,10 +157,10 @@ jobs:
       - script: make test-e2e
         displayName: Webhook E2E test suite
         env:
+          APPLICATION_CLIENT_ID: $(APPLICATION_CLIENT_ID)
           AZURE_TENANT_ID: $(AZURE_TENANT_ID)
           KEYVAULT_NAME: $(KEYVAULT_NAME)
           KEYVAULT_SECRET_NAME: $(KEYVAULT_SECRET_NAME)
           SERVICE_ACCOUNT_ISSUER: $(SERVICE_ACCOUNT_ISSUER)
           SERVICE_ACCOUNT_KEYVAULT_NAME: $(SERVICE_ACCOUNT_KEYVAULT_NAME)
-          SERVICE_PRINCIPAL_CLIENT_ID: $(SERVICE_PRINCIPAL_CLIENT_ID)
       - template: templates/publish-logs.yaml

.pipelines/pr.yaml

@@ -56,12 +56,12 @@ jobs:
       clean: all
     variables:
       # contains the following environment variables:
+      # - APPLICATION_CLIENT_ID
       # - AZURE_TENANT_ID
       # - KEYVAULT_NAME
       # - KEYVAULT_SECRET_NAME
       # - SERVICE_ACCOUNT_ISSUER
       # - SERVICE_ACCOUNT_KEYVAULT_NAME
-      # - SERVICE_PRINCIPAL_CLIENT_ID
       - group: e2e-environment-variables
     strategy:
       matrix:
@@ -104,12 +104,12 @@ jobs:
       - script: make test-e2e
         displayName: Webhook E2E test suite
         env:
+          APPLICATION_CLIENT_ID: $(APPLICATION_CLIENT_ID)
           AZURE_TENANT_ID: $(AZURE_TENANT_ID)
           KEYVAULT_NAME: $(KEYVAULT_NAME)
           KEYVAULT_SECRET_NAME: $(KEYVAULT_SECRET_NAME)
           SERVICE_ACCOUNT_ISSUER: $(SERVICE_ACCOUNT_ISSUER)
           SERVICE_ACCOUNT_KEYVAULT_NAME: $(SERVICE_ACCOUNT_KEYVAULT_NAME)
-          SERVICE_PRINCIPAL_CLIENT_ID: $(SERVICE_PRINCIPAL_CLIENT_ID)
       - script: az group delete --name "${CLUSTER_NAME}" --yes --no-wait || true
         displayName: Cleanup
         condition: ne(variables.LOCAL_ONLY, 'true')

README.md

@@ -36,13 +36,13 @@ The repository contains the following components:
 
 [3]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
 
-[4]: https://shiny-garbanzo-db6e5930.pages.github.io/quick-start.html
+[4]: https://azure.github.io/aad-pod-managed-identity/quick-start.html
 
-[5]: https://shiny-garbanzo-db6e5930.pages.github.io/concepts.html#mutating-webhook
+[5]: https://azure.github.io/aad-pod-managed-identity/concepts.html#mutating-webhook
 
-[6]: https://shiny-garbanzo-db6e5930.pages.github.io/concepts.html#proxy-init
+[6]: https://azure.github.io/aad-pod-managed-identity/concepts.html#proxy-init
 
-[7]: https://shiny-garbanzo-db6e5930.pages.github.io/concepts.html#proxy
+[7]: https://azure.github.io/aad-pod-managed-identity/concepts.html#proxy
 
 [8]: https://azure.github.io/aad-pod-identity/docs/getting-started/role-assignment/
 

docs/book/src/concepts.md

@@ -61,9 +61,36 @@ All IMDS requests from the container are routed to this proxy server due to an e
 
 ## Trust
 
-Not all service account tokens can be exchanged for a valid AAD token. Trust between an existing service account and an AAD object (a service principal or a user-assigned identity) has to be established in advance.
+Not all service account tokens can be exchanged for a valid AAD token. Trust between an existing service account and an AAD application has to be established in advance.
 
-TODO: how to establish trust
+To establish trust, login to [Azure Cloud Shell][16] and export the following environment variables:
+
+```bash
+# Get the client and object ID of the AAD application
+export APPLICATION_CLIENT_ID="..."
+export APPLICATION_OBJECT_ID="$(az ad app show --id ${APPLICATION_CLIENT_ID} --query objectId -otsv)"
+export SERVICE_ACCOUNT_ISSUER="..."
+export SERVICE_ACCOUNT_NAMESPACE="..."
+export SERVICE_ACCOUNT_NAME="..."
+```
+
+Add the federated identity credential:
+
+```bash
+cat <<EOF > body.json
+{
+  "name": "kubernetes-federated-credential",
+  "issuer": "${SERVICE_ACCOUNT_ISSUER}",
+  "subject": "system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME}",
+  "description": "Kubernetes service account federated credential",
+  "audiences": [
+    "api://AzureADTokenExchange"
+  ]
+}
+EOF
+
+az rest --method POST --uri "https://graph.microsoft.com/beta/applications/${APPLICATION_OBJECT_ID}/federatedIdentityCredentials" --body @body.json
+```
 
 [1]: ./images/flow-diagram.png
 
@@ -94,3 +121,5 @@ TODO: how to establish trust
 [14]: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
 
 [15]: ../topics/labels-and-annotations.html#annotations
+
+[16]: https://portal.azure.com/#cloudshell/