diff --git a/.chglog/config.yml b/.chglog/config.yml index 9335be669..4096a773d 100755 --- a/.chglog/config.yml +++ b/.chglog/config.yml @@ -3,7 +3,7 @@ style: github template: CHANGELOG.tpl.md info: title: CHANGELOG - repository_url: https://github.com/Azure/aad-pod-managed-identity + repository_url: https://github.com/Azure/azure-workload-identity options: commits: filters: diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 340034345..0c66160e5 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -3,12 +3,12 @@ **Requirements** diff --git a/.pipelines/nightly.yaml b/.pipelines/nightly.yaml index e6985b232..1ca5abe5e 100644 --- a/.pipelines/nightly.yaml +++ b/.pipelines/nightly.yaml 
@@ -41,12 +41,12 @@ jobs:
 SERVICE_ACCOUNT_ISSUER: $(SERVICE_ACCOUNT_ISSUER)
 - script: |
 set -o errexit
- sed -i "s/AZURE_TENANT_ID: .*/AZURE_TENANT_ID: ${AZURE_TENANT_ID}/" manifest_staging/deploy/aad-pi-webhook.yaml
- sed -i "s/AZURE_ENVIRONMENT: .*/AZURE_ENVIRONMENT: AzurePublicCloud/" manifest_staging/deploy/aad-pi-webhook.yaml
+ sed -i "s/AZURE_TENANT_ID: .*/AZURE_TENANT_ID: ${AZURE_TENANT_ID}/" manifest_staging/deploy/azure-wi-webhook.yaml
+ sed -i "s/AZURE_ENVIRONMENT: .*/AZURE_ENVIRONMENT: AzurePublicCloud/" manifest_staging/deploy/azure-wi-webhook.yaml
 KUBECTL=$(pwd)/hack/tools/bin/kubectl
- ${KUBECTL} apply -f manifest_staging/deploy/aad-pi-webhook.yaml
- ${KUBECTL} wait --for=condition=Available --timeout=5m -n aad-pi-webhook-system deployment/aad-pi-webhook-controller-manager
- ${KUBECTL} delete -f manifest_staging/deploy/aad-pi-webhook.yaml --wait --timeout=5m
+ ${KUBECTL} apply -f manifest_staging/deploy/azure-wi-webhook.yaml
+ ${KUBECTL} wait --for=condition=Available --timeout=5m -n azure-workload-identity-system deployment/azure-wi-webhook-controller-manager
+ ${KUBECTL} delete -f manifest_staging/deploy/azure-wi-webhook.yaml --wait --timeout=5m
 displayName: Verify deployment YAML in manifest_staging/
 env:
 AZURE_TENANT_ID: $(AZURE_TENANT_ID)
@@ -63,7 +63,7 @@ jobs:
 variables:
 # we can enable actual tenant id for functional e2e
 AZURE_TENANT_ID: "fake tenant id"
- REGISTRY: upstreamk8sci.azurecr.io/aad-pod-managed-identity
+ REGISTRY: upstreamk8sci.azurecr.io/azure-workload-identity
 SOAK_CLUSTER: "true"
 GINKGO_SKIP: \[KindOnly\]
 strategy:
diff --git a/.pipelines/pr.yaml b/.pipelines/pr.yaml
index f66cde559..0d72dfa81 100644
--- a/.pipelines/pr.yaml
+++ b/.pipelines/pr.yaml
@@ -66,19 +66,19 @@ jobs:
 strategy:
 matrix:
 aks_windows_dockershim:
- REGISTRY: upstreamk8sci.azurecr.io/aad-pod-managed-identity
+ REGISTRY: upstreamk8sci.azurecr.io/azure-workload-identity
 WINDOWS_CLUSTER: "true"
 GINKGO_SKIP: \[KindOnly\]
 aks_windows_containerd:
- REGISTRY: upstreamk8sci.azurecr.io/aad-pod-managed-identity
+ REGISTRY: upstreamk8sci.azurecr.io/azure-workload-identity
 WINDOWS_CLUSTER: "true"
 WINDOWS_CONTAINERD: "true"
 GINKGO_SKIP: \[KindOnly\]
 aks_linux:
- REGISTRY: upstreamk8sci.azurecr.io/aad-pod-managed-identity
+ REGISTRY: upstreamk8sci.azurecr.io/azure-workload-identity
 GINKGO_SKIP: \[KindOnly\]
 arc:
- REGISTRY: upstreamk8sci.azurecr.io/aad-pod-managed-identity
+ REGISTRY: upstreamk8sci.azurecr.io/azure-workload-identity
 ARC_CLUSTER: "true"
 GINKGO_SKIP: \[KindOnly\]
 kind_v1_19_11:
diff --git a/.pipelines/templates/publish-images.yaml b/.pipelines/templates/publish-images.yaml
index 9fd89860d..1fce6403a 100644
--- a/.pipelines/templates/publish-images.yaml
+++ b/.pipelines/templates/publish-images.yaml
@@ -4,7 +4,7 @@ parameters:
 default: true
 - name: registry
 type: string
- default: docker.pkg.github.com/azure/aad-pod-managed-identity
+ default: docker.pkg.github.com/azure/azure-workload-identity
 - name: image_version
 type: string
 default: latest
diff --git a/.pipelines/templates/upgrade.yaml b/.pipelines/templates/upgrade.yaml
index 640722cb0..074504ba7 100644
--- a/.pipelines/templates/upgrade.yaml
+++ b/.pipelines/templates/upgrade.yaml
@@ -13,7 +13,7 @@ jobs:
 variables:
 # we can enable actual tenant id for functional e2e
 AZURE_TENANT_ID: "fake tenant id"
- REGISTRY: upstreamk8sci.azurecr.io/aad-pod-managed-identity
+ REGISTRY: upstreamk8sci.azurecr.io/azure-workload-identity
 GINKGO_SKIP: \[KindOnly\]
 strategy:
 matrix: ${{ parameters.matrix }}
diff --git a/Makefile b/Makefile
index 533b1efe6..b705bdaf5 100644
--- a/Makefile
+++ b/Makefile
@@ -1,11 +1,11 @@ -REGISTRY ?= mcr.microsoft.com/oss/azure/aad-pod-managed-identity +REGISTRY ?= mcr.microsoft.com/oss/azure/workload-identity PROXY_IMAGE_NAME := proxy INIT_IMAGE_NAME := proxy-init WEBHOOK_IMAGE_NAME := webhook IMAGE_VERSION ?= v0.3.0 ORG_PATH := github.com/Azure -PROJECT_NAME := aad-pod-managed-identity +PROJECT_NAME := azure-workload-identity BUILD_COMMIT := $(shell git rev-parse --short HEAD) REPO_PATH := "$(ORG_PATH)/$(PROJECT_NAME)" @@ -139,7 +139,7 @@ deploy: $(KUBECTL) $(KUSTOMIZE) $(ENVSUBST) $(MAKE) manifests cd config/manager && $(KUSTOMIZE) edit set image manager=$(WEBHOOK_IMAGE) $(KUSTOMIZE) build config/default | $(ENVSUBST) | $(KUBECTL) apply -f - - $(KUBECTL) wait --for=condition=Available --timeout=5m -n aad-pi-webhook-system deployment/aad-pi-webhook-controller-manager + $(KUBECTL) wait --for=condition=Available --timeout=5m -n azure-workload-identity-system deployment/azure-wi-webhook-controller-manager .PHONY: uninstall-deploy uninstall-deploy: $(KUBECTL) $(KUSTOMIZE) $(ENVSUBST) 
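Review bot: The new wait step in `deploy` hard-codes the namespace and deployment name (`-n azure-workload-identity-system deployment/azure-wi-webhook-controller-manager`), and the identical pair is repeated verbatim in `.pipelines/nightly.yaml`; a rename like this commit has to hit every copy, and a missed copy only fails at deploy time. Since the file already defines `PROJECT_NAME := azure-workload-identity` a few lines up, the names could be derived once near the top, e.g. `WEBHOOK_NAMESPACE ?= $(PROJECT_NAME)-system` and `WEBHOOK_DEPLOYMENT ?= azure-wi-webhook-controller-manager`, and the wait line written as `$(KUBECTL) wait --for=condition=Available --timeout=5m -n $(WEBHOOK_NAMESPACE) deployment/$(WEBHOOK_DEPLOYMENT)`. The `deploy` rule header sits outside the hunk.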
@@ -156,14 +156,14 @@ manifests: $(CONTROLLER_GEN) $(KUSTOMIZE) rm -rf manifest_staging mkdir -p manifest_staging/deploy - mkdir -p manifest_staging/charts/pod-identity-webhook + mkdir -p manifest_staging/charts/workload-identity-webhook - $(KUSTOMIZE) build config/default -o manifest_staging/deploy/aad-pi-webhook.yaml + $(KUSTOMIZE) build config/default -o manifest_staging/deploy/azure-wi-webhook.yaml $(KUSTOMIZE) build third_party/open-policy-agent/gatekeeper/helmify | go run third_party/open-policy-agent/gatekeeper/helmify/*.go - @sed -i -e "s/AZURE_TENANT_ID: .*/AZURE_TENANT_ID: /" manifest_staging/deploy/aad-pi-webhook.yaml - @sed -i -e "s/AZURE_ENVIRONMENT: .*/AZURE_ENVIRONMENT: /" manifest_staging/deploy/aad-pi-webhook.yaml - @sed -i -e "s/-arc-cluster=.*/-arc-cluster=false/" manifest_staging/deploy/aad-pi-webhook.yaml + @sed -i -e "s/AZURE_TENANT_ID: .*/AZURE_TENANT_ID: /" manifest_staging/deploy/azure-wi-webhook.yaml + @sed -i -e "s/AZURE_ENVIRONMENT: .*/AZURE_ENVIRONMENT: /" manifest_staging/deploy/azure-wi-webhook.yaml + @sed -i -e "s/-arc-cluster=.*/-arc-cluster=false/" manifest_staging/deploy/azure-wi-webhook.yaml # Generate code .PHONY: generate @@ -280,7 +280,7 @@ test-e2e: $(KUBECTL) $(HELM) ## Kind ## -------------------------------------- -KIND_CLUSTER_NAME ?= aad-pod-managed-identity +KIND_CLUSTER_NAME ?= azure-workload-identity .PHONY: kind-create kind-create: $(KIND) $(KUBECTL) @@ -315,7 +315,7 @@ lint: $(GOLANGCI_LINT) .PHONY: helm-lint helm-lint: $(HELM) - $(HELM) lint manifest_staging/charts/pod-identity-webhook + $(HELM) lint manifest_staging/charts/workload-identity-webhook .PHONY: lint-full lint-full: $(GOLANGCI_LINT) ## Run slower linters to detect possible issues 
@@ -343,5 +343,5 @@ release-manifest: $(KUSTOMIZE) promote-staging-manifest: #promote staging manifests to release dir @rm -rf deploy @cp -r manifest_staging/deploy . - @rm -rf charts/pod-identity-webhook + @rm -rf charts/workload-identity-webhook @cp -r manifest_staging/charts . diff --git a/PROJECT b/PROJECT index 1cda64016..68c4cafcf 100644 --- a/PROJECT +++ b/PROJECT @@ -1,3 +1,3 @@ -domain: mpod.aad-pod-identity.io -repo: github.com/Azure/aad-pod-managed-identity +domain: azure-workload-identity.io +repo: github.com/Azure/azure-workload-identity version: "2" diff --git a/charts/pod-identity-webhook/templates/aad-pi-webhook-admin-serviceaccount.yaml b/charts/pod-identity-webhook/templates/aad-pi-webhook-admin-serviceaccount.yaml index 8f9affb2f..558590b9c 100644 --- a/charts/pod-identity-webhook/templates/aad-pi-webhook-admin-serviceaccount.yaml +++ b/charts/pod-identity-webhook/templates/aad-pi-webhook-admin-serviceaccount.yaml @@ -6,5 +6,5 @@ metadata: chart: '{{ template "pod-identity-webhook.name" . }}' mpod.aad-pod-identity.io/system: "true" release: '{{ .Release.Name }}' - name: aad-pi-webhook-admin + name: azure-wi-webhook-admin namespace: '{{ .Release.Namespace }}' diff --git a/cmd/proxy/main.go b/cmd/proxy/main.go index c76089331..fc4388858 100644 --- a/cmd/proxy/main.go +++ b/cmd/proxy/main.go @@ -3,7 +3,7 @@ package main import ( "flag" - "github.com/Azure/aad-pod-managed-identity/pkg/proxy" + "github.com/Azure/azure-workload-identity/pkg/proxy" "k8s.io/klog/v2" ) diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go index 408a220bb..70ec5c8cb 100644 --- a/cmd/webhook/main.go +++ b/cmd/webhook/main.go 
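Review bot: `promote-staging-manifest` now removes only `charts/workload-identity-webhook` before copying `manifest_staging/charts`, so the pre-rename `charts/pod-identity-webhook` directory in the release tree is never cleaned up and will keep being published next to the new chart. The hunk on `charts/pod-identity-webhook/templates/aad-pi-webhook-admin-serviceaccount.yaml` further down this line shows that directory still exists and is now half-renamed: the ServiceAccount becomes `azure-wi-webhook-admin` while its `mpod.aad-pod-identity.io/system` label and `pod-identity-webhook.name` helper are untouched, and if that chart's ClusterRoleBinding (not in this diff) still names `aad-pi-webhook-admin` as its subject, a controller pod from that chart would run under a ServiceAccount holding none of the bound permissions. Either delete `charts/pod-identity-webhook` in this commit or add `@rm -rf charts/pod-identity-webhook # pre-rename chart, no longer regenerated` to this target so a release cannot ship both.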
@@ -20,23 +20,23 @@ import ( "sigs.k8s.io/controller-runtime/pkg/manager/signals" "sigs.k8s.io/controller-runtime/pkg/webhook" - "github.com/Azure/aad-pod-managed-identity/pkg/util" - "github.com/Azure/aad-pod-managed-identity/pkg/version" - wh "github.com/Azure/aad-pod-managed-identity/pkg/webhook" + "github.com/Azure/azure-workload-identity/pkg/util" + "github.com/Azure/azure-workload-identity/pkg/version" + wh "github.com/Azure/azure-workload-identity/pkg/webhook" ) var webhooks = []rotator.WebhookInfo{ { - Name: "aad-pi-webhook-mutating-webhook-configuration", + Name: "azure-wi-webhook-mutating-webhook-configuration", Type: rotator.Mutating, }, } const ( - secretName = "aad-pi-webhook-server-cert" // #nosec - serviceName = "aad-pi-webhook-webhook-service" - caName = "aad-pod-managed-identity-ca" - caOrganization = "aad-pod-managed-identity" + secretName = "azure-wi-webhook-server-cert" // #nosec + serviceName = "azure-wi-webhook-webhook-service" + caName = "azure-workload-identity-ca" + caOrganization = "azure-workload-identity" ) var ( diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index fedbf56af..cda688815 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -1,16 +1,16 @@ # Adds namespace to all resources. -namespace: aad-pi-webhook-system +namespace: azure-workload-identity-system # Value of this field is prepended to the # names of all resources, e.g. a deployment named # "wordpress" becomes "alices-wordpress". # Note that it should also match with the prefix (text before '-') of the namespace # field above. -namePrefix: aad-pi-webhook- +namePrefix: azure-wi-webhook- # Labels to add to all resources and selectors. commonLabels: - mpod.aad-pod-identity.io/system: "true" + azure-workload-identity.io/system: "true" bases: # - ../crd diff --git a/config/default/manager_webhook_patch.yaml b/config/default/manager_webhook_patch.yaml index fbd96f6fb..d748b2a4c 100644 
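Review bot: `secretName`, `serviceName` and the webhook `Name` in the const and var blocks are hand-written copies of names that kustomize builds from `namePrefix: azure-wi-webhook-` in `config/default/kustomization.yaml` and that the generated Helm chart repeats a third time; nothing ties them together, so a future rename that misses one leaves the cert rotator writing a Secret the manager Deployment does not mount. A comment on the const block would make the coupling visible: `// These names must match namePrefix in config/default/kustomization.yaml (and the generated Helm chart): the rotator populates the Secret that the manager Deployment mounts.` Renaming the cluster-scoped MutatingWebhookConfiguration also means an upgrade that applies the new manifests without removing the old release leaves `aad-pi-webhook-mutating-webhook-configuration` registered, and with `failurePolicy: Ignore` (config/webhook/manifests.yaml) its failures would be silent, so the upgrade path deserves a documented cleanup step. The import block and the trailing `var (` block continue outside the hunk.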
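Review bot: The scaffold comment kept just above `namePrefix` says the prefix should match the text before `-` in the namespace, but after this change the namespace is `azure-workload-identity-system` while the prefix is `azure-wi-webhook-`, so the comment now describes a convention the file no longer follows. Either drop that comment or replace it with the constraint that actually holds, e.g. `# namePrefix must match the resource names hard-coded in cmd/webhook/main.go and reproduced in the Helm chart.`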
--- a/config/default/manager_webhook_patch.yaml
+++ b/config/default/manager_webhook_patch.yaml
@@ -20,4 +20,4 @@ spec:
 - name: cert
 secret:
 defaultMode: 420
- secretName: aad-pi-webhook-server-cert
+ secretName: azure-wi-webhook-server-cert
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
index ed705bc04..36f0c4401 100644
--- a/config/manager/kustomization.yaml
+++ b/config/manager/kustomization.yaml
@@ -4,7 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: manager
- newName: mcr.microsoft.com/oss/azure/aad-pod-managed-identity/webhook
+ newName: mcr.microsoft.com/oss/azure/workload-identity/webhook
 newTag: v0.3.0
 configMapGenerator:
 - literals:
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index ef4beda04..8a37b75cb 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -54,6 +54,6 @@ spec:
 fieldPath: metadata.namespace
 envFrom:
 - configMapRef:
- name: aad-pi-webhook-config
+ name: azure-wi-webhook-config
 nodeSelector:
 kubernetes.io/os: linux
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 080bbe1a0..567bf3eb0 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -36,7 +36,7 @@ kind: Role
 metadata:
 creationTimestamp: null
 name: manager-role
- namespace: aad-pi-webhook-system
+ namespace: azure-workload-identity-system
 rules:
 - apiGroups:
 - ""
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
index 3f9cb1cd4..3e11c1dee 100644
--- a/config/webhook/manifests.yaml
+++ b/config/webhook/manifests.yaml
@@ -16,7 +16,7 @@ webhooks:
 path: /mutate-v1-pod
 failurePolicy: Ignore
 matchPolicy: Equivalent
- name: mpod.aad-pod-identity.io
+ name: mutation.azure-workload-identity.io
 rules:
 - apiGroups:
 - ""
diff --git a/docker/proxy.Dockerfile b/docker/proxy.Dockerfile
index cdde0d13a..5b55edd69 100644
--- a/docker/proxy.Dockerfile
+++ b/docker/proxy.Dockerfile
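Review bot: Renaming the admission webhook to `mutation.azure-workload-identity.io` changes the value the API server records in its admission audit annotations and admission-latency metrics, both of which are labelled by the webhook `name`, so any alert, dashboard or audit query keyed on `mpod.aad-pod-identity.io` stops matching silently after the upgrade. With `failurePolicy: Ignore` two lines above, a stale or failing webhook is observable only through those signals, which makes the rename worth an explicit line in the release notes and a comment beside `name:` such as `# Changing this name changes the label under which audit annotations and apiserver admission metrics report this webhook.`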
@@ -15,7 +15,7 @@ COPY cmd/proxy/main.go main.go COPY pkg/ pkg/ # Build -RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -ldflags "${LDFLAGS:--X github.com/Azure/aad-pod-managed-identity/pkg/version.BuildVersion=latest}" -o proxy main.go +RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -ldflags "${LDFLAGS:--X github.com/Azure/azure-workload-identity/pkg/version.BuildVersion=latest}" -o proxy main.go # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details diff --git a/docker/webhook.Dockerfile b/docker/webhook.Dockerfile index 2f09978e3..ad0f5a41a 100644 --- a/docker/webhook.Dockerfile +++ b/docker/webhook.Dockerfile @@ -16,7 +16,7 @@ COPY cmd/webhook/main.go main.go COPY pkg/ pkg/ # Build -RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -ldflags "${LDFLAGS:--X github.com/Azure/aad-pod-managed-identity/pkg/version.BuildVersion=latest}" -o manager main.go +RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -ldflags "${LDFLAGS:--X github.com/Azure/azure-workload-identity/pkg/version.BuildVersion=latest}" -o manager main.go # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details diff --git a/docs/book/book.toml b/docs/book/book.toml index 00ed750ff..dff961395 100644 --- a/docs/book/book.toml +++ b/docs/book/book.toml @@ -7,7 +7,7 @@ title = "AAD Pod Managed Identity" [output.html] curly-quotes = true -git-repository-url = "https://github.com/Azure/aad-pod-managed-identity" +git-repository-url = "https://github.com/Azure/azure-workload-identity" [preprocessor.toc] command = "bin/mdbook-toc" diff --git a/examples/msal-go/go.mod b/examples/msal-go/go.mod index 42ebe8d91..30150753e 100644 --- a/examples/msal-go/go.mod +++ b/examples/msal-go/go.mod 
@@ -1,4 +1,4 @@ -module github.com/Azure/aad-pod-managed-identity/example/msal-go +module github.com/Azure/azure-workload-identity/example/msal-go go 1.16 diff --git a/examples/msal-go/token_credential.go b/examples/msal-go/token_credential.go index 51de2088d..3cb2a32ac 100644 --- a/examples/msal-go/token_credential.go +++ b/examples/msal-go/token_credential.go @@ -25,7 +25,7 @@ func clientAssertionBearerAuthorizerCallback(tenantID, resource string) (*autore // AAD Pod Identity webhook will inject the following env vars // AZURE_CLIENT_ID with the clientID set in the service account annotation // AZURE_TENANT_ID with the tenantID set in the service account annotation. If not defined, then - // the tenantID provided via aad-pi-webhook-config for the webhook will be used. + // the tenantID provided via azure-wi-webhook-config for the webhook will be used. // AZURE_FEDERATED_TOKEN_FILE is the service account token path // AZURE_AUTHORITY_HOST is the AAD authority hostname clientID := os.Getenv("AZURE_CLIENT_ID") @@ -34,7 +34,7 @@ func clientAssertionBearerAuthorizerCallback(tenantID, resource string) (*autore // generate a token using the msal confidential client // this will always generate a new token request to AAD - // TODO (aramase) consider using acquire token silent (https://github.com/Azure/aad-pod-managed-identity/issues/76) + // TODO (aramase) consider using acquire token silent (https://github.com/Azure/azure-workload-identity/issues/76) // read the service account token from the filesystem signedAssertion, err := readJWTFromFS(tokenFilePath) diff --git a/examples/msal-net/akvdotnet/TokenCredential.cs b/examples/msal-net/akvdotnet/TokenCredential.cs index 68aded9df..34d52447d 100644 --- a/examples/msal-net/akvdotnet/TokenCredential.cs +++ b/examples/msal-net/akvdotnet/TokenCredential.cs 
@@ -16,7 +16,7 @@ public MyClientAssertionCredential() // AAD Pod Identity webhook will inject the following env vars // AZURE_CLIENT_ID with the clientID set in the service account annotation // AZURE_TENANT_ID with the tenantID set in the service account annotation. If not defined, then - // the tenantID provided via aad-pi-webhook-config for the webhook will be used. + // the tenantID provided via azure-wi-webhook-config for the webhook will be used. // AZURE_FEDERATED_TOKEN_FILE is the service account token path var clientID = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID"); var tokenPath = Environment.GetEnvironmentVariable("AZURE_FEDERATED_TOKEN_FILE"); diff --git a/go.mod b/go.mod index 66026b2dd..1776f968c 100644 --- a/go.mod +++ b/go.mod @@ -1,4 +1,4 @@ -module github.com/Azure/aad-pod-managed-identity +module github.com/Azure/azure-workload-identity go 1.16 diff --git a/hack/generate-jwks/go.mod b/hack/generate-jwks/go.mod index 81fe431b8..0c4c373b8 100644 --- a/hack/generate-jwks/go.mod +++ b/hack/generate-jwks/go.mod @@ -1,4 +1,4 @@ -module github.com/Azure/aad-pod-managed-identity/hack/generate-jwks +module github.com/Azure/azure-workload-identity/hack/generate-jwks go 1.16 diff --git a/manifest_staging/charts/pod-identity-webhook/Chart.yaml b/manifest_staging/charts/pod-identity-webhook/Chart.yaml deleted file mode 100644 index e80b889d0..000000000 --- a/manifest_staging/charts/pod-identity-webhook/Chart.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v2 -name: pod-identity-webhook -description: A Helm chart to install the aad-pod-managed-identity webhook -type: application -version: 0.3.0 -appVersion: v0.3.0 -home: https://github.com/Azure/aad-pod-managed-identity -sources: - - https://github.com/Azure/aad-pod-managed-identity diff --git a/manifest_staging/charts/pod-identity-webhook/README.md b/manifest_staging/charts/pod-identity-webhook/README.md deleted file mode 100644 index acb61456d..000000000 
--- a/manifest_staging/charts/pod-identity-webhook/README.md
+++ /dev/null
@@ -1,52 +0,0 @@ -# AAD Managed Pod Identity Helm Chart - -## Get Repo - -```console -helm repo add aad-pod-managed-identity https://azure.github.io/aad-pod-managed-identity/charts -helm repo update -``` - -## Install Chart - -```console -# Helm install with aad-pi-webhook-system namespace already created -helm install -n aad-pi-webhook-system [RELEASE_NAME] aad-pod-managed-identity/pod-identity-webhook - -# Helm install and create namespace -helm install -n aad-pi-webhook-system [RELEASE_NAME] aad-pod-managed-identity/pod-identity-webhook --create-namespace -``` - -_See [parameters](#parameters) below._ - -_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ - -## Upgrade Chart - -```console -helm upgrade -n aad-pi-webhook-system [RELEASE_NAME] aad-pod-managed-identity/pod-identity-webhook -``` - -## Parameters - -| Parameter | Description | Default | -| :----------------- | :------------------------------------------------------------------------ | :------------------------------------------------------------- | -| labels | The labels to add to the aad-managed-pod-identity pods | `mpod.aad-pod-identity.io/system: "true"` | -| replicaCount | The number of aad-managed-pod-identity replicas to deploy for the webhook | `1` | -| image.repository | Image repository | `mcr.microsoft.com/oss/azure/aad-pod-managed-identity/webhook` | -| image.pullPolicy | Image pullPolicy | `IfNotPresent` | -| image.release | The image release tag to use | Current release version: `v0.3.0` | -| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | -| arcCluster | Specify if it runs on Arc cluster | `false` | -| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi | -| affinity | The node affinity to use for pod scheduling | `{}` | -| tolerations | The tolerations to use for pod scheduling | `[]` | -| service.type | Service type | `ClusterIP` | -| 
service.port | Service port | `443` | -| service.targetPort | Service target port | `9443` | -| azureTenantID | [**REQUIRED**] Azure tenant ID | `` | -| azureEnvironment | Azure Environment | `AzurePublicCloud` | - -## Contributing Changes - -This Helm chart is autogenerated from the AAD Managed Pod Identity static manifest. The generator code lives under `third_party/open-policy-agent/gatekeeper/helmify`. To make modifications to this template, please edit `kustomization.yaml`, `kustomize-for-helm.yaml` and `replacements.go` under that directory and then run `make manifests`. Your changes will show up in the `manifest_staging` directory and will be promoted to the root `charts` directory the next time a aad-pod-managed-identity release is cut. diff --git a/manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-admin-serviceaccount.yaml b/manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-admin-serviceaccount.yaml deleted file mode 100644 index 8f9affb2f..000000000 --- a/manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-admin-serviceaccount.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: '{{ template "pod-identity-webhook.name" . }}' - chart: '{{ template "pod-identity-webhook.name" . }}' - mpod.aad-pod-identity.io/system: "true" - release: '{{ .Release.Name }}' - name: aad-pi-webhook-admin - namespace: '{{ .Release.Namespace }}' diff --git a/manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-manager-rolebinding-clusterrolebinding.yaml b/manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-manager-rolebinding-clusterrolebinding.yaml deleted file mode 100644 index 86c80465e..000000000 --- a/manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-manager-rolebinding-clusterrolebinding.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: '{{ template "pod-identity-webhook.name" . }}' - chart: '{{ template "pod-identity-webhook.name" . }}' - mpod.aad-pod-identity.io/system: "true" - release: '{{ .Release.Name }}' - name: aad-pi-webhook-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: aad-pi-webhook-manager-role -subjects: -- kind: ServiceAccount - name: aad-pi-webhook-admin - namespace: '{{ .Release.Namespace }}' diff --git a/manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-server-cert-secret.yaml b/manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-server-cert-secret.yaml deleted file mode 100644 index 61e9ad84d..000000000 --- a/manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-server-cert-secret.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - labels: - app: '{{ template "pod-identity-webhook.name" . }}' - chart: '{{ template "pod-identity-webhook.name" . }}' - mpod.aad-pod-identity.io/system: "true" - release: '{{ .Release.Name }}' - name: aad-pi-webhook-server-cert - namespace: '{{ .Release.Namespace }}' diff --git a/manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-webhook-service-service.yaml b/manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-webhook-service-service.yaml deleted file mode 100644 index c19019167..000000000 --- a/manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-webhook-service-service.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - app: '{{ template "pod-identity-webhook.name" . }}' - chart: '{{ template "pod-identity-webhook.name" . }}' - mpod.aad-pod-identity.io/system: "true" - release: '{{ .Release.Name }}' - name: aad-pi-webhook-webhook-service - namespace: '{{ .Release.Namespace }}' -spec: - {{- if .Values.service }} - type: {{ .Values.service.type | default "ClusterIP" }} - {{- end }} - ports: - - port: 443 - targetPort: 9443 - selector: - app: '{{ template "pod-identity-webhook.name" . }}' - chart: '{{ template "pod-identity-webhook.name" . }}' - mpod.aad-pod-identity.io/system: "true" - release: '{{ .Release.Name }}' diff --git a/manifest_staging/charts/pod-identity-webhook/.helmignore b/manifest_staging/charts/workload-identity-webhook/.helmignore similarity index 100% rename from manifest_staging/charts/pod-identity-webhook/.helmignore rename to manifest_staging/charts/workload-identity-webhook/.helmignore diff --git a/manifest_staging/charts/workload-identity-webhook/Chart.yaml b/manifest_staging/charts/workload-identity-webhook/Chart.yaml new file mode 100644 index 000000000..32ea7d2b7 --- /dev/null +++ b/manifest_staging/charts/workload-identity-webhook/Chart.yaml @@ -0,0 +1,9 @@ +apiVersion: v2 +name: workload-identity-webhook +description: A Helm chart to install the azure-workload-identity webhook +type: application +version: 0.3.0 +appVersion: v0.3.0 +home: https://github.com/Azure/azure-workload-identity +sources: + - https://github.com/Azure/azure-workload-identity diff --git a/manifest_staging/charts/workload-identity-webhook/README.md b/manifest_staging/charts/workload-identity-webhook/README.md new file mode 100644 index 000000000..d0abf3292 --- /dev/null +++ b/manifest_staging/charts/workload-identity-webhook/README.md 
@@ -0,0 +1,52 @@ +# AAD Managed Pod Identity Helm Chart + +## Get Repo + +```console +helm repo add azure-workload-identity https://azure.github.io/azure-workload-identity/charts +helm repo update +``` + +## Install Chart + +```console +# Helm install with azure-workload-identity-system namespace already created +helm install -n azure-workload-identity-system [RELEASE_NAME] azure-workload-identity/workload-identity-webhook + +# Helm install and create namespace +helm install -n azure-workload-identity-system [RELEASE_NAME] azure-workload-identity/workload-identity-webhook --create-namespace +``` + +_See [parameters](#parameters) below._ + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +## Upgrade Chart + +```console +helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-identity/workload-identity-webhook +``` + +## Parameters + +| Parameter | Description | Default | +| :----------------- | :----------------------------------------------------------------------- | :------------------------------------------------------ | +| labels | The labels to add to the azure-workload-identity webhook pods | `azure-workload-identity.io/system: "true"` | +| replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `1` | +| image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` | +| image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| image.release | The image release tag to use | Current release version: `v0.3.0` | +| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | +| arcCluster | Specify if it runs on Arc cluster | `false` | +| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi | +| affinity | The node affinity to use for pod scheduling | `{}` | +| tolerations | The tolerations to use for pod scheduling | `[]` | +| service.type | 
Service type | `ClusterIP` | +| service.port | Service port | `443` | +| service.targetPort | Service target port | `9443` | +| azureTenantID | [**REQUIRED**] Azure tenant ID | `` | +| azureEnvironment | Azure Environment | `AzurePublicCloud` | + +## Contributing Changes + +This Helm chart is autogenerated from the AAD Managed Pod Identity static manifest. The generator code lives under `third_party/open-policy-agent/gatekeeper/helmify`. To make modifications to this template, please edit `kustomization.yaml`, `kustomize-for-helm.yaml` and `replacements.go` under that directory and then run `make manifests`. Your changes will show up in the `manifest_staging` directory and will be promoted to the root `charts` directory the next time an azure-workload-identity release is cut. diff --git a/manifest_staging/charts/pod-identity-webhook/templates/_helpers.tpl b/manifest_staging/charts/workload-identity-webhook/templates/_helpers.tpl similarity index 72% rename from manifest_staging/charts/pod-identity-webhook/templates/_helpers.tpl rename to manifest_staging/charts/workload-identity-webhook/templates/_helpers.tpl index 09ae354f6..a4c499903 100644 --- a/manifest_staging/charts/pod-identity-webhook/templates/_helpers.tpl +++ b/manifest_staging/charts/workload-identity-webhook/templates/_helpers.tpl @@ -1,7 +1,7 @@ {{/* Expand the name of the chart. */}} -{{- define "pod-identity-webhook.name" -}} +{{- define "workload-identity-webhook.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} @@ -10,7 +10,7 @@ Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). If release name contains chart name it will be used as a full name. */}} -{{- define "pod-identity-webhook.fullname" -}} +{{- define "workload-identity-webhook.fullname" -}} {{- if .Values.fullnameOverride }} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} {{- else }} 
@@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name. {{/* Create chart name and version as used by the chart label. */}} -{{- define "pod-identity-webhook.chart" -}} +{{- define "workload-identity-webhook.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Common labels */}} -{{- define "pod-identity-webhook.labels" -}} -helm.sh/chart: {{ include "pod-identity-webhook.chart" . }} -{{ include "pod-identity-webhook.selectorLabels" . }} +{{- define "workload-identity-webhook.labels" -}} +helm.sh/chart: {{ include "workload-identity-webhook.chart" . }} +{{ include "workload-identity-webhook.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} @@ -45,7 +45,7 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{/* Selector labels */}} -{{- define "pod-identity-webhook.selectorLabels" -}} -app.kubernetes.io/name: {{ include "pod-identity-webhook.name" . }} +{{- define "workload-identity-webhook.selectorLabels" -}} +app.kubernetes.io/name: {{ include "workload-identity-webhook.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} diff --git a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-admin-serviceaccount.yaml b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-admin-serviceaccount.yaml new file mode 100644 index 000000000..25c2aa589 --- /dev/null +++ b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-admin-serviceaccount.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: '{{ template "workload-identity-webhook.name" . }}' + azure-workload-identity.io/system: "true" + chart: '{{ template "workload-identity-webhook.name" . }}' + release: '{{ .Release.Name }}' + name: azure-wi-webhook-admin + namespace: '{{ .Release.Namespace }}' 
diff --git a/manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-config-configmap.yaml b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-config-configmap.yaml similarity index 61% rename from manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-config-configmap.yaml rename to manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-config-configmap.yaml index ade0dd41b..f4d7754c6 100644 --- a/manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-config-configmap.yaml +++ b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-config-configmap.yaml @@ -5,9 +5,9 @@ data: kind: ConfigMap metadata: labels: - app: '{{ template "pod-identity-webhook.name" . }}' - chart: '{{ template "pod-identity-webhook.name" . }}' - mpod.aad-pod-identity.io/system: "true" + app: '{{ template "workload-identity-webhook.name" . }}' + azure-workload-identity.io/system: "true" + chart: '{{ template "workload-identity-webhook.name" . }}' release: '{{ .Release.Name }}' - name: aad-pi-webhook-config + name: azure-wi-webhook-config namespace: '{{ .Release.Namespace }}' diff --git a/manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-controller-manager-deployment.yaml b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml similarity index 67% rename from manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-controller-manager-deployment.yaml rename to manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml index 65b7cf5f8..e51b7701d 100644 --- a/manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-controller-manager-deployment.yaml +++ b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml 
@@ -2,26 +2,26 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - app: '{{ template "pod-identity-webhook.name" . }}' - chart: '{{ template "pod-identity-webhook.name" . }}' - mpod.aad-pod-identity.io/system: "true" + app: '{{ template "workload-identity-webhook.name" . }}' + azure-workload-identity.io/system: "true" + chart: '{{ template "workload-identity-webhook.name" . }}' release: '{{ .Release.Name }}' - name: aad-pi-webhook-controller-manager + name: azure-wi-webhook-controller-manager namespace: '{{ .Release.Namespace }}' spec: replicas: {{ .Values.replicaCount }} selector: matchLabels: - app: '{{ template "pod-identity-webhook.name" . }}' - chart: '{{ template "pod-identity-webhook.name" . }}' - mpod.aad-pod-identity.io/system: "true" + app: '{{ template "workload-identity-webhook.name" . }}' + azure-workload-identity.io/system: "true" + chart: '{{ template "workload-identity-webhook.name" . }}' release: '{{ .Release.Name }}' template: metadata: labels: - app: '{{ template "pod-identity-webhook.name" . }}' - chart: '{{ template "pod-identity-webhook.name" . }}' - mpod.aad-pod-identity.io/system: "true" + app: '{{ template "workload-identity-webhook.name" . }}' + azure-workload-identity.io/system: "true" + chart: '{{ template "workload-identity-webhook.name" . }}' release: '{{ .Release.Name }}' spec: containers: @@ -37,7 +37,7 @@ spec: fieldPath: metadata.namespace envFrom: - configMapRef: - name: aad-pi-webhook-config + name: azure-wi-webhook-config image: '{{ .Values.image.repository }}:{{ .Values.image.release }}' imagePullPolicy: '{{ .Values.image.pullPolicy }}' livenessProbe: @@ -64,9 +64,9 @@ spec: readOnly: true nodeSelector: {{- toYaml .Values.nodeSelector | nindent 8 }} - serviceAccountName: aad-pi-webhook-admin + serviceAccountName: azure-wi-webhook-admin volumes: - name: cert secret: defaultMode: 420 - secretName: aad-pi-webhook-server-cert + secretName: azure-wi-webhook-server-cert 
diff --git a/manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-manager-role-clusterrole.yaml b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-manager-role-clusterrole.yaml similarity index 67% rename from manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-manager-role-clusterrole.yaml rename to manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-manager-role-clusterrole.yaml index bc3ba7d73..ecc7ab98f 100644 --- a/manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-manager-role-clusterrole.yaml +++ b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-manager-role-clusterrole.yaml @@ -3,11 +3,11 @@ kind: ClusterRole metadata: creationTimestamp: null labels: - app: '{{ template "pod-identity-webhook.name" . }}' - chart: '{{ template "pod-identity-webhook.name" . }}' - mpod.aad-pod-identity.io/system: "true" + app: '{{ template "workload-identity-webhook.name" . }}' + azure-workload-identity.io/system: "true" + chart: '{{ template "workload-identity-webhook.name" . }}' release: '{{ .Release.Name }}' - name: aad-pi-webhook-manager-role + name: azure-wi-webhook-manager-role rules: - apiGroups: - "" diff --git a/manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-manager-role-role.yaml b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-manager-role-role.yaml similarity index 59% rename from manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-manager-role-role.yaml rename to manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-manager-role-role.yaml index 661e4406c..39a32733b 100644 --- a/manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-manager-role-role.yaml +++ b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-manager-role-role.yaml 
@@ -3,11 +3,11 @@ kind: Role metadata: creationTimestamp: null labels: - app: '{{ template "pod-identity-webhook.name" . }}' - chart: '{{ template "pod-identity-webhook.name" . }}' - mpod.aad-pod-identity.io/system: "true" + app: '{{ template "workload-identity-webhook.name" . }}' + azure-workload-identity.io/system: "true" + chart: '{{ template "workload-identity-webhook.name" . }}' release: '{{ .Release.Name }}' - name: aad-pi-webhook-manager-role + name: azure-wi-webhook-manager-role namespace: '{{ .Release.Namespace }}' rules: - apiGroups: diff --git a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-manager-rolebinding-clusterrolebinding.yaml b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-manager-rolebinding-clusterrolebinding.yaml new file mode 100644 index 000000000..0670323be --- /dev/null +++ b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-manager-rolebinding-clusterrolebinding.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: '{{ template "workload-identity-webhook.name" . }}' + azure-workload-identity.io/system: "true" + chart: '{{ template "workload-identity-webhook.name" . }}' + release: '{{ .Release.Name }}' + name: azure-wi-webhook-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: azure-wi-webhook-manager-role +subjects: +- kind: ServiceAccount + name: azure-wi-webhook-admin + namespace: '{{ .Release.Namespace }}' 
diff --git a/manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-manager-rolebinding-rolebinding.yaml b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-manager-rolebinding-rolebinding.yaml similarity index 50% rename from manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-manager-rolebinding-rolebinding.yaml rename to manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-manager-rolebinding-rolebinding.yaml index faeaebe8e..26b283ff3 100644 --- a/manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-manager-rolebinding-rolebinding.yaml +++ b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-manager-rolebinding-rolebinding.yaml @@ -2,17 +2,17 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - app: '{{ template "pod-identity-webhook.name" . }}' - chart: '{{ template "pod-identity-webhook.name" . }}' - mpod.aad-pod-identity.io/system: "true" + app: '{{ template "workload-identity-webhook.name" . }}' + azure-workload-identity.io/system: "true" + chart: '{{ template "workload-identity-webhook.name" . }}' release: '{{ .Release.Name }}' - name: aad-pi-webhook-manager-rolebinding + name: azure-wi-webhook-manager-rolebinding namespace: '{{ .Release.Namespace }}' roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: aad-pi-webhook-manager-role + name: azure-wi-webhook-manager-role subjects: - kind: ServiceAccount - name: aad-pi-webhook-admin + name: azure-wi-webhook-admin namespace: '{{ .Release.Namespace }}' 
diff --git a/manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml similarity index 61% rename from manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml rename to manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml index 96498d4a8..759365e80 100644 --- a/manifest_staging/charts/pod-identity-webhook/templates/aad-pi-webhook-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml +++ b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml @@ -3,23 +3,23 @@ kind: MutatingWebhookConfiguration metadata: creationTimestamp: null labels: - app: '{{ template "pod-identity-webhook.name" . }}' - chart: '{{ template "pod-identity-webhook.name" . }}' - mpod.aad-pod-identity.io/system: "true" + app: '{{ template "workload-identity-webhook.name" . }}' + azure-workload-identity.io/system: "true" + chart: '{{ template "workload-identity-webhook.name" . }}' release: '{{ .Release.Name }}' - name: aad-pi-webhook-mutating-webhook-configuration + name: azure-wi-webhook-mutating-webhook-configuration webhooks: - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: - name: aad-pi-webhook-webhook-service + name: azure-wi-webhook-webhook-service namespace: '{{ .Release.Namespace }}' path: /mutate-v1-pod failurePolicy: Ignore matchPolicy: Equivalent - name: mpod.aad-pod-identity.io + name: mutation.azure-workload-identity.io rules: - apiGroups: - "" 
diff --git a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-server-cert-secret.yaml b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-server-cert-secret.yaml new file mode 100644 index 000000000..06edf8750 --- /dev/null +++ b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-server-cert-secret.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Secret +metadata: + labels: + app: '{{ template "workload-identity-webhook.name" . }}' + azure-workload-identity.io/system: "true" + chart: '{{ template "workload-identity-webhook.name" . }}' + release: '{{ .Release.Name }}' + name: azure-wi-webhook-server-cert + namespace: '{{ .Release.Namespace }}' diff --git a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-webhook-service-service.yaml b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-webhook-service-service.yaml new file mode 100644 index 000000000..3c3014444 --- /dev/null +++ b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-webhook-service-service.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: '{{ template "workload-identity-webhook.name" . }}' + azure-workload-identity.io/system: "true" + chart: '{{ template "workload-identity-webhook.name" . }}' + release: '{{ .Release.Name }}' + name: azure-wi-webhook-webhook-service + namespace: '{{ .Release.Namespace }}' +spec: + {{- if .Values.service }} + type: {{ .Values.service.type | default "ClusterIP" }} + {{- end }} + ports: + - port: 443 + targetPort: 9443 + selector: + app: '{{ template "workload-identity-webhook.name" . }}' + azure-workload-identity.io/system: "true" + chart: '{{ template "workload-identity-webhook.name" . }}' + release: '{{ .Release.Name }}' 
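Review bot: `type: {{ .Values.service.type | default "ClusterIP" }}` in the new Service template lets a chart user expose the admission webhook as NodePort or LoadBalancer, yet the only legitimate caller of `/mutate-v1-pod` is the kube-apiserver inside the cluster, so any value other than ClusterIP widens exposure of the TLS endpoint on 9443 without enabling anything. If the override is kept only because the template is generated from the gatekeeper helmify input (`HELMSUBST_SERVICE_TYPE` in the kustomize-for-helm.yaml hunk), record that in values.yaml with `# service.type should stay ClusterIP; the webhook is only called by the kube-apiserver` so nobody treats it as a supported knob. The four-label selector here is tighter than the single-label selector in the static deploy manifest; keep it that way when the chart is regenerated.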
diff --git a/manifest_staging/charts/pod-identity-webhook/values.yaml b/manifest_staging/charts/workload-identity-webhook/values.yaml similarity index 76% rename from manifest_staging/charts/pod-identity-webhook/values.yaml rename to manifest_staging/charts/workload-identity-webhook/values.yaml index a81681b18..d4d40b734 100644 --- a/manifest_staging/charts/pod-identity-webhook/values.yaml +++ b/manifest_staging/charts/workload-identity-webhook/values.yaml @@ -1,12 +1,12 @@ -# Default values for pod-identity-webhook. +# Default values for workload-identity-webhook. # This is a YAML-formatted file. # Declare variables to be passed into your templates. labels: - mpod.aad-pod-identity.io/system: "true" + azure-workload-identity.io/system: "true" replicaCount: 1 image: - repository: mcr.microsoft.com/oss/azure/aad-pod-managed-identity/webhook + repository: mcr.microsoft.com/oss/azure/workload-identity/webhook pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. release: v0.3.0 diff --git a/manifest_staging/deploy/aad-pi-webhook.yaml b/manifest_staging/deploy/azure-wi-webhook.yaml similarity index 61% rename from manifest_staging/deploy/aad-pi-webhook.yaml rename to manifest_staging/deploy/azure-wi-webhook.yaml index 52df6449a..fc022b365 100644 --- a/manifest_staging/deploy/aad-pi-webhook.yaml +++ b/manifest_staging/deploy/azure-wi-webhook.yaml 
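Review bot: `repository` moves to `mcr.microsoft.com/oss/azure/workload-identity/webhook` while `release: v0.3.0` is unchanged, so a default `helm install` pulls a tag that only exists if the v0.3.0 image was republished under the new MCR path; the ci-e2e.sh hunk in this same change says the rename completes with v0.4.0, which suggests it was not. Either keep the old repository until a tag exists under the new path, or bump `release` together with it, and do the same in `manifest_staging/deploy/azure-wi-webhook.yaml` and the e2e proxy image defaults, which pair the new path with `v0.3.0` as well. Because `image.release` is a mutable tag under a freshly created repository, a comment such as `# image.release must be a tag published under image.repository; prefer a digest for production installs` above it would help operators notice a substitution.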
@@ -2,25 +2,25 @@ apiVersion: v1 kind: Namespace metadata: labels: - mpod.aad-pod-identity.io/system: "true" - name: aad-pi-webhook-system + azure-workload-identity.io/system: "true" + name: azure-workload-identity-system --- apiVersion: v1 kind: ServiceAccount metadata: labels: - mpod.aad-pod-identity.io/system: "true" - name: aad-pi-webhook-admin - namespace: aad-pi-webhook-system + azure-workload-identity.io/system: "true" + name: azure-wi-webhook-admin + namespace: azure-workload-identity-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: creationTimestamp: null labels: - mpod.aad-pod-identity.io/system: "true" - name: aad-pi-webhook-manager-role - namespace: aad-pi-webhook-system + azure-workload-identity.io/system: "true" + name: azure-wi-webhook-manager-role + namespace: azure-workload-identity-system rules: - apiGroups: - "" @@ -40,8 +40,8 @@ kind: ClusterRole metadata: creationTimestamp: null labels: - mpod.aad-pod-identity.io/system: "true" - name: aad-pi-webhook-manager-role + azure-workload-identity.io/system: "true" + name: azure-wi-webhook-manager-role rules: - apiGroups: - "" 
@@ -71,32 +71,32 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - mpod.aad-pod-identity.io/system: "true" - name: aad-pi-webhook-manager-rolebinding - namespace: aad-pi-webhook-system + azure-workload-identity.io/system: "true" + name: azure-wi-webhook-manager-rolebinding + namespace: azure-workload-identity-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: aad-pi-webhook-manager-role + name: azure-wi-webhook-manager-role subjects: - kind: ServiceAccount - name: aad-pi-webhook-admin - namespace: aad-pi-webhook-system + name: azure-wi-webhook-admin + namespace: azure-workload-identity-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: - mpod.aad-pod-identity.io/system: "true" - name: aad-pi-webhook-manager-rolebinding + azure-workload-identity.io/system: "true" + name: azure-wi-webhook-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: aad-pi-webhook-manager-role + name: azure-wi-webhook-manager-role subjects: - kind: ServiceAccount - name: aad-pi-webhook-admin - namespace: aad-pi-webhook-system + name: azure-wi-webhook-admin + namespace: azure-workload-identity-system --- apiVersion: v1 data: 
@@ -105,48 +105,48 @@ data: kind: ConfigMap metadata: labels: - mpod.aad-pod-identity.io/system: "true" - name: aad-pi-webhook-config - namespace: aad-pi-webhook-system + azure-workload-identity.io/system: "true" + name: azure-wi-webhook-config + namespace: azure-workload-identity-system --- apiVersion: v1 kind: Secret metadata: labels: - mpod.aad-pod-identity.io/system: "true" - name: aad-pi-webhook-server-cert - namespace: aad-pi-webhook-system + azure-workload-identity.io/system: "true" + name: azure-wi-webhook-server-cert + namespace: azure-workload-identity-system --- apiVersion: v1 kind: Service metadata: labels: - mpod.aad-pod-identity.io/system: "true" - name: aad-pi-webhook-webhook-service - namespace: aad-pi-webhook-system + azure-workload-identity.io/system: "true" + name: azure-wi-webhook-webhook-service + namespace: azure-workload-identity-system spec: ports: - port: 443 targetPort: 9443 selector: - mpod.aad-pod-identity.io/system: "true" + azure-workload-identity.io/system: "true" --- apiVersion: apps/v1 kind: Deployment metadata: labels: - mpod.aad-pod-identity.io/system: "true" - name: aad-pi-webhook-controller-manager - namespace: aad-pi-webhook-system + azure-workload-identity.io/system: "true" + name: azure-wi-webhook-controller-manager + namespace: azure-workload-identity-system spec: replicas: 1 selector: matchLabels: - mpod.aad-pod-identity.io/system: "true" + azure-workload-identity.io/system: "true" template: metadata: labels: - mpod.aad-pod-identity.io/system: "true" + azure-workload-identity.io/system: "true" spec: containers: - args: @@ -161,8 +161,8 @@ spec: fieldPath: metadata.namespace envFrom: - configMapRef: - name: aad-pi-webhook-config - image: mcr.microsoft.com/oss/azure/aad-pod-managed-identity/webhook:v0.3.0 + name: azure-wi-webhook-config + image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v0.3.0 imagePullPolicy: IfNotPresent livenessProbe: httpGet: 
@@ -193,32 +193,32 @@ spec: readOnly: true nodeSelector: kubernetes.io/os: linux - serviceAccountName: aad-pi-webhook-admin + serviceAccountName: azure-wi-webhook-admin volumes: - name: cert secret: defaultMode: 420 - secretName: aad-pi-webhook-server-cert + secretName: azure-wi-webhook-server-cert --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: creationTimestamp: null labels: - mpod.aad-pod-identity.io/system: "true" - name: aad-pi-webhook-mutating-webhook-configuration + azure-workload-identity.io/system: "true" + name: azure-wi-webhook-mutating-webhook-configuration webhooks: - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: - name: aad-pi-webhook-webhook-service - namespace: aad-pi-webhook-system + name: azure-wi-webhook-webhook-service + namespace: azure-workload-identity-system path: /mutate-v1-pod failurePolicy: Ignore matchPolicy: Equivalent - name: mpod.aad-pod-identity.io + name: mutation.azure-workload-identity.io rules: - apiGroups: - "" diff --git a/pkg/proxy/proxy.go b/pkg/proxy/proxy.go index e4180d895..f85240a98 100644 --- a/pkg/proxy/proxy.go +++ b/pkg/proxy/proxy.go @@ -11,8 +11,8 @@ import ( "strings" "time" - "github.com/Azure/aad-pod-managed-identity/pkg/version" - "github.com/Azure/aad-pod-managed-identity/pkg/webhook" + "github.com/Azure/azure-workload-identity/pkg/version" + "github.com/Azure/azure-workload-identity/pkg/webhook" "github.com/Azure/go-autorest/autorest/adal" "github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential" diff --git a/pkg/proxy/proxy_test.go b/pkg/proxy/proxy_test.go index c7233a21f..8b31e0b26 100644 --- a/pkg/proxy/proxy_test.go +++ b/pkg/proxy/proxy_test.go @@ -11,7 +11,7 @@ import ( "testing" "time" - "github.com/Azure/aad-pod-managed-identity/pkg/webhook" + "github.com/Azure/azure-workload-identity/pkg/webhook" "github.com/gorilla/mux" ) diff --git a/pkg/util/pod_info.go b/pkg/util/pod_info.go index 5f593f48d..64f537f26 100644 
--- a/pkg/util/pod_info.go
+++ b/pkg/util/pod_info.go
@@ -2,11 +2,11 @@ package util
 import "os"
-// GetNamespace returns the namespace for aad-pi-webhook
+// GetNamespace returns the namespace for azure-wi-webhook
 func GetNamespace() string {
 ns, found := os.LookupEnv("POD_NAMESPACE")
 if !found {
- return "aad-pi-webhook-system"
+ return "azure-workload-identity-system"
 }
 return ns
 }
diff --git a/pkg/util/pod_info_test.go b/pkg/util/pod_info_test.go
index d07d966e1..3a305bd9d 100644
--- a/pkg/util/pod_info_test.go
+++ b/pkg/util/pod_info_test.go
@@ -14,7 +14,7 @@ func TestGetNamespace(t *testing.T) {
 {
 name: "default webhook namespace",
 podNamespace: "",
- want: "aad-pi-webhook-system",
+ want: "azure-workload-identity-system",
 },
 {
 name: "namespace set",
diff --git a/pkg/version/version.go b/pkg/version/version.go
index ed73cd40f..45fff46ab 100644
--- a/pkg/version/version.go
+++ b/pkg/version/version.go
@@ -10,11 +10,11 @@ var (
 Vcs string
 // BuildTime is the date for the binary build
 BuildTime string
- // BuildVersion is the aad-pod-managed-identity version. Will be overwritten from build.
+ // BuildVersion is the azure-workload-identity version. Will be overwritten from build.
 BuildVersion string
 )
-// GetUserAgent returns a user agent of the format: aad-pod-managed-identity/ (/) /
+// GetUserAgent returns a user agent of the format: azure-workload-identity/ (/) /
 func GetUserAgent(component string) string {
- return fmt.Sprintf("aad-pod-managed-identity/%s/%s (%s/%s) %s/%s", component, BuildVersion, runtime.GOOS, runtime.GOARCH, Vcs, BuildTime)
+ return fmt.Sprintf("azure-workload-identity/%s/%s (%s/%s) %s/%s", component, BuildVersion, runtime.GOOS, runtime.GOARCH, Vcs, BuildTime)
 }
diff --git a/pkg/version/version_test.go b/pkg/version/version_test.go
index 1829e57bf..5e2b549b9 100644
@@ -12,7 +12,7 @@ func TestGetUserAgent(t *testing.T) {
 BuildVersion = "version"
 Vcs = "hash"
- expected := fmt.Sprintf("aad-pod-managed-identity/webhook/%s (%s/%s) %s/%s", BuildVersion, runtime.GOOS, runtime.GOARCH, Vcs, BuildTime)
+ expected := fmt.Sprintf("azure-workload-identity/webhook/%s (%s/%s) %s/%s", BuildVersion, runtime.GOOS, runtime.GOARCH, Vcs, BuildTime)
 actual := GetUserAgent("webhook")
 if !strings.EqualFold(expected, actual) {
 t.Fatalf("expected: %s, got: %s", expected, actual)
diff --git a/pkg/webhook/consts.go b/pkg/webhook/consts.go
index f80d5bdeb..2f8cb4f20 100644
--- a/pkg/webhook/consts.go
+++ b/pkg/webhook/consts.go
@@ -2,19 +2,19 @@ package webhook
 // Annotations and labels defined in service account
 const (
- // UsePodIdentityLabel represents the service account is to be used for pod identity
- UsePodIdentityLabel = "azure.pod.identity/use"
+ // UsePodIdentityLabel represents the service account is to be used for workload identity
+ UsePodIdentityLabel = "azure.workload.identity/use"
 // ClientIDAnnotation represents the clientID to be used with pod
- ClientIDAnnotation = "azure.pod.identity/client-id"
+ ClientIDAnnotation = "azure.workload.identity/client-id"
 // TenantIDAnnotation represent the tenantID to be used with pod
- TenantIDAnnotation = "azure.pod.identity/tenant-id"
+ TenantIDAnnotation = "azure.workload.identity/tenant-id"
 // ServiceAccountTokenExpiryAnnotation represents the expirationSeconds for projected service account token
 // [OPTIONAL] field. User might want to configure this to prevent any downtime caused by errors during service account token refresh.
 // Kubernetes service account token expiry will not be correlated with AAD tokens. AAD tokens expiry will be 24h.
- ServiceAccountTokenExpiryAnnotation = "azure.pod.identity/service-account-token-expiration" // #nosec
+ ServiceAccountTokenExpiryAnnotation = "azure.workload.identity/service-account-token-expiration" // #nosec
 // SkipContainersAnnotation represents list of containers to skip adding projected service account token volume.
- // By default, the projected service account token volume will be added to all containers if the service account is labeled with `azure.pod.identity/use: true`
- SkipContainersAnnotation = "azure.pod.identity/skip-containers"
+ // By default, the projected service account token volume will be added to all containers if the service account is labeled with `azure.workload.identity/use: true`
+ SkipContainersAnnotation = "azure.workload.identity/skip-containers"
 // DefaultServiceAccountTokenExpiration is the default service account token expiration in seconds
 DefaultServiceAccountTokenExpiration = int64(86400)
diff --git a/pkg/webhook/webhook.go b/pkg/webhook/webhook.go
index 6db6be57f..d400ba983 100644
--- a/pkg/webhook/webhook.go
+++ b/pkg/webhook/webhook.go
@@ -9,7 +9,7 @@ import (
 "strconv"
 "strings"
- "github.com/Azure/aad-pod-managed-identity/pkg/config"
+ "github.com/Azure/azure-workload-identity/pkg/config"
 "github.com/Azure/go-autorest/autorest/azure"
 "github.com/pkg/errors"
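Review bot: Changing the value of `UsePodIdentityLabel` to `azure.workload.identity/use` means a ServiceAccount that still carries `azure.pod.identity/use: "true"` from an earlier release silently stops being mutated, and because the MutatingWebhookConfiguration in this same change keeps `failurePolicy: Ignore`, such pods are admitted without the projected token volume instead of failing loudly. If a transition release is intended, keep the old key as `// Deprecated: superseded by UsePodIdentityLabel; remove after the rename ships.` / `UsePodIdentityLabelLegacy = "azure.pod.identity/use"` and have the label check (which lives outside this hunk) accept either; otherwise document the break on the constant with `// NOTE: azure.pod.identity/* keys from earlier releases are no longer recognized; relabel service accounts before upgrading.` The identifiers (`UsePodIdentityLabel`) and the `ClientIDAnnotation`/`TenantIDAnnotation` comments still say "pod" while the values now say workload identity; aligning them is optional but avoids confusion for the next reader.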
@@ -21,11 +21,11 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
-// +kubebuilder:webhook:path=/mutate-v1-pod,mutating=true,failurePolicy=ignore,groups="",resources=pods,verbs=create;update,versions=v1,name=mpod.aad-pod-identity.io,sideEffects=None,admissionReviewVersions=v1;v1beta1,matchPolicy=Equivalent
+// +kubebuilder:webhook:path=/mutate-v1-pod,mutating=true,failurePolicy=ignore,groups="",resources=pods,verbs=create;update,versions=v1,name=mutation.azure-workload-identity.io,sideEffects=None,admissionReviewVersions=v1;v1beta1,matchPolicy=Equivalent
 // +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch
 // this is required for the webhook server certs generated and rotated as part of cert-controller rotator
-// +kubebuilder:rbac:groups="",namespace=aad-pi-webhook-system,resources=secrets,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups="",namespace=azure-workload-identity-system,resources=secrets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=mutatingwebhookconfigurations,verbs=get;list;watch;create;update;patch;delete
 // podMutator mutates pod objects to add project service account token volume
diff --git a/pkg/webhook/webhook_test.go b/pkg/webhook/webhook_test.go
index ff74f5e3a..d61053908 100644
--- a/pkg/webhook/webhook_test.go
+++ b/pkg/webhook/webhook_test.go
@@ -14,7 +14,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/client/fake"
 atypes "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
- "github.com/Azure/aad-pod-managed-identity/pkg/config"
+ "github.com/Azure/azure-workload-identity/pkg/config"
 )
 var (
@@ -38,7 +38,7 @@ func TestIsServiceAccountAnnotated(t *testing.T) {
 expected: false,
 },
 {
- name: "service account is annotated with azure.pod.identity/use=true",
+ name: "service account is annotated with azure.workload.identity/use=true",
 sa: &corev1.ServiceAccount{
 ObjectMeta: metav1.ObjectMeta{
 Name: "sa",
diff --git a/scripts/ci-e2e.sh b/scripts/ci-e2e.sh
index 973e841ae..bac681dfc 100755
--- a/scripts/ci-e2e.sh
+++ b/scripts/ci-e2e.sh
@@ -98,24 +98,27 @@ main() {
 test_helm_chart() {
 readonly HELM="${REPO_ROOT}/hack/tools/bin/helm"
- ${KUBECTL} create namespace aad-pi-webhook-system
+ ${KUBECTL} create namespace azure-workload-identity-system
 # test helm upgrade from chart to manifest_staging/chart
- ${HELM} install pod-identity-webhook "${REPO_ROOT}/charts/pod-identity-webhook" \
- --set azureTenantID="${AZURE_TENANT_ID}" \
- --namespace aad-pi-webhook-system \
- --wait
- poll_webhook_readiness
+ # TODO (aramase) reenable upgrade tests after v0.4.0 release once rename azure-workload-identity is complete
+
+ # ${HELM} install workload-identity-webhook "${REPO_ROOT}/charts/workload-identity-webhook" \
+ # --set azureTenantID="${AZURE_TENANT_ID}" \
+ # --namespace azure-workload-identity-system \
+ # --wait
+ # poll_webhook_readiness
+ # TODO (aramase) remove token exchange and proxy from GINKGO_SKIP after v0.4.0 release is published
 # Skipping TokenExchange test for the current release as we're using the latest msal-go image
 # which is updated to use AZURE_FEDERATED_TOKEN_FILE for token path.
- GINKGO_SKIP=TokenExchange\|Proxy make test-e2e-run
+ # GINKGO_SKIP=TokenExchange\|Proxy make test-e2e-run
- ${HELM} upgrade --install pod-identity-webhook "${REPO_ROOT}/manifest_staging/charts/pod-identity-webhook" \
- --set image.repository="${REGISTRY:-mcr.microsoft.com/oss/azure/aad-pod-managed-identity/webhook}" \
+ ${HELM} upgrade --install workload-identity-webhook "${REPO_ROOT}/manifest_staging/charts/workload-identity-webhook" \
+ --set image.repository="${REGISTRY:-mcr.microsoft.com/oss/azure/workload-identity/webhook}" \
 --set image.release="${IMAGE_VERSION}" \
 --set azureTenantID="${AZURE_TENANT_ID}" \
- --namespace aad-pi-webhook-system \
+ --namespace azure-workload-identity-system \
 --reuse-values \
 --wait
 poll_webhook_readiness
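Review bot: With the `helm install` of the released chart commented out, `helm upgrade --install ... --reuse-values` now runs against an empty release, so `--reuse-values` is a no-op and the migration from release `pod-identity-webhook` in `aad-pi-webhook-system` to the new release name and namespace is not exercised at all. When the TODO is picked up, the test should also assert that the old cluster-scoped objects are gone: an `aad-pi-webhook-mutating-webhook-configuration` (webhook `mpod.aad-pod-identity.io`) and the old ClusterRole/ClusterRoleBinding belong to a differently named release, so Helm would not remove them and the old webhook would presumably keep mutating pods alongside the new one. A guarded branch such as `if [[ "${TEST_UPGRADE:-false}" == "true" ]]; then ... fi` keeps that code live and lintable instead of a commented-out block that will drift from the surrounding script.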
@@ -127,23 +130,23 @@ poll_webhook_readiness() { apiVersion: v1 kind: Namespace metadata: - name: aad-pi-webhook-system-test + name: azure-workload-identity-system-test --- apiVersion: v1 kind: ServiceAccount metadata: name: test-service-account - namespace: aad-pi-webhook-system-test + namespace: azure-workload-identity-system-test labels: - azure.pod.identity/use: "true" + azure.workload.identity/use: "true" annotations: - azure.pod.identity/service-account-token-expiration: "100" + azure.workload.identity/service-account-token-expiration: "100" --- apiVersion: v1 kind: Pod metadata: name: nginx-pod - namespace: aad-pi-webhook-system-test + namespace: azure-workload-identity-system-test spec: serviceAccountName: test-service-account containers: diff --git a/scripts/create-kind-cluster.sh b/scripts/create-kind-cluster.sh index a1e3c5d4a..b33a89164 100755 --- a/scripts/create-kind-cluster.sh +++ b/scripts/create-kind-cluster.sh @@ -14,7 +14,7 @@ readonly KUBECTL="${REPO_ROOT}/hack/tools/bin/kubectl" SERVICE_ACCOUNT_SIGNING_KEY_FILE="$(pwd)/sa.key" SERVICE_ACCOUNT_KEY_FILE="$(pwd)/sa.pub" -KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME:-aad-pod-managed-identity}" +KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME:-azure-workload-identity}" preflight() { if [[ ! -f "${SERVICE_ACCOUNT_SIGNING_KEY_FILE}" ]]; then diff --git a/test/e2e/e2e.go b/test/e2e/e2e.go index a05463b3e..8e5eabb56 100644 --- a/test/e2e/e2e.go +++ b/test/e2e/e2e.go @@ -33,7 +33,7 @@ var ( c *kubernetes.Clientset coreNamespaces = []string{ metav1.NamespaceSystem, - "aad-pi-webhook-system", + "azure-workload-identity-system", } ) diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go index dbc38eba5..cfe900d10 100644 --- a/test/e2e/e2e_test.go +++ b/test/e2e/e2e_test.go 
@@ -14,8 +14,8 @@ import (
 func init() {
 flag.BoolVar(&arcCluster, "e2e.arc-cluster", false, "Running on an arc-enabled cluster")
 flag.StringVar(&tokenExchangeE2EImage, "e2e.token-exchange-image", "aramase/dotnet:v0.4", "The image to use for token exchange tests")
- flag.StringVar(&proxyInitImage, "e2e.proxy-init-image", "mcr.microsoft.com/oss/azure/aad-pod-managed-identity/proxy-init:v0.3.0", "The proxy-init image")
- flag.StringVar(&proxyImage, "e2e.proxy-image", "mcr.microsoft.com/oss/azure/aad-pod-managed-identity/proxy:v0.3.0", "The proxy image")
+ flag.StringVar(&proxyInitImage, "e2e.proxy-init-image", "mcr.microsoft.com/oss/azure/workload-identity/proxy-init:v0.3.0", "The proxy-init image")
+ flag.StringVar(&proxyImage, "e2e.proxy-image", "mcr.microsoft.com/oss/azure/workload-identity/proxy:v0.3.0", "The proxy image")
 }
 // handleFlags sets up all flags and parses the command line.
diff --git a/test/e2e/helpers.go b/test/e2e/helpers.go
index 2ec7b9670..d09e8a676 100644
--- a/test/e2e/helpers.go
+++ b/test/e2e/helpers.go
@@ -7,7 +7,7 @@ import (
 "fmt"
 "path/filepath"
- "github.com/Azure/aad-pod-managed-identity/pkg/webhook"
+ "github.com/Azure/azure-workload-identity/pkg/webhook"
 "github.com/onsi/gomega"
 appsv1 "k8s.io/api/apps/v1"
@@ -41,7 +41,7 @@ func createServiceAccount(c kubernetes.Interface, namespace, name string, labels
 framework.ExpectNoError(err, "failed to create service account %s", name)
 // make sure the service account is created
- // ref: https://github.com/Azure/aad-pod-managed-identity/issues/114
+ // ref: https://github.com/Azure/azure-workload-identity/issues/114
 gomega.Eventually(func() bool {
 _, err := c.CoreV1().ServiceAccounts(namespace).Get(context.TODO(), name, metav1.GetOptions{})
 if apierrors.IsNotFound(err) {
diff --git a/test/e2e/proxy_test.go b/test/e2e/proxy_test.go
index 8a041e849..263975134 100644
--- a/test/e2e/proxy_test.go
+++ b/test/e2e/proxy_test.go
@@ -8,7 +8,7 @@ import (
 "os"
 "strings"
- "github.com/Azure/aad-pod-managed-identity/pkg/webhook"
+ "github.com/Azure/azure-workload-identity/pkg/webhook"
 "github.com/onsi/ginkgo"
 "github.com/onsi/gomega"
 corev1 "k8s.io/api/core/v1"
diff --git a/test/e2e/token_exchange.go b/test/e2e/token_exchange.go
index 5b09e1876..69b7204b6 100644
--- a/test/e2e/token_exchange.go
+++ b/test/e2e/token_exchange.go
@@ -7,7 +7,7 @@ import (
 "os"
 "strings"
- "github.com/Azure/aad-pod-managed-identity/pkg/webhook"
+ "github.com/Azure/azure-workload-identity/pkg/webhook"
 "github.com/onsi/ginkgo"
 "github.com/onsi/gomega"
@@ -21,7 +21,7 @@ import (
 var _ = ginkgo.Describe("TokenExchange [KindOnly]", func() {
 f := framework.NewDefaultFramework("token-exchange")
- // E2E scenario from https://github.com/Azure/aad-pod-managed-identity/tree/main/examples/msal-go
+ // E2E scenario from https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-go
 ginkgo.It("should exchange the service account token for a valid AAD token", func() {
 clientID, ok := os.LookupEnv("APPLICATION_CLIENT_ID")
 gomega.Expect(ok).To(gomega.BeTrue(), "APPLICATION_CLIENT_ID must be set")
diff --git a/test/e2e/webhook.go b/test/e2e/webhook.go
index b9a748972..5ec39b825 100644
--- a/test/e2e/webhook.go
+++ b/test/e2e/webhook.go
@@ -6,7 +6,7 @@ import (
 "fmt"
 "strings"
- "github.com/Azure/aad-pod-managed-identity/pkg/webhook"
+ "github.com/Azure/azure-workload-identity/pkg/webhook"
 "github.com/onsi/ginkgo"
 "k8s.io/kubernetes/test/e2e/framework"
diff --git a/third_party/open-policy-agent/gatekeeper/helmify/kustomization.yaml b/third_party/open-policy-agent/gatekeeper/helmify/kustomization.yaml
index be8165b92..2c41372c3 100644
--- a/third_party/open-policy-agent/gatekeeper/helmify/kustomization.yaml
+++ b/third_party/open-policy-agent/gatekeeper/helmify/kustomization.yaml
@@ -1,7 +1,7 @@
 namespace: "{{ .Release.Namespace }}"
 commonLabels:
-  app: '{{ template "pod-identity-webhook.name" . }}'
-  chart: '{{ template "pod-identity-webhook.name" . }}'
+  app: '{{ template "workload-identity-webhook.name" . }}'
+  chart: '{{ template "workload-identity-webhook.name" . }}'
   release: "{{ .Release.Name }}"
 bases:
   - "../../../../config/default" # calls ../../default
@@ -11,7 +11,7 @@ patchesJson6902:
   # these are defined in the chart values rather than hard-coded
   - target:
       kind: Deployment
-      name: aad-pi-webhook-controller-manager
+      name: azure-wi-webhook-controller-manager
     patch: |-
       - op: remove
         path: /spec/template/spec/containers/0/resources/limits
diff --git a/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml b/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml
index 9b05f75ca..6ae584a20 100644
--- a/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml
+++ b/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml
@@ -4,38 +4,38 @@ data:
   AZURE_TENANT_ID: HELMSUBST_CONFIGMAP_AZURE_TENANT_ID
 kind: ConfigMap
 metadata:
-  name: aad-pi-webhook-config
-  namespace: aad-pi-webhook-system
+  name: azure-wi-webhook-config
+  namespace: azure-workload-identity-system
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: aad-pi-webhook-webhook-service
-  namespace: aad-pi-webhook-system
+  name: azure-wi-webhook-webhook-service
+  namespace: azure-workload-identity-system
 spec:
   HELMSUBST_SERVICE_TYPE: ""
   ports:
   - port: {{ .Values.service.port }}
     targetPort: {{ .Values.service.targetPort }}
   selector:
-    mpod.aad-pod-identity.io/system: "true"
+    azure-workload-identity.io/system: "true"
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    mpod.aad-pod-identity.io/system: "true"
-  name: aad-pi-webhook-controller-manager
-  namespace: aad-pi-webhook-system
+    azure-workload-identity.io/system: "true"
+  name: azure-wi-webhook-controller-manager
+  namespace: azure-workload-identity-system
 spec:
   replicas: HELMSUBST_DEPLOYMENT_REPLICAS
   selector:
     matchLabels:
-      mpod.aad-pod-identity.io/system: "true"
+      azure-workload-identity.io/system: "true"
   template:
     metadata:
       labels:
-        mpod.aad-pod-identity.io/system: "true"
+        azure-workload-identity.io/system: "true"
     spec:
       containers:
       - args:
@@ -44,7 +44,7 @@ spec:
         - /manager
         envFrom:
         - configMapRef:
-            name: aad-pi-webhook-config
+            name: azure-wi-webhook-config
         image: "{{ .Values.image.repository }}:{{ .Values.image.release }}"
         imagePullPolicy: "{{ .Values.image.pullPolicy }}"
         name: manager
@@ -60,4 +60,4 @@ spec:
       - name: cert
         secret:
           defaultMode: 420
-          secretName: aad-pi-webhook-server-cert
+          secretName: azure-wi-webhook-server-cert
diff --git a/third_party/open-policy-agent/gatekeeper/helmify/main.go b/third_party/open-policy-agent/gatekeeper/helmify/main.go
index a2db281a7..a50db3000 100644
--- a/third_party/open-policy-agent/gatekeeper/helmify/main.go
+++ b/third_party/open-policy-agent/gatekeeper/helmify/main.go
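Review bot: Renaming the Deployment's `spec.selector.matchLabels` key from `mpod.aad-pod-identity.io/system` to `azure-workload-identity.io/system` is not an in-place change: that field is immutable on apps/v1 Deployments, and the Service `selector` moves with it, so a release installed from the previous chart cannot be upgraded to this one and has to be uninstalled and reinstalled (the namespace and every resource name change in the same hunk as well). The README's Upgrade Chart section in this commit still shows a plain `helm upgrade -n azure-workload-identity-system ...` command; a short migration note there and in the release notes would spare operators a failed upgrade. If the webhook's MutatingWebhookConfiguration or its Go code excludes the controller's own pods or namespace by the old label, that reference is not visible in this diff and would need to move in the same change.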
@@ -12,7 +12,7 @@ import (
 )
 
 var (
-	outputDir = flag.String("output-dir", "manifest_staging/charts/pod-identity-webhook", "The root directory in which to write the Helm chart")
+	outputDir = flag.String("output-dir", "manifest_staging/charts/workload-identity-webhook", "The root directory in which to write the Helm chart")
 )
 
 var kindRegex = regexp.MustCompile(`(?m)^kind:[\s]+([\S]+)[\s]*$`)
diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/Chart.yaml b/third_party/open-policy-agent/gatekeeper/helmify/static/Chart.yaml
index e80b889d0..32ea7d2b7 100644
--- a/third_party/open-policy-agent/gatekeeper/helmify/static/Chart.yaml
+++ b/third_party/open-policy-agent/gatekeeper/helmify/static/Chart.yaml
@@ -1,9 +1,9 @@
 apiVersion: v2
-name: pod-identity-webhook
-description: A Helm chart to install the aad-pod-managed-identity webhook
+name: workload-identity-webhook
+description: A Helm chart to install the azure-workload-identity webhook
 type: application
 version: 0.3.0
 appVersion: v0.3.0
-home: https://github.com/Azure/aad-pod-managed-identity
+home: https://github.com/Azure/azure-workload-identity
 sources:
-  - https://github.com/Azure/aad-pod-managed-identity
+  - https://github.com/Azure/azure-workload-identity
diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/README.md b/third_party/open-policy-agent/gatekeeper/helmify/static/README.md
index acb61456d..d0abf3292 100644
--- a/third_party/open-policy-agent/gatekeeper/helmify/static/README.md
+++ b/third_party/open-policy-agent/gatekeeper/helmify/static/README.md
@@ -3,18 +3,18 @@
 ## Get Repo
 
 ```console
-helm repo add aad-pod-managed-identity https://azure.github.io/aad-pod-managed-identity/charts
+helm repo add azure-workload-identity https://azure.github.io/azure-workload-identity/charts
 helm repo update
 ```
 
 ## Install Chart
 
 ```console
-# Helm install with aad-pi-webhook-system namespace already created
-helm install -n aad-pi-webhook-system [RELEASE_NAME] aad-pod-managed-identity/pod-identity-webhook
+# Helm install with azure-workload-identity-system namespace already created
+helm install -n azure-workload-identity-system [RELEASE_NAME] azure-workload-identity/workload-identity-webhook
 
 # Helm install and create namespace
-helm install -n aad-pi-webhook-system [RELEASE_NAME] aad-pod-managed-identity/pod-identity-webhook --create-namespace
+helm install -n azure-workload-identity-system [RELEASE_NAME] azure-workload-identity/workload-identity-webhook --create-namespace
 ```
 
 _See [parameters](#parameters) below._
@@ -24,29 +24,29 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen
 ## Upgrade Chart
 
 ```console
-helm upgrade -n aad-pi-webhook-system [RELEASE_NAME] aad-pod-managed-identity/pod-identity-webhook
+helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-identity/workload-identity-webhook
 ```
 
 ## Parameters
 
-| Parameter | Description | Default |
-| :----------------- | :------------------------------------------------------------------------ | :------------------------------------------------------------- |
-| labels | The labels to add to the aad-managed-pod-identity pods | `mpod.aad-pod-identity.io/system: "true"` |
-| replicaCount | The number of aad-managed-pod-identity replicas to deploy for the webhook | `1` |
-| image.repository | Image repository | `mcr.microsoft.com/oss/azure/aad-pod-managed-identity/webhook` |
-| image.pullPolicy | Image pullPolicy | `IfNotPresent` |
-| image.release | The image release tag to use | Current release version: `v0.3.0` |
-| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
-| arcCluster | Specify if it runs on Arc cluster | `false` |
-| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi |
-| affinity | The node affinity to use for pod scheduling | `{}` |
-| tolerations | The tolerations to use for pod scheduling | `[]` |
-| service.type | Service type | `ClusterIP` |
-| service.port | Service port | `443` |
-| service.targetPort | Service target port | `9443` |
-| azureTenantID | [**REQUIRED**] Azure tenant ID | `` |
-| azureEnvironment | Azure Environment | `AzurePublicCloud` |
+| Parameter | Description | Default |
+| :----------------- | :----------------------------------------------------------------------- | :------------------------------------------------------ |
+| labels | The labels to add to the azure-workload-identity webhook pods | `azure-workload-identity.io/system: "true"` |
+| replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `1` |
+| image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
+| image.pullPolicy | Image pullPolicy | `IfNotPresent` |
+| image.release | The image release tag to use | Current release version: `v0.3.0` |
+| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
+| arcCluster | Specify if it runs on Arc cluster | `false` |
+| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi |
+| affinity | The node affinity to use for pod scheduling | `{}` |
+| tolerations | The tolerations to use for pod scheduling | `[]` |
+| service.type | Service type | `ClusterIP` |
+| service.port | Service port | `443` |
+| service.targetPort | Service target port | `9443` |
+| azureTenantID | [**REQUIRED**] Azure tenant ID | `` |
+| azureEnvironment | Azure Environment | `AzurePublicCloud` |
 
 ## Contributing Changes
 
-This Helm chart is autogenerated from the AAD Managed Pod Identity static manifest. The generator code lives under `third_party/open-policy-agent/gatekeeper/helmify`. To make modifications to this template, please edit `kustomization.yaml`, `kustomize-for-helm.yaml` and `replacements.go` under that directory and then run `make manifests`. Your changes will show up in the `manifest_staging` directory and will be promoted to the root `charts` directory the next time a aad-pod-managed-identity release is cut.
+This Helm chart is autogenerated from the AAD Managed Pod Identity static manifest. The generator code lives under `third_party/open-policy-agent/gatekeeper/helmify`. To make modifications to this template, please edit `kustomization.yaml`, `kustomize-for-helm.yaml` and `replacements.go` under that directory and then run `make manifests`. Your changes will show up in the `manifest_staging` directory and will be promoted to the root `charts` directory the next time an azure-workload-identity release is cut.
diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/templates/_helpers.tpl b/third_party/open-policy-agent/gatekeeper/helmify/static/templates/_helpers.tpl
index 09ae354f6..a4c499903 100644
--- a/third_party/open-policy-agent/gatekeeper/helmify/static/templates/_helpers.tpl
+++ b/third_party/open-policy-agent/gatekeeper/helmify/static/templates/_helpers.tpl
@@ -1,7 +1,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "pod-identity-webhook.name" -}}
+{{- define "workload-identity-webhook.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
@@ -10,7 +10,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "pod-identity-webhook.fullname" -}}
+{{- define "workload-identity-webhook.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
@@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "pod-identity-webhook.chart" -}}
+{{- define "workload-identity-webhook.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{/*
 Common labels
 */}}
-{{- define "pod-identity-webhook.labels" -}}
-helm.sh/chart: {{ include "pod-identity-webhook.chart" . }}
-{{ include "pod-identity-webhook.selectorLabels" . }}
+{{- define "workload-identity-webhook.labels" -}}
+helm.sh/chart: {{ include "workload-identity-webhook.chart" . }}
+{{ include "workload-identity-webhook.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
@@ -45,7 +45,7 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 Selector labels
 */}}
-{{- define "pod-identity-webhook.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "pod-identity-webhook.name" . }}
+{{- define "workload-identity-webhook.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "workload-identity-webhook.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml b/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml
index a81681b18..d4d40b734 100644
--- a/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml
+++ b/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml
@@ -1,12 +1,12 @@
-# Default values for pod-identity-webhook.
+# Default values for workload-identity-webhook.
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
 labels:
-  mpod.aad-pod-identity.io/system: "true"
+  azure-workload-identity.io/system: "true"
 replicaCount: 1
 image:
-  repository: mcr.microsoft.com/oss/azure/aad-pod-managed-identity/webhook
+  repository: mcr.microsoft.com/oss/azure/workload-identity/webhook
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
   release: v0.3.0
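Review bot: `image.repository` moves to `mcr.microsoft.com/oss/azure/workload-identity/webhook` while `release: v0.3.0` (and `appVersion: v0.3.0` in Chart.yaml) stays as it was, so a default install now pulls `v0.3.0` from the new path; unless that tag has been published under the new repository, which this diff cannot show, the chart ships with an unpullable default. The same repository-with-unchanged-tag pattern appears in the `e2e.proxy-init-image` and `e2e.proxy-image` flag defaults and in the README parameter table. Either confirm the re-tag before merging or bump the release together with the rename, and consider documenting the `@sha256:` digest for the default image so the repository move is pinned rather than resolved through a mutable tag.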