Merge pull request #5 from shiftavenue/feature/make_chart_more_custom…

…izable

added more customization for helm chart

README.md

@@ -14,13 +14,16 @@ helm repo update
 helm install clientid-syncer-webhook azure-clientid-syncer/azure-clientid-syncer-webhook \
    --namespace azure-clientid-syncer-system \
    --create-namespace \
-   --set azureTenantID="${AZURE_TENANT_ID}"
+   --set config.azureTenantID="${AZURE_TENANT_ID}"
 ```
 
 ## Getting started 
-
 1. Create a managed identity with an federated identity credential to use azure-client-syncer with Workload Identity - configure the credential according to your environment. The following are the default values for the Service Account deployed with the chart:
 * Namespace: azure-clientid-syncer-system
 * Name: azure-clientid-syncer-webhook-admin
-2. Install the helm chart with the values according to your managed identity and tenant. (An example can be found [here](example/example-values.yaml))
-3. Start deploying...
+2. Assign Reader permissions to your managed identity:
+3. Install the helm chart with the values according to your managed identity and tenant. (An example can be found [here](example/example-values.yaml))
+4. Start deploying...
+
+## Performance considerations
+The webhook is called every time a service account is created. This can lead to a lot of calls to the Azure API required to check the federated identity credentials. To reduce the number of calls, the webhook allows to set a **FILTER_TAGS** environment variable and you should follow the principal of priviledge when assigning Reader permissions to the identity. This variable contains a comma separated list of tags which will be used as additional parameter for the query of the Azure managed identities. Kubernetes mutation webhooks have a max. timeout of 30 seconds. To achieve this time it is recommended to build a query which returns at **maximum around ~70 managed identities**.

charts/azure-clientid-syncer-webhook/templates/azure-clientid-syncer-webhook-config-configmap.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 data:
   AZURE_AUTHORITY_HOST: {{ .Values.azureEnvironment | default "AzurePublicCloud" }}
-  AZURE_TENANT_ID: {{ required "A valid .Values.azureTenantID entry required!" .Values.azureTenantID }}
+  AZURE_TENANT_ID: {{ required "A valid .Values.config.azureTenantID entry required!" .Values.config.azureTenantID }}
 kind: ConfigMap
 metadata:
   labels:

charts/azure-clientid-syncer-webhook/templates/azure-clientid-syncer-webhook-controller-manager-deployment.yaml

@@ -43,18 +43,18 @@ spec:
               apiVersion: v1
               fieldPath: metadata.namespace
         - name: AUTO_DETECT_OIDC_ISSUER_URL
-          value: '{{ .Values.autoDetectOidcIssuerUrl | default "true" }}'
-        {{ if .Values.oidcIssuerUrl }}
+          value: '{{ .Values.config.autoDetectOidcIssuerUrl | default "true" }}'
+        {{ if .Values.config.oidcIssuerUrl }}
         - name: OIDC_ISSUER_URL
-          value: '{{ .Values.oidcIssuerUrl }}'
+          value: '{{ .Values.config.oidcIssuerUrl }}'
         {{ end }}
-        {{ if .Values.filterTags }}
+        {{ if .Values.config.filterTags }}
         - name: FILTER_TAGS
-          value: '{{ .Values.filterTags }}'
+          value: '{{ .Values.config.filterTags }}'
         {{ end }}
-        {{ if .Values.clusterIdentifier }}
+        {{ if .Values.config.clusterIdentifier }}
         - name: CLUSTER_IDENTIFIER
-          value: '{{ .Values.clusterIdentifier }}'
+          value: '{{ .Values.config.clusterIdentifier }}'
         {{ end }}
         envFrom:
         - configMapRef:

charts/azure-clientid-syncer-webhook/templates/azure-clientid-syncer-webhook-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml

@@ -21,7 +21,7 @@ webhooks:
   failurePolicy: Fail
   matchPolicy: Equivalent
   name: mutation.azure-clientid-syncer-webhook.io
-  timeoutSeconds: 30
+  timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
   namespaceSelector: {{- toYaml .Values.mutatingWebhookNamespaceSelector | nindent 4 }}
   objectSelector:
     matchLabels:

charts/azure-clientid-syncer-webhook/values.yaml

@@ -26,11 +26,14 @@ service:
   targetPort: 9443
 azureEnvironment: AzurePublicCloud
 # enter your tenant ID here. If you leave this empty, the webhook will try to auto-detect the tenant ID.
-azureTenantID: ""
-autoDetectOidcIssuerUrl: "true"
-oidcIssuerUrl: ""
-tagsFilter: ""
-clusterIdentifier: ""
+config:
+  azureTenantID: ""
+  autoDetectOidcIssuerUrl: "true"
+  oidcIssuerUrl: ""
+  filterTags: ""
+  clusterIdentifier: ""
+webhook:
+  timeoutSeconds: 15
 metricsAddr: ":8095"
 metricsBackend: prometheus
 logLevel: 0

example/README.md

@@ -2,7 +2,7 @@
     1. Deploy new AKS cluster with OIDC and Workload Identity enabled:
     ```bash
     az aks create --resource-group <resource-group> --name <cluster-name> --node-count 1 --enable-oidc-issuer --enable-workload-identity
-    ISSUER=$(az aks show --resource-group test-group --name awdawd --query "oidcIssuerProfile.issuerUrl" -otsv)
+    ISSUER=$(az aks show --resource-group <resource-group> --name <cluster-name> --query "oidcIssuerProfile.issuerUrl" -otsv)
     ```
     2. Update existing AKS cluster with OIDC and Workload Identity enabled:
     ```bash
@@ -22,3 +22,4 @@
     ```bash
     az role assignment create --role Reader --assignee <identity-client-id> --scope subscriptions/<subscription-id>
     ```
+4. Install the helm chart with the values according to your managed identity and tenant. (An example can be found [here](example-values.yaml))

example/example-values.yaml

@@ -1,5 +1,9 @@
-azureTenantID: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
-filterTags: "aks-clientid-syncer:true,namespace:<NAMESPACE>,serviceaccountname:<SERVICE_ACCOUNT_NAME>"
+config:
+  azureTenantID: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
+  filterTags: "aks-clientid-syncer:true,namespace:<NAMESPACE>,serviceaccountname:<SERVICE_ACCOUNT_NAME>"
+
+webhook:
+  timeoutSeconds: 10
 
 podLabels:
   azure.workload.identity/use: "true"