From 68a6707f83a1dbc3ce323adab7f51200a2e40a87 Mon Sep 17 00:00:00 2001
From: Felix
Date: Sun, 14 Jan 2024 11:22:19 +0100
Subject: [PATCH] added more customization for helm chart

---
 README.md | 11 +++++++----
 ...e-clientid-syncer-webhook-config-configmap.yaml | 2 +-
 ...ncer-webhook-controller-manager-deployment.yaml | 14 +++++++-------
 ...configuration-mutatingwebhookconfiguration.yaml | 2 +-
 charts/azure-clientid-syncer-webhook/values.yaml | 13 ++++++++-----
 example/README.md | 3 ++-
 example/example-values.yaml | 8 ++++++--
 7 files changed, 32 insertions(+), 21 deletions(-)

diff --git a/README.md b/README.md
index e247c2c..dfc760b 100644
--- a/README.md
+++ b/README.md
@@ -14,13 +14,16 @@ helm repo update helm install clientid-syncer-webhook azure-clientid-syncer/azure-clientid-syncer-webhook \ --namespace azure-clientid-syncer-system \ --create-namespace \ - --set azureTenantID="${AZURE_TENANT_ID}" + --set config.azureTenantID="${AZURE_TENANT_ID}" ``` ## Getting started - 1. Create a managed identity with an federated identity credential to use azure-client-syncer with Workload Identity - configure the credential according to your environment. The following are the default values for the Service Account deployed with the chart: * Namespace: azure-clientid-syncer-system * Name: azure-clientid-syncer-webhook-admin -2. Install the helm chart with the values according to your managed identity and tenant. (An example can be found [here](example/example-values.yaml)) -3. Start deploying... +2. Assign Reader permissions to your managed identity: +3. Install the helm chart with the values according to your managed identity and tenant. (An example can be found [here](example/example-values.yaml)) +4. Start deploying... + +## Performance considerations +The webhook is called every time a service account is created. This can lead to a lot of calls to the Azure API required to check the federated identity credentials. To reduce the number of calls, the webhook allows to set a **FILTER_TAGS** environment variable and you should follow the principal of priviledge when assigning Reader permissions to the identity. This variable contains a comma separated list of tags which will be used as additional parameter for the query of the Azure managed identities. Kubernetes mutation webhooks have a max. timeout of 30 seconds. To achieve this time it is recommended to build a query which returns at **maximum around ~70 managed identities**. 
diff --git a/charts/azure-clientid-syncer-webhook/templates/azure-clientid-syncer-webhook-config-configmap.yaml b/charts/azure-clientid-syncer-webhook/templates/azure-clientid-syncer-webhook-config-configmap.yaml
index f169620..28f7301 100644
--- a/charts/azure-clientid-syncer-webhook/templates/azure-clientid-syncer-webhook-config-configmap.yaml
+++ b/charts/azure-clientid-syncer-webhook/templates/azure-clientid-syncer-webhook-config-configmap.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 data:
   AZURE_AUTHORITY_HOST: {{ .Values.azureEnvironment | default "AzurePublicCloud" }}
-  AZURE_TENANT_ID: {{ required "A valid .Values.azureTenantID entry required!" .Values.azureTenantID }}
+  AZURE_TENANT_ID: {{ required "A valid .Values.config.azureTenantID entry required!" .Values.config.azureTenantID }}
 kind: ConfigMap
 metadata:
   labels:
diff --git a/charts/azure-clientid-syncer-webhook/templates/azure-clientid-syncer-webhook-controller-manager-deployment.yaml b/charts/azure-clientid-syncer-webhook/templates/azure-clientid-syncer-webhook-controller-manager-deployment.yaml
index ae7422f..bda0104 100644
--- a/charts/azure-clientid-syncer-webhook/templates/azure-clientid-syncer-webhook-controller-manager-deployment.yaml
+++ b/charts/azure-clientid-syncer-webhook/templates/azure-clientid-syncer-webhook-controller-manager-deployment.yaml
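Review bot: The `required` guard on `.Values.config.azureTenantID` in this hunk contradicts the comment that the values.yaml hunk of this commit keeps directly above the same key ("If you leave this empty, the webhook will try to auto-detect the tenant ID"): Helm's `required` rejects an empty string, so with the shipped default `""` a plain `helm install` aborts at render time and the documented auto-detection can never be reached through the chart. Either the comment or the guard is wrong, and it should be settled in this commit since the key is being moved anyway. If auto-detection is a real code path, emit the variable only when set, `{{- if .Values.config.azureTenantID }}` / `AZURE_TENANT_ID: {{ .Values.config.azureTenantID | quote }}` / `{{- end }}`; if it is not, replace the values.yaml comment with `# Required: the Entra tenant ID the webhook authenticates against (no auto-detection).`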
@@ -43,18 +43,18 @@ spec:
               apiVersion: v1
               fieldPath: metadata.namespace
         - name: AUTO_DETECT_OIDC_ISSUER_URL
-          value: '{{ .Values.autoDetectOidcIssuerUrl | default "true" }}'
-        {{ if .Values.oidcIssuerUrl }}
+          value: '{{ .Values.config.autoDetectOidcIssuerUrl | default "true" }}'
+        {{ if .Values.config.oidcIssuerUrl }}
         - name: OIDC_ISSUER_URL
-          value: '{{ .Values.oidcIssuerUrl }}'
+          value: '{{ .Values.config.oidcIssuerUrl }}'
         {{ end }}
-        {{ if .Values.filterTags }}
+        {{ if .Values.config.filterTags }}
         - name: FILTER_TAGS
-          value: '{{ .Values.filterTags }}'
+          value: '{{ .Values.config.filterTags }}'
         {{ end }}
-        {{ if .Values.clusterIdentifier }}
+        {{ if .Values.config.clusterIdentifier }}
         - name: CLUSTER_IDENTIFIER
-          value: '{{ .Values.clusterIdentifier }}'
+          value: '{{ .Values.config.clusterIdentifier }}'
         {{ end }}
         envFrom:
         - configMapRef:
diff --git a/charts/azure-clientid-syncer-webhook/templates/azure-clientid-syncer-webhook-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/charts/azure-clientid-syncer-webhook/templates/azure-clientid-syncer-webhook-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
index 02e81c9..1d41e29 100644
--- a/charts/azure-clientid-syncer-webhook/templates/azure-clientid-syncer-webhook-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
+++ b/charts/azure-clientid-syncer-webhook/templates/azure-clientid-syncer-webhook-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
@@ -21,7 +21,7 @@ webhooks:
   failurePolicy: Fail
   matchPolicy: Equivalent
   name: mutation.azure-clientid-syncer-webhook.io
-  timeoutSeconds: 30
+  timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
   namespaceSelector: {{- toYaml .Values.mutatingWebhookNamespaceSelector | nindent 4 }}
   objectSelector:
     matchLabels:
diff --git a/charts/azure-clientid-syncer-webhook/values.yaml b/charts/azure-clientid-syncer-webhook/values.yaml
index 384265c..2a6af2d 100644
--- a/charts/azure-clientid-syncer-webhook/values.yaml
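Review bot: A values file written against the previous chart layout still renders cleanly after this hunk, because the template now reads only `.Values.config.*` and a top-level `filterTags`, `clusterIdentifier` or `oidcIssuerUrl` is simply never consulted; the `{{ if }}` guards then omit FILTER_TAGS and CLUSTER_IDENTIFIER, so the webhook silently queries every identity in scope and loses the cluster scoping it had before. Only the tenant ID is caught, and only because the ConfigMap template wraps it in `required`. A guard at the top of this template turns the silent drop into a render error: `{{- if or .Values.azureTenantID .Values.filterTags .Values.clusterIdentifier .Values.oidcIssuerUrl }}{{ fail "azureTenantID/filterTags/clusterIdentifier/oidcIssuerUrl moved under config:" }}{{- end }}`. Separately, wrapping each rendered value in single quotes breaks on any value that itself contains a quote; `value: {{ .Values.config.filterTags | quote }}` is the safer form for all four entries. The enclosing env list begins before this hunk.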
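Review bot: `timeoutSeconds` becomes configurable in this hunk while `failurePolicy: Fail` three lines above stays fixed, and the chart default in this commit's values.yaml drops from the previous hard-coded 30 to 15, so an Azure lookup that previously completed inside the old window now causes the ServiceAccount creation to be rejected rather than admitted. The API server additionally accepts only values from 1 to 30, and an out-of-range number surfaces at apply time, not at `helm template`. Both facts should be stated next to the value in values.yaml, e.g. `# admission timeout in seconds (Kubernetes accepts 1-30); with failurePolicy Fail every timed-out call rejects the ServiceAccount`, and the README's "max. timeout of 30 seconds" sentence should mention that the chart now defaults to 15. The webhook entry continues above and below this hunk.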
+++ b/charts/azure-clientid-syncer-webhook/values.yaml
@@ -26,11 +26,14 @@ service:
   targetPort: 9443
 azureEnvironment: AzurePublicCloud
 # enter your tenant ID here. If you leave this empty, the webhook will try to auto-detect the tenant ID.
-azureTenantID: ""
-autoDetectOidcIssuerUrl: "true"
-oidcIssuerUrl: ""
-tagsFilter: ""
-clusterIdentifier: ""
+config:
+  azureTenantID: ""
+  autoDetectOidcIssuerUrl: "true"
+  oidcIssuerUrl: ""
+  filterTags: ""
+  clusterIdentifier: ""
+webhook:
+  timeoutSeconds: 15
 metricsAddr: ":8095"
 metricsBackend: prometheus
 logLevel: 0
diff --git a/example/README.md b/example/README.md
index 59c34fd..bd4621b 100644
--- a/example/README.md
+++ b/example/README.md
@@ -2,7 +2,7 @@
 1. Deploy new AKS cluster with OIDC and Workload Identity enabled:
 ```bash
 az aks create --resource-group --name --node-count 1 --enable-oidc-issuer --enable-workload-identity
-ISSUER=$(az aks show --resource-group test-group --name awdawd --query "oidcIssuerProfile.issuerUrl" -otsv)
+ISSUER=$(az aks show --resource-group --name --query "oidcIssuerProfile.issuerUrl" -otsv)
 ```
 2. Update existing AKS cluster with OIDC and Workload Identity enabled:
 ```bash
@@ -22,3 +22,4 @@
 ```bash
 az role assignment create --role Reader --assignee --scope subscriptions/
 ```
+4. Install the helm chart with the values according to your managed identity and tenant. (An example can be found [here](example-values.yaml))
diff --git a/example/example-values.yaml b/example/example-values.yaml
index a114115..28c2920 100644
--- a/example/example-values.yaml
+++ b/example/example-values.yaml
@@ -1,5 +1,9 @@
-azureTenantID: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
-filterTags: "aks-clientid-syncer:true,namespace:,serviceaccountname:"
+config:
+  azureTenantID: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
+  filterTags: "aks-clientid-syncer:true,namespace:,serviceaccountname:"
+
+webhook:
+  timeoutSeconds: 10

 podLabels:
   azure.workload.identity/use: "true"
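Review bot: The new `config:` block in this hunk carries a comment only for `azureTenantID`; `autoDetectOidcIssuerUrl`, `oidcIssuerUrl`, `filterTags`, `clusterIdentifier` and `webhook.timeoutSeconds` arrive undocumented, although `filterTags` is the knob the README's new performance section tells operators to tune and `timeoutSeconds` quietly replaces the previous hard-coded 30. Since values.yaml is the first thing a chart user reads, one line per key is worth adding here, e.g. `# comma-separated key:value tag filters added to the managed-identity query; narrow this so the lookup finishes inside webhook.timeoutSeconds` above `filterTags:` and `# identifies this cluster in the federated-credential lookup` above `clusterIdentifier:` (the exact semantics of the latter are not visible in this diff and should be confirmed against the webhook code). The retained comment on `azureTenantID` still describes the old flat layout and its auto-detection claim should be checked against the `required` guard in the ConfigMap template.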