updating to aks provided
Gordon Byers committed Mar 8, 2023
1 parent 11f98a6 commit 05c0212
Showing 8 changed files with 370 additions and 98 deletions.
14 changes: 3 additions & 11 deletions CHANGELOG.md
@@ -1,13 +1,5 @@
## [AKS Workload Identity - Sample] Changelog
# [AKS Workload Identity - Sample] Changelog

<a name="x.y.z"></a>
# x.y.z (yyyy-mm-dd)
## 2023-03-08

*Features*
* ...

*Bug Fixes*
* ...

*Breaking Changes*
* ...
* Shifted the Workload Identity through AKS feature instead of helm install
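Review bot: the new entry under *Breaking Changes*, `* Shifted the Workload Identity through AKS feature instead of helm install`, reads awkwardly and leaves out the migration step; suggest `* The Workload Identity mutating admission webhook is now enabled through the AKS feature instead of a Helm install`, plus a second bullet telling users who deployed the earlier version to uninstall the previously Helm-installed webhook release before redeploying, since that release will otherwise still be present in their cluster. Also, the `x.y.z (yyyy-mm-dd)` placeholder and its `<a name>` anchor were dropped in favour of `## 2023-03-08`; if a date-only heading is the new convention, say so at the top so future entries follow it.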
5 changes: 2 additions & 3 deletions CONTRIBUTING.md
Expand Up @@ -2,15 +2,14 @@

This project welcomes contributions and suggestions. Most contributions require you to agree to a
Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
the rights to use your contribution. For details, visit [https://cla.opensource.microsoft.com](https://cla.opensource.microsoft.com).

When you submit a pull request, a CLA bot will automatically determine whether you need to provide
a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions
provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
contact [[email protected]](mailto:[email protected]) with any additional questions or comments.
For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [[email protected]](mailto:[email protected]) with any additional questions or comments.

- [Code of Conduct](#coc)
- [Issues and Bugs](#issue)
Expand Down
29 changes: 16 additions & 13 deletions README.md
Expand Up @@ -30,7 +30,7 @@ The [Azure CSI Secrets driver](https://docs.microsoft.com/azure/aks/csi-secrets-

Enabling workload identity on an AKS cluster creates an [OIDC issuer](https://learn.microsoft.com/azure/aks/cluster-configuration#oidc-issuer) that can then be used to authenticate a workload running to an OIDC provider (Azure Active Directory in this example).

[Workload Identities](https://github.com/Azure/azure-workload-identity) facilitate a narrow scope of use of a service account for exclusive use by an application instead of an identity that is leveraged at the VM level that could be used by multiple applications.
[Workload Identities](https://github.com/Azure/azure-workload-identity) facilitate a narrow scope of use of a service account for exclusive use by an application instead of an identity that is leveraged at the VM level that could be used by multiple applications.

### Auth Diagrams

Expand Down Expand Up @@ -105,13 +105,16 @@ graph TB
style App fill:#F25022,stroke:#333,stroke-width:4px
end
```

## Getting Started

### Prerequisites

Interaction with Azure is done using the [Azure CLI](https://docs.microsoft.com/cli/azure/), [Helm](https://helm.sh/docs/intro/install/) and [Kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) are required for accessing Kubernetes packages and installing them to the cluster.

[JQ](https://stedolan.github.io/jq/download/) is used for transforming json objects in the script samples. It's a commonly used binary available in the Azure CLI, on GitHub runners etc.
[JQ](https://stedolan.github.io/jq/download/) is used for transforming json objects in the script samples. It's a commonly used binary available in the Azure CloudShell, on GitHub runners etc.

[Helm](https://helm.sh/) is used to install (and package) Kubernetes applications. It's a commonly used binary available in the Azure CloudShell, on GitHub runners etc.

OIDC Issuer is an AKS Feature, and is required for Workload Identity to function.

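Review bot: the added Helm paragraph duplicates the first sentence of the section, which already lists Helm and Kubectl as required, and that first sentence is a run-on (`Interaction with Azure is done using the Azure CLI, Helm and Kubectl are required for accessing Kubernetes packages ...`); suggest splitting it into `Interaction with Azure is done using the Azure CLI. Helm and kubectl are required for installing Kubernetes packages to the cluster.` and letting the new Helm paragraph be the single place that explains what Helm is for. Since the webhook is no longer Helm-installed, it is also worth stating here that Helm is still needed for the sample application charts (the guide's `helm upgrade --install app5 charts/workloadIdApp2 ...` step), so readers do not drop it as a prerequisite.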
Expand All @@ -122,16 +125,16 @@ OIDC Issuer is an AKS Feature, and is required for Workload Identity to function
Using [AKS Construction](https://github.com/Azure/Aks-Construction), we can quickly set up an AKS cluster to the correct configuration. It has been referenced as a git submodule, and therefore easily consumed in [this projects bicep infrastructure file](main.bicep).

The main.bicep deployment creates
- 1 AKS Cluster, with CSI Secrets Managed Identity
- 5 Azure Key Vaults
- 3 User Assigned Managed Identities
- The Azure Workload Identity Mutating Admission Webhook on the AKS cluster

* 1 AKS Cluster, with CSI Secrets Managed Identity and managed Workload Identity Mutating Admission Webhook
* 5 Azure Key Vaults
* 3 User Assigned Managed Identities

### Guide

#### 1. clone the repo

```
```bash
git clone https://github.com/Azure-Samples/aks-workload-identity.git
cd aks-workload-identity
```
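Review bot: the new bullet `1 AKS Cluster, with CSI Secrets Managed Identity and managed Workload Identity Mutating Admission Webhook` removes the webhook as a separately deployed component but does not say what main.bicep enables on the cluster to get it; add one line naming the AKS workload identity setting the bicep turns on (alongside the OIDC issuer the prerequisites already describe), so readers reviewing the infrastructure know where to look. Minor: `this projects bicep infrastructure file` should be `this project's`, and tagging the clone fence as `bash` is consistent with the other code blocks in the guide.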
Expand Down Expand Up @@ -194,7 +197,7 @@ helm upgrade --install app5 charts/workloadIdApp2 --set nameOverride=workloadida

#### 6. Checking the workloads

At this point 3 out of 5 applications should be working.
At this point 3 out of 5 applications should be working.

We're expecting that application 2 won't yet be working as it is missing Federated Id configuration to trust the AKS Cluster. The errors from these application logs will however be useful to see what is expected to be provided when we created the Federated Identity.

Expand All @@ -211,7 +214,7 @@ kubectl logs $APP2POD -n app2

##### App2

```bash
```bash
APP2SVCACCNT="app2-workloadidapp2"
APP2NAMESPACE="app2"
APP2APPOBJECTID="$(az ad app show --id $APP2 --query id -o tsv)"
Expand Down Expand Up @@ -273,7 +276,7 @@ az group delete -n $RGNAME

## Resources

- [Azure Workload Identity](https://github.com/Azure/azure-workload-identity)
- [Azure AD workload identity federation with Kubernetes](https://blog.identitydigest.com/azuread-federate-k8s/)
- [Azure Key Vault provider for Secrets Store CSI Driver](https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/getting-started/usage/)
- [Managed Identity FAQ](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/managed-identities-faq)
* [Azure Workload Identity](https://github.com/Azure/azure-workload-identity)
* [Azure AD workload identity federation with Kubernetes](https://blog.identitydigest.com/azuread-federate-k8s/)
* [Azure Key Vault provider for Secrets Store CSI Driver](https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/getting-started/usage/)
* [Managed Identity FAQ](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/managed-identities-faq)