feat: add workload identity (#778)
* feat: add workload identity

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

* test: add e2e for workload identity

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

* chore: upgrade to driver v1.1.0-rc.0 and set token requests

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

* test: add create kind cluster script

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

* test: add service account issuer env var for arc

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

* docs: add doc for workload identity mode

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

* review feedback

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
aramase authored Feb 16, 2022
1 parent 05920f3 commit 07b6ace
Showing 33 changed files with 897 additions and 174 deletions.
1 change: 1 addition & 0 deletions .pipelines/e2e-job-azure.yaml
Expand Up @@ -9,6 +9,7 @@ pr:
exclude:
- docs/*
- website/*
- README.md

pool: staging-pool

3 changes: 3 additions & 0 deletions .pipelines/templates/arc/e2e-test-kind.yaml
Expand Up @@ -13,6 +13,9 @@ jobs:
make install-helm install-kubectl setup-kind
displayName: "install dependencies and setup kind"
condition: succeeded()
env:
SERVICE_ACCOUNT_ISSUER: $(SERVICE_ACCOUNT_ISSUER)
SERVICE_ACCOUNT_KEYVAULT_NAME: $(SERVICE_ACCOUNT_KEYVAULT_NAME)
- template: cluster-connect.yaml
- template: extension-create.yaml
parameters:
3 changes: 3 additions & 0 deletions .pipelines/templates/build-images.yaml
Expand Up @@ -34,3 +34,6 @@ steps:
make e2e-bootstrap
displayName: "Build and push azure keyvault provider image"
condition: succeeded()
env:
SERVICE_ACCOUNT_ISSUER: $(SERVICE_ACCOUNT_ISSUER)
SERVICE_ACCOUNT_KEYVAULT_NAME: $(SERVICE_ACCOUNT_KEYVAULT_NAME)
5 changes: 5 additions & 0 deletions .pipelines/templates/e2e-test-kind.yaml
Expand Up @@ -39,6 +39,9 @@ jobs:
IS_HELM_TEST: false

steps:
# logging in to download the sa.pub and sa.key used for creating the kind cluster
# with OIDC issuer enabled
- template: az-login.yaml
- script: |
export REGISTRY="e2e"
export IMAGE_VERSION=e2e-$(git rev-parse --short HEAD)
Expand All @@ -49,6 +52,8 @@ jobs:
displayName: "Build image"
env:
CI_KIND_CLUSTER: true
SERVICE_ACCOUNT_ISSUER: $(SERVICE_ACCOUNT_ISSUER)
SERVICE_ACCOUNT_KEYVAULT_NAME: $(SERVICE_ACCOUNT_KEYVAULT_NAME)
- script: |
make e2e-test
displayName: Run e2e tests
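Review bot: The new `az-login.yaml` step is there so that `sa.pub`/`sa.key` can be pulled from Key Vault onto the agent (per the comment above it), but nothing in this template shows the private key being restricted, kept out of logs, or removed from the workspace once the kind cluster is up. `sa.key` is presumably the signing key for the kind API server's service-account tokens, i.e. the key whose tokens AAD will accept under `SERVICE_ACCOUNT_ISSUER`, so it should be handled as a secret for the life of the job: written with restrictive permissions, never echoed, and deleted in a cleanup step that runs with `condition: always()`. Where it actually lands is decided in `scripts/create-kind-cluster.sh`, which is not in this view, so please confirm there and add the cleanup in whichever file owns the download. A short why-comment on the new env entries would also help the next person: `# Key Vault holding the test-only SA signing key pair; the e2e AAD federated credentials trust only this issuer`, if that is indeed the setup.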
7 changes: 2 additions & 5 deletions Makefile
Expand Up @@ -220,18 +220,15 @@ e2e-test:
.PHONY: setup-kind
setup-kind:
curl -L https://github.com/kubernetes-sigs/kind/releases/download/v${KIND_VERSION}/kind-linux-amd64 --output kind && chmod +x kind && sudo mv kind /usr/local/bin/
# Check for existing kind cluster
if [ $$(kind get clusters) ]; then kind delete cluster; fi
# using kind config to create cluster for testing custom cloud environments
TERM=dumb kind create cluster --image kindest/node:${KIND_K8S_VERSION} --config test/kind-config.yaml
./scripts/create-kind-cluster.sh

.PHONY: install-helm
install-helm:
helm version --short | grep -q v3 || (curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash)

.PHONY: e2e-local-bootstrap
e2e-local-bootstrap: build
kind create cluster --image kindest/node:${KIND_K8S_VERSION} --config test/kind-config.yaml
./scripts/create-kind-cluster.sh
$(MAKE) container-all push-manifest
kind load docker-image --name kind $(IMAGE_TAG)

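Review bot: `setup-kind` no longer deletes a pre-existing kind cluster before creating one — the `kind get clusters` guard was dropped together with the inline `kind create cluster`, and whether `./scripts/create-kind-cluster.sh` reproduces it is not visible here. On a reused agent a stale cluster would make the create step fail or, worse, let the e2e run against a cluster left over from a previous job. If the script does not handle this, keep the guard in the recipe ahead of the script call: `if [ $$(kind get clusters) ]; then kind delete cluster; fi` followed by `./scripts/create-kind-cluster.sh`; `e2e-local-bootstrap` never had the guard and would benefit from the same line. Separately, the unchanged `curl` download of the kind binary still performs no checksum verification before `sudo mv` into `/usr/local/bin/`, which is worth a `sha256sum -c` while this target is being reworked.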
1 change: 1 addition & 0 deletions azure-pipelines.yml
Expand Up @@ -9,6 +9,7 @@ pr:
exclude:
- docs/*
- website/*
- README.md

pool: staging-pool

4 changes: 4 additions & 0 deletions go.mod
Expand Up @@ -6,6 +6,7 @@ require (
github.com/Azure/azure-sdk-for-go v61.3.0+incompatible
github.com/Azure/go-autorest/autorest v0.11.24
github.com/Azure/go-autorest/autorest/adal v0.9.18
github.com/AzureAD/microsoft-authentication-library-for-go v0.4.0
github.com/google/go-cmp v0.5.5
github.com/pkg/errors v0.9.1
github.com/stretchr/testify v1.7.0
Expand All @@ -32,8 +33,11 @@ require (
github.com/cespare/xxhash/v2 v2.1.1 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/go-logr/logr v0.4.0 // indirect
github.com/golang-jwt/jwt v3.2.1+incompatible // indirect
github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
github.com/golang/protobuf v1.5.2 // indirect
github.com/google/uuid v1.1.2 // indirect
github.com/kylelemons/godebug v1.1.0 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/prometheus/client_golang v1.11.0 // indirect
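Review bot: `github.com/AzureAD/microsoft-authentication-library-for-go v0.4.0` is a pre-1.0 dependency that will now sit on the token-exchange path, and it brings in `github.com/golang-jwt/jwt v3.2.1+incompatible` as an indirect alongside the `jwt/v4` line the module already required, so two major versions of the same JWT library may end up linked into the provider binary. Worth running `go mod why github.com/golang-jwt/jwt` to confirm MSAL is the only path to the v3 line and recording that in the PR, and running `govulncheck ./...` (or the project's equivalent scanner) so the new token-handling dependencies are checked at merge rather than discovered later. If MSAL drops the v3 dependency in a later release, a `go mod tidy` at that point removes the duplicate.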
9 changes: 9 additions & 0 deletions go.sum
Expand Up @@ -50,6 +50,8 @@ github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+Z
github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
github.com/AzureAD/microsoft-authentication-library-for-go v0.4.0 h1:WVsrXCnHlDDX8ls+tootqRE87/hL9S/g4ewig9RsD/c=
github.com/AzureAD/microsoft-authentication-library-for-go v0.4.0/go.mod h1:Vt9sXTKwMyGcOxSmLDMnGPgqsUg7m8pe215qMLrDXw4=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=
Expand Down Expand Up @@ -189,6 +191,8 @@ github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7a
github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c=
github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU=
github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
Expand Down Expand Up @@ -245,6 +249,7 @@ github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hf
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y=
github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
Expand Down Expand Up @@ -324,6 +329,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/kubernetes-csi/csi-lib-utils v0.10.0/go.mod h1:BmGZZB16L18+9+Lgg9YWwBKfNEHIDdgGfAyuW6p2NV0=
github.com/kubernetes-csi/csi-test/v4 v4.2.0/go.mod h1:HuWP7lCCJzehodzd4kO170soxqgzSQHZ5Jbp1pKPlmA=
github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM=
github.com/lightstep/lightstep-tracer-go v0.18.1/go.mod h1:jlF1pusYV4pidLvZ+XD0UBX0ZE6WURAspgAczcDHrL4=
github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ=
Expand Down Expand Up @@ -354,6 +361,7 @@ github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJ
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
github.com/montanaflynn/stats v0.6.6/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
Expand Down Expand Up @@ -408,6 +416,7 @@ github.com/performancecopilot/speed v3.0.0+incompatible/go.mod h1:/CLtqpZ5gBg1M9
github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0jef7pBehbT1qWhCMrIgbYNnFAZCqQ5LRc=
github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4/go.mod h1:N6UoU20jOqggOuDwUaBQpluzLNDqif3kq9z2wpdYEfQ=
github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -1,6 +1,6 @@
dependencies:
- name: secrets-store-csi-driver
repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
version: 1.0.1
digest: sha256:bf0bde14adcdbfa6e9b8379ad9fb13e93ee7682c64ceb5209b45d75244c582b2
generated: "2022-01-14T01:06:20.678326867Z"
version: 1.1.0-rc.0
digest: sha256:0a537d796293991703428dbadf2d57501f6cd7e5aa975904bf21c58c07d4a012
generated: "2022-02-08T23:08:26.9052764Z"
Expand Up @@ -13,5 +13,5 @@ maintainers:
dependencies:
- name: secrets-store-csi-driver
repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
version: 1.0.1
version: 1.1.0-rc.0
condition: secrets-store-csi-driver.install
Expand Up @@ -120,15 +120,15 @@ The following table lists the configurable parameters of the csi-secrets-store-p
| `secrets-store-csi-driver.linux.metricsAddr` | The address the metric endpoint binds to | `:8080` |
| `secrets-store-csi-driver.linux.image.repository` | Driver Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` |
| `secrets-store-csi-driver.linux.image.pullPolicy` | Driver Linux image pull policy | `IfNotPresent` |
| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.0.1` |
| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.1.0-rc.0` |
| `secrets-store-csi-driver.linux.registrarImage.repository` | Driver Linux node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` |
| `secrets-store-csi-driver.linux.registrarImage.pullPolicy` | Driver Linux node-driver-registrar image pull policy | `IfNotPresent` |
| `secrets-store-csi-driver.linux.registrarImage.tag` | Driver Linux node-driver-registrar image tag | `v2.4.0` |
| `secrets-store-csi-driver.linux.livenessProbeImage.repository` | Driver Linux liveness-probe image repository | `mcr.microsoft.com/oss/kubernetes-csi/livenessprobe` |
| `secrets-store-csi-driver.linux.livenessProbeImage.pullPolicy` | Driver Linux liveness-probe image pull policy | `IfNotPresent` |
| `secrets-store-csi-driver.linux.livenessProbeImage.tag` | Driver Linux liveness-probe image tag | `v2.5.0` |
| `secrets-store-csi-driver.linux.crds.image.repository` | Driver CRDs Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds` |
| `secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.0.1` |
| `secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.1.0-rc.0` |
| `secrets-store-csi-driver.linux.crds.image.pullPolicy` | Driver CRDs Linux image pull policy | `IfNotPresent` |
| `secrets-store-csi-driver.windows.enabled` | Install secrets-store-csi-driver on windows nodes | false |
| `secrets-store-csi-driver.windows.kubeletRootDir` | Configure the kubelet root dir | `C:\var\lib\kubelet` |
Expand All @@ -146,6 +146,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p
| `secrets-store-csi-driver.rotationPollInterval` | Secret rotation poll interval duration | `2m` |
| `secrets-store-csi-driver.filteredWatchSecret` | Enable filtered watch for NodePublishSecretRef secrets with label `secrets-store.csi.k8s.io/used=true`. Refer to [doc](https://secrets-store-csi-driver.sigs.k8s.io/load-tests.html) for more details | `true` |
| `secrets-store-csi-driver.syncSecret.enabled` | Enable rbac roles and bindings required for syncing to Kubernetes native secrets | `false` |
| `secrets-store-csi-driver.tokenRequests` | Token requests configuration for the csi driver. Refer to [doc](https://kubernetes-csi.github.io/docs/token-requests.html) for more info. | `[audience: api://AzureADTokenExchange]` |
| `rbac.install` | Install default service account | true |
| `rbac.pspEnabled` | If `true`, create and use a restricted pod security policy for Secrets Store CSI Driver AKV provider pod(s) | false |
| `constructPEMChain` | Explicitly reconstruct the pem chain in the order: SERVER, INTERMEDIATE, ROOT | `true` |
Expand Up @@ -120,7 +120,7 @@ secrets-store-csi-driver:
metricsAddr: ":8080"
image:
repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver
tag: v1.0.1
tag: v1.1.0-rc.0
pullPolicy: IfNotPresent
registrarImage:
repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar
Expand All @@ -142,7 +142,7 @@ secrets-store-csi-driver:
metricsAddr: ":8080"
image:
repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver
tag: v1.0.1
tag: v1.1.0-rc.0
pullPolicy: IfNotPresent
registrarImage:
repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar
Expand All @@ -161,6 +161,9 @@ secrets-store-csi-driver:
syncSecret:
enabled: false

tokenRequests:
- audience: api://AzureADTokenExchange

## Install default service account
rbac:
install: true
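Review bot: The chart's shipped default driver image tag is now a release candidate (`v1.1.0-rc.0`), so anyone installing this chart version gets a pre-release driver by default; if that is intended only until the driver GA, say so next to the tag, e.g. `# rc needed for tokenRequests support; move to v1.1.0 once released`. The new `tokenRequests` block also deserves a why-comment, since per the README row added in this commit it is the driver-side setting that causes a projected service-account token to be requested and passed to this provider: `# Request a projected SA token with this audience and hand it to the provider (required for workload identity mode)`, keeping `api://AzureADTokenExchange` as the audience value. values.yaml is what operators read when overriding, so the rationale belongs here as well as in the README.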