Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Migrate from AAD Pod Identity to Workload Identity (Supported by User Managed Identities) & Update AKS Version #326

Merged
merged 43 commits into from
Oct 7, 2022
Merged

Migrate from AAD Pod Identity to Workload Identity (Supported by User Managed Identities) & Update AKS Version #326

merged 43 commits into from
Oct 7, 2022

Conversation

ckittel
Copy link
Member

@ckittel ckittel commented May 27, 2022
edited
Loading

  • Replaced Pod Identity with Workload Identity (with Managed Identity)
    • Moved az cli requirement to the version that supports workload managed identity (if a user needs to manipulate via cli)
    • Removed the manifest files related to pod identity
    • Adjust Azure Policy assignments based on the removal of the pod identity pods
    • Remove the managed identity operator role assignment (yay!)
  • Also upgraded to AKS 1.24.6 (not related to this change, 1.24.0 is no longer supported)
  • Remove the extension manager feature flag (not related to this change, just isn't needed anymore)
  • Updated the azure policy assignment names (not related to this change, just reflecting new output)
  • Updated some resource references to strong references to avoid bicep warnings on newer versions of the bicep linter (QOL)

This was tested end-to-end. 🚢

ckittel added 28 commits May 2, 2022 20:28
@ckittel
WIP changes
bac86fe
@ckittel
Merge branch 'main' into migrate-workload-identity
f60bb89
@ckittel
WIP Checkpoint
2a8a82c
@ckittel
wip
a7012b8
@ckittel
Merge branch 'main' into migrate-workload-identity
b4edd43
@ckittel
add fed cred placeholder
39e2778
@ckittel
Remove uneeded assignment
1834754
@ckittel
Merge branch 'main' into migrate-workload-identity
cbe2906
@ckittel
update pre-reqs
87f44f1
@ckittel
remove AAD Pod Identity bits from bicep and enable workload identity
8753601
@ckittel
update region
8de055d
@ckittel
Add policy exceptions for the new namespace
27750b6
@ckittel
test prometheus metrics for workload identity
17436f8
@ckittel
add placeholders
524f5ce
@ckittel
Get Traefik working
9e55b59
@ckittel
Update version text
205e02b
@ckittel
Merge branch 'main' into migrate-workload-identity
178a678
@ckittel
pod identity scrub
0b14e8f
@ckittel
Merge branch 'main' into migrate-workload-identity
b1bec1c
@ckittel
Stamp file cleanup
ab798dc
@ckittel
Merge branch 'main' into migrate-workload-identity
5602aa3
@ckittel
Merge branch 'main' into migrate-workload-identity
6719930
@ckittel
remove old intro text
f57d07a
@ckittel
realign with main
c51d837
@ckittel
revert spacing changes
0c2570a
@ckittel
revert spacing changes (again)
8f256a5
@ckittel
realign wording with main
d5a5906
@ckittel
Merge branch 'main' into migrate-workload-identity
31501c2
@ckittel ckittel mentioned this pull request May 27, 2022
Closed
@ckittel ckittel changed the title [PREVIEW] [DO NOT MERGE] Migrate from AAD Pod Identity to Workload Identity (Supported by User Managed Identities) Migrate from AAD Pod Identity to Workload Identity (Supported by User Managed Identities) & Update AKS Version Oct 7, 2022
@ckittel ckittel requested a review from hallihan October 7, 2022 16:50
@ckittel ckittel marked this pull request as ready for review October 7, 2022 16:50
hallihan
hallihan approved these changes Oct 7, 2022
View reviewed changes
Copy link
Contributor

@hallihan hallihan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, just a couple of suggestions

04-networking.md Outdated
@@ -85,7 +85,7 @@ The following two resource groups will be created and populated with networking
The spoke creation will emit the following:

* `appGwPublicIpAddress` - The Public IP address of the Azure Application Gateway (WAF) that will receive traffic for your workload.
* `clusterVnetResourceId` - The resource ID of the VNet that the cluster will land in. E.g. `/subscriptions/[id]/resourceGroups/rg-enterprise-networking-spokes/providers/Microsoft.Network/virtualNetworks/vnet-spoke-BU0001A0008-00`
* `clusterVnetResourceId` - The resource ID of the Virtual network that the cluster, App Gateway, and related will be deployed in. E.g. `/subscriptions/[id]/resourceGroups/rg-enterprise-networking-spokes/providers/Microsoft.Network/virtualNetworks/vnet-spoke-BU0001A0008-00`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* `clusterVnetResourceId` - The resource ID of the Virtual network that the cluster, App Gateway, and related will be deployed in. E.g. `/subscriptions/[id]/resourceGroups/rg-enterprise-networking-spokes/providers/Microsoft.Network/virtualNetworks/vnet-spoke-BU0001A0008-00`
* `clusterVnetResourceId` - The resource ID of the Virtual network where the cluster, App Gateway, and related will be deployed. E.g. `/subscriptions/[id]/resourceGroups/rg-enterprise-networking-spokes/providers/Microsoft.Network/virtualNetworks/vnet-spoke-BU0001A0008-00`

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good reword, update will be coming shortly.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Resolved in: 3f30586

cluster-stamp.bicep Outdated
@@ -1558,7 +1546,7 @@ resource kvPodMiIngressControllerSecretsUserRole_roleAssignment 'Microsoft.Autho
}
}

// Grant the AKS cluster ingress controller pod managed identity with key vault reader role permissions; this allows our ingress controller to pull certificates
// Grant the AKS cluster ingress controller managed workload identity with key vault reader role permissions; this allows our ingress controller to pull certificates
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For consistency with above:

Suggested change
// Grant the AKS cluster ingress controller managed workload identity with key vault reader role permissions; this allows our ingress controller to pull certificates
// Grant the AKS cluster ingress controller's managed workload identity with key vault reader role permissions; this allows our ingress controller to pull certificates.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Resolved in: 3f30586

RobBagby
RobBagby reviewed Oct 7, 2022
View reviewed changes
04-networking.md Outdated
@@ -85,7 +85,7 @@ The following two resource groups will be created and populated with networking
The spoke creation will emit the following:

* `appGwPublicIpAddress` - The Public IP address of the Azure Application Gateway (WAF) that will receive traffic for your workload.
* `clusterVnetResourceId` - The resource ID of the VNet that the cluster will land in. E.g. `/subscriptions/[id]/resourceGroups/rg-enterprise-networking-spokes/providers/Microsoft.Network/virtualNetworks/vnet-spoke-BU0001A0008-00`
* `clusterVnetResourceId` - The resource ID of the Virtual network that the cluster, App Gateway, and related will be deployed in. E.g. `/subscriptions/[id]/resourceGroups/rg-enterprise-networking-spokes/providers/Microsoft.Network/virtualNetworks/vnet-spoke-BU0001A0008-00`
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you missing a noun after related? The related what will be deployed?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch, update will be coming shortly.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Resolved in: 3f30586

@ckittel
Copy link
Member Author

ckittel commented Oct 7, 2022

Thanks all for the review. If there is anything else, just let me know and I'll catch it in a follow-up PR.

@ckittel ckittel merged commit 2fd6486 into main Oct 7, 2022
@ckittel ckittel deleted the migrate-workload-identity branch October 7, 2022 17:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hallihan hallihan hallihan approved these changes

@RobBagby RobBagby RobBagby approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@ckittel @hallihan @RobBagby