Workload Identity (feature flagged) (#363)

* added Workload Identity Signed-off-by: Gordonby <gordon.byers@microsoft.com> * added deploy param Signed-off-by: Gordonby <gordon.byers@microsoft.com> * typos Signed-off-by: Gordonby <gordon.byers@microsoft.com> Signed-off-by: Gordonby <gordon.byers@microsoft.com>
2022-09-05 16:16:01 +01:00 · 2022-09-05 16:16:01 +01:00 · cf6317e47b
--- a/bicep/main.bicep
+++ b/bicep/main.bicep
@ -890,6 +890,9 @@ param natGwIdleTimeout int = 30
@description('Configures the cluster as an OIDC issuer for use with Workload Identity')
 param oidcIssuer bool = false

+@description('Installs Azure Workload Identity into the cluster')
+param workloadIdentity bool = false
+
@description('System Pool presets are derived from the recommended system pool specs')
 var systemPoolPresets = {
  CostOptimised : {
@ -1090,6 +1093,11 @@ var aksProperties = union({
  oidcIssuerProfile: {
    enabled: oidcIssuer
  }
+  securityProfile: {
+    workloadIdentity: {
+      enabled: workloadIdentity
+    }
+  }
 },
 aksOutboundTrafficType == 'managedNATGateway' ? managedNATGatewayProfile : {},
 defenderForContainers && createLaw ? azureDefenderSecurityProfile : {}
--- a/helper/src/components/addonsTab.js
+++ b/helper/src/components/addonsTab.js
@ -7,6 +7,7 @@ import { adv_stackstyle, hasError, getError } from './common'
 export default function ({ tabValues, updateFn, featureFlag, invalidArray }) {
    const { addons, net } = tabValues
    const osmFeatureFlag = featureFlag.includes('osm')
+    const wiFeatureFlag = featureFlag.includes('workloadId')
    return (
        <Stack tokens={{ childrenGap: 15 }} styles={adv_stackstyle}>

@ -369,6 +370,19 @@ export default function ({ tabValues, updateFn, featureFlag, invalidArray }) {
                <Checkbox styles={{ root: { marginLeft: '50px' } }} inputProps={{ "data-testid": "addons-osm-Checkbox"}} checked={addons.openServiceMeshAddon} onChange={(ev, v) => updateFn("openServiceMeshAddon", v)} label="Install the Open Service Mesh AddOn" />
            </Stack.Item>

+            { wiFeatureFlag &&
+            <>
+                <Separator className="notopmargin" />
+
+                <Stack.Item align="start">
+                    <Label required={true}>
+                        Workload Identity : Enable Azure Workload Identity on the AKS Cluster
+                        (<a target="_new" href="https://github.com/Azure/azure-workload-identity">project</a>)
+                    </Label>
+                    <Checkbox styles={{ root: { marginLeft: '50px' } }} inputProps={{ "data-testid": "addons-workloadIdentity-Checkbox"}} checked={addons.workloadIdentity} onChange={(ev, v) => updateFn("workloadIdentity", v)} label="Install Workload Identity" />
+                </Stack.Item>
+            </>}
+
            <Separator className="notopmargin" />

            <Stack.Item align="start">
--- a/helper/src/components/deployTab.js
+++ b/helper/src/components/deployTab.js
@ -115,6 +115,7 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray,
      })
    }),
    ...(defaults.addons.kedaAddon !== addons.kedaAddon && {kedaAddon: addons.kedaAddon }),
+    ...(defaults.addons.workloadIdentity !== addons.workloadIdentity && {workloadIdentity: addons.workloadIdentity }),
    ...(urlParams.getAll('feature').includes('defender') && cluster.DefenderForContainers !== defaults.cluster.DefenderForContainers && { DefenderForContainers: cluster.DefenderForContainers })
  }

--- a/helper/src/config.json
+++ b/helper/src/config.json
@ -56,6 +56,7 @@
            "networkPolicy": "none",
            "kedaAddon": false,
            "openServiceMeshAddon": false,
+            "workloadIdentity": false,
            "denydefaultNetworkPolicy": false,
            "azurepolicy": "none",
            "azurePolicyInitiative": "Baseline",