* feat: make update user msi calls retriable
* Add stats support if an error occurs when updating user msi
* Add e2e test case
* Address PR comments
* Add an additional test case
* Apply linting rule
Fix typos
Fix swallowed errors
Report Metrics reporter errors
Remove unused/dead code
Properly goimports/gofmt files
Rename stats.StatsType to stats.Type
Add lint to CI
Update golangci-lint to v1.27
Bump go version to 1.14.2, auto update minor versions in Docker
Fix: #571
* update docs and manifests for 1.6
* generate helm package and index
* add intro to managed mode
* Review feedback
* update release to 1.6.0
* add changelog for 1.6
* add force namespaced mode to doc and warning for upgrade
* add MIC_POD_NAMESPACE env var to all manifests
* Update README.msi.md
Added a note to ensure that the user assigned identity is also granted the VM Contributor role due to the following error:
Updating msis on node aks-cyclecloud-22900616-vmss, add [1], del [0] failed with error compute.VirtualMachineScaleSetsClient#CreateOrUpdate: Failure sending request: StatusCode=403 -- Original Error: Code="LinkedAuthorizationFailed" Message="The client 'd101b0e0-f10e-4e17-996f-b7c7cb70c6d9' with object id 'd101b0e0-f10e-4e17-996f-b7c7cb70c6d9' has permission to perform action 'Microsoft.Compute/virtualMachineScaleSets/write' on scope '/subscriptions/72b61f0d-9bea-401f-ba03-2053af77b5e7/resourceGroups/dapolina-aks-s1-nodes/providers/Microsoft.Compute/virtualMachineScaleSets/aks-cyclecloud-22900616-vmss'; however, it does not have permission to perform action 'Microsoft.Network/virtualNetworks/subnets/join/action' on the linked scope(s) '/subscriptions/72b61f0d-9bea-401f-ba03-2053af77b5e7/resourceGroups/AzureHubVNET/providers/Microsoft.Network/virtualNetworks/AzureEUS2VNET1/subnets/AKS-SN2' or the linked scope(s) are invalid."
* Update README.msi.md
Added the link for grant custom roles.
* Updating README.msi.md to account for GA behavior, and to specify min-access requirements
* Updating with PR feedback
* Updating bash command terminology for consistency
* deny requests without metadata header to avoid SSRF
* fix status code and body of IMDS response
* encapsulate metadata-related error into one method
* feature flag for metadata header required
* unit test for msiHandler
* fix issues from comments
* remove useless module
* Typo fix
* remove server header
Co-authored-by: Guoqing Geng <gugeng@microsoft.com>
* Update metrics name and refactor
* update go mod
* add imds op views and update buckets
* update measurement
* update metrics readme
* update bucket size
* add unit tests
* First draft to expose
prometheus metrics for monitoring
* Exposed metrics for Cloudprovider, k8s operations
* Moved to OpenCensus metrics and prometheusexporter
* Refactored, Added cloud operationduration metric
* adal auth operations to CloudProvider metrics.
Added ns,resource to nmi metrics
Added unit test for metrics
* Update auth.go
Fixing adalTokenFromMSIOperationName in auth
* Adding support for whitelisting of user-defined managed identities
* Fixing pull request comments
* adding example for immutableUserMSIs flags readme
* fixing rebase
* improving helm chart to be more convenient
* improving readme file
* fixing remarks in Readme file
* reverting go.sum changes
* adding e2e test for immutable identity
* refactoring immutable identity test
* fixing e2e test for immutable identity
* Add --block-instance-metadata flag
* Switch from 404 to 403 for blocked requests
* Only block /metadata/instance
* Add message body to 403 response
* Add docs on --block-instance-metadata
* Validation of identity via Gatekeeper
* Enriched logs for validation test in e2e, updating constraint template as per suggestion in comments.
* updating readme.validation with latest constrainttemplate
* fixing typos in validation content.
* Adds support for MIC to authenticate with azure using system assigned or user assigned MSI.
Resolves the item in #261.
This PR adds the capability for MIC to look at azure.json or environment variables
to determine whether the system assigned or user assigned MSI has to be used for accessing
Azure resources. The MIC requests a token based on the MSI. Also contains changes in NMI to determine
if the request is originating from an MIC replicaset. If so, NMI directly generates the tokens
instead of looking up the Azure assigned identity for the pod-binding match.
* Changes to accommodate merge from head of the tree
* Fix merge issues
* Address code reviews
* Refactor code to functions
* Simplify code
* README instructions
* README instructions - iteration 1
* README instructions - update
* README instructions - update
* README instructions - update
* Fix the identity remove from VMSS for system assigned identity only scenarios.
* Doc updates
* Update logging and fix the isMIC parameters
* Add adal TODO
* Address review comments.
* added note on type of AzureIdentity
* Added Tutorial
* Set cluster name with env
* ref upcoming changes in docs
* added commands to check descriptions of azureidentity