Azure
/
azure-workload-identity
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

release: update manifest and helm charts for v1.0.0-alpha.0 (#740) 

Co-authored-by: aramase <aramase@users.noreply.github.com>
This commit is contained in:
github-actions[bot] 2023-02-08 18:17:59 +00:00 коммит произвёл GitHub
Родитель 27e585ae65
Коммит 8f241bd6d2
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
18 изменённых файлов: 63 добавлений и 56 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
Makefile
Просмотреть файл

@ -2,7 +2,7 @@ REGISTRY ?= mcr.microsoft.com/oss/azure/workload-identity
PROXY_IMAGE_NAME := proxy
INIT_IMAGE_NAME := proxy-init
WEBHOOK_IMAGE_NAME := webhook
IMAGE_VERSION ?= v0.15.0
IMAGE_VERSION ?= v1.0.0-alpha.0
ORG_PATH := github.com/Azure
PROJECT_NAME := azure-workload-identity

4
charts/workload-identity-webhook/Chart.yaml
Просмотреть файл

@ -2,8 +2,8 @@ apiVersion: v2
name: workload-identity-webhook
description: A Helm chart to install the azure-workload-identity webhook
type: application
version: 0.15.0
appVersion: v0.15.0
version: 1.0.0-alpha.0
appVersion: v1.0.0-alpha.0
home: https://github.com/Azure/azure-workload-identity
sources:
- https://github.com/Azure/azure-workload-identity

49
charts/workload-identity-webhook/README.md
Просмотреть файл

@ -29,32 +29,29 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide
## Parameters
| Parameter | Description | Default |
| :------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------ |
| replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` |
| image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
| image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| image.release | The image release tag to use | Current release version: `v0.15.0` |
| imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` |
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
| arcCluster | Specify if it runs on Arc cluster | `false` |
| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi |
| affinity | The node affinity to use for pod scheduling | `{}` |
| tolerations | The tolerations to use for pod scheduling | `[]` |
| service.type | Service type | `ClusterIP` |
| service.port | Service port | `443` |
| service.targetPort | Service target port | `9443` |
| azureTenantID | [**REQUIRED**] Azure tenant ID | `` |
| azureEnvironment | Azure Environment | `AzurePublicCloud` |
| logEncoder | The log encoder to use for the webhook manager (`json`, `console`) | `console` |
| metricsAddr | The address to bind the metrics server to | `:8095` |
| metricsBackend | The metrics backend to use (`prometheus`) | `prometheus` |
| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook. Default is `Ignore` and it's safe. Setting this to fail closed could cause cluster outage when webhook is not available. | `Ignore` |
| priorityClassName | The priority class name for webhook manager | `system-cluster-critical` |
| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. | `` |
| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` |
| podLabels | The labels to add to the azure-workload-identity webhook pods | `{}` |
| mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` |
| Parameter | Description | Default |
| :------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------ |
| replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` |
| image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
| image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| image.release | The image release tag to use | Current release version: `v1.0.0-alpha.0` |
| imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` |
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi |
| affinity | The node affinity to use for pod scheduling | `{}` |
| tolerations | The tolerations to use for pod scheduling | `[]` |
| service.type | Service type | `ClusterIP` |
| service.port | Service port | `443` |
| service.targetPort | Service target port | `9443` |
| azureTenantID | [**REQUIRED**] Azure tenant ID | `` |
| azureEnvironment | Azure Environment | `AzurePublicCloud` |
| logLevel | The log level to use for the webhook manager. In order of increasing verbosity: unset (empty string), info, debug, trace and all. | `info` |
| metricsAddr | The address to bind the metrics server to | `:8095` |
| metricsBackend | The metrics backend to use (`prometheus`) | `prometheus` |
| priorityClassName | The priority class name for webhook manager | `system-cluster-critical` |
| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` |
| podLabels | The labels to add to the azure-workload-identity webhook pods | `{}` |
| mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` |
## Contributing Changes

8
charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml
Просмотреть файл

@ -29,8 +29,7 @@ spec:
{{- toYaml .Values.affinity | nindent 8 }}
containers:
- args:
- --arc-cluster={{ .Values.arcCluster }}
- --log-encoder={{ .Values.logEncoder }}
- --log-level={{ .Values.logLevel }}
- --metrics-addr={{ .Values.metricsAddr }}
- --metrics-backend={{ .Values.metricsBackend }}
command:
@ -47,9 +46,12 @@ spec:
image: '{{ .Values.image.repository }}:{{ .Values.image.release }}'
imagePullPolicy: '{{ .Values.image.pullPolicy }}'
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: healthz
initialDelaySeconds: 15
periodSeconds: 20
name: manager
ports:
- containerPort: {{ trimPrefix ":" .Values.metricsAddr }}
@ -65,6 +67,8 @@ spec:
httpGet:
path: /readyz
port: healthz
initialDelaySeconds: 5
periodSeconds: 5
resources:
{{- toYaml .Values.resources | nindent 10 }}
securityContext:

6
charts/workload-identity-webhook/templates/azure-wi-webhook-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
Просмотреть файл

@ -18,11 +18,13 @@ webhooks:
name: azure-wi-webhook-webhook-service
namespace: '{{ .Release.Namespace }}'
path: /mutate-v1-pod
failurePolicy: {{ .Values.mutatingWebhookFailurePolicy }}
failurePolicy: Fail
matchPolicy: Equivalent
name: mutation.azure-workload-identity.io
namespaceSelector: {{- toYaml .Values.mutatingWebhookNamespaceSelector | nindent 4 }}
objectSelector: {{- toYaml .Values.mutatingWebhookObjectSelector | nindent 4 }}
objectSelector:
matchLabels:
azure.workload.identity/use: "true"
rules:
- apiGroups:
- ""

7
charts/workload-identity-webhook/values.yaml
Просмотреть файл

@ -7,11 +7,10 @@ image:
repository: mcr.microsoft.com/oss/azure/workload-identity/webhook
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
release: v0.15.0
release: v1.0.0-alpha.0
imagePullSecrets: []
nodeSelector:
kubernetes.io/os: linux
arcCluster: false
resources:
limits:
cpu: 100m
@ -27,12 +26,10 @@ service:
targetPort: 9443
azureEnvironment: AzurePublicCloud
azureTenantID:
logEncoder: console
logLevel: info
metricsAddr: ":8095"
metricsBackend: prometheus
mutatingWebhookFailurePolicy: Ignore
priorityClassName: system-cluster-critical
mutatingWebhookObjectSelector: {}
mutatingWebhookAnnotations: {}
podLabels: {}
mutatingWebhookNamespaceSelector: {}

2
config/manager/kustomization.yaml
Просмотреть файл

@ -5,7 +5,7 @@ kind: Kustomization
images:
- name: manager
newName: mcr.microsoft.com/oss/azure/workload-identity/webhook
newTag: v0.15.0
newTag: v1.0.0-alpha.0
configMapGenerator:
- literals:
- AZURE_TENANT_ID="${AZURE_TENANT_ID}"

15
deploy/azure-wi-webhook.yaml
Просмотреть файл

@ -156,7 +156,7 @@ spec:
spec:
containers:
- args:
- --arc-cluster=${ARC_CLUSTER:-false}
- --log-level=info
command:
- /manager
env:
@ -168,12 +168,15 @@ spec:
envFrom:
- configMapRef:
name: azure-wi-webhook-config
image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v0.15.0
image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v1.0.0-alpha.0
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: healthz
initialDelaySeconds: 15
periodSeconds: 20
name: manager
ports:
- containerPort: 9443
@ -189,6 +192,8 @@ spec:
httpGet:
path: /readyz
port: healthz
initialDelaySeconds: 5
periodSeconds: 5
resources:
limits:
cpu: 100m
@ -237,7 +242,6 @@ spec:
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
creationTimestamp: null
labels:
azure-workload-identity.io/system: "true"
name: azure-wi-webhook-mutating-webhook-configuration
@ -250,9 +254,12 @@ webhooks:
name: azure-wi-webhook-webhook-service
namespace: azure-workload-identity-system
path: /mutate-v1-pod
failurePolicy: Ignore
failurePolicy: Fail
matchPolicy: Equivalent
name: mutation.azure-workload-identity.io
objectSelector:
matchLabels:
azure.workload.identity/use: "true"
rules:
- apiGroups:
- ""

2
docs/book/src/installation/mutating-admission-webhook.md
Просмотреть файл

@ -73,7 +73,7 @@ The deployment YAML contains the environment variables we defined above and we r
Install the webhook using the deployment YAML via `kubectl apply -f` and `envsubst`:
```bash
curl -sL https://github.com/Azure/azure-workload-identity/releases/download/v0.15.0/azure-wi-webhook.yaml | envsubst | kubectl apply -f -
curl -sL https://github.com/Azure/azure-workload-identity/releases/download/v1.0.0-alpha.0/azure-wi-webhook.yaml | envsubst | kubectl apply -f -
```
<details>

4
examples/migration/pod-with-proxy-init-and-proxy-sidecar.yaml
Просмотреть файл

@ -8,7 +8,7 @@ spec:
serviceAccountName: workload-identity-sa
initContainers:
- name: init-networking
image: mcr.microsoft.com/oss/azure/workload-identity/proxy-init:v0.15.0
image: mcr.microsoft.com/oss/azure/workload-identity/proxy-init:v1.0.0-alpha.0
securityContext:
capabilities:
add:
@ -26,6 +26,6 @@ spec:
ports:
- containerPort: 80
- name: proxy
image: mcr.microsoft.com/oss/azure/workload-identity/proxy:v0.15.0
image: mcr.microsoft.com/oss/azure/workload-identity/proxy:v1.0.0-alpha.0
ports:
- containerPort: 8000

4
manifest_staging/charts/workload-identity-webhook/Chart.yaml
Просмотреть файл

@ -2,8 +2,8 @@ apiVersion: v2
name: workload-identity-webhook
description: A Helm chart to install the azure-workload-identity webhook
type: application
version: 0.15.0
appVersion: v0.15.0
version: 1.0.0-alpha.0
appVersion: v1.0.0-alpha.0
home: https://github.com/Azure/azure-workload-identity
sources:
- https://github.com/Azure/azure-workload-identity

2
manifest_staging/charts/workload-identity-webhook/README.md
Просмотреть файл

@ -34,7 +34,7 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide
| replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` |
| image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
| image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| image.release | The image release tag to use | Current release version: `v0.15.0` |
| image.release | The image release tag to use | Current release version: `v1.0.0-alpha.0` |
| imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` |
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi |

2
manifest_staging/charts/workload-identity-webhook/values.yaml
Просмотреть файл

@ -7,7 +7,7 @@ image:
repository: mcr.microsoft.com/oss/azure/workload-identity/webhook
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
release: v0.15.0
release: v1.0.0-alpha.0
imagePullSecrets: []
nodeSelector:
kubernetes.io/os: linux

2
manifest_staging/deploy/azure-wi-webhook.yaml
Просмотреть файл

@ -168,7 +168,7 @@ spec:
envFrom:
- configMapRef:
name: azure-wi-webhook-config
image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v0.15.0
image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v1.0.0-alpha.0
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6

2
pkg/cmd/podidentity/detect.go
Просмотреть файл

@ -35,7 +35,7 @@ var (
const (
imageRepository = "mcr.microsoft.com/oss/azure/workload-identity"
imageTag = "v0.15.0"
imageTag = "v1.0.0-alpha.0"
proxyInitImageName = "proxy-init"
proxyImageName = "proxy"

4
third_party/open-policy-agent/gatekeeper/helmify/static/Chart.yaml поставляемый
Просмотреть файл

@ -2,8 +2,8 @@ apiVersion: v2
name: workload-identity-webhook
description: A Helm chart to install the azure-workload-identity webhook
type: application
version: 0.15.0
appVersion: v0.15.0
version: 1.0.0-alpha.0
appVersion: v1.0.0-alpha.0
home: https://github.com/Azure/azure-workload-identity
sources:
- https://github.com/Azure/azure-workload-identity

2
third_party/open-policy-agent/gatekeeper/helmify/static/README.md поставляемый
Просмотреть файл

@ -34,7 +34,7 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide
| replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` |
| image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
| image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| image.release | The image release tag to use | Current release version: `v0.15.0` |
| image.release | The image release tag to use | Current release version: `v1.0.0-alpha.0` |
| imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` |
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi |

2
third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml поставляемый
Просмотреть файл

@ -7,7 +7,7 @@ image:
repository: mcr.microsoft.com/oss/azure/workload-identity/webhook
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
release: v0.15.0
release: v1.0.0-alpha.0
imagePullSecrets: []
nodeSelector:
kubernetes.io/os: linux