diff --git a/Makefile b/Makefile
index 48c6d67..c38e0dd 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@ REGISTRY ?= mcr.microsoft.com/oss/azure/workload-identity
PROXY_IMAGE_NAME := proxy
INIT_IMAGE_NAME := proxy-init
WEBHOOK_IMAGE_NAME := webhook
-IMAGE_VERSION ?= v0.15.0
+IMAGE_VERSION ?= v1.0.0-alpha.0
ORG_PATH := github.com/Azure
PROJECT_NAME := azure-workload-identity
diff --git a/charts/workload-identity-webhook/Chart.yaml b/charts/workload-identity-webhook/Chart.yaml
index 6126592..a235491 100644
--- a/charts/workload-identity-webhook/Chart.yaml
+++ b/charts/workload-identity-webhook/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
name: workload-identity-webhook
description: A Helm chart to install the azure-workload-identity webhook
type: application
-version: 0.15.0
-appVersion: v0.15.0
+version: 1.0.0-alpha.0
+appVersion: v1.0.0-alpha.0
home: https://github.com/Azure/azure-workload-identity
sources:
- https://github.com/Azure/azure-workload-identity
diff --git a/charts/workload-identity-webhook/README.md b/charts/workload-identity-webhook/README.md
index 02edbd9..8fa38cb 100644
--- a/charts/workload-identity-webhook/README.md
+++ b/charts/workload-identity-webhook/README.md
@@ -29,32 +29,29 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide
## Parameters
-| Parameter | Description | Default |
-| :------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------ |
-| replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` |
-| image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
-| image.pullPolicy | Image pullPolicy | `IfNotPresent` |
-| image.release | The image release tag to use | Current release version: `v0.15.0` |
-| imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` |
-| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
-| arcCluster | Specify if it runs on Arc cluster | `false` |
-| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi |
-| affinity | The node affinity to use for pod scheduling | `{}` |
-| tolerations | The tolerations to use for pod scheduling | `[]` |
-| service.type | Service type | `ClusterIP` |
-| service.port | Service port | `443` |
-| service.targetPort | Service target port | `9443` |
-| azureTenantID | [**REQUIRED**] Azure tenant ID | `` |
-| azureEnvironment | Azure Environment | `AzurePublicCloud` |
-| logEncoder | The log encoder to use for the webhook manager (`json`, `console`) | `console` |
-| metricsAddr | The address to bind the metrics server to | `:8095` |
-| metricsBackend | The metrics backend to use (`prometheus`) | `prometheus` |
-| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook. Default is `Ignore` and it's safe. Setting this to fail closed could cause cluster outage when webhook is not available. 
| `Ignore` |
-| priorityClassName | The priority class name for webhook manager | `system-cluster-critical` |
-| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. | `` |
-| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` |
-| podLabels | The labels to add to the azure-workload-identity webhook pods | `{}` |
-| mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` |
+| Parameter | Description | Default |
+| :------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------ |
+| replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` |
+| image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
+| image.pullPolicy | Image pullPolicy | `IfNotPresent` |
+| image.release | The image release tag to use | Current release version: `v1.0.0-alpha.0` |
+| imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` |
+| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
+| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi |
+| affinity | The node affinity to use for pod scheduling | `{}` |
+| tolerations | The tolerations to use for pod scheduling | `[]` |
+| service.type | Service type | `ClusterIP` |
+| service.port | Service port | `443` |
+| service.targetPort | Service target port | `9443` |
+| azureTenantID | [**REQUIRED**] Azure tenant ID | `` |
+| azureEnvironment | Azure Environment | `AzurePublicCloud` |
+| logLevel | The log level to use for the webhook manager. 
In order of increasing verbosity: unset (empty string), info, debug, trace and all. | `info` |
+| metricsAddr | The address to bind the metrics server to | `:8095` |
+| metricsBackend | The metrics backend to use (`prometheus`) | `prometheus` |
+| priorityClassName | The priority class name for webhook manager | `system-cluster-critical` |
+| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` |
+| podLabels | The labels to add to the azure-workload-identity webhook pods | `{}` |
+| mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` |
## Contributing Changes
diff --git a/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml b/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml
index 0841172..80e5d06 100644
--- a/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml
+++ b/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml
@@ -29,8 +29,7 @@ spec:
{{- toYaml .Values.affinity | nindent 8 }}
containers:
- args:
- --arc-cluster={{ .Values.arcCluster }}
- --log-encoder={{ .Values.logEncoder }}
+ - --log-level={{ .Values.logLevel }}
- --metrics-addr={{ .Values.metricsAddr }}
- --metrics-backend={{ .Values.metricsBackend }}
command:
@@ -47,9 +46,12 @@ spec:
image: '{{ .Values.image.repository }}:{{ .Values.image.release }}'
imagePullPolicy: '{{ .Values.image.pullPolicy }}'
livenessProbe:
+ failureThreshold: 6
httpGet:
path: /healthz
port: healthz
+ initialDelaySeconds: 15
+ periodSeconds: 20
name: manager
ports:
- containerPort: {{ trimPrefix ":" .Values.metricsAddr }}
@@ -65,6 +67,8 @@ spec:
httpGet:
path: /readyz
port: healthz
+ initialDelaySeconds: 5
+ periodSeconds: 5
resources:
{{- toYaml .Values.resources | nindent 10 }}
securityContext:
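Review bot: The readiness probe in the last hunk gets `periodSeconds: 5` but no `failureThreshold`, so the Kubernetes default of 3 applies (roughly 15 s before a wedged replica leaves the Service endpoints), while the liveness probe is deliberately lenient at `failureThreshold: 6` × `periodSeconds: 20`; since this same commit fixes the webhook's `failurePolicy` to `Fail`, a window with no Ready replica now means every pod labeled `azure.workload.identity/use=true` is rejected at admission, so that trade-off deserves to be spelled out in the template. I would put `# readiness fails fast (3 x 5s) so a bad replica drops out of the endpoint set quickly; liveness is lenient (6 x 20s) to avoid restart storms - admission fails closed while no replica is Ready` above `livenessProbe:`. I can't see whether the chart also ships a PodDisruptionBudget or pod anti-affinity for the two replicas; if it does not, a single node drain can leave zero Ready endpoints until a replica is rescheduled, and that guard belongs alongside this change. The container spec this hunk edits continues outside the hunk.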
diff --git a/charts/workload-identity-webhook/templates/azure-wi-webhook-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/charts/workload-identity-webhook/templates/azure-wi-webhook-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
index 9236ff7..309ad67 100644
--- a/charts/workload-identity-webhook/templates/azure-wi-webhook-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
+++ b/charts/workload-identity-webhook/templates/azure-wi-webhook-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
@@ -18,11 +18,13 @@ webhooks:
name: azure-wi-webhook-webhook-service
namespace: '{{ .Release.Namespace }}'
path: /mutate-v1-pod
- failurePolicy: {{ .Values.mutatingWebhookFailurePolicy }}
+ failurePolicy: Fail
matchPolicy: Equivalent
name: mutation.azure-workload-identity.io
namespaceSelector: {{- toYaml .Values.mutatingWebhookNamespaceSelector | nindent 4 }}
- objectSelector: {{- toYaml .Values.mutatingWebhookObjectSelector | nindent 4 }}
+ objectSelector:
+ matchLabels:
+ azure.workload.identity/use: "true"
rules:
- apiGroups:
- ""
diff --git a/charts/workload-identity-webhook/values.yaml b/charts/workload-identity-webhook/values.yaml
index 542d0c0..f68f8ef 100644
--- a/charts/workload-identity-webhook/values.yaml
+++ b/charts/workload-identity-webhook/values.yaml
@@ -7,11 +7,10 @@ image:
repository: mcr.microsoft.com/oss/azure/workload-identity/webhook
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
- release: v0.15.0
+ release: v1.0.0-alpha.0
imagePullSecrets: []
nodeSelector:
kubernetes.io/os: linux
-arcCluster: false
resources:
limits:
cpu: 100m
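Review bot: `failurePolicy: Fail` is the right default for an identity-injecting webhook — with `Ignore`, a webhook outage let a labeled pod start without its mutation and nothing surfaced it — but the hunk hard-codes it with no comment on why the knob was removed or what bounds the blast radius. The bound is the new `objectSelector`: only pods carrying exactly `azure.workload.identity/use: "true"` are sent to the webhook, so unlabeled workloads and the webhook's own pods (`podLabels` defaults to `{}`) are never fail-closed, and a comment above `failurePolicy: Fail` should say so, e.g. `# Fail closed: a labeled pod must not run without mutation. Scoped by the objectSelector below, so only opted-in pods are affected; never give the webhook's own pods this label.` Since `matchLabels` is an exact string match, `"True"` or `"1"` silently do not opt in, which is worth a line in the chart README next to `mutatingWebhookNamespaceSelector` — now the only remaining scoping knob, still defaulting to `{}`, so operators who label pods in kube-system or the release namespace should be told to exclude those namespaces there.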
@@ -27,12 +26,10 @@ service:
targetPort: 9443
azureEnvironment: AzurePublicCloud
azureTenantID:
-logEncoder: console
+logLevel: info
metricsAddr: ":8095"
metricsBackend: prometheus
-mutatingWebhookFailurePolicy: Ignore
priorityClassName: system-cluster-critical
-mutatingWebhookObjectSelector: {}
mutatingWebhookAnnotations: {}
podLabels: {}
mutatingWebhookNamespaceSelector: {}
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
index 996bf71..e524572 100644
--- a/config/manager/kustomization.yaml
+++ b/config/manager/kustomization.yaml
@@ -5,7 +5,7 @@ kind: Kustomization
images:
- name: manager
newName: mcr.microsoft.com/oss/azure/workload-identity/webhook
- newTag: v0.15.0
+ newTag: v1.0.0-alpha.0
configMapGenerator:
- literals:
- AZURE_TENANT_ID="${AZURE_TENANT_ID}"
diff --git a/deploy/azure-wi-webhook.yaml b/deploy/azure-wi-webhook.yaml
index 0d22f6c..4992349 100644
--- a/deploy/azure-wi-webhook.yaml
+++ b/deploy/azure-wi-webhook.yaml
@@ -156,7 +156,7 @@ spec:
spec:
containers:
- args:
- --arc-cluster=${ARC_CLUSTER:-false}
+ - --log-level=info
command:
- /manager
env:
@@ -168,12 +168,15 @@ spec:
envFrom:
- configMapRef:
name: azure-wi-webhook-config
- image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v0.15.0
+ image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v1.0.0-alpha.0
imagePullPolicy: IfNotPresent
livenessProbe:
+ failureThreshold: 6
httpGet:
path: /healthz
port: healthz
+ initialDelaySeconds: 15
+ periodSeconds: 20
name: manager
ports:
- containerPort: 9443
@@ -189,6 +192,8 @@ spec:
httpGet:
path: /readyz
port: healthz
+ initialDelaySeconds: 5
+ periodSeconds: 5
resources:
limits:
cpu: 100m
@@ -237,7 +242,6 @@ spec:
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
- creationTimestamp: null
labels:
azure-workload-identity.io/system: "true"
name: azure-wi-webhook-mutating-webhook-configuration
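Review bot: Four values a v0.15.0 user may have in their overrides — `arcCluster`, `logEncoder`, `mutatingWebhookFailurePolicy`, `mutatingWebhookObjectSelector` — disappear in this hunk and the one above it, and Helm does not reject unknown keys unless the chart ships a `values.schema.json`, so `helm upgrade` with an old values file will silently ignore them; in particular an explicit `mutatingWebhookFailurePolicy: Ignore` is dropped on the floor while the template now fails closed. I can't see a `values.schema.json` in this commit; if there isn't one, add one so stale keys error out, or at minimum leave a comment at the top of `values.yaml`: `# Removed in v1.0.0: arcCluster, logEncoder (use logLevel), mutatingWebhookFailurePolicy (now always Fail), mutatingWebhookObjectSelector (now fixed to azure.workload.identity/use="true")`. The README table in this commit only lists the surviving parameters, so this file is the one place an upgrading operator would notice.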
@@ -250,9 +254,12 @@ webhooks:
name: azure-wi-webhook-webhook-service
namespace: azure-workload-identity-system
path: /mutate-v1-pod
- failurePolicy: Ignore
+ failurePolicy: Fail
matchPolicy: Equivalent
name: mutation.azure-workload-identity.io
+ objectSelector:
+ matchLabels:
+ azure.workload.identity/use: "true"
rules:
- apiGroups:
- ""
diff --git a/docs/book/src/installation/mutating-admission-webhook.md b/docs/book/src/installation/mutating-admission-webhook.md
index 2488e4d..34c81fa 100644
--- a/docs/book/src/installation/mutating-admission-webhook.md
+++ b/docs/book/src/installation/mutating-admission-webhook.md
@@ -73,7 +73,7 @@ The deployment YAML contains the environment variables we defined above and we r
Install the webhook using the deployment YAML via `kubectl apply -f` and `envsubst`:
```bash
-curl -sL https://github.com/Azure/azure-workload-identity/releases/download/v0.15.0/azure-wi-webhook.yaml | envsubst | kubectl apply -f -
+curl -sL https://github.com/Azure/azure-workload-identity/releases/download/v1.0.0-alpha.0/azure-wi-webhook.yaml | envsubst | kubectl apply -f -
```
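Review bot: In the static manifest there is no override at all, so `failurePolicy: Fail` plus the new `objectSelector` is what every `curl | envsubst | kubectl apply` install gets, yet the docs hunk in this same commit only bumps the release URL and never says that installs now fail closed for pods labeled `azure.workload.identity/use: "true"`. A one-line comment on the `failurePolicy: Fail` line would make the manifest self-explaining to anyone who reads it before applying: `# Fail closed for labeled pods only; unlabeled pods and the webhook's own pods are never sent here (see objectSelector)`. If this file is generated from the kustomize sources under `config/` (the `manifest_staging` copy carries the same hunk), the comment and the docs note need to go into that source, which is outside this diff.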
diff --git a/examples/migration/pod-with-proxy-init-and-proxy-sidecar.yaml b/examples/migration/pod-with-proxy-init-and-proxy-sidecar.yaml
index 42f2e5d..c8d9a76 100644
--- a/examples/migration/pod-with-proxy-init-and-proxy-sidecar.yaml
+++ b/examples/migration/pod-with-proxy-init-and-proxy-sidecar.yaml
@@ -8,7 +8,7 @@ spec:
serviceAccountName: workload-identity-sa
initContainers:
- name: init-networking
- image: mcr.microsoft.com/oss/azure/workload-identity/proxy-init:v0.15.0
+ image: mcr.microsoft.com/oss/azure/workload-identity/proxy-init:v1.0.0-alpha.0
securityContext:
capabilities:
add:
@@ -26,6 +26,6 @@ spec:
ports:
- containerPort: 80
- name: proxy
- image: mcr.microsoft.com/oss/azure/workload-identity/proxy:v0.15.0
+ image: mcr.microsoft.com/oss/azure/workload-identity/proxy:v1.0.0-alpha.0
ports:
- containerPort: 8000
diff --git a/manifest_staging/charts/workload-identity-webhook/Chart.yaml b/manifest_staging/charts/workload-identity-webhook/Chart.yaml
index 6126592..a235491 100644
--- a/manifest_staging/charts/workload-identity-webhook/Chart.yaml
+++ b/manifest_staging/charts/workload-identity-webhook/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
name: workload-identity-webhook
description: A Helm chart to install the azure-workload-identity webhook
type: application
-version: 0.15.0
-appVersion: v0.15.0
+version: 1.0.0-alpha.0
+appVersion: v1.0.0-alpha.0
home: https://github.com/Azure/azure-workload-identity
sources:
- https://github.com/Azure/azure-workload-identity
diff --git a/manifest_staging/charts/workload-identity-webhook/README.md b/manifest_staging/charts/workload-identity-webhook/README.md
index 894cd75..8fa38cb 100644
--- a/manifest_staging/charts/workload-identity-webhook/README.md
+++ b/manifest_staging/charts/workload-identity-webhook/README.md
@@ -34,7 +34,7 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide
| replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` |
| image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
| image.pullPolicy | Image pullPolicy | `IfNotPresent` |
-| image.release | The image release tag to use | Current release version: `v0.15.0` |
+| image.release | The image release tag to use | Current release version: `v1.0.0-alpha.0` |
| imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` |
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi |
diff --git a/manifest_staging/charts/workload-identity-webhook/values.yaml b/manifest_staging/charts/workload-identity-webhook/values.yaml
index 29a341e..f68f8ef 100644
--- a/manifest_staging/charts/workload-identity-webhook/values.yaml
+++ b/manifest_staging/charts/workload-identity-webhook/values.yaml
@@ -7,7 +7,7 @@ image:
repository: mcr.microsoft.com/oss/azure/workload-identity/webhook
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
- release: v0.15.0
+ release: v1.0.0-alpha.0
imagePullSecrets: []
nodeSelector:
kubernetes.io/os: linux
diff --git a/manifest_staging/deploy/azure-wi-webhook.yaml b/manifest_staging/deploy/azure-wi-webhook.yaml
index ecc2c0c..4992349 100644
--- a/manifest_staging/deploy/azure-wi-webhook.yaml
+++ b/manifest_staging/deploy/azure-wi-webhook.yaml
@@ -168,7 +168,7 @@ spec:
envFrom:
- configMapRef:
name: azure-wi-webhook-config
- image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v0.15.0
+ image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v1.0.0-alpha.0
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
diff --git a/pkg/cmd/podidentity/detect.go b/pkg/cmd/podidentity/detect.go
index 1c5f6b6..8c86f0d 100644
--- a/pkg/cmd/podidentity/detect.go
+++ b/pkg/cmd/podidentity/detect.go
@@ -35,7 +35,7 @@ var (
const (
imageRepository = "mcr.microsoft.com/oss/azure/workload-identity"
- imageTag = "v0.15.0"
+ imageTag = "v1.0.0-alpha.0"
proxyInitImageName = "proxy-init"
proxyImageName = "proxy"
diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/Chart.yaml b/third_party/open-policy-agent/gatekeeper/helmify/static/Chart.yaml
index 6126592..a235491 100644
--- a/third_party/open-policy-agent/gatekeeper/helmify/static/Chart.yaml
+++ b/third_party/open-policy-agent/gatekeeper/helmify/static/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
name: workload-identity-webhook
description: A Helm chart to install the azure-workload-identity webhook
type: application
-version: 0.15.0
-appVersion: v0.15.0
+version: 1.0.0-alpha.0
+appVersion: v1.0.0-alpha.0
home: https://github.com/Azure/azure-workload-identity
sources:
- https://github.com/Azure/azure-workload-identity
diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/README.md b/third_party/open-policy-agent/gatekeeper/helmify/static/README.md
index 894cd75..8fa38cb 100644
--- a/third_party/open-policy-agent/gatekeeper/helmify/static/README.md
+++ b/third_party/open-policy-agent/gatekeeper/helmify/static/README.md
@@ -34,7 +34,7 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide
| replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` |
| image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
| image.pullPolicy | Image pullPolicy | `IfNotPresent` |
-| image.release | The image release tag to use | Current release version: `v0.15.0` |
+| image.release | The image release tag to use | Current release version: `v1.0.0-alpha.0` |
| imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` |
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi |
diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml b/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml
index 29a341e..f68f8ef 100644
--- a/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml
+++ b/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml
@@ -7,7 +7,7 @@ image:
repository: mcr.microsoft.com/oss/azure/workload-identity/webhook
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
- release: v0.15.0
+ release: v1.0.0-alpha.0
imagePullSecrets: []
nodeSelector:
kubernetes.io/os: linux