
release: update manifest and helm charts for v1.0.0-alpha.0 (#740)

Co-authored-by: aramase <aramase@users.noreply.github.com>
github-actions[bot] 2023-02-08 18:17:59 +00:00 committed by GitHub
Parent 27e585ae65
Commit 8f241bd6d2
No key found matching this signature
GPG key ID: 4AEE18F83AFDEB23
18 changed files: 63 additions and 56 deletions

View file

@ -2,7 +2,7 @@ REGISTRY ?= mcr.microsoft.com/oss/azure/workload-identity
PROXY_IMAGE_NAME := proxy PROXY_IMAGE_NAME := proxy
INIT_IMAGE_NAME := proxy-init INIT_IMAGE_NAME := proxy-init
WEBHOOK_IMAGE_NAME := webhook WEBHOOK_IMAGE_NAME := webhook
IMAGE_VERSION ?= v0.15.0 IMAGE_VERSION ?= v1.0.0-alpha.0
ORG_PATH := github.com/Azure ORG_PATH := github.com/Azure
PROJECT_NAME := azure-workload-identity PROJECT_NAME := azure-workload-identity

View file

@ -2,8 +2,8 @@ apiVersion: v2
name: workload-identity-webhook name: workload-identity-webhook
description: A Helm chart to install the azure-workload-identity webhook description: A Helm chart to install the azure-workload-identity webhook
type: application type: application
version: 0.15.0 version: 1.0.0-alpha.0
appVersion: v0.15.0 appVersion: v1.0.0-alpha.0
home: https://github.com/Azure/azure-workload-identity home: https://github.com/Azure/azure-workload-identity
sources: sources:
- https://github.com/Azure/azure-workload-identity - https://github.com/Azure/azure-workload-identity

View file

@ -29,32 +29,29 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide
## Parameters ## Parameters
| Parameter | Description | Default | | Parameter | Description | Default |
| :------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------ | | :------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------ |
| replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` | | replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` |
| image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` | | image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
| image.pullPolicy | Image pullPolicy | `IfNotPresent` | | image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| image.release | The image release tag to use | Current release version: `v0.15.0` | | image.release | The image release tag to use | Current release version: `v1.0.0-alpha.0` |
| imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` | | imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` |
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
| arcCluster | Specify if it runs on Arc cluster | `false` | | resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi |
| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi | | affinity | The node affinity to use for pod scheduling | `{}` |
| affinity | The node affinity to use for pod scheduling | `{}` | | tolerations | The tolerations to use for pod scheduling | `[]` |
| tolerations | The tolerations to use for pod scheduling | `[]` | | service.type | Service type | `ClusterIP` |
| service.type | Service type | `ClusterIP` | | service.port | Service port | `443` |
| service.port | Service port | `443` | | service.targetPort | Service target port | `9443` |
| service.targetPort | Service target port | `9443` | | azureTenantID | [**REQUIRED**] Azure tenant ID | `` |
| azureTenantID | [**REQUIRED**] Azure tenant ID | `` | | azureEnvironment | Azure Environment | `AzurePublicCloud` |
| azureEnvironment | Azure Environment | `AzurePublicCloud` | | logLevel | The log level to use for the webhook manager. In order of increasing verbosity: unset (empty string), info, debug, trace and all. | `info` |
| logEncoder | The log encoder to use for the webhook manager (`json`, `console`) | `console` | | metricsAddr | The address to bind the metrics server to | `:8095` |
| metricsAddr | The address to bind the metrics server to | `:8095` | | metricsBackend | The metrics backend to use (`prometheus`) | `prometheus` |
| metricsBackend | The metrics backend to use (`prometheus`) | `prometheus` | | priorityClassName | The priority class name for webhook manager | `system-cluster-critical` |
| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook. Default is `Ignore` and it's safe. Setting this to fail closed could cause cluster outage when webhook is not available. | `Ignore` | | mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` |
| priorityClassName | The priority class name for webhook manager | `system-cluster-critical` | | podLabels | The labels to add to the azure-workload-identity webhook pods | `{}` |
| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. | `` | | mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` |
| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` |
| podLabels | The labels to add to the azure-workload-identity webhook pods | `{}` |
| mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` |
## Contributing Changes ## Contributing Changes
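
Review bot: The parameter table drops the `arcCluster`, `logEncoder`, `mutatingWebhookFailurePolicy` and `mutatingWebhookObjectSelector` rows with no upgrade note, and the removed `mutatingWebhookFailurePolicy` row was the only text here warning that failing closed "could cause cluster outage when webhook is not available". This release makes fail-closed the fixed behaviour in the webhook template, so the warning should stay in the README (for example beside `mutatingWebhookNamespaceSelector`), and the removed values should be listed as breaking changes for anyone upgrading from v0.15.0.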

View file

@ -29,8 +29,7 @@ spec:
{{- toYaml .Values.affinity | nindent 8 }} {{- toYaml .Values.affinity | nindent 8 }}
containers: containers:
- args: - args:
- --arc-cluster={{ .Values.arcCluster }} - --log-level={{ .Values.logLevel }}
- --log-encoder={{ .Values.logEncoder }}
- --metrics-addr={{ .Values.metricsAddr }} - --metrics-addr={{ .Values.metricsAddr }}
- --metrics-backend={{ .Values.metricsBackend }} - --metrics-backend={{ .Values.metricsBackend }}
command: command:
@ -47,9 +46,12 @@ spec:
image: '{{ .Values.image.repository }}:{{ .Values.image.release }}' image: '{{ .Values.image.repository }}:{{ .Values.image.release }}'
imagePullPolicy: '{{ .Values.image.pullPolicy }}' imagePullPolicy: '{{ .Values.image.pullPolicy }}'
livenessProbe: livenessProbe:
failureThreshold: 6
httpGet: httpGet:
path: /healthz path: /healthz
port: healthz port: healthz
initialDelaySeconds: 15
periodSeconds: 20
name: manager name: manager
ports: ports:
- containerPort: {{ trimPrefix ":" .Values.metricsAddr }} - containerPort: {{ trimPrefix ":" .Values.metricsAddr }}
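
Review bot: `failureThreshold: 6`, `initialDelaySeconds: 15` and `periodSeconds: 20` on the livenessProbe are literals in the template, so a hung manager container is restarted only after roughly two minutes of failed probes (6 × 20 s) and operators cannot tune that. Because the webhook is registered with `failurePolicy: Fail` in this same commit, time without a serving replica now means rejected pod creation rather than skipped mutation; consider exposing the probe timings as chart values, or at least documenting why these numbers were chosen.
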
@ -65,6 +67,8 @@ spec:
httpGet: httpGet:
path: /readyz path: /readyz
port: healthz port: healthz
initialDelaySeconds: 5
periodSeconds: 5
resources: resources:
{{- toYaml .Values.resources | nindent 10 }} {{- toYaml .Values.resources | nindent 10 }}
securityContext: securityContext:

View file

@ -18,11 +18,13 @@ webhooks:
name: azure-wi-webhook-webhook-service name: azure-wi-webhook-webhook-service
namespace: '{{ .Release.Namespace }}' namespace: '{{ .Release.Namespace }}'
path: /mutate-v1-pod path: /mutate-v1-pod
failurePolicy: {{ .Values.mutatingWebhookFailurePolicy }} failurePolicy: Fail
matchPolicy: Equivalent matchPolicy: Equivalent
name: mutation.azure-workload-identity.io name: mutation.azure-workload-identity.io
namespaceSelector: {{- toYaml .Values.mutatingWebhookNamespaceSelector | nindent 4 }} namespaceSelector: {{- toYaml .Values.mutatingWebhookNamespaceSelector | nindent 4 }}
objectSelector: {{- toYaml .Values.mutatingWebhookObjectSelector | nindent 4 }} objectSelector:
matchLabels:
azure.workload.identity/use: "true"
rules: rules:
- apiGroups: - apiGroups:
- "" - ""
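
Review bot: `failurePolicy: Fail` and the `objectSelector` matching `azure.workload.identity/use: "true"` are now literals in the template, replacing `.Values.mutatingWebhookFailurePolicy` and `.Values.mutatingWebhookObjectSelector`, and neither consequence is documented anywhere in this change. First, pods without the label are no longer sent to the webhook at all, so workloads deployed under the previous empty selector stop being mutated until the label is added to their pod templates. Second, creation of labelled pods is rejected whenever the webhook is unreachable. Scoping the fail-closed behaviour by label is a sensible bound, but the default `mutatingWebhookNamespaceSelector` of `{}` still lets it apply in every namespace, so the release notes should state both points and recommend a namespace selector.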

View file

@ -7,11 +7,10 @@ image:
repository: mcr.microsoft.com/oss/azure/workload-identity/webhook repository: mcr.microsoft.com/oss/azure/workload-identity/webhook
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion. # Overrides the image tag whose default is the chart appVersion.
release: v0.15.0 release: v1.0.0-alpha.0
imagePullSecrets: [] imagePullSecrets: []
nodeSelector: nodeSelector:
kubernetes.io/os: linux kubernetes.io/os: linux
arcCluster: false
resources: resources:
limits: limits:
cpu: 100m cpu: 100m
@ -27,12 +26,10 @@ service:
targetPort: 9443 targetPort: 9443
azureEnvironment: AzurePublicCloud azureEnvironment: AzurePublicCloud
azureTenantID: azureTenantID:
logEncoder: console logLevel: info
metricsAddr: ":8095" metricsAddr: ":8095"
metricsBackend: prometheus metricsBackend: prometheus
mutatingWebhookFailurePolicy: Ignore
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
mutatingWebhookObjectSelector: {}
mutatingWebhookAnnotations: {} mutatingWebhookAnnotations: {}
podLabels: {} podLabels: {}
mutatingWebhookNamespaceSelector: {} mutatingWebhookNamespaceSelector: {}
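
Review bot: `mutatingWebhookFailurePolicy: Ignore` and `mutatingWebhookObjectSelector: {}` are deleted from the defaults, but nothing visible in this commit stops an existing override file from still setting them. Helm accepts unknown values silently unless the chart ships a `values.schema.json`, so an operator who had pinned `Ignore` would get `Fail` after the upgrade with no error or warning. Suggest adding a schema that rejects unknown top-level keys, or a `fail` guard in the templates for the removed keys (`arcCluster` and `logEncoder` included), so that stale overrides break the install loudly instead of being ignored.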

View file

@ -5,7 +5,7 @@ kind: Kustomization
images: images:
- name: manager - name: manager
newName: mcr.microsoft.com/oss/azure/workload-identity/webhook newName: mcr.microsoft.com/oss/azure/workload-identity/webhook
newTag: v0.15.0 newTag: v1.0.0-alpha.0
configMapGenerator: configMapGenerator:
- literals: - literals:
- AZURE_TENANT_ID="${AZURE_TENANT_ID}" - AZURE_TENANT_ID="${AZURE_TENANT_ID}"

View file

@ -156,7 +156,7 @@ spec:
spec: spec:
containers: containers:
- args: - args:
- --arc-cluster=${ARC_CLUSTER:-false} - --log-level=info
command: command:
- /manager - /manager
env: env:
@ -168,12 +168,15 @@ spec:
envFrom: envFrom:
- configMapRef: - configMapRef:
name: azure-wi-webhook-config name: azure-wi-webhook-config
image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v0.15.0 image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v1.0.0-alpha.0
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
failureThreshold: 6
httpGet: httpGet:
path: /healthz path: /healthz
port: healthz port: healthz
initialDelaySeconds: 15
periodSeconds: 20
name: manager name: manager
ports: ports:
- containerPort: 9443 - containerPort: 9443
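
Review bot: The `image:` line references the webhook by the mutable tag `v1.0.0-alpha.0` together with `imagePullPolicy: IfNotPresent`, so the released manifest does not identify one specific image. For a component that serves `/mutate-v1-pod` and rewrites pod specs, pinning the release asset by digest (tag plus `@sha256:<digest of the published image>`) would make the applied YAML reproducible and let consumers verify what they are running.
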
@ -189,6 +192,8 @@ spec:
httpGet: httpGet:
path: /readyz path: /readyz
port: healthz port: healthz
initialDelaySeconds: 5
periodSeconds: 5
resources: resources:
limits: limits:
cpu: 100m cpu: 100m
@ -237,7 +242,6 @@ spec:
apiVersion: admissionregistration.k8s.io/v1 apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration kind: MutatingWebhookConfiguration
metadata: metadata:
creationTimestamp: null
labels: labels:
azure-workload-identity.io/system: "true" azure-workload-identity.io/system: "true"
name: azure-wi-webhook-mutating-webhook-configuration name: azure-wi-webhook-mutating-webhook-configuration
@ -250,9 +254,12 @@ webhooks:
name: azure-wi-webhook-webhook-service name: azure-wi-webhook-webhook-service
namespace: azure-workload-identity-system namespace: azure-workload-identity-system
path: /mutate-v1-pod path: /mutate-v1-pod
failurePolicy: Ignore failurePolicy: Fail
matchPolicy: Equivalent matchPolicy: Equivalent
name: mutation.azure-workload-identity.io name: mutation.azure-workload-identity.io
objectSelector:
matchLabels:
azure.workload.identity/use: "true"
rules: rules:
- apiGroups: - apiGroups:
- "" - ""
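
Review bot: In this static manifest the webhook entry goes from `name:` straight to the new `objectSelector:`, so there is no `namespaceSelector` at all, whereas the Helm template at least renders `.Values.mutatingWebhookNamespaceSelector`. Together with `failurePolicy: Fail`, a labelled pod in any namespace, `kube-system` included, cannot be created while the webhook is down. Consider adding a `namespaceSelector` that excludes system namespaces to the generated manifest, or documenting that users of the `kubectl apply` install path have no way to scope this short of editing the YAML.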

View file

@ -73,7 +73,7 @@ The deployment YAML contains the environment variables we defined above and we r
Install the webhook using the deployment YAML via `kubectl apply -f` and `envsubst`: Install the webhook using the deployment YAML via `kubectl apply -f` and `envsubst`:
```bash ```bash
curl -sL https://github.com/Azure/azure-workload-identity/releases/download/v0.15.0/azure-wi-webhook.yaml | envsubst | kubectl apply -f - curl -sL https://github.com/Azure/azure-workload-identity/releases/download/v1.0.0-alpha.0/azure-wi-webhook.yaml | envsubst | kubectl apply -f -
``` ```
<details> <details>
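
Review bot: The install command on the `curl` line pipes the release asset straight through `envsubst` into `kubectl apply -f -`, so a manifest that registers a cluster-scoped mutating webhook is applied without being inspected or verified, and any unset variable is substituted as an empty string with no error. Suggest documenting a download-then-apply flow instead: save the file, compare it against a checksum published with the release, confirm that `AZURE_TENANT_ID` is set, and only then run `envsubst` and `kubectl apply`.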

View file

@ -8,7 +8,7 @@ spec:
serviceAccountName: workload-identity-sa serviceAccountName: workload-identity-sa
initContainers: initContainers:
- name: init-networking - name: init-networking
image: mcr.microsoft.com/oss/azure/workload-identity/proxy-init:v0.15.0 image: mcr.microsoft.com/oss/azure/workload-identity/proxy-init:v1.0.0-alpha.0
securityContext: securityContext:
capabilities: capabilities:
add: add:
@ -26,6 +26,6 @@ spec:
ports: ports:
- containerPort: 80 - containerPort: 80
- name: proxy - name: proxy
image: mcr.microsoft.com/oss/azure/workload-identity/proxy:v0.15.0 image: mcr.microsoft.com/oss/azure/workload-identity/proxy:v1.0.0-alpha.0
ports: ports:
- containerPort: 8000 - containerPort: 8000

View file

@ -2,8 +2,8 @@ apiVersion: v2
name: workload-identity-webhook name: workload-identity-webhook
description: A Helm chart to install the azure-workload-identity webhook description: A Helm chart to install the azure-workload-identity webhook
type: application type: application
version: 0.15.0 version: 1.0.0-alpha.0
appVersion: v0.15.0 appVersion: v1.0.0-alpha.0
home: https://github.com/Azure/azure-workload-identity home: https://github.com/Azure/azure-workload-identity
sources: sources:
- https://github.com/Azure/azure-workload-identity - https://github.com/Azure/azure-workload-identity

View file

@ -34,7 +34,7 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide
| replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` | | replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` |
| image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` | | image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
| image.pullPolicy | Image pullPolicy | `IfNotPresent` | | image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| image.release | The image release tag to use | Current release version: `v0.15.0` | | image.release | The image release tag to use | Current release version: `v1.0.0-alpha.0` |
| imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` | | imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` |
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi | | resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi |

View file

@ -7,7 +7,7 @@ image:
repository: mcr.microsoft.com/oss/azure/workload-identity/webhook repository: mcr.microsoft.com/oss/azure/workload-identity/webhook
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion. # Overrides the image tag whose default is the chart appVersion.
release: v0.15.0 release: v1.0.0-alpha.0
imagePullSecrets: [] imagePullSecrets: []
nodeSelector: nodeSelector:
kubernetes.io/os: linux kubernetes.io/os: linux

View file

@ -168,7 +168,7 @@ spec:
envFrom: envFrom:
- configMapRef: - configMapRef:
name: azure-wi-webhook-config name: azure-wi-webhook-config
image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v0.15.0 image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v1.0.0-alpha.0
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
failureThreshold: 6 failureThreshold: 6

View file

@ -35,7 +35,7 @@ var (
const ( const (
imageRepository = "mcr.microsoft.com/oss/azure/workload-identity" imageRepository = "mcr.microsoft.com/oss/azure/workload-identity"
imageTag = "v0.15.0" imageTag = "v1.0.0-alpha.0"
proxyInitImageName = "proxy-init" proxyInitImageName = "proxy-init"
proxyImageName = "proxy" proxyImageName = "proxy"

View file

@ -2,8 +2,8 @@ apiVersion: v2
name: workload-identity-webhook name: workload-identity-webhook
description: A Helm chart to install the azure-workload-identity webhook description: A Helm chart to install the azure-workload-identity webhook
type: application type: application
version: 0.15.0 version: 1.0.0-alpha.0
appVersion: v0.15.0 appVersion: v1.0.0-alpha.0
home: https://github.com/Azure/azure-workload-identity home: https://github.com/Azure/azure-workload-identity
sources: sources:
- https://github.com/Azure/azure-workload-identity - https://github.com/Azure/azure-workload-identity

View file

@ -34,7 +34,7 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide
| replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` | | replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` |
| image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` | | image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
| image.pullPolicy | Image pullPolicy | `IfNotPresent` | | image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| image.release | The image release tag to use | Current release version: `v0.15.0` | | image.release | The image release tag to use | Current release version: `v1.0.0-alpha.0` |
| imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` | | imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` |
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi | | resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi |

View file

@ -7,7 +7,7 @@ image:
repository: mcr.microsoft.com/oss/azure/workload-identity/webhook repository: mcr.microsoft.com/oss/azure/workload-identity/webhook
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion. # Overrides the image tag whose default is the chart appVersion.
release: v0.15.0 release: v1.0.0-alpha.0
imagePullSecrets: [] imagePullSecrets: []
nodeSelector: nodeSelector:
kubernetes.io/os: linux kubernetes.io/os: linux