Merge pull request #279 from brk3/feature/custom-aadpodidentity-selector

Allow full kustomisation of aad-msi-binding.yaml
2021-12-08 13:53:43 +08:00 · 2021-12-08 13:53:43 +08:00 · 5f8f241cd5
--- a/caf_solution/add-ons/aad-pod-identity/aad-msi-binding.yaml
+++ b/caf_solution/add-ons/aad-pod-identity/aad-msi-binding.yaml
@ -1,9 +1,12 @@
 # https://github.com/Azure/aad-pod-identity/blob/b3ee1d07209f26c47a96abf3ba20749932763de6/website/content/en/docs/Concepts/azureidentity.md
+#
+# Note, while the ${} values are not required for kustomize to work, they signify which values are
+# eligible for configuration.

 apiVersion: aadpodidentity.k8s.io/v1
 kind: AzureIdentity
 metadata:
-    name: podmi-caf-rover-platform-level0
+    name: ${azureidentity_name}
 spec:
    type: 0
    resourceID: ${resource_id}
@ -12,8 +15,8 @@ spec:
 apiVersion: aadpodidentity.k8s.io/v1
 kind: AzureIdentityBinding
 metadata:
-    name: podmi-gitlab-runner-binding
+    name: ${azureidentitybinding_name}
 spec:
-    azureIdentity: podmi-caf-rover-platform-level0
-    selector: podmi-caf-rover-platform-level0
+    azureIdentity: ${azureidentity_name}
+    selector: ${azureidentity_selector}

--- a/caf_solution/add-ons/aad-pod-identity/aad_pod_identity.tf
+++ b/caf_solution/add-ons/aad-pod-identity/aad_pod_identity.tf
@ -27,6 +27,18 @@ data "kustomization_overlay" "aad_pod_identity" {

  namespace = var.aad_pod_identity.namespace

+  patches {
+    patch = <<-EOF
+      - op: replace
+        path: /metadata/name
+        value: ${each.value.name}
+    EOF
+
+    target = {
+      kind = "AzureIdentity"
+    }
+  }
+
  patches {
    patch = <<-EOF
      - op: replace
@ -87,11 +99,13 @@ data "kustomization_overlay" "aad_pod_identity" {
    }
  }

+  # You can provide a managed_identities.<key>.aadpodidentity_selector to specify the value here,
+  # alternatively provide none to have the MSI name used as the selector.
  patches {
    patch = <<-EOF
      - op: replace
        path: /spec/selector
-        value: ${each.value.name}
+        value: ${each.value.selector}
    EOF

    target = {
@ -112,6 +126,7 @@ locals {
          for msi_key in value.msi_keys : {
            key       = key
            msi_key   = msi_key
+            selector  = try(value.aadpodidentity_selector, local.remote.managed_identities[value.lz_key][msi_key].name)
            client_id = local.remote.managed_identities[value.lz_key][msi_key].client_id
            id        = local.remote.managed_identities[value.lz_key][msi_key].id
            name      = local.remote.managed_identities[value.lz_key][msi_key].name