Allow full kustomisation of aad-msi-binding.yaml

Currently the name of the AzureIdentity/AzureIdentityBinding objects created as part of the aad-pod-identity lz addon have hardcoded names. This made it not possible to create more than one pair for one MSI. This patch applies kustomise to each field allowing for more customisation. It also adds a new 'selector' argument in the case the user doesn't want the name of the MSI used in this field: managed_identities = { ingress_msi = { lz_key = "aks" aadpodidentity_selector = "ingress" msi_keys = [ "ingress", ] } } If aadpodidentity_selector is not specified the MSI name is used as before.
2021-11-18 16:23:18 +00:00 · 2021-11-18 16:23:18 +00:00 · e125497902
--- a/caf_solution/add-ons/aad-pod-identity/aad-msi-binding.yaml
+++ b/caf_solution/add-ons/aad-pod-identity/aad-msi-binding.yaml
@ -1,9 +1,12 @@
 # https://github.com/Azure/aad-pod-identity/blob/b3ee1d07209f26c47a96abf3ba20749932763de6/website/content/en/docs/Concepts/azureidentity.md
+#
+# Note, while the ${} values are not required for kustomize to work, they signify which values are
+# eligible for configuration.

 apiVersion: aadpodidentity.k8s.io/v1
 kind: AzureIdentity
 metadata:
-    name: podmi-caf-rover-platform-level0
+    name: ${azureidentity_name}
 spec:
    type: 0
    resourceID: ${resource_id}
@ -12,8 +15,8 @@ spec:
 apiVersion: aadpodidentity.k8s.io/v1
 kind: AzureIdentityBinding
 metadata:
-    name: podmi-gitlab-runner-binding
+    name: ${azureidentitybinding_name}
 spec:
-    azureIdentity: podmi-caf-rover-platform-level0
-    selector: podmi-caf-rover-platform-level0
+    azureIdentity: ${azureidentity_name}
+    selector: ${azureidentity_selector}

--- a/caf_solution/add-ons/aad-pod-identity/aad_pod_identity.tf
+++ b/caf_solution/add-ons/aad-pod-identity/aad_pod_identity.tf
@ -27,6 +27,18 @@ data "kustomization_overlay" "aad_pod_identity" {

  namespace = var.aad_pod_identity.namespace

+  patches {
+    patch = <<-EOF
+      - op: replace
+        path: /metadata/name
+        value: ${each.value.name}
+    EOF
+
+    target = {
+      kind = "AzureIdentity"
+    }
+  }
+
  patches {
    patch = <<-EOF
      - op: replace
@ -87,11 +99,13 @@ data "kustomization_overlay" "aad_pod_identity" {
    }
  }

+  # You can provide a managed_identities.<key>.aadpodidentity_selector to specify the value here,
+  # alternatively provide none to have the MSI name used as the selector.
  patches {
    patch = <<-EOF
      - op: replace
        path: /spec/selector
-        value: ${each.value.name}
+        value: ${each.value.selector}
    EOF

    target = {
@ -112,6 +126,7 @@ locals {
          for msi_key in value.msi_keys : {
            key       = key
            msi_key   = msi_key
+            selector  = try(value.aadpodidentity_selector, local.remote.managed_identities[value.lz_key][msi_key].name)
            client_id = local.remote.managed_identities[value.lz_key][msi_key].client_id
            id        = local.remote.managed_identities[value.lz_key][msi_key].id
            name      = local.remote.managed_identities[value.lz_key][msi_key].name