From b4cf82008e50f2de14f9cff59f6f72012f05fb60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Toma=CC=81s=CC=8C=20Freund?=
Date: Wed, 25 Aug 2021 16:37:21 +0200
Subject: [PATCH 1/5] add multiple azure managed identities docs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Tomáš Freund
---
 .../docs/configuration/acme/dns01/azuredns.md | 20 ++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/content/en/docs/configuration/acme/dns01/azuredns.md b/content/en/docs/configuration/acme/dns01/azuredns.md
index e495bc49df2..600d194029e 100644
--- a/content/en/docs/configuration/acme/dns01/azuredns.md
+++ b/content/en/docs/configuration/acme/dns01/azuredns.md
@@ -140,9 +140,8 @@ When creating an AKS cluster in Azure there is the option to use a managed ident
 There are some caveats with this approach, these mainly being:
-- You will need to ensure only 1 managed identity is assigned to the node pool. This is due to cert-manager not currently being able to select the identity to use
 - Any permissions granted to this identity will also be accessible to all containers running inside the Kubernetes cluster.
-- Using AKS extensions like `Kube Dashboard` will not work with this method as this creates an additional identity that is assigned to the node pools.
+- Using AKS extensions like `Kube Dashboard`, `Virtual Node`, or `HTTP Application Routing` (see full list [here](https://docs.microsoft.com/en-us/azure/aks/use-managed-identity#summary-of-managed-identities)) will create additional identities that are assigned to your node pools. If your node pools have more than one identity assigned, you will need to specify either clientID or resourceID to select the correct one.
 To set this up, firstly you will need to retrieve the identity that the kubelet is using by querying the AKS cluster. This can then be used to create the appropriate permissions in the DNS zone.
@@ -180,7 +179,16 @@ resource "azurerm_role_assignment" "dns_contributor" {
 }
 ```
-Then when creating the cert-manager issuer we only need to specify the `hostedZoneName`, `resourceGroupName` and `subscriptionID` fields for the DNS Zone. Example below:
+Then when creating the cert-manager issuer we only need to specify the `hostedZoneName`, `resourceGroupName` and `subscriptionID` fields for the DNS Zone.
+
+We also need to specify `managedIdentity.clientID` or `managedIdentity.resourceID` if multiple managed identities are assigned to the node pools.
+
+The value for `managedIdentity.clientID` can be fetched by running this command:
+```bash
+az aks show -n $CLUSTERNAME -g $CLUSTER_GROUP --query "identityProfile.kubeletidentity.clientId" -o tsv
+```
+
+Example below:
 ```yaml
 apiVersion: cert-manager.io/v1
 kind: Issuer
@@ -197,6 +205,12 @@ spec:
 hostedZoneName: AZURE_DNS_ZONE
 # Azure Cloud Environment, default to AzurePublicCloud
 environment: AzurePublicCloud
+ # optional, only required if node pools have more than 1 managed identity assigned
+ managedIdentity:
+ # client id of the node pool managed identity (can not be set at the same time as resourceID)
+ clientID: YOUR_MANAGED_IDENTITY_CLIENT_ID
+ # resource id of the managed identity (can not be set at the same time as clientID)
+ # resourceID: YOUR_MANAGED_IDENTITY_RESOURCE_ID
 ```
 ## Service Principal
From 990386c2ddf3dc5056bf1fab46600a0c360852bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Toma=CC=81s=CC=8C=20Freund?=
Date: Wed, 25 Aug 2021 16:42:02 +0200
Subject: [PATCH 2/5] remove word as per code review suggestion
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Tomáš Freund
---
 content/en/docs/configuration/acme/dns01/azuredns.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/en/docs/configuration/acme/dns01/azuredns.md b/content/en/docs/configuration/acme/dns01/azuredns.md
index 600d194029e..370f305791c 100644
--- a/content/en/docs/configuration/acme/dns01/azuredns.md
+++ b/content/en/docs/configuration/acme/dns01/azuredns.md
@@ -114,7 +114,7 @@ podLabels:
 aadpodidbinding: certman-label
 ```
-Lastly when we create the certificate issuer we only need to specify the `hostedZoneName`, `resourceGroupName` and `subscriptionID` fields for the DNS zone. Example below:
+Lastly when we create the certificate issuer we need to specify the `hostedZoneName`, `resourceGroupName` and `subscriptionID` fields for the DNS zone. Example below:
 ```yaml
 apiVersion: cert-manager.io/v1
From 6893e8c2e00c7e4d1ef1961b089cea41e5bf1908 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Toma=CC=81s=CC=8C=20Freund?=
Date: Wed, 25 Aug 2021 16:42:39 +0200
Subject: [PATCH 3/5] remove word as per code review suggestion
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Tomáš Freund
---
 content/en/docs/configuration/acme/dns01/azuredns.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/content/en/docs/configuration/acme/dns01/azuredns.md b/content/en/docs/configuration/acme/dns01/azuredns.md
index 370f305791c..267138bd060 100644
--- a/content/en/docs/configuration/acme/dns01/azuredns.md
+++ b/content/en/docs/configuration/acme/dns01/azuredns.md
@@ -114,7 +114,7 @@ podLabels:
 aadpodidbinding: certman-label
 ```
-Lastly when we create the certificate issuer we need to specify the `hostedZoneName`, `resourceGroupName` and `subscriptionID` fields for the DNS zone. Example below:
+Lastly when we create the certificate issuer we only need to specify the `hostedZoneName`, `resourceGroupName` and `subscriptionID` fields for the DNS zone. Example below:
 ```yaml
 apiVersion: cert-manager.io/v1
@@ -179,7 +179,7 @@ resource "azurerm_role_assignment" "dns_contributor" {
 }
 ```
-Then when creating the cert-manager issuer we only need to specify the `hostedZoneName`, `resourceGroupName` and `subscriptionID` fields for the DNS Zone.
+Then when creating the cert-manager issuer we need to specify the `hostedZoneName`, `resourceGroupName` and `subscriptionID` fields for the DNS Zone.
 We also need to specify `managedIdentity.clientID` or `managedIdentity.resourceID` if multiple managed identities are assigned to the node pools.
From 73036b059208bedd1656212d2de55d5ca0eb41ca Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Fri, 3 Sep 2021 16:13:57 +0100
Subject: [PATCH 4/5] Quote the words clientID and resourceID to satisfy the spell checker
Signed-off-by: Richard Wall
---
 content/en/docs/configuration/acme/dns01/azuredns.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/en/docs/configuration/acme/dns01/azuredns.md b/content/en/docs/configuration/acme/dns01/azuredns.md
index 267138bd060..3702bfced99 100644
--- a/content/en/docs/configuration/acme/dns01/azuredns.md
+++ b/content/en/docs/configuration/acme/dns01/azuredns.md
@@ -141,7 +141,7 @@ When creating an AKS cluster in Azure there is the option to use a managed ident
 There are some caveats with this approach, these mainly being:
 - Any permissions granted to this identity will also be accessible to all containers running inside the Kubernetes cluster.
-- Using AKS extensions like `Kube Dashboard`, `Virtual Node`, or `HTTP Application Routing` (see full list [here](https://docs.microsoft.com/en-us/azure/aks/use-managed-identity#summary-of-managed-identities)) will create additional identities that are assigned to your node pools. If your node pools have more than one identity assigned, you will need to specify either clientID or resourceID to select the correct one.
+- Using AKS extensions like `Kube Dashboard`, `Virtual Node`, or `HTTP Application Routing` (see full list [here](https://docs.microsoft.com/en-us/azure/aks/use-managed-identity#summary-of-managed-identities)) will create additional identities that are assigned to your node pools. If your node pools have more than one identity assigned, you will need to specify either `clientID` or `resourceID` to select the correct one.
 To set this up, firstly you will need to retrieve the identity that the kubelet is using by querying the AKS cluster. This can then be used to create the appropriate permissions in the DNS zone.
From ee75bf5685474c651d08750ecfe3a150de5eb586 Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Fri, 3 Sep 2021 16:14:56 +0100
Subject: [PATCH 5/5] Whitespace cleanup
Signed-off-by: Richard Wall
---
 content/en/docs/configuration/acme/dns01/azuredns.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/content/en/docs/configuration/acme/dns01/azuredns.md b/content/en/docs/configuration/acme/dns01/azuredns.md
index 3702bfced99..9c3b1425084 100644
--- a/content/en/docs/configuration/acme/dns01/azuredns.md
+++ b/content/en/docs/configuration/acme/dns01/azuredns.md
@@ -79,7 +79,7 @@ kind: AzureIdentity
 metadata:
 annotations:
 # recommended to use namespaced identites https://azure.github.io/aad-pod-identity/docs/configure/match_pods_in_namespace/
- aadpodidentity.k8s.io/Behavior: namespaced
+ aadpodidentity.k8s.io/Behavior: namespaced
 name: certman-identity
 namespace: cert-manager # change to your preferred namespace
 spec:
@@ -136,7 +136,7 @@ spec:
 ## Managed Identity Using AKS Kubelet Identity
-When creating an AKS cluster in Azure there is the option to use a managed identity that is assigned to the kubelet. This identity is assigned to the underlying node pool in the AKS cluster and can then be used by the cert-manager pods to authenticate to Azure Active Directory.
+When creating an AKS cluster in Azure there is the option to use a managed identity that is assigned to the kubelet. This identity is assigned to the underlying node pool in the AKS cluster and can then be used by the cert-manager pods to authenticate to Azure Active Directory.
 There are some caveats with this approach, these mainly being:
@@ -155,7 +155,7 @@ ZONE_ID=$(az network dns zone show --name $ZONE_NAME --resource-group $ZONE_GROU
 # Create role assignment
 az role assignment create --role "DNS Zone Contributor" --assignee $PRINCIPAL_ID --scope $ZONE_ID
-```
+```
 - Example terraform:
 ```terraform
@@ -173,8 +173,8 @@ resource "azurerm_kubernetes_cluster" "cluster" {
 resource "azurerm_role_assignment" "dns_contributor" {
 scope = var.dns_zone_id
- role_definition_name = "DNS Zone Contributor"
- principal_id = azurerm_kubernetes_cluster.cluster.kubelet_identity[0].object_id
+ role_definition_name = "DNS Zone Contributor"
+ principal_id = azurerm_kubernetes_cluster.cluster.kubelet_identity[0].object_id
 skip_service_principal_aad_check = true # Allows skipping propagation of identity to ensure assignment succeeds.
 }
 ```
@@ -210,7 +210,7 @@ spec:
 # client id of the node pool managed identity (can not be set at the same time as resourceID)
 clientID: YOUR_MANAGED_IDENTITY_CLIENT_ID
 # resource id of the managed identity (can not be set at the same time as clientID)
- # resourceID: YOUR_MANAGED_IDENTITY_RESOURCE_ID
+ # resourceID: YOUR_MANAGED_IDENTITY_RESOURCE_ID
 ```
 ## Service Principal