Add support for Service Principal with Certificate auth using AAD pod identity #2258
@@ -43,17 +43,20 @@ type AllowedNamespaces struct { | |||||
| // AzureClusterIdentitySpec defines the parameters that are used to create an AzureIdentity. | ||||||
| type AzureClusterIdentitySpec struct { | ||||||
| // UserAssignedMSI or Service Principal | ||||||
| // Type is the type of Azure Identity used. | ||||||
|
Contributor: Suggested change. Although since this field is just
Contributor (Author): So I think
Contributor: You're right--so hard to read when things "stutter" like that.
Contributor: 🤯
| // ServicePrincipal, ServicePrincipalCertificate, or ManualServicePrincipal. | ||||||
| Type IdentityType `json:"type"` | ||||||
| // User assigned MSI resource id. | ||||||
| // ResourceID is the Azure resource ID for the User Assigned MSI resource. | ||||||
| // Not currently supported. | ||||||
| // +optional | ||||||
| ResourceID string `json:"resourceID,omitempty"` | ||||||
| // ClientID is the service principal client ID. | ||||||
| // Both User Assigned MSI and SP can use this field. | ||||||
| ClientID string `json:"clientID"` | ||||||
| // ClientSecret is a secret reference which should contain either a Service Principal password or certificate secret. | ||||||
| // +optional | ||||||
| ClientSecret corev1.SecretReference `json:"clientSecret,omitempty"` | ||||||
| // Service principal primary tenant id. | ||||||
| // TenantID is the service principal primary tenant id. | ||||||
| TenantID string `json:"tenantID"` | ||||||
| // AllowedNamespaces is used to identify the namespaces the clusters are allowed to use the identity from. | ||||||
| // Namespaces can be selected either using an array of namespaces or with label selector. | ||||||
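Review bot: the comment on the `ClientSecret corev1.SecretReference` line says the referenced Secret "should contain either a Service Principal password or certificate secret" but does not say which data key the controller reads or what format the certificate must be in (PEM with the private key, PFX, with or without a passphrase); please state that in the comment so users of the new ServicePrincipalCertificate type know what to put in the Secret. In the same hunk, the Type comment now lists only ServicePrincipal, ServicePrincipalCertificate and ManualServicePrincipal, while the ClientID comment still reads "Both User Assigned MSI and SP can use this field" and ResourceID is still documented as the User Assigned MSI resource ID that is "Not currently supported"; reconcile these so the spec does not advertise a type the validation enum no longer accepts.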
@@ -422,18 +422,21 @@ const ( | |
| ) | ||
| // IdentityType represents different types of identities. | ||
| // +kubebuilder:validation:Enum=ServicePrincipal;ManualServicePrincipal;UserAssignedMSI | ||
| // +kubebuilder:validation:Enum=ServicePrincipal;ManualServicePrincipal;ServicePrincipalCertificate | ||
|
Contributor: this looks like a breaking change, is that intended/allowed?
Contributor (Author): It's technically breaking but in practice, no one should be broken by the change. Right now if you set it to
Contributor: Makes sense!
| type IdentityType string | ||
|
|
||
| const ( | ||
| // UserAssignedMSI represents a user-assigned identity. | ||
| UserAssignedMSI IdentityType = "UserAssignedMSI" | ||
|
|
||
| // ServicePrincipal represents a service principal. | ||
| // ServicePrincipal represents a service principal using a client password as secret. | ||
| ServicePrincipal IdentityType = "ServicePrincipal" | ||
|
|
||
| // ManualServicePrincipal represents a manual service principal. | ||
| ManualServicePrincipal IdentityType = "ManualServicePrincipal" | ||
|
|
||
| // ServicePrincipalCertificate represents a service principal using a certificate as secret. | ||
| ServicePrincipalCertificate IdentityType = "ServicePrincipalCertificate" | ||
| ) | ||
|
|
||
| // OSDisk defines the operating system disk for a VM. | ||
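Review bot: dropping UserAssignedMSI from the `+kubebuilder:validation:Enum` marker while keeping the `UserAssignedMSI IdentityType = "UserAssignedMSI"` constant is an API-breaking change for a served version: once the regenerated CRD is applied, any existing AzureClusterIdentity stored with `type: UserAssignedMSI` will be rejected by validation on its next update, and the constant remains in the Go API with no indication that the server refuses it. If the type was never functional, keep it in the enum and add a `// Deprecated:` line on the constant, or remove the constant as well and record the removal in the release notes. Also, the new comment "ServicePrincipalCertificate represents a service principal using a certificate as secret." should say what the referenced Secret must contain, parallel to the updated ServicePrincipal comment about a client password.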