From 65bd725eb2b9649eaf207b74b3af5b9c7d60f6f2 Mon Sep 17 00:00:00 2001
From: Ashutosh Kumar
Date: Tue, 23 May 2023 04:04:10 +0530
Subject: [PATCH] skip using azwi mwh which is optional
Signed-off-by: Ashutosh Kumar
---
Tiltfile | 10 --
azure/scope/workload_identity.go | 4 +-
config/manager/manager.yaml | 14 ++
test/e2e/config/azwi.yaml | 272 -------------------------------
test/e2e/e2e_suite_test.go | 13 --
5 files changed, 17 insertions(+), 296 deletions(-)
delete mode 100644 test/e2e/config/azwi.yaml
diff --git a/Tiltfile b/Tiltfile
index 2da3f6fa73f..85982b66cc5 100644
--- a/Tiltfile
+++ b/Tiltfile
@@ -23,7 +23,6 @@ settings = {
 "cert_manager_version": "v1.11.1",
 "kubernetes_version": "v1.25.6",
 "aks_kubernetes_version": "v1.25.6",
- "azwi_version": "v1.1.0",
 "flatcar_version": "3374.2.1",
 }
@@ -47,13 +46,6 @@ if "allowed_contexts" in settings:
 if "default_registry" in settings:
 default_registry(settings.get("default_registry"))
-# deploy AZWI webhook
-def deploy_azwi():
- version = settings.get("azwi_version")
- azwi_uri = "https://github.com/Azure/azure-workload-identity/releases/download/{}/azure-wi-webhook.yaml".format(version)
- cmd = "curl -sSL {} | {} | {} apply -f -".format(azwi_uri, envsubst_cmd, kubectl_cmd)
- local(cmd, quiet = True)
-
 # deploy CAPI
 def deploy_capi():
 version = settings.get("capi_version")
@@ -443,8 +435,6 @@ load("ext://cert_manager", "deploy_cert_manager")
 if settings.get("deploy_cert_manager"):
 deploy_cert_manager(version = settings.get("cert_manager_version"))
-deploy_azwi()
-
 deploy_capi()
 create_identity_secret()
diff --git a/azure/scope/workload_identity.go b/azure/scope/workload_identity.go
index 5793564b120..ecac9b18993 100644
--- a/azure/scope/workload_identity.go
+++ b/azure/scope/workload_identity.go
@@ -56,6 +56,8 @@ const (
 AzureClientIDEnvKey = "AZURE_CLIENT_ID"
 // AzureTenantIDEnvKey is the env key for AZURE_TENANT_ID.
 AzureTenantIDEnvKey = "AZURE_TENANT_ID"
+ // AzureTokenFilePath is the path of the projected token.
+ AzureTokenFilePath = "/var/run/secrets/azure/tokens/azure-identity-token" // #nosec G101
 )
 type workloadIdentityCredential struct {
@@ -94,7 +96,7 @@ func (w *WorkloadIdentityCredentialOptions) WithTenantID(tenantID string) *Workl
 func GetProjectedTokenPath() (string, error) {
 tokenPath := os.Getenv(AzureFedratedTokenFileEnvKey)
 if strings.TrimSpace(tokenPath) == "" {
- return "", errors.New("projected token path not injected")
+ return AzureTokenFilePath, nil
 }
 return tokenPath, nil
 }
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 66e219a6ad8..cd88e4d4b6a 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -31,6 +31,10 @@ spec:
 image: controller:latest
 imagePullPolicy: Always
 name: manager
+ volumeMounts:
+ - mountPath: /var/run/secrets/azure/tokens
+ name: azure-identity-token
+ readOnly: true
 ports:
 - - containerPort: 9440
 name: healthz
@@ -78,3 +82,13 @@ spec:
 key: node-role.kubernetes.io/master
 - effect: NoSchedule
 key: node-role.kubernetes.io/control-plane
+ volumes:
+ - name: azure-identity-token
+ projected:
+ defaultMode: 420
+ sources:
+ - serviceAccountToken:
+ audience: api://AzureADTokenExchange
+ expirationSeconds: 3600
+ path: azure-identity-token
+ 
diff --git a/test/e2e/config/azwi.yaml b/test/e2e/config/azwi.yaml
deleted file mode 100644
index 5062420d4c8..00000000000
--- a/test/e2e/config/azwi.yaml
+++ /dev/null
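Review bot: The fallback `return AzureTokenFilePath, nil` in GetProjectedTokenPath hands callers a path that may not exist, so a deployment without the projected volume now fails later with a file-read error instead of the explicit `projected token path not injected` message the second hunk removes. Consider verifying the default before returning it, e.g. `if _, err := os.Stat(AzureTokenFilePath); err != nil { return "", err }` with context added to the error, and if the function carries a doc comment above the hunk, state there that the constant is used when AzureFedratedTokenFileEnvKey is unset. In the first hunk the `// #nosec G101` suppression should carry its rationale, e.g. `// #nosec G101 -- token file path, not a credential`, since G101 is the hard-coded-credentials check and the next reader otherwise has to rediscover why it is safe.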
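Review bot: The projected serviceAccountToken added in the second manager.yaml hunk is the credential exchanged for Azure AD tokens, and `defaultMode: 420` (0644) makes it readable by every process in the container; whether a tighter mode such as 0400 still works depends on the pod's runAsUser/fsGroup, which are outside this hunk, so confirm that before changing it. The mount path and `path: azure-identity-token` must agree with the AzureTokenFilePath constant introduced in azure/scope/workload_identity.go in this same patch, so a comment such as `# must match AzureTokenFilePath in azure/scope/workload_identity.go` on the volumeMounts entry would keep the two from drifting. The hunk also ends with an added empty `+` line, which leaves a trailing blank line at the end of the file.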
@@ -1,272 +0,0 @@
-# This config of azure workload identity is used to deploy in e2e
-# The current config is from https://github.com/Azure/azure-workload-identity/releases/tag/v1.0.0
-apiVersion: v1
-kind: Namespace
-metadata:
- labels:
- azure-workload-identity.io/system: "true"
- pod-security.kubernetes.io/audit: restricted
- pod-security.kubernetes.io/audit-version: latest
- pod-security.kubernetes.io/enforce: restricted
- pod-security.kubernetes.io/enforce-version: latest
- pod-security.kubernetes.io/warn: restricted
- pod-security.kubernetes.io/warn-version: latest
- name: azure-workload-identity-system
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- azure-workload-identity.io/system: "true"
- name: azure-wi-webhook-admin
- namespace: azure-workload-identity-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- creationTimestamp: null
- labels:
- azure-workload-identity.io/system: "true"
- name: azure-wi-webhook-manager-role
- namespace: azure-workload-identity-system
-rules:
- - apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- creationTimestamp: null
- labels:
- azure-workload-identity.io/system: "true"
- name: azure-wi-webhook-manager-role
-rules:
- - apiGroups:
- - ""
- resources:
- - serviceaccounts
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - admissionregistration.k8s.io
- resources:
- - mutatingwebhookconfigurations
- verbs:
- - get
- - list
- - update
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- labels:
- azure-workload-identity.io/system: "true"
- name: azure-wi-webhook-manager-rolebinding
- namespace: azure-workload-identity-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: azure-wi-webhook-manager-role
-subjects:
- - kind: ServiceAccount
- name: azure-wi-webhook-admin
- namespace: azure-workload-identity-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- azure-workload-identity.io/system: "true"
- name: azure-wi-webhook-manager-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: azure-wi-webhook-manager-role
-subjects:
- - kind: ServiceAccount
- name: azure-wi-webhook-admin
- namespace: azure-workload-identity-system
----
-apiVersion: v1
-data:
- AZURE_ENVIRONMENT: AzurePublicCloud
- # CAPZ uses tenant ID from AzureClusterIdentity object and this is injected as env
- # as a fallback only. AZWI webhook currently does not allow this as an optional
- # field and hence passing a dummy value.
- AZURE_TENANT_ID: 00000000-0000-0000-0000-000000000000
-kind: ConfigMap
-metadata:
- labels:
- azure-workload-identity.io/system: "true"
- name: azure-wi-webhook-config
- namespace: azure-workload-identity-system
----
-apiVersion: v1
-kind: Secret
-metadata:
- labels:
- azure-workload-identity.io/system: "true"
- name: azure-wi-webhook-server-cert
- namespace: azure-workload-identity-system
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- azure-workload-identity.io/system: "true"
- name: azure-wi-webhook-webhook-service
- namespace: azure-workload-identity-system
-spec:
- ports:
- - port: 443
- targetPort: 9443
- selector:
- azure-workload-identity.io/system: "true"
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- azure-workload-identity.io/system: "true"
- name: azure-wi-webhook-controller-manager
- namespace: azure-workload-identity-system
-spec:
- replicas: 2
- selector:
- matchLabels:
- azure-workload-identity.io/system: "true"
- template:
- metadata:
- labels:
- azure-workload-identity.io/system: "true"
- spec:
- containers:
- - args:
- - --log-level=info
- command:
- - /manager
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- envFrom:
- - configMapRef:
- name: azure-wi-webhook-config
- image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v1.0.0
- imagePullPolicy: IfNotPresent
- livenessProbe:
- failureThreshold: 6
- httpGet:
- path: /healthz
- port: healthz
- initialDelaySeconds: 15
- periodSeconds: 20
- name: manager
- ports:
- - containerPort: 9443
- name: webhook-server
- protocol: TCP
- - containerPort: 8095
- name: metrics
- protocol: TCP
- - containerPort: 9440
- name: healthz
- protocol: TCP
- readinessProbe:
- httpGet:
- path: /readyz
- port: healthz
- initialDelaySeconds: 5
- periodSeconds: 5
- resources:
- limits:
- cpu: 100m
- memory: 30Mi
- requests:
- cpu: 100m
- memory: 20Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsGroup: 65532
- runAsNonRoot: true
- runAsUser: 65532
- seccompProfile:
- type: RuntimeDefault
- volumeMounts:
- - mountPath: /certs
- name: cert
- readOnly: true
- nodeSelector:
- kubernetes.io/os: linux
- priorityClassName: system-cluster-critical
- serviceAccountName: azure-wi-webhook-admin
- volumes:
- - name: cert
- secret:
- defaultMode: 420
- secretName: azure-wi-webhook-server-cert
----
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- labels:
- azure-workload-identity.io/system: "true"
- name: azure-wi-webhook-controller-manager
- namespace: azure-workload-identity-system
-spec:
- minAvailable: 1
- selector:
- matchLabels:
- azure-workload-identity.io/system: "true"
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
- labels:
- azure-workload-identity.io/system: "true"
- name: azure-wi-webhook-mutating-webhook-configuration
-webhooks:
- - admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: azure-wi-webhook-webhook-service
- namespace: azure-workload-identity-system
- path: /mutate-v1-pod
- failurePolicy: Fail
- matchPolicy: Equivalent
- name: mutation.azure-workload-identity.io
- objectSelector:
- matchLabels:
- azure.workload.identity/use: "true"
- reinvocationPolicy: IfNeeded
- rules:
- - apiGroups:
- - ""
- apiVersions:
- - v1
- operations:
- - CREATE
- resources:
- - pods
- sideEffects: None
diff --git a/test/e2e/e2e_suite_test.go b/test/e2e/e2e_suite_test.go
index 73485bc29a2..8c69430ac05 100644
--- a/test/e2e/e2e_suite_test.go
+++ b/test/e2e/e2e_suite_test.go
@@ -179,10 +179,6 @@ func setupBootstrapCluster(config *clusterctl.E2EConfig, useExistingCluster bool
 }
 func initBootstrapCluster(bootstrapClusterProxy framework.ClusterProxy, config *clusterctl.E2EConfig, clusterctlConfig, artifactFolder string) {
- // This deploys azwi webhook. It is important that azwi webhook config gets deployed before capz config as capz
- // depends on env var and projected service account token volume.
- // ToDo: @sonasingh46 : deploy azwi as part of init mgmt cluster.
- deployAzwiWebhook(bootstrapClusterProxy)
 clusterctl.InitManagementClusterAndWatchControllerLogs(context.TODO(), clusterctl.InitManagementClusterAndWatchControllerLogsInput{
 ClusterProxy: bootstrapClusterProxy,
 ClusterctlConfigPath: clusterctlConfig,
@@ -199,12 +195,3 @@ func tearDown(bootstrapClusterProvider bootstrap.ClusterProvider, bootstrapClust
 bootstrapClusterProvider.Dispose(context.TODO())
 }
 }
-
-func deployAzwiWebhook(bootstrapClusterProxy framework.ClusterProxy) {
- path, _ := os.Getwd()
- yamlBytes, err := os.ReadFile("config/azwi.yaml")
- Expect(err).To(BeNil(), "failed to read workload identity webhook config: %s: %s", err, path)
-
- err = bootstrapClusterProxy.Apply(context.TODO(), yamlBytes)
- Expect(err).To(BeNil(), "failed to deploy workload identity webhook: %s", err)
-}