@@ -8,11 +8,11 @@ Azure Service Operator supports four different styles of authentication today.
88Each section below dives into one of these authentication options, including examples for how to set it up and
99use it at the different [ credential scopes] ( {{< relref "credential-scope" >}} ).
1010
11- ## Azure Workload Identity
11+ ## Managed Identity (via workload identity)
1212
1313See [ Azure Workload Identity] ( https://github.com/Azure/azure-workload-identity ) for details about the workload identity project.
1414
15- ** Workload identity (with Managed Identity ) is the recommended authentication mode for production use-cases** .
15+ ** Managed Identity (via workload identity ) is the recommended authentication mode for production use-cases** .
1616
1717### Prerequisites
1818
@@ -426,9 +426,130 @@ EOF
426426{{% /tab %}}
427427{{< /tabpane >}}
428428
429+ ## Managed Identity (via IMDS on Azure infrastructure)
430+
431+ ### Prerequisites
432+
433+ 1 . An existing Azure Managed Identity.
434+ 2 . ASO running on Azure infrastructure (such as an AKS cluster) with the Managed Identity assigned to that infrastructure.
435+
436+ First, set the following environment variables:
437+
438+ ``` bash
439+ export IDENTITY_RESOURCE_GROUP=" myrg" # The resource group containing the managed identity.
440+ export IDENTITY_NAME=" myidentity" # The name of the identity.
441+ export AZURE_SUBSCRIPTION_ID=" 00000000-0000-0000-0000-00000000000" # The Azure Subscription ID the identity is in.
442+ export AZURE_TENANT_ID=" 00000000-0000-0000-0000-00000000000" # The Azure AAD Tenant the identity/subscription is associated with.
443+ ```
444+
445+ Use the ` az cli ` to get some more details about the identity to use:
446+
447+ ``` bash
448+ export IDENTITY_CLIENT_ID=" $( az identity show -g ${IDENTITY_RESOURCE_GROUP} -n ${IDENTITY_NAME} --query clientId -otsv) "
449+ export IDENTITY_RESOURCE_ID=" $( az identity show -g ${IDENTITY_RESOURCE_GROUP} -n ${IDENTITY_NAME} --query id -otsv) "
450+ ```
451+
452+ ### Create the secret
453+
454+ {{< tabpane text=true left=true >}}
455+ {{% tab header="** Scope** :" disabled=true /%}}
456+ {{% tab header="Global" %}}
457+
458+ If installing ASO for the first time, you can pass these values via Helm arguments:
459+
460+ ``` bash
461+ helm upgrade --install --devel aso2 aso2/azure-service-operator \
462+ --create-namespace \
463+ --namespace=azureserviceoperator-system \
464+ --set azureSubscriptionID=$AZURE_SUBSCRIPTION_ID \
465+ --set azureClientID=${IDENTITY_CLIENT_ID} \
466+ --set crdPattern=' resources.azure.com/*;containerservice.azure.com/*;keyvault.azure.com/*;managedidentity.azure.com/*;eventhub.azure.com/*'
467+ ```
468+
469+ See [ CRD management] ( {{< relref "crd-management" >}} ) for more details about ` crdPattern ` .
470+
471+ Create or update the ` aso-controller-settings ` secret:
472+
473+ ``` bash
474+ cat << EOF | kubectl apply -f -
475+ apiVersion: v1
476+ kind: Secret
477+ metadata:
478+ name: aso-controller-settings
479+ namespace: azureserviceoperator-system
480+ stringData:
481+ AZURE_SUBSCRIPTION_ID: "$AZURE_SUBSCRIPTION_ID "
482+ AZURE_TENANT_ID: "$AZURE_TENANT_ID "
483+ AZURE_CLIENT_ID: "$IDENTITY_CLIENT_ID "
484+ EOF
485+ ```
486+
487+ ** Note:** The ` aso-controller-settings ` secret contains more configuration than just the global credential.
488+ If ASO was already installed on your cluster and you are updating the ` aso-controller-settings ` secret, ensure that
489+ [ other values] ( {{< relref "aso-controller-settings-options" >}} ) in that secret are not being overwritten.
490+
491+ {{% /tab %}}
492+ {{% tab header="Namespace" %}}
493+
494+ Create the ` aso-credential ` secret in your namespace:
495+
496+ ``` bash
497+ cat << EOF | kubectl apply -f -
498+ apiVersion: v1
499+ kind: Secret
500+ metadata:
501+ name: aso-credential
502+ namespace: my-namespace
503+ stringData:
504+ AZURE_SUBSCRIPTION_ID: "$AZURE_SUBSCRIPTION_ID "
505+ AZURE_TENANT_ID: "$AZURE_TENANT_ID "
506+ AZURE_CLIENT_ID: "$IDENTITY_CLIENT_ID "
507+ AUTH_MODE: "podidentity"
508+ EOF
509+ ```
510+
511+ {{% /tab %}}
512+ {{% tab header="Resource" %}}
513+
514+ Create a per-resource secret. We'll use ` my-resource-secret ` :
515+
516+ ``` bash
517+ cat << EOF | kubectl apply -f -
518+ apiVersion: v1
519+ kind: Secret
520+ metadata:
521+ name: my-resource-secret
522+ namespace: my-namespace
523+ stringData:
524+ AZURE_SUBSCRIPTION_ID: "$AZURE_SUBSCRIPTION_ID "
525+ AZURE_TENANT_ID: "$AZURE_TENANT_ID "
526+ AZURE_CLIENT_ID: "$IDENTITY_CLIENT_ID "
527+ AUTH_MODE: "podidentity"
528+ EOF
529+ ```
530+
531+ Create the ASO resource referring to ` my-resource-secret ` . We show a ` ResourceGroup ` here, but any ASO resource will work.
532+
533+ ``` bash
534+ cat << EOF | kubectl apply -f -
535+ apiVersion: resources.azure.com/v1api20200601
536+ kind: ResourceGroup
537+ metadata:
538+ name: aso-sample-rg
539+ namespace: default
540+ annotations:
541+ serviceoperator.azure.com/credential-from: my-resource-secret
542+ spec:
543+ location: westcentralus
544+ EOF
545+ ```
546+
547+ {{% /tab %}}
548+ {{< /tabpane >}}
549+
429550## [ Deprecated] Managed Identity (aad-pod-identity)
430551
431- > ** This authentication mechanism still works but is deprecated. See [ Azure Workload Identity] ( #azure -workload-identity ) for the new way**
552+ > ** This authentication mechanism still works but is deprecated. See [ Managed Identity (via workload identity) ] ( #managed-identity-via -workload-identity ) for the new way**
432553
433554### Prerequisites
434555
0 commit comments