Merge pull request #251249 from RichardChen820/appconfig/junbchen/revertWorkloadIdentity4

prmerger-automator[bot] · web-flow · commit 0bd0061e3cfd · 2023-09-13T08:16:44.000Z
Revert the workload identity support
diff --git a/articles/azure-app-configuration/reference-kubernetes-provider.md b/articles/azure-app-configuration/reference-kubernetes-provider.md
@@ -40,19 +40,12 @@ If the `spec.target.configMapData` property is not set, the generated ConfigMap
 |type|The setting that indicates how the retrieved data is constructed in the generated ConfigMap. The allowed values include `default`, `json`, `yaml` and `properties`|optional|string|
 |key|The key name of the retrieved data when the `type` is set to `json`, `yaml` or `properties`. Set it to the file name if the ConfigMap is set up to be consumed as a mounted file|conditional|string|
 
-The `spec.auth` property isn't required if the connection string of your App Configuration store is provided by setting the `spec.connectionStringReference` property. Otherwise, one of the identities, service principal, workload identity, or managed identity, will be used for authentication. The `spec.auth` has the following child properties. Only one of them should be specified. If none of them are set, the system-assigned managed identity of the virtual machine scale set will be used.
+If the `spec.auth` property isn't set, the system-assigned managed identity is used. It has the following child properties. Only one authentication method should be set.
 
 |Name|Description|Required|Type|
 |---|---|---|---|
+|managedIdentityClientId|The Client ID of user-assigned managed identity|false|string|
 |servicePrincipalReference|The name of the Kubernetes Secret that contains the credentials of a service principal|false|string|
-|workloadIdentity|The settings for using workload identity|false|object|
-|managedIdentityClientId|The Client ID of user-assigned managed identity of virtual machine scale set|false|string|
-
-The `spec.auth.workloadIdentity` property has the following child property.
-
-|Name|Description|Required|Type|
-|---|---|---|---|
-|managedIdentityClientId|The Client ID of the user-assigned managed identity associated with the workload identity|true|string|
 
 The `spec.keyValues` has the following child properties. The `spec.keyValues.keyVaults` property is required if any Key Vault references are expected to be downloaded.
 
@@ -87,19 +80,17 @@ If the `spec.keyValues.keyVaults.auth` property isn't set, the system-assigned m
 
 |Name|Description|Required|Type|
 |---|---|---|---|
+|managedIdentityClientId|The client ID of a user-assigned managed identity used for authentication with vaults that don't have individual authentication methods specified|false|string|
 |servicePrincipalReference|The name of the Kubernetes Secret that contains the credentials of a service principal used for authentication with vaults that don't have individual authentication methods specified|false|string|
-|workloadIdentity|The settings of the workload identity used for authentication with vaults that don't have individual authentication methods specified. It has the same child properties as `spec.auth.workloadIdentity`|false|object|
-|managedIdentityClientId|The client ID of a user-assigned managed identity of virtual machine scale set used for authentication with vaults that don't have individual authentication methods specified|false|string|
 |vaults|The authentication methods for individual vaults|false|object array|
 
-The authentication method of each *vault* can be specified with the following properties. One of `managedIdentityClientId`, `servicePrincipalReference` or `workloadIdentity` must be provided.
+The authentication method of each *vault* can be specified with the following properties. One of `managedIdentityClientId` and `servicePrincipalReference` must be provided.
 
 |Name|Description|Required|Type|
 |---|---|---|---|
 |uri|The URI of a vault|true|string|
+|managedIdentityClientId|The client ID of a user-assigned managed identity used for authentication with a vault|false|string|
 |servicePrincipalReference|The name of the Kubernetes Secret that contains the credentials of a service principal used for authentication with a vault|false|string|
-|workloadIdentity|The settings of the workload identity used for authentication with a vault. It has the same child properties as `spec.auth.workloadIdentity`|false|object|
-|managedIdentityClientId|The client ID of a user-assigned managed identity of virtual machine scale set used for authentication with a vault|false|string|
 
 The `spec.keyValues.refresh` property has the following child properties.
 
@@ -119,12 +110,10 @@ The `spec.keyValues.refresh.monitoring.keyValues` is an array of objects, which
 
 ### Authentication
 
-#### Use system-assigned managed identity of virtual machine scale set
+#### Use System-Assigned Managed Identity
 
 1. [Enable the system-assigned managed identity in the virtual machine scale set](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vmss#enable-system-assigned-managed-identity-on-an-existing-virtual-machine-scale-set) used by the Azure Kubernetes Service (AKS) cluster.
-
 1. [Grant the system-assigned managed identity **App Configuration Data Reader** role](/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity#grant-access-to-app-configuration) in Azure App Configuration.
-
 1. Deploy the following sample `AzureAppConfigurationProvider` resource to the AKS cluster.
 
     ``` yaml
@@ -138,14 +127,11 @@ The `spec.keyValues.refresh.monitoring.keyValues` is an array of objects, which
         configMapName: configmap-created-by-appconfig-provider
     ```
 
-#### Use user-assigned managed identity of virtual machine scale set
+#### Use User-Assigned Managed Identity
 
 1. [Create a user-assigned managed identity](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities#create-a-user-assigned-managed-identity) and note down its client ID after creation.
-
 1. [Assign the user-assigned managed identity to the virtual machine scale set](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vmss#user-assigned-managed-identity) used by the Azure Kubernetes Service (AKS) cluster.
-
 1. [Grant the user-assigned managed identity **App Configuration Data Reader** role](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vmss#user-assigned-managed-identity) in Azure App Configuration.
-
 1. Set the `spec.auth.managedIdentityClientId` property to the client ID of the user-assigned managed identity in the following sample `AzureAppConfigurationProvider` resource and deploy it to the AKS cluster.
 
     ``` yaml
@@ -161,14 +147,11 @@ The `spec.keyValues.refresh.monitoring.keyValues` is an array of objects, which
         managedIdentityClientId: <your-managed-identity-client-id>
     ```
 
-#### Use service principal
+#### Use Service Principal
 
 1. [Create a Service Principal](/azure/active-directory/develop/howto-create-service-principal-portal)
-
 1. [Grant the service principal **App Configuration Data Reader** role](/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity#grant-access-to-app-configuration) in Azure App Configuration.
-
 1. Create a Kubernetes Secret in the same namespace as the `AzureAppConfigurationProvider` resource and add *azure_client_id*, *azure_client_secret*, and *azure_tenant_id* of the service principal to the Secret.
-
 1. Set the `spec.auth.servicePrincipalReference` property to the name of the Secret in the following sample `AzureAppConfigurationProvider` resource and deploy it to the Kubernetes cluster.
 
     ``` yaml
@@ -184,42 +167,9 @@ The `spec.keyValues.refresh.monitoring.keyValues` is an array of objects, which
         servicePrincipalReference: <your-service-principal-secret-name>
     ```
 
-#### Use workload identity
-
-1. [Enable Workload Identity](/azure/aks/workload-identity-deploy-cluster#update-an-existing-aks-cluster) on the Azure Kubernetes Service (AKS) cluster.
- 
-1. [Get the OIDC issuer URL](/azure/aks/workload-identity-deploy-cluster#retrieve-the-oidc-issuer-url) of the AKS cluster.
-
-1. [Create a user-assigned managed identity](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities#create-a-user-assigned-managed-identity) and note down its client ID after creation.
-
-1. Create the federated identity credential between the managed identity, OIDC issuer, and subject using the Azure CLI.
-   
-   ``` azurecli
-   az identity federated-credential create --name "${FEDERATED_IDENTITY_CREDENTIAL_NAME}" --identity-name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${RESOURCE_GROUP}" --issuer "${AKS_OIDC_ISSUER}" --subject system:serviceaccount:azappconfig-system:az-appconfig-k8s-provider --audience api://AzureADTokenExchange
-   ```
-
-1. [Grant the user-assigned managed identity **App Configuration Data Reader** role](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vmss#user-assigned-managed-identity) in Azure App Configuration.
-
-1. Set the `spec.auth.workloadIdentity.managedIdentityClientId` property to the client ID of the user-assigned managed identity in the following sample `AzureAppConfigurationProvider` resource and deploy it to the AKS cluster.
-
-    ``` yaml
-    apiVersion: azconfig.io/v1beta1
-    kind: AzureAppConfigurationProvider
-    metadata:
-      name: appconfigurationprovider-sample
-    spec:
-      endpoint: <your-app-configuration-store-endpoint>
-      target:
-        configMapName: configmap-created-by-appconfig-provider
-      auth:
-        workloadIdentity:
-          managedIdentityClientId: <your-managed-identity-client-id>
-    ```
-
-#### Use connection string
+#### Use Connection String
 
 1. Create a Kubernetes Secret in the same namespace as the `AzureAppConfigurationProvider` resource and add Azure App Configuration connection string with key *azure_app_configuration_connection_string* in the Secret.
-
 1. Set the `spec.connectionStringReference` property to the name of the Secret in the following sample `AzureAppConfigurationProvider` resource and deploy it to the Kubernetes cluster.
 
     ``` yaml
@@ -232,7 +182,6 @@ The `spec.keyValues.refresh.monitoring.keyValues` is an array of objects, which
       target:
         configMapName: configmap-created-by-appconfig-provider
     ```
-
 ### Key-value selection
 
 Use the `selectors` property to filter the key-values to be downloaded from Azure App Configuration.
