Bumped aad-pod-identity chart to v4.0.0

Author: adamrushuk

terraform/aad_pod_identity_helm.tf

@@ -51,13 +51,7 @@ resource "helm_release" "aad_pod_identity" {
     data.template_file.azureIdentities.rendered
   ]
 
-  # should only be required for helm v2
-  set {
-    name  = "installCRDs"
-    value = "false"
-  }
-
-  # allow Kubenet: https://azure.github.io/aad-pod-identity/docs/configure/aad_pod_identity_on_kubenet/
+  # enable if using Kubenet: https://azure.github.io/aad-pod-identity/docs/configure/aad_pod_identity_on_kubenet/
   set {
     name  = "nmi.allowNetworkPluginKubenet"
     value = "false"

terraform/helm/aad_pod_identity_values.yaml

@@ -1,4 +1,4 @@
-# source: https://github.com/Azure/aad-pod-identity/blob/v1.7.1/charts/aad-pod-identity/values.yaml
+# source: https://github.com/Azure/aad-pod-identity/blob/v1.7.5/charts/aad-pod-identity/values.yaml
 
 # Default values for aad-pod-identity-helm.
 # This is a YAML-formatted file.
@@ -15,12 +15,6 @@ image:
 # imagePullSecrets:
 #   - name: myRegistryKeySecretName
 
-# https://github.com/Azure/aad-pod-identity#4-optional-match-pods-in-the-namespace
-# By default, AAD Pod Identity matches pods to identities across namespaces.
-# To match only pods in the namespace containing AzureIdentity set this to true.
-# DEPRECATED - use 'forceNamespaced' instead.
-forceNameSpaced: ""
-
 # https://github.com/Azure/aad-pod-identity#4-optional-match-pods-in-the-namespace
 # By default, AAD Pod Identity matches pods to identities across namespaces.
 # To match only pods in the namespace containing AzureIdentity set this to true.
@@ -51,8 +45,9 @@ operationMode: "standard"
 
 mic:
   image: mic
-  tag: v1.7.1
+  tag: v1.7.5
 
+  # ref: https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical
   priorityClassName: ""
 
   # log level. Uses V logs (klog)
@@ -69,14 +64,28 @@ mic:
 
   podAnnotations: {}
 
+  podLabels: {}
+
   ## Node labels for pod assignment
   ## aad-pod-identity is currently only supported on linux
   nodeSelector:
     kubernetes.io/os: linux
 
   tolerations: []
+    # - key: "CriticalAddonsOnly"
+    #   operator: "Exists"
 
+  # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
   affinity: {}
+    # nodeAffinity:
+    #   preferredDuringSchedulingIgnoredDuringExecution:
+    #     - weight 1
+    #       preference:
+    #         matchExpressions:
+    #           - key: kubernetes.azure.com/mode
+    #             operator: In
+    #             values:
+    #               - system
 
   # Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in.
   # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
@@ -147,8 +156,9 @@ mic:
 
 nmi:
   image: nmi
-  tag: v1.7.1
+  tag: v1.7.5
 
+  # ref: https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical
   priorityClassName: ""
 
   # log level. Uses V logs (klog)
@@ -165,14 +175,28 @@ nmi:
 
   podAnnotations: {}
 
+  podLabels: {}
+
   ## Node labels for pod assignment
   ## aad-pod-identity is currently only supported on linux
   nodeSelector:
     kubernetes.io/os: linux
 
   tolerations: []
+    # - key: "CriticalAddonsOnly"
+    #   operator: "Exists"
 
+  # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
   affinity: {}
+    # nodeAffinity:
+    #   preferredDuringSchedulingIgnoredDuringExecution:
+    #     - weight 1
+    #       preference:
+    #         matchExpressions:
+    #           - key: kubernetes.azure.com/mode
+    #             operator: In
+    #             values:
+    #               - system
 
   # Override iptables update interval in seconds (default is 60)
   ipTableUpdateTimeIntervalInSeconds: ""
@@ -221,6 +245,7 @@ rbac:
   # NMI requires permissions to get secrets when service principal (type: 1) is used in AzureIdentity.
   # If using only MSI (type: 0) in AzureIdentity, secret get permission can be disabled by setting this to false.
   allowAccessToSecrets: true
+  pspEnabled: false
 
 # Create azure identities and bindings
 # This is a map with the AzureIdentityName being the key and the rest of the blob as value in accordance
@@ -247,5 +272,6 @@ azureIdentities:
   #     # The selector will also need to be included in labels for app deployment
   #     selector: "demo"
 
-# If true, install necessary custom resources.
-installCRDs: false
+# If provided, the userAgent string will be appended to the pod identity user agents for all
+# ADAL, ARM and Kube API server requests.
+customUserAgent: ""

terraform/variables.tf

@@ -65,7 +65,7 @@ variable "akv2k8s_chart_version" {
 # https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4
 # helm search repo aad-pod-identity/aad-pod-identity
 variable "aad_pod_identity_chart_version" {
-  default = "3.0.3"
+  default = "4.0.0"
 }
 
 # https://bitnami.com/stack/external-dns/helm
@@ -78,7 +78,7 @@ variable "external_dns_chart_version" {
 # https://github.com/weaveworks/kured/tree/master/charts/kured
 # helm search repo kured/kured
 variable "kured_chart_version" {
-  default = "2.4.0"
+  default = "2.4.1"
 }
 
 # https://github.com/weaveworks/kured#kubernetes--os-compatibility