docs

cvvz · cvvz · commit 25c7b0a05d4f · 2023-05-11T07:47:19.000Z
diff --git a/docs/workload-identity.md b/docs/workload-identity.md
@@ -1,4 +1,4 @@
-# How to Use workload identity with Azurefile
+# How to Use workload identity with Blob CSI driver
 
 ## Prerequisites
 
@@ -9,20 +9,16 @@ After you finish the Installation guide, you should have already:
 * installed the mutating admission webhook
 * obtained your cluster’s OIDC issuer URL
 
-## 1. Enable Azure Workload Identity Mutating Webhook injection to Pod in the `kube-system` namespace
-
-Per [azure-workload-identity Known Issues](https://github.com/Azure/azure-workload-identity/blob/main/docs/book/src/known-issues.md#environment-variables-not-injected-into-pods-deployed-in-the-kube-system-namespace-in-an-aks-cluster), if you're deploying Azurefile in the `kube-system` namespace of an AKS cluster, add the `"admissions.enforcer/disabled": "true"` label or annotation in the [MutatingWebhookConfiguration](https://github.com/Azure/azure-workload-identity/blob/8644a217f09902fa1ac63e05cf04d9a3f3f1ebc3/deploy/azure-wi-webhook.yaml#L206-L235).
-
-## 2. Export environment variables
+## 1. Export environment variables
 
 ```shell
 export CLUSTER_NAME="<your cluster name>"
 export CLUSTER_RESOURCE_GROUP="<cluster resource group name>"
 export LOCATION="<location>"
 export OIDC_ISSUER="<your cluster’s OIDC issuer URL>"
 
-# [OPTIONAL] resource group where Azurefile storage account reside
-export AZURE_FILE_RESOURCE_GROUP="<resource group where Azurefile storage account reside>"
+# [OPTIONAL] resource group where Blob storage account reside
+export AZURE_BLOB_RESOURCE_GROUP="<resource group where Blob storage account reside>"
 
 # environment variables for the AAD application
 # [OPTIONAL] Only set this if you're using a Azure AD Application as part of this tutorial
@@ -33,26 +29,26 @@ export APPLICATION_NAME="<your application name>"
 export USER_ASSIGNED_IDENTITY_NAME="<your user-assigned managed identity name>"
 export IDENTITY_RESOURCE_GROUP="<resource group where your user-assigned managed identity reside>"
 
-# Azurefile CSI Driver Service Account and namespace
-export SA_LIST=( "csi-azurefile-controller-sa" "csi-azurefile-node-sa" )
+# Blob CSI Driver Service Account and namespace
+export SA_LIST=( "csi-blob-controller-sa" "csi-blob-node-sa" )
 export NAMESPACE="kube-system"
 ```
 
-## 3. Create Azurefile resource group
+## 2. Create Blob resource group
 
-If you are using AKS, you can get the resource group where Azurefile storage class reside by running:
+If you are using AKS, you can get the resource group where Blob storage class reside by running:
 
 ```shell
-export AZURE_FILE_RESOURCE_GROUP="$(az aks show --name $CLUSTER_NAME --resource-group $CLUSTER_RESOURCE_GROUP --query "nodeResourceGroup" -o tsv)"
+export AZURE_BLOB_RESOURCE_GROUP="$(az aks show --name $CLUSTER_NAME --resource-group $CLUSTER_RESOURCE_GROUP --query "nodeResourceGroup" -o tsv)"
 ```
 
-You can also create resource group by yourself, but you must [specify the resource group](https://github.com/kubernetes-sigs/azurefile-csi-driver/blob/master/docs/driver-parameters.md#:~:text=current%20k8s%20cluster-,resourceGroup,No,-if%20empty%2C%20driver) in the storage class while using Azurefile.
+You can also create resource group by yourself, but you must [specify the resource group](https://github.com/cvvz/blob-csi-driver/blob/workload_identity/docs/driver-parameters.md) in the storage class while using Blob CSI driver:
 
 ```shell
-az group create -n $AZURE_FILE_RESOURCE_GROUP -l $LOCATION
+az group create -n $AZURE_BLOB_RESOURCE_GROUP -l $LOCATION
 ```
 
-## 4. Create an AAD application or user-assigned managed identity and grant required permissions 
+## 3. Create an AAD application or user-assigned managed identity and grant required permissions 
 
 ```shell
 # create an AAD application if using Azure AD Application for this tutorial
@@ -61,28 +57,29 @@ az ad sp create-for-rbac --name "${APPLICATION_NAME}"
 
 ```shell
 # create a user-assigned managed identity if using user-assigned managed identity for this tutorial
+az group create -n ${IDENTITY_RESOURCE_GROUP} -l $LOCATION
 az identity create --name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${IDENTITY_RESOURCE_GROUP}"
 ```
 
-Grant required permission to the AAD application or user-assigned managed identity, for simplicity, we just assign Contributor role to the resource group where Azurefile storage class reside:
+Grant required permission to the AAD application or user-assigned managed identity, for simplicity, we just assign Contributor role to the resource group where Blob storage class reside:
 
 If using Azure AD Application:
 
 ```shell
 export APPLICATION_CLIENT_ID="$(az ad sp list --display-name "${APPLICATION_NAME}" --query '[0].appId' -otsv)"
-export AZURE_FILE_RESOURCE_GROUP_ID="$(az group show -n $AZURE_FILE_RESOURCE_GROUP --query 'id' -otsv)"
-az role assignment create --assignee $APPLICATION_CLIENT_ID --role Contributor --scope $AZURE_FILE_RESOURCE_GROUP_ID
+export AZURE_BLOB_RESOURCE_GROUP_ID="$(az group show -n $AZURE_BLOB_RESOURCE_GROUP --query 'id' -otsv)"
+az role assignment create --assignee $APPLICATION_CLIENT_ID --role Contributor --scope $AZURE_BLOB_RESOURCE_GROUP_ID
 ```
 
 if using user-assigned managed identity:
 
 ```shell
 export USER_ASSIGNED_IDENTITY_OBJECT_ID="$(az identity show --name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${IDENTITY_RESOURCE_GROUP}" --query 'principalId' -otsv)"
-export AZURE_FILE_RESOURCE_GROUP_ID="$(az group show -n $AZURE_FILE_RESOURCE_GROUP --query 'id' -otsv)"
-az role assignment create --assignee $USER_ASSIGNED_IDENTITY_OBJECT_ID --role Contributor --scope $AZURE_FILE_RESOURCE_GROUP_ID
+export AZURE_BLOB_RESOURCE_GROUP_ID="$(az group show -n $AZURE_BLOB_RESOURCE_GROUP --query 'id' -otsv)"
+az role assignment create --assignee $USER_ASSIGNED_IDENTITY_OBJECT_ID --role Contributor --scope $AZURE_BLOB_RESOURCE_GROUP_ID
 ```
 
-## 5. Establish federated identity credential between the identity and the Azurefile service account issuer & subject
+## 4. Establish federated identity credential between the identity and the Blob service account issuer & subject
 
 If using Azure AD Application:
 
@@ -122,25 +119,25 @@ az identity federated-credential create \
 done
 ```
 
-## 6. Deploy Azurefile
+## 5. Deploy Blob CSI Driver
 
 Deploy storageclass:
 
 ```shell
-kubectl create -f https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/deploy/example/storageclass-azurefile-csi.yaml
-kubectl create -f https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/deploy/example/storageclass-azurefile-nfs.yaml
+kubectl create -f https://raw.githubusercontent.com/kubernetes-sigs/blob-csi-driver/master/deploy/example/storageclass-blobfuse.yaml
+kubectl create -f https://raw.githubusercontent.com/kubernetes-sigs/blob-csi-driver/master/deploy/example/storageclass-blob-nfs.yaml
 ```
 
-Deploy Azurefile(If you are using AKS, please disable the managed Azurefile CSI driver by `--disable-file-driver` first)
+Deploy Blob CSI Driver
 
 If using Azure AD Application:
 
 ```shell
 export CLIENT_ID="$(az ad sp list --display-name "${APPLICATION_NAME}" --query '[0].appId' -otsv)"
 export TENANT_ID="$(az ad sp list --display-name "${APPLICATION_NAME}" --query '[0].appOwnerOrganizationId' -otsv)"
-helm install azurefile-csi-driver charts/latest/azurefile-csi-driver \
+helm install blob-csi-driver charts/latest/blob-csi-driver \
 --namespace $NAMESPACE \
---set workloadIdentity.clientID=$CLIENT_ID 
+--set workloadIdentity.clientID=$CLIENT_ID \
 --set workloadIdentity.tenantID=$TENANT_ID
 ```
 
@@ -149,17 +146,17 @@ If using user-assigned managed identity:
 ```shell
 export CLIENT_ID="$(az identity show --name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${IDENTITY_RESOURCE_GROUP}" --query 'clientId' -otsv)"
 export TENANT_ID="$(az identity show --name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${IDENTITY_RESOURCE_GROUP}" --query 'tenantId' -otsv)"
-helm install azurefile-csi-driver charts/latest/azurefile-csi-driver \
+helm install blob-csi-driver charts/latest/blob-csi-driver \
 --namespace $NAMESPACE \
---set workloadIdentity.clientID=$CLIENT_ID 
+--set workloadIdentity.clientID=$CLIENT_ID \
 --set workloadIdentity.tenantID=$TENANT_ID
 ```
 
-## 7. Deploy application using Azurefile
+## 6. Deploy application using Blob CSI driver
 
 ```shell
-kubectl create -f https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/deploy/example/nfs/statefulset.yaml
-kubectl create -f  https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/deploy/example/deployment.yaml
+kubectl create -f https://raw.githubusercontent.com/kubernetes-sigs/blob-csi-driver/master/deploy/example/nfs/statefulset.yaml
+kubectl create -f  https://raw.githubusercontent.com/kubernetes-sigs/blob-csi-driver/master/deploy/example/deployment.yaml
 ```
 
 Please make sure all the Pods are running.
