This readme documents an App on the Giant Swarm App Platform
Read more in: What is this repo?
This App installs the Azure AD Pod Identity onto your tenant cluster.
Azure AD Pod Identity enables Kubernetes applications to access cloud resources securely with Azure Active Directory.
Using Kubernetes primitives, administrators configure identities and bindings to match pods. Then without any code modifications, your containerized applications can leverage any resource in the cloud that depends on Azure Active Directory as an identity provider.
Table of Contents:
- Azure AD Pod Identity App
- Installing
- Configuration Options
- Limitations
- For developers
- What is this repo?
There are 3 ways to install this app onto a tenant cluster.
- Using our web interface
- Using our API
- Directly creating the App custom resource on the Control Plane.
This application cannot be installed without configuring the following required parameters:
Parameter | Description |
---|---|
adminsecret.cloud |
Azure cloud environment name. Should be one of: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud |
adminsecret.subscriptionID |
Azure subscription ID where the cluster is located |
adminsecret.resourceGroup |
Azure resource group of the cluster |
adminsecret.tenantID |
Azure service principal tenantID |
adminsecret.clientID |
Azure service principal clientID |
adminsecret.clientSecret |
Azure service principal clientSecret |
For more configuration options, see Configuration Options
This is an example of the values file you could upload using our web interface.
# values.yaml
adminsecret:
cloud: AzurePublicCloud
If you are not using the web interface, our (deprecated) API takes the same structure but formatted as JSON:
# values.json
{
"adminsecret": {
"cloud": "AzurePublicCloud"
}
}
If you have access to the Kubernetes API on the Control Plane, you could create the App CR and ConfigMap directly.
Here is an example that would install the azure-ad-pod-identity-app to
tenant cluster abc12
:
# appCR.yaml
apiVersion: application.giantswarm.io/v1alpha1
kind: App
metadata:
labels:
app-operator.giantswarm.io/version: 1.0.0
name: azure-ad-pod-identity-app
# Tenant cluster resources live in a namespace with the same ID as the
# tenant cluster.
namespace: abc12
spec:
name: azure-ad-pod-identity-app
namespace: azure-system
catalog: giantswarm-playground
version: 0.1.0
userConfig:
configMap:
name: azure-ad-pod-identity-app-user-values
namespace: abc12
secret:
name: ""
namespace: ""
kubeConfig:
context:
name: abc12-kubeconfig
inCluster: false
secret:
name: abc12-kubeconfig
namespace: abc12
# user-values-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: azure-ad-pod-identity-app-user-values
namespace: abc12
data:
values: |
adminsecret:
cloud: AzurePublicCloud
If you feel like any of the configuration values need to be encrypted at rest, you can also provide a secret.
It is a convention to call the user level configmap {app-name}-user-values
.
So in this case we called the ConfigMap azure-ad-pod-identity-app-user-values
If you place these files in a folder called foldername
, you could use the
command: kubectl apply foldername
, to deploy this app to a tenant cluster
with id abc12
.
See our full reference page on how to configure applications for more details.
All configuration options are documented in the values.yaml file.
Some of our apps have certain restrictions on how they can be deployed. Not following these limitations will most likely result in a broken deployment.
- This app must not be installed more than once.
To install the chart locally:
$ git clone https://github.com/giantswarm/azure-ad-pod-identity-app.git
$ cd azure-ad-pod-identity-app
$ helm install helm/azure-ad-pod-identity-app
! Beware that you need to provide Azure Credentials for the application to run.
Provide a custom values.yaml
:
$ helm install azure-ad-pod-identity-app -f values.yaml
- Ensure CHANGELOG.md is up to date.
- Create a new GitHub release with the version e.g.
v0.1.0
and link the changelog entry. - This will push a new git tag and trigger a new tarball to be pushed to the giantswarm-playground-catalog.
- Test and verify the Azure AD Pod Identity App release across supported environments in a new or existing WIP platform release.
This repo contains a helm chart for the Giant Swarm App Platform. While it is just a Helm chart, there might be some Giant Swarm App Platform specific values in the templates.
It is available as an App
in the giantswarm-playground-catalog
and giantswarm-playground-test-catalog
.