aad-pod-identity
Support for configMapRef and secretRef in AzureIdentity
The AzureIdentity CRD currently requires configuring the resourceId and clientId directly in the CRD. Besides this 'direct' configuration of the values for these attributes, it would help to be able to reference the values from other resources (secrets and configmaps).
We have a fully automated infrastructure setup, where we orchestrate the infrastructure with terraform, and afterwards run kubernetes (kustomize) deployments on the created infrastructure. In the terraform run we create the identities, but we have to move the resourceId and clientId 'manually' to the cluster. Since the configuration is based on CRDs, we cannot create these during our terraform setup (as the CRDs are not present at that moment in time). However, we are able to create secrets or configmaps. Having the configMapRef and/or secretRef would enable us to fully automate this cycle without extra magic.
Alternatives we have considered are implementing this magic inside our pipeline (and using the az cli to retrieve the values), or moving it to a kustomize plugin. However, in our opinion this is extra (hidden) complexity, which we wouldn't need if a configMapRef/secretRef feature is available.
Hi @joyrex2001, https://github.com/Azure/aad-pod-identity/issues/532#issuecomment-651995514 explained why we currently don't support this feature at the moment. However, since we have more and more people onboarding aad-pod-identity, we will seriously consider this feature in our next release.
Have you looked at this: How about Terraform + Environment Variables + Makefiles?
@aramase thanks for the suggestion. This is a similar approach as using the az cli to get the values and creating the azure identity resource. It is not that I don't know how to solve it, but all solutions will require an extra moving part (in your example terraform output and templating). That complexity is not required if the AzureIdentity CRD supports references to secret or configmap values.
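For readers weighing the "terraform output + templating" workaround that @aramase suggests and @joyrex2001 describes as the extra moving part, the script below is an added example (it is not code from the aad-pod-identity project or from either participant). It reads the JSON that `terraform output -json` produces, validates the two values before they are templated into an AzureIdentity manifest (so a malformed or mis-pasted output cannot silently become a manifest that points at the wrong identity or breaks the YAML), and emits the manifest. The terraform output names (`identity_resource_id`, `identity_client_id`), the manifest name/namespace and the sample JSON are assumptions constructed for this illustration; the field names in the rendered manifest follow the `aadpodidentity.k8s.io/v1` AzureIdentity spec.

```python
"""Render an AzureIdentity manifest from `terraform output -json`.

Added example for the aad-pod-identity issue thread; not project code.
The output names, manifest name/namespace and sample values below are
constructed assumptions, not taken from any real environment.
"""
import json
import re

# Assumed names of the terraform outputs that expose the identity (adjust to your module).
RESOURCE_ID_OUTPUT = "identity_resource_id"
CLIENT_ID_OUTPUT = "identity_client_id"

# Shapes we accept before templating: a user-assigned identity ARM ID, a GUID,
# and a DNS-1123 label for Kubernetes object names. Anything else is rejected
# so that a bad terraform output never reaches the cluster as a manifest.
_RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}/resourceGroups/[^/\s]+"
    r"/providers/Microsoft\.ManagedIdentity/userAssignedIdentities/[^/\s]+$",
    re.IGNORECASE,
)
_GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
_DNS_LABEL_RE = re.compile(r"^[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?$")


def read_terraform_outputs(raw_json: str) -> dict:
    """Flatten `terraform output -json` ({name: {value, type, sensitive}}) into {name: value}."""
    parsed = json.loads(raw_json)
    outputs = {}
    for name, entry in parsed.items():
        if not isinstance(entry, dict) or "value" not in entry:
            raise ValueError(f"output {name!r} is not in `terraform output -json` shape")
        outputs[name] = entry["value"]
    return outputs


def validate_identity_values(resource_id: str, client_id: str) -> None:
    """Reject values that are not a user-assigned identity ARM ID and a GUID."""
    if not isinstance(resource_id, str) or not _RESOURCE_ID_RE.match(resource_id):
        raise ValueError("resource ID is not a user-assigned managed identity ARM ID")
    if not isinstance(client_id, str) or not _GUID_RE.match(client_id):
        raise ValueError("client ID is not a GUID")


def render_azure_identity(name: str, namespace: str, outputs: dict) -> str:
    """Return an AzureIdentity manifest (YAML text) for a user-assigned identity (type 0)."""
    for label in (name, namespace):
        if not _DNS_LABEL_RE.match(label):
            raise ValueError(f"{label!r} is not a valid Kubernetes object name")
    resource_id = outputs[RESOURCE_ID_OUTPUT]
    client_id = outputs[CLIENT_ID_OUTPUT]
    validate_identity_values(resource_id, client_id)
    # Every interpolated value has been validated against a strict pattern above,
    # so plain string templating cannot produce malformed or injected YAML here.
    return (
        "apiVersion: aadpodidentity.k8s.io/v1\n"
        "kind: AzureIdentity\n"
        "metadata:\n"
        f"  name: {name}\n"
        f"  namespace: {namespace}\n"
        "spec:\n"
        "  type: 0\n"
        f"  resourceID: {resource_id}\n"
        f"  clientID: {client_id}\n"
    )


# Constructed sample of what `terraform output -json` would print (placeholder IDs).
SAMPLE_TERRAFORM_OUTPUT = json.dumps({
    RESOURCE_ID_OUTPUT: {
        "sensitive": False,
        "type": "string",
        "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
                 "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/app-identity",
    },
    CLIENT_ID_OUTPUT: {
        "sensitive": False,
        "type": "string",
        "value": "11111111-2222-3333-4444-555555555555",
    },
})

if __name__ == "__main__":
    # Typical pipeline use: terraform output -json | python render_identity.py | kubectl apply -f -
    outputs = read_terraform_outputs(SAMPLE_TERRAFORM_OUTPUT)
    print(render_azure_identity("app-identity", "default", outputs))
```

In a pipeline the script would read stdin instead of the embedded sample; the point of the validation step is that the manifest is generated from checked values rather than from whatever text happened to be in the terraform state, which is the kind of hidden failure mode a manual copy step also carries.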