provider-azure
Support for system-assigned and user-assigned managed identities
Description of your changes
Fixes #164, #292, #319
This PR adds support for system-assigned and user-assigned managed identities, formerly known as Managed Service Identities (MSIs), via the Azure Identity client module.
An example ProviderConfig that uses a system-assigned managed identity is as follows:

```yaml
apiVersion: azure.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: example
spec:
  credentials:
    source: InjectedIdentity
  subscriptionID: <Azure subscription ID>
```
Another example using a user-assigned managed identity:

```yaml
apiVersion: azure.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: example
spec:
  credentials:
    source: InjectedIdentity
  subscriptionID: <Azure subscription ID>
  clientID: <Client ID of the user-assigned managed kubelet identity>
```
I have:
- [x] Read and followed Crossplane's contribution process.
- [x] Run `make reviewable test` to ensure this PR is ready for review.
How has this code been tested
I have successfully provisioned a ResourceGroup and an AKSCluster using a system-assigned managed identity and also a user-assigned managed identity with the ProviderConfigs given above.
I tested the PR with a user-assigned managed identity with the following steps:
- Created an identity:

```sh
az identity create --name ezgiidentity --resource-group ezgi --location westeurope
```

- Assigned the Managed Identity Operator and Contributor roles to it. Seeing these role assignments' effects took some time.
- Created an AKS cluster and set its identity and its kubelet's identity to the managed one above:

```sh
az aks create --resource-group ezgi --name ezgi-cluster --enable-managed-identity --assign-identity $ID --location westeurope
```
- Installed Crossplane:

```sh
up uxp install -n crossplane-system
```

- Installed the provider built from this branch:

```sh
kc install provider ulucinar/provider-azure:build-3eacbce2
```
- Created a provider config with the user-managed identity ID:

```yaml
apiVersion: azure.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: example
spec:
  credentials:
    source: InjectedIdentity
  subscriptionID: <sub-id>
  clientID: <client-id>
```
- Successfully created a resource group with the example manifest.
- Successfully created a subnet and a virtual network with the example manifests.
- Failed to create an AKS cluster with the following error:

```
Warning CannotCreateExternalResource 3m16s (x340 over 28m) managed/akscluster.compute.azure.crossplane.io cannot create AKSCluster: containerservice.ManagedClustersClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="MustDefineAtLeastOneSystemPool" Message="Must define at least one system pool."
```

While preparing a cluster with a user-managed identity, I noticed that the kubelet's identity should also be set. The following curl command helped me troubleshoot. I created a pod with a curl binary in the cluster and executed it inside that pod:

```sh
curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -H Metadata:true -s
```
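The IMDS troubleshooting step above can be turned into a repeatable check: request a token for the client ID the ProviderConfig names and confirm that the token IMDS hands back was really issued for that identity rather than for whatever other identity happens to be attached to the node. The script below is an added example and is not code from this PR or from provider-azure. It assumes a Linux pod with coreutils `base64` and `curl`, that the `appid` claim of the access token carries the managed identity's client ID (true for Azure AD access tokens), and the client ID values used in the comments and test are placeholders.

```shell
#!/bin/sh
# Added example (not part of the PR or of provider-azure): verify that the IMDS
# token a pod receives belongs to the user-assigned identity the ProviderConfig
# references via clientID. All client IDs in this file are placeholders.

IMDS_TOKEN_URL="http://169.254.169.254/metadata/identity/oauth2/token"

# Build the IMDS request URL for the ARM audience. When a node carries several
# user-assigned identities, IMDS needs client_id to pick one; without it the
# endpoint answers HTTP 400 instead of guessing, so the parameter is optional
# here but should be passed whenever a user-assigned identity is intended.
imds_token_url() {
  client_id="$1"
  url="${IMDS_TOKEN_URL}?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F"
  if [ -n "$client_id" ]; then
    url="${url}&client_id=${client_id}"
  fi
  printf '%s' "$url"
}

# Decode one base64url segment of a JWT: swap the URL-safe alphabet back to the
# standard one and restore the padding that JWTs strip.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Pull the appid claim (the identity's client ID) out of an access token's
# payload. This reads the claim only; it does not validate the signature, which
# is not needed for a "which identity did I get?" check on the box itself.
jwt_appid() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload" | sed -n 's/.*"appid":"\([^"]*\)".*/\1/p'
}

# Succeed only if the token was issued for the expected client ID.
check_identity() {
  expected="$1"
  token="$2"
  actual=$(jwt_appid "$token")
  [ "$actual" = "$expected" ]
}

# Live use inside a pod on an AKS node: fetch a token for the given client ID and
# return just the access_token field. Not exercised offline.
imds_fetch_token() {
  curl -s -H Metadata:true "$(imds_token_url "$1")" \
    | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# Example invocation on a node (placeholder client ID):
#   CLIENT_ID=11111111-2222-3333-4444-555555555555
#   check_identity "$CLIENT_ID" "$(imds_fetch_token "$CLIENT_ID")" && echo "kubelet identity matches ProviderConfig clientID"
```

If `check_identity` fails on a node, the identity referenced by `clientID` is not attached to the node's VM scale set, which is the situation the kubelet-identity remark above describes; if the bare request without `client_id` returns 400, more than one user-assigned identity is attached and the ProviderConfig must name one.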
@turkenh I have a client who would like to use Managed Identities. I would be happy to try and help fix whatever Codecov is saying is wrong, but I do not have access to see what the problem is. Can you let us know what it is or help to get it addressed so that we can all start using these amazingly helpful changes from @ulucinar?
Any estimate on this feature's delivery? It would be really useful.
I would also love to see this PR merged because it would simplify our current setup using Crossplane with Service Principals a lot!
Any chance we can get this merged?
Any ETA here? Hoping this helps me automate giving the role "DNS Zone Contributor" to my AKS clusters so external-dns will work.
I'm looking at implementing this provider. The feature you've introduced aligns perfectly with our current needs. Thank you for your valuable work @ulucinar !
I see this was approved on May 9, 2022, but it is still not merged because of the Codecov check.
@turkenh / @ezgidemirel if possible, could you revisit this matter for a second evaluation? The report is no longer available, and a previous user mentioned that external users don't have access to it. Your assistance in this matter would be greatly appreciated.
Any updates? Would love to see this feature implemented