feat(azure-apps): introduce azure-workload-identity-webhook deployment
hairmare committed Dec 1, 2023
1 parent 95d89f7 commit 03fdf65
Showing 6 changed files with 76 additions and 24 deletions.
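--- a/charts/azure-apps/Chart.yaml
+++ b/charts/azure-apps/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: azure-apps
 description: Argo CD app-of-apps config for Azure applications
 type: application
-version: 0.12.0
+version: 0.13.0
 home: https://github.com/adfinis/helm-charts/tree/main/charts/azure-apps
 sources:
 - https://github.com/adfinis/helm-charts
@@ -16,26 +16,10 @@ dependencies:
 repository: https://charts.adfinis.com
 annotations:
 artifacthub.io/changes: |
-- kind: changed
-description: "azureKvCsiProvider: bump azureKvCsiProvider from v1.3 to v1.4.1"
+- kind: added
+description: "feat: add azure-workload-identity-webhook"
 links:
-- name: Fixes CVE-2022-41717
-url: https://github.com/Azure/secrets-store-csi-driver-provider-azure/pull/1039
-- name: Fixes CVE-2022-32149
-url: https://github.com/Azure/secrets-store-csi-driver-provider-azure/pull/999
-- name: Fixes CVE-2022-27664
-url: https://github.com/Azure/secrets-store-csi-driver-provider-azure/pull/976
-- name: Fixes CVE-2022-1996
-url: https://github.com/Azure/secrets-store-csi-driver-provider-azure/pull/957
-- name: fix/updates template condition for Arc
-url: https://github.com/Azure/secrets-store-csi-driver-provider-azure/pull/973
-- name: fix/increase fluentd resource limits for arc
-url: https://github.com/Azure/secrets-store-csi-driver-provider-azure/pull/946
-- name: fix/bug 948 arc missing system identity
-url: https://github.com/Azure/secrets-store-csi-driver-provider-azure/pull/949
-- name: fix/runs msi-adapter as privileged on openshift
-url: https://github.com/Azure/secrets-store-csi-driver-provider-azure/pull/920
-- name: Update to v1.4.0
-url: https://github.com/Azure/secrets-store-csi-driver-provider-azure/releases/tag/v1.4.0
-- name: Update to v1.4.1
-url: https://github.com/Azure/secrets-store-csi-driver-provider-azure/releases/tag/v1.4.1
+- name: Microsoft Entra Workload ID
+url: https://learn.microsoft.com/en-us/entra/workload-id/workload-identities-overview
+- name: Azure Workload Identity System
+url: https://azure.github.io/azure-workload-identity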
9 changes: 8 additions & 1 deletion charts/azure-apps/README.md


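--- a/charts/azure-apps/ci/default-values.yaml
+++ b/charts/azure-apps/ci/default-values.yaml
@@ -7,3 +7,6 @@ promitorScraper:
 promitorResourceDiscovery:
 enabled: true
 values: {}
+azureWorkloadIdentityWebhook:
+enabled: true
+values: {}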
@@ -0,0 +1,5 @@
azureWorkloadIdentityWebhook:
enabled: true
project: azure-workload-identity-system
values:
azureTenantID: <REPLACE ME>
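--- a/charts/azure-apps/templates/azure-workload-identity-webhook.yaml
+++ b/charts/azure-apps/templates/azure-workload-identity-webhook.yaml
@@ -0,0 +1,33 @@
+{{ if .Values.azureWorkloadIdentityWebhook.enabled }}
+{{ template "argoconfig.application" (list . "azure-apps.azureWorkloadIdentityWebhook") }}
+{{ end }}
+
+{{- define "azure-apps.azureWorkloadIdentityWebhook" -}}{{- $app := unset .Values.azureWorkloadIdentityWebhook "enabled" -}}{{- $name := default $app.destination.namespace $app.name -}}
+metadata:
+name: {{ template "common.fullname" . }}-{{ $name }}
+spec:
+{{- if $app.project }}
+project: {{ $app.project | quote }}
+{{- end }}
+source:
+repoURL: {{ $app.repoURL | quote }}
+chart: {{ $app.chart | quote }}
+targetRevision: {{ $app.targetRevision | quote }}
+helm:
+releaseName: {{ $name | quote }}
+values: |-
+nameOverride: {{ $name | quote }}
+{{- $app.values | toYaml | nindent 8 }}
+{{- if $app.destination }}
+destination:
+{{ $app.destination | toYaml | nindent 4 }}
+{{- end }}
+{{- if $app.syncPolicy }}
+syncPolicy:
+{{ $app.syncPolicy | toYaml | nindent 4 }}
+{{- end }}
+{{- if $app.ignoreDifferences }}
+ignoreDifferences:
+{{ $app.ignoreDifferences | toYaml | nindent 4 }}
+{{- end }}
+{{- end -}}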
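Review bot: The `define` line builds `$app` with `unset .Values.azureWorkloadIdentityWebhook "enabled"`, and Sprig's `unset` deletes the key from the map in place rather than returning a copy, so once this template has rendered, `.Values.azureWorkloadIdentityWebhook.enabled` is gone for any other template evaluated afterwards; it works here only because the `if ... .enabled` guard on the first line runs before the define is invoked. If the chart's other app templates use the same pattern this is probably inherited, but `{{- $app := omit .Values.azureWorkloadIdentityWebhook "enabled" -}}` yields a copy and removes the order dependence. Separately, that line packs the `define` and both assignments onto a single line while the rest of the template is one action per line; splitting it into three lines each ending in `-}}` produces identical output and keeps the file consistent with the body below.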
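--- a/charts/azure-apps/values.yaml
+++ b/charts/azure-apps/values.yaml
@@ -57,3 +57,23 @@ promitorResourceDiscovery:
 # -- Helm values
 # @default -- [upstream values](https://github.com/promitor/charts/blob/main/promitor-agent-resource-discovery/values.yaml)
 values: {}
+
+# -- [azure-workload-identity](https://azure.github.io/azure-workload-identity) ([example](./examples/azure-workload-identity-webhook.yaml))
+# # @default -- -
+azureWorkloadIdentityWebhook:
+# -- Enable azure-workload-identity webhook
+enabled: false
+name: azure-workload-identity-webhook
+destination:
+# -- Namespace
+namespace: "azure-workload-identity-system"
+# -- Repo URL
+# @default -- [repo](https://azure.github.io/azure-workload-identity/charts)
+repoURL: "https://azure.github.io/azure-workload-identity/charts"
+# -- Chart
+chart: "azure-workload-identity-webhook"
+# -- [azure-workload-identity-webhook Helm chart](https://github.com/Azure/azure-workload-identity/tree/main/charts/workload-identity-webhook) version
+targetRevision: "0.12.0"
+# -- Helm values
+# @default -- [upstream values](https://github.com/adfinis/helm-charts/blob/main/charts/azure-apps/values.yaml)
+values: {}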
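Review bot: The `@default` annotation on the new `values` key links back to this chart's own `charts/azure-apps/values.yaml` instead of the upstream chart's defaults, unlike the promitor entry just above it, which points at the upstream promitor chart; it should read `# @default -- [upstream values](https://github.com/Azure/azure-workload-identity/tree/main/charts/workload-identity-webhook)`, reusing the chart directory already linked on the `targetRevision` comment. The group header's `# # @default -- -` has a doubled `#`, which helm-docs will likely not recognise as an annotation, and `name:` is the only key in the block without a `# --` description. Since the example file added in this commit sets `azureTenantID` under `values`, it would also help readers to say in the `values` comment that the tenant id is expected there if the upstream chart requires it — I cannot confirm that requirement from this diff.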
