From 03fdf65067f646d7c96efc148513703c412042c7 Mon Sep 17 00:00:00 2001
From: Lucas
Date: Fri, 1 Dec 2023 15:02:26 +0100
Subject: [PATCH] feat(azure-apps): introduce azure-workload-identity-webhook deployment
---
 charts/azure-apps/Chart.yaml | 30 ++++-------------
 charts/azure-apps/README.md | 9 ++++-
 charts/azure-apps/ci/default-values.yaml | 3 ++
 .../azure-workload-identity-webhook.yaml | 5 +++
 .../azure-workload-identity-webhook.yaml | 33 +++++++++++++++++++
 charts/azure-apps/values.yaml | 20 +++++++++++
 6 files changed, 76 insertions(+), 24 deletions(-)
 create mode 100644 charts/azure-apps/examples/azure-workload-identity-webhook.yaml
 create mode 100644 charts/azure-apps/templates/azure-workload-identity-webhook.yaml
diff --git a/charts/azure-apps/Chart.yaml b/charts/azure-apps/Chart.yaml
index 14127665f..a55ef3b83 100644
--- a/charts/azure-apps/Chart.yaml
+++ b/charts/azure-apps/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: azure-apps
 description: Argo CD app-of-apps config for Azure applications
 type: application
-version: 0.12.0
+version: 0.13.0
 home: https://github.com/adfinis/helm-charts/tree/main/charts/azure-apps
 sources:
 - https://github.com/adfinis/helm-charts
@@ -16,26 +16,10 @@ dependencies:
 repository: https://charts.adfinis.com
 annotations:
 artifacthub.io/changes: |
- - kind: changed
- description: "azureKvCsiProvider: bump azureKvCsiProvider from v1.3 to v1.4.1"
+ - kind: added
+ description: "feat: add azure-workload-identity-webhook"
 links:
- - name: Fixes CVE-2022-41717
- url: https://github.com/Azure/secrets-store-csi-driver-provider-azure/pull/1039
- - name: Fixes CVE-2022-32149
- url: https://github.com/Azure/secrets-store-csi-driver-provider-azure/pull/999
- - name: Fixes CVE-2022-27664
- url: https://github.com/Azure/secrets-store-csi-driver-provider-azure/pull/976
- - name: Fixes CVE-2022-1996
- url: https://github.com/Azure/secrets-store-csi-driver-provider-azure/pull/957
- - name: fix/updates template condition for Arc
- url: https://github.com/Azure/secrets-store-csi-driver-provider-azure/pull/973
- - name: fix/increase fluentd resource limits for arc
- url: https://github.com/Azure/secrets-store-csi-driver-provider-azure/pull/946
- - name: fix/bug 948 arc missing system identity
- url: https://github.com/Azure/secrets-store-csi-driver-provider-azure/pull/949
- - name: fix/runs msi-adapter as privileged on openshift
- url: https://github.com/Azure/secrets-store-csi-driver-provider-azure/pull/920
- - name: Update to v1.4.0
- url: https://github.com/Azure/secrets-store-csi-driver-provider-azure/releases/tag/v1.4.0
- - name: Update to v1.4.1
- url: https://github.com/Azure/secrets-store-csi-driver-provider-azure/releases/tag/v1.4.1
+ - name: Microsoft Entra Workload ID
+ url: https://learn.microsoft.com/en-us/entra/workload-id/workload-identities-overview
+ - name: Azure Workload Identity System
+ url: https://azure.github.io/azure-workload-identity
diff --git a/charts/azure-apps/README.md b/charts/azure-apps/README.md
index 823f32cc1..00e7f6a56 100644
--- a/charts/azure-apps/README.md
+++ b/charts/azure-apps/README.md
@@ -1,6 +1,6 @@ # azure-apps
-![Version: 0.12.0](https://img.shields.io/badge/Version-0.12.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.13.0](https://img.shields.io/badge/Version-0.13.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 Argo CD app-of-apps config for Azure applications
@@ -30,6 +30,13 @@ This chart is maintained by [Adfinis](https://adfinis.com/?pk_campaign=github&pk
 | azureKvCsiProvider.repoURL | string | [repo](https://azure.github.io/secrets-store-csi-driver-provider-azure/charts) | Repo URL |
 | azureKvCsiProvider.targetRevision | string | `"1.4.1"` | [csi-secrets-store-provider-azure Helm chart](https://github.com/Azure/secrets-store-csi-driver-provider-azure/tree/master/charts/csi-secrets-store-provider-azure) version |
 | azureKvCsiProvider.values | object | [upstream values](https://github.com/Azure/secrets-store-csi-driver-provider-azure/blob/master/charts/csi-secrets-store-provider-azure/values.yaml) | Helm values |
+| azureWorkloadIdentityWebhook | object | `{"chart":"azure-workload-identity-webhook","destination":{"namespace":"azure-workload-identity-system"},"enabled":false,"name":"azure-workload-identity-webhook","repoURL":"https://azure.github.io/azure-workload-identity/charts","targetRevision":"0.12.0","values":{}}` | [azure-workload-identity](https://azure.github.io/azure-workload-identity) ([example](./examples/azure-workload-identity-webhook.yaml)) # @default -- - |
+| azureWorkloadIdentityWebhook.chart | string | `"azure-workload-identity-webhook"` | Chart |
+| azureWorkloadIdentityWebhook.destination.namespace | string | `"azure-workload-identity-system"` | Namespace |
+| azureWorkloadIdentityWebhook.enabled | bool | `false` | Enable azure-workload-identity webhook |
+| azureWorkloadIdentityWebhook.repoURL | string | [repo](https://azure.github.io/azure-workload-identity/charts) | Repo URL |
+| azureWorkloadIdentityWebhook.targetRevision | string | `"0.12.0"` | [azure-workload-identity-webhook Helm chart](https://github.com/Azure/azure-workload-identity/tree/main/charts/workload-identity-webhook) version |
+| azureWorkloadIdentityWebhook.values | object | [upstream values](https://github.com/adfinis/helm-charts/blob/main/charts/azure-apps/values.yaml) | Helm values |
 | promitorResourceDiscovery | object | - | [promitor](https://promitor.io/) resource discovery ([example](./examples/promitor.yaml)) |
 | promitorResourceDiscovery.chart | string | `"promitor-agent-resource-discovery"` | Chart |
 | promitorResourceDiscovery.destination.namespace | string | `"infra-promitor"` | Namespace |
diff --git a/charts/azure-apps/ci/default-values.yaml b/charts/azure-apps/ci/default-values.yaml
index c91f1abe4..5c468261d 100644
--- a/charts/azure-apps/ci/default-values.yaml
+++ b/charts/azure-apps/ci/default-values.yaml
@@ -7,3 +7,6 @@ promitorScraper:
 promitorResourceDiscovery:
 enabled: true
 values: {}
+azureWorkloadIdentityWebhook:
+ enabled: true
+ values: {}
diff --git a/charts/azure-apps/examples/azure-workload-identity-webhook.yaml b/charts/azure-apps/examples/azure-workload-identity-webhook.yaml
new file mode 100644
index 000000000..a2bc9ff4b
--- /dev/null
+++ b/charts/azure-apps/examples/azure-workload-identity-webhook.yaml
@@ -0,0 +1,5 @@
+azureWorkloadIdentityWebhook:
+ enabled: true
+ project: azure-workload-identity-system
+ values:
+ azureTenantID:
diff --git a/charts/azure-apps/templates/azure-workload-identity-webhook.yaml b/charts/azure-apps/templates/azure-workload-identity-webhook.yaml
new file mode 100644
index 000000000..2102cfc4a
--- /dev/null
+++ b/charts/azure-apps/templates/azure-workload-identity-webhook.yaml
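Review bot: In the new example file, `azureTenantID:` has no value, so it parses as YAML null and anyone copying the example forwards `azureTenantID: null` through `toYaml` into the upstream webhook chart's values instead of a tenant ID; the upstream chart appears to treat this field as required, so the Application would be rendered with an unusable value rather than failing early. A visibly placeholder string makes the expected input obvious, e.g. `azureTenantID: "<your-azure-tenant-id>"  # constructed placeholder, replace with the Entra tenant GUID`. Keeping the value quoted also protects a real GUID from any implicit-typing surprise when the example is edited later.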
@@ -0,0 +1,33 @@
+{{ if .Values.azureWorkloadIdentityWebhook.enabled }}
+{{ template "argoconfig.application" (list . "azure-apps.azureWorkloadIdentityWebhook") }}
+{{ end }}
+
+{{- define "azure-apps.azureWorkloadIdentityWebhook" -}}{{- $app := unset .Values.azureWorkloadIdentityWebhook "enabled" -}}{{- $name := default $app.destination.namespace $app.name -}}
+metadata:
+ name: {{ template "common.fullname" . }}-{{ $name }}
+spec:
+ {{- if $app.project }}
+ project: {{ $app.project | quote }}
+ {{- end }}
+ source:
+ repoURL: {{ $app.repoURL | quote }}
+ chart: {{ $app.chart | quote }}
+ targetRevision: {{ $app.targetRevision | quote }}
+ helm:
+ releaseName: {{ $name | quote }}
+ values: |-
+ nameOverride: {{ $name | quote }}
+ {{- $app.values | toYaml | nindent 8 }}
+ {{- if $app.destination }}
+ destination:
+ {{ $app.destination | toYaml | nindent 4 }}
+ {{- end }}
+ {{- if $app.syncPolicy }}
+ syncPolicy:
+ {{ $app.syncPolicy | toYaml | nindent 4 }}
+ {{- end }}
+ {{- if $app.ignoreDifferences }}
+ ignoreDifferences:
+ {{ $app.ignoreDifferences | toYaml | nindent 4 }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/azure-apps/values.yaml b/charts/azure-apps/values.yaml
index 04e1cf020..8dd90bfe1 100644
--- a/charts/azure-apps/values.yaml
+++ b/charts/azure-apps/values.yaml
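Review bot: With the default `values: {}` that this commit sets in both `values.yaml` and `ci/default-values.yaml`, the line `{{- $app.values | toYaml | nindent 8 }}` renders `{}` on its own line directly under `nameOverride:` inside the `values: |-` block; if I read toYaml's empty-map output right, that is a flow mapping where the next mapping key is expected, so the values document Argo CD hands to Helm would not parse and an Application deployed with no user-supplied values would fail at render time. Guarding it with `{{- with $app.values }}{{ toYaml . | nindent 8 }}{{- end }}` emits nothing for an empty map and is otherwise equivalent. The sibling app templates in this chart are outside the commit, but the README shows the same `{}` default for promitorResourceDiscovery, so they are worth checking together. Two smaller points on the `define` line: Sprig's `unset` mutates `.Values.azureWorkloadIdentityWebhook` in place rather than copying it, which deserves a short comment such as `{{- /* unset mutates .Values: "enabled" is gone for anything rendered after this template */ -}}`, and `$name` dereferences `$app.destination.namespace` unconditionally, so the later `{{- if $app.destination }}` guard can never be false without the template having already failed.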
@@ -57,3 +57,23 @@ promitorResourceDiscovery:
 # -- Helm values
 # @default -- [upstream values](https://github.com/promitor/charts/blob/main/promitor-agent-resource-discovery/values.yaml)
 values: {}
+
+# -- [azure-workload-identity](https://azure.github.io/azure-workload-identity) ([example](./examples/azure-workload-identity-webhook.yaml))
+# # @default -- -
+azureWorkloadIdentityWebhook:
+ # -- Enable azure-workload-identity webhook
+ enabled: false
+ name: azure-workload-identity-webhook
+ destination:
+ # -- Namespace
+ namespace: "azure-workload-identity-system"
+ # -- Repo URL
+ # @default -- [repo](https://azure.github.io/azure-workload-identity/charts)
+ repoURL: "https://azure.github.io/azure-workload-identity/charts"
+ # -- Chart
+ chart: "azure-workload-identity-webhook"
+ # -- [azure-workload-identity-webhook Helm chart](https://github.com/Azure/azure-workload-identity/tree/main/charts/workload-identity-webhook) version
+ targetRevision: "0.12.0"
+ # -- Helm values
+ # @default -- [upstream values](https://github.com/adfinis/helm-charts/blob/main/charts/azure-apps/values.yaml)
+ values: {}
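Review bot: `# # @default -- -` carries a doubled hash, so helm-docs does not recognise the annotation: the README row generated in this same commit dumps the whole default object as JSON and appends the literal text `# @default -- -` to the description column, whereas the promitorResourceDiscovery row right below it shows the intended `-` default. The line should read `# @default -- -`. The `values` annotation at the end of the block also links this chart's own values.yaml as the "upstream values", while the promitor section above links the upstream chart's values file; following the repository path this commit already uses for `targetRevision`, it should be `# @default -- [upstream values](https://github.com/Azure/azure-workload-identity/blob/main/charts/workload-identity-webhook/values.yaml)`. `name:` is the only key in the block without a `# --` line; a one-liner such as `# -- Application name (defaults to destination.namespace in the template)` keeps the generated table complete.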