update: add pod identity to workload identity (#203)

azure/scripts/bootstrap.sh

@@ -13,26 +13,66 @@ AKS_CLUSTER_NAME=${2:-cluster}
 AKS_MANAGED_IDENTITY=${3:-identity}
 # quourum
 AKS_NAMESPACE=${4:-quorum}
+SA_NAME=${5:-quorum}
 
 echo "az get-credentials ..."
 # if running this on a VM/Function/etc use a managed identity
 # az login --identity --debug
 # if running locally
 az login
 
-# The pod identity cant be done via an ARM template and can only be done via CLI, hence
-# https://docs.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity
-echo "Update the cluster to use pod identity ... "
-az aks update --name "$AKS_CLUSTER_NAME"  --resource-group "$AKS_RESOURCE_GROUP" --enable-pod-identity
+# https://learn.microsoft.com/en-us/azure/aks/use-oidc-issuer
+echo "Update the cluster to use oidc issuer and workload identity ... "
+az aks update -g myResourceGroup -n myAKSCluster --enable-oidc-issuer --enable-workload-identity
 
 echo "Provisioning AAD pod-identity... "
 AKS_MANAGED_IDENTITY_RESOURCE_ID=$(az identity show --name "$AKS_MANAGED_IDENTITY"  --resource-group "$AKS_RESOURCE_GROUP" | jq -r '.id')
-az aks pod-identity add \
-    --resource-group "$AKS_RESOURCE_GROUP" \
-    --cluster-name "$AKS_CLUSTER_NAME" \
-    --identity-resource-id "$AKS_MANAGED_IDENTITY_RESOURCE_ID" \
-    --namespace "$AKS_NAMESPACE" \
-    --name quorum-pod-identity >/dev/null
+AKS_OIDC_ISSUER=$(az aks show --name "$AKS_MANAGED_IDENTITY" --resource-group "$AKS_RESOURCE_GROUP"     --query "oidcIssuerProfile.issuerUrl" -otsv)
+
+# https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    azure.workload.identity/client-id: "${AKS_MANAGED_IDENTITY_RESOURCE_ID}"
+  name: "${SA_NAME}"
+  namespace: "${AKS_NAMESPACE}"
+EOF
+
+cat <<EOF | kubectl apply -f -
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: "${AKS_NAMESPACE}"
+  name: "${SA_NAME}"
+rules:
+- apiGroups: [""]
+  resources: ["secrets", "configmaps"]
+  verbs: ["create", "get", "list", "update", "delete", "patch"]
+- apiGroups: [""]
+  resources: ["services"]
+  verbs: ["get", "list"]
+EOF  
+
+cat <<EOF | kubectl apply -f -
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: "${SA_NAME}"
+  namespace: "${AKS_NAMESPACE}"
+subjects:
+- kind: ServiceAccount
+  name: "${SA_NAME}"
+  namespace: "${AKS_NAMESPACE}"
+roleRef:
+  kind: Role
+  name: "${SA_NAME}"
+  apiGroup: rbac.authorization.k8s.io
+EOF   
+
+az identity federated-credential create --name aks-federated-credential --identity-name "${AKS_MANAGED_IDENTITY}" --resource-group "${RESOURCE_GROUP}" --issuer "${AKS_OIDC_ISSUER}" --subject system:serviceaccount:"${AKS_NAMESPACE}":"${SA_NAME}" --audience api://AzureADTokenExchange
+
 
 
 echo "Provisioning CSI drivers... "

helm/charts/besu-genesis/templates/genesis-job-cleanup.yaml

@@ -5,7 +5,7 @@ metadata:
   name: {{ include "besu-genesis.name" . }}-cleanup
   labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-    aadpodidbinding: "{{ .Values.azure.identityName }}"
+    azure.workload.identity/use: "true"
 {{- end }}  
     app.kubernetes.io/name: besu-genesis-job-cleanup
     app.kubernetes.io/component: genesis-job-cleanup
@@ -24,7 +24,7 @@ spec:
     metadata:
       labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-        aadpodidbinding: "{{ .Values.azure.identityName }}"
+        azure.workload.identity/use: "true"
 {{- end}}         
         app.kubernetes.io/name: besu-genesis-job-cleanup
         app.kubernetes.io/component: genesis-job-cleanup
@@ -35,7 +35,7 @@ spec:
 {{- if and (eq .Values.cluster.provider "aws") (.Values.cluster.cloudNativeServices) }}
       serviceAccountName: {{ .Values.aws.serviceAccountName }}
 {{- else }}
-      serviceAccountName: {{ include "besu-genesis.name" . }}-sa
+      serviceAccountName: {{ .Values.azure.serviceAccountName}}
 {{- end }}        
       restartPolicy: "Never"
       containers:

helm/charts/besu-genesis/templates/genesis-job-init.yaml

@@ -5,7 +5,7 @@ metadata:
   name: {{ include "besu-genesis.name" . }}-init
   labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-    aadpodidbinding: "{{ .Values.azure.identityName }}"
+    azure.workload.identity/use: "true"
 {{- end }}
     app.kubernetes.io/name: besu-genesis-job
     app.kubernetes.io/component: genesis-job
@@ -23,7 +23,7 @@ spec:
     metadata:
       labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-        aadpodidbinding: "{{ .Values.azure.identityName }}"
+        azure.workload.identity/use: "true"
 {{- end }}
         app.kubernetes.io/name: besu-genesis-job
         app.kubernetes.io/component: genesis-job
@@ -34,7 +34,7 @@ spec:
 {{- if and (eq .Values.cluster.provider "aws") (.Values.cluster.cloudNativeServices) }}
       serviceAccountName: {{ .Values.aws.serviceAccountName }}
 {{- else }}
-      serviceAccountName: {{ include "besu-genesis.name" . }}-sa
+      serviceAccountName: {{ .Values.azure.serviceAccountName}}
 {{- end }}
       restartPolicy: "Never"
       containers:

helm/charts/besu-genesis/values.yaml

@@ -14,8 +14,7 @@ aws:
   region: ap-southeast-2
 
 azure:
-  # the script/bootstrap.sh uses the name 'quorum-pod-identity' so only change this if you altered the name
-  identityName: quorum-pod-identity
+  serviceAccountName: quorum
   # the clientId of the user assigned managed identity created in the template
   identityClientId: azure-clientId
   keyvaultName: azure-keyvault

helm/charts/besu-node/templates/azure-secret-provider-class.yaml

@@ -8,9 +8,8 @@ metadata:
 spec:
   provider: azure
   parameters:
-    usePodIdentity: "true"
+    usePodIdentity: "false"
     useVMManagedIdentity: "false"
-    userAssignedIdentityID: "{{ .Values.azure.identityClientId }}"
     keyvaultName: "{{ .Values.azure.keyvaultName }}"
     tenantId: "{{ .Values.azure.tenantId }}"
     cloudName: "AzurePublicCloud"

helm/charts/besu-node/templates/node-hooks-pre-delete.yaml

@@ -10,7 +10,7 @@ metadata:
     helm.sh/hook-delete-policy: "hook-succeeded"
   labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-    aadpodidbinding: "{{ .Values.azure.identityName }}"
+    azure.workload.identity/use: "true"
 {{- end }}
     app.kubernetes.io/name: pre-delete-hook
     app.kubernetes.io/component: job
@@ -25,15 +25,15 @@ spec:
     metadata:
       labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-        aadpodidbinding: "{{ .Values.azure.identityName }}"
+        azure.workload.identity/use: "true"
 {{- end}}      
         app.kubernetes.io/name: pre-delete-hook
         app.kubernetes.io/instance: {{ .Release.Name }} 
     spec:
 {{- if and (eq .Values.cluster.provider "aws") (.Values.cluster.cloudNativeServices) }}
       serviceAccountName: {{ .Values.aws.serviceAccountName }}
 {{- else }}
-      serviceAccountName: {{ include "besu-node.fullname" . }}-hooks-sa
+      serviceAccountName: {{ .Values.azure.serviceAccountName}}
 {{- end }}    
       restartPolicy: "OnFailure"
       containers:

helm/charts/besu-node/templates/node-hooks-pre-install.yaml

@@ -10,7 +10,7 @@ metadata:
     "helm.sh/hook-delete-policy": "hook-succeeded"
   labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-    aadpodidbinding: "{{ .Values.azure.identityName }}"
+    azure.workload.identity/use: "true"
 {{- end }}
     app.kubernetes.io/name: pre-install-hook
     app.kubernetes.io/component: job
@@ -25,15 +25,15 @@ spec:
     metadata:
       labels:  
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-        aadpodidbinding: "{{ .Values.azure.identityName }}"
+        azure.workload.identity/use: "true"
 {{- end }}
         app.kubernetes.io/name: pre-install-hook
         app.kubernetes.io/instance: {{ .Release.Name }} 
     spec:
 {{- if and (eq .Values.cluster.provider "aws") (.Values.cluster.cloudNativeServices) }}
       serviceAccountName: {{ .Values.aws.serviceAccountName }}
 {{- else }}
-      serviceAccountName: {{ include "besu-node.fullname" . }}-hooks-sa
+      serviceAccountName: {{ .Values.azure.serviceAccountName}}
 {{- end }}
       restartPolicy: "OnFailure"
       containers:

helm/charts/besu-node/templates/node-statefulset.yaml

@@ -5,7 +5,7 @@ metadata:
   name: {{ template "besu-node.fullname" . }}
   labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-    aadpodidbinding: "{{ .Values.azure.identityName }}"
+    azure.workload.identity/use: "true"
 {{- end }}
     app.kubernetes.io/name: besu-statefulset
     app.kubernetes.io/component: besu
@@ -44,7 +44,7 @@ spec:
     metadata:
       labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}        
-        aadpodidbinding: "{{ .Values.azure.identityName }}"
+        azure.workload.identity/use: "true"
 {{- end }}
         app.kubernetes.io/name: besu-statefulset
         app.kubernetes.io/component: besu
@@ -60,7 +60,7 @@ spec:
 {{- if and (eq .Values.cluster.provider "aws") (.Values.cluster.cloudNativeServices) }}
       serviceAccountName: {{ .Values.aws.serviceAccountName }}
 {{- else }}
-      serviceAccountName: {{ include "besu-node.fullname" . }}-sa
+      serviceAccountName: {{ .Values.azure.serviceAccountName}}
 {{- end }}
       initContainers:
 

helm/charts/besu-node/values.yaml

@@ -19,8 +19,7 @@ aws:
   region: ap-southeast-2
 
 azure:
-  # the script/bootstrap.sh uses the name 'quorum-pod-identity' so only change this if you altered the name
-  identityName: quorum-pod-identity
+  serviceAccountName: quorum
   # the clientId of the user assigned managed identity created in the template
   identityClientId: azure-clientId
   keyvaultName: azure-keyvault