From b4336d2d8772f3cddf8afb07f9e7b8713dcb362f Mon Sep 17 00:00:00 2001
From: "Woojin Na(Eddie)" <cheapluv@gmail.com>
Date: Mon, 25 Sep 2023 19:23:18 +0900
Subject: [PATCH] update: add pod identity to workload identity (#203)

---
 azure/scripts/bootstrap.sh                    | 60 +++++++++++++++----
 .../templates/genesis-job-cleanup.yaml        |  6 +-
 .../templates/genesis-job-init.yaml           |  6 +-
 .../templates/genesis-service-account.yaml    | 40 -------------
 helm/charts/besu-genesis/values.yaml          |  3 +-
 .../azure-secret-provider-class.yaml          |  3 +-
 .../templates/node-hooks-pre-delete.yaml      |  6 +-
 .../templates/node-hooks-pre-install.yaml     |  6 +-
 .../templates/node-hooks-service-account.yaml | 50 ----------------
 .../templates/node-service-account.yaml       | 41 -------------
 .../besu-node/templates/node-statefulset.yaml |  6 +-
 helm/charts/besu-node/values.yaml             |  3 +-
 .../templates/genesis-job-cleanup.yaml        |  6 +-
 .../templates/genesis-job-init.yaml           |  6 +-
 .../templates/genesis-service-account.yaml    | 40 -------------
 .../azure-secret-provider-class.yaml          |  3 +-
 .../templates/node-hooks-pre-delete.yaml      |  6 +-
 .../templates/node-hooks-pre-install.yaml     |  6 +-
 .../templates/node-hooks-service-account.yaml | 48 ---------------
 .../templates/node-service-account.yaml       | 39 ------------
 .../templates/node-statefulset.yaml           |  6 +-
 helm/charts/goquorum-node/values.yaml         |  3 +-
 helm/values/bootnode.yml                      |  3 +-
 helm/values/genesis-besu.yml                  |  3 +-
 helm/values/genesis-goquorum.yml              |  3 +-
 helm/values/reader.yml                        |  3 +-
 helm/values/txnode.yml                        |  3 +-
 helm/values/validator.yml                     |  3 +-
 28 files changed, 91 insertions(+), 320 deletions(-)
 delete mode 100644 helm/charts/besu-genesis/templates/genesis-service-account.yaml
 delete mode 100644 helm/charts/besu-node/templates/node-hooks-service-account.yaml
 delete mode 100644 helm/charts/besu-node/templates/node-service-account.yaml
 delete mode 100644 helm/charts/goquorum-genesis/templates/genesis-service-account.yaml
 delete mode 100644 helm/charts/goquorum-node/templates/node-hooks-service-account.yaml
 delete mode 100644 helm/charts/goquorum-node/templates/node-service-account.yaml

diff --git a/azure/scripts/bootstrap.sh b/azure/scripts/bootstrap.sh
index 7ea91710..1660e7f7 100755
--- a/azure/scripts/bootstrap.sh
+++ b/azure/scripts/bootstrap.sh
@@ -13,6 +13,7 @@ AKS_CLUSTER_NAME=${2:-cluster}
 AKS_MANAGED_IDENTITY=${3:-identity}
 # quourum
 AKS_NAMESPACE=${4:-quorum}
+SA_NAME=${5:-quorum}
 
 echo "az get-credentials ..."
 # if running this on a VM/Function/etc use a managed identity
@@ -20,19 +21,58 @@ echo "az get-credentials ..."
 # if running locally
 az login
 
-# The pod identity cant be done via an ARM template and can only be done via CLI, hence
-# https://docs.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity
-echo "Update the cluster to use pod identity ... "
-az aks update --name "$AKS_CLUSTER_NAME"  --resource-group "$AKS_RESOURCE_GROUP" --enable-pod-identity
+# https://learn.microsoft.com/en-us/azure/aks/use-oidc-issuer
+echo "Update the cluster to use oidc issuer and workload identity ... "
+az aks update -g myResourceGroup -n myAKSCluster --enable-oidc-issuer --enable-workload-identity
 
 echo "Provisioning AAD pod-identity... "
 AKS_MANAGED_IDENTITY_RESOURCE_ID=$(az identity show --name "$AKS_MANAGED_IDENTITY"  --resource-group "$AKS_RESOURCE_GROUP" | jq -r '.id')
-az aks pod-identity add \
-    --resource-group "$AKS_RESOURCE_GROUP" \
-    --cluster-name "$AKS_CLUSTER_NAME" \
-    --identity-resource-id "$AKS_MANAGED_IDENTITY_RESOURCE_ID" \
-    --namespace "$AKS_NAMESPACE" \
-    --name quorum-pod-identity >/dev/null
+AKS_OIDC_ISSUER=$(az aks show --name "$AKS_MANAGED_IDENTITY" --resource-group "$AKS_RESOURCE_GROUP"     --query "oidcIssuerProfile.issuerUrl" -otsv)
+
+# https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    azure.workload.identity/client-id: "${AKS_MANAGED_IDENTITY_RESOURCE_ID}"
+  name: "${SA_NAME}"
+  namespace: "${AKS_NAMESPACE}"
+EOF
+
+cat <<EOF | kubectl apply -f -
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: "${AKS_NAMESPACE}"
+  name: "${SA_NAME}"
+rules:
+- apiGroups: [""]
+  resources: ["secrets", "configmaps"]
+  verbs: ["create", "get", "list", "update", "delete", "patch"]
+- apiGroups: [""]
+  resources: ["services"]
+  verbs: ["get", "list"]
+EOF  
+
+cat <<EOF | kubectl apply -f -
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: "${SA_NAME}"
+  namespace: "${AKS_NAMESPACE}"
+subjects:
+- kind: ServiceAccount
+  name: "${SA_NAME}"
+  namespace: "${AKS_NAMESPACE}"
+roleRef:
+  kind: Role
+  name: "${SA_NAME}"
+  apiGroup: rbac.authorization.k8s.io
+EOF   
+
+az identity federated-credential create --name aks-federated-credential --identity-name "${AKS_MANAGED_IDENTITY}" --resource-group "${RESOURCE_GROUP}" --issuer "${AKS_OIDC_ISSUER}" --subject system:serviceaccount:"${AKS_NAMESPACE}":"${SA_NAME}" --audience api://AzureADTokenExchange
+
 
 
 echo "Provisioning CSI drivers... "
diff --git a/helm/charts/besu-genesis/templates/genesis-job-cleanup.yaml b/helm/charts/besu-genesis/templates/genesis-job-cleanup.yaml
index fa01e977..4a827bdb 100644
--- a/helm/charts/besu-genesis/templates/genesis-job-cleanup.yaml
+++ b/helm/charts/besu-genesis/templates/genesis-job-cleanup.yaml
@@ -5,7 +5,7 @@ metadata:
   name: {{ include "besu-genesis.name" . }}-cleanup
   labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-    aadpodidbinding: "{{ .Values.azure.identityName }}"
+    azure.workload.identity/use: "true"
 {{- end }}  
     app.kubernetes.io/name: besu-genesis-job-cleanup
     app.kubernetes.io/component: genesis-job-cleanup
@@ -24,7 +24,7 @@ spec:
     metadata:
       labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-        aadpodidbinding: "{{ .Values.azure.identityName }}"
+        azure.workload.identity/use: "true"
 {{- end}}         
         app.kubernetes.io/name: besu-genesis-job-cleanup
         app.kubernetes.io/component: genesis-job-cleanup
@@ -35,7 +35,7 @@ spec:
 {{- if and (eq .Values.cluster.provider "aws") (.Values.cluster.cloudNativeServices) }}
       serviceAccountName: {{ .Values.aws.serviceAccountName }}
 {{- else }}
-      serviceAccountName: {{ include "besu-genesis.name" . }}-sa
+      serviceAccountName: {{ .Values.azure.serviceAccountName}}
 {{- end }}        
       restartPolicy: "Never"
       containers:
diff --git a/helm/charts/besu-genesis/templates/genesis-job-init.yaml b/helm/charts/besu-genesis/templates/genesis-job-init.yaml
index a9e1e9d6..85beedee 100644
--- a/helm/charts/besu-genesis/templates/genesis-job-init.yaml
+++ b/helm/charts/besu-genesis/templates/genesis-job-init.yaml
@@ -5,7 +5,7 @@ metadata:
   name: {{ include "besu-genesis.name" . }}-init
   labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-    aadpodidbinding: "{{ .Values.azure.identityName }}"
+    azure.workload.identity/use: "true"
 {{- end }}
     app.kubernetes.io/name: besu-genesis-job
     app.kubernetes.io/component: genesis-job
@@ -23,7 +23,7 @@ spec:
     metadata:
       labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-        aadpodidbinding: "{{ .Values.azure.identityName }}"
+        azure.workload.identity/use: "true"
 {{- end }}
         app.kubernetes.io/name: besu-genesis-job
         app.kubernetes.io/component: genesis-job
@@ -34,7 +34,7 @@ spec:
 {{- if and (eq .Values.cluster.provider "aws") (.Values.cluster.cloudNativeServices) }}
       serviceAccountName: {{ .Values.aws.serviceAccountName }}
 {{- else }}
-      serviceAccountName: {{ include "besu-genesis.name" . }}-sa
+      serviceAccountName: {{ .Values.azure.serviceAccountName}}
 {{- end }}
       restartPolicy: "Never"
       containers:
diff --git a/helm/charts/besu-genesis/templates/genesis-service-account.yaml b/helm/charts/besu-genesis/templates/genesis-service-account.yaml
deleted file mode 100644
index 271460b2..00000000
--- a/helm/charts/besu-genesis/templates/genesis-service-account.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "besu-genesis.name" . }}-sa
-  namespace: {{ .Release.Namespace }}
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ include "besu-genesis.name" . }}-role
-  namespace: {{ .Release.Namespace }}
-rules:
-  - apiGroups: [""]
-    resources: ["secrets", "configmaps"]
-    verbs: ["create", "get", "list", "update", "delete" ]
-  - apiGroups: [""]
-    resources: ["pods"]
-    verbs: ["get", "list", "watch" ]
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ include "besu-genesis.name" . }}-rb
-  namespace: {{ .Release.Namespace }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ include "besu-genesis.name" . }}-role
-subjects:
-  - kind: ServiceAccount
-    namespace: {{ .Release.Namespace }}
-{{- if and (eq .Values.cluster.provider "aws") (.Values.cluster.cloudNativeServices) }}
-    name: {{ .Values.aws.serviceAccountName }}
-{{- else }}
-    name: {{ include "besu-genesis.name" . }}-sa
-{{- end}}
diff --git a/helm/charts/besu-genesis/values.yaml b/helm/charts/besu-genesis/values.yaml
index 1f67979f..4b940032 100644
--- a/helm/charts/besu-genesis/values.yaml
+++ b/helm/charts/besu-genesis/values.yaml
@@ -14,8 +14,7 @@ aws:
   region: ap-southeast-2
 
 azure:
-  # the script/bootstrap.sh uses the name 'quorum-pod-identity' so only change this if you altered the name
-  identityName: quorum-pod-identity
+  serviceAccountName: quorum
   # the clientId of the user assigned managed identity created in the template
   identityClientId: azure-clientId
   keyvaultName: azure-keyvault
diff --git a/helm/charts/besu-node/templates/azure-secret-provider-class.yaml b/helm/charts/besu-node/templates/azure-secret-provider-class.yaml
index 5036e38d..706444ce 100644
--- a/helm/charts/besu-node/templates/azure-secret-provider-class.yaml
+++ b/helm/charts/besu-node/templates/azure-secret-provider-class.yaml
@@ -8,9 +8,8 @@ metadata:
 spec:
   provider: azure
   parameters:
-    usePodIdentity: "true"
+    usePodIdentity: "false"
     useVMManagedIdentity: "false"
-    userAssignedIdentityID: "{{ .Values.azure.identityClientId }}"
     keyvaultName: "{{ .Values.azure.keyvaultName }}"
     tenantId: "{{ .Values.azure.tenantId }}"
     cloudName: "AzurePublicCloud"
diff --git a/helm/charts/besu-node/templates/node-hooks-pre-delete.yaml b/helm/charts/besu-node/templates/node-hooks-pre-delete.yaml
index ee1df0f7..11b8f659 100644
--- a/helm/charts/besu-node/templates/node-hooks-pre-delete.yaml
+++ b/helm/charts/besu-node/templates/node-hooks-pre-delete.yaml
@@ -10,7 +10,7 @@ metadata:
     helm.sh/hook-delete-policy: "hook-succeeded"
   labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-    aadpodidbinding: "{{ .Values.azure.identityName }}"
+    azure.workload.identity/use: "true"
 {{- end }}
     app.kubernetes.io/name: pre-delete-hook
     app.kubernetes.io/component: job
@@ -25,7 +25,7 @@ spec:
     metadata:
       labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-        aadpodidbinding: "{{ .Values.azure.identityName }}"
+        azure.workload.identity/use: "true"
 {{- end}}      
         app.kubernetes.io/name: pre-delete-hook
         app.kubernetes.io/instance: {{ .Release.Name }} 
@@ -33,7 +33,7 @@ spec:
 {{- if and (eq .Values.cluster.provider "aws") (.Values.cluster.cloudNativeServices) }}
       serviceAccountName: {{ .Values.aws.serviceAccountName }}
 {{- else }}
-      serviceAccountName: {{ include "besu-node.fullname" . }}-hooks-sa
+      serviceAccountName: {{ .Values.azure.serviceAccountName}}
 {{- end }}    
       restartPolicy: "OnFailure"
       containers:
diff --git a/helm/charts/besu-node/templates/node-hooks-pre-install.yaml b/helm/charts/besu-node/templates/node-hooks-pre-install.yaml
index 0dbae85b..f9c8efa0 100644
--- a/helm/charts/besu-node/templates/node-hooks-pre-install.yaml
+++ b/helm/charts/besu-node/templates/node-hooks-pre-install.yaml
@@ -10,7 +10,7 @@ metadata:
     "helm.sh/hook-delete-policy": "hook-succeeded"
   labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-    aadpodidbinding: "{{ .Values.azure.identityName }}"
+    azure.workload.identity/use: "true"
 {{- end }}
     app.kubernetes.io/name: pre-install-hook
     app.kubernetes.io/component: job
@@ -25,7 +25,7 @@ spec:
     metadata:
       labels:  
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-        aadpodidbinding: "{{ .Values.azure.identityName }}"
+        azure.workload.identity/use: "true"
 {{- end }}
         app.kubernetes.io/name: pre-install-hook
         app.kubernetes.io/instance: {{ .Release.Name }} 
@@ -33,7 +33,7 @@ spec:
 {{- if and (eq .Values.cluster.provider "aws") (.Values.cluster.cloudNativeServices) }}
       serviceAccountName: {{ .Values.aws.serviceAccountName }}
 {{- else }}
-      serviceAccountName: {{ include "besu-node.fullname" . }}-hooks-sa
+      serviceAccountName: {{ .Values.azure.serviceAccountName}}
 {{- end }}
       restartPolicy: "OnFailure"
       containers:
diff --git a/helm/charts/besu-node/templates/node-hooks-service-account.yaml b/helm/charts/besu-node/templates/node-hooks-service-account.yaml
deleted file mode 100644
index ddb116bc..00000000
--- a/helm/charts/besu-node/templates/node-hooks-service-account.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "besu-node.fullname" . }}-hooks-sa
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    "helm.sh/hook-delete-policy": before-hook-creation
-    "helm.sh/hook": "pre-install,pre-delete,post-delete"  
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ include "besu-node.fullname" . }}-hooks-role
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    "helm.sh/hook-delete-policy": before-hook-creation
-    "helm.sh/hook": "pre-install,pre-delete,post-delete"    
-rules:
-  - apiGroups: [""]
-    resources: ["secrets", "configmaps"]
-    verbs: ["create", "get", "list", "update", "delete", "patch" ]
-  - apiGroups: [""]
-    resources: ["services"]
-    verbs: ["get", "list"]
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ include "besu-node.fullname" . }}-hooks-rb
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    "helm.sh/hook-delete-policy": before-hook-creation
-    "helm.sh/hook": "pre-install,pre-delete,post-delete"    
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ include "besu-node.fullname" . }}-hooks-role
-subjects:
-- kind: ServiceAccount
-  namespace:  {{ .Release.Namespace }}
-{{- if and (eq .Values.cluster.provider "aws") (.Values.cluster.cloudNativeServices) }}
-  name: {{ .Values.aws.serviceAccountName }}
-{{- else }}
-  name: {{ include "besu-node.fullname" . }}-hooks-sa
-{{- end}}
-
-
diff --git a/helm/charts/besu-node/templates/node-service-account.yaml b/helm/charts/besu-node/templates/node-service-account.yaml
deleted file mode 100644
index 31034df6..00000000
--- a/helm/charts/besu-node/templates/node-service-account.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "besu-node.fullname" . }}-sa
-  namespace: {{ .Release.Namespace }}
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ include "besu-node.fullname" . }}-role
-  namespace: {{ .Release.Namespace }}
-rules:
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get"]
-  - apiGroups: [""]
-    resources: ["services"]
-    verbs: ["get", "list"]
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ include "besu-node.fullname" . }}-rb
-  namespace: {{ .Release.Namespace }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ include "besu-node.fullname" . }}-role
-subjects:
-- kind: ServiceAccount
-  namespace: {{ .Release.Namespace }}
-{{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-  name: {{ include "besu-node.fullname" . }}-sa
-{{- else if and (eq .Values.cluster.provider "aws") (.Values.cluster.cloudNativeServices) }}
-  name: {{ .Values.aws.serviceAccountName }}
-{{- else }}
-  name: {{ include "besu-node.fullname" . }}-sa
-{{- end }}
\ No newline at end of file
diff --git a/helm/charts/besu-node/templates/node-statefulset.yaml b/helm/charts/besu-node/templates/node-statefulset.yaml
index 7594aae5..6a39439c 100644
--- a/helm/charts/besu-node/templates/node-statefulset.yaml
+++ b/helm/charts/besu-node/templates/node-statefulset.yaml
@@ -5,7 +5,7 @@ metadata:
   name: {{ template "besu-node.fullname" . }}
   labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-    aadpodidbinding: "{{ .Values.azure.identityName }}"
+    azure.workload.identity/use: "true"
 {{- end }}
     app.kubernetes.io/name: besu-statefulset
     app.kubernetes.io/component: besu
@@ -44,7 +44,7 @@ spec:
     metadata:
       labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}        
-        aadpodidbinding: "{{ .Values.azure.identityName }}"
+        azure.workload.identity/use: "true"
 {{- end }}
         app.kubernetes.io/name: besu-statefulset
         app.kubernetes.io/component: besu
@@ -60,7 +60,7 @@ spec:
 {{- if and (eq .Values.cluster.provider "aws") (.Values.cluster.cloudNativeServices) }}
       serviceAccountName: {{ .Values.aws.serviceAccountName }}
 {{- else }}
-      serviceAccountName: {{ include "besu-node.fullname" . }}-sa
+      serviceAccountName: {{ .Values.azure.serviceAccountName}}
 {{- end }}
       initContainers:
 
diff --git a/helm/charts/besu-node/values.yaml b/helm/charts/besu-node/values.yaml
index 997cdd41..c06b0871 100644
--- a/helm/charts/besu-node/values.yaml
+++ b/helm/charts/besu-node/values.yaml
@@ -19,8 +19,7 @@ aws:
   region: ap-southeast-2
 
 azure:
-  # the script/bootstrap.sh uses the name 'quorum-pod-identity' so only change this if you altered the name
-  identityName: quorum-pod-identity
+  serviceAccountName: quorum
   # the clientId of the user assigned managed identity created in the template
   identityClientId: azure-clientId
   keyvaultName: azure-keyvault
diff --git a/helm/charts/goquorum-genesis/templates/genesis-job-cleanup.yaml b/helm/charts/goquorum-genesis/templates/genesis-job-cleanup.yaml
index 871db589..68c61202 100644
--- a/helm/charts/goquorum-genesis/templates/genesis-job-cleanup.yaml
+++ b/helm/charts/goquorum-genesis/templates/genesis-job-cleanup.yaml
@@ -5,7 +5,7 @@ metadata:
   name: {{ include "goquorum-genesis.name" . }}-cleanup
   labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-    aadpodidbinding: "{{ .Values.azure.identityName }}"
+    azure.workload.identity/use: "true"
 {{- end }}  
     app.kubernetes.io/name: goquorum-genesis-job-cleanup
     app.kubernetes.io/component: genesis-job-cleanup
@@ -24,7 +24,7 @@ spec:
     metadata:
       labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-        aadpodidbinding: "{{ .Values.azure.identityName }}"
+        azure.workload.identity/use: "true"
 {{- end}}         
         app.kubernetes.io/name: goquorum-genesis-job-cleanup
         app.kubernetes.io/component: genesis-job-cleanup
@@ -35,7 +35,7 @@ spec:
 {{- if and (eq .Values.cluster.provider "aws") (.Values.cluster.cloudNativeServices) }}
       serviceAccountName: {{ .Values.aws.serviceAccountName }}
 {{- else }}
-      serviceAccountName: {{ include "goquorum-genesis.name" . }}-sa
+      serviceAccountName: {{ .Values.azure.serviceAccountName}}
 {{- end }}        
       restartPolicy: "Never"
       containers:
diff --git a/helm/charts/goquorum-genesis/templates/genesis-job-init.yaml b/helm/charts/goquorum-genesis/templates/genesis-job-init.yaml
index 879d98d7..0ed7eb0b 100644
--- a/helm/charts/goquorum-genesis/templates/genesis-job-init.yaml
+++ b/helm/charts/goquorum-genesis/templates/genesis-job-init.yaml
@@ -5,7 +5,7 @@ metadata:
   name: {{ include "goquorum-genesis.name" . }}-init
   labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-    aadpodidbinding: "{{ .Values.azure.identityName }}"
+    azure.workload.identity/use: "true"
 {{- end }}  
     app.kubernetes.io/name: goquorum-genesis-job
     app.kubernetes.io/component: genesis-job
@@ -22,7 +22,7 @@ spec:
     metadata:
       labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-        aadpodidbinding: "{{ .Values.azure.identityName }}"
+        azure.workload.identity/use: "true"
 {{- end}}      
         app.kubernetes.io/name: goquorum-genesis-job
         app.kubernetes.io/component: genesis-job
@@ -33,7 +33,7 @@ spec:
 {{- if and (eq .Values.cluster.provider "aws") (.Values.cluster.cloudNativeServices) }}
       serviceAccountName: {{ .Values.aws.serviceAccountName }}
 {{- else }}
-      serviceAccountName: {{ include "goquorum-genesis.name" . }}-sa
+      serviceAccountName: {{ .Values.azure.serviceAccountName}}
 {{- end }}    
       restartPolicy: "Never"
       containers:
diff --git a/helm/charts/goquorum-genesis/templates/genesis-service-account.yaml b/helm/charts/goquorum-genesis/templates/genesis-service-account.yaml
deleted file mode 100644
index 56b59016..00000000
--- a/helm/charts/goquorum-genesis/templates/genesis-service-account.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "goquorum-genesis.name" . }}-sa
-  namespace: {{ .Release.Namespace }}
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ include "goquorum-genesis.name" . }}-role
-  namespace: {{ .Release.Namespace }}
-rules:
-  - apiGroups: [""]
-    resources: ["secrets", "configmaps"]
-    verbs: ["create", "get", "list", "update", "delete", "patch" ]
-  - apiGroups: [""]
-    resources: ["pods"]
-    verbs: ["get", "list", "watch" ]
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ include "goquorum-genesis.name" . }}-rb
-  namespace: {{ .Release.Namespace }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ include "goquorum-genesis.name" . }}-role
-subjects:
-  - kind: ServiceAccount
-{{- if and (eq .Values.cluster.provider "aws") (.Values.cluster.cloudNativeServices) }}
-    name: {{ .Values.aws.serviceAccountName }}
-{{- else }}
-    name: {{ include "goquorum-genesis.name" . }}-sa
-{{- end }}
-    namespace: {{ .Release.Namespace }}
-
diff --git a/helm/charts/goquorum-node/templates/azure-secret-provider-class.yaml b/helm/charts/goquorum-node/templates/azure-secret-provider-class.yaml
index 40e1290b..cd127e17 100644
--- a/helm/charts/goquorum-node/templates/azure-secret-provider-class.yaml
+++ b/helm/charts/goquorum-node/templates/azure-secret-provider-class.yaml
@@ -9,9 +9,8 @@ metadata:
 spec:
   provider: azure
   parameters:
-    usePodIdentity: "true"           
+    usePodIdentity: "false"           
     useVMManagedIdentity: "false"    
-    userAssignedIdentityID: "{{ .Values.azure.identityClientId }}"
     keyvaultName: "{{ .Values.azure.keyvaultName }}"
     tenantId: "{{ .Values.azure.tenantId }}"                      
     cloudName: "AzurePublicCloud"
diff --git a/helm/charts/goquorum-node/templates/node-hooks-pre-delete.yaml b/helm/charts/goquorum-node/templates/node-hooks-pre-delete.yaml
index 64ca1edd..df95120f 100644
--- a/helm/charts/goquorum-node/templates/node-hooks-pre-delete.yaml
+++ b/helm/charts/goquorum-node/templates/node-hooks-pre-delete.yaml
@@ -11,7 +11,7 @@ metadata:
     helm.sh/hook-delete-policy: "hook-succeeded"
   labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-    aadpodidbinding: "{{ .Values.azure.identityName }}"
+    azure.workload.identity/use: "true"
 {{- end }}
     app.kubernetes.io/name: pre-delete-hook
     app.kubernetes.io/component: job
@@ -26,7 +26,7 @@ spec:
     metadata:
       labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-        aadpodidbinding: "{{ .Values.azure.identityName }}"
+        azure.workload.identity/use: "true"
 {{- end}}      
         app.kubernetes.io/name: pre-delete-hook
         app.kubernetes.io/release: {{ .Release.Name }}
@@ -34,7 +34,7 @@ spec:
 {{- if and (eq .Values.cluster.provider "aws") (.Values.cluster.cloudNativeServices) }}
       serviceAccountName: {{ .Values.aws.serviceAccountName }}
 {{- else }}
-      serviceAccountName: {{ include "goquorum-node.fullname" . }}-hooks-sa
+      serviceAccountName: {{ .Values.azure.serviceAccountName}}
 {{- end }}    
       restartPolicy: "OnFailure"
       containers:
diff --git a/helm/charts/goquorum-node/templates/node-hooks-pre-install.yaml b/helm/charts/goquorum-node/templates/node-hooks-pre-install.yaml
index 400f0c49..4747c152 100644
--- a/helm/charts/goquorum-node/templates/node-hooks-pre-install.yaml
+++ b/helm/charts/goquorum-node/templates/node-hooks-pre-install.yaml
@@ -11,7 +11,7 @@ metadata:
     "helm.sh/hook-delete-policy": "hook-succeeded"
   labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-    aadpodidbinding: "{{ .Values.azure.identityName }}"
+    azure.workload.identity/use: "true"
 {{- end }}
     app.kubernetes.io/name: pre-install-hook
     app.kubernetes.io/component: job
@@ -26,7 +26,7 @@ spec:
     metadata:
       labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-        aadpodidbinding: "{{ .Values.azure.identityName }}"
+        azure.workload.identity/use: "true"
 {{- end}}      
         app.kubernetes.io/name: pre-install-hook
         app.kubernetes.io/release: {{ .Release.Name }}
@@ -34,7 +34,7 @@ spec:
 {{- if and (eq .Values.cluster.provider "aws") (.Values.cluster.cloudNativeServices) }}
       serviceAccountName: {{ .Values.aws.serviceAccountName }}
 {{- else }}
-      serviceAccountName: {{ include "goquorum-node.fullname" . }}-hooks-sa
+      serviceAccountName: {{ .Values.azure.serviceAccountName}}
 {{- end }}       
       restartPolicy: "OnFailure"
       containers:
diff --git a/helm/charts/goquorum-node/templates/node-hooks-service-account.yaml b/helm/charts/goquorum-node/templates/node-hooks-service-account.yaml
deleted file mode 100644
index 960b5094..00000000
--- a/helm/charts/goquorum-node/templates/node-hooks-service-account.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "goquorum-node.fullname" . }}-hooks-sa
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    "helm.sh/hook-delete-policy": before-hook-creation
-    "helm.sh/hook": "pre-install,pre-delete,post-delete"  
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ include "goquorum-node.fullname" . }}-hooks-role
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    "helm.sh/hook-delete-policy": before-hook-creation
-    "helm.sh/hook": "pre-install,pre-delete,post-delete"
-rules:
-  - apiGroups: [""]
-    resources: ["secrets", "configmaps"]
-    verbs: ["create", "get", "list", "update", "delete", "patch"]
-  - apiGroups: [""]
-    resources: ["services"]
-    verbs: ["get", "list"]
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ include "goquorum-node.fullname" . }}-hooks-rb
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    "helm.sh/hook-delete-policy": before-hook-creation
-    "helm.sh/hook": "pre-install,pre-delete,post-delete"    
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ include "goquorum-node.fullname" . }}-hooks-role
-subjects:
-- kind: ServiceAccount
-  namespace:  {{ .Release.Namespace }}
-{{- if and (eq .Values.cluster.provider "aws") (.Values.cluster.cloudNativeServices) }}
-  name: {{ .Values.aws.serviceAccountName }}
-{{- else }}
-  name: {{ include "goquorum-node.fullname" . }}-hooks-sa
-{{- end}}
\ No newline at end of file
diff --git a/helm/charts/goquorum-node/templates/node-service-account.yaml b/helm/charts/goquorum-node/templates/node-service-account.yaml
deleted file mode 100644
index 2c9363cf..00000000
--- a/helm/charts/goquorum-node/templates/node-service-account.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "goquorum-node.fullname" . }}-sa
-  namespace: {{ .Release.Namespace }}
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ include "goquorum-node.fullname" . }}-role
-  namespace: {{ .Release.Namespace }}
-rules:
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get"]
-  - apiGroups: [""]
-    resources: ["services"]
-    verbs: ["get", "list"]
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ include "goquorum-node.fullname" . }}-rb
-  namespace: {{ .Release.Namespace }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ include "goquorum-node.fullname" . }}-role
-subjects:
-- kind: ServiceAccount
-  namespace:  {{ .Release.Namespace }}
-{{- if and (eq .Values.cluster.provider "aws") (.Values.cluster.cloudNativeServices) }}
-  name: {{ .Values.aws.serviceAccountName }}
-{{- else }}
-  name: {{ include "goquorum-node.fullname" . }}-sa
-{{- end}}
diff --git a/helm/charts/goquorum-node/templates/node-statefulset.yaml b/helm/charts/goquorum-node/templates/node-statefulset.yaml
index 74898e71..5fd0cb72 100644
--- a/helm/charts/goquorum-node/templates/node-statefulset.yaml
+++ b/helm/charts/goquorum-node/templates/node-statefulset.yaml
@@ -6,7 +6,7 @@ metadata:
   name: {{ template "goquorum-node.fullname" . }}
   labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-    aadpodidbinding: "{{ .Values.azure.identityName }}"
+    azure.workload.identity/use: "true"
 {{- end }}  
     app.kubernetes.io/name: goquorum-statefulset
     app.kubernetes.io/component: goquorum
@@ -45,7 +45,7 @@ spec:
     metadata:
       labels:
 {{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }}
-        aadpodidbinding: "{{ .Values.azure.identityName }}"
+        azure.workload.identity/use: "true"
 {{- end }}
         app.kubernetes.io/name: goquorum-statefulset
         app.kubernetes.io/component: goquorum
@@ -61,7 +61,7 @@ spec:
 {{- if and (eq .Values.cluster.provider "aws") (.Values.cluster.cloudNativeServices) }}
       serviceAccountName: {{ .Values.aws.serviceAccountName }}
 {{- else }}
-      serviceAccountName: {{ include "goquorum-node.fullname" . }}-sa
+      serviceAccountName: {{ .Values.azure.serviceAccountName}}
 {{- end}}    
       containers:
 
diff --git a/helm/charts/goquorum-node/values.yaml b/helm/charts/goquorum-node/values.yaml
index 211ac06a..54b5380f 100644
--- a/helm/charts/goquorum-node/values.yaml
+++ b/helm/charts/goquorum-node/values.yaml
@@ -16,8 +16,7 @@ aws:
   region: ap-southeast-2
 
 azure:
-  # the script/bootstrap.sh uses the name 'quorum-pod-identity' so only change this if you altered the name
-  identityName: quorum-pod-identity
+  serviceAccountName: quorum
   # the clientId of the user assigned managed identity created in the template
   identityClientId: azure-clientId
   keyvaultName: azure-keyvault
diff --git a/helm/values/bootnode.yml b/helm/values/bootnode.yml
index 7379fbd1..e4b69666 100644
--- a/helm/values/bootnode.yml
+++ b/helm/values/bootnode.yml
@@ -18,8 +18,7 @@ aws:
   region: ap-southeast-2
 
 azure:
-  # the script/bootstrap.sh uses the name 'quorum-pod-identity' so only change this if you altered the name
-  identityName: quorum-pod-identity
+  serviceAccountName: quorum
   # the clientId of the user assigned managed identity created in the template
   identityClientId: azure-clientId
   keyvaultName: azure-keyvault
diff --git a/helm/values/genesis-besu.yml b/helm/values/genesis-besu.yml
index bc6d0650..2b0ec593 100644
--- a/helm/values/genesis-besu.yml
+++ b/helm/values/genesis-besu.yml
@@ -13,8 +13,7 @@ aws:
   region: ap-southeast-2
 
 azure:
-  # the script/bootstrap.sh uses the name 'quorum-pod-identity' so only change this if you altered the name
-  identityName: quorum-pod-identity
+  serviceAccountName: quorum
   # the clientId of the user assigned managed identity created in the template
   identityClientId: azure-clientId
   keyvaultName: azure-keyvault
diff --git a/helm/values/genesis-goquorum.yml b/helm/values/genesis-goquorum.yml
index 3f2ab21d..343da7e3 100644
--- a/helm/values/genesis-goquorum.yml
+++ b/helm/values/genesis-goquorum.yml
@@ -13,8 +13,7 @@ aws:
   region: ap-southeast-2
 
 azure:
-  # the script/bootstrap.sh uses the name 'quorum-pod-identity' so only change this if you altered the name
-  identityName: quorum-pod-identity
+  serviceAccountName: quorum
   # the clientId of the user assigned managed identity created in the template
   identityClientId: azure-clientId
   keyvaultName: azure-keyvault
diff --git a/helm/values/reader.yml b/helm/values/reader.yml
index 3437edcf..83d8d2d4 100644
--- a/helm/values/reader.yml
+++ b/helm/values/reader.yml
@@ -18,8 +18,7 @@ aws:
   region: ap-southeast-2
 
 azure:
-  # the script/bootstrap.sh uses the name 'quorum-pod-identity' so only change this if you altered the name
-  identityName: quorum-pod-identity
+  serviceAccountName: quorum
   # the clientId of the user assigned managed identity created in the template
   identityClientId: azure-clientId
   keyvaultName: azure-keyvault
diff --git a/helm/values/txnode.yml b/helm/values/txnode.yml
index 278b038f..e0043cd9 100644
--- a/helm/values/txnode.yml
+++ b/helm/values/txnode.yml
@@ -18,8 +18,7 @@ aws:
   region: ap-southeast-2
 
 azure:
-  # the script/bootstrap.sh uses the name 'quorum-pod-identity' so only change this if you altered the name
-  identityName: quorum-pod-identity
+  serviceAccountName: quorum
   # the clientId of the user assigned managed identity created in the template
   identityClientId: azure-clientId
   keyvaultName: azure-keyvault
diff --git a/helm/values/validator.yml b/helm/values/validator.yml
index c12ab4e9..186c6ba3 100644
--- a/helm/values/validator.yml
+++ b/helm/values/validator.yml
@@ -18,8 +18,7 @@ aws:
   region: ap-southeast-2
 
 azure:
-  # the script/bootstrap.sh uses the name 'quorum-pod-identity' so only change this if you altered the name
-  identityName: quorum-pod-identity
+  serviceAccountName: quorum
   # the clientId of the user assigned managed identity created in the template
   identityClientId: azure-clientId
   keyvaultName: azure-keyvault