POC: Proposed solution for flexible azure auth #1206
Closed
davefellows
reviewed
Sep 17, 2020
@@ -211,3 +225,85 @@ func (r *AsyncReconciler) Reconcile(req ctrl.Request, obj runtime.Object) (resul | |||
|
|||
return result, err | |||
} | |||
|
|||
// AuthSourceMode determines the strategy used to soruce auth credentials when authenticating with Azure |
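Review bot: the doc comment on the new `AuthSourceMode` type misspells "source" as "soruce"; while fixing it, make the comment do the work a reader of a credential-selection type needs: enumerate the accepted values (fallback, namespace, admin-namespace and global, per the PR description), state that namespace and admin-namespace are strict and never fall through to the global credential, and say what the operator does when the variable is unset or holds an unrecognised value, since a silent fall-back to the global service principal in a multi-tenant cluster is the failure mode this type exists to prevent.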
Suggested change
// AuthSourceMode determines the strategy used to soruce auth credentials when authenticating with Azure | |
// AuthSourceMode determines the strategy used to source auth credentials when authenticating with Azure |
@babbageclunk I think as discussed we can close this PR based on the work you're doing? |
Allows flexible authentication options for the Resource Group and Azure SQL operators as a way of proving the concept.

This PR adds 2 environment variables:

- `AZURE_OPERATOR_AUTH_SOURCE_MODE` defaults to "fallback". Potential values:
  - `fallback`: Operator tries to find a service principal in the namespace where the resource request is created. If not found, the operator tries to find a credential in an admin namespace if `AZURE_OPERATOR_AUTH_SOURCE_NAMESPACE` is set. If those fail, the operator falls back to the current default of using a global credential.
  - `namespace`: Operator tries to find a credential named `aso-auth` in the same namespace as the request. This is a strict mode so no alternatives will be used.
  - `admin-namespace`: Operator tries to find a credential in the admin namespace designated by the env var mentioned above. The credential secret in that namespace would be named `aso-auth-{target_namespace}`. This allows admins to store secrets that grant permissions for deployment in other namespaces. This is also a strict mode.
  - `global`: Operator uses the current default, which is to use a global service principal.

The Async Controller would source the credential before calling `Ensure` or `Delete`.

relates to #1173
relates to #1188
What this PR does / why we need it:
proposes a solution for allowing multiple service principals and later managed identities to be used in multi-tenant clusters
Special notes for your reviewer:
Look at the implementation and submit your feedback. This is a POC.
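The lookup order the description gives for the four modes, written out as an added Go example. This is not code from the PR or from the operator; the type and constant names (`AuthSourceMode`, `ModeFallback` and friends), the `SecretStore` interface, the in-memory `MapStore`, and the global secret's namespace and name are all assumptions standing in for the real Kubernetes client and settings. What it shows beyond the prose is the point a reviewer would check: the two strict modes return an error instead of quietly falling through to the global service principal, and an unrecognised mode value is rejected rather than treated as fallback.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// AuthSourceMode names the credential-sourcing strategy. The four values come
// from the PR description; the Go type and constant names are assumptions.
type AuthSourceMode string

const (
	ModeFallback       AuthSourceMode = "fallback"
	ModeNamespace      AuthSourceMode = "namespace"
	ModeAdminNamespace AuthSourceMode = "admin-namespace"
	ModeGlobal         AuthSourceMode = "global"
)

// GlobalNamespace and GlobalSecretName stand in for wherever the operator keeps
// its current global service principal; both names are assumptions.
const (
	GlobalNamespace  = "azureoperator-system"
	GlobalSecretName = "azureoperatorsettings"
)

// ErrNoCredential is returned by the strict modes when their one permitted
// secret is absent; they never fall through to another source.
var ErrNoCredential = errors.New("credential not found in strict mode")

// Credential identifies the Secret the reconciler should read before Ensure/Delete.
type Credential struct {
	Namespace string
	Name      string
}

// SecretStore abstracts the cluster lookup. A real operator would back this
// with a client.Get on a v1.Secret; MapStore below is a constructed stand-in.
type SecretStore interface {
	Exists(namespace, name string) bool
}

// MapStore is a constructed in-memory store keyed "namespace/name".
type MapStore map[string]bool

func (m MapStore) Exists(namespace, name string) bool { return m[namespace+"/"+name] }

// ParseMode validates AZURE_OPERATOR_AUTH_SOURCE_MODE: an unset variable means
// fallback, and an unknown value is an error rather than a silent default.
func ParseMode(value string) (AuthSourceMode, error) {
	switch AuthSourceMode(value) {
	case "":
		return ModeFallback, nil
	case ModeFallback, ModeNamespace, ModeAdminNamespace, ModeGlobal:
		return AuthSourceMode(value), nil
	}
	return "", fmt.Errorf("unknown AZURE_OPERATOR_AUTH_SOURCE_MODE %q", value)
}

// ResolveCredential applies the lookup order from the PR description for a
// resource requested in targetNS. adminNS is AZURE_OPERATOR_AUTH_SOURCE_NAMESPACE
// and may be empty.
func ResolveCredential(store SecretStore, mode AuthSourceMode, targetNS, adminNS string) (Credential, error) {
	local := Credential{Namespace: targetNS, Name: "aso-auth"}
	admin := Credential{Namespace: adminNS, Name: "aso-auth-" + targetNS}
	global := Credential{Namespace: GlobalNamespace, Name: GlobalSecretName}

	switch mode {
	case ModeNamespace: // strict: only the request namespace is consulted
		if store.Exists(local.Namespace, local.Name) {
			return local, nil
		}
		return Credential{}, fmt.Errorf("%w: %s/%s", ErrNoCredential, local.Namespace, local.Name)
	case ModeAdminNamespace: // strict: only the admin namespace's per-target secret
		if adminNS == "" {
			return Credential{}, errors.New("admin-namespace mode requires AZURE_OPERATOR_AUTH_SOURCE_NAMESPACE")
		}
		if store.Exists(admin.Namespace, admin.Name) {
			return admin, nil
		}
		return Credential{}, fmt.Errorf("%w: %s/%s", ErrNoCredential, admin.Namespace, admin.Name)
	case ModeGlobal:
		return global, nil
	case ModeFallback: // request namespace, then admin namespace, then global
		if store.Exists(local.Namespace, local.Name) {
			return local, nil
		}
		if adminNS != "" && store.Exists(admin.Namespace, admin.Name) {
			return admin, nil
		}
		return global, nil // the pre-PR behaviour
	}
	return Credential{}, fmt.Errorf("unsupported auth source mode %q", mode)
}

func main() {
	// Constructed cluster state: team-a manages its own credential, team-b's is
	// held by an admin, team-c has none.
	store := MapStore{"team-a/aso-auth": true, "aso-admin/aso-auth-team-b": true}
	mode, err := ParseMode(os.Getenv("AZURE_OPERATOR_AUTH_SOURCE_MODE"))
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, ns := range []string{"team-a", "team-b", "team-c"} {
		cred, err := ResolveCredential(store, mode, ns, "aso-admin")
		fmt.Printf("%s: %+v %v\n", ns, cred, err)
	}
}
```

Running it with the variable unset exercises fallback mode: team-a resolves to its own `aso-auth`, team-b to the admin-held `aso-auth-team-b`, and team-c to the global secret. Setting `AZURE_OPERATOR_AUTH_SOURCE_MODE=namespace` makes team-b and team-c fail with `ErrNoCredential` instead, which is the behaviour that keeps one tenant's resources from ever being reconciled under another's or the cluster-wide identity.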