various fixes and updates

- updated msi pull controller to 0.1.7
- updated pull binding CRD for the additional workload identity fields
- updated podmonitor to use the az apigroup (we don't have core prometheus CRDs installed)
- updated VAP parameterNotFoundAction to `Allow` to mitigate a potential bug
- updated servicegroup name in pipeline.yaml for acrpull
- serialize image-puller MI federation setup (only one update at a time is supported)

Signed-off-by: Gerd Oberlechner <[email protected]>
Signed-off-by: Steve Kuznetsov <[email protected]>

acrpull/Makefile

@@ -1,8 +1,10 @@
 -include ../setup-env.mk
+-include ../helm-cmd.mk
+HELM_CMD ?= helm upgrade --install
 
 deploy:
 	kubectl create namespace acrpull --dry-run=client -o json | kubectl apply -f - && \
-	helm upgrade --install ${HELM_DRY_RUN} acrpull \
+	${HELM_CMD} acrpull \
 		deploy/helm/acrpull/ \
 		--set image=mcr.microsoft.com/aks/msi-acrpull@${ACRPULL_DIGEST} \
 		--namespace acrpull

acrpull/deploy/helm/acrpull/templates/acrpull.microsoft.com_acrpullbindings.yaml

@@ -17,7 +17,34 @@ spec:
     singular: acrpullbinding
   scope: Namespaced
   versions:
-  - name: v1beta2
+  - additionalPrinterColumns:
+    - description: FQDN for the ACR.
+      jsonPath: .spec.acr.server
+      name: Server
+      type: string
+    - description: Scope for the ACR token.
+      jsonPath: .spec.acr.scope
+      name: Scope
+      priority: 1
+      type: string
+    - description: ServiceAccount to which the pull credentials are attached.
+      jsonPath: .spec.serviceAccountName
+      name: Target
+      type: string
+    - description: Time the token was last refreshed.
+      jsonPath: .status.lastTokenRefreshTime
+      name: Last Refresh
+      priority: 1
+      type: date
+    - description: Time the current token expires.
+      jsonPath: .status.tokenExpirationTime
+      name: Expiration
+      type: date
+    - description: Errors encountered during token generation, if any.
+      jsonPath: .status.error
+      name: Error
+      type: string
+    name: v1beta2
     schema:
       openAPIV3Schema:
         description: AcrPullBinding is the Schema for the acrpullbindings API
@@ -136,12 +163,35 @@ spec:
                     description: WorkloadIdentity uses Azure Workload Identity to
                       authenticate with Azure.
                     properties:
+                      clientID:
+                        description: |-
+                          ClientID holds an optional client identifier of a federated identity.
+                          Specify this identifier if multiple identities are federated with the
+                          service account and the identity to use for image pulling is not the
+                          default identity stored in the service account's annotations. The
+                          client and tenant ID must be specified together.
+                        example: 1b461305-28be-5271-beda-bd9fd2e24251
+                        type: string
                       serviceAccountRef:
                         description: |-
                           ServiceAccountName specifies the name of the service account
                           that should be used when authenticating with WorkloadIdentity.
                         type: string
+                      tenantID:
+                        description: |-
+                          TenantID holds an optional tenant identifier of a federated identity.
+                          Specify this identifier if multiple identities are federated with the
+                          service account and the identity to use for image pulling is not the
+                          default identity stored in the service account's annotations. The
+                          client and tenant ID must be specified together.
+                        example: 72f988bf-86f1-41af-91ab-2d7cd011db47
+                        type: string
                     type: object
+                    x-kubernetes-validations:
+                    - message: custom client and tenant identifiers must be provided
+                        together, if at all
+                      rule: (has(self.clientID) && has(self.tenantID)) || (!has(self.clientID)
+                        && !has(self.tenantID))
                 type: object
                 x-kubernetes-validations:
                 - message: only one authentication type can be set

acrpull/deploy/helm/acrpull/templates/podmonitor.yaml

@@ -1,4 +1,4 @@
-apiVersion: monitoring.coreos.com/v1
+apiVersion: azmonitoring.coreos.com/v1
 kind: PodMonitor
 metadata:
   labels:

acrpull/deploy/helm/acrpull/templates/validatingadmissionpolicybindings.yaml

@@ -11,7 +11,7 @@ spec:
   paramRef:
     name: "admission-policies-controller-config"
     namespace: {{ .Values.namespace }}
-    parameterNotFoundAction: "Deny"
+    parameterNotFoundAction: "Allow"
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
@@ -26,7 +26,7 @@ spec:
   paramRef:
     name: "admission-policies-controller-config"
     namespace: {{ .Values.namespace }}
-    parameterNotFoundAction: "Deny"
+    parameterNotFoundAction: "Allow"
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
@@ -41,4 +41,4 @@ spec:
   paramRef:
     name: "admission-policies-controller-config"
     namespace: {{ .Values.namespace }}
-    parameterNotFoundAction: "Deny"
+    parameterNotFoundAction: "Allow"

acrpull/pipeline.yaml

@@ -1,5 +1,5 @@
 $schema: "pipeline.schema.v1"
-serviceGroup: Microsoft.Azure.ARO.HCP.RP.Frontend
+serviceGroup: Microsoft.Azure.ARO.HCP.ACRPull
 rolloutName: ACRPull Controller Rollout
 resourceGroups:
   - name: {{ .svc.rg }}
@@ -11,8 +11,8 @@ resourceGroups:
         command: make deploy
         dryRun:
           variables:
-            - name: HELM_DRY_RUN
-              value: "--dry-run=server --debug"
+            - name: DRY_RUN
+              value: "true"
         variables:
           - name: ACRPULL_DIGEST
             configRef: acrPullImageDigest

config/config.msft.yaml

@@ -18,6 +18,7 @@ defaults:
   subnetPrefix: "10.128.8.0/21"
   podSubnetPrefix: "10.128.64.0/18"
   aksName: aro-hcp-aks
+  acrPullImageDigest: sha256:1d18e828564dcd509a8551185808549bd8bfddec1fcc4a2783914dc2103bc2ca #v0.1.7
 
   # Hypershift
   hypershift:

config/config.yaml

@@ -16,7 +16,7 @@ defaults:
   subnetPrefix: "10.128.8.0/21"
   podSubnetPrefix: "10.128.64.0/18"
   aksName: aro-hcp-aks
-  acrPullImageDigest: sha256:9816561e7ee91a0814a482564d202288f2e5401ca2387a56641f144d04fa3535 #v0.1.5
+  acrPullImageDigest: sha256:1d18e828564dcd509a8551185808549bd8bfddec1fcc4a2783914dc2103bc2ca #v0.1.7
 
   # Hypershift
   hypershift:

config/public-cloud-cs-pr.json

@@ -1,4 +1,5 @@
 {
+  "acrPullImageDigest": "sha256:1d18e828564dcd509a8551185808549bd8bfddec1fcc4a2783914dc2103bc2ca",
   "aksName": "aro-hcp-aks",
   "armHelperClientId": "2c6ca254-36bd-43c8-a7a8-fe880bc2c489",
   "armHelperFPAPrincipalId": "bc17c825-6cf8-40d0-8bd6-5536a993115e",

config/public-cloud-dev.json

@@ -1,4 +1,5 @@
 {
+  "acrPullImageDigest": "sha256:1d18e828564dcd509a8551185808549bd8bfddec1fcc4a2783914dc2103bc2ca",
   "aksName": "aro-hcp-aks",
   "armHelperClientId": "2c6ca254-36bd-43c8-a7a8-fe880bc2c489",
   "armHelperFPAPrincipalId": "bc17c825-6cf8-40d0-8bd6-5536a993115e",

config/public-cloud-msft-int.json

@@ -1,4 +1,5 @@
 {
+  "acrPullImageDigest": "sha256:1d18e828564dcd509a8551185808549bd8bfddec1fcc4a2783914dc2103bc2ca",
   "aksName": "aro-hcp-aks",
   "armHelperClientId": "",
   "armHelperFPAPrincipalId": "",

config/public-cloud-personal-dev.json

@@ -1,4 +1,5 @@
 {
+  "acrPullImageDigest": "sha256:1d18e828564dcd509a8551185808549bd8bfddec1fcc4a2783914dc2103bc2ca",
   "aksName": "aro-hcp-aks",
   "armHelperClientId": "2c6ca254-36bd-43c8-a7a8-fe880bc2c489",
   "armHelperFPAPrincipalId": "bc17c825-6cf8-40d0-8bd6-5536a993115e",