Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ARO-9420: *: add acrpull controller, binding #1011

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

ARO-9420: *: add acrpull controller, binding #1011

wants to merge 2 commits into from
+882 −19

Conversation

stevekuznetsov
Copy link
Contributor

Supersedes #986

@stevekuznetsov
Copy link
Contributor Author 

Error: failed linting charts: failed processing charts
 ✖︎ frontend => (version: "0.1.0", path: "frontend/deploy/helm/frontend") > failed waiting for process: exit status 1

??

@stevekuznetsov stevekuznetsov force-pushed the skuznets/acrpull branch 2 times, most recently from 76b9942 to a234856 Compare December 19, 2024 21:00
geoberle
geoberle reviewed Dec 20, 2024
View reviewed changes
dev-infrastructure/modules/aks-cluster-base.bicep

module acrPullerRoles 'acr/acr-permissions.bicep' = [
for (_, i) in acrPullResourceGroups: {
name: guid(acrRg[i].id, aksCluster.id, acrPullRoleDefinitionId)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this name definition is identical with the one used in module acrPullRole - hence the error during the PR check what-if

Suggested change
name: guid(acrRg[i].id, aksCluster.id, acrPullRoleDefinitionId)
name: guid(acrRg[i].id, aksCluster.id, acrPullRoleDefinitionId, 'puller-identity')

dev-infrastructure/modules/aks-cluster-base.bicep
Comment on lines +493 to +497
audiences: [
'api://AzureCRTokenExchange'
]
issuer: aksCluster.properties.oidcIssuerProfile.issuerURL
subject: 'system:serviceaccount:${workloadIdentities[i].value.namespace}:${workloadIdentities[i].value.serviceAccountName}'
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

after running this template i get the error Issuer and subject combination already exists for this Managed Identity

so an MI can be federated only once with a certain SA on a cluster BUT the audience list can only hold one value.

https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation-considerations

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@geoberle geoberle geoberle left review comments

@bennerv bennerv Awaiting requested review from bennerv bennerv is a code owner

@janboll janboll Awaiting requested review from janboll janboll is a code owner

@weinong weinong Awaiting requested review from weinong weinong is a code owner

@whober0521 whober0521 Awaiting requested review from whober0521 whober0521 is a code owner

@tony-schndr tony-schndr Awaiting requested review from tony-schndr tony-schndr is a code owner

@mbarnes mbarnes Awaiting requested review from mbarnes mbarnes is a code owner

@SudoBrendan SudoBrendan Awaiting requested review from SudoBrendan SudoBrendan is a code owner

@jmelis jmelis Awaiting requested review from jmelis jmelis is a code owner

@jonathan34c jonathan34c Awaiting requested review from jonathan34c jonathan34c is a code owner

@UlrichSchlueter UlrichSchlueter Awaiting requested review from UlrichSchlueter UlrichSchlueter is a code owner

@jharrington22 jharrington22 Awaiting requested review from jharrington22 jharrington22 is a code owner

@zgalor zgalor Awaiting requested review from zgalor zgalor is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@stevekuznetsov @geoberle