docs: update labels and annotations requirement (#860)
Signed-off-by: Anish Ramasekar <[email protected]>
aramase committed Apr 20, 2023
1 parent 098e99c commit b09a9d3
Showing 2 changed files with 6 additions and 10 deletions.
2 changes: 0 additions & 2 deletions docs/book/src/quick-start.md
@@ -168,8 +168,6 @@ kind: ServiceAccount
metadata:
annotations:
azure.workload.identity/client-id: ${APPLICATION_CLIENT_ID:-$USER_ASSIGNED_IDENTITY_CLIENT_ID}
labels:
azure.workload.identity/use: "true" # if you're using azure-workload-identity v1.0.0+, this label is not required.
name: ${SERVICE_ACCOUNT_NAME}
namespace: ${SERVICE_ACCOUNT_NAMESPACE}
EOF
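Review bot: dropping the `azure.workload.identity/use` label together with its inline comment leaves the quick-start ServiceAccount with no hint that installations older than v1.0.0 still need it, while the Labels table in service-account-labels-and-annotations.md keeps the label as required for versions < v1.0.0. Consider stating the v1.0.0+ prerequisite at the top of the quick-start, or keeping a one-line comment such as `# add labels: azure.workload.identity/use: "true" only with azure-workload-identity < v1.0.0`, so readers on an older webhook know to add it back rather than discovering a silently un-mutated pod.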
14 changes: 6 additions & 8 deletions docs/book/src/topics/service-account-labels-and-annotations.md
Expand Up @@ -14,6 +14,8 @@ The following is a list of available labels and annotations that can be used to

### Annotations

All annotations are optional. If the annotation is not specified, the default value will be used.

| Annotation | Description | Default |
| ---------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- |
| `azure.workload.identity/service-account-token-expiration` | **(Takes precedence if the service account is also annotated)** Represents the `expirationSeconds` field for the projected service account token. It is an optional field that the user might want to configure this to prevent any downtime caused by errors during service account token refresh. Kubernetes service account token expiry will not be correlated with AAD tokens. AAD tokens will expire in 24 hours after they are issued. | `3600` (acceptable range: `3600 - 86400`) |
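Review bot: the added "All annotations are optional" sentence reads well here, but the `service-account-token-expiration` row it introduces still carries a grammar slip: "It is an optional field that the user might want to configure this to prevent any downtime" should lose the stray "this" ("that the user might want to configure to prevent ..."), and "It is an optional field" is now redundant with the new sentence above the table. The identical row text appears in the Service Account table further down, so both copies need the same fix.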
@@ -24,18 +26,14 @@ The following is a list of available labels and annotations that can be used to

## Service Account

### Labels

| Label | Description | Recommended value | Required? |
| ----------------------------- | ------------------------------------------------------------------- | ----------------- | --------------------------------------------------------------------------------- |
| `azure.workload.identity/use` | Represents the service account is to be used for workload identity. | `true` | **This label is only required if using azure-workload-identity version < v1.0.0** |

### Annotations

All annotations are optional. If the annotation is not specified, the default value will be used.

| Annotation | Description | Default |
| ---------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- |
| `azure.workload.identity/client-id` | Represents the AAD application client ID to be used with the pod. | |
| `azure.workload.identity/tenant-id` | Represents the Azure tenant ID where the AAD application is registered. | `AZURE_TENANT_ID` environment variable extracted from [`azure-wi-webhook-config`][1] ConfigMap |
| `azure.workload.identity/client-id` | Represents the AAD application or user-assigned managed identity client ID to be used with the pod. | |
| `azure.workload.identity/tenant-id` | Represents the Azure tenant ID where the AAD application or user-assigned managed identity is registered. | `AZURE_TENANT_ID` environment variable extracted from [`azure-wi-webhook-config`][1] ConfigMap |
| `azure.workload.identity/service-account-token-expiration` | Represents the `expirationSeconds` field for the projected service account token. It is an optional field that the user might want to configure this to prevent any downtime caused by errors during service account token refresh. Kubernetes service account token expiry will not be correlated with AAD tokens. AAD tokens will expire in 24 hours after they are issued. | `3600` (acceptable range: `3600 - 86400`) |

[1]: https://github.com/Azure/azure-workload-identity/blob/40b3842dc49784bb014ad5d8b02cf6c959244196/deploy/azure-wi-webhook.yaml#L101-L110
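Review bot: "If the annotation is not specified, the default value will be used." does not hold for `azure.workload.identity/client-id`, whose Default cell is empty; either say what the webhook does when the annotation is absent or qualify the sentence ("the default listed below, where one exists, will be used"). The `client-id` and `tenant-id` descriptions now cover user-assigned managed identities as well as AAD applications, which is good, but the Labels table above still only says when `azure.workload.identity/use` is not required ("version < v1.0.0"); a sentence telling v1.0.0+ readers what, if anything, they must set instead would keep this page consistent with the quick-start, which no longer carries the label at all.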
