docs: update labels and annotations requirement #860

Merged (1 commit), Apr 20, 2023
2 changes: 0 additions & 2 deletions docs/book/src/quick-start.md
Expand Up @@ -168,8 +168,6 @@ kind: ServiceAccount
metadata:
annotations:
azure.workload.identity/client-id: ${APPLICATION_CLIENT_ID:-$USER_ASSIGNED_IDENTITY_CLIENT_ID}
labels:
azure.workload.identity/use: "true" # if you're using azure-workload-identity v1.0.0+, this label is not required.
name: ${SERVICE_ACCOUNT_NAME}
namespace: ${SERVICE_ACCOUNT_NAMESPACE}
EOF
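Review bot: dropping the `labels:` block together with its inline comment removes the only hint in the quick-start that `azure.workload.identity/use: "true"` is still required on azure-workload-identity releases before v1.0.0; a reader following this manifest against an older webhook ends up with a service account that lacks the label that release requires, and nothing on the page tells them why. Suggest keeping a one-line note beside the manifest, e.g. `# azure-workload-identity < v1.0.0 still requires the label azure.workload.identity/use: "true" on the service account`, or stating the minimum version the quick-start now targets.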
14 changes: 6 additions & 8 deletions docs/book/src/topics/service-account-labels-and-annotations.md
Expand Up @@ -14,6 +14,8 @@ The following is a list of available labels and annotations that can be used to

### Annotations

All annotations are optional. If the annotation is not specified, the default value will be used.

| Annotation | Description | Default |
| ---------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- |
| `azure.workload.identity/service-account-token-expiration` | **(Takes precedence if the service account is also annotated)** Represents the `expirationSeconds` field for the projected service account token. It is an optional field that the user might want to configure this to prevent any downtime caused by errors during service account token refresh. Kubernetes service account token expiry will not be correlated with AAD tokens. AAD tokens will expire in 24 hours after they are issued. | `3600` (acceptable range: `3600 - 86400`) |
Expand All @@ -24,18 +26,14 @@ The following is a list of available labels and annotations that can be used to

## Service Account

### Labels

| Label | Description | Recommended value | Required? |
| ----------------------------- | ------------------------------------------------------------------- | ----------------- | --------------------------------------------------------------------------------- |
| `azure.workload.identity/use` | Represents the service account is to be used for workload identity. | `true` | **This label is only required if using azure-workload-identity version < v1.0.0** |

### Annotations

All annotations are optional. If the annotation is not specified, the default value will be used.

| Annotation | Description | Default |
| ---------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- |
| `azure.workload.identity/client-id` | Represents the AAD application client ID to be used with the pod. | |
| `azure.workload.identity/tenant-id` | Represents the Azure tenant ID where the AAD application is registered. | `AZURE_TENANT_ID` environment variable extracted from [`azure-wi-webhook-config`][1] ConfigMap |
| `azure.workload.identity/client-id` | Represents the AAD application or user-assigned managed identity client ID to be used with the pod. | |
| `azure.workload.identity/tenant-id` | Represents the Azure tenant ID where the AAD application or user-assigned managed identity is registered. | `AZURE_TENANT_ID` environment variable extracted from [`azure-wi-webhook-config`][1] ConfigMap |
| `azure.workload.identity/service-account-token-expiration` | Represents the `expirationSeconds` field for the projected service account token. It is an optional field that the user might want to configure this to prevent any downtime caused by errors during service account token refresh. Kubernetes service account token expiry will not be correlated with AAD tokens. AAD tokens will expire in 24 hours after they are issued. | `3600` (acceptable range: `3600 - 86400`) |

[1]: https://github.com/Azure/azure-workload-identity/blob/40b3842dc49784bb014ad5d8b02cf6c959244196/deploy/azure-wi-webhook.yaml#L101-L110
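Review bot: the added "All annotations are optional. If the annotation is not specified, the default value will be used." does not hold for `azure.workload.identity/client-id`, whose Default cell is empty; suggest either documenting what happens when that annotation is absent or softening the sentence to "Unless stated otherwise, the default value will be used". Removing the Labels table also takes the `azure.workload.identity/use` label, and its "required if using azure-workload-identity version < v1.0.0" condition, out of this page entirely; a short version note would keep that requirement findable for users on older releases.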