mspnp / aks-baseline

This is the Azure Kubernetes Service (AKS) Baseline Cluster reference implementation as produced by the Microsoft Azure Architecture Center.
https://aka.ms/architecture/aks-baseline
MIT License

Workload identity #369

Open joachimnielandt opened 1 year ago

joachimnielandt commented 1 year ago

Hello all,

I am using a modified version of this repository as the basis of my cluster. I noticed recent upgrades mention having to switch over from 'pod managed identity' to 'workload identity', which impacts, e.g., Traefik's aadpodidbinding. Are there plans to modify this repository to reflect this advised change, or can you advise on how to migrate correctly?

I understood that there are some required labels and annotations, but I also see mention of sidecars and migration paths to eliminate the 'pod managed identity' capability altogether, so I figured I'd better ask to have the full picture before doing anything untoward.

Best regards and thanks in advance

related docs:

ckittel commented 1 year ago

This repo is already using workload identity. There might be a lingering aadpodbinding annotation still in the manifest. If that's the case, let me know and we can remove that annotation/metadata that is no longer needed.

joachimnielandt commented 1 year ago

Good to hear; seeing that annotation and linking it to the notice confused me.

The annotations can be found here:

So, for my understanding: the notice mentions having to include azure.workload.identity/use on serviceaccounts and pods (as a temporary measure to switch from pod identity?). This would not be necessary as it's already set up properly to begin with?

ckittel commented 1 year ago

Don't need to add that additional annotation (azure.workload.identity/use) -- that's for code-level usage of workload identity. Traefik doesn't do that, it just uses pre-mounted secrets. The AKS Key Vault Provider is the one that is using workload identity for this. So it's already all set up to go.

Thanks. I'll leave this GitHub issue open as a signal to delete those two legacy pod identity annotations -- sorry for the confusion!
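As an added example that is not part of the thread or the aks-baseline repo: a small audit over rendered manifests that flags the two things discussed above, a lingering legacy `aadpodidbinding` label on a pod template, and a pod that opts into workload identity via the `azure.workload.identity/use` label while its ServiceAccount lacks the `azure.workload.identity/client-id` annotation. The manifests are constructed inline as plain dicts, and the resource names, namespace and client ID are hypothetical.

```python
# Labels/annotations used by AAD Pod Identity (legacy) and Azure Workload Identity.
LEGACY_LABEL = "aadpodidbinding"                          # legacy pod identity binding
WI_USE_LABEL = "azure.workload.identity/use"              # opt-in label on the pod
WI_CLIENT_ANNOTATION = "azure.workload.identity/client-id"  # on the ServiceAccount


def _pod_template(obj):
    """Pod template of a Deployment/DaemonSet/StatefulSet, or the Pod itself."""
    if obj.get("kind") == "Pod":
        return obj
    return obj.get("spec", {}).get("template")


def audit_identity(manifests):
    """Return findings: leftover legacy labels, and workload-identity pods whose
    ServiceAccount is not annotated with a client ID."""
    manifests = list(manifests)
    sas = {(m["metadata"].get("namespace", "default"), m["metadata"]["name"]): m
           for m in manifests if m.get("kind") == "ServiceAccount"}
    findings = []
    for m in manifests:
        tpl = _pod_template(m)
        if tpl is None:
            continue
        name = f'{m["kind"]}/{m["metadata"]["name"]}'
        ns = m["metadata"].get("namespace", "default")
        labels = tpl.get("metadata", {}).get("labels", {})
        if LEGACY_LABEL in labels:
            findings.append(f"{name}: legacy '{LEGACY_LABEL}' label still present")
        if labels.get(WI_USE_LABEL) == "true":
            sa_name = tpl.get("spec", {}).get("serviceAccountName", "default")
            sa = sas.get((ns, sa_name), {})
            if WI_CLIENT_ANNOTATION not in sa.get("metadata", {}).get("annotations", {}):
                findings.append(f"{name}: ServiceAccount '{sa_name}' lacks {WI_CLIENT_ANNOTATION}")
    return findings


# Constructed sample (hypothetical names): an ingress controller still carrying the
# legacy label, and a workload-identity pod whose ServiceAccount is annotated correctly.
SAMPLE = [
    {"kind": "ServiceAccount", "metadata": {"name": "ingress-sa", "namespace": "example-ns"}},
    {"kind": "Deployment", "metadata": {"name": "traefik", "namespace": "example-ns"},
     "spec": {"template": {"metadata": {"labels": {"app": "traefik", LEGACY_LABEL: "legacy-binding"}},
                           "spec": {"serviceAccountName": "ingress-sa"}}}},
    {"kind": "ServiceAccount", "metadata": {"name": "app-sa", "namespace": "example-ns",
     "annotations": {WI_CLIENT_ANNOTATION: "00000000-0000-0000-0000-000000000000"}}},
    {"kind": "Pod", "metadata": {"name": "app", "namespace": "example-ns", "labels": {WI_USE_LABEL: "true"}},
     "spec": {"serviceAccountName": "app-sa"}},
]

if __name__ == "__main__":
    for finding in audit_identity(SAMPLE):
        print(finding)
```

Run it against `kubectl get deploy,ds,sts,pod,sa -A -o json` output (the `items` list) to check a live cluster for the same two conditions.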

joachimnielandt commented 1 year ago

Great, once again thanks for the explanation!