Add support for MySQL AAD Users #1315
Conversation
matthchr
requested review from
babbageclunk,
davefellows,
frodopwns,
jananivMS,
Porges,
theunrepentantgeek and
WilliamMortlMicrosoft
as code owners
README.md
Outdated
| @@ -60,6 +60,7 @@ Ready to quickly deploy the latest version of Azure Service Operator on your Kub | |||
| helm repo add azureserviceoperator https://raw.githubusercontent.com/Azure/azure-service-operator/master/charts | |||
| ``` | |||
| 3. Create an Azure Service Principal. You'll need this to grant Azure Service Operator permissions to create resources in your subscription. | |||
| For more information about other forms of authentication supported by ASO, see [] | |||
| // +kubebuilder:rbac:groups=azure.microsoft.com,resources=AzureSQLUsers,verbs=get;list;watch;create;update;patch;delete | ||
| // +kubebuilder:rbac:groups=azure.microsoft.com,resources={AzureSQLUsers/status,AzureSQLUsers/finalizers},verbs=get;update;patch | ||
| // +kubebuilder:rbac:groups=azure.microsoft.com,resources=azuresqlusers,verbs=get;list;watch;create;update;patch;delete | ||
| // +kubebuilder:rbac:groups=azure.microsoft.com,resources={azuresqlusers/status,azuresqlusers/finalizers},verbs=get;update;patch |
There was a problem hiding this comment.
Is this casing change a breaking one?
There was a problem hiding this comment.
No. As I mentioned below to @babbageclunk, the issue is that these were duplicate entries and the ones in main.go were winning. The ones in main.go were lowercase so I just moved them here to match the pattern all of the other resources had with the RBAC permissions being on the _controller file.
I just went and manually confirmed as well that in master in the generated role.yaml file, the permissions for azuresqlusers are lowercase:
resources:
- azuresqlusers
docs/howto/deploy.md
Outdated
|
|
||
| 2. Apply the AzureIdentity and Binding manifests. This binds the identity to the Azure Service Operator. | ||
| Where a particular `resourceID` or `clientID` is referenced in the template below, ensure that you replace it with your Managed Identity `resourceID` and `clientID`. | ||
| If you used the script mentioned [here](managedidentity.md), this should be automatically done for you. |
There was a problem hiding this comment.
Should the bash shell stuff below have specific subscription and identities removed, to encourage people to fill out their own?
There was a problem hiding this comment.
I'm not really aware of a way to templatize this and still leave it "clean" -- but what I can do at least is change the subscription ID to all 0's.
There was a problem hiding this comment.
Actually... I can just do <your-x-here>, maybe that's cleaner? I'll do that.
| // TODO: looks like here? https://github.com/Azure-Samples/azure-sdk-for-go-samples/blob/master/internal/iam/authorizers.go | ||
|
|
||
| // TODO: No we need to actually delete this file and all of its usage I think... | ||
| // TODO: just use https://github.com/Azure/go-autorest/blob/master/autorest/azure/auth/auth.go NewAuthorizerFromEnvironment |
There was a problem hiding this comment.
Should these TODOs be addressed now?
There was a problem hiding this comment.
They are actually wrong, will fix and remove TODO as what remains is mostly "notes" rather than a TODO.
There was a problem hiding this comment.
This looks great - I don't fully understand the pod identity details. From the reading I did today it seems like the magic is in NMI rewriting the node's iptables so it can intercept MSI requests and add extra information about the identity on the way. Is that right?
| // Copyright (c) Microsoft Corporation. | ||
| // Licensed under the MIT License. | ||
|
|
||
| package cmd |
There was a problem hiding this comment.
Could you add something in the description explaining why this was deleted? I'm guessing because it's obsolete now? Although this change is specific to MySQL - is there any need for a more general facility as well?
There was a problem hiding this comment.
Added the following:
This also includes updates to the Managed Identity documentation to help improve clarity of the feature. As part of this I deleted the tool
createMi.goas all it really did was run 3 az cli commands to create a managed identity and assign it permissions. It made assumptions about what permissions you wanted the identity to have. Additionally it suggested to installaad-pod-identity, but this guidance is not appropriate for installations via Helm because Helm already installs that dependency as part of the chart. Rather than having a script try to be one-size fits all it makes more sense to give customers the instructions they need to create the managed identity and allow them to choose what permissions they want to give it.
| clientID: 5bb69783-06a1-4277-82b7-97820b357503 | ||
| --- | ||
| apiVersion: "aadpodidentity.k8s.io/v1" | ||
| kind: AzureIdentityBinding |
There was a problem hiding this comment.
Something I don't understand about aad-pod-identity from reading the docs is: why is the AzureIdentityBinding needed? The pods are annotated with a label matching the selector on the binding, but why wouldn't the label refer directly to the identity instead? I don't understand why there's an extra layer of indirection.
Hmm. I guess it would mean that you could switch the identity being used by the pods without having to update them all, you could just update the binding. So maybe that's it? It would be good if they could spell out the reasons in the docs though.
They also have an example of having more than one binding with selectors that match the label on a pod, so the identity used would be random? It seems very weird.
matthchr
force-pushed
the
feature/mysql-aad
branch
2 times, most recently
from
0558d1c to
62784ed
Compare
matthchr
force-pushed
the
feature/mysql-aad
branch
from
62784ed to
1272106
Compare
- This will allow us to differentiate between different
identities when we support multi-tenancy.
matthchr
force-pushed
the
feature/mysql-aad
branch
from
1272106 to
697ce67
Compare
Co-authored-by: Christian Muirhead <christian.muirhead@microsoft.com>
matthchr
force-pushed
the
feature/mysql-aad
branch
from
697ce67 to
ade5236
Compare
What this PR does / why we need it:
Adds support for AAD users in MySQL. These users can only be created or managed if the identity ASO is operating as is:
This also includes updates to the Managed Identity documentation to help improve clarity of the feature. As part of this I deleted the tool
createMi.goas all it really did was run 3 az cli commands to create a managed identity and assign it permissions. It made assumptions about what permissions you wanted the identity to have. Additionally it suggested to installaad-pod-identity, but this guidance is not appropriate for installations via Helm because Helm already installs that dependency as part of the chart. Rather than having a script try to be one-size fits all it makes more sense to give customers the instructions they need to create the managed identity and allow them to choose what permissions they want to give it.Special notes for your reviewer:
I may need to update this resource to also work with non-managed identities, as we have customers asking for that use case as well... so there may be some updates to the PR.
Testing this in our existing test infrastructure is basically not doable, as you need to be deployed to a VM in Azure and have a pod running with an MSI assigned. Going forward we will want to fix that, but for now I tested this manually to unblock us.
How does this PR make you feel:
If applicable: