Require to opt-in for the global service account (#60)

* Require to opt in the global service account * Rename
Azure · Jul 29, 2024 · 9049e02 · 9049e02
1 parent 257ccae
commit 9049e02
Show file tree

Hide file tree

Showing 6 changed files with 11 additions and 11 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/oss/go/microsoft/golang:1.22-cbl-mariner2.0 as builder
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/oss/go/microsoft/golang:1.22-cbl-mariner2.0 AS builder
 
 ARG MODULE_VERSION
 WORKDIR /workspace

diff --git a/deploy/parameter/helm-values.yaml b/deploy/parameter/helm-values.yaml
@@ -20,7 +20,7 @@ requestTracing:
 
 workloadIdentity:
   enabled: true
-  disableGlobalServiceAccount: false
+  globalServiceAccountEnabled: false
 
 serviceAccount:
   # Specifies whether a service account should be created

diff --git a/deploy/templates/_helpers.tpl b/deploy/templates/_helpers.tpl
@@ -49,7 +49,7 @@ Selector labels
 app.kubernetes.io/name: {{ include "az-appconfig-k8s-provider.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 control-plane: controller-manager
-{{- if and (.Values.workloadIdentity.enabled) (not .Values.workloadIdentity.disableGlobalServiceAccount) }}
+{{- if and (.Values.workloadIdentity.enabled) }}
 azure.workload.identity/use: "true"
 {{- end }}
 {{- end }}

diff --git a/deploy/templates/deployment.yaml b/deploy/templates/deployment.yaml
@@ -77,8 +77,8 @@ spec:
         {{- end }}
         - name: WORKLOAD_IDENTITY_ENABLED
           value: "{{ .Values.workloadIdentity.enabled }}"
-        - name: WORKLOAD_IDENTITY_DISABLE_GLOBAL_SERVICE_ACCOUNT
-          value: "{{ .Values.workloadIdentity.disableGlobalServiceAccount }}"
+        - name: WORKLOAD_IDENTITY_GLOBAL_SERVICE_ACCOUNT_ENABLED
+          value: "{{ .Values.workloadIdentity.globalServiceAccountEnabled }}"
         {{- if and (hasKey .Values "global") 
             (hasKey .Values.global "azure")
             (hasKey .Values.global.azure "extension")

diff --git a/deploy/templates/serviceaccount.yaml b/deploy/templates/serviceaccount.yaml
@@ -9,7 +9,7 @@ metadata:
     {{- if .Values.serviceAccount.annotations }}
     {{ toYaml .Values.serviceAccount.annotations . | nindent 4 }}
     {{- end }}
-    {{- if and (.Values.workloadIdentity.enabled) (not .Values.workloadIdentity.disableGlobalServiceAccount) }}
+    {{- if and (.Values.workloadIdentity.enabled) (.Values.workloadIdentity.globalServiceAccountEnabled) }}
     azure.workload.identity/client-id: ""
     {{- end }}
 {{- end }}
diff --git a/internal/controller/utils.go b/internal/controller/utils.go
@@ -21,7 +21,7 @@ const (
 	MinimalSecretRefreshInterval                time.Duration = time.Minute
 	MinimalFeatureFlagRefreshInterval           time.Duration = time.Second
 	WorkloadIdentityEnabled                     string        = "WORKLOAD_IDENTITY_ENABLED"
-	WorkloadIdentityDisableGlobalServiceAccount string        = "WORKLOAD_IDENTITY_DISABLE_GLOBAL_SERVICE_ACCOUNT"
+	WorkloadIdentityGlobalServiceAccountEnabled string        = "WORKLOAD_IDENTITY_GLOBAL_SERVICE_ACCOUNT_ENABLED"
 )
 
 func verifyObject(spec acpv1.AzureAppConfigurationProviderSpec) error {
@@ -247,15 +247,15 @@ func verifyWorkloadIdentityParameters(workloadIdentity *acpv1.WorkloadIdentityPa
 	var authCount int = 0
 
 	if workloadIdentity.ManagedIdentityClientId != nil {
-		if strings.EqualFold(os.Getenv(WorkloadIdentityDisableGlobalServiceAccount), "true") {
-			return loader.NewArgumentError("auth.workloadIdentity.managedIdentityClientId", fmt.Errorf("'managedIdentityClientId' is not allowed since global service account is disabled"))
+		if strings.EqualFold(os.Getenv(WorkloadIdentityGlobalServiceAccountEnabled), "false") {
+			return loader.NewArgumentError("auth.workloadIdentity.managedIdentityClientId", fmt.Errorf("using a global service account is no longer permitted with workload identity. See https://aka.ms/appconfig/k8sglobalserviceaccount for more information"))
 		}
 		authCount++
 	}
 
 	if workloadIdentity.ManagedIdentityClientIdReference != nil {
-		if strings.EqualFold(os.Getenv(WorkloadIdentityDisableGlobalServiceAccount), "true") {
-			return loader.NewArgumentError("auth.workloadIdentity.managedIdentityClientIdReference", fmt.Errorf("'managedIdentityClientIdReference' is not allowed since global service account is disabled"))
+		if strings.EqualFold(os.Getenv(WorkloadIdentityGlobalServiceAccountEnabled), "false") {
+			return loader.NewArgumentError("auth.workloadIdentity.managedIdentityClientIdReference", fmt.Errorf("using a global service account is no longer permitted with workload identity. See https://aka.ms/appconfig/k8sglobalserviceaccount for more information"))
 		}
 		authCount++
 	}