Feature: Support Role Assignment for Azure Search #4294

Open
valeriianesterova-lego opened this issue Sep 25, 2024 · 1 comment

@valeriianesterova-lego

I'm currently using Azure Service Operator (ASO) v2.7.0 in my Kubernetes cluster and encountered an issue when trying to assign roles such as Search Index Data Reader to Azure Search resources via ASO. While the ASO documentation and examples suggest that Azure Search resources (like SearchService) are supported, it seems that role assignments related to Azure Search are not yet fully supported.

Problem:

When attempting to assign a role to an Azure Search resource using the following RoleAssignment configuration, I receive an error stating that it could not resolve the reference for the Azure Search service:

```yaml
apiVersion: authorization.azure.com/v1api20220401
kind: RoleAssignment
metadata:
  name: ${SERVICE_NAME}-search-index-reader
  ownerReferences:
    - apiVersion: managedidentity.azure.com/v1api20220401
      kind: UserAssignedIdentity
      name: ${SERVICE_NAME}
      uid: ${IDENTITY_DEFINITION_UID}
spec:
  azureName: "${UID3}"
  principalId: ${IDENTITY_PRINCIPAL_ID}
  owner:
    name: ${AZURE_SEARCH_NAME}
    group: search.azure.com
    kind: SearchService
  roleDefinitionReference:
    armId: /subscriptions/${AZURE_SUBSCRIPTION_ID}/providers/Microsoft.Authorization/roleDefinitions/1407120a-92aa-4202-b7e9-c0e197c71c8f
```

The error returned is as follows:

```
failed to get owner: couldn't resolve reference azure-search, Group/Kind: search.azure.com/SearchService: no matches for kind "SearchService" in version "search.azure.com/v1api20220401storage"
```

Request:

I would like to ask that support for role assignments related to Azure Search resources be added in future releases of ASO. This would greatly improve automation workflows for users managing Azure Search services and requiring specific role assignments like Search Index Data Reader for managed identities.

@theunrepentantgeek
Member

> failed to get owner: couldn't resolve reference azure-search, Group/Kind: search.azure.com/SearchService: no matches for kind "SearchService" in version "search.azure.com/v1api20220401storage"

Do you know where it's getting the version v1api20220401storage?

The storage versions of the resources are largely an internal implementation detail (used to achieve cross-version compatibility); we'd normally expect your resources to be referring to the normal variants (without the storage suffix).

It seems to have picked up on the version of RoleAssignment (v1api20220401) instead of the version of SearchService (v1api20220901).

If you're willing to share your YAML for the SearchService and for the RoleAssignment that would help me drill down and identify the problem.

@theunrepentantgeek theunrepentantgeek self-assigned this Sep 29, 2024