diff --git a/Makefile b/Makefile
index bf6cd6407..25a4dc49b 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@ REGISTRY ?= mcr.microsoft.com/oss/azure/workload-identity
 PROXY_IMAGE_NAME := proxy
 INIT_IMAGE_NAME := proxy-init
 WEBHOOK_IMAGE_NAME := webhook
-IMAGE_VERSION ?= v1.0.0
+IMAGE_VERSION ?= v1.1.0
 ORG_PATH := github.com/Azure
 PROJECT_NAME := azure-workload-identity
diff --git a/charts/workload-identity-webhook/Chart.yaml b/charts/workload-identity-webhook/Chart.yaml
index ce7b9036b..b8d0f61b6 100644
--- a/charts/workload-identity-webhook/Chart.yaml
+++ b/charts/workload-identity-webhook/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: workload-identity-webhook
 description: A Helm chart to install the azure-workload-identity webhook
 type: application
-version: 1.0.0
-appVersion: v1.0.0
+version: 1.1.0
+appVersion: v1.1.0
 home: https://github.com/Azure/azure-workload-identity
 sources:
 - https://github.com/Azure/azure-workload-identity
diff --git a/charts/workload-identity-webhook/README.md b/charts/workload-identity-webhook/README.md
index b38e68010..e0a655a5e 100644
--- a/charts/workload-identity-webhook/README.md
+++ b/charts/workload-identity-webhook/README.md
@@ -29,30 +29,32 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide
 ## Parameters
-| Parameter | Description | Default |
-| :------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------ |
-| replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` |
-| image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
-| image.pullPolicy | Image pullPolicy | `IfNotPresent` |
-| image.release | The image release tag to use | Current release version: `v1.0.0` |
-| imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` |
-| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
-| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi |
-| affinity | The node affinity to use for pod scheduling | `{}` |
-| tolerations | The tolerations to use for pod scheduling | `[]` |
-| service.type | Service type | `ClusterIP` |
-| service.port | Service port | `443` |
-| service.targetPort | Service target port | `9443` |
-| azureTenantID | [**REQUIRED**] Azure tenant ID | `` |
-| azureEnvironment | Azure Environment | `AzurePublicCloud` |
-| logLevel | The log level to use for the webhook manager. In order of increasing verbosity: unset (empty string), info, debug, trace and all. | `info` |
-| metricsAddr | The address to bind the metrics server to | `:8095` |
-| metricsBackend | The metrics backend to use (`prometheus`) | `prometheus` |
-| priorityClassName | The priority class name for webhook manager | `system-cluster-critical` |
-| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` |
-| podLabels | The labels to add to the azure-workload-identity webhook pods | `{}` |
-| podAnnotations | The annotations to add to the azure-workload-identity webhook pods | `{}` |
-| mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` |
+| Parameter | Description | Default |
+| :--------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------ |
+| replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` |
+| image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
+| image.pullPolicy | Image pullPolicy | `IfNotPresent` |
+| image.release | The image release tag to use | Current release version: `v1.1.0` |
+| imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` |
+| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
+| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi |
+| affinity | The node affinity to use for pod scheduling | `{}` |
+| tolerations | The tolerations to use for pod scheduling | `[]` |
+| service.type | Service type | `ClusterIP` |
+| service.port | Service port | `443` |
+| service.targetPort | Service target port | `9443` |
+| azureTenantID | [**REQUIRED**] Azure tenant ID | `` |
+| azureEnvironment | Azure Environment | `AzurePublicCloud` |
+| logLevel | The log level to use for the webhook manager. In order of increasing verbosity: unset (empty string), info, debug, trace and all. | `info` |
+| metricsAddr | The address to bind the metrics server to | `:8095` |
+| metricsBackend | The metrics backend to use (`prometheus`) | `prometheus` |
+| priorityClassName | The priority class name for webhook manager | `system-cluster-critical` |
+| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` |
+| podLabels | The labels to add to the azure-workload-identity webhook pods | `{}` |
+| podAnnotations | The annotations to add to the azure-workload-identity webhook pods | `{}` |
+| mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` |
+| podDisruptionBudget.minAvailable | The minimum number of pods that must be available for the webhook to be considered available | `1` |
+| podDisruptionBudget.maxUnavailable | The maximum number of pods that may be unavailable for the webhook to be considered available | `nil` |
 ## Contributing Changes
diff --git a/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-poddisruptionbudget.yaml b/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-poddisruptionbudget.yaml
index de008222e..d51152913 100644
--- a/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-poddisruptionbudget.yaml
+++ b/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-poddisruptionbudget.yaml
@@ -9,7 +9,12 @@ metadata:
 name: azure-wi-webhook-controller-manager
 namespace: '{{ .Release.Namespace }}'
 spec:
- minAvailable: 1
+ {{- if .Values.podDisruptionBudget.maxUnavailable }}
+ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+ {{- end }}
+ {{- if .Values.podDisruptionBudget.minAvailable }}
+ minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+ {{- end }}
 selector:
 matchLabels:
 app: '{{ template "workload-identity-webhook.name" . }}'
diff --git a/charts/workload-identity-webhook/values.yaml b/charts/workload-identity-webhook/values.yaml
index 6adb72262..0ec86e334 100644
--- a/charts/workload-identity-webhook/values.yaml
+++ b/charts/workload-identity-webhook/values.yaml
@@ -7,7 +7,7 @@ image:
 repository: mcr.microsoft.com/oss/azure/workload-identity/webhook
 pullPolicy: IfNotPresent
 # Overrides the image tag whose default is the chart appVersion.
- release: v1.0.0
+ release: v1.1.0
 imagePullSecrets: []
 nodeSelector:
 kubernetes.io/os: linux
@@ -34,3 +34,7 @@ mutatingWebhookAnnotations: {}
 podLabels: {}
 podAnnotations: {}
 mutatingWebhookNamespaceSelector: {}
+# minAvailable and maxUnavailable are mutually exclusive
+podDisruptionBudget:
+ minAvailable: 1
+ # maxUnavailable: 0
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
index bec2c5ab2..b90dea5b8 100644
--- a/config/manager/kustomization.yaml
+++ b/config/manager/kustomization.yaml
@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: manager
 newName: mcr.microsoft.com/oss/azure/workload-identity/webhook
- newTag: v1.0.0
+ newTag: v1.1.0
 configMapGenerator:
 - literals:
 - AZURE_TENANT_ID="${AZURE_TENANT_ID}"
diff --git a/deploy/azure-wi-webhook.yaml b/deploy/azure-wi-webhook.yaml
index a4d8048aa..cc17b8cfb 100644
--- a/deploy/azure-wi-webhook.yaml
+++ b/deploy/azure-wi-webhook.yaml
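Review bot: The `{{- if .Values.podDisruptionBudget.maxUnavailable }}` guard in the PodDisruptionBudget template is a truthiness test, so a value of `0` is treated like an unset value and the field is never rendered, although `# maxUnavailable: 0` is the example given in the values.yaml hunk (`@@ -34,3 +34,7 @@`). Because values.yaml ships `minAvailable: 1`, a user who sets only `maxUnavailable` to a non-zero value gets both fields rendered, which the values.yaml comment itself calls mutually exclusive, so the install presumably fails at the API server unless `minAvailable` is also nulled out. Pods depend on this admission webhook being reachable, so the budget that protects it during node drains should render predictably for every documented value. Testing for nil with `kindIs "invalid"` and chaining the second branch as `else if` makes `0` work and keeps the two fields exclusive. The PodDisruptionBudget manifest starts and ends outside the hunk.

```yaml
spec:
  {{- if not (kindIs "invalid" .Values.podDisruptionBudget.maxUnavailable) }}
  maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
  {{- else if not (kindIs "invalid" .Values.podDisruptionBudget.minAvailable) }}
  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
  {{- end }}
  # … unchanged: selector …
```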
@@ -162,7 +162,7 @@ spec:
 envFrom:
 - configMapRef:
 name: azure-wi-webhook-config
- image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v1.0.0
+ image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v1.1.0
 imagePullPolicy: IfNotPresent
 livenessProbe:
 failureThreshold: 6
diff --git a/docs/book/src/installation/mutating-admission-webhook.md b/docs/book/src/installation/mutating-admission-webhook.md
index b73c2372f..fa6df80a0 100644
--- a/docs/book/src/installation/mutating-admission-webhook.md
+++ b/docs/book/src/installation/mutating-admission-webhook.md
@@ -73,7 +73,7 @@ The deployment YAML contains the environment variables we defined above and we r
 Install the webhook using the deployment YAML via `kubectl apply -f` and `envsubst`:
 ```bash
-curl -sL https://github.com/Azure/azure-workload-identity/releases/download/v1.0.0/azure-wi-webhook.yaml | envsubst | kubectl apply -f -
+curl -sL https://github.com/Azure/azure-workload-identity/releases/download/v1.1.0/azure-wi-webhook.yaml | envsubst | kubectl apply -f -
 ```
diff --git a/examples/migration/pod-with-proxy-init-and-proxy-sidecar.yaml b/examples/migration/pod-with-proxy-init-and-proxy-sidecar.yaml
index 5f5049cbf..951467204 100644
--- a/examples/migration/pod-with-proxy-init-and-proxy-sidecar.yaml
+++ b/examples/migration/pod-with-proxy-init-and-proxy-sidecar.yaml
@@ -8,7 +8,7 @@ spec:
 serviceAccountName: workload-identity-sa
 initContainers:
 - name: init-networking
- image: mcr.microsoft.com/oss/azure/workload-identity/proxy-init:v1.0.0
+ image: mcr.microsoft.com/oss/azure/workload-identity/proxy-init:v1.1.0
 securityContext:
 capabilities:
 add:
@@ -26,6 +26,6 @@ spec:
 ports:
 - containerPort: 80
 - name: proxy
- image: mcr.microsoft.com/oss/azure/workload-identity/proxy:v1.0.0
+ image: mcr.microsoft.com/oss/azure/workload-identity/proxy:v1.1.0
 ports:
 - containerPort: 8000
diff --git a/manifest_staging/charts/workload-identity-webhook/Chart.yaml b/manifest_staging/charts/workload-identity-webhook/Chart.yaml
index ce7b9036b..b8d0f61b6 100644
--- a/manifest_staging/charts/workload-identity-webhook/Chart.yaml
+++ b/manifest_staging/charts/workload-identity-webhook/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: workload-identity-webhook
 description: A Helm chart to install the azure-workload-identity webhook
 type: application
-version: 1.0.0
-appVersion: v1.0.0
+version: 1.1.0
+appVersion: v1.1.0
 home: https://github.com/Azure/azure-workload-identity
 sources:
 - https://github.com/Azure/azure-workload-identity
diff --git a/manifest_staging/charts/workload-identity-webhook/README.md b/manifest_staging/charts/workload-identity-webhook/README.md
index 129225bae..e0a655a5e 100644
--- a/manifest_staging/charts/workload-identity-webhook/README.md
+++ b/manifest_staging/charts/workload-identity-webhook/README.md
@@ -34,7 +34,7 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide
 | replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` |
 | image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
 | image.pullPolicy | Image pullPolicy | `IfNotPresent` |
-| image.release | The image release tag to use | Current release version: `v1.0.0` |
+| image.release | The image release tag to use | Current release version: `v1.1.0` |
 | imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` |
 | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
 | resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi |
diff --git a/manifest_staging/charts/workload-identity-webhook/values.yaml b/manifest_staging/charts/workload-identity-webhook/values.yaml
index 2e8e995da..0ec86e334 100644
--- a/manifest_staging/charts/workload-identity-webhook/values.yaml
+++ b/manifest_staging/charts/workload-identity-webhook/values.yaml
@@ -7,7 +7,7 @@ image:
 repository: mcr.microsoft.com/oss/azure/workload-identity/webhook
 pullPolicy: IfNotPresent
 # Overrides the image tag whose default is the chart appVersion.
- release: v1.0.0
+ release: v1.1.0
 imagePullSecrets: []
 nodeSelector:
 kubernetes.io/os: linux
diff --git a/manifest_staging/deploy/azure-wi-webhook.yaml b/manifest_staging/deploy/azure-wi-webhook.yaml
index a4d8048aa..cc17b8cfb 100644
--- a/manifest_staging/deploy/azure-wi-webhook.yaml
+++ b/manifest_staging/deploy/azure-wi-webhook.yaml
@@ -162,7 +162,7 @@ spec:
 envFrom:
 - configMapRef:
 name: azure-wi-webhook-config
- image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v1.0.0
+ image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v1.1.0
 imagePullPolicy: IfNotPresent
 livenessProbe:
 failureThreshold: 6
diff --git a/pkg/cmd/podidentity/detect.go b/pkg/cmd/podidentity/detect.go
index 656a4e32b..e0c5244b5 100644
--- a/pkg/cmd/podidentity/detect.go
+++ b/pkg/cmd/podidentity/detect.go
@@ -35,7 +35,7 @@ var (
 const (
 imageRepository = "mcr.microsoft.com/oss/azure/workload-identity"
- imageTag = "v1.0.0"
+ imageTag = "v1.1.0"
 proxyInitImageName = "proxy-init"
 proxyImageName = "proxy"
diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/Chart.yaml b/third_party/open-policy-agent/gatekeeper/helmify/static/Chart.yaml
index ce7b9036b..b8d0f61b6 100644
--- a/third_party/open-policy-agent/gatekeeper/helmify/static/Chart.yaml
+++ b/third_party/open-policy-agent/gatekeeper/helmify/static/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: workload-identity-webhook
 description: A Helm chart to install the azure-workload-identity webhook
 type: application
-version: 1.0.0
-appVersion: v1.0.0
+version: 1.1.0
+appVersion: v1.1.0
 home: https://github.com/Azure/azure-workload-identity
 sources:
 - https://github.com/Azure/azure-workload-identity
diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/README.md b/third_party/open-policy-agent/gatekeeper/helmify/static/README.md
index 129225bae..e0a655a5e 100644
--- a/third_party/open-policy-agent/gatekeeper/helmify/static/README.md
+++ b/third_party/open-policy-agent/gatekeeper/helmify/static/README.md
@@ -34,7 +34,7 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide
 | replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` |
 | image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
 | image.pullPolicy | Image pullPolicy | `IfNotPresent` |
-| image.release | The image release tag to use | Current release version: `v1.0.0` |
+| image.release | The image release tag to use | Current release version: `v1.1.0` |
 | imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` |
 | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
 | resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi |
diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml b/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml
index 2e8e995da..0ec86e334 100644
--- a/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml
+++ b/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml
@@ -7,7 +7,7 @@ image:
 repository: mcr.microsoft.com/oss/azure/workload-identity/webhook
 pullPolicy: IfNotPresent
 # Overrides the image tag whose default is the chart appVersion.
- release: v1.0.0
+ release: v1.1.0
 imagePullSecrets: []
 nodeSelector:
 kubernetes.io/os: linux