infra/azure-peerpods: remove unnecessary resources
Now that we no longer rely on the coco-operator, some of these resources are no longer needed.
Freax13 committed Nov 4, 2024
1 parent 5aed8d8 commit 56fc63d
Showing 2 changed files with 0 additions and 74 deletions.
2 changes: 0 additions & 2 deletions .gitignore
Expand Up @@ -22,6 +22,4 @@ id_rsa*
kube.conf
out.env
infra/**/peer-pods-config.yaml
infra/**/kustomization.yaml
infra/**/workload-identity.yaml
uplosi.conf*
72 changes: 0 additions & 72 deletions infra/azure-peerpods/main.tf
Expand Up @@ -69,14 +69,6 @@ resource "azurerm_role_assignment" "ra_network_contributor" {
principal_id = azuread_service_principal.sp.object_id
}

resource "azuread_application_federated_identity_credential" "federated_credentials" {
display_name = local.name
application_id = azuread_application.app.id
issuer = azurerm_kubernetes_cluster.cluster.oidc_issuer_url
subject = "system:serviceaccount:confidential-containers-system:cloud-api-adaptor"
audiences = ["api://AzureADTokenExchange"]
}

resource "azuread_application_password" "cred" {
application_id = azuread_application.app.id
}
Expand Down Expand Up @@ -128,70 +120,6 @@ resource "local_file" "kubeconfig" {
content = azurerm_kubernetes_cluster.cluster.kube_config_raw
}

resource "local_file" "workload_identity" {
filename = "./workload-identity.yaml"
file_permission = "0777"
content = <<EOF
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: cloud-api-adaptor-daemonset
namespace: confidential-containers-system
spec:
template:
metadata:
labels:
azure.workload.identity/use: "true"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: cloud-api-adaptor
namespace: confidential-containers-system
annotations:
azure.workload.identity/client-id: ${azuread_application.app.client_id}
EOF
}

resource "local_file" "kustomization" {
filename = "./kustomization.yaml"
file_permission = "0777"
content = <<EOF
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
bases:
- ../../yamls
images:
- name: cloud-api-adaptor
newName: quay.io/confidential-containers/cloud-api-adaptor
newTag: v0.9.0-amd64
generatorOptions:
disableNameSuffixHash: true
configMapGenerator:
- name: peer-pods-cm
namespace: confidential-containers-system
literals:
- CLOUD_PROVIDER=azure
- AZURE_SUBSCRIPTION_ID=${data.azurerm_subscription.current.subscription_id}
- AZURE_REGION=${data.azurerm_resource_group.rg.location}
- AZURE_INSTANCE_SIZE=Standard_DC2as_v5
- AZURE_RESOURCE_GROUP=${data.azurerm_resource_group.rg.name}
- AZURE_SUBNET_ID=${one(azurerm_virtual_network.main.subnet.*.id)}
- AZURE_IMAGE_ID=${var.image_id}
- DISABLECVM=false
secretGenerator:
- name: peer-pods-secret
namespace: confidential-containers-system
- name: ssh-key-secret
namespace: confidential-containers-system
files:
- id_rsa.pub
patchesStrategicMerge:
- workload-identity.yaml
EOF
}


data "local_file" "id_rsa" {
filename = "id_rsa.pub"
}
