This version drops support for Pod Identity.
To use Workload Identity and load secrets directly from Key Vault, you need to set up the following two things.
First, add this YAML block with the service account info:

```yaml
microservice-chart:
  serviceAccount:
    name: testit-workload-identity
```

This service account was set up beforehand (infra) and is linked to the workload identity.
Second, to use the workload identity it is mandatory to set the client ID associated with it. To do so, pass it as a parameter as shown below:

```yaml
microservice-chart:
  azure:
    # -- Azure Workload Identity Client ID (e.g. qwerty123-a1aa-1234-xyza-qwerty123)
    workloadIdentityClientId: qwerty123-a1aa-1234-xyza-qwerty123
```

Alternatively, if you don't want to commit this value, you can override it with a Helm parameter in this way:

```
--set microservice-chart.azure.workloadIdentityClientId="$CLIENT_ID"
```

The client ID is not a secret, which is why it can be put into git.
The guaranteed version of 5.x is 5.3, which contains all the fixes necessary to minimize the inconvenience of a migration.
### securityContext

`securityContext` now has the following configuration, so that your pods comply with the minimum security configuration:

```yaml
securityContext:
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - all
```
### tmpVolumeMount (formerly `tmpFolder`)

If you need a temp folder, for example for logs or temp data, use the `tmpVolumeMount` property. In this way you can create a tmp folder without disabling `readOnlyRootFilesystem`:

```yaml
tmpVolumeMount:
  create: true
  mounts:
    - name: tmp
      mountPath: /tmp
    - name: logs
      mountPath: /app/logs
```
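To verify that a rendered manifest actually carries the settings described in the service account, `securityContext` and `tmpVolumeMount` sections above, here is an added example linter (not part of the microservice-chart project). It works on a pod spec as a plain dictionary; the two sample specs are hand-constructed to look like chart output and are not rendered by the chart. It checks the three baseline settings, that the pod does not run as the `default` service account, and that every writable `volumeMount` is backed by an `emptyDir` volume, which is exactly the writable space `tmpVolumeMount` is meant to provide once the root filesystem is read-only.

```python
"""Lint a rendered pod spec against the chart 5.x security baseline.

Added example; the pod specs below are constructed by hand and are not
the chart's own output.
"""

REQUIRED_DROPPED_CAPS = {"all"}


def check_security_context(container):
    """Return findings for one container's securityContext."""
    name = container["name"]
    sc = container.get("securityContext") or {}
    findings = []
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append(f"{name}: readOnlyRootFilesystem must be true")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append(f"{name}: allowPrivilegeEscalation must be false")
    dropped = {c.lower() for c in (sc.get("capabilities") or {}).get("drop", [])}
    if not REQUIRED_DROPPED_CAPS <= dropped:
        findings.append(f"{name}: capabilities.drop must include 'all'")
    return findings


def check_writable_mounts(pod_spec, container):
    """With a read-only root FS the only writable paths are mounted volumes.

    Each non-readOnly volumeMount must reference a declared emptyDir volume
    (what tmpVolumeMount creates for /tmp or /app/logs).
    """
    name = container["name"]
    volumes = {v["name"]: v for v in pod_spec.get("volumes", [])}
    findings = []
    for m in container.get("volumeMounts", []):
        if m.get("readOnly"):
            continue
        vol = volumes.get(m["name"])
        if vol is None:
            findings.append(f"{name}: volumeMount '{m['name']}' references an undeclared volume")
        elif "emptyDir" not in vol:
            findings.append(f"{name}: writable mount '{m['name']}' at {m['mountPath']} is not an emptyDir")
    return findings


def lint_pod(pod_spec):
    """Return all findings for a pod spec; an empty list means compliant."""
    findings = []
    if pod_spec.get("serviceAccountName", "default") == "default":
        findings.append("pod: serviceAccountName must name the workload-identity service account, not 'default'")
    for c in pod_spec.get("containers", []):
        findings += check_security_context(c)
        findings += check_writable_mounts(pod_spec, c)
    return findings


# Constructed sample: the shape expected from serviceAccount + securityContext + tmpVolumeMount.
COMPLIANT_POD = {
    "serviceAccountName": "testit-workload-identity",
    "containers": [{
        "name": "app",
        "securityContext": {
            "readOnlyRootFilesystem": True,
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["all"]},
        },
        "volumeMounts": [
            {"name": "tmp", "mountPath": "/tmp"},
            {"name": "logs", "mountPath": "/app/logs"},
        ],
    }],
    "volumes": [{"name": "tmp", "emptyDir": {}}, {"name": "logs", "emptyDir": {}}],
}

# Constructed sample of a spec that misses the baseline: writable root FS, a
# tmp mount whose volume was never declared, and a hostPath used as scratch space.
NONCOMPLIANT_POD = {
    "serviceAccountName": "default",
    "containers": [{
        "name": "app",
        "securityContext": {"readOnlyRootFilesystem": False,
                            "capabilities": {"drop": ["NET_RAW"]}},
        "volumeMounts": [
            {"name": "tmp", "mountPath": "/tmp"},
            {"name": "scratch", "mountPath": "/scratch"},
        ],
    }],
    "volumes": [{"name": "scratch", "hostPath": {"path": "/var/scratch"}}],
}

if __name__ == "__main__":
    for label, spec in (("compliant", COMPLIANT_POD), ("noncompliant", NONCOMPLIANT_POD)):
        print(label, "->", lint_pod(spec) or "OK")
```

In practice you would feed `lint_pod` the `spec.template.spec` of each Deployment parsed from `helm template` output; the checks themselves do not depend on the chart.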
Renamed properties (see the README for each):

- `externalConfigMapFiles` (formerly `fileConfigExternals`)
- `configMapFromFile` (formerly `fileConfig`)
- `externalConfigMapValues` (formerly `envConfigMapExternals`)