From 8ca0f319a1c59e3487f5df918fe611127d3e4e2e Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Fri, 3 Jan 2025 11:37:10 -0800 Subject: [PATCH] document how to configure Azure for CI --- README.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/README.md b/README.md index 2fe0de060..e23a30834 100644 --- a/README.md +++ b/README.md 
@@ -144,6 +144,24 @@ Using the `gcloud secrets list` command or the [web console](https://console.clo you can list the available secrets. The content of each secret is a YAML file with secret key/value pairs. You can also use the `./hack/edit-gcloud-secret.sh ` script to edit or inspect each secret. +## Configure Azure for CI to test on AKS + +There are several CI jobs which test that Pinniped works when installed on Azure's AKS. +For these jobs to run, they need to be able to create and delete ephemeral AKS clusters. +This requires the following: + +1. An active Azure Subscription. (A "subscription" in Azure is the equivalent of an "account" in AWS or a "project" in GCP.) +2. An Azure App Registration (basically, a service account) active in the same Directory (aka tenant) as the Subscription. + Create the app in "My Organization Only". It does not need a redirect URI or any other optional settings. + Create a client secret for this app. If you want the client secret to have a long lifetime, you can use the `az` CLI to create it. + In the Subscription's IAM settings, assign this app the role "Azure Kubernetes Service Contributor Role" to allow + the app to manage AKS clusters. Do not grant this app permissions in any other Subscription or use it for any + other purpose. +3. Configure the pipelines with the app's Application (client) ID, Client Secret, and Directory (tenant) ID + as the appropriate secret values. + +The CI jobs will create and delete AKS clusters in a Resource Group called `pinniped-ci` within the provided Subscription. + ## Setting Up Active Directory Test Environment To test the `ActiveDirectoryIdentityProvider` functionality, we have a long-running Active Directory Domain Controller
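Review bot: the role assignment in step 2 is broader than the doc's own description of what the app does. Step 2 says to assign "Azure Kubernetes Service Contributor Role" in the Subscription's IAM settings, but the closing paragraph states the CI jobs only create and delete AKS clusters in the Resource Group `pinniped-ci`; suggest documenting the assignment at that Resource Group's scope instead, so a leaked client secret cannot manage AKS clusters anywhere else in the Subscription, and saying whether `pinniped-ci` must exist before the pipelines run. Step 2 also recommends "If you want the client secret to have a long lifetime, you can use the `az` CLI to create it" without naming an expiry or a rotation expectation; since this secret ends up stored in the pipelines (step 3), state the intended lifetime and that it must be rotated, or at least that the expiry should be tracked, rather than leaving "long lifetime" open-ended.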