Confused on how to use with a service principal

[Dragonsong3k]

Hi!

I am trying to configure my cluster to use a dedicated service principal.

I am using the helm chart and supplying the values in line with the --set commands.

Does the chart also create the actual secret via the "adminsecret" parameters or do I need to create the secret manually?

If the secret needs to be created manually, why does the ClientSecret need to be passed to the chart at all?

Thanks!

[chewong]

As far as I know, adminsecret.clientSecret has to be manually created before you can reference it in https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/templates/mic-secret.yaml. The reason why it needs to be passed to the chart via --set is that It's better not to expose the secret in plain text, and instead store it as a Kubenretes secret and let other objects reference it.

[Dragonsong3k]

I was just reading that. It seems that the "adminsecret" parameters are passed to the mic-secret.yaml as you mentioned.

I am attempting to use MANAGED mode where there is no MIC created.

Does this mean I do not need the adminsecret section at all and just a pre-created k8s secret in the deployment?

[chewong]

Yes, you don't need any secret at all if you are using managed mode because NMI (the only component that is deployed in managed mode) does not require auth with Azure. However, you will have to manually assign identities to your underlying VM/VMSS nodes beforehand. See https://azure.github.io/aad-pod-identity/docs/configure/pod_identity_in_managed_mode/ for more details.