Sharing data through ConfigMaps

Some resources supported by Azure Service Operator accept dynamic input read from a ConfigMap. Some can also write selected output (such as a ManagedIdentity's principalId and clientId) into a ConfigMap.

How to provide ConfigMap data to ASO

Resources may have fields in their spec that allow a reference to a Kubernetes ConfigMap. These fields are usually optional: you can specify the raw value directly, or source it from a ConfigMap when you need something more dynamic.

For example, to create a RoleAssignment you must specify the principalId of the identity it applies to. You can hardcode that principalId, or you can refer to it dynamically as a ConfigMap key.

Example (from the RoleAssignment sample):

apiVersion: authorization.azure.com/v1api20200801preview
kind: RoleAssignment
metadata:
  name: fee8b6b1-fe6e-481d-8330-0e950e4e6b86 # Should be UUID
  namespace: default
spec:
  location: westcentralus
  # This resource can be owned by any resource. In this example we've chosen a resource group for simplicity
  owner:
    name: aso-sample-rg
    group: resources.azure.com
    kind: ResourceGroup
  # This is the Principal ID of the AAD identity to which the role will be assigned
  principalIdFromConfig:
    name: identity-settings
    key: principalId
  roleDefinitionReference:
    # This ARM ID represents "Contributor" - you can read about other built in roles here: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
    armId: /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c

This reads the principalId value from a ConfigMap. Alternatively, it could have been specified explicitly via the spec.principalId field instead of spec.principalIdFromConfig.

Note that not every field of every resource supports importing data from a ConfigMap. To check whether a resource supports it, consult its documentation.

How to export ConfigMap data from ASO

Data can be exported to a ConfigMap of your choosing by configuring the .spec.operatorSpec.configMaps field or the .spec.operatorSpec.configMapExpressions field. The data is written to the destination(s) you specify once the resource has been successfully provisioned in Azure.

The resource will not move to Condition Ready=True until the data has been written.

Example .spec.operatorSpec.configMapExpressions:

apiVersion: managedidentity.azure.com/v1api20181130
kind: UserAssignedIdentity
metadata:
  name: sampleuserassignedidentity
  namespace: default
spec:
  location: westcentralus
  owner:
    name: aso-sample-rg
  operatorSpec:
    configMapExpressions:
      - name: identity-settings
        key: principalId
        value: self.status.principalId
      - name: identity-settings
        key: clientId
        value: self.status.clientId

More complex expressions can be exported as well, see Expressions for more details.

Example .spec.operatorSpec.configMaps (from the UserAssignedIdentity sample):

apiVersion: managedidentity.azure.com/v1api20181130
kind: UserAssignedIdentity
metadata:
  name: sampleuserassignedidentity
  namespace: default
spec:
  location: westcentralus
  owner:
    name: aso-sample-rg
  operatorSpec:
    configMaps:
      # Export the principalId and clientId to a ConfigMap for use by our application and/or
      # other ASO resources such as RoleAssignments
      principalId:
        name: identity-settings
        key: principalId
      clientId:
        name: identity-settings
        key: clientId
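The import and export halves of this page only work together when every *FromConfig reference points at a key that some manifest exports in the same namespace, and when no two exports write the same destination key. The following pre-apply check is an added example (not part of the ASO docs or the operator's own code): it collects exports from operatorSpec.configMaps and operatorSpec.configMapExpressions, collects imports by walking spec for fields ending in FromConfig (a naming convention assumed from the principalIdFromConfig field shown above), and reports collisions and unsatisfied imports. The manifests are constructed inline as Python dicts mirroring the samples on this page.

```python
from collections import defaultdict

def exported_keys(m):
    """Yield (namespace, configmap, key, source) for each operatorSpec export."""
    ns = m["metadata"].get("namespace", "default")
    op = m.get("spec", {}).get("operatorSpec") or {}
    for field, dest in (op.get("configMaps") or {}).items():
        yield ns, dest["name"], dest["key"], f"configMaps.{field}"
    for expr in op.get("configMapExpressions") or []:
        yield ns, expr["name"], expr["key"], f"expression '{expr['value']}'"

def imported_keys(m):
    """Yield (namespace, configmap, key, path) for each *FromConfig field under spec."""
    ns = m["metadata"].get("namespace", "default")
    def walk(node, path):
        for k, v in (node.items() if isinstance(node, dict) else enumerate(node)):
            if isinstance(k, str) and k.endswith("FromConfig") and isinstance(v, dict):
                yield ns, v["name"], v["key"], f"{path}.{k}"
            elif isinstance(v, (dict, list)):
                yield from walk(v, f"{path}.{k}")
    yield from walk(m.get("spec", {}), "spec")

def check_configmap_wiring(manifests):
    """Return problem strings: duplicate export destinations and unsatisfied imports."""
    label = lambda m: f"{m['kind']}/{m['metadata']['name']}"
    exports = defaultdict(list)
    for m in manifests:
        for ns, name, key, src in exported_keys(m):
            exports[(ns, name, key)].append(f"{label(m)} {src}")
    problems = [f"{name}/{key} in {ns} is written by several exports: {srcs}"
                for (ns, name, key), srcs in exports.items() if len(srcs) > 1]
    for m in manifests:
        for ns, name, key, path in imported_keys(m):
            if (ns, name, key) not in exports:  # ConfigMaps are namespace-scoped
                problems.append(f"{label(m)} {path} reads {name}/{key} in {ns}, "
                                "which no manifest exports")
    return problems

# Constructed manifests mirroring this page's samples. The clientId expression is
# deliberately pointed at key principalId, and one RoleAssignment sits in another
# namespace, so the check reports both a collision and an unsatisfied import.
def role_assignment(name, ns):
    return {"kind": "RoleAssignment", "metadata": {"name": name, "namespace": ns},
            "spec": {"principalIdFromConfig": {"name": "identity-settings", "key": "principalId"}}}
SAMPLE = [{"kind": "UserAssignedIdentity", "metadata": {"name": "sampleuserassignedidentity"},
           "spec": {"operatorSpec": {"configMapExpressions": [
               {"name": "identity-settings", "key": "principalId", "value": "self.status.principalId"},
               {"name": "identity-settings", "key": "principalId", "value": "self.status.clientId"}]}}},
          role_assignment("ra-default", "default"), role_assignment("ra-team-b", "team-b")]
```

Running check_configmap_wiring(SAMPLE) returns two findings; a resource that never reaches Ready=True because its ConfigMap key is missing or overwritten is usually one of these two wiring mistakes.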