github.com/Azure/aad-pod-identity@v1.8.17/charts/aad-pod-identity/values.yaml

# Default values for aad-pod-identity-helm.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

nameOverride: ""
fullnameOverride: ""

image:
  repository: mcr.microsoft.com/oss/azure/aad-pod-identity
  imagePullPolicy: IfNotPresent

# One or more secrets to be used when pulling images
# imagePullSecrets:
#   - name: myRegistryKeySecretName

# https://github.com/Azure/aad-pod-identity#4-optional-match-pods-in-the-namespace
# By default, AAD Pod Identity matches pods to identities across namespaces.
# To match only pods in the namespace containing AzureIdentity set this to true.
forceNamespaced: "false"

# When NMI runs on a node where MIC is running, then MIC token request call is also
# intercepted by NMI. MIC can't get a valid token as to initialize and then
# assign the identity. Installing an exception for MIC would ensure all token requests
# for MIC pods directly go to IMDS and not go through the pod-identity validation
# https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.app-exception.md
installMICException: "true"

## If using a separate service principal for aad-pod-identity instead of cluster service principal specify the following
## (The chart will perform the base64 encoding for you for values that are stored in secrets.)
adminsecret: {}
#   cloud: <cloud environment name>
#   subscriptionID: <subscription id>
#   resourceGroup: <node resource group>
#   vmType: <`standard` for normal virtual machine nodes, and `vmss` for cluster deployed with a virtual machine scale set>
#   tenantID: <service principal tenant id>
#   clientID: <service principal client id. Set to `msi` when using a User Managed Identity>
#   clientSecret: <service principal client secret. Set to `msi` when using a User Managed Identity>
#   useMSI: <set to true when using a User Managed Identity>
#   userAssignedMSIClientID: <client id for the User Managed Identity>
# Operation mode for pod-identity. Default is standard mode that has MIC doing identity assignment
# Allowed values: "standard", "managed"
operationMode: "standard"

mic:
  image: mic
  tag: v1.8.17

  # ref: https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical
  priorityClassName: ""

  # log level. Uses V logs (klog)
  logVerbosity: 0
  loggingFormat: ""

  replicas: 2

  resources:
    limits:
      cpu: 200m
      memory: 1024Mi
    requests:
      cpu: 100m
      memory: 256Mi

  podAnnotations: {}

  podLabels: {}

  ## Node labels for pod assignment
  ## aad-pod-identity is currently only supported on linux
  nodeSelector:
    kubernetes.io/os: linux

  tolerations: []
    # - key: "CriticalAddonsOnly"
    #   operator: "Exists"

  # Affinity rules to apply to the mic deployment.
  # Uses an anti-affinity rule to prefer not to co-locate pods on the same node as default.
  # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  affinity:
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 1
        podAffinityTerm:
          topologyKey: kubernetes.io/hostname
          labelSelector:
            matchLabels:
              app.kubernetes.io/component: mic

  # Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in.
  # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  topologySpreadConstraints: []
    # - maxSkew: 1
    #   topologyKey: failure-domain.beta.kubernetes.io/zone
    #   whenUnsatisfiable: DoNotSchedule
    #   labelSelector:
    #     matchLabels:
    #       app.kubernetes.io/component: mic

  # Limit the number of concurrent disruptions that your application experiences,
  # allowing for higher availability while permitting the cluster administrator to manage the clusters nodes.
  # ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
  podDisruptionBudget: {}
    # minAvailable: 1

  leaderElection:
    # Override leader election instance name (default is 'hostname')
    instance: ""
    # Override the namespace to create leader election objects (default is default namespace)
    namespace: ""
    # Override leader election name (default is aad-pod-identity-mic)
    name: ""
    # Override leader election duration (default is 15s)
    duration: ""

  # Override http liveliness probe port (default is 8080)
  probePort: ""

  # Override interval in seconds at which sync loop should periodically check for errors and reconcile (default is 3600s)
  syncRetryDuration: ""

  # Override the defult value of immutable identities.
  immutableUserMSIs: []
    # Example of MSIs (should be replaced with the real client ids)
    #- "00000000-0000-0000-0000-000000000000"
    #- "11111111-1111-1111-1111-111111111111"

  # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#batch-create-delete-flag
  # default value is 20
  createDeleteBatch: ""

  # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#client-qps-flag
  # default value is 5
  clientQps: ""

  # default value is 8888
  # prometheus port for metrics
  prometheusPort: ""

  # cloud configuration used to authenticate with Azure
  cloudConfig: "/etc/kubernetes/azure.json"

  # Configures for a custom cloud per the example here:
  # https://azure.github.io/aad-pod-identity/docs/configure/custom_cloud/
  customCloud:
    enabled: false
    configPath: "/etc/kubernetes/akscustom.json"

  # The maximum retry of UpdateUserMSI call. MIC updates all the identities in a batch. If a single identity contains an error
  # or is invalid, then the entire operation fails. Configuring this flag will make MIC retry by removing the erroneous identities
  # returned in the error
  # Default value is 2.
  updateUserMSIMaxRetry: ""

  # The duration to wait before retrying UpdateUserMSI (batch assigning/un-assigning identity from VM/VMSS) in case of errors
  # Default value is 1s
  updateUserMSIRetryInterval: ""

  # The interval between reconciling identity assignment on Azure based on an existing list of AzureAssignedIdentities
  # Default value is 3m
  identityAssignmentReconcileInterval: ""

nmi:
  image: nmi
  tag: v1.8.17

  # ref: https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical
  priorityClassName: ""

  # log level. Uses V logs (klog)
  logVerbosity: 0
  loggingFormat: ""

  resources:
    limits:
      cpu: 200m
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 256Mi

  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1

  podAnnotations: {}

  podLabels: {}

  ## Node labels for pod assignment
  ## aad-pod-identity is currently only supported on linux
  nodeSelector:
    kubernetes.io/os: linux

  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  ## An empty key with operator Exists matches all keys, values and effects which means this will tolerate everything.
  tolerations:
    - operator: "Exists"

  # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  affinity: {}
    # nodeAffinity:
    #   preferredDuringSchedulingIgnoredDuringExecution:
    #     - weight: 1
    #       preference:
    #         matchExpressions:
    #           - key: kubernetes.azure.com/mode
    #             operator: In
    #             values:
    #               - system

  # Override iptables update interval in seconds (default is 60)
  ipTableUpdateTimeIntervalInSeconds: ""

  # Override mic namespace to short circuit MIC token requests (default is default namespace)
  micNamespace: ""

  # Override http liveliness probe port (default is 8080)
  probePort: "8085"

  # Override number of retries in NMI to find assigned identity in CREATED state (default is 16)
  retryAttemptsForCreated: ""

  # Override number of retries in NMI to find assigned identity in ASSIGNED state (default is 4)
  retryAttemptsForAssigned: ""

  # Override retry interval to find assigned identities in seconds (default is 5)
  findIdentityRetryIntervalInSeconds: ""

  # Enable scale features - https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#enable-scale-features-flag
  # Accepted values are true/false. Default is true for v1.8.1+.
  enableScaleFeatures: true

  # default value is 9090
  # prometheus port for metrics
  prometheusPort: ""

  # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#block-instance-metadata-flag
  # default is false
  blockInstanceMetadata: ""

  # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#metadata-header-required-flag
  # default is true
  metadataHeaderRequired: true

  # enable running aad-pod-identity on clusters with kubenet
  # default is false
  allowNetworkPluginKubenet: false

  # Path to kubelet default config.
  # default is /etc/default/kubelet
  kubeletConfig: "/etc/default/kubelet"

  # Set retry-after header in the NMI responses when the identity is still being assigned.
  setRetryAfterHeader: false

  # Enable/Disable deletion of conntrack entries for pre-existing connections to metadata endpoint
  enableConntrackDeletion: false

rbac:
  enabled: true
  # NMI requires permissions to get secrets when service principal (type: 1) is used in AzureIdentity.
  # If using only MSI (type: 0) in AzureIdentity, secret get permission can be disabled by setting this to false.
  allowAccessToSecrets: true
  pspEnabled: false
  # If set to true, then view and edit cluster roles will be created with annotations
  # that agrigate to the admin, edit and view built-in cluster roles. These roles will
  # be able to create the necessary resources to allow pod identity binding on pods.
  createUserFacingClusterRoles: false

# Create azure identities and bindings
# This is a map with the AzureIdentityName being the key and the rest of the blob as value in accordance
# to helm best practices: https://helm.sh/docs/chart_best_practices/values/#consider-how-users-will-use-your-values
azureIdentities:
  # "azure-identity":
  #   # if not defined, then the azure identity will be deployed in the same namespace as the chart
  #   namespace: ""
  #   # if not defined, then the name of azure identity will be the same as the key
  #   name: ""
  #   # type 0: User-assigned identity, type 1: Service Principal, type 2: Service principal with certificate
  #   type: 0
  #   # /subscriptions/subscription-id/resourcegroups/resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-name
  #   # Required for type 0
  #   resourceID: ""
  #   # Required for type 0, 1 and 2
  #   clientID: ""
  #   # Required for type 1 and 2
  #   tenantID: ""
  #   # Required for type 1 and 2
  #   clientPassword: "{\"name\":\"<secret name>\",\"namespace\":\"<secret namespace>\"}"
  #   # Optional for type 1 and 2 (multi-tenant)
  #   auxiliaryTenantIDs: []
  #   binding:
  #     name: "azure-identity-binding"
  #     # The selector will also need to be included in labels for app deployment
  #     selector: "demo"

# If provided, the userAgent string will be appended to the pod identity user agents for all
# ADAL, ARM and Kube API server requests.
customUserAgent: ""