Update azure.md

updated version of external-dns, added notes for MSI permissions and which roles can be used, fixed mounting of config-file-secret
This commit is contained in:
DOliana 2021-05-20 20:53:50 +02:00 committed by GitHub
parent 4be8468f59
commit 9c0bd8dd43
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -61,7 +61,7 @@ The `resourceGroup` is the Resource Group created in a previous step.
The `aadClientID` and `aaClientSecret` are associated with the Service Principal, that you need to create next.
### Creating service principal
A Service Principal with a minimum access level of `contributor` to the DNS zone(s) and `reader` to the resource group containing the Azure DNS zone(s) is necessary for ExternalDNS to be able to edit DNS records. However, other more permissive access levels will work too (e.g. `contributor` to the resource group or the whole subscription).
A Service Principal with a minimum access level of `DNS Zone Contributor` or `Contributor` to the DNS zone(s) and `Reader` to the resource group containing the Azure DNS zone(s) is necessary for ExternalDNS to be able to edit DNS records. However, other more permissive access levels will work too (e.g. `Contributor` to the resource group or the whole subscription).
This is an Azure CLI example on how to query the Azure API for the information required for the Resource Group and DNS zone you would have already created in previous steps.
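Review bot: the new sentence still presents both `DNS Zone Contributor` and `Contributor` as a "minimum access level", but `Contributor` on a zone is strictly broader than `DNS Zone Contributor`, so only the latter is actually a minimum. Suggest stating `DNS Zone Contributor` on the DNS zone(s) plus `Reader` on the resource group as the least-privilege baseline and moving `Contributor` into the "more permissive" parenthetical that already follows. Visible in the context line above: `aaClientSecret` should read `aadClientSecret` to match the `aadClientID` key beside it.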
@ -136,7 +136,7 @@ $ kubectl create secret generic azure-config-file --from-file=/local/path/to/azu
### Azure Managed Service Identity (MSI)
If [Azure Managed Service Identity (MSI)](https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview) is enabled for virtual machines, then there is no need to create separate service principal.
If [Azure Managed Service Identity (MSI)](https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview) is enabled for virtual machines, then there is no need to create separate service principal. Note that when granting access the kubeletidentity must be used, not the MSI used for the cluster (it usually has a name in the format <Clustername>-<agentpool>).
The contents of `azure.json` should be similar to this:
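Review bot: the referent of "it" in the added note is ambiguous; the name pattern `<Clustername>-<agentpool>` describes the kubelet identity, but as written the sentence can be read as describing the cluster MSI instead. Also, `<Clustername>-<agentpool>` is not in backticks, so Markdown renderers will treat the angle-bracketed parts as raw HTML and drop them; wrap the pattern in backticks and write `kubeletidentity` either as code or as "kubelet identity". Minor: "create separate service principal" wants an article ("create a separate service principal").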
@ -191,7 +191,7 @@ spec:
spec:
containers:
- name: external-dns
image: k8s.gcr.io/external-dns/external-dns:v0.7.6
image: k8s.gcr.io/external-dns/external-dns:v0.8.0
args:
- --source=service
- --source=ingress
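Review bot: the tag bump to v0.8.0 is applied consistently in all three manifests of this commit, which is good. Since readers copy these manifests straight into clusters, a short mention of any flag or behaviour changes between v0.7.6 and v0.8.0 would help, and pinning the image by digest in addition to the tag would make the example reproducible.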
@ -206,6 +206,9 @@ spec:
- name: azure-config-file
secret:
secretName: azure-config-file
items:
- key: externaldns-config.json
path: azure.json
```
### Manifest (for clusters with RBAC enabled, cluster access)
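Review bot: the key selected by the new `items` entry, `externaldns-config.json`, does not match how the secret is created earlier in this document (`kubectl create secret generic azure-config-file --from-file=/local/path/to/azure.json`, visible in the previous hunk header), which produces a key named `azure.json`. When `items` references a key that is not present in the secret, the kubelet fails volume setup and the pod stays stuck in ContainerCreating. Either change the create command to `--from-file=externaldns-config.json=/local/path/to/azure.json` or use `key: azure.json` here; the same mapping is added to the two manifests that follow, so both need the same fix. Also check that `items:` is indented at the same level as `secretName:` under `secret:`.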
@ -261,7 +264,7 @@ spec:
serviceAccountName: external-dns
containers:
- name: external-dns
image: k8s.gcr.io/external-dns/external-dns:v0.7.6
image: k8s.gcr.io/external-dns/external-dns:v0.8.0
args:
- --source=service
- --source=ingress
@ -276,6 +279,9 @@ spec:
- name: azure-config-file
secret:
secretName: azure-config-file
items:
- key: externaldns-config.json
path: azure.json
```
### Manifest (for clusters with RBAC enabled, namespace access)
@ -331,7 +337,7 @@ spec:
serviceAccountName: external-dns
containers:
- name: external-dns
image: k8s.gcr.io/external-dns/external-dns:v0.7.6
image: k8s.gcr.io/external-dns/external-dns:v0.8.0
args:
- --source=service
- --source=ingress
@ -346,6 +352,9 @@ spec:
- name: azure-config-file
secret:
secretName: azure-config-file
items:
- key: externaldns-config.json
path: azure.json
```
Create the deployment for ExternalDNS: