diff --git a/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml
index 2218f2b8f3..100868dcbe 100644
--- a/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml
@@ -7,8 +7,8 @@ commonLabels:
 resources:
 - sync.yaml
-patchesStrategicMerge:
- - kubectl-patch.yaml
+patches:
+- path: kubectl-patch.yaml
 vars:
 - name: KUBE_SECRET
diff --git a/manifests/integrations/registry-credentials-sync/_base/sync.yaml b/manifests/integrations/registry-credentials-sync/_base/sync.yaml
index 913b94e28e..de1cd0cee3 100644
--- a/manifests/integrations/registry-credentials-sync/_base/sync.yaml
+++ b/manifests/integrations/registry-credentials-sync/_base/sync.yaml
@@ -101,9 +101,9 @@ rules:
 - create
 - update
 - patch
- # # Lock this down to the specific Secret name (Optional)
- #resourceNames:
- #- $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
+ # Lock this down to the specific Secret name (Optional)
+ resourceNames:
+ - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml
index 2218f2b8f3..100868dcbe 100644
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml
@@ -7,8 +7,8 @@ commonLabels:
 resources:
 - sync.yaml
-patchesStrategicMerge:
- - kubectl-patch.yaml
+patches:
+- path: kubectl-patch.yaml
 vars:
 - name: KUBE_SECRET
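Review bot: The `vars:` stanza left as context at the end of the hunk is deprecated by kustomize in favour of `replacements`, so this file still depends on a field slated for removal even after `bases`/`patchesStrategicMerge` are gone; `$(KUBE_SECRET)` in `sync.yaml` is wired through that mechanism. The `_cronjobs/_base/kustomization.yaml` hunk on this same line and the `vars:` blocks in the aws and azure kustomization hunks below carry the same dependency. If the migration is deliberately partial, say so where the next reader will look: `# TODO: vars is deprecated in kustomize; migrate KUBE_SECRET to replacements`.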
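Review bot: Enabling `resourceNames` on a rule whose verbs include `create` does not scope creation the way the comment implies: Kubernetes RBAC cannot match `create` requests against `resourceNames` (the object name is not an authorization attribute at creation time), so the first run that has to create `$(KUBE_SECRET)` — the ConfigMap patches state it "does not yet exist" — is expected to be refused, while `update`/`patch` are correctly limited to that one Secret. Either pre-create an empty Secret of that name in the base, or keep `create` in a separate unscoped rule, and record it on the line: `# resourceNames does not apply to create; the Secret must already exist or be created by a separate rule`. The Role header and its remaining rules are outside the hunk, so I cannot see whether another rule already covers creation.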
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/bind-irsa-patch.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/bind-irsa-patch.yaml
new file mode 100644
index 0000000000..c5d5c19cc3
--- /dev/null
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/bind-irsa-patch.yaml
@@ -0,0 +1,9 @@
+# Bind IRSA for the ServiceAccount
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: credentials-sync
+ namespace: flux-system
+ annotations:
+ eks.amazonaws.com/role-arn: # set the ARN for your role
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/config-map-patch.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/config-map-patch.yaml
new file mode 100644
index 0000000000..1c922716e6
--- /dev/null
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/config-map-patch.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: credentials-sync
+data:
+ ECR_REGION: us-east-1 # set the region
+ ECR_REGISTRY: .dkr.ecr..amazonaws.com # fill in the account id and region
+ KUBE_SECRET: ecr-credentials # does not yet exist -- will be created in the same Namespace
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/config-patches.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/config-patches.yaml
deleted file mode 100644
index 3c8492257a..0000000000
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/config-patches.yaml
+++ /dev/null
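Review bot: `eks.amazonaws.com/role-arn:` with no value on the last added line parses as YAML `null`, and in a strategic-merge patch a null field means "delete this key", so an unedited copy builds cleanly and produces a ServiceAccount with no IRSA annotation instead of failing — the job then runs with whatever credentials the pod can otherwise obtain (typically the node's instance role). A quoted, obviously invalid placeholder fails on the AWS side instead and is greppable: `eks.amazonaws.com/role-arn: "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>" # set the ARN for your role` (constructed placeholder). The identical file added as `aws/bind-irsa-patch.yaml` further down (same blob `c5d5c19cc3`) has the same gap.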
@@ -1,52 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: credentials-sync
-data:
- ECR_REGION: us-east-1 # set the region
- ECR_REGISTRY: .dkr.ecr..amazonaws.com # fill in the account id and region
- KUBE_SECRET: ecr-credentials # does not yet exist -- will be created in the same Namespace
-
-
# Bind IRSA for the ServiceAccount
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: credentials-sync
- namespace: flux-system
- annotations:
- eks.amazonaws.com/role-arn: # set the ARN for your role
-
-
# Set the reconcile period
----
-apiVersion: batch/v1beta1
-kind: CronJob
-metadata:
- name: credentials-sync
- namespace: flux-system
-spec:
- schedule: 0 */6 * * * # every 6hrs -- ECR tokens expire every 12 hours; refresh faster than that
-
-
## If not using IRSA, set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
## Store these values in a Secret and load them in the container using envFrom.
## For managing this secret via GitOps, consider using SOPS or SealedSecrets and add that manifest in a resource file for this kustomize build.
## https://fluxcd.io/docs/guides/mozilla-sops/
## https://fluxcd.io/docs/guides/sealed-secrets/
# ---
# apiVersion: apps/v1
# kind: Deployment
# metadata:
# name: credentials-sync
# namespace: flux-system
# spec:
# template:
# spec:
# containers:
# - name: sync
# envFrom:
# secretRef:
# name: $(ECR_SECRET_NAME) # uncomment the var for this in kustomization.yaml
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/credentials-injection-patch.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/credentials-injection-patch.yaml
new file mode 100644
index 0000000000..d6910ecbe9
--- /dev/null
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/credentials-injection-patch.yaml
@@ -0,0 +1,21 @@
+# If not using IRSA, set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
+# Store these values in a Secret and load them in the container using envFrom.
+# For managing this secret via GitOps, consider using SOPS or SealedSecrets and add that manifest in a resource file for this kustomize build.
+# https://fluxcd.io/docs/guides/mozilla-sops/
+# https://fluxcd.io/docs/guides/sealed-secrets/
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: credentials-sync
+ namespace: flux-system
+spec:
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: sync
+ envFrom:
+ - secretRef:
+ name: $(ECR_SECRET_NAME) # uncomment the var for this in kustomization.yaml
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/ecr-token-refresh-patch.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/ecr-token-refresh-patch.yaml
new file mode 100644
index 0000000000..f61998ab99
--- /dev/null
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/ecr-token-refresh-patch.yaml
@@ -0,0 +1,9 @@
+# Set the reconcile period
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: credentials-sync
+ namespace: flux-system
+spec:
+ schedule: 0 */6 * * * # every 6hrs -- ECR tokens expire every 12 hours; refresh faster than that
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/encrypted-secret.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/encrypted-secret.yaml
new file mode 100644
index 0000000000..2926ca347a
--- /dev/null
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/encrypted-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: credentials-sync
+data:
+ AWS_ACCESS_KEY_ID: Zm9vCg==
+ AWS_SECRET_ACCESS_KEY: YmFyCg==
+type: Opaque
\ No newline at end of file
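Review bot: The new CronJob patch pins `apiVersion: batch/v1beta1`, which Kubernetes removed in v1.25 (`batch/v1` has served CronJob since v1.21), so on current clusters the patched object cannot be applied. The same version is used in `ecr-token-refresh-patch.yaml` right after this hunk, in `_cronjobs/azure/token-refresh-and-identity-injection-patch.yaml` and in `_cronjobs/gcp/gcr-token-refresh-patch.yaml`. The base CronJob in `_cronjobs/_base/sync.yaml` is not in this diff; because `patches:` entries without a `target` are matched from the patch's own kind and name, the base and every patch should move together to `apiVersion: batch/v1`.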
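Review bot: `encrypted-secret.yaml` is not encrypted: it is a plain Secret whose `data` values are only base64 (`Zm9vCg==` and `YmFyCg==` decode to `foo` and `bar`, each with a trailing newline from an `echo` without `-n`, which would be copied into a real key). Committing a file of that name beside a kustomization whose comment says to create it via SOPS or SealedSecrets invites someone to fill in real keys in clear text. Prefer a `stringData:` template with labelled placeholders, e.g. `AWS_ACCESS_KEY_ID: "<AWS_ACCESS_KEY_ID>"`, a header comment stating the file must be replaced by SOPS/SealedSecrets output before it is referenced, and a trailing newline. The copy added as `aws/encrypted-secret.yaml` further down is byte-identical (same blob `2926ca347a`).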
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml
index 6e58e58bb4..23d642a460 100644
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml
@@ -7,19 +7,26 @@ commonLabels:
 namespace: flux-system
-bases:
+resources:
 - ../_base
-## If not using IRSA, consider creating the following file via SOPS or SealedSecrets
+# # If not using IRSA, consider creating the following file via SOPS or SealedSecrets
 # - encrypted-secret.yaml
-patchesStrategicMerge:
-- config-patches.yaml
-- reconcile-patch.yaml
+patches:
+- path: config-map-patch.yaml
+- path: reconcile-patch.yaml
+- path: ecr-token-refresh-patch.yaml
+# Comment out bind-irsa-patch.yaml if not using IRSA
+- path: bind-irsa-patch.yaml
+# # Uncomment if not using IRSA, please also check credentials-injection-patch.yaml
+# - path: credentials-injection-patch.yaml
-## uncomment if using encrypted-secret.yaml
+# # Uncomment if using encrypted-secret.yaml
 # vars:
 # - name: ECR_SECRET_NAME
 # objref:
 # kind: Secret
 # name: credentials-sync
 # apiVersion: v1
+# configurations:
+# - kustomizeconfig.yaml
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomizeconfig.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomizeconfig.yaml
new file mode 100644
index 0000000000..7a4fe799f9
--- /dev/null
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomizeconfig.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: spec/jobTemplate/spec/template/spec/containers/envFrom/secretRef
+ kind: CronJob
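Review bot: The `patches:` order differs between providers — here `config-map-patch`, `reconcile-patch`, `ecr-token-refresh-patch`, `bind-irsa-patch`; the azure kustomizations put `reconcile-patch` last; the gcp ones put `bind-irsa-patch` second — and since several of these files patch the same CronJob, a later entry silently overrides an earlier one (`reconcile-patch.yaml` is not in the diff, so I cannot tell whether it also sets `spec.schedule`). Putting `reconcile-patch.yaml` in the same position in every kustomization, or a one-line comment naming which file is meant to win, makes the precedence explicit. The new `# configurations:` lines are nested under the commented `# vars:` block with a `# #` prefix, and a reader enabling the non-IRSA path must uncomment `- encrypted-secret.yaml`, `credentials-injection-patch.yaml`, `vars` and `configurations` together, which the three separate comments never say in one place.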
diff --git a/manifests/integrations/registry-credentials-sync/azure/config-patches.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/azure-identity-patch.yaml
similarity index 62%
rename from manifests/integrations/registry-credentials-sync/azure/config-patches.yaml
rename to manifests/integrations/registry-credentials-sync/_cronjobs/azure/azure-identity-patch.yaml
index d386a497d2..6bc09216da 100644
--- a/manifests/integrations/registry-credentials-sync/azure/config-patches.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/azure-identity-patch.yaml
@@ -1,13 +1,3 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: credentials-sync
-data:
- ACR_NAME: my-registry
- KUBE_SECRET: acr-my-registry # does not yet exist -- will be created in the same Namespace
- SYNC_PERIOD: "3600" # ACR tokens expire every 3 hours; refresh faster than that
-
 # Create an identity in Azure and assign it a role to pull from ACR (note: the identity's resourceGroup should match the desired ACR):
 # az identity create -n acr-sync
 # az role assignment create --role AcrPull --assignee-object-id "$(az identity show -n acr-sync -o tsv --query principalId)"
@@ -24,16 +14,3 @@ spec:
 clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
 resourceID: /subscriptions/873c7e7f-76cd-4805-ae86-b923850b0000/resourcegroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/acr-sync
 type: 0 # user-managed identity
-
# Specify the pod-identity via the aadpodidbinding label
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: credentials-sync
- namespace: flux-system
-spec:
- template:
- metadata:
- labels:
- aadpodidbinding: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/config-map-patch.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/config-map-patch.yaml
new file mode 100644
index 0000000000..fe4a1a899b
--- /dev/null
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/config-map-patch.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: credentials-sync
+data:
+ ACR_NAME: my-registry
+ KUBE_SECRET: acr-my-registry # does not yet exist -- will be created in the same Namespace
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml
index 54c333a989..b1965c6965 100644
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml
@@ -7,14 +7,15 @@ commonLabels:
 namespace: flux-system
-bases:
-- ../_base
 resources:
+- ../_base
 - az-identity.yaml
-patchesStrategicMerge:
-- config-patches.yaml
-- reconcile-patch.yaml
+patches:
+- path: config-map-patch.yaml
+- path: azure-identity-patch.yaml
+- path: token-refresh-and-identity-injection-patch.yaml
+- path: reconcile-patch.yaml
 vars:
 - name: AZ_IDENTITY_NAME
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/token-refresh-and-identity-injection-patch.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/token-refresh-and-identity-injection-patch.yaml
new file mode 100644
index 0000000000..3124c6b208
--- /dev/null
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/token-refresh-and-identity-injection-patch.yaml
@@ -0,0 +1,15 @@
+# Set the reconcile period + specify the pod-identity via the aadpodidbinding label
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: credentials-sync
+ namespace: flux-system
+spec:
+ schedule: 0 * * * * # ACR tokens expire every 3 hours; refresh faster than that
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ labels:
+ aadpodidbinding: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
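Review bot: The `aadpodidbinding` label on the last line of the token-refresh patch selects AAD Pod Identity, which Microsoft has deprecated in favour of Azure AD Workload Identity (federated ServiceAccount tokens), so the CronJob variant is being re-plumbed onto an identity path that no longer receives updates. The commit only moves the label into its own patch, so this is pre-existing, but a comment on the line would stop it being copied further: `# aad-pod-identity is deprecated upstream; prefer Azure Workload Identity`. The same label is added in `azure/pod-identity-injection-patch.yaml` below, and `$(AZ_IDENTITY_NAME)` at the CronJob path `spec/jobTemplate/spec/template/metadata/labels` is only substituted if a `varReference` entry covers that path — the azure kustomizeconfig is not in this diff, so please confirm.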
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/bind-irsa-patch.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/bind-irsa-patch.yaml
new file mode 100644
index 0000000000..829f184d1b
--- /dev/null
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/bind-irsa-patch.yaml
@@ -0,0 +1,9 @@
+# Bind to the GCP service-account
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: credentials-sync
+ namespace: flux-system
+ annotations:
+ iam.gke.io/gcp-service-account: @.iam.gserviceaccount.com # set the GCP service-account
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/config-map-patch.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/config-map-patch.yaml
new file mode 100644
index 0000000000..2f8fe3ae1a
--- /dev/null
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/config-map-patch.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: credentials-sync
+data:
+ GCR_REGISTRY: gcr.io # set the registry
+ KUBE_SECRET: gcr-credentials # does not yet exist -- will be created in the same Namespace
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/config-patches.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/config-patches.yaml
deleted file mode 100644
index fdbb39d151..0000000000
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/config-patches.yaml
+++ /dev/null
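Review bot: `iam.gke.io/gcp-service-account: @.iam.gserviceaccount.com` on the last added line of the first hunk is not valid YAML — `@` is a reserved indicator and cannot start a plain scalar — so the file fails to parse (and `kustomize build` with it) before anyone fills in the placeholder, with an error that points at the YAML rather than at the missing value. Quote it with a labelled placeholder: `iam.gke.io/gcp-service-account: "<GSA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com" # set the GCP service-account` (constructed placeholder). The same line is added in `gcp/bind-irsa-patch.yaml` below, and both files are named after IRSA, the AWS mechanism; `bind-workload-identity-patch.yaml` would name the GKE feature they actually configure.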
@@ -1,28 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: credentials-sync
-data:
- GCR_REGISTRY: gcr.io # set the registry
- KUBE_SECRET: gcr-credentials # does not yet exist -- will be created in the same Namespace
-
# Bind to the GCP service-account
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: credentials-sync
- namespace: flux-system
- annotations:
- iam.gke.io/gcp-service-account: @.iam.gserviceaccount.com # set the GCP service-account
-
# Set the reconcile period
----
-apiVersion: batch/v1beta1
-kind: CronJob
-metadata:
- name: credentials-sync
- namespace: flux-system
-spec:
- schedule: 0,30 * * * * # 30m interval -- GCR tokens expire every hour; refresh faster than that
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/gcr-token-refresh-patch.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/gcr-token-refresh-patch.yaml
new file mode 100644
index 0000000000..f142cc328e
--- /dev/null
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/gcr-token-refresh-patch.yaml
@@ -0,0 +1,9 @@
+# Set the reconcile period
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: credentials-sync
+ namespace: flux-system
+spec:
+ schedule: 0,30 * * * * # 30m interval -- GCR tokens expire every hour; refresh faster than that
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/kustomization.yaml
index ea28e0b609..561dcbccce 100644
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/kustomization.yaml
@@ -7,9 +7,11 @@ commonLabels:
 namespace: flux-system
-bases:
+resources:
 - ../_base
-patchesStrategicMerge:
-- config-patches.yaml
-- reconcile-patch.yaml
+patches:
+- path: config-map-patch.yaml
+- path: bind-irsa-patch.yaml
+- path: gcr-token-refresh-patch.yaml
+- path: reconcile-patch.yaml
diff --git a/manifests/integrations/registry-credentials-sync/aws/bind-irsa-patch.yaml b/manifests/integrations/registry-credentials-sync/aws/bind-irsa-patch.yaml
new file mode 100644
index 0000000000..c5d5c19cc3
--- /dev/null
+++ b/manifests/integrations/registry-credentials-sync/aws/bind-irsa-patch.yaml
@@ -0,0 +1,9 @@
+# Bind IRSA for the ServiceAccount
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: credentials-sync
+ namespace: flux-system
+ annotations:
+ eks.amazonaws.com/role-arn: # set the ARN for your role
diff --git a/manifests/integrations/registry-credentials-sync/aws/config-map-patch.yaml b/manifests/integrations/registry-credentials-sync/aws/config-map-patch.yaml
new file mode 100644
index 0000000000..7d7e637750
--- /dev/null
+++ b/manifests/integrations/registry-credentials-sync/aws/config-map-patch.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: credentials-sync
+data:
+ ECR_REGION: us-east-1 # set the region
+ ECR_REGISTRY: .dkr.ecr..amazonaws.com # fill in the account id and region
+ KUBE_SECRET: ecr-credentials # does not yet exist -- will be created in the same Namespace
+ SYNC_PERIOD: "21600" # 6hrs -- ECR tokens expire every 12 hours; refresh faster than that
diff --git a/manifests/integrations/registry-credentials-sync/aws/config-patches.yaml b/manifests/integrations/registry-credentials-sync/aws/config-patches.yaml
deleted file mode 100644
index f57ccf7920..0000000000
--- a/manifests/integrations/registry-credentials-sync/aws/config-patches.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: credentials-sync
-data:
- ECR_REGION: us-east-1 # set the region
- ECR_REGISTRY: .dkr.ecr..amazonaws.com # fill in the account id and region
- KUBE_SECRET: ecr-credentials # does not yet exist -- will be created in the same Namespace
- SYNC_PERIOD: "21600" # 6hrs -- ECR tokens expire every 12 hours; refresh faster than that
-
-
# Bind IRSA for the ServiceAccount
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: credentials-sync
- namespace: flux-system
- annotations:
- eks.amazonaws.com/role-arn: # set the ARN for your role
-
-
## If not using IRSA, set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
## Store these values in a Secret and load them in the container using envFrom.
## For managing this secret via GitOps, consider using SOPS or SealedSecrets and add that manifest in a resource file for this kustomize build.
## https://fluxcd.io/flux/guides/mozilla-sops/
## https://fluxcd.io/flux/guides/sealed-secrets/
# ---
# apiVersion: apps/v1
# kind: Deployment
# metadata:
# name: credentials-sync
# namespace: flux-system
# spec:
# template:
# spec:
# containers:
# - name: sync
# envFrom:
# secretRef:
# name: $(ECR_SECRET_NAME) # uncomment the var for this in kustomization.yaml
diff --git a/manifests/integrations/registry-credentials-sync/aws/credentials-injection-patch.yaml b/manifests/integrations/registry-credentials-sync/aws/credentials-injection-patch.yaml
new file mode 100644
index 0000000000..f301fb4d47
--- /dev/null
+++ b/manifests/integrations/registry-credentials-sync/aws/credentials-injection-patch.yaml
@@ -0,0 +1,19 @@
+# If not using IRSA, set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
+# Store these values in a Secret and load them in the container using envFrom.
+# For managing this secret via GitOps, consider using SOPS or SealedSecrets and add that manifest in a resource file for this kustomize build.
+# https://fluxcd.io/flux/guides/mozilla-sops/
+# https://fluxcd.io/flux/guides/sealed-secrets/
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: credentials-sync
+ namespace: flux-system
+spec:
+ template:
+ spec:
+ containers:
+ - name: sync
+ envFrom:
+ - secretRef:
+ name: $(ECR_SECRET_NAME) # uncomment the var for this in kustomization.yaml
diff --git a/manifests/integrations/registry-credentials-sync/aws/encrypted-secret.yaml b/manifests/integrations/registry-credentials-sync/aws/encrypted-secret.yaml
new file mode 100644
index 0000000000..2926ca347a
--- /dev/null
+++ b/manifests/integrations/registry-credentials-sync/aws/encrypted-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: credentials-sync
+data:
+ AWS_ACCESS_KEY_ID: Zm9vCg==
+ AWS_SECRET_ACCESS_KEY: YmFyCg==
+type: Opaque
\ No newline at end of file
diff --git a/manifests/integrations/registry-credentials-sync/aws/kustomization.yaml b/manifests/integrations/registry-credentials-sync/aws/kustomization.yaml
index 6e58e58bb4..c56ff6854e 100644
--- a/manifests/integrations/registry-credentials-sync/aws/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/aws/kustomization.yaml
@@ -7,19 +7,25 @@ commonLabels:
 namespace: flux-system
-bases:
+resources:
 - ../_base
-## If not using IRSA, consider creating the following file via SOPS or SealedSecrets
+# # If not using IRSA, consider creating the following file via SOPS or SealedSecrets
 # - encrypted-secret.yaml
-patchesStrategicMerge:
-- config-patches.yaml
-- reconcile-patch.yaml
+patches:
+- path: config-map-patch.yaml
+- path: reconcile-patch.yaml
+# Comment out bind-irsa-patch.yaml if not using IRSA
+- path: bind-irsa-patch.yaml
+# # Uncomment if not using IRSA, please also check credentials-injection-patch.yaml
+# - path: credentials-injection-patch.yaml
-## uncomment if using encrypted-secret.yaml
+# # Uncomment if using encrypted-secret.yaml
 # vars:
 # - name: ECR_SECRET_NAME
 # objref:
 # kind: Secret
 # name: credentials-sync
 # apiVersion: v1
+# configurations:
+# - kustomizeconfig.yaml
diff --git a/manifests/integrations/registry-credentials-sync/aws/kustomizeconfig.yaml b/manifests/integrations/registry-credentials-sync/aws/kustomizeconfig.yaml
new file mode 100644
index 0000000000..ba359dc99f
--- /dev/null
+++ b/manifests/integrations/registry-credentials-sync/aws/kustomizeconfig.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: spec/template/spec/containers/envFrom/secretRef
+ kind: Deployment
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/config-patches.yaml b/manifests/integrations/registry-credentials-sync/azure/azure-identity-patch.yaml
similarity index 59%
rename from manifests/integrations/registry-credentials-sync/_cronjobs/azure/config-patches.yaml
rename to manifests/integrations/registry-credentials-sync/azure/azure-identity-patch.yaml
index a642886016..6bc09216da 100644
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/config-patches.yaml
+++ b/manifests/integrations/registry-credentials-sync/azure/azure-identity-patch.yaml
@@ -1,12 +1,3 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: credentials-sync
-data:
- ACR_NAME: my-registry
- KUBE_SECRET: acr-my-registry # does not yet exist -- will be created in the same Namespace
-
 # Create an identity in Azure and assign it a role to pull from ACR (note: the identity's resourceGroup should match the desired ACR):
 # az identity create -n acr-sync
 # az role assignment create --role AcrPull --assignee-object-id "$(az identity show -n acr-sync -o tsv --query principalId)"
@@ -23,19 +14,3 @@ spec:
 clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
 resourceID: /subscriptions/873c7e7f-76cd-4805-ae86-b923850b0000/resourcegroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/acr-sync
 type: 0 # user-managed identity
-
# Set the reconcile period + specify the pod-identity via the aadpodidbinding label
----
-apiVersion: batch/v1beta1
-kind: CronJob
-metadata:
- name: credentials-sync
- namespace: flux-system
-spec:
- schedule: 0 * * * * # ACR tokens expire every 3 hours; refresh faster than that
- jobTemplate:
- spec:
- template:
- metadata:
- labels:
- aadpodidbinding: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
diff --git a/manifests/integrations/registry-credentials-sync/azure/config-map-patch.yaml b/manifests/integrations/registry-credentials-sync/azure/config-map-patch.yaml
new file mode 100644
index 0000000000..a116add97b
--- /dev/null
+++ b/manifests/integrations/registry-credentials-sync/azure/config-map-patch.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: credentials-sync
+data:
+ ACR_NAME: my-registry
+ KUBE_SECRET: acr-my-registry # does not yet exist -- will be created in the same Namespace
+ SYNC_PERIOD: "3600" # ACR tokens expire every 3 hours; refresh faster than that
diff --git a/manifests/integrations/registry-credentials-sync/azure/kustomization.yaml b/manifests/integrations/registry-credentials-sync/azure/kustomization.yaml
index 54c333a989..fb3c11e18e 100644
--- a/manifests/integrations/registry-credentials-sync/azure/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/azure/kustomization.yaml
@@ -7,14 +7,15 @@ commonLabels:
 namespace: flux-system
-bases:
-- ../_base
 resources:
+- ../_base
 - az-identity.yaml
-patchesStrategicMerge:
-- config-patches.yaml
-- reconcile-patch.yaml
+patches:
+- path: config-map-patch.yaml
+- path: azure-identity-patch.yaml
+- path: pod-identity-injection-patch.yaml
+- path: reconcile-patch.yaml
 vars:
 - name: AZ_IDENTITY_NAME
diff --git a/manifests/integrations/registry-credentials-sync/azure/pod-identity-injection-patch.yaml b/manifests/integrations/registry-credentials-sync/azure/pod-identity-injection-patch.yaml
new file mode 100644
index 0000000000..4018feb1db
--- /dev/null
+++ b/manifests/integrations/registry-credentials-sync/azure/pod-identity-injection-patch.yaml
@@ -0,0 +1,12 @@
+# Specify the pod-identity via the aadpodidbinding label
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: credentials-sync
+ namespace: flux-system
+spec:
+ template:
+ metadata:
+ labels:
+ aadpodidbinding: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
diff --git a/manifests/integrations/registry-credentials-sync/gcp/bind-irsa-patch.yaml b/manifests/integrations/registry-credentials-sync/gcp/bind-irsa-patch.yaml
new file mode 100644
index 0000000000..829f184d1b
--- /dev/null
+++ b/manifests/integrations/registry-credentials-sync/gcp/bind-irsa-patch.yaml
@@ -0,0 +1,9 @@
+# Bind to the GCP service-account
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: credentials-sync
+ namespace: flux-system
+ annotations:
+ iam.gke.io/gcp-service-account: @.iam.gserviceaccount.com # set the GCP service-account
diff --git a/manifests/integrations/registry-credentials-sync/gcp/config-patches.yaml b/manifests/integrations/registry-credentials-sync/gcp/config-map-patch.yaml
similarity index 53%
rename from manifests/integrations/registry-credentials-sync/gcp/config-patches.yaml
rename to manifests/integrations/registry-credentials-sync/gcp/config-map-patch.yaml
index dda354ce1b..8bbefcf6b4 100644
--- a/manifests/integrations/registry-credentials-sync/gcp/config-patches.yaml
+++ b/manifests/integrations/registry-credentials-sync/gcp/config-map-patch.yaml
@@ -7,14 +7,3 @@ data:
 GCR_REGISTRY: gcr.io # set the registry
 KUBE_SECRET: gcr-credentials # does not yet exist -- will be created in the same Namespace
 SYNC_PERIOD: "1800" # 30m -- GCR tokens expire every hour; refresh faster than that
-
-
# Bind to the GCP service-account
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: credentials-sync
- namespace: flux-system
- annotations:
- iam.gke.io/gcp-service-account: @.iam.gserviceaccount.com # set the GCP service-account
diff --git a/manifests/integrations/registry-credentials-sync/gcp/kustomization.yaml b/manifests/integrations/registry-credentials-sync/gcp/kustomization.yaml
index ea28e0b609..975ab32360 100644
--- a/manifests/integrations/registry-credentials-sync/gcp/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/gcp/kustomization.yaml
@@ -7,9 +7,10 @@ commonLabels:
 namespace: flux-system
-bases:
+resources:
 - ../_base
-patchesStrategicMerge:
-- config-patches.yaml
-- reconcile-patch.yaml
+patches:
+- path: config-map-patch.yaml
+- path: bind-irsa-patch.yaml
+- path: reconcile-patch.yaml