How to automatically renew Azure eventhub

To use JWT to communicate with Azure eventhub we need to renew the JWT credentials from time to time. This example yaml helps out with that * Supports both deployment and cronjob based renewal * static service principal * aad-pod-identity in azure Signed-off-by: Edvin Norling <edvin.norling@xenit.se>
2026-02-07 03:05:56 +00:00 · 2021-05-05 13:40:37 +02:00
parent f880e93df4
commit 0404790df9
30 changed files with 871 additions and 0 deletions
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml
@@ -0,0 +1,27 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+commonLabels:
+  app: credentials-sync-eventhub
+
+resources:
+  - sync.yaml
+
+vars:
+  - name: KUBE_SECRET
+    objref:
+      kind: ConfigMap
+      name: credentials-sync-eventhub
+      apiVersion: v1
+    fieldref:
+      fieldpath: data.KUBE_SECRET
+  - name: ADDRESS
+    objref:
+      kind: ConfigMap
+      name: credentials-sync-eventhub
+      apiVersion: v1
+    fieldref:
+      fieldpath: data.ADDRESS
+
+configurations:
+  - kustomizeconfig.yaml
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomizeconfig.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomizeconfig.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: rules/resourceNames
+  kind: Role
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/sync.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/sync.yaml
@@ -0,0 +1,109 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: credentials-sync-eventhub
+data:
+  # Patch this ConfigMap with additional values needed for your cloud
+  KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
+  ADDRESS: "fluxv2" # the Azure Event Hub name
+
+---
+# This CronJob frequently fetches registry tokens and applies them as an imagePullSecret.
+# note: CronJob scheduling can block cluster bootstraps and cold-reboots from obtaining registry tokens for a considerable time.
+# To run the job immediately, do `kubectl create job --from=cronjob/credentials-sync-eventhub -n flux-system credentials-sync-eventhub-init`
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: credentials-sync-eventhub
+  namespace: flux-system
+spec:
+  suspend: false
+  schedule: 0 */6 * * *
+  failedJobsHistoryLimit: 1
+  successfulJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          serviceAccountName: credentials-sync-eventhub
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1001
+          restartPolicy: Never
+          containers:
+            - image: busybox # override this with a cloud-specific image
+              name: sync
+              envFrom:
+                - configMapRef:
+                    name: credentials-sync-eventhub
+              env:
+                - name: RECONCILE_SH # override this env var with a shell function in a kustomize patch
+                  value: |-
+                    reconcile() {
+                      echo reconciling...
+                    }
+              command:
+                - bash
+                - -ceu
+                - |-
+                  # template reconcile() into the script
+                  # env var is expanded by k8s before the pod starts
+                  $(RECONCILE_SH)
+
+                  apply-secret() {
+                    /kbin/kubectl create secret generic "${1}" \
+                      --from-literal=token="${2}" \
+                      --from-literal=address="${3}" \
+                      --dry-run=client -o=yaml \
+                      | grep -v "creationTimestamp:" \
+                      | /kbin/kubectl apply -f -
+                  }
+
+                  reconcile
+              resources: {}
+              volumeMounts:
+                - mountPath: /.azure
+                  name: cache-volume
+          volumes:
+            - emptyDir: {}
+              name: cache-volume
+
+# RBAC necessary for our Deployment to apply our secret that will store the JWT token
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: credentials-sync-eventhub
+  namespace: flux-system
+rules:
+  - apiGroups: [""]
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+      - update
+      - patch
+    # # Lock this down to the specific Secret name  (Optional)
+    #resourceNames:
+    #  - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: credentials-sync-eventhub
+  namespace: flux-system
+subjects:
+  - kind: ServiceAccount
+    name: credentials-sync-eventhub
+roleRef:
+  kind: Role
+  name: credentials-sync-eventhub
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: credentials-sync-eventhub
+  namespace: flux-system