How to automatically renew Azure eventhub

To use JWT to communicate with Azure eventhub we need to renew the JWT credentials from time to time. This example yaml helps out with that * Supports both deployment and cronjob based renewal * static service principal * aad-pod-identity in azure Signed-off-by: Edvin Norling <edvin.norling@xenit.se>
2026-02-06 19:05:55 +00:00 · 2021-05-05 13:40:37 +02:00
parent f880e93df4
commit 0404790df9
30 changed files with 871 additions and 0 deletions
--- a/manifests/integrations/eventhub-credentials-sync/generic/config-patches.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/generic/config-patches.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: credentials-sync-eventhub
+data:
+  KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
+  ADDRESS: "fluxv2" # the Azure Event Hub name
+  SYNC_PERIOD: "3600" # tokens expire; refresh faster than that
+
+# Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub):
+#     az identity create -n eventhub-write
+#     az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)"
+# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
+#     az identity show -n eventhub-write -otsv --query clientId
+#     az identity show -n eventhub-write -otsv --query resourceId
+# Specify the pod-identity via the aadpodidbinding label
--- a/manifests/integrations/eventhub-credentials-sync/generic/kubectl-patch.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/generic/kubectl-patch.yaml
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: credentials-sync-eventhub
+  namespace: flux-system
+spec:
+  template:
+    spec:
+      initContainers:
+        - image: bitnami/kubectl
+          securityContext:
+            privileged: false
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+          name: copy-kubectl
+          # it's okay to do this because kubectl is a statically linked binary
+          command:
+            - sh
+            - -ceu
+            - cp $(which kubectl) /kbin/
+          resources: {}
+          volumeMounts:
+            - name: kbin
+              mountPath: /kbin
+      containers:
+        - name: sync
+          volumeMounts:
+            - name: kbin
+              mountPath: /kbin
+      volumes:
+        - name: kbin
+          emptyDir: {}
--- a/manifests/integrations/eventhub-credentials-sync/generic/kustomization.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/generic/kustomization.yaml
@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namePrefix: jwt-
+commonLabels:
+  app: jwt-eventhub-credentials-sync
+
+namespace: flux-system
+
+bases:
+  - ../_base
+resources:
+  - secret-azure-credentials.yaml
+
+patchesStrategicMerge:
+  - config-patches.yaml
+  - kubectl-patch.yaml
+  - reconcile-patch.yaml
+
+configurations:
+  - kustomizeconfig.yaml
--- a/manifests/integrations/eventhub-credentials-sync/generic/kustomizeconfig.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/generic/kustomizeconfig.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: spec/template/metadata/labels
+  kind: Deployment
--- a/manifests/integrations/eventhub-credentials-sync/generic/reconcile-patch.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/generic/reconcile-patch.yaml
@@ -0,0 +1,41 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: credentials-sync-eventhub
+  namespace: flux-system
+spec:
+  template:
+    spec:
+      containers:
+        - name: sync
+          image: mcr.microsoft.com/azure-cli
+          env:
+            - name: RECONCILE_SH
+              value: |-
+                reconcile() {
+                  echo "Starting JWT token sync -- $(date)"
+                  echo "Logging into Azure"
+                  az login --service-principal -u ${AZURE_CLIENT_ID} -p ${AZURE_CLIENT_SECRET} --tenant ${AZURE_TENANT_ID}
+                  echo "Getting JWT token"
+                  token=$(az account get-access-token --resource https://eventhubs.azure.net |jq -r .accessToken)
+                  echo "Creating secret: ${KUBE_SECRET}"
+                  apply-secret "${KUBE_SECRET}" ${token} "${ADDRESS}"
+                  echo "Finished JWT token sync -- $(date)"
+                  echo
+                }
+            - name: AZURE_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: azure-credentials
+                  key: AZURE_CLIENT_ID
+            - name: AZURE_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: azure-credentials
+                  key: AZURE_CLIENT_SECRET
+            - name: AZURE_TENANT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: azure-credentials
+                  key: AZURE_TENANT_ID
--- a/manifests/integrations/eventhub-credentials-sync/generic/secret-azure-credentials.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/generic/secret-azure-credentials.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+data:
+  AZURE_CLIENT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA==
+  AZURE_CLIENT_SECRET: c28tbXVjaC1zZWNyZXQ=
+  AZURE_TENANT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA==
+kind: Secret
+metadata:
+  name: azure-credentials
+  namespace: flux-system
+type: Opaque
+# This is just a example secret, you should never store secrets in git.
+# One way forward can be to use sealed-secrets or SOPS
+# https://fluxcd.io/docs/guides/sealed-secrets/
+# https://fluxcd.io/docs/guides/mozilla-sops/