From 2bb40d335bfd6eee4d7e2a7848b05d93f4abb28b Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Tue, 26 Jan 2021 12:57:00 +0200 Subject: [PATCH] Replace the default service account in docs Signed-off-by: Stefan Prodan --- docs/guides/installation.md | 3 --- docs/guides/mozilla-sops.md | 12 ++++++------ 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/docs/guides/installation.md b/docs/guides/installation.md index 58001f71..43023b9a 100644 --- a/docs/guides/installation.md +++ b/docs/guides/installation.md @@ -242,9 +242,7 @@ mkdir -p ./clusters/my-cluster/flux-system Generate the Flux manifests with: ```sh -# on ARM64/AARCH64 clusters use --arch=arm64 flux install --version=latest \ - --arch=amd64 \ --export > ./clusters/my-cluster/flux-system/gotk-components.yaml ``` @@ -388,7 +386,6 @@ Kubernetes manifests that can be used to install or upgrade Flux: ```hcl data "flux_install" "main" { target_path = "clusters/my-cluster" - arch = "amd64" network_policy = false version = "latest" } diff --git a/docs/guides/mozilla-sops.md b/docs/guides/mozilla-sops.md index cfd9a492..4ff88850 100644 --- a/docs/guides/mozilla-sops.md +++ b/docs/guides/mozilla-sops.md @@ -107,8 +107,9 @@ secrets by iterating over all the private keys until it finds one that works. ### Using various cloud providers When using AWS/GCP KMS, you don't have to include the gpg `secretRef` under -`spec.provider` (you can skip the `--decryption-secret` flag when running `flux create kustomization`), instead you'll have to bind an IAM Role with access to the KMS -keys to the `default` service account of the `flux-system` namespace for +`spec.provider` (you can skip the `--decryption-secret` flag when running `flux create kustomization`), +instead you'll have to bind an IAM Role with access to the KMS +keys to the `kustomize-controller` service account of the `flux-system` namespace for kustomize-controller to be able to fetch keys from KMS. #### AWS 
@@ -145,13 +146,12 @@ or with [add-pod-identity](https://github.com/Azure/aad-pod-identity). Please ensure that the GKE cluster has Workload Identity enabled. 1. Create a service account with the role `Cloud KMS CryptoKey Encrypter/Decrypter`. -2. Create an IAM policy binding between the GCP service account to the `default` service account of the `flux-system`. -3. Annotate the `default` service account in the `flux-system` with the GCP service account. +2. Create an IAM policy binding between the GCP service account to the `kustomize-controller` service account of the `flux-system`. +3. Annotate the `kustomize-controller` service account in the `flux-system` with the GCP service account. ```sh -kubectl annotate serviceaccount \ +kubectl annotate serviceaccount kustomize-controller \ --namespace flux-system \ - default \ iam.gke.io/gcp-service-account=@project-id.iam.gserviceaccount.com ```
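Review bot: The first `installation.md` hunk (and the `flux_install` HCL hunk that follows it) drop the `--arch=amd64` flag and the `# on ARM64/AARCH64 clusters use --arch=arm64` comment, which is unrelated to the service-account change the subject line "Replace the default service account in docs" describes; either mention the `arch` removal in the commit message or split it into its own commit so the history stays searchable.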
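Review bot: In the `mozilla-sops.md` hunk at `@@ -107,8 +107,9 @@`, moving the KMS IAM binding from the `default` service account to the `kustomize-controller` service account is the right least-privilege fix, since every pod in `flux-system` that does not set its own service account runs as `default` and would otherwise inherit KMS decrypt rights; the paragraph should say so, and should tell readers who followed the old text to remove the binding they made to `default` rather than leaving both in place.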
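Review bot: In the GKE hunk at `@@ -145,13 +146,12 @@`, the annotation value `iam.gke.io/gcp-service-account=@project-id.iam.gserviceaccount.com` begins with `@`, so the service-account name placeholder is missing and a reader copying the command gets an invalid email; restore a visible placeholder before the `@`. Step 2 also reads "binding between the GCP service account to the `kustomize-controller` service account of the `flux-system`": it should be "between ... and ..." and "of the `flux-system` namespace", and it would help to state that the Workload Identity member must now name `flux-system/kustomize-controller` instead of `flux-system/default`.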