Mirrors/flux2
1
0
Fork 0
mirror of synced 2026-02-06 19:05:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

Replace the default service account in docs

Browse Source 
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
This commit is contained in:
Stefan Prodan
2021-01-26 12:57:00 +02:00
parent 1b581d6f51
commit 2bb40d335b
2 changed files with 6 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
docs/guides/installation.md
View File

@@ -242,9 +242,7 @@ mkdir -p ./clusters/my-cluster/flux-system
Generate the Flux manifests with:
```sh
# on ARM64/AARCH64 clusters use --arch=arm64
flux install --version=latest \
--arch=amd64 \
--export > ./clusters/my-cluster/flux-system/gotk-components.yaml
```
@@ -388,7 +386,6 @@ Kubernetes manifests that can be used to install or upgrade Flux:
```hcl
data "flux_install" "main" {
target_path = "clusters/my-cluster"
arch = "amd64"
network_policy = false
version = "latest"
}

12
docs/guides/mozilla-sops.md
View File

@@ -107,8 +107,9 @@ secrets by iterating over all the private keys until it finds one that works.
### Using various cloud providers
When using AWS/GCP KMS, you don't have to include the gpg `secretRef` under
`spec.provider` (you can skip the `--decryption-secret` flag when running `flux create kustomization`), instead you'll have to bind an IAM Role with access to the KMS
keys to the `default` service account of the `flux-system` namespace for
`spec.provider` (you can skip the `--decryption-secret` flag when running `flux create kustomization`),
instead you'll have to bind an IAM Role with access to the KMS
keys to the `kustomize-controller` service account of the `flux-system` namespace for
kustomize-controller to be able to fetch keys from KMS.
#### AWS
@@ -145,13 +146,12 @@ or with [add-pod-identity](https://github.com/Azure/aad-pod-identity).
Please ensure that the GKE cluster has Workload Identity enabled.
1. Create a service account with the role `Cloud KMS CryptoKey Encrypter/Decrypter`.
2. Create an IAM policy binding between the GCP service account to the `default` service account of the `flux-system`.
3. Annotate the `default` service account in the `flux-system` with the GCP service account.
2. Create an IAM policy binding between the GCP service account to the `kustomize-controller` service account of the `flux-system`.
3. Annotate the `kustomize-controller` service account in the `flux-system` with the GCP service account.
```sh
kubectl annotate serviceaccount \
kubectl annotate serviceaccount kustomize-controller \
--namespace flux-system \
default \
iam.gke.io/gcp-service-account=<name-of-serviceaccount>@project-id.iam.gserviceaccount.com
```