Mirrors/flux2
1
0
Fork 0
mirror of synced 2026-02-07 03:05:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add registry cred Deployments/CronJobs for aws/gcp/azure via kustomize

Browse Source 
Signed-off-by: leigh capili <leigh@null.net>
This commit is contained in:
leigh capili
2021-02-08 01:14:53 -07:00
parent afffdfbc5c
commit 99825f2663
32 changed files with 949 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
manifests/integrations/registry-credentials-sync/_cronjobs/aws/config-patches.yaml Normal file
View File

@@ -0,0 +1,52 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: credentials-sync
data:
ECR_REGION: us-east-1 # set the region
ECR_REGISTRY: <account id>.dkr.ecr.<region>.amazonaws.com # fill in the account id and region
KUBE_SECRET: ecr-credentials # does not yet exist -- will be created in the same Namespace
# Bind IRSA for the ServiceAccount
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: credentials-sync
namespace: flux-system
annotations:
eks.amazonaws.com/role-arn: <role arn> # set the ARN for your role
# Set the reconcile period
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: credentials-sync
namespace: flux-system
spec:
schedule: 0 */6 * * * # every 6hrs -- ECR tokens expire every 12 hours; refresh faster than that
## If not using IRSA, set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
## Store these values in a Secret and load them in the container using envFrom.
## For managing this secret via GitOps, consider using SOPS or SealedSecrets and add that manifest in a resource file for this kustomize build.
## https://toolkit.fluxcd.io/guides/mozilla-sops/
## https://toolkit.fluxcd.io/guides/sealed-secrets/
# ---
# apiVersion: apps/v1
# kind: Deployment
# metadata:
# name: credentials-sync
# namespace: flux-system
# spec:
# template:
# spec:
# containers:
# - name: sync
# envFrom:
# secretRef:
# name: $(ECR_SECRET_NAME) # uncomment the var for this in kustomization.yaml

30
manifests/integrations/registry-credentials-sync/_cronjobs/aws/kubectl-patch.yaml Normal file
View File

@@ -0,0 +1,30 @@
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: credentials-sync
namespace: flux-system
spec:
jobTemplate:
spec:
template:
spec:
initContainers:
- image: bitnami/kubectl
name: copy-kubectl
# it's okay to do this because kubectl is a statically linked binary
command:
- sh
- -ceu
- cp $(which kubectl) /kbin/
resources: {}
volumeMounts:
- name: kbin
mountPath: /kbin
containers:
- name: sync
volumeMounts:
- name: kbin
mountPath: /kbin
volumes:
- name: kbin
emptyDir: {}

26
manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namePrefix: ecr-
commonLabels:
app: ecr-credentials-sync
namespace: flux-system
bases:
- ../_base
## If not using IRSA, consider creating the following file via SOPS or SealedSecrets
# - encrypted-secret.yaml
patchesStrategicMerge:
- config-patches.yaml
- kubectl-patch.yaml
- reconcile-patch.yaml
## uncomment if using encrypted-secret.yaml
# vars:
# - name: ECR_SECRET_NAME
# objref:
# kind: Secret
# name: credentials-sync
# apiVersion: v1

29
manifests/integrations/registry-credentials-sync/_cronjobs/aws/reconcile-patch.yaml Normal file
View File

@@ -0,0 +1,29 @@
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: credentials-sync
namespace: flux-system
spec:
jobTemplate:
spec:
template:
spec:
containers:
- name: sync
image: mcr.microsoft.com/azure-cli
env:
- name: RECONCILE_SH
value: |-
reconcile() {
echo "Starting ECR token sync -- $(date)"
echo "Logging into ECR: ${ECR_REGION} -- ${ECR_REGISTRY}"
token="$(aws ecr get-login-password --region "${ECR_REGION}")"
user="AWS"
server="${ECR_REGISTRY}"
echo "Creating secret: ${KUBE_SECRET}"
apply-secret "${KUBE_SECRET}" "${token}" "${user}" "${server}"
echo "Finished ECR token sync -- $(date)"
echo
}