Add registry cred Deployments/CronJobs for aws/gcp/azure via kustomize

Signed-off-by: leigh capili <leigh@null.net>
2026-02-07 03:05:56 +00:00 · 2021-02-08 01:14:53 -07:00
parent afffdfbc5c
commit 99825f2663
32 changed files with 949 additions and 0 deletions
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/az-identity.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/az-identity.yaml
@@ -0,0 +1,7 @@
+# This is a stub resource patched by config-patches.yaml, so that all config is visible in one file
+---
+apiVersion: aadpodidentity.k8s.io/v1
+kind: AzureIdentity
+metadata:
+  name: credentials-sync  # if this is changed, also change in config-patches.yaml
+  namespace: flux-system
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/config-patches.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/config-patches.yaml
@@ -0,0 +1,41 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: credentials-sync
+data:
+  ACR_NAME: my-registry
+  KUBE_SECRET: acr-my-registry  # does not yet exist -- will be created in the same Namespace
+
+# Create an identity in Azure and assign it a role to pull from ACR  (note: the identity's resourceGroup should match the desired ACR):
+#     az identity create -n acr-sync
+#     az role assignment create --role AcrPull --assignee-object-id "$(az identity show -n acr-sync -o tsv --query principalId)"
+# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
+#     az identity show -n acr-sync -otsv --query clientId
+#     az identity show -n acr-sync -otsv --query resourceId
+---
+apiVersion: aadpodidentity.k8s.io/v1
+kind: AzureIdentity
+metadata:
+  name: credentials-sync  # name must match the stub-resource in az-identity.yaml
+  namespace: flux-system
+spec:
+  clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
+  resourceID: /subscriptions/873c7e7f-76cd-4805-ae86-b923850b0000/resourcegroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/acr-sync
+  type: 0  # user-managed identity
+
+# Set the reconcile period + specify the pod-identity via the aadpodidbinding label
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: credentials-sync
+  namespace: flux-system
+spec:
+  schedule: 0 * * * *  # ACR tokens expire every 3 hours; refresh faster than that
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            aadpodidbinding: $(AZ_IDENTITY_NAME)  # match the AzureIdentity name
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kubectl-patch.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kubectl-patch.yaml
@@ -0,0 +1,30 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: credentials-sync
+  namespace: flux-system
+spec:
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          initContainers:
+          - image: bitnami/kubectl
+            name: copy-kubectl
+            # it's okay to do this because kubectl is a statically linked binary
+            command:
+            - sh
+            - -ceu
+            - cp $(which kubectl) /kbin/
+            resources: {}
+            volumeMounts:
+            - name: kbin
+              mountPath: /kbin
+          containers:
+          - name: sync
+            volumeMounts:
+            - name: kbin
+              mountPath: /kbin
+          volumes:
+          - name: kbin
+            emptyDir: {}
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml
@@ -0,0 +1,28 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namePrefix: acr-
+commonLabels:
+  app: acr-credentials-sync
+
+namespace: flux-system
+
+bases:
+- ../_base
+resources:
+- az-identity.yaml
+
+patchesStrategicMerge:
+- config-patches.yaml
+- kubectl-patch.yaml
+- reconcile-patch.yaml
+
+vars:
+- name: AZ_IDENTITY_NAME
+  objref:
+    kind: AzureIdentity
+    name: credentials-sync
+    apiVersion: aadpodidentity.k8s.io/v1
+
+configurations:
+- kustomizeconfig.yaml
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: spec/jobTemplate/spec/template/metadata/labels
+  kind: Deployment
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/reconcile-patch.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/reconcile-patch.yaml
@@ -0,0 +1,37 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: credentials-sync
+  namespace: flux-system
+spec:
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: sync
+            image: mcr.microsoft.com/azure-cli
+            env:
+            - name: RECONCILE_SH
+              value: |-
+                reconcile() {
+                  echo "Starting ACR token sync -- $(date)"
+                  echo "Logging into Azure"
+                  az login --identity
+                  echo "Logging into ACR: ${ACR_NAME}"
+                  output="$(az acr login --expose-token -o=tsv -n "${ACR_NAME}")"
+                  read token server <<< "${output}"
+                  user="00000000-0000-0000-0000-000000000000"
+
+                  echo "Creating secret: ${KUBE_SECRET}"
+                  /kbin/kubectl create secret docker-registry "${KUBE_SECRET}" \
+                    --docker-server="${server}" \
+                    --docker-username="00000000-0000-0000-0000-000000000000" \
+                    --docker-password="${token}" \
+                    --dry-run=client -o=yaml \
+                    | grep -v "creationTimestamp:" \
+                    | /kbin/kubectl apply -f -
+
+                  echo "Finished ACR token sync -- $(date)"
+                  echo
+                }