Add registry cred Deployments/CronJobs for aws/gcp/azure via kustomize

Signed-off-by: leigh capili <leigh@null.net>
2026-02-07 03:05:56 +00:00 · 2021-02-08 01:14:53 -07:00
parent afffdfbc5c
commit 99825f2663
32 changed files with 949 additions and 0 deletions
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/config-patches.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/config-patches.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: credentials-sync
+data:
+  GCR_REGISTRY: gcr.io  # set the registry
+  KUBE_SECRET: gcr-credentials  # does not yet exist -- will be created in the same Namespace
+
+# Bind to the GCP service-account
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: credentials-sync
+  namespace: flux-system
+  annotations:
+    iam.gke.io/gcp-service-account: <name>@<project-id>.iam.gserviceaccount.com # set the GCP service-account
+
+# Set the reconcile period
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: credentials-sync
+  namespace: flux-system
+spec:
+  schedule: 0,30 * * * *  # 30m interval -- GCR tokens expire every hour; refresh faster than that
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namePrefix: gcr-
+commonLabels:
+  app: gcr-credentials-sync
+
+namespace: flux-system
+
+bases:
+- ../_base
+
+patchesStrategicMerge:
+- config-patches.yaml
+- reconcile-patch.yaml
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/reconcile-patch.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/reconcile-patch.yaml
@@ -0,0 +1,29 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: credentials-sync
+  namespace: flux-system
+spec:
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: sync
+            image: aws/aws-cli
+            env:
+            - name: RECONCILE_SH
+              value: |-
+                reconcile() {
+                  echo "Starting GCR token sync -- $(date)"
+                  echo "Logging into ECR: ${ECR_REGION} -- ${ECR_REGISTRY}"
+                  token="$(gcloud auth print-access-token)"
+                  user="oauth2accesstoken "
+                  server="${GCR_REGISTRY}"
+
+                  echo "Creating secret: ${KUBE_SECRET}"
+                  apply-secret "${KUBE_SECRET}" "${token}" "${user}" "${server}"
+
+                  echo "Finished GCR token sync -- $(date)"
+                  echo
+                }