Add registry cred Deployments/CronJobs for aws/gcp/azure via kustomize

Signed-off-by: leigh capili <leigh@null.net>

manifests/integrations/registry-credentials-sync/aws/config-patches.yaml

@@ -0,0 +1,42 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: credentials-sync
+data:
+  ECR_REGION: us-east-1  # set the region
+  ECR_REGISTRY: <account id>.dkr.ecr.<region>.amazonaws.com  # fill in the account id and region
+  KUBE_SECRET: ecr-credentials  # does not yet exist -- will be created in the same Namespace
+  SYNC_PERIOD: "21600"  # 6hrs -- ECR tokens expire every 12 hours; refresh faster than that
+
+
+# Bind IRSA for the ServiceAccount 
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: credentials-sync
+  namespace: flux-system
+  annotations:
+    eks.amazonaws.com/role-arn: <role arn>  # set the ARN for your role
+
+
+## If not using IRSA, set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
+## Store these values in a Secret and load them in the container using envFrom.
+## For managing this secret via GitOps, consider using SOPS or SealedSecrets and add that manifest in a resource file for this kustomize build.
+##   https://toolkit.fluxcd.io/guides/mozilla-sops/
+##   https://toolkit.fluxcd.io/guides/sealed-secrets/
+# ---
+# apiVersion: apps/v1
+# kind: Deployment
+# metadata:
+#   name: credentials-sync
+#   namespace: flux-system
+# spec:
+#   template:
+#     spec:
+#       containers:
+#       - name: sync
+#         envFrom:
+#           secretRef:
+#             name: $(ECR_SECRET_NAME)  # uncomment the var for this in kustomization.yaml

manifests/integrations/registry-credentials-sync/aws/kubectl-patch.yaml

@@ -0,0 +1,28 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: credentials-sync
+  namespace: flux-system
+spec:
+  template:
+    spec:
+      initContainers:
+      - image: bitnami/kubectl
+        name: copy-kubectl
+        # it's okay to do this because kubectl is a statically linked binary
+        command:
+        - sh
+        - -ceu
+        - cp $(which kubectl) /kbin/
+        resources: {}
+        volumeMounts:
+        - name: kbin
+          mountPath: /kbin
+      containers:
+      - name: sync
+        volumeMounts:
+        - name: kbin
+          mountPath: /kbin
+      volumes:
+      - name: kbin
+        emptyDir: {}

manifests/integrations/registry-credentials-sync/aws/kustomization.yaml

@@ -0,0 +1,26 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namePrefix: ecr-
+commonLabels:
+  app: ecr-credentials-sync
+
+namespace: flux-system
+
+bases:
+- ../_base
+## If not using IRSA, consider creating the following file via SOPS or SealedSecrets
+# - encrypted-secret.yaml
+
+patchesStrategicMerge:
+- config-patches.yaml
+- kubectl-patch.yaml
+- reconcile-patch.yaml
+
+## uncomment if using encrypted-secret.yaml
+# vars:
+# - name: ECR_SECRET_NAME
+#   objref:
+#     kind: Secret
+#     name: credentials-sync
+#     apiVersion: v1

manifests/integrations/registry-credentials-sync/aws/reconcile-patch.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: credentials-sync
+  namespace: flux-system
+spec:
+  template:
+    spec:
+      containers:
+      - name: sync
+        image: aws/aws-cli
+        env:
+        - name: RECONCILE_SH
+          value: |-
+            reconcile() {
+              echo "Starting ECR token sync -- $(date)"
+              echo "Logging into ECR: ${ECR_REGION} -- ${ECR_REGISTRY}"
+              token="$(aws ecr get-login-password --region "${ECR_REGION}")"
+              user="AWS"
+              server="${ECR_REGISTRY}"
+
+              echo "Creating secret: ${KUBE_SECRET}"
+              apply-secret "${KUBE_SECRET}" "${token}" "${user}" "${server}"
+
+              echo "Finished ECR token sync -- $(date)"
+              echo
+            }