mirror of https://github.com/fluxcd/flux2.git
Merge pull request #5347 from fluxcd/remove-manifests
Remove credentials sync manifestspull/5389/head
Matheus Pimenta
1 week ago
committed by
GitHub
commit
99e6791f4b
@ -1,14 +0,0 @@
|
||||
|
||||
bases := $(shell dirname $(shell find | grep kustomization.yaml | sort))
|
||||
|
||||
all: $(bases)
|
||||
|
||||
permutations := $(bases) $(addsuffix /,$(bases))
|
||||
.PHONY: $(permutations)
|
||||
$(permutations):
|
||||
@echo $@
|
||||
@warnings=$$(kustomize build $@ -o /dev/null 2>&1); \
|
||||
if [ "$$warnings" ]; then \
|
||||
echo "$$warnings"; \
|
||||
false; \
|
||||
fi
|
||||
@ -1,32 +0,0 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
initContainers:
|
||||
- image: ghcr.io/fluxcd/flux-cli:v0.17.2
|
||||
securityContext:
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
name: copy-kubectl
|
||||
# it's okay to do this because kubectl is a statically linked binary
|
||||
command:
|
||||
- sh
|
||||
- -ceu
|
||||
- cp $(which kubectl) /kbin/
|
||||
resources: {}
|
||||
volumeMounts:
|
||||
- name: kbin
|
||||
mountPath: /kbin
|
||||
containers:
|
||||
- name: sync
|
||||
volumeMounts:
|
||||
- name: kbin
|
||||
mountPath: /kbin
|
||||
volumes:
|
||||
- name: kbin
|
||||
emptyDir: {}
|
||||
@ -1,23 +0,0 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
commonLabels:
|
||||
app: credentials-sync-eventhub
|
||||
|
||||
resources:
|
||||
- sync.yaml
|
||||
|
||||
patchesStrategicMerge:
|
||||
- kubectl-patch.yaml
|
||||
|
||||
vars:
|
||||
- name: KUBE_SECRET
|
||||
objref:
|
||||
kind: ConfigMap
|
||||
name: credentials-sync-eventhub
|
||||
apiVersion: v1
|
||||
fieldref:
|
||||
fieldpath: data.KUBE_SECRET
|
||||
|
||||
configurations:
|
||||
- kustomizeconfig.yaml
|
||||
@ -1,3 +0,0 @@
|
||||
varReference:
|
||||
- path: rules/resourceNames
|
||||
kind: Role
|
||||
@ -1,133 +0,0 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
data:
|
||||
# Patch this ConfigMap with additional values needed for your cloud
|
||||
KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
|
||||
ADDRESS: "fluxv2" # the Azure Event Hub name
|
||||
SYNC_PERIOD: "3600" # tokens expire; refresh faster than that
|
||||
|
||||
---
|
||||
# This Deployment frequently fetches registry tokens and applies them as an imagePullSecret.
|
||||
# It's done as a 1-replica Deployment rather than a CronJob, because CronJob scheduling can
|
||||
# block cluster bootstraps and cold-reboots from obtaining registry tokens for a considerable time.
|
||||
# This deployment will immediately fetch a token, which reduces latency for working image updates.
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
spec:
|
||||
replicas: 1
|
||||
strategy:
|
||||
type: Recreate
|
||||
template:
|
||||
spec:
|
||||
serviceAccountName: credentials-sync-eventhub
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1001
|
||||
containers:
|
||||
- image: busybox # override this with a cloud-specific image
|
||||
name: sync
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: credentials-sync-eventhub
|
||||
env:
|
||||
- name: RECONCILE_SH # override this env var with a shell function in a kustomize patch
|
||||
value: |-
|
||||
reconcile() {
|
||||
echo reconciling...
|
||||
}
|
||||
command:
|
||||
- bash
|
||||
- -ceu
|
||||
- |-
|
||||
# template reconcile() into the script
|
||||
# env var is expanded by k8s before the pod starts
|
||||
$(RECONCILE_SH)
|
||||
|
||||
apply-secret() {
|
||||
/kbin/kubectl create secret generic "$1" \
|
||||
--from-literal=token="$2" \
|
||||
--from-literal=address="$3" \
|
||||
--dry-run=client -o=yaml \
|
||||
| grep -v "creationTimestamp:" \
|
||||
| /kbin/kubectl apply -f -
|
||||
}
|
||||
|
||||
pause_loop() {
|
||||
sleep "$SYNC_PERIOD" || true
|
||||
}
|
||||
|
||||
graceful_exit() {
|
||||
echo "Trapped signal -- $(date)"
|
||||
job_ids="$(
|
||||
jobs \
|
||||
| grep "pause_loop" \
|
||||
| cut -d] -f1 \
|
||||
| tr [ %
|
||||
)"
|
||||
# shellcheck disable=SC2086
|
||||
if [ "$job_ids" ]; then
|
||||
kill $job_ids
|
||||
fi
|
||||
wait
|
||||
echo "Graceful exit -- $(date)"
|
||||
}
|
||||
|
||||
trap graceful_exit INT TERM
|
||||
|
||||
echo "Loop started (period: $SYNC_PERIOD s) -- $(date)"
|
||||
while true; do
|
||||
reconcile & wait $!
|
||||
pause_loop & wait $!
|
||||
done
|
||||
resources: {}
|
||||
volumeMounts:
|
||||
- mountPath: /.azure
|
||||
name: cache-volume
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: cache-volume
|
||||
|
||||
# RBAC necessary for our Deployment to apply our secret that will store the JWT token
|
||||
---
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- create
|
||||
- update
|
||||
- patch
|
||||
# Lock this down to the specific Secret name (Optional)
|
||||
#resourceNames:
|
||||
# - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
|
||||
---
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: credentials-sync-eventhub
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: credentials-sync-eventhub
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
@ -1,30 +0,0 @@
|
||||
apiVersion: batch/v1beta1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
spec:
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
initContainers:
|
||||
- image: ghcr.io/fluxcd/flux-cli:v0.17.2
|
||||
name: copy-kubectl
|
||||
# it's okay to do this because kubectl is a statically linked binary
|
||||
command:
|
||||
- sh
|
||||
- -ceu
|
||||
- cp $(which kubectl) /kbin/
|
||||
resources: {}
|
||||
volumeMounts:
|
||||
- name: kbin
|
||||
mountPath: /kbin
|
||||
containers:
|
||||
- name: sync
|
||||
volumeMounts:
|
||||
- name: kbin
|
||||
mountPath: /kbin
|
||||
volumes:
|
||||
- name: kbin
|
||||
emptyDir: {}
|
||||
@ -1,23 +0,0 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
commonLabels:
|
||||
app: credentials-sync-eventhub
|
||||
|
||||
resources:
|
||||
- sync.yaml
|
||||
|
||||
patchesStrategicMerge:
|
||||
- kubectl-patch.yaml
|
||||
|
||||
vars:
|
||||
- name: KUBE_SECRET
|
||||
objref:
|
||||
kind: ConfigMap
|
||||
name: credentials-sync-eventhub
|
||||
apiVersion: v1
|
||||
fieldref:
|
||||
fieldpath: data.KUBE_SECRET
|
||||
|
||||
configurations:
|
||||
- kustomizeconfig.yaml
|
||||
@ -1,3 +0,0 @@
|
||||
varReference:
|
||||
- path: rules/resourceNames
|
||||
kind: Role
|
||||
@ -1,109 +0,0 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
data:
|
||||
# Patch this ConfigMap with additional values needed for your cloud
|
||||
KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
|
||||
ADDRESS: "fluxv2" # the Azure Event Hub name
|
||||
|
||||
---
|
||||
# This CronJob frequently fetches registry tokens and applies them as an imagePullSecret.
|
||||
# note: CronJob scheduling can block cluster bootstraps and cold-reboots from obtaining registry tokens for a considerable time.
|
||||
# To run the job immediately, do `kubectl create job --from=cronjob/credentials-sync-eventhub -n flux-system credentials-sync-eventhub-init`
|
||||
apiVersion: batch/v1beta1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
spec:
|
||||
suspend: false
|
||||
schedule: 0 */6 * * *
|
||||
failedJobsHistoryLimit: 1
|
||||
successfulJobsHistoryLimit: 1
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
serviceAccountName: credentials-sync-eventhub
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1001
|
||||
restartPolicy: Never
|
||||
containers:
|
||||
- image: busybox # override this with a cloud-specific image
|
||||
name: sync
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: credentials-sync-eventhub
|
||||
env:
|
||||
- name: RECONCILE_SH # override this env var with a shell function in a kustomize patch
|
||||
value: |-
|
||||
reconcile() {
|
||||
echo reconciling...
|
||||
}
|
||||
command:
|
||||
- bash
|
||||
- -ceu
|
||||
- |-
|
||||
# template reconcile() into the script
|
||||
# env var is expanded by k8s before the pod starts
|
||||
$(RECONCILE_SH)
|
||||
|
||||
apply-secret() {
|
||||
/kbin/kubectl create secret generic "$1" \
|
||||
--from-literal=token="$2" \
|
||||
--from-literal=address="$3" \
|
||||
--dry-run=client -o=yaml \
|
||||
| grep -v "creationTimestamp:" \
|
||||
| /kbin/kubectl apply -f -
|
||||
}
|
||||
|
||||
reconcile
|
||||
resources: {}
|
||||
volumeMounts:
|
||||
- mountPath: /.azure
|
||||
name: cache-volume
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: cache-volume
|
||||
|
||||
# RBAC necessary for our Deployment to apply our secret that will store the JWT token
|
||||
---
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- create
|
||||
- update
|
||||
- patch
|
||||
# Lock this down to the specific Secret name (Optional)
|
||||
resourceNames:
|
||||
- $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
|
||||
---
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: credentials-sync-eventhub
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: credentials-sync-eventhub
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
@ -1,16 +0,0 @@
|
||||
# This is a stub resource patched by config-patches.yaml, so that all config is visible in one file
|
||||
---
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
kind: AzureIdentity
|
||||
metadata:
|
||||
name: lab # if this is changed, also change in config-patches.yaml
|
||||
namespace: flux-system
|
||||
---
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
kind: AzureIdentityBinding
|
||||
metadata:
|
||||
name: lab
|
||||
namespace: flux-system
|
||||
spec:
|
||||
azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
@ -1,41 +0,0 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
data:
|
||||
KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
|
||||
ADDRESS: "fluxv2" # the Azure Event Hub name
|
||||
|
||||
# Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub):
|
||||
# az identity create -n eventhub-write
|
||||
# az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)"
|
||||
# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
|
||||
# az identity show -n eventhub-write -otsv --query clientId
|
||||
# az identity show -n eventhub-write -otsv --query resourceId
|
||||
---
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
kind: AzureIdentity
|
||||
metadata:
|
||||
name: lab
|
||||
namespace: flux-system
|
||||
spec:
|
||||
clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
|
||||
resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write
|
||||
type: 0
|
||||
|
||||
# Set the reconcile period + specify the pod-identity via the aadpodidbinding label
|
||||
---
|
||||
apiVersion: batch/v1beta1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
spec:
|
||||
schedule: 0 * * * * # JWT tokens expire every 24 hours; refresh faster than that
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
aadpodidbinding: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
@ -1,27 +0,0 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
namePrefix: jwt-
|
||||
commonLabels:
|
||||
app: jwt-eventhub-credentials-sync
|
||||
|
||||
namespace: flux-system
|
||||
|
||||
bases:
|
||||
- ../_base
|
||||
resources:
|
||||
- az-identity.yaml
|
||||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- reconcile-patch.yaml
|
||||
|
||||
vars:
|
||||
- name: AZ_IDENTITY_NAME
|
||||
objref:
|
||||
kind: AzureIdentity
|
||||
name: lab
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
|
||||
configurations:
|
||||
- kustomizeconfig.yaml
|
||||
@ -1,7 +0,0 @@
|
||||
varReference:
|
||||
- path: spec/jobTemplate/spec/template/metadata/labels
|
||||
kind: CronJob
|
||||
- path: spec/azureIdentity
|
||||
kind: AzureIdentityBinding
|
||||
- path: spec/selector
|
||||
kind: AzureIdentityBinding
|
||||
@ -1,27 +0,0 @@
|
||||
apiVersion: batch/v1beta1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
spec:
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: sync
|
||||
image: mcr.microsoft.com/azure-cli
|
||||
env:
|
||||
- name: RECONCILE_SH
|
||||
value: |-
|
||||
reconcile() {
|
||||
echo "Starting JWT token sync -- $(date)"
|
||||
echo "Logging into Azure"
|
||||
az login --identity
|
||||
echo "Getting JWT token"
|
||||
token=$(az account get-access-token --resource https://eventhubs.azure.net |jq -r .accessToken)
|
||||
echo "Creating secret: ${KUBE_SECRET}"
|
||||
apply-secret "${KUBE_SECRET}" ${token} "${ADDRESS}"
|
||||
echo "Finished JWT token sync -- $(date)"
|
||||
echo
|
||||
}
|
||||
@ -1,15 +0,0 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
data:
|
||||
KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
|
||||
ADDRESS: "fluxv2" # the Azure Event Hub name
|
||||
|
||||
# Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub):
|
||||
# az identity create -n eventhub-write
|
||||
# az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)"
|
||||
# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
|
||||
# az identity show -n eventhub-write -otsv --query clientId
|
||||
# az identity show -n eventhub-write -otsv --query resourceId
|
||||
@ -1,17 +0,0 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
namePrefix: jwt-
|
||||
commonLabels:
|
||||
app: jwt-eventhub-credentials-sync
|
||||
|
||||
namespace: flux-system
|
||||
|
||||
bases:
|
||||
- ../_base
|
||||
resources:
|
||||
- secret-azure-credentials.yaml
|
||||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- reconcile-patch.yaml
|
||||
@ -1,42 +0,0 @@
|
||||
apiVersion: batch/v1beta1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
spec:
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: sync
|
||||
image: mcr.microsoft.com/azure-cli
|
||||
env:
|
||||
- name: RECONCILE_SH
|
||||
value: |-
|
||||
reconcile() {
|
||||
echo "Starting JWT token sync -- $(date)"
|
||||
echo "Logging into Azure"
|
||||
az login --service-principal -u ${AZURE_CLIENT_ID} -p ${AZURE_CLIENT_SECRET} --tenant ${AZURE_TENANT_ID}
|
||||
echo "Getting JWT token"
|
||||
token=$(az account get-access-token --resource https://eventhubs.azure.net |jq -r .accessToken)
|
||||
echo "Creating secret: ${KUBE_SECRET}"
|
||||
apply-secret "${KUBE_SECRET}" ${token} "${ADDRESS}"
|
||||
echo "Finished JWT token sync -- $(date)"
|
||||
echo
|
||||
}
|
||||
- name: AZURE_CLIENT_ID
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: azure-credentials
|
||||
key: AZURE_CLIENT_ID
|
||||
- name: AZURE_CLIENT_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: azure-credentials
|
||||
key: AZURE_CLIENT_SECRET
|
||||
- name: AZURE_TENANT_ID
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: azure-credentials
|
||||
key: AZURE_TENANT_ID
|
||||
@ -1,14 +0,0 @@
|
||||
apiVersion: v1
|
||||
data:
|
||||
AZURE_CLIENT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA==
|
||||
AZURE_CLIENT_SECRET: c28tbXVjaC1zZWNyZXQ=
|
||||
AZURE_TENANT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA==
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: azure-credentials
|
||||
namespace: flux-system
|
||||
type: Opaque
|
||||
# This is just a example secret, you should never store secrets in git.
|
||||
# One way forward can be to use sealed-secrets or SOPS
|
||||
# https://fluxcd.io/flux/guides/sealed-secrets/
|
||||
# https://fluxcd.io/flux/guides/mozilla-sops/
|
||||
@ -1,16 +0,0 @@
|
||||
# This is a stub resource patched by config-patches.yaml, so that all config is visible in one file
|
||||
---
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
kind: AzureIdentity
|
||||
metadata:
|
||||
name: lab # if this is changed, also change in config-patches.yaml
|
||||
namespace: flux-system
|
||||
---
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
kind: AzureIdentityBinding
|
||||
metadata:
|
||||
name: lab # this can have a different name, but it's nice to keep them the same
|
||||
namespace: flux-system
|
||||
spec:
|
||||
azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
@ -1,39 +0,0 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
data:
|
||||
KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
|
||||
ADDRESS: "fluxv2" # the Azure Event Hub name
|
||||
SYNC_PERIOD: "3600" # tokens expire; refresh faster than that
|
||||
|
||||
# Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub):
|
||||
# az identity create -n eventhub-write
|
||||
# az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)"
|
||||
# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
|
||||
# az identity show -n eventhub-write -otsv --query clientId
|
||||
# az identity show -n eventhub-write -otsv --query resourceId
|
||||
---
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
kind: AzureIdentity
|
||||
metadata:
|
||||
name: lab
|
||||
namespace: flux-system
|
||||
spec:
|
||||
clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
|
||||
resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write
|
||||
type: 0
|
||||
|
||||
# Specify the pod-identity via the aadpodidbinding label
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
spec:
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
aadpodidbinding: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
@ -1,27 +0,0 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
namePrefix: jwt-
|
||||
commonLabels:
|
||||
app: jwt-eventhub-credentials-sync
|
||||
|
||||
namespace: flux-system
|
||||
|
||||
bases:
|
||||
- ../_base
|
||||
resources:
|
||||
- az-identity.yaml
|
||||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- reconcile-patch.yaml
|
||||
|
||||
vars:
|
||||
- name: AZ_IDENTITY_NAME
|
||||
objref:
|
||||
kind: AzureIdentity
|
||||
name: lab
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
|
||||
configurations:
|
||||
- kustomizeconfig.yaml
|
||||
@ -1,7 +0,0 @@
|
||||
varReference:
|
||||
- path: spec/template/metadata/labels
|
||||
kind: Deployment
|
||||
- path: spec/azureIdentity
|
||||
kind: AzureIdentityBinding
|
||||
- path: spec/selector
|
||||
kind: AzureIdentityBinding
|
||||
@ -1,26 +0,0 @@
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: sync
|
||||
image: mcr.microsoft.com/azure-cli
|
||||
env:
|
||||
- name: RECONCILE_SH
|
||||
value: |-
|
||||
reconcile() {
|
||||
echo "Starting JWT token sync -- $(date)"
|
||||
echo "Logging into Azure"
|
||||
az login --identity
|
||||
echo "Getting JWT token"
|
||||
token=$(az account get-access-token --resource https://eventhubs.azure.net |jq -r .accessToken)
|
||||
echo "Creating secret: ${KUBE_SECRET}"
|
||||
apply-secret "${KUBE_SECRET}" ${token} "${ADDRESS}"
|
||||
echo "Finished JWT token sync -- $(date)"
|
||||
echo
|
||||
}
|
||||
@ -1,17 +0,0 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
data:
|
||||
KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
|
||||
ADDRESS: "fluxv2" # the Azure Event Hub name
|
||||
SYNC_PERIOD: "3600" # tokens expire; refresh faster than that
|
||||
|
||||
# Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub):
|
||||
# az identity create -n eventhub-write
|
||||
# az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)"
|
||||
# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
|
||||
# az identity show -n eventhub-write -otsv --query clientId
|
||||
# az identity show -n eventhub-write -otsv --query resourceId
|
||||
# Specify the pod-identity via the aadpodidbinding label
|
||||
@ -1,17 +0,0 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
namePrefix: jwt-
|
||||
commonLabels:
|
||||
app: jwt-eventhub-credentials-sync
|
||||
|
||||
namespace: flux-system
|
||||
|
||||
bases:
|
||||
- ../_base
|
||||
resources:
|
||||
- secret-azure-credentials.yaml
|
||||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- reconcile-patch.yaml
|
||||
@ -1,41 +0,0 @@
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: sync
|
||||
image: mcr.microsoft.com/azure-cli
|
||||
env:
|
||||
- name: RECONCILE_SH
|
||||
value: |-
|
||||
reconcile() {
|
||||
echo "Starting JWT token sync -- $(date)"
|
||||
echo "Logging into Azure"
|
||||
az login --service-principal -u ${AZURE_CLIENT_ID} -p ${AZURE_CLIENT_SECRET} --tenant ${AZURE_TENANT_ID}
|
||||
echo "Getting JWT token"
|
||||
token=$(az account get-access-token --resource https://eventhubs.azure.net |jq -r .accessToken)
|
||||
echo "Creating secret: ${KUBE_SECRET}"
|
||||
apply-secret "${KUBE_SECRET}" ${token} "${ADDRESS}"
|
||||
echo "Finished JWT token sync -- $(date)"
|
||||
echo
|
||||
}
|
||||
- name: AZURE_CLIENT_ID
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: azure-credentials
|
||||
key: AZURE_CLIENT_ID
|
||||
- name: AZURE_CLIENT_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: azure-credentials
|
||||
key: AZURE_CLIENT_SECRET
|
||||
- name: AZURE_TENANT_ID
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: azure-credentials
|
||||
key: AZURE_TENANT_ID
|
||||
@ -1,14 +0,0 @@
|
||||
apiVersion: v1
|
||||
data:
|
||||
AZURE_CLIENT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA==
|
||||
AZURE_CLIENT_SECRET: c28tbXVjaC1zZWNyZXQ=
|
||||
AZURE_TENANT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA==
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: azure-credentials
|
||||
namespace: flux-system
|
||||
type: Opaque
|
||||
# This is just a example secret, you should never store secrets in git.
|
||||
# One way forward can be to use sealed-secrets or SOPS
|
||||
# https://fluxcd.io/docs/guides/sealed-secrets/
|
||||
# https://fluxcd.io/docs/guides/mozilla-sops/
|
||||
@ -1,28 +0,0 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
initContainers:
|
||||
- image: ghcr.io/fluxcd/flux-cli:v0.17.2
|
||||
name: copy-kubectl
|
||||
# it's okay to do this because kubectl is a statically linked binary
|
||||
command:
|
||||
- sh
|
||||
- -ceu
|
||||
- cp $(which kubectl) /kbin/
|
||||
resources: {}
|
||||
volumeMounts:
|
||||
- name: kbin
|
||||
mountPath: /kbin
|
||||
containers:
|
||||
- name: sync
|
||||
volumeMounts:
|
||||
- name: kbin
|
||||
mountPath: /kbin
|
||||
volumes:
|
||||
- name: kbin
|
||||
emptyDir: {}
|
||||
@ -1,23 +0,0 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
commonLabels:
|
||||
app: credentials-sync
|
||||
|
||||
resources:
|
||||
- sync.yaml
|
||||
|
||||
patchesStrategicMerge:
|
||||
- kubectl-patch.yaml
|
||||
|
||||
vars:
|
||||
- name: KUBE_SECRET
|
||||
objref:
|
||||
kind: ConfigMap
|
||||
name: credentials-sync
|
||||
apiVersion: v1
|
||||
fieldref:
|
||||
fieldpath: data.KUBE_SECRET
|
||||
|
||||
configurations:
|
||||
- kustomizeconfig.yaml
|
||||
@ -1,3 +0,0 @@
|
||||
varReference:
|
||||
- path: rules/resourceNames
|
||||
kind: Role
|
||||
@ -1,125 +0,0 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
data:
|
||||
# Patch this ConfigMap with additional values needed for your cloud
|
||||
KUBE_SECRET: my-registry-token # does not yet exist -- will be created in the same Namespace
|
||||
SYNC_PERIOD: "3600" # tokens expire; refresh faster than that
|
||||
|
||||
---
|
||||
# This Deployment frequently fetches registry tokens and applies them as an imagePullSecret.
|
||||
# It's done as a 1-replica Deployment rather than a CronJob, because CronJob scheduling can
|
||||
# block cluster bootstraps and cold-reboots from obtaining registry tokens for a considerable time.
|
||||
# This deployment will immediately fetch a token, which reduces latency for working image updates.
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
spec:
|
||||
replicas: 1
|
||||
strategy:
|
||||
type: Recreate
|
||||
template:
|
||||
spec:
|
||||
serviceAccountName: credentials-sync
|
||||
containers:
|
||||
- image: busybox # override this with a cloud-specific image
|
||||
name: sync
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: credentials-sync
|
||||
env:
|
||||
- name: RECONCILE_SH # override this env var with a shell function in a kustomize patch
|
||||
value: |-
|
||||
reconcile() {
|
||||
echo reconciling...
|
||||
}
|
||||
command:
|
||||
- bash
|
||||
- -ceu
|
||||
- |-
|
||||
# template reconcile() into the script
|
||||
# env var is expanded by k8s before the pod starts
|
||||
$(RECONCILE_SH)
|
||||
|
||||
apply-secret() {
|
||||
/kbin/kubectl create secret docker-registry "$1" \
|
||||
--docker-password="$2" \
|
||||
--docker-username="$3" \
|
||||
--docker-server="$4" \
|
||||
--dry-run=client -o=yaml \
|
||||
| grep -v "creationTimestamp:" \
|
||||
| /kbin/kubectl apply -f -
|
||||
}
|
||||
|
||||
pause_loop() {
|
||||
sleep "$SYNC_PERIOD" || true
|
||||
}
|
||||
|
||||
graceful_exit() {
|
||||
echo "Trapped signal -- $(date)"
|
||||
job_ids="$(
|
||||
jobs \
|
||||
| grep "pause_loop" \
|
||||
| cut -d] -f1 \
|
||||
| tr [ %
|
||||
)"
|
||||
# shellcheck disable=SC2086
|
||||
if [ "$job_ids" ]; then
|
||||
kill $job_ids
|
||||
fi
|
||||
wait
|
||||
echo "Graceful exit -- $(date)"
|
||||
}
|
||||
|
||||
trap graceful_exit INT TERM
|
||||
|
||||
echo "Loop started (period: $SYNC_PERIOD s) -- $(date)"
|
||||
while true; do
|
||||
reconcile & wait $!
|
||||
pause_loop & wait $!
|
||||
done
|
||||
resources: {}
|
||||
|
||||
|
||||
# RBAC necessary for our Deployment to apply our imagePullSecret
|
||||
---
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- create
|
||||
- update
|
||||
- patch
|
||||
# # Lock this down to the specific Secret name (Optional)
|
||||
#resourceNames:
|
||||
#- $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
|
||||
---
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: credentials-sync
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: credentials-sync
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
@ -1,30 +0,0 @@
|
||||
apiVersion: batch/v1beta1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
spec:
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
initContainers:
|
||||
- image: ghcr.io/fluxcd/flux-cli:v0.17.2
|
||||
name: copy-kubectl
|
||||
# it's okay to do this because kubectl is a statically linked binary
|
||||
command:
|
||||
- sh
|
||||
- -ceu
|
||||
- cp $(which kubectl) /kbin/
|
||||
resources: {}
|
||||
volumeMounts:
|
||||
- name: kbin
|
||||
mountPath: /kbin
|
||||
containers:
|
||||
- name: sync
|
||||
volumeMounts:
|
||||
- name: kbin
|
||||
mountPath: /kbin
|
||||
volumes:
|
||||
- name: kbin
|
||||
emptyDir: {}
|
||||
@ -1,23 +0,0 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
commonLabels:
|
||||
app: credentials-sync
|
||||
|
||||
resources:
|
||||
- sync.yaml
|
||||
|
||||
patchesStrategicMerge:
|
||||
- kubectl-patch.yaml
|
||||
|
||||
vars:
|
||||
- name: KUBE_SECRET
|
||||
objref:
|
||||
kind: ConfigMap
|
||||
name: credentials-sync
|
||||
apiVersion: v1
|
||||
fieldref:
|
||||
fieldpath: data.KUBE_SECRET
|
||||
|
||||
configurations:
|
||||
- kustomizeconfig.yaml
|
||||
@ -1,3 +0,0 @@
|
||||
varReference:
|
||||
- path: rules/resourceNames
|
||||
kind: Role
|
||||
@ -1,101 +0,0 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
data:
|
||||
# Patch this ConfigMap with additional values needed for your cloud
|
||||
KUBE_SECRET: my-registry-token # does not yet exist -- will be created in the same Namespace
|
||||
|
||||
---
|
||||
# This CronJob frequently fetches registry tokens and applies them as an imagePullSecret.
|
||||
# note: CronJob scheduling can block cluster bootstraps and cold-reboots from obtaining registry tokens for a considerable time.
|
||||
# To run the job immediately, do `kubectl create job --from=cronjob/credentials-sync -n flux-system credentials-sync-init`
|
||||
apiVersion: batch/v1beta1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
spec:
|
||||
suspend: false
|
||||
schedule: 0 */6 * * *
|
||||
failedJobsHistoryLimit: 1
|
||||
successfulJobsHistoryLimit: 1
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
serviceAccountName: credentials-sync
|
||||
restartPolicy: Never
|
||||
containers:
|
||||
- image: busybox # override this with a cloud-specific image
|
||||
name: sync
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: credentials-sync
|
||||
env:
|
||||
- name: RECONCILE_SH # override this env var with a shell function in a kustomize patch
|
||||
value: |-
|
||||
reconcile() {
|
||||
echo reconciling...
|
||||
}
|
||||
command:
|
||||
- bash
|
||||
- -ceu
|
||||
- |-
|
||||
# template reconcile() into the script
|
||||
# env var is expanded by k8s before the pod starts
|
||||
$(RECONCILE_SH)
|
||||
|
||||
apply-secret() {
|
||||
/kbin/kubectl create secret docker-registry "$1" \
|
||||
--docker-password="$2" \
|
||||
--docker-username="$3" \
|
||||
--docker-server="$4" \
|
||||
--dry-run=client -o=yaml \
|
||||
| grep -v "creationTimestamp:" \
|
||||
| /kbin/kubectl apply -f -
|
||||
}
|
||||
|
||||
reconcile
|
||||
resources: {}
|
||||
|
||||
|
||||
# RBAC necessary for our Deployment to apply our imagePullSecret
|
||||
---
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- create
|
||||
- update
|
||||
- patch
|
||||
# # Lock this down to the specific Secret name (Optional)
|
||||
resourceNames:
|
||||
- $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
|
||||
---
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: credentials-sync
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: credentials-sync
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
@ -1,52 +0,0 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
data:
|
||||
ECR_REGION: us-east-1 # set the region
|
||||
ECR_REGISTRY: <account id>.dkr.ecr.<region>.amazonaws.com # fill in the account id and region
|
||||
KUBE_SECRET: ecr-credentials # does not yet exist -- will be created in the same Namespace
|
||||
|
||||
|
||||
# Bind IRSA for the ServiceAccount
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
annotations:
|
||||
eks.amazonaws.com/role-arn: <role arn> # set the ARN for your role
|
||||
|
||||
|
||||
# Set the reconcile period
|
||||
---
|
||||
apiVersion: batch/v1beta1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
spec:
|
||||
schedule: 0 */6 * * * # every 6hrs -- ECR tokens expire every 12 hours; refresh faster than that
|
||||
|
||||
|
||||
## If not using IRSA, set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
|
||||
## Store these values in a Secret and load them in the container using envFrom.
|
||||
## For managing this secret via GitOps, consider using SOPS or SealedSecrets and add that manifest in a resource file for this kustomize build.
|
||||
## https://fluxcd.io/docs/guides/mozilla-sops/
|
||||
## https://fluxcd.io/docs/guides/sealed-secrets/
|
||||
# ---
|
||||
# apiVersion: apps/v1
|
||||
# kind: Deployment
|
||||
# metadata:
|
||||
# name: credentials-sync
|
||||
# namespace: flux-system
|
||||
# spec:
|
||||
# template:
|
||||
# spec:
|
||||
# containers:
|
||||
# - name: sync
|
||||
# envFrom:
|
||||
# secretRef:
|
||||
# name: $(ECR_SECRET_NAME) # uncomment the var for this in kustomization.yaml
|
||||
@ -1,25 +0,0 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
namePrefix: ecr-
|
||||
commonLabels:
|
||||
app: ecr-credentials-sync
|
||||
|
||||
namespace: flux-system
|
||||
|
||||
bases:
|
||||
- ../_base
|
||||
## If not using IRSA, consider creating the following file via SOPS or SealedSecrets
|
||||
# - encrypted-secret.yaml
|
||||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- reconcile-patch.yaml
|
||||
|
||||
## uncomment if using encrypted-secret.yaml
|
||||
# vars:
|
||||
# - name: ECR_SECRET_NAME
|
||||
# objref:
|
||||
# kind: Secret
|
||||
# name: credentials-sync
|
||||
# apiVersion: v1
|
||||
@ -1,29 +0,0 @@
|
||||
apiVersion: batch/v1beta1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
spec:
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: sync
|
||||
image: mcr.microsoft.com/azure-cli
|
||||
env:
|
||||
- name: RECONCILE_SH
|
||||
value: |-
|
||||
reconcile() {
|
||||
echo "Starting ECR token sync -- $(date)"
|
||||
echo "Logging into ECR: ${ECR_REGION} -- ${ECR_REGISTRY}"
|
||||
token="$(aws ecr get-login-password --region "${ECR_REGION}")"
|
||||
user="AWS"
|
||||
server="${ECR_REGISTRY}"
|
||||
|
||||
echo "Creating secret: ${KUBE_SECRET}"
|
||||
apply-secret "${KUBE_SECRET}" "${token}" "${user}" "${server}"
|
||||
|
||||
echo "Finished ECR token sync -- $(date)"
|
||||
echo
|
||||
}
|
||||
@ -1,16 +0,0 @@
|
||||
# This is a stub resource patched by config-patches.yaml, so that all config is visible in one file
|
||||
---
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
kind: AzureIdentity
|
||||
metadata:
|
||||
name: credentials-sync # if this is changed, also change in config-patches.yaml
|
||||
namespace: flux-system
|
||||
---
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
kind: AzureIdentityBinding
|
||||
metadata:
|
||||
name: credentials-sync # this can have a different name, but it's nice to keep them the same
|
||||
namespace: flux-system
|
||||
spec:
|
||||
azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
@ -1,41 +0,0 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
data:
|
||||
ACR_NAME: my-registry
|
||||
KUBE_SECRET: acr-my-registry # does not yet exist -- will be created in the same Namespace
|
||||
|
||||
# Create an identity in Azure and assign it a role to pull from ACR (note: the identity's resourceGroup should match the desired ACR):
|
||||
# az identity create -n acr-sync
|
||||
# az role assignment create --role AcrPull --assignee-object-id "$(az identity show -n acr-sync -o tsv --query principalId)"
|
||||
# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
|
||||
# az identity show -n acr-sync -otsv --query clientId
|
||||
# az identity show -n acr-sync -otsv --query resourceId
|
||||
---
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
kind: AzureIdentity
|
||||
metadata:
|
||||
name: credentials-sync # name must match the stub-resource in az-identity.yaml
|
||||
namespace: flux-system
|
||||
spec:
|
||||
clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
|
||||
resourceID: /subscriptions/873c7e7f-76cd-4805-ae86-b923850b0000/resourcegroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/acr-sync
|
||||
type: 0 # user-managed identity
|
||||
|
||||
# Set the reconcile period + specify the pod-identity via the aadpodidbinding label
|
||||
---
|
||||
apiVersion: batch/v1beta1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
spec:
|
||||
schedule: 0 * * * * # ACR tokens expire every 3 hours; refresh faster than that
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
aadpodidbinding: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
@ -1,27 +0,0 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
namePrefix: acr-
|
||||
commonLabels:
|
||||
app: acr-credentials-sync
|
||||
|
||||
namespace: flux-system
|
||||
|
||||
bases:
|
||||
- ../_base
|
||||
resources:
|
||||
- az-identity.yaml
|
||||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- reconcile-patch.yaml
|
||||
|
||||
vars:
|
||||
- name: AZ_IDENTITY_NAME
|
||||
objref:
|
||||
kind: AzureIdentity
|
||||
name: credentials-sync
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
|
||||
configurations:
|
||||
- kustomizeconfig.yaml
|
||||
@ -1,7 +0,0 @@
|
||||
varReference:
|
||||
- path: spec/jobTemplate/spec/template/metadata/labels
|
||||
kind: CronJob
|
||||
- path: spec/azureIdentity
|
||||
kind: AzureIdentityBinding
|
||||
- path: spec/selector
|
||||
kind: AzureIdentityBinding
|
||||
@ -1,30 +0,0 @@
|
||||
apiVersion: batch/v1beta1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
spec:
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: sync
|
||||
image: mcr.microsoft.com/azure-cli
|
||||
env:
|
||||
- name: RECONCILE_SH
|
||||
value: |-
|
||||
reconcile() {
|
||||
echo "Starting ACR token sync -- $(date)"
|
||||
echo "Logging into Azure"
|
||||
az login --identity
|
||||
echo "Logging into ACR: ${ACR_NAME}"
|
||||
output="$(az acr login --expose-token -o=tsv -n "${ACR_NAME}")"
|
||||
read token server <<< "${output}"
|
||||
user="00000000-0000-0000-0000-000000000000"
|
||||
|
||||
apply-secret "${KUBE_SECRET}" "${token}" "${user}" "${server}"
|
||||
|
||||
echo "Finished ACR token sync -- $(date)"
|
||||
echo
|
||||
}
|
||||
@ -1,28 +0,0 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
data:
|
||||
GCR_REGISTRY: gcr.io # set the registry
|
||||
KUBE_SECRET: gcr-credentials # does not yet exist -- will be created in the same Namespace
|
||||
|
||||
# Bind to the GCP service-account
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
annotations:
|
||||
iam.gke.io/gcp-service-account: <name>@<project-id>.iam.gserviceaccount.com # set the GCP service-account
|
||||
|
||||
# Set the reconcile period
|
||||
---
|
||||
apiVersion: batch/v1beta1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
spec:
|
||||
schedule: 0,30 * * * * # 30m interval -- GCR tokens expire every hour; refresh faster than that
|
||||
@ -1,15 +0,0 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
namePrefix: gcr-
|
||||
commonLabels:
|
||||
app: gcr-credentials-sync
|
||||
|
||||
namespace: flux-system
|
||||
|
||||
bases:
|
||||
- ../_base
|
||||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- reconcile-patch.yaml
|
||||
@ -1,29 +0,0 @@
|
||||
apiVersion: batch/v1beta1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
spec:
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: sync
|
||||
image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine
|
||||
env:
|
||||
- name: RECONCILE_SH
|
||||
value: |-
|
||||
reconcile() {
|
||||
echo "Starting GCR token sync -- $(date)"
|
||||
echo "Logging into ECR: ${ECR_REGION} -- ${ECR_REGISTRY}"
|
||||
token="$(gcloud auth print-access-token)"
|
||||
user="oauth2accesstoken "
|
||||
server="${GCR_REGISTRY}"
|
||||
|
||||
echo "Creating secret: ${KUBE_SECRET}"
|
||||
apply-secret "${KUBE_SECRET}" "${token}" "${user}" "${server}"
|
||||
|
||||
echo "Finished GCR token sync -- $(date)"
|
||||
echo
|
||||
}
|
||||
@ -1,42 +0,0 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
data:
|
||||
ECR_REGION: us-east-1 # set the region
|
||||
ECR_REGISTRY: <account id>.dkr.ecr.<region>.amazonaws.com # fill in the account id and region
|
||||
KUBE_SECRET: ecr-credentials # does not yet exist -- will be created in the same Namespace
|
||||
SYNC_PERIOD: "21600" # 6hrs -- ECR tokens expire every 12 hours; refresh faster than that
|
||||
|
||||
|
||||
# Bind IRSA for the ServiceAccount
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
annotations:
|
||||
eks.amazonaws.com/role-arn: <role arn> # set the ARN for your role
|
||||
|
||||
|
||||
## If not using IRSA, set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
|
||||
## Store these values in a Secret and load them in the container using envFrom.
|
||||
## For managing this secret via GitOps, consider using SOPS or SealedSecrets and add that manifest in a resource file for this kustomize build.
|
||||
## https://fluxcd.io/flux/guides/mozilla-sops/
|
||||
## https://fluxcd.io/flux/guides/sealed-secrets/
|
||||
# ---
|
||||
# apiVersion: apps/v1
|
||||
# kind: Deployment
|
||||
# metadata:
|
||||
# name: credentials-sync
|
||||
# namespace: flux-system
|
||||
# spec:
|
||||
# template:
|
||||
# spec:
|
||||
# containers:
|
||||
# - name: sync
|
||||
# envFrom:
|
||||
# secretRef:
|
||||
# name: $(ECR_SECRET_NAME) # uncomment the var for this in kustomization.yaml
|
||||
@ -1,25 +0,0 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
namePrefix: ecr-
|
||||
commonLabels:
|
||||
app: ecr-credentials-sync
|
||||
|
||||
namespace: flux-system
|
||||
|
||||
bases:
|
||||
- ../_base
|
||||
## If not using IRSA, consider creating the following file via SOPS or SealedSecrets
|
||||
# - encrypted-secret.yaml
|
||||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- reconcile-patch.yaml
|
||||
|
||||
## uncomment if using encrypted-secret.yaml
|
||||
# vars:
|
||||
# - name: ECR_SECRET_NAME
|
||||
# objref:
|
||||
# kind: Secret
|
||||
# name: credentials-sync
|
||||
# apiVersion: v1
|
||||
@ -1,28 +0,0 @@
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: sync
|
||||
image: aws/aws-cli
|
||||
env:
|
||||
- name: RECONCILE_SH
|
||||
value: |-
|
||||
reconcile() {
|
||||
echo "Starting ECR token sync -- $(date)"
|
||||
echo "Logging into ECR: ${ECR_REGION} -- ${ECR_REGISTRY}"
|
||||
token="$(aws ecr get-login-password --region "${ECR_REGION}")"
|
||||
user="AWS"
|
||||
server="${ECR_REGISTRY}"
|
||||
|
||||
echo "Creating secret: ${KUBE_SECRET}"
|
||||
apply-secret "${KUBE_SECRET}" "${token}" "${user}" "${server}"
|
||||
|
||||
echo "Finished ECR token sync -- $(date)"
|
||||
echo
|
||||
}
|
||||
@ -1,16 +0,0 @@
|
||||
# This is a stub resource patched by config-patches.yaml, so that all config is visible in one file
|
||||
---
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
kind: AzureIdentity
|
||||
metadata:
|
||||
name: credentials-sync # if this is changed, also change in config-patches.yaml
|
||||
namespace: flux-system
|
||||
---
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
kind: AzureIdentityBinding
|
||||
metadata:
|
||||
name: credentials-sync # this can have a different name, but it's nice to keep them the same
|
||||
namespace: flux-system
|
||||
spec:
|
||||
azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
@ -1,39 +0,0 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
data:
|
||||
ACR_NAME: my-registry
|
||||
KUBE_SECRET: acr-my-registry # does not yet exist -- will be created in the same Namespace
|
||||
SYNC_PERIOD: "3600" # ACR tokens expire every 3 hours; refresh faster than that
|
||||
|
||||
# Create an identity in Azure and assign it a role to pull from ACR (note: the identity's resourceGroup should match the desired ACR):
|
||||
# az identity create -n acr-sync
|
||||
# az role assignment create --role AcrPull --assignee-object-id "$(az identity show -n acr-sync -o tsv --query principalId)"
|
||||
# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
|
||||
# az identity show -n acr-sync -otsv --query clientId
|
||||
# az identity show -n acr-sync -otsv --query resourceId
|
||||
---
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
kind: AzureIdentity
|
||||
metadata:
|
||||
name: credentials-sync # name must match the stub-resource in az-identity.yaml
|
||||
namespace: flux-system
|
||||
spec:
|
||||
clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
|
||||
resourceID: /subscriptions/873c7e7f-76cd-4805-ae86-b923850b0000/resourcegroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/acr-sync
|
||||
type: 0 # user-managed identity
|
||||
|
||||
# Specify the pod-identity via the aadpodidbinding label
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
spec:
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
aadpodidbinding: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
@ -1,27 +0,0 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
namePrefix: acr-
|
||||
commonLabels:
|
||||
app: acr-credentials-sync
|
||||
|
||||
namespace: flux-system
|
||||
|
||||
bases:
|
||||
- ../_base
|
||||
resources:
|
||||
- az-identity.yaml
|
||||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- reconcile-patch.yaml
|
||||
|
||||
vars:
|
||||
- name: AZ_IDENTITY_NAME
|
||||
objref:
|
||||
kind: AzureIdentity
|
||||
name: credentials-sync
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
|
||||
configurations:
|
||||
- kustomizeconfig.yaml
|
||||
@ -1,7 +0,0 @@
|
||||
varReference:
|
||||
- path: spec/template/metadata/labels
|
||||
kind: Deployment
|
||||
- path: spec/azureIdentity
|
||||
kind: AzureIdentityBinding
|
||||
- path: spec/selector
|
||||
kind: AzureIdentityBinding
|
||||
@ -1,30 +0,0 @@
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: sync
|
||||
image: mcr.microsoft.com/azure-cli
|
||||
env:
|
||||
- name: RECONCILE_SH
|
||||
value: |-
|
||||
reconcile() {
|
||||
echo "Starting ACR token sync -- $(date)"
|
||||
echo "Logging into Azure"
|
||||
az login --identity
|
||||
echo "Logging into ACR: $ACR_NAME"
|
||||
output="$(az acr login --expose-token -o=tsv -n "$ACR_NAME")"
|
||||
read token server <<< "$output"
|
||||
user="00000000-0000-0000-0000-000000000000"
|
||||
|
||||
echo "Creating secret: $KUBE_SECRET"
|
||||
apply-secret "$KUBE_SECRET" "$token" "$user" "$server"
|
||||
|
||||
echo "Finished ACR token sync -- $(date)"
|
||||
echo
|
||||
}
|
||||
@ -1,20 +0,0 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
data:
|
||||
GCR_REGISTRY: gcr.io # set the registry
|
||||
KUBE_SECRET: gcr-credentials # does not yet exist -- will be created in the same Namespace
|
||||
SYNC_PERIOD: "1800" # 30m -- GCR tokens expire every hour; refresh faster than that
|
||||
|
||||
|
||||
# Bind to the GCP service-account
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
annotations:
|
||||
iam.gke.io/gcp-service-account: <name>@<project-id>.iam.gserviceaccount.com # set the GCP service-account
|
||||
@ -1,15 +0,0 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
namePrefix: gcr-
|
||||
commonLabels:
|
||||
app: gcr-credentials-sync
|
||||
|
||||
namespace: flux-system
|
||||
|
||||
bases:
|
||||
- ../_base
|
||||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- reconcile-patch.yaml
|
||||
@ -1,28 +0,0 @@
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: sync
|
||||
image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine
|
||||
env:
|
||||
- name: RECONCILE_SH
|
||||
value: |-
|
||||
reconcile() {
|
||||
echo "Starting GCR token sync -- $(date)"
|
||||
echo "Logging into ECR: ${ECR_REGION} -- ${ECR_REGISTRY}"
|
||||
token="$(gcloud auth print-access-token)"
|
||||
user="oauth2accesstoken "
|
||||
server="${GCR_REGISTRY}"
|
||||
|
||||
echo "Creating secret: ${KUBE_SECRET}"
|
||||
apply-secret "${KUBE_SECRET}" "${token}" "${user}" "${server}"
|
||||
|
||||
echo "Finished GCR token sync -- $(date)"
|
||||
echo
|
||||
}
|
||||
Loading…
Reference in New Issue