From 9cad95dda538d4751ac82725da66dc7a6b645fcf Mon Sep 17 00:00:00 2001 From: Matheus Pimenta Date: Wed, 14 May 2025 09:04:44 +0100 Subject: [PATCH] Remove credentials sync manifests 
Signed-off-by: Matheus Pimenta --- manifests/integrations/Makefile | 14 -- .../_base/kubectl-patch.yaml | 32 ----- .../_base/kustomization.yaml | 23 --- .../_base/kustomizeconfig.yaml | 3 - .../eventhub-credentials-sync/_base/sync.yaml | 133 ------------------ .../_cronjobs/_base/kubectl-patch.yaml | 30 ---- .../_cronjobs/_base/kustomization.yaml | 23 --- .../_cronjobs/_base/kustomizeconfig.yaml | 3 - .../_cronjobs/_base/sync.yaml | 109 -------------- .../_cronjobs/azure/az-identity.yaml | 16 --- .../_cronjobs/azure/config-patches.yaml | 41 ------ .../_cronjobs/azure/kustomization.yaml | 27 ---- .../_cronjobs/azure/kustomizeconfig.yaml | 7 - .../_cronjobs/azure/reconcile-patch.yaml | 27 ---- .../_cronjobs/generic/config-patches.yaml | 15 -- .../_cronjobs/generic/kustomization.yaml | 17 --- .../_cronjobs/generic/reconcile-patch.yaml | 42 ------ .../generic/secret-azure-credentials.yaml | 14 -- .../azure/az-identity.yaml | 16 --- .../azure/config-patches.yaml | 39 ----- .../azure/kustomization.yaml | 27 ---- .../azure/kustomizeconfig.yaml | 7 - .../azure/reconcile-patch.yaml | 26 ---- .../generic/config-patches.yaml | 17 --- .../generic/kustomization.yaml | 17 --- .../generic/reconcile-patch.yaml | 41 ------ .../generic/secret-azure-credentials.yaml | 14 -- .../_base/kubectl-patch.yaml | 28 ---- .../_base/kustomization.yaml | 23 --- .../_base/kustomizeconfig.yaml | 3 - .../registry-credentials-sync/_base/sync.yaml | 125 ---------------- .../_cronjobs/_base/kubectl-patch.yaml | 30 ---- .../_cronjobs/_base/kustomization.yaml | 23 --- .../_cronjobs/_base/kustomizeconfig.yaml | 3 - .../_cronjobs/_base/sync.yaml | 101 ------------- .../_cronjobs/aws/config-patches.yaml | 52 ------- .../_cronjobs/aws/kustomization.yaml | 25 ---- .../_cronjobs/aws/reconcile-patch.yaml | 29 ---- .../_cronjobs/azure/az-identity.yaml | 16 --- .../_cronjobs/azure/config-patches.yaml | 41 ------ .../_cronjobs/azure/kustomization.yaml | 27 ---- .../_cronjobs/azure/kustomizeconfig.yaml | 7 - 
.../_cronjobs/azure/reconcile-patch.yaml | 30 ---- .../_cronjobs/gcp/config-patches.yaml | 28 ---- .../_cronjobs/gcp/kustomization.yaml | 15 -- .../_cronjobs/gcp/reconcile-patch.yaml | 29 ---- .../aws/config-patches.yaml | 42 ------ .../aws/kustomization.yaml | 25 ---- .../aws/reconcile-patch.yaml | 28 ---- .../azure/az-identity.yaml | 16 --- .../azure/config-patches.yaml | 39 ----- .../azure/kustomization.yaml | 27 ---- .../azure/kustomizeconfig.yaml | 7 - .../azure/reconcile-patch.yaml | 30 ---- .../gcp/config-patches.yaml | 20 --- .../gcp/kustomization.yaml | 15 -- .../gcp/reconcile-patch.yaml | 28 ---- 57 files changed, 1692 deletions(-) delete mode 100644 manifests/integrations/Makefile delete mode 100644 manifests/integrations/eventhub-credentials-sync/_base/kubectl-patch.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_base/kustomizeconfig.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_base/sync.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kubectl-patch.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomizeconfig.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/sync.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/az-identity.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/config-patches.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomization.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/reconcile-patch.yaml delete 
mode 100644 manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/config-patches.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomization.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/reconcile-patch.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/secret-azure-credentials.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/azure/az-identity.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/azure/config-patches.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/azure/kustomization.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/azure/kustomizeconfig.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/azure/reconcile-patch.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/generic/config-patches.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/generic/kustomization.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/generic/reconcile-patch.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/generic/secret-azure-credentials.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_base/kubectl-patch.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_base/kustomization.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_base/kustomizeconfig.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_base/sync.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/_base/kubectl-patch.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomizeconfig.yaml delete mode 100644 
manifests/integrations/registry-credentials-sync/_cronjobs/_base/sync.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/aws/config-patches.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/aws/reconcile-patch.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/azure/az-identity.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/azure/config-patches.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/azure/reconcile-patch.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/gcp/config-patches.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/gcp/kustomization.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/gcp/reconcile-patch.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/aws/config-patches.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/aws/kustomization.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/aws/reconcile-patch.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/azure/az-identity.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/azure/config-patches.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/azure/kustomization.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/azure/kustomizeconfig.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/azure/reconcile-patch.yaml delete mode 100644 
manifests/integrations/registry-credentials-sync/gcp/config-patches.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/gcp/kustomization.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/gcp/reconcile-patch.yaml diff --git a/manifests/integrations/Makefile b/manifests/integrations/Makefile deleted file mode 100644 index ebe8d320..00000000 --- a/manifests/integrations/Makefile +++ /dev/null @@ -1,14 +0,0 @@ - -bases := $(shell dirname $(shell find | grep kustomization.yaml | sort)) - -all: $(bases) - -permutations := $(bases) $(addsuffix /,$(bases)) -.PHONY: $(permutations) -$(permutations): - @echo $@ - @warnings=$$(kustomize build $@ -o /dev/null 2>&1); \ - if [ "$$warnings" ]; then \ - echo "$$warnings"; \ - false; \ - fi diff --git a/manifests/integrations/eventhub-credentials-sync/_base/kubectl-patch.yaml b/manifests/integrations/eventhub-credentials-sync/_base/kubectl-patch.yaml deleted file mode 100644 index 552c16de..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_base/kubectl-patch.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: credentials-sync-eventhub - namespace: flux-system -spec: - template: - spec: - initContainers: - - image: ghcr.io/fluxcd/flux-cli:v0.17.2 - securityContext: - privileged: false - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - name: copy-kubectl - # it's okay to do this because kubectl is a statically linked binary - command: - - sh - - -ceu - - cp $(which kubectl) /kbin/ - resources: {} - volumeMounts: - - name: kbin - mountPath: /kbin - containers: - - name: sync - volumeMounts: - - name: kbin - mountPath: /kbin - volumes: - - name: kbin - emptyDir: {} diff --git a/manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml deleted file mode 100644 index c4a8a062..00000000 
--- a/manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -commonLabels: - app: credentials-sync-eventhub - -resources: - - sync.yaml - -patchesStrategicMerge: - - kubectl-patch.yaml - -vars: - - name: KUBE_SECRET - objref: - kind: ConfigMap - name: credentials-sync-eventhub - apiVersion: v1 - fieldref: - fieldpath: data.KUBE_SECRET - -configurations: - - kustomizeconfig.yaml diff --git a/manifests/integrations/eventhub-credentials-sync/_base/kustomizeconfig.yaml b/manifests/integrations/eventhub-credentials-sync/_base/kustomizeconfig.yaml deleted file mode 100644 index 61edffd4..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_base/kustomizeconfig.yaml +++ /dev/null @@ -1,3 +0,0 @@ -varReference: -- path: rules/resourceNames - kind: Role diff --git a/manifests/integrations/eventhub-credentials-sync/_base/sync.yaml b/manifests/integrations/eventhub-credentials-sync/_base/sync.yaml deleted file mode 100644 index 9e8ab4f5..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_base/sync.yaml +++ /dev/null 
@@ -1,133 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: credentials-sync-eventhub -data: - # Patch this ConfigMap with additional values needed for your cloud - KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace - ADDRESS: "fluxv2" # the Azure Event Hub name - SYNC_PERIOD: "3600" # tokens expire; refresh faster than that - ---- -# This Deployment frequently fetches registry tokens and applies them as an imagePullSecret. -# It's done as a 1-replica Deployment rather than a CronJob, because CronJob scheduling can -# block cluster bootstraps and cold-reboots from obtaining registry tokens for a considerable time. -# This deployment will immediately fetch a token, which reduces latency for working image updates. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: credentials-sync-eventhub - namespace: flux-system -spec: - replicas: 1 - strategy: - type: Recreate - template: - spec: - serviceAccountName: credentials-sync-eventhub - securityContext: - runAsNonRoot: true - runAsUser: 1001 - containers: - - image: busybox # override this with a cloud-specific image - name: sync - envFrom: - - configMapRef: - name: credentials-sync-eventhub - env: - - name: RECONCILE_SH # override this env var with a shell function in a kustomize patch - value: |- - reconcile() { - echo reconciling... 
- } - command: - - bash - - -ceu - - |- - # template reconcile() into the script - # env var is expanded by k8s before the pod starts - $(RECONCILE_SH) - - apply-secret() { - /kbin/kubectl create secret generic "$1" \ - --from-literal=token="$2" \ - --from-literal=address="$3" \ - --dry-run=client -o=yaml \ - | grep -v "creationTimestamp:" \ - | /kbin/kubectl apply -f - - } - - pause_loop() { - sleep "$SYNC_PERIOD" || true - } - - graceful_exit() { - echo "Trapped signal -- $(date)" - job_ids="$( - jobs \ - | grep "pause_loop" \ - | cut -d] -f1 \ - | tr [ % - )" - # shellcheck disable=SC2086 - if [ "$job_ids" ]; then - kill $job_ids - fi - wait - echo "Graceful exit -- $(date)" - } - - trap graceful_exit INT TERM - - echo "Loop started (period: $SYNC_PERIOD s) -- $(date)" - while true; do - reconcile & wait $! - pause_loop & wait $! - done - resources: {} - volumeMounts: - - mountPath: /.azure - name: cache-volume - volumes: - - emptyDir: {} - name: cache-volume - -# RBAC necessary for our Deployment to apply our secret that will store the JWT token ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: credentials-sync-eventhub - namespace: flux-system -rules: - - apiGroups: [""] - resources: - - secrets - verbs: - - get - - create - - update - - patch - # Lock this down to the specific Secret name (Optional) - #resourceNames: - # - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: credentials-sync-eventhub - namespace: flux-system -subjects: - - kind: ServiceAccount - name: credentials-sync-eventhub -roleRef: - kind: Role - name: credentials-sync-eventhub - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: credentials-sync-eventhub - namespace: flux-system 
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kubectl-patch.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kubectl-patch.yaml deleted file mode 100644 index e9d07a71..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kubectl-patch.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: credentials-sync-eventhub - namespace: flux-system -spec: - jobTemplate: - spec: - template: - spec: - initContainers: - - image: ghcr.io/fluxcd/flux-cli:v0.17.2 - name: copy-kubectl - # it's okay to do this because kubectl is a statically linked binary - command: - - sh - - -ceu - - cp $(which kubectl) /kbin/ - resources: {} - volumeMounts: - - name: kbin - mountPath: /kbin - containers: - - name: sync - volumeMounts: - - name: kbin - mountPath: /kbin - volumes: - - name: kbin - emptyDir: {} diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml deleted file mode 100644 index c4a8a062..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -commonLabels: - app: credentials-sync-eventhub - -resources: - - sync.yaml - -patchesStrategicMerge: - - kubectl-patch.yaml - -vars: - - name: KUBE_SECRET - objref: - kind: ConfigMap - name: credentials-sync-eventhub - apiVersion: v1 - fieldref: - fieldpath: data.KUBE_SECRET - -configurations: - - kustomizeconfig.yaml diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomizeconfig.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomizeconfig.yaml deleted file mode 100644 index 61edffd4..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomizeconfig.yaml +++ /dev/null 
@@ -1,3 +0,0 @@ -varReference: -- path: rules/resourceNames - kind: Role diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/sync.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/sync.yaml deleted file mode 100644 index f2525d96..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/sync.yaml +++ /dev/null 
@@ -1,109 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: credentials-sync-eventhub -data: - # Patch this ConfigMap with additional values needed for your cloud - KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace - ADDRESS: "fluxv2" # the Azure Event Hub name - ---- -# This CronJob frequently fetches registry tokens and applies them as an imagePullSecret. -# note: CronJob scheduling can block cluster bootstraps and cold-reboots from obtaining registry tokens for a considerable time. -# To run the job immediately, do `kubectl create job --from=cronjob/credentials-sync-eventhub -n flux-system credentials-sync-eventhub-init` -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: credentials-sync-eventhub - namespace: flux-system -spec: - suspend: false - schedule: 0 */6 * * * - failedJobsHistoryLimit: 1 - successfulJobsHistoryLimit: 1 - jobTemplate: - spec: - template: - spec: - serviceAccountName: credentials-sync-eventhub - securityContext: - runAsNonRoot: true - runAsUser: 1001 - restartPolicy: Never - containers: - - image: busybox # override this with a cloud-specific image - name: sync - envFrom: - - configMapRef: - name: credentials-sync-eventhub - env: - - name: RECONCILE_SH # override this env var with a shell function in a kustomize patch - value: |- - reconcile() { - echo reconciling... 
- } - command: - - bash - - -ceu - - |- - # template reconcile() into the script - # env var is expanded by k8s before the pod starts - $(RECONCILE_SH) - - apply-secret() { - /kbin/kubectl create secret generic "$1" \ - --from-literal=token="$2" \ - --from-literal=address="$3" \ - --dry-run=client -o=yaml \ - | grep -v "creationTimestamp:" \ - | /kbin/kubectl apply -f - - } - - reconcile - resources: {} - volumeMounts: - - mountPath: /.azure - name: cache-volume - volumes: - - emptyDir: {} - name: cache-volume - -# RBAC necessary for our Deployment to apply our secret that will store the JWT token ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: credentials-sync-eventhub - namespace: flux-system -rules: - - apiGroups: [""] - resources: - - secrets - verbs: - - get - - create - - update - - patch - # Lock this down to the specific Secret name (Optional) - resourceNames: - - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: credentials-sync-eventhub - namespace: flux-system -subjects: - - kind: ServiceAccount - name: credentials-sync-eventhub -roleRef: - kind: Role - name: credentials-sync-eventhub - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: credentials-sync-eventhub - namespace: flux-system diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/az-identity.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/az-identity.yaml deleted file mode 100644 index 38fa05ff..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/az-identity.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -# This is a stub resource patched by config-patches.yaml, so that all config is visible in one file ---- -apiVersion: aadpodidentity.k8s.io/v1 -kind: AzureIdentity -metadata: - name: lab # if this is changed, also change in config-patches.yaml - namespace: flux-system ---- -apiVersion: aadpodidentity.k8s.io/v1 -kind: AzureIdentityBinding -metadata: - name: lab - namespace: flux-system -spec: - azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name - selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/config-patches.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/config-patches.yaml deleted file mode 100644 index 8e8bc3a3..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/config-patches.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: credentials-sync-eventhub -data: - KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace - ADDRESS: "fluxv2" # the Azure Event Hub name - -# Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub): -# az identity create -n eventhub-write -# az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)" -# Fetch the clientID and resourceID to configure the AzureIdentity spec below: -# az identity show -n eventhub-write -otsv --query clientId -# az identity show -n eventhub-write -otsv --query resourceId ---- -apiVersion: aadpodidentity.k8s.io/v1 -kind: AzureIdentity -metadata: - name: lab - namespace: flux-system -spec: - clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000 - resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write - type: 0 - -# Set the reconcile period + specify the pod-identity via the aadpodidbinding label ---- -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: credentials-sync-eventhub - namespace: flux-system -spec: - schedule: 0 * * * * # JWT tokens expire every 24 hours; refresh faster than that - jobTemplate: - spec: - template: - metadata: - labels: - aadpodidbinding: $(AZ_IDENTITY_NAME) # match the AzureIdentity name diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomization.yaml deleted file mode 100644 index f5ca8d55..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomization.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -namePrefix: jwt- -commonLabels: - app: jwt-eventhub-credentials-sync - -namespace: flux-system - -bases: - - ../_base -resources: - - az-identity.yaml - -patchesStrategicMerge: - - config-patches.yaml - - reconcile-patch.yaml - -vars: - - name: AZ_IDENTITY_NAME - objref: - kind: AzureIdentity - name: lab - apiVersion: aadpodidentity.k8s.io/v1 - -configurations: - - kustomizeconfig.yaml diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml deleted file mode 100644 index 09c76747..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml +++ /dev/null @@ -1,7 +0,0 @@ -varReference: -- path: spec/jobTemplate/spec/template/metadata/labels - kind: CronJob -- path: spec/azureIdentity - kind: AzureIdentityBinding -- path: spec/selector - kind: AzureIdentityBinding diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/reconcile-patch.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/reconcile-patch.yaml deleted file mode 100644 index 1e96e536..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/reconcile-patch.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: credentials-sync-eventhub - namespace: flux-system -spec: - jobTemplate: - spec: - template: - spec: - containers: - - name: sync - image: mcr.microsoft.com/azure-cli - env: - - name: RECONCILE_SH - value: |- - reconcile() { - echo "Starting JWT token sync -- $(date)" - echo "Logging into Azure" - az login --identity - echo "Getting JWT token" - token=$(az account get-access-token --resource https://eventhubs.azure.net |jq -r .accessToken) - echo "Creating secret: ${KUBE_SECRET}" - apply-secret "${KUBE_SECRET}" ${token} "${ADDRESS}" - echo "Finished JWT token sync -- $(date)" - echo - } diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/config-patches.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/config-patches.yaml deleted file mode 100644 index 5eb1d262..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/config-patches.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: credentials-sync-eventhub -data: - KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace - ADDRESS: "fluxv2" # the Azure Event Hub name - -# Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub): -# az identity create -n eventhub-write -# az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)" -# Fetch the clientID and resourceID to configure the AzureIdentity spec below: -# az identity show -n eventhub-write -otsv --query clientId -# az identity show -n eventhub-write -otsv --query resourceId 
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomization.yaml deleted file mode 100644 index c67b113d..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomization.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -namePrefix: jwt- -commonLabels: - app: jwt-eventhub-credentials-sync - -namespace: flux-system - -bases: - - ../_base -resources: - - secret-azure-credentials.yaml - -patchesStrategicMerge: - - config-patches.yaml - - reconcile-patch.yaml diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/reconcile-patch.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/reconcile-patch.yaml deleted file mode 100644 index 67eebfc9..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/reconcile-patch.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: credentials-sync-eventhub - namespace: flux-system -spec: - jobTemplate: - spec: - template: - spec: - containers: - - name: sync - image: mcr.microsoft.com/azure-cli - env: - - name: RECONCILE_SH - value: |- - reconcile() { - echo "Starting JWT token sync -- $(date)" - echo "Logging into Azure" - az login --service-principal -u ${AZURE_CLIENT_ID} -p ${AZURE_CLIENT_SECRET} --tenant ${AZURE_TENANT_ID} - echo "Getting JWT token" - token=$(az account get-access-token --resource https://eventhubs.azure.net |jq -r .accessToken) - echo "Creating secret: ${KUBE_SECRET}" - apply-secret "${KUBE_SECRET}" ${token} "${ADDRESS}" - echo "Finished JWT token sync -- $(date)" - echo - } - - name: AZURE_CLIENT_ID - valueFrom: - secretKeyRef: - name: azure-credentials - key: AZURE_CLIENT_ID - - name: AZURE_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: azure-credentials - key: AZURE_CLIENT_SECRET - - name: AZURE_TENANT_ID - valueFrom: - secretKeyRef: - name: azure-credentials - key: AZURE_TENANT_ID diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/secret-azure-credentials.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/secret-azure-credentials.yaml deleted file mode 100644 index af2da5b3..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/secret-azure-credentials.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -data: - AZURE_CLIENT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA== - AZURE_CLIENT_SECRET: c28tbXVjaC1zZWNyZXQ= - AZURE_TENANT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA== -kind: Secret -metadata: - name: azure-credentials - namespace: flux-system -type: Opaque -# This is just a example secret, you should never store secrets in git. -# One way forward can be to use sealed-secrets or SOPS -# https://fluxcd.io/flux/guides/sealed-secrets/ -# https://fluxcd.io/flux/guides/mozilla-sops/ 
diff --git a/manifests/integrations/eventhub-credentials-sync/azure/az-identity.yaml b/manifests/integrations/eventhub-credentials-sync/azure/az-identity.yaml deleted file mode 100644 index 32d8b574..00000000 --- a/manifests/integrations/eventhub-credentials-sync/azure/az-identity.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# This is a stub resource patched by config-patches.yaml, so that all config is visible in one file ---- -apiVersion: aadpodidentity.k8s.io/v1 -kind: AzureIdentity -metadata: - name: lab # if this is changed, also change in config-patches.yaml - namespace: flux-system ---- -apiVersion: aadpodidentity.k8s.io/v1 -kind: AzureIdentityBinding -metadata: - name: lab # this can have a different name, but it's nice to keep them the same - namespace: flux-system -spec: - azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name - selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name diff --git a/manifests/integrations/eventhub-credentials-sync/azure/config-patches.yaml b/manifests/integrations/eventhub-credentials-sync/azure/config-patches.yaml deleted file mode 100644 index 3967cbb7..00000000 --- a/manifests/integrations/eventhub-credentials-sync/azure/config-patches.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: credentials-sync-eventhub -data: - KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace - ADDRESS: "fluxv2" # the Azure Event Hub name - SYNC_PERIOD: "3600" # tokens expire; refresh faster than that - -# Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub): -# az identity create -n eventhub-write -# az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)" -# Fetch the clientID and resourceID to configure the AzureIdentity spec below: -# az identity show -n eventhub-write -otsv --query clientId -# az identity show -n eventhub-write -otsv --query resourceId ---- -apiVersion: aadpodidentity.k8s.io/v1 -kind: AzureIdentity -metadata: - name: lab - namespace: flux-system -spec: - clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000 - resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write - type: 0 - -# Specify the pod-identity via the aadpodidbinding label ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: credentials-sync-eventhub - namespace: flux-system -spec: - template: - metadata: - labels: - aadpodidbinding: $(AZ_IDENTITY_NAME) # match the AzureIdentity name diff --git a/manifests/integrations/eventhub-credentials-sync/azure/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/azure/kustomization.yaml deleted file mode 100644 index f5ca8d55..00000000 --- a/manifests/integrations/eventhub-credentials-sync/azure/kustomization.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -namePrefix: jwt- -commonLabels: - app: jwt-eventhub-credentials-sync - -namespace: flux-system - -bases: - - ../_base -resources: - - az-identity.yaml - -patchesStrategicMerge: - - config-patches.yaml - - reconcile-patch.yaml - -vars: - - name: AZ_IDENTITY_NAME - objref: - kind: AzureIdentity - name: lab - apiVersion: aadpodidentity.k8s.io/v1 - -configurations: - - kustomizeconfig.yaml diff --git a/manifests/integrations/eventhub-credentials-sync/azure/kustomizeconfig.yaml b/manifests/integrations/eventhub-credentials-sync/azure/kustomizeconfig.yaml deleted file mode 100644 index da4d902d..00000000 --- a/manifests/integrations/eventhub-credentials-sync/azure/kustomizeconfig.yaml +++ /dev/null @@ -1,7 +0,0 @@ -varReference: -- path: spec/template/metadata/labels - kind: Deployment -- path: spec/azureIdentity - kind: AzureIdentityBinding -- path: spec/selector - kind: AzureIdentityBinding diff --git a/manifests/integrations/eventhub-credentials-sync/azure/reconcile-patch.yaml b/manifests/integrations/eventhub-credentials-sync/azure/reconcile-patch.yaml deleted file mode 100644 index 88d9086a..00000000 --- a/manifests/integrations/eventhub-credentials-sync/azure/reconcile-patch.yaml +++ /dev/null @@ -1,26 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: credentials-sync-eventhub - namespace: flux-system -spec: - template: - spec: - containers: - - name: sync - image: mcr.microsoft.com/azure-cli - env: - - name: RECONCILE_SH - value: |- - reconcile() { - echo "Starting JWT token sync -- $(date)" - echo "Logging into Azure" - az login --identity - echo "Getting JWT token" - token=$(az account get-access-token --resource https://eventhubs.azure.net |jq -r .accessToken) - echo "Creating secret: ${KUBE_SECRET}" - apply-secret "${KUBE_SECRET}" ${token} "${ADDRESS}" - echo "Finished JWT token sync -- $(date)" - echo - } 
diff --git a/manifests/integrations/eventhub-credentials-sync/generic/config-patches.yaml b/manifests/integrations/eventhub-credentials-sync/generic/config-patches.yaml deleted file mode 100644 index 9c1ca794..00000000 --- a/manifests/integrations/eventhub-credentials-sync/generic/config-patches.yaml +++ /dev/null @@ -1,17 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: credentials-sync-eventhub -data: - KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace - ADDRESS: "fluxv2" # the Azure Event Hub name - SYNC_PERIOD: "3600" # tokens expire; refresh faster than that - -# Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub): -# az identity create -n eventhub-write -# az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)" -# Fetch the clientID and resourceID to configure the AzureIdentity spec below: -# az identity show -n eventhub-write -otsv --query clientId -# az identity show -n eventhub-write -otsv --query resourceId -# Specify the pod-identity via the aadpodidbinding label diff --git a/manifests/integrations/eventhub-credentials-sync/generic/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/generic/kustomization.yaml deleted file mode 100644 index c67b113d..00000000 --- a/manifests/integrations/eventhub-credentials-sync/generic/kustomization.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -namePrefix: jwt- -commonLabels: - app: jwt-eventhub-credentials-sync - -namespace: flux-system - -bases: - - ../_base -resources: - - secret-azure-credentials.yaml - -patchesStrategicMerge: - - config-patches.yaml - - reconcile-patch.yaml 
diff --git a/manifests/integrations/eventhub-credentials-sync/generic/reconcile-patch.yaml b/manifests/integrations/eventhub-credentials-sync/generic/reconcile-patch.yaml deleted file mode 100644 index 89953444..00000000 --- a/manifests/integrations/eventhub-credentials-sync/generic/reconcile-patch.yaml +++ /dev/null @@ -1,41 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: credentials-sync-eventhub - namespace: flux-system -spec: - template: - spec: - containers: - - name: sync - image: mcr.microsoft.com/azure-cli - env: - - name: RECONCILE_SH - value: |- - reconcile() { - echo "Starting JWT token sync -- $(date)" - echo "Logging into Azure" - az login --service-principal -u ${AZURE_CLIENT_ID} -p ${AZURE_CLIENT_SECRET} --tenant ${AZURE_TENANT_ID} - echo "Getting JWT token" - token=$(az account get-access-token --resource https://eventhubs.azure.net |jq -r .accessToken) - echo "Creating secret: ${KUBE_SECRET}" - apply-secret "${KUBE_SECRET}" ${token} "${ADDRESS}" - echo "Finished JWT token sync -- $(date)" - echo - } - - name: AZURE_CLIENT_ID - valueFrom: - secretKeyRef: - name: azure-credentials - key: AZURE_CLIENT_ID - - name: AZURE_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: azure-credentials - key: AZURE_CLIENT_SECRET - - name: AZURE_TENANT_ID - valueFrom: - secretKeyRef: - name: azure-credentials - key: AZURE_TENANT_ID diff --git a/manifests/integrations/eventhub-credentials-sync/generic/secret-azure-credentials.yaml b/manifests/integrations/eventhub-credentials-sync/generic/secret-azure-credentials.yaml deleted file mode 100644 index 8a6d8a2c..00000000 --- a/manifests/integrations/eventhub-credentials-sync/generic/secret-azure-credentials.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -apiVersion: v1 -data: - AZURE_CLIENT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA== - AZURE_CLIENT_SECRET: c28tbXVjaC1zZWNyZXQ= - AZURE_TENANT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA== -kind: Secret -metadata: - name: azure-credentials - namespace: flux-system -type: Opaque -# This is just a example secret, you should never store secrets in git. -# One way forward can be to use sealed-secrets or SOPS -# https://fluxcd.io/docs/guides/sealed-secrets/ -# https://fluxcd.io/docs/guides/mozilla-sops/ diff --git a/manifests/integrations/registry-credentials-sync/_base/kubectl-patch.yaml b/manifests/integrations/registry-credentials-sync/_base/kubectl-patch.yaml deleted file mode 100644 index 501e940e..00000000 --- a/manifests/integrations/registry-credentials-sync/_base/kubectl-patch.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: credentials-sync - namespace: flux-system -spec: - template: - spec: - initContainers: - - image: ghcr.io/fluxcd/flux-cli:v0.17.2 - name: copy-kubectl - # it's okay to do this because kubectl is a statically linked binary - command: - - sh - - -ceu - - cp $(which kubectl) /kbin/ - resources: {} - volumeMounts: - - name: kbin - mountPath: /kbin - containers: - - name: sync - volumeMounts: - - name: kbin - mountPath: /kbin - volumes: - - name: kbin - emptyDir: {} diff --git a/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml deleted file mode 100644 index 2218f2b8..00000000 --- a/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -commonLabels: - app: credentials-sync - -resources: -- sync.yaml - -patchesStrategicMerge: - - kubectl-patch.yaml - -vars: -- name: KUBE_SECRET - objref: - kind: ConfigMap - name: credentials-sync - apiVersion: v1 - fieldref: - fieldpath: data.KUBE_SECRET - -configurations: -- kustomizeconfig.yaml diff --git a/manifests/integrations/registry-credentials-sync/_base/kustomizeconfig.yaml b/manifests/integrations/registry-credentials-sync/_base/kustomizeconfig.yaml deleted file mode 100644 index 61edffd4..00000000 --- a/manifests/integrations/registry-credentials-sync/_base/kustomizeconfig.yaml +++ /dev/null @@ -1,3 +0,0 @@ -varReference: -- path: rules/resourceNames - kind: Role diff --git a/manifests/integrations/registry-credentials-sync/_base/sync.yaml b/manifests/integrations/registry-credentials-sync/_base/sync.yaml deleted file mode 100644 index 913b94e2..00000000 --- a/manifests/integrations/registry-credentials-sync/_base/sync.yaml +++ /dev/null 
@@ -1,125 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: credentials-sync -data: - # Patch this ConfigMap with additional values needed for your cloud - KUBE_SECRET: my-registry-token # does not yet exist -- will be created in the same Namespace - SYNC_PERIOD: "3600" # tokens expire; refresh faster than that - ---- -# This Deployment frequently fetches registry tokens and applies them as an imagePullSecret. -# It's done as a 1-replica Deployment rather than a CronJob, because CronJob scheduling can -# block cluster bootstraps and cold-reboots from obtaining registry tokens for a considerable time. -# This deployment will immediately fetch a token, which reduces latency for working image updates. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: credentials-sync - namespace: flux-system -spec: - replicas: 1 - strategy: - type: Recreate - template: - spec: - serviceAccountName: credentials-sync - containers: - - image: busybox # override this with a cloud-specific image - name: sync - envFrom: - - configMapRef: - name: credentials-sync - env: - - name: RECONCILE_SH # override this env var with a shell function in a kustomize patch - value: |- - reconcile() { - echo reconciling... 
- } - command: - - bash - - -ceu - - |- - # template reconcile() into the script - # env var is expanded by k8s before the pod starts - $(RECONCILE_SH) - - apply-secret() { - /kbin/kubectl create secret docker-registry "$1" \ - --docker-password="$2" \ - --docker-username="$3" \ - --docker-server="$4" \ - --dry-run=client -o=yaml \ - | grep -v "creationTimestamp:" \ - | /kbin/kubectl apply -f - - } - - pause_loop() { - sleep "$SYNC_PERIOD" || true - } - - graceful_exit() { - echo "Trapped signal -- $(date)" - job_ids="$( - jobs \ - | grep "pause_loop" \ - | cut -d] -f1 \ - | tr [ % - )" - # shellcheck disable=SC2086 - if [ "$job_ids" ]; then - kill $job_ids - fi - wait - echo "Graceful exit -- $(date)" - } - - trap graceful_exit INT TERM - - echo "Loop started (period: $SYNC_PERIOD s) -- $(date)" - while true; do - reconcile & wait $! - pause_loop & wait $! - done - resources: {} - - -# RBAC necessary for our Deployment to apply our imagePullSecret ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: credentials-sync - namespace: flux-system -rules: -- apiGroups: [""] - resources: - - secrets - verbs: - - get - - create - - update - - patch - # # Lock this down to the specific Secret name (Optional) - #resourceNames: - #- $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: credentials-sync - namespace: flux-system -subjects: -- kind: ServiceAccount - name: credentials-sync -roleRef: - kind: Role - name: credentials-sync - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: credentials-sync - namespace: flux-system diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kubectl-patch.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kubectl-patch.yaml deleted file mode 100644 index ad4e6404..00000000 
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kubectl-patch.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: credentials-sync - namespace: flux-system -spec: - jobTemplate: - spec: - template: - spec: - initContainers: - - image: ghcr.io/fluxcd/flux-cli:v0.17.2 - name: copy-kubectl - # it's okay to do this because kubectl is a statically linked binary - command: - - sh - - -ceu - - cp $(which kubectl) /kbin/ - resources: {} - volumeMounts: - - name: kbin - mountPath: /kbin - containers: - - name: sync - volumeMounts: - - name: kbin - mountPath: /kbin - volumes: - - name: kbin - emptyDir: {} diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml deleted file mode 100644 index 2218f2b8..00000000 --- a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -commonLabels: - app: credentials-sync - -resources: -- sync.yaml - -patchesStrategicMerge: - - kubectl-patch.yaml - -vars: -- name: KUBE_SECRET - objref: - kind: ConfigMap - name: credentials-sync - apiVersion: v1 - fieldref: - fieldpath: data.KUBE_SECRET - -configurations: -- kustomizeconfig.yaml diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomizeconfig.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomizeconfig.yaml deleted file mode 100644 index 61edffd4..00000000 --- a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomizeconfig.yaml +++ /dev/null @@ -1,3 +0,0 @@ -varReference: -- path: rules/resourceNames - kind: Role 
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/sync.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/_base/sync.yaml deleted file mode 100644 index fc00a3c6..00000000 --- a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/sync.yaml +++ /dev/null 
@@ -1,101 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: credentials-sync -data: - # Patch this ConfigMap with additional values needed for your cloud - KUBE_SECRET: my-registry-token # does not yet exist -- will be created in the same Namespace - ---- -# This CronJob frequently fetches registry tokens and applies them as an imagePullSecret. -# note: CronJob scheduling can block cluster bootstraps and cold-reboots from obtaining registry tokens for a considerable time. -# To run the job immediately, do `kubectl create job --from=cronjob/credentials-sync -n flux-system credentials-sync-init` -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: credentials-sync - namespace: flux-system -spec: - suspend: false - schedule: 0 */6 * * * - failedJobsHistoryLimit: 1 - successfulJobsHistoryLimit: 1 - jobTemplate: - spec: - template: - spec: - serviceAccountName: credentials-sync - restartPolicy: Never - containers: - - image: busybox # override this with a cloud-specific image - name: sync - envFrom: - - configMapRef: - name: credentials-sync - env: - - name: RECONCILE_SH # override this env var with a shell function in a kustomize patch - value: |- - reconcile() { - echo reconciling... 
- } - command: - - bash - - -ceu - - |- - # template reconcile() into the script - # env var is expanded by k8s before the pod starts - $(RECONCILE_SH) - - apply-secret() { - /kbin/kubectl create secret docker-registry "$1" \ - --docker-password="$2" \ - --docker-username="$3" \ - --docker-server="$4" \ - --dry-run=client -o=yaml \ - | grep -v "creationTimestamp:" \ - | /kbin/kubectl apply -f - - } - - reconcile - resources: {} - - -# RBAC necessary for our Deployment to apply our imagePullSecret ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: credentials-sync - namespace: flux-system -rules: -- apiGroups: [""] - resources: - - secrets - verbs: - - get - - create - - update - - patch - # # Lock this down to the specific Secret name (Optional) - resourceNames: - - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: credentials-sync - namespace: flux-system -subjects: -- kind: ServiceAccount - name: credentials-sync -roleRef: - kind: Role - name: credentials-sync - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: credentials-sync - namespace: flux-system diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/config-patches.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/config-patches.yaml deleted file mode 100644 index 3c849225..00000000 --- a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/config-patches.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: credentials-sync -data: - ECR_REGION: us-east-1 # set the region - ECR_REGISTRY: .dkr.ecr..amazonaws.com # fill in the account id and region - KUBE_SECRET: ecr-credentials # does not yet exist -- will be created in the same Namespace - - -# Bind IRSA for the ServiceAccount ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: credentials-sync - namespace: flux-system - annotations: - eks.amazonaws.com/role-arn: # set the ARN for your role - - -# Set the reconcile period ---- -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: credentials-sync - namespace: flux-system -spec: - schedule: 0 */6 * * * # every 6hrs -- ECR tokens expire every 12 hours; refresh faster than that - - -## If not using IRSA, set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables -## Store these values in a Secret and load them in the container using envFrom. -## For managing this secret via GitOps, consider using SOPS or SealedSecrets and add that manifest in a resource file for this kustomize build. -## https://fluxcd.io/docs/guides/mozilla-sops/ -## https://fluxcd.io/docs/guides/sealed-secrets/ -# --- -# apiVersion: apps/v1 -# kind: Deployment -# metadata: -# name: credentials-sync -# namespace: flux-system -# spec: -# template: -# spec: -# containers: -# - name: sync -# envFrom: -# secretRef: -# name: $(ECR_SECRET_NAME) # uncomment the var for this in kustomization.yaml diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml deleted file mode 100644 index 6e58e58b..00000000 --- a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -namePrefix: ecr- -commonLabels: - app: ecr-credentials-sync - -namespace: flux-system - -bases: -- ../_base -## If not using IRSA, consider creating the following file via SOPS or SealedSecrets -# - encrypted-secret.yaml - -patchesStrategicMerge: -- config-patches.yaml -- reconcile-patch.yaml - -## uncomment if using encrypted-secret.yaml -# vars: -# - name: ECR_SECRET_NAME -# objref: -# kind: Secret -# name: credentials-sync -# apiVersion: v1 diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/reconcile-patch.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/reconcile-patch.yaml deleted file mode 100644 index 98264fed..00000000 --- a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/reconcile-patch.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: credentials-sync - namespace: flux-system -spec: - jobTemplate: - spec: - template: - spec: - containers: - - name: sync - image: mcr.microsoft.com/azure-cli - env: - - name: RECONCILE_SH - value: |- - reconcile() { - echo "Starting ECR token sync -- $(date)" - echo "Logging into ECR: ${ECR_REGION} -- ${ECR_REGISTRY}" - token="$(aws ecr get-login-password --region "${ECR_REGION}")" - user="AWS" - server="${ECR_REGISTRY}" - - echo "Creating secret: ${KUBE_SECRET}" - apply-secret "${KUBE_SECRET}" "${token}" "${user}" "${server}" - - echo "Finished ECR token sync -- $(date)" - echo - } diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/az-identity.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/az-identity.yaml deleted file mode 100644 index 8b365507..00000000 --- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/az-identity.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -# This is a stub resource patched by config-patches.yaml, so that all config is visible in one file ---- -apiVersion: aadpodidentity.k8s.io/v1 -kind: AzureIdentity -metadata: - name: credentials-sync # if this is changed, also change in config-patches.yaml - namespace: flux-system ---- -apiVersion: aadpodidentity.k8s.io/v1 -kind: AzureIdentityBinding -metadata: - name: credentials-sync # this can have a different name, but it's nice to keep them the same - namespace: flux-system -spec: - azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name - selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/config-patches.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/config-patches.yaml deleted file mode 100644 index a6428860..00000000 --- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/config-patches.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: credentials-sync -data: - ACR_NAME: my-registry - KUBE_SECRET: acr-my-registry # does not yet exist -- will be created in the same Namespace - -# Create an identity in Azure and assign it a role to pull from ACR (note: the identity's resourceGroup should match the desired ACR): -# az identity create -n acr-sync -# az role assignment create --role AcrPull --assignee-object-id "$(az identity show -n acr-sync -o tsv --query principalId)" -# Fetch the clientID and resourceID to configure the AzureIdentity spec below: -# az identity show -n acr-sync -otsv --query clientId -# az identity show -n acr-sync -otsv --query resourceId ---- -apiVersion: aadpodidentity.k8s.io/v1 -kind: AzureIdentity -metadata: - name: credentials-sync # name must match the stub-resource in az-identity.yaml - namespace: flux-system -spec: - clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000 - resourceID: /subscriptions/873c7e7f-76cd-4805-ae86-b923850b0000/resourcegroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/acr-sync - type: 0 # user-managed identity - -# Set the reconcile period + specify the pod-identity via the aadpodidbinding label ---- -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: credentials-sync - namespace: flux-system -spec: - schedule: 0 * * * * # ACR tokens expire every 3 hours; refresh faster than that - jobTemplate: - spec: - template: - metadata: - labels: - aadpodidbinding: $(AZ_IDENTITY_NAME) # match the AzureIdentity name diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml deleted file mode 100644 index 54c333a9..00000000 --- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -namePrefix: acr- -commonLabels: - app: acr-credentials-sync - -namespace: flux-system - -bases: -- ../_base -resources: -- az-identity.yaml - -patchesStrategicMerge: -- config-patches.yaml -- reconcile-patch.yaml - -vars: -- name: AZ_IDENTITY_NAME - objref: - kind: AzureIdentity - name: credentials-sync - apiVersion: aadpodidentity.k8s.io/v1 - -configurations: -- kustomizeconfig.yaml diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml deleted file mode 100644 index 09c76747..00000000 --- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml +++ /dev/null @@ -1,7 +0,0 @@ -varReference: -- path: spec/jobTemplate/spec/template/metadata/labels - kind: CronJob -- path: spec/azureIdentity - kind: AzureIdentityBinding -- path: spec/selector - kind: AzureIdentityBinding diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/reconcile-patch.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/reconcile-patch.yaml deleted file mode 100644 index 2a500af4..00000000 --- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/reconcile-patch.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: credentials-sync - namespace: flux-system -spec: - jobTemplate: - spec: - template: - spec: - containers: - - name: sync - image: mcr.microsoft.com/azure-cli - env: - - name: RECONCILE_SH - value: |- - reconcile() { - echo "Starting ACR token sync -- $(date)" - echo "Logging into Azure" - az login --identity - echo "Logging into ACR: ${ACR_NAME}" - output="$(az acr login --expose-token -o=tsv -n "${ACR_NAME}")" - read token server <<< "${output}" - user="00000000-0000-0000-0000-000000000000" - - apply-secret "${KUBE_SECRET}" "${token}" "${user}" "${server}" - - echo "Finished ACR token sync -- $(date)" - echo - } diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/config-patches.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/config-patches.yaml deleted file mode 100644 index fdbb39d1..00000000 --- a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/config-patches.yaml +++ /dev/null @@ -1,28 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: credentials-sync -data: - GCR_REGISTRY: gcr.io # set the registry - KUBE_SECRET: gcr-credentials # does not yet exist -- will be created in the same Namespace - -# Bind to the GCP service-account ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: credentials-sync - namespace: flux-system - annotations: - iam.gke.io/gcp-service-account: @.iam.gserviceaccount.com # set the GCP service-account - -# Set the reconcile period ---- -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: credentials-sync - namespace: flux-system -spec: - schedule: 0,30 * * * * # 30m interval -- GCR tokens expire every hour; refresh faster than that diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/kustomization.yaml deleted file mode 100644 index ea28e0b6..00000000 
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/kustomization.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -namePrefix: gcr- -commonLabels: - app: gcr-credentials-sync - -namespace: flux-system - -bases: -- ../_base - -patchesStrategicMerge: -- config-patches.yaml -- reconcile-patch.yaml diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/reconcile-patch.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/reconcile-patch.yaml deleted file mode 100644 index 84dea7d3..00000000 --- a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/reconcile-patch.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: credentials-sync - namespace: flux-system -spec: - jobTemplate: - spec: - template: - spec: - containers: - - name: sync - image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine - env: - - name: RECONCILE_SH - value: |- - reconcile() { - echo "Starting GCR token sync -- $(date)" - echo "Logging into ECR: ${ECR_REGION} -- ${ECR_REGISTRY}" - token="$(gcloud auth print-access-token)" - user="oauth2accesstoken " - server="${GCR_REGISTRY}" - - echo "Creating secret: ${KUBE_SECRET}" - apply-secret "${KUBE_SECRET}" "${token}" "${user}" "${server}" - - echo "Finished GCR token sync -- $(date)" - echo - } diff --git a/manifests/integrations/registry-credentials-sync/aws/config-patches.yaml b/manifests/integrations/registry-credentials-sync/aws/config-patches.yaml deleted file mode 100644 index f57ccf79..00000000 --- a/manifests/integrations/registry-credentials-sync/aws/config-patches.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: credentials-sync -data: - ECR_REGION: us-east-1 # set the region - ECR_REGISTRY: .dkr.ecr..amazonaws.com # fill in the account id and region - KUBE_SECRET: ecr-credentials # does not yet exist -- will be created in the same Namespace - SYNC_PERIOD: "21600" # 6hrs -- ECR tokens expire every 12 hours; refresh faster than that - - -# Bind IRSA for the ServiceAccount ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: credentials-sync - namespace: flux-system - annotations: - eks.amazonaws.com/role-arn: # set the ARN for your role - - -## If not using IRSA, set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables -## Store these values in a Secret and load them in the container using envFrom. -## For managing this secret via GitOps, consider using SOPS or SealedSecrets and add that manifest in a resource file for this kustomize build. -## https://fluxcd.io/flux/guides/mozilla-sops/ -## https://fluxcd.io/flux/guides/sealed-secrets/ -# --- -# apiVersion: apps/v1 -# kind: Deployment -# metadata: -# name: credentials-sync -# namespace: flux-system -# spec: -# template: -# spec: -# containers: -# - name: sync -# envFrom: -# secretRef: -# name: $(ECR_SECRET_NAME) # uncomment the var for this in kustomization.yaml diff --git a/manifests/integrations/registry-credentials-sync/aws/kustomization.yaml b/manifests/integrations/registry-credentials-sync/aws/kustomization.yaml deleted file mode 100644 index 6e58e58b..00000000 --- a/manifests/integrations/registry-credentials-sync/aws/kustomization.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -namePrefix: ecr- -commonLabels: - app: ecr-credentials-sync - -namespace: flux-system - -bases: -- ../_base -## If not using IRSA, consider creating the following file via SOPS or SealedSecrets -# - encrypted-secret.yaml - -patchesStrategicMerge: -- config-patches.yaml -- reconcile-patch.yaml - -## uncomment if using encrypted-secret.yaml -# vars: -# - name: ECR_SECRET_NAME -# objref: -# kind: Secret -# name: credentials-sync -# apiVersion: v1 diff --git a/manifests/integrations/registry-credentials-sync/aws/reconcile-patch.yaml b/manifests/integrations/registry-credentials-sync/aws/reconcile-patch.yaml deleted file mode 100644 index edac3a11..00000000 --- a/manifests/integrations/registry-credentials-sync/aws/reconcile-patch.yaml +++ /dev/null @@ -1,28 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: credentials-sync - namespace: flux-system -spec: - template: - spec: - containers: - - name: sync - image: aws/aws-cli - env: - - name: RECONCILE_SH - value: |- - reconcile() { - echo "Starting ECR token sync -- $(date)" - echo "Logging into ECR: ${ECR_REGION} -- ${ECR_REGISTRY}" - token="$(aws ecr get-login-password --region "${ECR_REGION}")" - user="AWS" - server="${ECR_REGISTRY}" - - echo "Creating secret: ${KUBE_SECRET}" - apply-secret "${KUBE_SECRET}" "${token}" "${user}" "${server}" - - echo "Finished ECR token sync -- $(date)" - echo - } diff --git a/manifests/integrations/registry-credentials-sync/azure/az-identity.yaml b/manifests/integrations/registry-credentials-sync/azure/az-identity.yaml deleted file mode 100644 index 8b365507..00000000 --- a/manifests/integrations/registry-credentials-sync/azure/az-identity.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -# This is a stub resource patched by config-patches.yaml, so that all config is visible in one file ---- -apiVersion: aadpodidentity.k8s.io/v1 -kind: AzureIdentity -metadata: - name: credentials-sync # if this is changed, also change in config-patches.yaml - namespace: flux-system ---- -apiVersion: aadpodidentity.k8s.io/v1 -kind: AzureIdentityBinding -metadata: - name: credentials-sync # this can have a different name, but it's nice to keep them the same - namespace: flux-system -spec: - azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name - selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name diff --git a/manifests/integrations/registry-credentials-sync/azure/config-patches.yaml b/manifests/integrations/registry-credentials-sync/azure/config-patches.yaml deleted file mode 100644 index d386a497..00000000 --- a/manifests/integrations/registry-credentials-sync/azure/config-patches.yaml +++ /dev/null 
@@ -1,39 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: credentials-sync
-data:
- ACR_NAME: my-registry
- KUBE_SECRET: acr-my-registry # does not yet exist -- will be created in the same Namespace
- SYNC_PERIOD: "3600" # ACR tokens expire every 3 hours; refresh faster than that
-
-# Create an identity in Azure and assign it a role to pull from ACR (note: the identity's resourceGroup should match the desired ACR):
-# az identity create -n acr-sync
-# az role assignment create --role AcrPull --assignee-object-id "$(az identity show -n acr-sync -o tsv --query principalId)"
-# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
-# az identity show -n acr-sync -otsv --query clientId
-# az identity show -n acr-sync -otsv --query resourceId
----
-apiVersion: aadpodidentity.k8s.io/v1
-kind: AzureIdentity
-metadata:
- name: credentials-sync # name must match the stub-resource in az-identity.yaml
- namespace: flux-system
-spec:
- clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
- resourceID: /subscriptions/873c7e7f-76cd-4805-ae86-b923850b0000/resourcegroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/acr-sync
- type: 0 # user-managed identity
-
-# Specify the pod-identity via the aadpodidbinding label
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: credentials-sync
- namespace: flux-system
-spec:
- template:
- metadata:
- labels:
- aadpodidbinding: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
diff --git a/manifests/integrations/registry-credentials-sync/azure/kustomization.yaml b/manifests/integrations/registry-credentials-sync/azure/kustomization.yaml
deleted file mode 100644
index 54c333a9..00000000
--- a/manifests/integrations/registry-credentials-sync/azure/kustomization.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namePrefix: acr-
-commonLabels:
- app: acr-credentials-sync
-
-namespace: flux-system
-
-bases:
-- ../_base
-resources:
-- az-identity.yaml
-
-patchesStrategicMerge:
-- config-patches.yaml
-- reconcile-patch.yaml
-
-vars:
-- name: AZ_IDENTITY_NAME
- objref:
- kind: AzureIdentity
- name: credentials-sync
- apiVersion: aadpodidentity.k8s.io/v1
-
-configurations:
-- kustomizeconfig.yaml
diff --git a/manifests/integrations/registry-credentials-sync/azure/kustomizeconfig.yaml b/manifests/integrations/registry-credentials-sync/azure/kustomizeconfig.yaml
deleted file mode 100644
index da4d902d..00000000
--- a/manifests/integrations/registry-credentials-sync/azure/kustomizeconfig.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-varReference:
-- path: spec/template/metadata/labels
- kind: Deployment
-- path: spec/azureIdentity
- kind: AzureIdentityBinding
-- path: spec/selector
- kind: AzureIdentityBinding
diff --git a/manifests/integrations/registry-credentials-sync/azure/reconcile-patch.yaml b/manifests/integrations/registry-credentials-sync/azure/reconcile-patch.yaml
deleted file mode 100644
index b713053b..00000000
--- a/manifests/integrations/registry-credentials-sync/azure/reconcile-patch.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: credentials-sync
- namespace: flux-system
-spec:
- template:
- spec:
- containers:
- - name: sync
- image: mcr.microsoft.com/azure-cli
- env:
- - name: RECONCILE_SH
- value: |-
- reconcile() {
- echo "Starting ACR token sync -- $(date)"
- echo "Logging into Azure"
- az login --identity
- echo "Logging into ACR: $ACR_NAME"
- output="$(az acr login --expose-token -o=tsv -n "$ACR_NAME")"
- read token server <<< "$output"
- user="00000000-0000-0000-0000-000000000000"
-
- echo "Creating secret: $KUBE_SECRET"
- apply-secret "$KUBE_SECRET" "$token" "$user" "$server"
-
- echo "Finished ACR token sync -- $(date)"
- echo
- }
diff --git a/manifests/integrations/registry-credentials-sync/gcp/config-patches.yaml b/manifests/integrations/registry-credentials-sync/gcp/config-patches.yaml
deleted file mode 100644
index dda354ce..00000000
--- a/manifests/integrations/registry-credentials-sync/gcp/config-patches.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: credentials-sync
-data:
- GCR_REGISTRY: gcr.io # set the registry
- KUBE_SECRET: gcr-credentials # does not yet exist -- will be created in the same Namespace
- SYNC_PERIOD: "1800" # 30m -- GCR tokens expire every hour; refresh faster than that
-
-
-# Bind to the GCP service-account
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: credentials-sync
- namespace: flux-system
- annotations:
- iam.gke.io/gcp-service-account: @.iam.gserviceaccount.com # set the GCP service-account
diff --git a/manifests/integrations/registry-credentials-sync/gcp/kustomization.yaml b/manifests/integrations/registry-credentials-sync/gcp/kustomization.yaml
deleted file mode 100644
index ea28e0b6..00000000
--- a/manifests/integrations/registry-credentials-sync/gcp/kustomization.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namePrefix: gcr-
-commonLabels:
- app: gcr-credentials-sync
-
-namespace: flux-system
-
-bases:
-- ../_base
-
-patchesStrategicMerge:
-- config-patches.yaml
-- reconcile-patch.yaml
diff --git a/manifests/integrations/registry-credentials-sync/gcp/reconcile-patch.yaml b/manifests/integrations/registry-credentials-sync/gcp/reconcile-patch.yaml
deleted file mode 100644
index 8b637f3f..00000000
--- a/manifests/integrations/registry-credentials-sync/gcp/reconcile-patch.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: credentials-sync
- namespace: flux-system
-spec:
- template:
- spec:
- containers:
- - name: sync
- image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine
- env:
- - name: RECONCILE_SH
- value: |-
- reconcile() {
- echo "Starting GCR token sync -- $(date)"
- echo "Logging into ECR: ${ECR_REGION} -- ${ECR_REGISTRY}"
- token="$(gcloud auth print-access-token)"
- user="oauth2accesstoken "
- server="${GCR_REGISTRY}"
-
- echo "Creating secret: ${KUBE_SECRET}"
- apply-secret "${KUBE_SECRET}" "${token}" "${user}" "${server}"
-
- echo "Finished GCR token sync -- $(date)"
- echo
- }