mirror of https://github.com/fluxcd/flux2.git
Remove credentials sync manifests
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
pull/5347/head
parent
76c584e751
commit
9cad95dda5
@ -1,14 +0,0 @@
|
|||||||
|
|
||||||
bases := $(shell dirname $(shell find | grep kustomization.yaml | sort))
|
|
||||||
|
|
||||||
all: $(bases)
|
|
||||||
|
|
||||||
permutations := $(bases) $(addsuffix /,$(bases))
|
|
||||||
.PHONY: $(permutations)
|
|
||||||
$(permutations):
|
|
||||||
@echo $@
|
|
||||||
@warnings=$$(kustomize build $@ -o /dev/null 2>&1); \
|
|
||||||
if [ "$$warnings" ]; then \
|
|
||||||
echo "$$warnings"; \
|
|
||||||
false; \
|
|
||||||
fi
|
|
@ -1,32 +0,0 @@
|
|||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
initContainers:
|
|
||||||
- image: ghcr.io/fluxcd/flux-cli:v0.17.2
|
|
||||||
securityContext:
|
|
||||||
privileged: false
|
|
||||||
readOnlyRootFilesystem: true
|
|
||||||
allowPrivilegeEscalation: false
|
|
||||||
name: copy-kubectl
|
|
||||||
# it's okay to do this because kubectl is a statically linked binary
|
|
||||||
command:
|
|
||||||
- sh
|
|
||||||
- -ceu
|
|
||||||
- cp $(which kubectl) /kbin/
|
|
||||||
resources: {}
|
|
||||||
volumeMounts:
|
|
||||||
- name: kbin
|
|
||||||
mountPath: /kbin
|
|
||||||
containers:
|
|
||||||
- name: sync
|
|
||||||
volumeMounts:
|
|
||||||
- name: kbin
|
|
||||||
mountPath: /kbin
|
|
||||||
volumes:
|
|
||||||
- name: kbin
|
|
||||||
emptyDir: {}
|
|
@ -1,23 +0,0 @@
|
|||||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
||||||
kind: Kustomization
|
|
||||||
|
|
||||||
commonLabels:
|
|
||||||
app: credentials-sync-eventhub
|
|
||||||
|
|
||||||
resources:
|
|
||||||
- sync.yaml
|
|
||||||
|
|
||||||
patchesStrategicMerge:
|
|
||||||
- kubectl-patch.yaml
|
|
||||||
|
|
||||||
vars:
|
|
||||||
- name: KUBE_SECRET
|
|
||||||
objref:
|
|
||||||
kind: ConfigMap
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
apiVersion: v1
|
|
||||||
fieldref:
|
|
||||||
fieldpath: data.KUBE_SECRET
|
|
||||||
|
|
||||||
configurations:
|
|
||||||
- kustomizeconfig.yaml
|
|
@ -1,3 +0,0 @@
|
|||||||
varReference:
|
|
||||||
- path: rules/resourceNames
|
|
||||||
kind: Role
|
|
@ -1,133 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
data:
|
|
||||||
# Patch this ConfigMap with additional values needed for your cloud
|
|
||||||
KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
|
|
||||||
ADDRESS: "fluxv2" # the Azure Event Hub name
|
|
||||||
SYNC_PERIOD: "3600" # tokens expire; refresh faster than that
|
|
||||||
|
|
||||||
---
|
|
||||||
# This Deployment frequently fetches registry tokens and applies them as an imagePullSecret.
|
|
||||||
# It's done as a 1-replica Deployment rather than a CronJob, because CronJob scheduling can
|
|
||||||
# block cluster bootstraps and cold-reboots from obtaining registry tokens for a considerable time.
|
|
||||||
# This deployment will immediately fetch a token, which reduces latency for working image updates.
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
replicas: 1
|
|
||||||
strategy:
|
|
||||||
type: Recreate
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
serviceAccountName: credentials-sync-eventhub
|
|
||||||
securityContext:
|
|
||||||
runAsNonRoot: true
|
|
||||||
runAsUser: 1001
|
|
||||||
containers:
|
|
||||||
- image: busybox # override this with a cloud-specific image
|
|
||||||
name: sync
|
|
||||||
envFrom:
|
|
||||||
- configMapRef:
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
env:
|
|
||||||
- name: RECONCILE_SH # override this env var with a shell function in a kustomize patch
|
|
||||||
value: |-
|
|
||||||
reconcile() {
|
|
||||||
echo reconciling...
|
|
||||||
}
|
|
||||||
command:
|
|
||||||
- bash
|
|
||||||
- -ceu
|
|
||||||
- |-
|
|
||||||
# template reconcile() into the script
|
|
||||||
# env var is expanded by k8s before the pod starts
|
|
||||||
$(RECONCILE_SH)
|
|
||||||
|
|
||||||
apply-secret() {
|
|
||||||
/kbin/kubectl create secret generic "$1" \
|
|
||||||
--from-literal=token="$2" \
|
|
||||||
--from-literal=address="$3" \
|
|
||||||
--dry-run=client -o=yaml \
|
|
||||||
| grep -v "creationTimestamp:" \
|
|
||||||
| /kbin/kubectl apply -f -
|
|
||||||
}
|
|
||||||
|
|
||||||
pause_loop() {
|
|
||||||
sleep "$SYNC_PERIOD" || true
|
|
||||||
}
|
|
||||||
|
|
||||||
graceful_exit() {
|
|
||||||
echo "Trapped signal -- $(date)"
|
|
||||||
job_ids="$(
|
|
||||||
jobs \
|
|
||||||
| grep "pause_loop" \
|
|
||||||
| cut -d] -f1 \
|
|
||||||
| tr [ %
|
|
||||||
)"
|
|
||||||
# shellcheck disable=SC2086
|
|
||||||
if [ "$job_ids" ]; then
|
|
||||||
kill $job_ids
|
|
||||||
fi
|
|
||||||
wait
|
|
||||||
echo "Graceful exit -- $(date)"
|
|
||||||
}
|
|
||||||
|
|
||||||
trap graceful_exit INT TERM
|
|
||||||
|
|
||||||
echo "Loop started (period: $SYNC_PERIOD s) -- $(date)"
|
|
||||||
while true; do
|
|
||||||
reconcile & wait $!
|
|
||||||
pause_loop & wait $!
|
|
||||||
done
|
|
||||||
resources: {}
|
|
||||||
volumeMounts:
|
|
||||||
- mountPath: /.azure
|
|
||||||
name: cache-volume
|
|
||||||
volumes:
|
|
||||||
- emptyDir: {}
|
|
||||||
name: cache-volume
|
|
||||||
|
|
||||||
# RBAC necessary for our Deployment to apply our secret that will store the JWT token
|
|
||||||
---
|
|
||||||
kind: Role
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
namespace: flux-system
|
|
||||||
rules:
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources:
|
|
||||||
- secrets
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- create
|
|
||||||
- update
|
|
||||||
- patch
|
|
||||||
# Lock this down to the specific Secret name (Optional)
|
|
||||||
#resourceNames:
|
|
||||||
# - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
|
|
||||||
---
|
|
||||||
kind: RoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
namespace: flux-system
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
roleRef:
|
|
||||||
kind: Role
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
namespace: flux-system
|
|
@ -1,30 +0,0 @@
|
|||||||
apiVersion: batch/v1beta1
|
|
||||||
kind: CronJob
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
jobTemplate:
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
initContainers:
|
|
||||||
- image: ghcr.io/fluxcd/flux-cli:v0.17.2
|
|
||||||
name: copy-kubectl
|
|
||||||
# it's okay to do this because kubectl is a statically linked binary
|
|
||||||
command:
|
|
||||||
- sh
|
|
||||||
- -ceu
|
|
||||||
- cp $(which kubectl) /kbin/
|
|
||||||
resources: {}
|
|
||||||
volumeMounts:
|
|
||||||
- name: kbin
|
|
||||||
mountPath: /kbin
|
|
||||||
containers:
|
|
||||||
- name: sync
|
|
||||||
volumeMounts:
|
|
||||||
- name: kbin
|
|
||||||
mountPath: /kbin
|
|
||||||
volumes:
|
|
||||||
- name: kbin
|
|
||||||
emptyDir: {}
|
|
@ -1,23 +0,0 @@
|
|||||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
||||||
kind: Kustomization
|
|
||||||
|
|
||||||
commonLabels:
|
|
||||||
app: credentials-sync-eventhub
|
|
||||||
|
|
||||||
resources:
|
|
||||||
- sync.yaml
|
|
||||||
|
|
||||||
patchesStrategicMerge:
|
|
||||||
- kubectl-patch.yaml
|
|
||||||
|
|
||||||
vars:
|
|
||||||
- name: KUBE_SECRET
|
|
||||||
objref:
|
|
||||||
kind: ConfigMap
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
apiVersion: v1
|
|
||||||
fieldref:
|
|
||||||
fieldpath: data.KUBE_SECRET
|
|
||||||
|
|
||||||
configurations:
|
|
||||||
- kustomizeconfig.yaml
|
|
@ -1,3 +0,0 @@
|
|||||||
varReference:
|
|
||||||
- path: rules/resourceNames
|
|
||||||
kind: Role
|
|
@ -1,109 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
data:
|
|
||||||
# Patch this ConfigMap with additional values needed for your cloud
|
|
||||||
KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
|
|
||||||
ADDRESS: "fluxv2" # the Azure Event Hub name
|
|
||||||
|
|
||||||
---
|
|
||||||
# This CronJob frequently fetches registry tokens and applies them as an imagePullSecret.
|
|
||||||
# note: CronJob scheduling can block cluster bootstraps and cold-reboots from obtaining registry tokens for a considerable time.
|
|
||||||
# To run the job immediately, do `kubectl create job --from=cronjob/credentials-sync-eventhub -n flux-system credentials-sync-eventhub-init`
|
|
||||||
apiVersion: batch/v1beta1
|
|
||||||
kind: CronJob
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
suspend: false
|
|
||||||
schedule: 0 */6 * * *
|
|
||||||
failedJobsHistoryLimit: 1
|
|
||||||
successfulJobsHistoryLimit: 1
|
|
||||||
jobTemplate:
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
serviceAccountName: credentials-sync-eventhub
|
|
||||||
securityContext:
|
|
||||||
runAsNonRoot: true
|
|
||||||
runAsUser: 1001
|
|
||||||
restartPolicy: Never
|
|
||||||
containers:
|
|
||||||
- image: busybox # override this with a cloud-specific image
|
|
||||||
name: sync
|
|
||||||
envFrom:
|
|
||||||
- configMapRef:
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
env:
|
|
||||||
- name: RECONCILE_SH # override this env var with a shell function in a kustomize patch
|
|
||||||
value: |-
|
|
||||||
reconcile() {
|
|
||||||
echo reconciling...
|
|
||||||
}
|
|
||||||
command:
|
|
||||||
- bash
|
|
||||||
- -ceu
|
|
||||||
- |-
|
|
||||||
# template reconcile() into the script
|
|
||||||
# env var is expanded by k8s before the pod starts
|
|
||||||
$(RECONCILE_SH)
|
|
||||||
|
|
||||||
apply-secret() {
|
|
||||||
/kbin/kubectl create secret generic "$1" \
|
|
||||||
--from-literal=token="$2" \
|
|
||||||
--from-literal=address="$3" \
|
|
||||||
--dry-run=client -o=yaml \
|
|
||||||
| grep -v "creationTimestamp:" \
|
|
||||||
| /kbin/kubectl apply -f -
|
|
||||||
}
|
|
||||||
|
|
||||||
reconcile
|
|
||||||
resources: {}
|
|
||||||
volumeMounts:
|
|
||||||
- mountPath: /.azure
|
|
||||||
name: cache-volume
|
|
||||||
volumes:
|
|
||||||
- emptyDir: {}
|
|
||||||
name: cache-volume
|
|
||||||
|
|
||||||
# RBAC necessary for our Deployment to apply our secret that will store the JWT token
|
|
||||||
---
|
|
||||||
kind: Role
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
namespace: flux-system
|
|
||||||
rules:
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources:
|
|
||||||
- secrets
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- create
|
|
||||||
- update
|
|
||||||
- patch
|
|
||||||
# Lock this down to the specific Secret name (Optional)
|
|
||||||
resourceNames:
|
|
||||||
- $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
|
|
||||||
---
|
|
||||||
kind: RoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
namespace: flux-system
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
roleRef:
|
|
||||||
kind: Role
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
namespace: flux-system
|
|
@ -1,16 +0,0 @@
|
|||||||
# This is a stub resource patched by config-patches.yaml, so that all config is visible in one file
|
|
||||||
---
|
|
||||||
apiVersion: aadpodidentity.k8s.io/v1
|
|
||||||
kind: AzureIdentity
|
|
||||||
metadata:
|
|
||||||
name: lab # if this is changed, also change in config-patches.yaml
|
|
||||||
namespace: flux-system
|
|
||||||
---
|
|
||||||
apiVersion: aadpodidentity.k8s.io/v1
|
|
||||||
kind: AzureIdentityBinding
|
|
||||||
metadata:
|
|
||||||
name: lab
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
|
||||||
selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
|
@ -1,41 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
data:
|
|
||||||
KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
|
|
||||||
ADDRESS: "fluxv2" # the Azure Event Hub name
|
|
||||||
|
|
||||||
# Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub):
|
|
||||||
# az identity create -n eventhub-write
|
|
||||||
# az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)"
|
|
||||||
# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
|
|
||||||
# az identity show -n eventhub-write -otsv --query clientId
|
|
||||||
# az identity show -n eventhub-write -otsv --query resourceId
|
|
||||||
---
|
|
||||||
apiVersion: aadpodidentity.k8s.io/v1
|
|
||||||
kind: AzureIdentity
|
|
||||||
metadata:
|
|
||||||
name: lab
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
|
|
||||||
resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write
|
|
||||||
type: 0
|
|
||||||
|
|
||||||
# Set the reconcile period + specify the pod-identity via the aadpodidbinding label
|
|
||||||
---
|
|
||||||
apiVersion: batch/v1beta1
|
|
||||||
kind: CronJob
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
schedule: 0 * * * * # JWT tokens expire every 24 hours; refresh faster than that
|
|
||||||
jobTemplate:
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
aadpodidbinding: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
|
@ -1,27 +0,0 @@
|
|||||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
||||||
kind: Kustomization
|
|
||||||
|
|
||||||
namePrefix: jwt-
|
|
||||||
commonLabels:
|
|
||||||
app: jwt-eventhub-credentials-sync
|
|
||||||
|
|
||||||
namespace: flux-system
|
|
||||||
|
|
||||||
bases:
|
|
||||||
- ../_base
|
|
||||||
resources:
|
|
||||||
- az-identity.yaml
|
|
||||||
|
|
||||||
patchesStrategicMerge:
|
|
||||||
- config-patches.yaml
|
|
||||||
- reconcile-patch.yaml
|
|
||||||
|
|
||||||
vars:
|
|
||||||
- name: AZ_IDENTITY_NAME
|
|
||||||
objref:
|
|
||||||
kind: AzureIdentity
|
|
||||||
name: lab
|
|
||||||
apiVersion: aadpodidentity.k8s.io/v1
|
|
||||||
|
|
||||||
configurations:
|
|
||||||
- kustomizeconfig.yaml
|
|
@ -1,7 +0,0 @@
|
|||||||
varReference:
|
|
||||||
- path: spec/jobTemplate/spec/template/metadata/labels
|
|
||||||
kind: CronJob
|
|
||||||
- path: spec/azureIdentity
|
|
||||||
kind: AzureIdentityBinding
|
|
||||||
- path: spec/selector
|
|
||||||
kind: AzureIdentityBinding
|
|
@ -1,27 +0,0 @@
|
|||||||
apiVersion: batch/v1beta1
|
|
||||||
kind: CronJob
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
jobTemplate:
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: sync
|
|
||||||
image: mcr.microsoft.com/azure-cli
|
|
||||||
env:
|
|
||||||
- name: RECONCILE_SH
|
|
||||||
value: |-
|
|
||||||
reconcile() {
|
|
||||||
echo "Starting JWT token sync -- $(date)"
|
|
||||||
echo "Logging into Azure"
|
|
||||||
az login --identity
|
|
||||||
echo "Getting JWT token"
|
|
||||||
token=$(az account get-access-token --resource https://eventhubs.azure.net |jq -r .accessToken)
|
|
||||||
echo "Creating secret: ${KUBE_SECRET}"
|
|
||||||
apply-secret "${KUBE_SECRET}" ${token} "${ADDRESS}"
|
|
||||||
echo "Finished JWT token sync -- $(date)"
|
|
||||||
echo
|
|
||||||
}
|
|
@ -1,15 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
data:
|
|
||||||
KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
|
|
||||||
ADDRESS: "fluxv2" # the Azure Event Hub name
|
|
||||||
|
|
||||||
# Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub):
|
|
||||||
# az identity create -n eventhub-write
|
|
||||||
# az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)"
|
|
||||||
# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
|
|
||||||
# az identity show -n eventhub-write -otsv --query clientId
|
|
||||||
# az identity show -n eventhub-write -otsv --query resourceId
|
|
@ -1,17 +0,0 @@
|
|||||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
||||||
kind: Kustomization
|
|
||||||
|
|
||||||
namePrefix: jwt-
|
|
||||||
commonLabels:
|
|
||||||
app: jwt-eventhub-credentials-sync
|
|
||||||
|
|
||||||
namespace: flux-system
|
|
||||||
|
|
||||||
bases:
|
|
||||||
- ../_base
|
|
||||||
resources:
|
|
||||||
- secret-azure-credentials.yaml
|
|
||||||
|
|
||||||
patchesStrategicMerge:
|
|
||||||
- config-patches.yaml
|
|
||||||
- reconcile-patch.yaml
|
|
@ -1,42 +0,0 @@
|
|||||||
apiVersion: batch/v1beta1
|
|
||||||
kind: CronJob
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
jobTemplate:
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: sync
|
|
||||||
image: mcr.microsoft.com/azure-cli
|
|
||||||
env:
|
|
||||||
- name: RECONCILE_SH
|
|
||||||
value: |-
|
|
||||||
reconcile() {
|
|
||||||
echo "Starting JWT token sync -- $(date)"
|
|
||||||
echo "Logging into Azure"
|
|
||||||
az login --service-principal -u ${AZURE_CLIENT_ID} -p ${AZURE_CLIENT_SECRET} --tenant ${AZURE_TENANT_ID}
|
|
||||||
echo "Getting JWT token"
|
|
||||||
token=$(az account get-access-token --resource https://eventhubs.azure.net |jq -r .accessToken)
|
|
||||||
echo "Creating secret: ${KUBE_SECRET}"
|
|
||||||
apply-secret "${KUBE_SECRET}" ${token} "${ADDRESS}"
|
|
||||||
echo "Finished JWT token sync -- $(date)"
|
|
||||||
echo
|
|
||||||
}
|
|
||||||
- name: AZURE_CLIENT_ID
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: azure-credentials
|
|
||||||
key: AZURE_CLIENT_ID
|
|
||||||
- name: AZURE_CLIENT_SECRET
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: azure-credentials
|
|
||||||
key: AZURE_CLIENT_SECRET
|
|
||||||
- name: AZURE_TENANT_ID
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: azure-credentials
|
|
||||||
key: AZURE_TENANT_ID
|
|
@ -1,14 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
data:
|
|
||||||
AZURE_CLIENT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA==
|
|
||||||
AZURE_CLIENT_SECRET: c28tbXVjaC1zZWNyZXQ=
|
|
||||||
AZURE_TENANT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA==
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: azure-credentials
|
|
||||||
namespace: flux-system
|
|
||||||
type: Opaque
|
|
||||||
# This is just a example secret, you should never store secrets in git.
|
|
||||||
# One way forward can be to use sealed-secrets or SOPS
|
|
||||||
# https://fluxcd.io/flux/guides/sealed-secrets/
|
|
||||||
# https://fluxcd.io/flux/guides/mozilla-sops/
|
|
@ -1,16 +0,0 @@
|
|||||||
# This is a stub resource patched by config-patches.yaml, so that all config is visible in one file
|
|
||||||
---
|
|
||||||
apiVersion: aadpodidentity.k8s.io/v1
|
|
||||||
kind: AzureIdentity
|
|
||||||
metadata:
|
|
||||||
name: lab # if this is changed, also change in config-patches.yaml
|
|
||||||
namespace: flux-system
|
|
||||||
---
|
|
||||||
apiVersion: aadpodidentity.k8s.io/v1
|
|
||||||
kind: AzureIdentityBinding
|
|
||||||
metadata:
|
|
||||||
name: lab # this can have a different name, but it's nice to keep them the same
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
|
||||||
selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
|
@ -1,39 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
data:
|
|
||||||
KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
|
|
||||||
ADDRESS: "fluxv2" # the Azure Event Hub name
|
|
||||||
SYNC_PERIOD: "3600" # tokens expire; refresh faster than that
|
|
||||||
|
|
||||||
# Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub):
|
|
||||||
# az identity create -n eventhub-write
|
|
||||||
# az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)"
|
|
||||||
# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
|
|
||||||
# az identity show -n eventhub-write -otsv --query clientId
|
|
||||||
# az identity show -n eventhub-write -otsv --query resourceId
|
|
||||||
---
|
|
||||||
apiVersion: aadpodidentity.k8s.io/v1
|
|
||||||
kind: AzureIdentity
|
|
||||||
metadata:
|
|
||||||
name: lab
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
|
|
||||||
resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write
|
|
||||||
type: 0
|
|
||||||
|
|
||||||
# Specify the pod-identity via the aadpodidbinding label
|
|
||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
aadpodidbinding: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
|
@ -1,27 +0,0 @@
|
|||||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
||||||
kind: Kustomization
|
|
||||||
|
|
||||||
namePrefix: jwt-
|
|
||||||
commonLabels:
|
|
||||||
app: jwt-eventhub-credentials-sync
|
|
||||||
|
|
||||||
namespace: flux-system
|
|
||||||
|
|
||||||
bases:
|
|
||||||
- ../_base
|
|
||||||
resources:
|
|
||||||
- az-identity.yaml
|
|
||||||
|
|
||||||
patchesStrategicMerge:
|
|
||||||
- config-patches.yaml
|
|
||||||
- reconcile-patch.yaml
|
|
||||||
|
|
||||||
vars:
|
|
||||||
- name: AZ_IDENTITY_NAME
|
|
||||||
objref:
|
|
||||||
kind: AzureIdentity
|
|
||||||
name: lab
|
|
||||||
apiVersion: aadpodidentity.k8s.io/v1
|
|
||||||
|
|
||||||
configurations:
|
|
||||||
- kustomizeconfig.yaml
|
|
@ -1,7 +0,0 @@
|
|||||||
varReference:
|
|
||||||
- path: spec/template/metadata/labels
|
|
||||||
kind: Deployment
|
|
||||||
- path: spec/azureIdentity
|
|
||||||
kind: AzureIdentityBinding
|
|
||||||
- path: spec/selector
|
|
||||||
kind: AzureIdentityBinding
|
|
@ -1,26 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: sync
|
|
||||||
image: mcr.microsoft.com/azure-cli
|
|
||||||
env:
|
|
||||||
- name: RECONCILE_SH
|
|
||||||
value: |-
|
|
||||||
reconcile() {
|
|
||||||
echo "Starting JWT token sync -- $(date)"
|
|
||||||
echo "Logging into Azure"
|
|
||||||
az login --identity
|
|
||||||
echo "Getting JWT token"
|
|
||||||
token=$(az account get-access-token --resource https://eventhubs.azure.net |jq -r .accessToken)
|
|
||||||
echo "Creating secret: ${KUBE_SECRET}"
|
|
||||||
apply-secret "${KUBE_SECRET}" ${token} "${ADDRESS}"
|
|
||||||
echo "Finished JWT token sync -- $(date)"
|
|
||||||
echo
|
|
||||||
}
|
|
@ -1,17 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
data:
|
|
||||||
KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
|
|
||||||
ADDRESS: "fluxv2" # the Azure Event Hub name
|
|
||||||
SYNC_PERIOD: "3600" # tokens expire; refresh faster than that
|
|
||||||
|
|
||||||
# Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub):
|
|
||||||
# az identity create -n eventhub-write
|
|
||||||
# az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)"
|
|
||||||
# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
|
|
||||||
# az identity show -n eventhub-write -otsv --query clientId
|
|
||||||
# az identity show -n eventhub-write -otsv --query resourceId
|
|
||||||
# Specify the pod-identity via the aadpodidbinding label
|
|
@ -1,17 +0,0 @@
|
|||||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
||||||
kind: Kustomization
|
|
||||||
|
|
||||||
namePrefix: jwt-
|
|
||||||
commonLabels:
|
|
||||||
app: jwt-eventhub-credentials-sync
|
|
||||||
|
|
||||||
namespace: flux-system
|
|
||||||
|
|
||||||
bases:
|
|
||||||
- ../_base
|
|
||||||
resources:
|
|
||||||
- secret-azure-credentials.yaml
|
|
||||||
|
|
||||||
patchesStrategicMerge:
|
|
||||||
- config-patches.yaml
|
|
||||||
- reconcile-patch.yaml
|
|
@ -1,41 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync-eventhub
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: sync
|
|
||||||
image: mcr.microsoft.com/azure-cli
|
|
||||||
env:
|
|
||||||
- name: RECONCILE_SH
|
|
||||||
value: |-
|
|
||||||
reconcile() {
|
|
||||||
echo "Starting JWT token sync -- $(date)"
|
|
||||||
echo "Logging into Azure"
|
|
||||||
az login --service-principal -u ${AZURE_CLIENT_ID} -p ${AZURE_CLIENT_SECRET} --tenant ${AZURE_TENANT_ID}
|
|
||||||
echo "Getting JWT token"
|
|
||||||
token=$(az account get-access-token --resource https://eventhubs.azure.net |jq -r .accessToken)
|
|
||||||
echo "Creating secret: ${KUBE_SECRET}"
|
|
||||||
apply-secret "${KUBE_SECRET}" ${token} "${ADDRESS}"
|
|
||||||
echo "Finished JWT token sync -- $(date)"
|
|
||||||
echo
|
|
||||||
}
|
|
||||||
- name: AZURE_CLIENT_ID
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: azure-credentials
|
|
||||||
key: AZURE_CLIENT_ID
|
|
||||||
- name: AZURE_CLIENT_SECRET
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: azure-credentials
|
|
||||||
key: AZURE_CLIENT_SECRET
|
|
||||||
- name: AZURE_TENANT_ID
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: azure-credentials
|
|
||||||
key: AZURE_TENANT_ID
|
|
@ -1,14 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
data:
|
|
||||||
AZURE_CLIENT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA==
|
|
||||||
AZURE_CLIENT_SECRET: c28tbXVjaC1zZWNyZXQ=
|
|
||||||
AZURE_TENANT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA==
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: azure-credentials
|
|
||||||
namespace: flux-system
|
|
||||||
type: Opaque
|
|
||||||
# This is just a example secret, you should never store secrets in git.
|
|
||||||
# One way forward can be to use sealed-secrets or SOPS
|
|
||||||
# https://fluxcd.io/docs/guides/sealed-secrets/
|
|
||||||
# https://fluxcd.io/docs/guides/mozilla-sops/
|
|
@ -1,28 +0,0 @@
|
|||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
initContainers:
|
|
||||||
- image: ghcr.io/fluxcd/flux-cli:v0.17.2
|
|
||||||
name: copy-kubectl
|
|
||||||
# it's okay to do this because kubectl is a statically linked binary
|
|
||||||
command:
|
|
||||||
- sh
|
|
||||||
- -ceu
|
|
||||||
- cp $(which kubectl) /kbin/
|
|
||||||
resources: {}
|
|
||||||
volumeMounts:
|
|
||||||
- name: kbin
|
|
||||||
mountPath: /kbin
|
|
||||||
containers:
|
|
||||||
- name: sync
|
|
||||||
volumeMounts:
|
|
||||||
- name: kbin
|
|
||||||
mountPath: /kbin
|
|
||||||
volumes:
|
|
||||||
- name: kbin
|
|
||||||
emptyDir: {}
|
|
@ -1,23 +0,0 @@
|
|||||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
||||||
kind: Kustomization
|
|
||||||
|
|
||||||
commonLabels:
|
|
||||||
app: credentials-sync
|
|
||||||
|
|
||||||
resources:
|
|
||||||
- sync.yaml
|
|
||||||
|
|
||||||
patchesStrategicMerge:
|
|
||||||
- kubectl-patch.yaml
|
|
||||||
|
|
||||||
vars:
|
|
||||||
- name: KUBE_SECRET
|
|
||||||
objref:
|
|
||||||
kind: ConfigMap
|
|
||||||
name: credentials-sync
|
|
||||||
apiVersion: v1
|
|
||||||
fieldref:
|
|
||||||
fieldpath: data.KUBE_SECRET
|
|
||||||
|
|
||||||
configurations:
|
|
||||||
- kustomizeconfig.yaml
|
|
@ -1,3 +0,0 @@
|
|||||||
varReference:
|
|
||||||
- path: rules/resourceNames
|
|
||||||
kind: Role
|
|
@ -1,125 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
data:
|
|
||||||
# Patch this ConfigMap with additional values needed for your cloud
|
|
||||||
KUBE_SECRET: my-registry-token # does not yet exist -- will be created in the same Namespace
|
|
||||||
SYNC_PERIOD: "3600" # tokens expire; refresh faster than that
|
|
||||||
|
|
||||||
---
|
|
||||||
# This Deployment frequently fetches registry tokens and applies them as an imagePullSecret.
|
|
||||||
# It's done as a 1-replica Deployment rather than a CronJob, because CronJob scheduling can
|
|
||||||
# block cluster bootstraps and cold-reboots from obtaining registry tokens for a considerable time.
|
|
||||||
# This deployment will immediately fetch a token, which reduces latency for working image updates.
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
replicas: 1
|
|
||||||
strategy:
|
|
||||||
type: Recreate
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
serviceAccountName: credentials-sync
|
|
||||||
containers:
|
|
||||||
- image: busybox # override this with a cloud-specific image
|
|
||||||
name: sync
|
|
||||||
envFrom:
|
|
||||||
- configMapRef:
|
|
||||||
name: credentials-sync
|
|
||||||
env:
|
|
||||||
- name: RECONCILE_SH # override this env var with a shell function in a kustomize patch
|
|
||||||
value: |-
|
|
||||||
reconcile() {
|
|
||||||
echo reconciling...
|
|
||||||
}
|
|
||||||
command:
|
|
||||||
- bash
|
|
||||||
- -ceu
|
|
||||||
- |-
|
|
||||||
# template reconcile() into the script
|
|
||||||
# env var is expanded by k8s before the pod starts
|
|
||||||
$(RECONCILE_SH)
|
|
||||||
|
|
||||||
apply-secret() {
|
|
||||||
/kbin/kubectl create secret docker-registry "$1" \
|
|
||||||
--docker-password="$2" \
|
|
||||||
--docker-username="$3" \
|
|
||||||
--docker-server="$4" \
|
|
||||||
--dry-run=client -o=yaml \
|
|
||||||
| grep -v "creationTimestamp:" \
|
|
||||||
| /kbin/kubectl apply -f -
|
|
||||||
}
|
|
||||||
|
|
||||||
pause_loop() {
|
|
||||||
sleep "$SYNC_PERIOD" || true
|
|
||||||
}
|
|
||||||
|
|
||||||
graceful_exit() {
|
|
||||||
echo "Trapped signal -- $(date)"
|
|
||||||
job_ids="$(
|
|
||||||
jobs \
|
|
||||||
| grep "pause_loop" \
|
|
||||||
| cut -d] -f1 \
|
|
||||||
| tr [ %
|
|
||||||
)"
|
|
||||||
# shellcheck disable=SC2086
|
|
||||||
if [ "$job_ids" ]; then
|
|
||||||
kill $job_ids
|
|
||||||
fi
|
|
||||||
wait
|
|
||||||
echo "Graceful exit -- $(date)"
|
|
||||||
}
|
|
||||||
|
|
||||||
trap graceful_exit INT TERM
|
|
||||||
|
|
||||||
echo "Loop started (period: $SYNC_PERIOD s) -- $(date)"
|
|
||||||
while true; do
|
|
||||||
reconcile & wait $!
|
|
||||||
pause_loop & wait $!
|
|
||||||
done
|
|
||||||
resources: {}
|
|
||||||
|
|
||||||
|
|
||||||
# RBAC necessary for our Deployment to apply our imagePullSecret
|
|
||||||
---
|
|
||||||
kind: Role
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
namespace: flux-system
|
|
||||||
rules:
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources:
|
|
||||||
- secrets
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- create
|
|
||||||
- update
|
|
||||||
- patch
|
|
||||||
# # Lock this down to the specific Secret name (Optional)
|
|
||||||
#resourceNames:
|
|
||||||
#- $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
|
|
||||||
---
|
|
||||||
kind: RoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
namespace: flux-system
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: credentials-sync
|
|
||||||
roleRef:
|
|
||||||
kind: Role
|
|
||||||
name: credentials-sync
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
namespace: flux-system
|
|
@ -1,30 +0,0 @@
|
|||||||
apiVersion: batch/v1beta1
|
|
||||||
kind: CronJob
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
jobTemplate:
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
initContainers:
|
|
||||||
- image: ghcr.io/fluxcd/flux-cli:v0.17.2
|
|
||||||
name: copy-kubectl
|
|
||||||
# it's okay to do this because kubectl is a statically linked binary
|
|
||||||
command:
|
|
||||||
- sh
|
|
||||||
- -ceu
|
|
||||||
- cp $(which kubectl) /kbin/
|
|
||||||
resources: {}
|
|
||||||
volumeMounts:
|
|
||||||
- name: kbin
|
|
||||||
mountPath: /kbin
|
|
||||||
containers:
|
|
||||||
- name: sync
|
|
||||||
volumeMounts:
|
|
||||||
- name: kbin
|
|
||||||
mountPath: /kbin
|
|
||||||
volumes:
|
|
||||||
- name: kbin
|
|
||||||
emptyDir: {}
|
|
@ -1,23 +0,0 @@
|
|||||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
||||||
kind: Kustomization
|
|
||||||
|
|
||||||
commonLabels:
|
|
||||||
app: credentials-sync
|
|
||||||
|
|
||||||
resources:
|
|
||||||
- sync.yaml
|
|
||||||
|
|
||||||
patchesStrategicMerge:
|
|
||||||
- kubectl-patch.yaml
|
|
||||||
|
|
||||||
vars:
|
|
||||||
- name: KUBE_SECRET
|
|
||||||
objref:
|
|
||||||
kind: ConfigMap
|
|
||||||
name: credentials-sync
|
|
||||||
apiVersion: v1
|
|
||||||
fieldref:
|
|
||||||
fieldpath: data.KUBE_SECRET
|
|
||||||
|
|
||||||
configurations:
|
|
||||||
- kustomizeconfig.yaml
|
|
@ -1,3 +0,0 @@
|
|||||||
varReference:
|
|
||||||
- path: rules/resourceNames
|
|
||||||
kind: Role
|
|
@ -1,101 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
data:
|
|
||||||
# Patch this ConfigMap with additional values needed for your cloud
|
|
||||||
KUBE_SECRET: my-registry-token # does not yet exist -- will be created in the same Namespace
|
|
||||||
|
|
||||||
---
|
|
||||||
# This CronJob frequently fetches registry tokens and applies them as an imagePullSecret.
|
|
||||||
# note: CronJob scheduling can block cluster bootstraps and cold-reboots from obtaining registry tokens for a considerable time.
|
|
||||||
# To run the job immediately, do `kubectl create job --from=cronjob/credentials-sync -n flux-system credentials-sync-init`
|
|
||||||
apiVersion: batch/v1beta1
|
|
||||||
kind: CronJob
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
suspend: false
|
|
||||||
schedule: 0 */6 * * *
|
|
||||||
failedJobsHistoryLimit: 1
|
|
||||||
successfulJobsHistoryLimit: 1
|
|
||||||
jobTemplate:
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
serviceAccountName: credentials-sync
|
|
||||||
restartPolicy: Never
|
|
||||||
containers:
|
|
||||||
- image: busybox # override this with a cloud-specific image
|
|
||||||
name: sync
|
|
||||||
envFrom:
|
|
||||||
- configMapRef:
|
|
||||||
name: credentials-sync
|
|
||||||
env:
|
|
||||||
- name: RECONCILE_SH # override this env var with a shell function in a kustomize patch
|
|
||||||
value: |-
|
|
||||||
reconcile() {
|
|
||||||
echo reconciling...
|
|
||||||
}
|
|
||||||
command:
|
|
||||||
- bash
|
|
||||||
- -ceu
|
|
||||||
- |-
|
|
||||||
# template reconcile() into the script
|
|
||||||
# env var is expanded by k8s before the pod starts
|
|
||||||
$(RECONCILE_SH)
|
|
||||||
|
|
||||||
apply-secret() {
|
|
||||||
/kbin/kubectl create secret docker-registry "$1" \
|
|
||||||
--docker-password="$2" \
|
|
||||||
--docker-username="$3" \
|
|
||||||
--docker-server="$4" \
|
|
||||||
--dry-run=client -o=yaml \
|
|
||||||
| grep -v "creationTimestamp:" \
|
|
||||||
| /kbin/kubectl apply -f -
|
|
||||||
}
|
|
||||||
|
|
||||||
reconcile
|
|
||||||
resources: {}
|
|
||||||
|
|
||||||
|
|
||||||
# RBAC necessary for our Deployment to apply our imagePullSecret
|
|
||||||
---
|
|
||||||
kind: Role
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
namespace: flux-system
|
|
||||||
rules:
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources:
|
|
||||||
- secrets
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- create
|
|
||||||
- update
|
|
||||||
- patch
|
|
||||||
# # Lock this down to the specific Secret name (Optional)
|
|
||||||
resourceNames:
|
|
||||||
- $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
|
|
||||||
---
|
|
||||||
kind: RoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
namespace: flux-system
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: credentials-sync
|
|
||||||
roleRef:
|
|
||||||
kind: Role
|
|
||||||
name: credentials-sync
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
namespace: flux-system
|
|
@ -1,52 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
data:
|
|
||||||
ECR_REGION: us-east-1 # set the region
|
|
||||||
ECR_REGISTRY: <account id>.dkr.ecr.<region>.amazonaws.com # fill in the account id and region
|
|
||||||
KUBE_SECRET: ecr-credentials # does not yet exist -- will be created in the same Namespace
|
|
||||||
|
|
||||||
|
|
||||||
# Bind IRSA for the ServiceAccount
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
namespace: flux-system
|
|
||||||
annotations:
|
|
||||||
eks.amazonaws.com/role-arn: <role arn> # set the ARN for your role
|
|
||||||
|
|
||||||
|
|
||||||
# Set the reconcile period
|
|
||||||
---
|
|
||||||
apiVersion: batch/v1beta1
|
|
||||||
kind: CronJob
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
schedule: 0 */6 * * * # every 6hrs -- ECR tokens expire every 12 hours; refresh faster than that
|
|
||||||
|
|
||||||
|
|
||||||
## If not using IRSA, set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
|
|
||||||
## Store these values in a Secret and load them in the container using envFrom.
|
|
||||||
## For managing this secret via GitOps, consider using SOPS or SealedSecrets and add that manifest in a resource file for this kustomize build.
|
|
||||||
## https://fluxcd.io/docs/guides/mozilla-sops/
|
|
||||||
## https://fluxcd.io/docs/guides/sealed-secrets/
|
|
||||||
# ---
|
|
||||||
# apiVersion: apps/v1
|
|
||||||
# kind: Deployment
|
|
||||||
# metadata:
|
|
||||||
# name: credentials-sync
|
|
||||||
# namespace: flux-system
|
|
||||||
# spec:
|
|
||||||
# template:
|
|
||||||
# spec:
|
|
||||||
# containers:
|
|
||||||
# - name: sync
|
|
||||||
# envFrom:
|
|
||||||
# secretRef:
|
|
||||||
# name: $(ECR_SECRET_NAME) # uncomment the var for this in kustomization.yaml
|
|
@ -1,25 +0,0 @@
|
|||||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
||||||
kind: Kustomization
|
|
||||||
|
|
||||||
namePrefix: ecr-
|
|
||||||
commonLabels:
|
|
||||||
app: ecr-credentials-sync
|
|
||||||
|
|
||||||
namespace: flux-system
|
|
||||||
|
|
||||||
bases:
|
|
||||||
- ../_base
|
|
||||||
## If not using IRSA, consider creating the following file via SOPS or SealedSecrets
|
|
||||||
# - encrypted-secret.yaml
|
|
||||||
|
|
||||||
patchesStrategicMerge:
|
|
||||||
- config-patches.yaml
|
|
||||||
- reconcile-patch.yaml
|
|
||||||
|
|
||||||
## uncomment if using encrypted-secret.yaml
|
|
||||||
# vars:
|
|
||||||
# - name: ECR_SECRET_NAME
|
|
||||||
# objref:
|
|
||||||
# kind: Secret
|
|
||||||
# name: credentials-sync
|
|
||||||
# apiVersion: v1
|
|
@ -1,29 +0,0 @@
|
|||||||
apiVersion: batch/v1beta1
|
|
||||||
kind: CronJob
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
jobTemplate:
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: sync
|
|
||||||
image: mcr.microsoft.com/azure-cli
|
|
||||||
env:
|
|
||||||
- name: RECONCILE_SH
|
|
||||||
value: |-
|
|
||||||
reconcile() {
|
|
||||||
echo "Starting ECR token sync -- $(date)"
|
|
||||||
echo "Logging into ECR: ${ECR_REGION} -- ${ECR_REGISTRY}"
|
|
||||||
token="$(aws ecr get-login-password --region "${ECR_REGION}")"
|
|
||||||
user="AWS"
|
|
||||||
server="${ECR_REGISTRY}"
|
|
||||||
|
|
||||||
echo "Creating secret: ${KUBE_SECRET}"
|
|
||||||
apply-secret "${KUBE_SECRET}" "${token}" "${user}" "${server}"
|
|
||||||
|
|
||||||
echo "Finished ECR token sync -- $(date)"
|
|
||||||
echo
|
|
||||||
}
|
|
@ -1,16 +0,0 @@
|
|||||||
# This is a stub resource patched by config-patches.yaml, so that all config is visible in one file
|
|
||||||
---
|
|
||||||
apiVersion: aadpodidentity.k8s.io/v1
|
|
||||||
kind: AzureIdentity
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync # if this is changed, also change in config-patches.yaml
|
|
||||||
namespace: flux-system
|
|
||||||
---
|
|
||||||
apiVersion: aadpodidentity.k8s.io/v1
|
|
||||||
kind: AzureIdentityBinding
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync # this can have a different name, but it's nice to keep them the same
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
|
||||||
selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
|
@ -1,41 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
data:
|
|
||||||
ACR_NAME: my-registry
|
|
||||||
KUBE_SECRET: acr-my-registry # does not yet exist -- will be created in the same Namespace
|
|
||||||
|
|
||||||
# Create an identity in Azure and assign it a role to pull from ACR (note: the identity's resourceGroup should match the desired ACR):
|
|
||||||
# az identity create -n acr-sync
|
|
||||||
# az role assignment create --role AcrPull --assignee-object-id "$(az identity show -n acr-sync -o tsv --query principalId)"
|
|
||||||
# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
|
|
||||||
# az identity show -n acr-sync -otsv --query clientId
|
|
||||||
# az identity show -n acr-sync -otsv --query resourceId
|
|
||||||
---
|
|
||||||
apiVersion: aadpodidentity.k8s.io/v1
|
|
||||||
kind: AzureIdentity
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync # name must match the stub-resource in az-identity.yaml
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
|
|
||||||
resourceID: /subscriptions/873c7e7f-76cd-4805-ae86-b923850b0000/resourcegroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/acr-sync
|
|
||||||
type: 0 # user-managed identity
|
|
||||||
|
|
||||||
# Set the reconcile period + specify the pod-identity via the aadpodidbinding label
|
|
||||||
---
|
|
||||||
apiVersion: batch/v1beta1
|
|
||||||
kind: CronJob
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
schedule: 0 * * * * # ACR tokens expire every 3 hours; refresh faster than that
|
|
||||||
jobTemplate:
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
aadpodidbinding: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
|
@ -1,27 +0,0 @@
|
|||||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
||||||
kind: Kustomization
|
|
||||||
|
|
||||||
namePrefix: acr-
|
|
||||||
commonLabels:
|
|
||||||
app: acr-credentials-sync
|
|
||||||
|
|
||||||
namespace: flux-system
|
|
||||||
|
|
||||||
bases:
|
|
||||||
- ../_base
|
|
||||||
resources:
|
|
||||||
- az-identity.yaml
|
|
||||||
|
|
||||||
patchesStrategicMerge:
|
|
||||||
- config-patches.yaml
|
|
||||||
- reconcile-patch.yaml
|
|
||||||
|
|
||||||
vars:
|
|
||||||
- name: AZ_IDENTITY_NAME
|
|
||||||
objref:
|
|
||||||
kind: AzureIdentity
|
|
||||||
name: credentials-sync
|
|
||||||
apiVersion: aadpodidentity.k8s.io/v1
|
|
||||||
|
|
||||||
configurations:
|
|
||||||
- kustomizeconfig.yaml
|
|
@ -1,7 +0,0 @@
|
|||||||
varReference:
|
|
||||||
- path: spec/jobTemplate/spec/template/metadata/labels
|
|
||||||
kind: CronJob
|
|
||||||
- path: spec/azureIdentity
|
|
||||||
kind: AzureIdentityBinding
|
|
||||||
- path: spec/selector
|
|
||||||
kind: AzureIdentityBinding
|
|
@ -1,30 +0,0 @@
|
|||||||
apiVersion: batch/v1beta1
|
|
||||||
kind: CronJob
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
jobTemplate:
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: sync
|
|
||||||
image: mcr.microsoft.com/azure-cli
|
|
||||||
env:
|
|
||||||
- name: RECONCILE_SH
|
|
||||||
value: |-
|
|
||||||
reconcile() {
|
|
||||||
echo "Starting ACR token sync -- $(date)"
|
|
||||||
echo "Logging into Azure"
|
|
||||||
az login --identity
|
|
||||||
echo "Logging into ACR: ${ACR_NAME}"
|
|
||||||
output="$(az acr login --expose-token -o=tsv -n "${ACR_NAME}")"
|
|
||||||
read token server <<< "${output}"
|
|
||||||
user="00000000-0000-0000-0000-000000000000"
|
|
||||||
|
|
||||||
apply-secret "${KUBE_SECRET}" "${token}" "${user}" "${server}"
|
|
||||||
|
|
||||||
echo "Finished ACR token sync -- $(date)"
|
|
||||||
echo
|
|
||||||
}
|
|
@ -1,28 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
data:
|
|
||||||
GCR_REGISTRY: gcr.io # set the registry
|
|
||||||
KUBE_SECRET: gcr-credentials # does not yet exist -- will be created in the same Namespace
|
|
||||||
|
|
||||||
# Bind to the GCP service-account
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
namespace: flux-system
|
|
||||||
annotations:
|
|
||||||
iam.gke.io/gcp-service-account: <name>@<project-id>.iam.gserviceaccount.com # set the GCP service-account
|
|
||||||
|
|
||||||
# Set the reconcile period
|
|
||||||
---
|
|
||||||
apiVersion: batch/v1beta1
|
|
||||||
kind: CronJob
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
schedule: 0,30 * * * * # 30m interval -- GCR tokens expire every hour; refresh faster than that
|
|
@ -1,15 +0,0 @@
|
|||||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
||||||
kind: Kustomization
|
|
||||||
|
|
||||||
namePrefix: gcr-
|
|
||||||
commonLabels:
|
|
||||||
app: gcr-credentials-sync
|
|
||||||
|
|
||||||
namespace: flux-system
|
|
||||||
|
|
||||||
bases:
|
|
||||||
- ../_base
|
|
||||||
|
|
||||||
patchesStrategicMerge:
|
|
||||||
- config-patches.yaml
|
|
||||||
- reconcile-patch.yaml
|
|
@ -1,29 +0,0 @@
|
|||||||
apiVersion: batch/v1beta1
|
|
||||||
kind: CronJob
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
jobTemplate:
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: sync
|
|
||||||
image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine
|
|
||||||
env:
|
|
||||||
- name: RECONCILE_SH
|
|
||||||
value: |-
|
|
||||||
reconcile() {
|
|
||||||
echo "Starting GCR token sync -- $(date)"
|
|
||||||
echo "Logging into ECR: ${ECR_REGION} -- ${ECR_REGISTRY}"
|
|
||||||
token="$(gcloud auth print-access-token)"
|
|
||||||
user="oauth2accesstoken "
|
|
||||||
server="${GCR_REGISTRY}"
|
|
||||||
|
|
||||||
echo "Creating secret: ${KUBE_SECRET}"
|
|
||||||
apply-secret "${KUBE_SECRET}" "${token}" "${user}" "${server}"
|
|
||||||
|
|
||||||
echo "Finished GCR token sync -- $(date)"
|
|
||||||
echo
|
|
||||||
}
|
|
@ -1,42 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
data:
|
|
||||||
ECR_REGION: us-east-1 # set the region
|
|
||||||
ECR_REGISTRY: <account id>.dkr.ecr.<region>.amazonaws.com # fill in the account id and region
|
|
||||||
KUBE_SECRET: ecr-credentials # does not yet exist -- will be created in the same Namespace
|
|
||||||
SYNC_PERIOD: "21600" # 6hrs -- ECR tokens expire every 12 hours; refresh faster than that
|
|
||||||
|
|
||||||
|
|
||||||
# Bind IRSA for the ServiceAccount
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
namespace: flux-system
|
|
||||||
annotations:
|
|
||||||
eks.amazonaws.com/role-arn: <role arn> # set the ARN for your role
|
|
||||||
|
|
||||||
|
|
||||||
## If not using IRSA, set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
|
|
||||||
## Store these values in a Secret and load them in the container using envFrom.
|
|
||||||
## For managing this secret via GitOps, consider using SOPS or SealedSecrets and add that manifest in a resource file for this kustomize build.
|
|
||||||
## https://fluxcd.io/flux/guides/mozilla-sops/
|
|
||||||
## https://fluxcd.io/flux/guides/sealed-secrets/
|
|
||||||
# ---
|
|
||||||
# apiVersion: apps/v1
|
|
||||||
# kind: Deployment
|
|
||||||
# metadata:
|
|
||||||
# name: credentials-sync
|
|
||||||
# namespace: flux-system
|
|
||||||
# spec:
|
|
||||||
# template:
|
|
||||||
# spec:
|
|
||||||
# containers:
|
|
||||||
# - name: sync
|
|
||||||
# envFrom:
|
|
||||||
# secretRef:
|
|
||||||
# name: $(ECR_SECRET_NAME) # uncomment the var for this in kustomization.yaml
|
|
@ -1,25 +0,0 @@
|
|||||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
||||||
kind: Kustomization
|
|
||||||
|
|
||||||
namePrefix: ecr-
|
|
||||||
commonLabels:
|
|
||||||
app: ecr-credentials-sync
|
|
||||||
|
|
||||||
namespace: flux-system
|
|
||||||
|
|
||||||
bases:
|
|
||||||
- ../_base
|
|
||||||
## If not using IRSA, consider creating the following file via SOPS or SealedSecrets
|
|
||||||
# - encrypted-secret.yaml
|
|
||||||
|
|
||||||
patchesStrategicMerge:
|
|
||||||
- config-patches.yaml
|
|
||||||
- reconcile-patch.yaml
|
|
||||||
|
|
||||||
## uncomment if using encrypted-secret.yaml
|
|
||||||
# vars:
|
|
||||||
# - name: ECR_SECRET_NAME
|
|
||||||
# objref:
|
|
||||||
# kind: Secret
|
|
||||||
# name: credentials-sync
|
|
||||||
# apiVersion: v1
|
|
@ -1,28 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: sync
|
|
||||||
image: aws/aws-cli
|
|
||||||
env:
|
|
||||||
- name: RECONCILE_SH
|
|
||||||
value: |-
|
|
||||||
reconcile() {
|
|
||||||
echo "Starting ECR token sync -- $(date)"
|
|
||||||
echo "Logging into ECR: ${ECR_REGION} -- ${ECR_REGISTRY}"
|
|
||||||
token="$(aws ecr get-login-password --region "${ECR_REGION}")"
|
|
||||||
user="AWS"
|
|
||||||
server="${ECR_REGISTRY}"
|
|
||||||
|
|
||||||
echo "Creating secret: ${KUBE_SECRET}"
|
|
||||||
apply-secret "${KUBE_SECRET}" "${token}" "${user}" "${server}"
|
|
||||||
|
|
||||||
echo "Finished ECR token sync -- $(date)"
|
|
||||||
echo
|
|
||||||
}
|
|
@ -1,16 +0,0 @@
|
|||||||
# This is a stub resource patched by config-patches.yaml, so that all config is visible in one file
|
|
||||||
---
|
|
||||||
apiVersion: aadpodidentity.k8s.io/v1
|
|
||||||
kind: AzureIdentity
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync # if this is changed, also change in config-patches.yaml
|
|
||||||
namespace: flux-system
|
|
||||||
---
|
|
||||||
apiVersion: aadpodidentity.k8s.io/v1
|
|
||||||
kind: AzureIdentityBinding
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync # this can have a different name, but it's nice to keep them the same
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
|
||||||
selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
|
@ -1,39 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
data:
|
|
||||||
ACR_NAME: my-registry
|
|
||||||
KUBE_SECRET: acr-my-registry # does not yet exist -- will be created in the same Namespace
|
|
||||||
SYNC_PERIOD: "3600" # ACR tokens expire every 3 hours; refresh faster than that
|
|
||||||
|
|
||||||
# Create an identity in Azure and assign it a role to pull from ACR (note: the identity's resourceGroup should match the desired ACR):
|
|
||||||
# az identity create -n acr-sync
|
|
||||||
# az role assignment create --role AcrPull --assignee-object-id "$(az identity show -n acr-sync -o tsv --query principalId)"
|
|
||||||
# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
|
|
||||||
# az identity show -n acr-sync -otsv --query clientId
|
|
||||||
# az identity show -n acr-sync -otsv --query resourceId
|
|
||||||
---
|
|
||||||
apiVersion: aadpodidentity.k8s.io/v1
|
|
||||||
kind: AzureIdentity
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync # name must match the stub-resource in az-identity.yaml
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
|
|
||||||
resourceID: /subscriptions/873c7e7f-76cd-4805-ae86-b923850b0000/resourcegroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/acr-sync
|
|
||||||
type: 0 # user-managed identity
|
|
||||||
|
|
||||||
# Specify the pod-identity via the aadpodidbinding label
|
|
||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
aadpodidbinding: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
|
@ -1,27 +0,0 @@
|
|||||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
||||||
kind: Kustomization
|
|
||||||
|
|
||||||
namePrefix: acr-
|
|
||||||
commonLabels:
|
|
||||||
app: acr-credentials-sync
|
|
||||||
|
|
||||||
namespace: flux-system
|
|
||||||
|
|
||||||
bases:
|
|
||||||
- ../_base
|
|
||||||
resources:
|
|
||||||
- az-identity.yaml
|
|
||||||
|
|
||||||
patchesStrategicMerge:
|
|
||||||
- config-patches.yaml
|
|
||||||
- reconcile-patch.yaml
|
|
||||||
|
|
||||||
vars:
|
|
||||||
- name: AZ_IDENTITY_NAME
|
|
||||||
objref:
|
|
||||||
kind: AzureIdentity
|
|
||||||
name: credentials-sync
|
|
||||||
apiVersion: aadpodidentity.k8s.io/v1
|
|
||||||
|
|
||||||
configurations:
|
|
||||||
- kustomizeconfig.yaml
|
|
@ -1,7 +0,0 @@
|
|||||||
varReference:
|
|
||||||
- path: spec/template/metadata/labels
|
|
||||||
kind: Deployment
|
|
||||||
- path: spec/azureIdentity
|
|
||||||
kind: AzureIdentityBinding
|
|
||||||
- path: spec/selector
|
|
||||||
kind: AzureIdentityBinding
|
|
@ -1,30 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: sync
|
|
||||||
image: mcr.microsoft.com/azure-cli
|
|
||||||
env:
|
|
||||||
- name: RECONCILE_SH
|
|
||||||
value: |-
|
|
||||||
reconcile() {
|
|
||||||
echo "Starting ACR token sync -- $(date)"
|
|
||||||
echo "Logging into Azure"
|
|
||||||
az login --identity
|
|
||||||
echo "Logging into ACR: $ACR_NAME"
|
|
||||||
output="$(az acr login --expose-token -o=tsv -n "$ACR_NAME")"
|
|
||||||
read token server <<< "$output"
|
|
||||||
user="00000000-0000-0000-0000-000000000000"
|
|
||||||
|
|
||||||
echo "Creating secret: $KUBE_SECRET"
|
|
||||||
apply-secret "$KUBE_SECRET" "$token" "$user" "$server"
|
|
||||||
|
|
||||||
echo "Finished ACR token sync -- $(date)"
|
|
||||||
echo
|
|
||||||
}
|
|
@ -1,20 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
data:
|
|
||||||
GCR_REGISTRY: gcr.io # set the registry
|
|
||||||
KUBE_SECRET: gcr-credentials # does not yet exist -- will be created in the same Namespace
|
|
||||||
SYNC_PERIOD: "1800" # 30m -- GCR tokens expire every hour; refresh faster than that
|
|
||||||
|
|
||||||
|
|
||||||
# Bind to the GCP service-account
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
namespace: flux-system
|
|
||||||
annotations:
|
|
||||||
iam.gke.io/gcp-service-account: <name>@<project-id>.iam.gserviceaccount.com # set the GCP service-account
|
|
@ -1,15 +0,0 @@
|
|||||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
||||||
kind: Kustomization
|
|
||||||
|
|
||||||
namePrefix: gcr-
|
|
||||||
commonLabels:
|
|
||||||
app: gcr-credentials-sync
|
|
||||||
|
|
||||||
namespace: flux-system
|
|
||||||
|
|
||||||
bases:
|
|
||||||
- ../_base
|
|
||||||
|
|
||||||
patchesStrategicMerge:
|
|
||||||
- config-patches.yaml
|
|
||||||
- reconcile-patch.yaml
|
|
@ -1,28 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: credentials-sync
|
|
||||||
namespace: flux-system
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: sync
|
|
||||||
image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine
|
|
||||||
env:
|
|
||||||
- name: RECONCILE_SH
|
|
||||||
value: |-
|
|
||||||
reconcile() {
|
|
||||||
echo "Starting GCR token sync -- $(date)"
|
|
||||||
echo "Logging into ECR: ${ECR_REGION} -- ${ECR_REGISTRY}"
|
|
||||||
token="$(gcloud auth print-access-token)"
|
|
||||||
user="oauth2accesstoken "
|
|
||||||
server="${GCR_REGISTRY}"
|
|
||||||
|
|
||||||
echo "Creating secret: ${KUBE_SECRET}"
|
|
||||||
apply-secret "${KUBE_SECRET}" "${token}" "${user}" "${server}"
|
|
||||||
|
|
||||||
echo "Finished GCR token sync -- $(date)"
|
|
||||||
echo
|
|
||||||
}
|
|