From bd255800db86535d29f8471e65e1d427e34ca940 Mon Sep 17 00:00:00 2001
From: leigh capili
Date: Tue, 1 Jun 2021 10:31:01 -0600
Subject: [PATCH] Template AzureIdentityBinding using $(AZ_IDENTITY_NAME) for integrations

Signed-off-by: leigh capili
---
 .../_cronjobs/azure/az-identity.yaml | 4 ++--
 .../_cronjobs/azure/config-patches.yaml | 9 ---------
 .../_cronjobs/azure/kustomizeconfig.yaml | 8 ++++++--
 .../eventhub-credentials-sync/azure/az-identity.yaml | 6 +++---
 .../eventhub-credentials-sync/azure/config-patches.yaml | 9 ---------
 .../eventhub-credentials-sync/azure/kustomizeconfig.yaml | 4 ++++
 .../_cronjobs/azure/az-identity.yaml | 9 +++++++++
 .../_cronjobs/azure/kustomizeconfig.yaml | 6 +++++-
 .../registry-credentials-sync/azure/az-identity.yaml | 9 +++++++++
 .../registry-credentials-sync/azure/kustomizeconfig.yaml | 4 ++++
 10 files changed, 42 insertions(+), 26 deletions(-)

diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/az-identity.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/az-identity.yaml
index 1591126b..38fa05ff 100644
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/az-identity.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/az-identity.yaml
@@ -12,5 +12,5 @@ metadata:
 name: lab
 namespace: flux-system
 spec:
- azureIdentity: lab
- selector: lab
+ azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
+ selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/config-patches.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/config-patches.yaml
index 3d0ffac4..8e8bc3a3 100644
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/config-patches.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/config-patches.yaml
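Review bot: In `eventhub-credentials-sync/_cronjobs/azure/az-identity.yaml`, the comment on `selector: $(AZ_IDENTITY_NAME)` says only "match the AzureIdentity name", but `selector` is the value compared with a pod's `aadpodidbinding` label, so it decides which pods can request tokens for this identity. I would keep the current comment on `azureIdentity` and change the one on `selector` to `# pods labelled aadpodidbinding=<this value> are given the identity`. Any workload that is allowed to set that label receives the identity, and as far as I know this applies across namespaces unless aad-pod-identity runs in namespaced mode, so it is worth stating next to the binding who may set the label. The same comment is repeated in the three other `az-identity.yaml` hunks of this patch; the binding's `apiVersion` and `kind` lines sit above this hunk.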
@@ -23,15 +23,6 @@ spec: clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000 resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write type: 0 ---- -apiVersion: aadpodidentity.k8s.io/v1 -kind: AzureIdentityBinding -metadata: - name: lab - namespace: flux-system -spec: - azureIdentity: jwt-lab - selector: jwt-lab # Set the reconcile period + specify the pod-identity via the aadpodidbinding label --- diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml index 175f04a2..09c76747 100644 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml +++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml @@ -1,3 +1,7 @@ varReference: - - path: spec/jobTemplate/spec/template/metadata/labels - kind: CronJob +- path: spec/jobTemplate/spec/template/metadata/labels + kind: CronJob +- path: spec/azureIdentity + kind: AzureIdentityBinding +- path: spec/selector + kind: AzureIdentityBinding diff --git a/manifests/integrations/eventhub-credentials-sync/azure/az-identity.yaml b/manifests/integrations/eventhub-credentials-sync/azure/az-identity.yaml index 1591126b..32d8b574 100644 --- a/manifests/integrations/eventhub-credentials-sync/azure/az-identity.yaml +++ b/manifests/integrations/eventhub-credentials-sync/azure/az-identity.yaml @@ -9,8 +9,8 @@ metadata: apiVersion: aadpodidentity.k8s.io/v1 kind: AzureIdentityBinding metadata: - name: lab + name: lab # this can have a different name, but it's nice to keep them the same namespace: flux-system spec: - azureIdentity: lab - selector: lab + azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name + selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name 
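Review bot: In `eventhub-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml`, the two new `AzureIdentityBinding` paths depend on `AZ_IDENTITY_NAME` being declared under `vars:` in a kustomization file that this patch does not touch; presumably it already exists for the label path. Where a var is not resolved, kustomize leaves the literal `$(AZ_IDENTITY_NAME)` in the rendered manifest, so the binding would reference no real identity while the build still succeeds. A comment above the list such as `# the pod label and the binding's azureIdentity/selector must all render to the same AZ_IDENTITY_NAME value` would document the coupling, and a CI step that fails when the output of `kustomize build` still contains `$(` would catch a missed path. The same applies to the three other `kustomizeconfig.yaml` hunks; this one also re-indents the existing `CronJob` entry, which would be easier to review as a separate whitespace-only change.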
diff --git a/manifests/integrations/eventhub-credentials-sync/azure/config-patches.yaml b/manifests/integrations/eventhub-credentials-sync/azure/config-patches.yaml index c285ed2c..3967cbb7 100644 --- a/manifests/integrations/eventhub-credentials-sync/azure/config-patches.yaml +++ b/manifests/integrations/eventhub-credentials-sync/azure/config-patches.yaml @@ -24,15 +24,6 @@ spec: clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000 resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write type: 0 ---- -apiVersion: aadpodidentity.k8s.io/v1 -kind: AzureIdentityBinding -metadata: - name: lab - namespace: flux-system -spec: - azureIdentity: jwt-lab - selector: jwt-lab # Specify the pod-identity via the aadpodidbinding label --- diff --git a/manifests/integrations/eventhub-credentials-sync/azure/kustomizeconfig.yaml b/manifests/integrations/eventhub-credentials-sync/azure/kustomizeconfig.yaml index afd68fe5..da4d902d 100644 --- a/manifests/integrations/eventhub-credentials-sync/azure/kustomizeconfig.yaml +++ b/manifests/integrations/eventhub-credentials-sync/azure/kustomizeconfig.yaml @@ -1,3 +1,7 @@ varReference: - path: spec/template/metadata/labels kind: Deployment +- path: spec/azureIdentity + kind: AzureIdentityBinding +- path: spec/selector + kind: AzureIdentityBinding diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/az-identity.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/az-identity.yaml index c3c6be81..8b365507 100644 --- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/az-identity.yaml +++ b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/az-identity.yaml 
@@ -5,3 +5,12 @@ kind: AzureIdentity
 metadata:
 name: credentials-sync # if this is changed, also change in config-patches.yaml
 namespace: flux-system
+---
+apiVersion: aadpodidentity.k8s.io/v1
+kind: AzureIdentityBinding
+metadata:
+ name: credentials-sync # this can have a different name, but it's nice to keep them the same
+ namespace: flux-system
+spec:
+ azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
+ selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml
index 22524c1d..09c76747 100644
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml
@@ -1,3 +1,7 @@
 varReference:
 - path: spec/jobTemplate/spec/template/metadata/labels
- kind: Deployment
+ kind: CronJob
+- path: spec/azureIdentity
+ kind: AzureIdentityBinding
+- path: spec/selector
+ kind: AzureIdentityBinding
diff --git a/manifests/integrations/registry-credentials-sync/azure/az-identity.yaml b/manifests/integrations/registry-credentials-sync/azure/az-identity.yaml
index c3c6be81..8b365507 100644
--- a/manifests/integrations/registry-credentials-sync/azure/az-identity.yaml
+++ b/manifests/integrations/registry-credentials-sync/azure/az-identity.yaml
@@ -5,3 +5,12 @@ kind: AzureIdentity
 metadata:
 name: credentials-sync # if this is changed, also change in config-patches.yaml
 namespace: flux-system
+---
+apiVersion: aadpodidentity.k8s.io/v1
+kind: AzureIdentityBinding
+metadata:
+ name: credentials-sync # this can have a different name, but it's nice to keep them the same
+ namespace: flux-system
+spec:
+ azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
+ selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
diff --git a/manifests/integrations/registry-credentials-sync/azure/kustomizeconfig.yaml b/manifests/integrations/registry-credentials-sync/azure/kustomizeconfig.yaml
index afd68fe5..da4d902d 100644
--- a/manifests/integrations/registry-credentials-sync/azure/kustomizeconfig.yaml
+++ b/manifests/integrations/registry-credentials-sync/azure/kustomizeconfig.yaml
@@ -1,3 +1,7 @@
 varReference:
 - path: spec/template/metadata/labels
 kind: Deployment
+- path: spec/azureIdentity
+ kind: AzureIdentityBinding
+- path: spec/selector
+ kind: AzureIdentityBinding