chore(integrations/registry): remove deprecated kustomize features

Signed-off-by: Artem <67638547+Stringls@users.noreply.github.com>
1 year ago · e0dcd85e52
parent 659ce798c9
commit e0dcd85e52
34 changed files with 242 additions and 218 deletions
--- a/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml
@ -7,8 +7,8 @@ commonLabels:
 resources:
 - sync.yaml
-patchesStrategicMerge:
+patches:
-  - kubectl-patch.yaml
+- path: kubectl-patch.yaml
 vars:
 - name: KUBE_SECRET
--- a/manifests/integrations/registry-credentials-sync/_base/sync.yaml
+++ b/manifests/integrations/registry-credentials-sync/_base/sync.yaml
@ -101,9 +101,9 @@ rules:
  - create
  - update
  - patch
-  # # Lock this down to the specific Secret name  (Optional)
+  # Lock this down to the specific Secret name  (Optional)
-  #resourceNames:
+  resourceNames:
-  #- $(KUBE_SECRET)  # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
+  - $(KUBE_SECRET)  # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml
@ -7,8 +7,8 @@ commonLabels:
 resources:
 - sync.yaml
-patchesStrategicMerge:
+patches:
-  - kubectl-patch.yaml
+- path: kubectl-patch.yaml
 vars:
 - name: KUBE_SECRET
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/bind-irsa-patch.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/bind-irsa-patch.yaml
@ -0,0 +1,9 @@
 # Bind IRSA for the ServiceAccount 
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: credentials-sync
  namespace: flux-system
  annotations:
    eks.amazonaws.com/role-arn: <role arn>  # set the ARN for your role
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/config-map-patch.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/config-map-patch.yaml
@ -0,0 +1,9 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: credentials-sync
 data:
  ECR_REGION: us-east-1  # set the region
  ECR_REGISTRY: <account id>.dkr.ecr.<region>.amazonaws.com  # fill in the account id and region
  KUBE_SECRET: ecr-credentials  # does not yet exist -- will be created in the same Namespace
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/config-patches.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/config-patches.yaml
@ -1,52 +0,0 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: credentials-sync
 data:
  ECR_REGION: us-east-1  # set the region
  ECR_REGISTRY: <account id>.dkr.ecr.<region>.amazonaws.com  # fill in the account id and region
  KUBE_SECRET: ecr-credentials  # does not yet exist -- will be created in the same Namespace
 # Bind IRSA for the ServiceAccount 
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: credentials-sync
  namespace: flux-system
  annotations:
    eks.amazonaws.com/role-arn: <role arn>  # set the ARN for your role
 # Set the reconcile period
 ---
 apiVersion: batch/v1beta1
 kind: CronJob
 metadata:
  name: credentials-sync
  namespace: flux-system
 spec:
  schedule: 0 */6 * * *  # every 6hrs -- ECR tokens expire every 12 hours; refresh faster than that
 ## If not using IRSA, set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
 ## Store these values in a Secret and load them in the container using envFrom.
 ## For managing this secret via GitOps, consider using SOPS or SealedSecrets and add that manifest in a resource file for this kustomize build.
 ##   https://fluxcd.io/docs/guides/mozilla-sops/
 ##   https://fluxcd.io/docs/guides/sealed-secrets/
 # ---
 # apiVersion: apps/v1
 # kind: Deployment
 # metadata:
 #   name: credentials-sync
 #   namespace: flux-system
 # spec:
 #   template:
 #     spec:
 #       containers:
 #       - name: sync
 #         envFrom:
 #           secretRef:
 #             name: $(ECR_SECRET_NAME)  # uncomment the var for this in kustomization.yaml
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/credentials-injection-patch.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/credentials-injection-patch.yaml
@ -0,0 +1,21 @@
 # If not using IRSA, set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
 # Store these values in a Secret and load them in the container using envFrom.
 # For managing this secret via GitOps, consider using SOPS or SealedSecrets and add that manifest in a resource file for this kustomize build.
 #   https://fluxcd.io/docs/guides/mozilla-sops/
 #   https://fluxcd.io/docs/guides/sealed-secrets/
 ---
 apiVersion: batch/v1beta1
 kind: CronJob
 metadata:
  name: credentials-sync
  namespace: flux-system
 spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: sync
            envFrom:
            - secretRef:
                name: $(ECR_SECRET_NAME)  # uncomment the var for this in kustomization.yaml
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/ecr-token-refresh-patch.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/ecr-token-refresh-patch.yaml
@ -0,0 +1,9 @@
 # Set the reconcile period
 ---
 apiVersion: batch/v1beta1
 kind: CronJob
 metadata:
  name: credentials-sync
  namespace: flux-system
 spec:
  schedule: 0 */6 * * *  # every 6hrs -- ECR tokens expire every 12 hours; refresh faster than that
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/encrypted-secret.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/encrypted-secret.yaml
@ -0,0 +1,8 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: credentials-sync
 data:
    AWS_ACCESS_KEY_ID: Zm9vCg==
    AWS_SECRET_ACCESS_KEY: YmFyCg==
 type: Opaque
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml
@ -7,19 +7,26 @@ commonLabels:
 namespace: flux-system
-bases:
+resources:
 - ../_base
-## If not using IRSA, consider creating the following file via SOPS or SealedSecrets
+# # If not using IRSA, consider creating the following file via SOPS or SealedSecrets
 # - encrypted-secret.yaml
-patchesStrategicMerge:
+patches:
- config-patches.yaml
+- path: config-map-patch.yaml
- reconcile-patch.yaml
+- path: reconcile-patch.yaml
 - path: ecr-token-refresh-patch.yaml
 # Comment out bind-irsa-patch.yaml if not using IRSA
 - path: bind-irsa-patch.yaml
 # # Uncomment if not using IRSA, please also check credentials-injection-patch.yaml
 # - path: credentials-injection-patch.yaml
-## uncomment if using encrypted-secret.yaml
+# # Uncomment if using encrypted-secret.yaml
 # vars:
 # - name: ECR_SECRET_NAME
 #   objref:
 #     kind: Secret
 #     name: credentials-sync
 #     apiVersion: v1
 # configurations:
 # - kustomizeconfig.yaml
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomizeconfig.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomizeconfig.yaml
@ -0,0 +1,3 @@
 varReference:
 - path: spec/jobTemplate/spec/template/spec/containers/envFrom/secretRef
  kind: CronJob
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/azure-identity-patch.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/azure-identity-patch.yaml
@ -1,13 +1,3 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: credentials-sync
 data:
  ACR_NAME: my-registry
  KUBE_SECRET: acr-my-registry  # does not yet exist -- will be created in the same Namespace
  SYNC_PERIOD: "3600"  # ACR tokens expire every 3 hours; refresh faster than that
 # Create an identity in Azure and assign it a role to pull from ACR  (note: the identity's resourceGroup should match the desired ACR):
 #     az identity create -n acr-sync
 #     az role assignment create --role AcrPull --assignee-object-id "$(az identity show -n acr-sync -o tsv --query principalId)"
@ -24,16 +14,3 @@ spec:
  clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
  resourceID: /subscriptions/873c7e7f-76cd-4805-ae86-b923850b0000/resourcegroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/acr-sync
  type: 0  # user-managed identity
 # Specify the pod-identity via the aadpodidbinding label
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: credentials-sync
  namespace: flux-system
 spec:
  template:
    metadata:
      labels:
        aadpodidbinding: $(AZ_IDENTITY_NAME)  # match the AzureIdentity name
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/config-map-patch.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/config-map-patch.yaml
@ -0,0 +1,8 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: credentials-sync
 data:
  ACR_NAME: my-registry
  KUBE_SECRET: acr-my-registry  # does not yet exist -- will be created in the same Namespace
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml
@ -7,14 +7,15 @@ commonLabels:
 namespace: flux-system
 bases:
 - ../_base
 resources:
 - ../_base
 - az-identity.yaml
-patchesStrategicMerge:
+patches:
- config-patches.yaml
+- path: config-map-patch.yaml
- reconcile-patch.yaml
+- path: azure-identity-patch.yaml
 - path: token-refresh-and-identity-injection-patch.yaml
 - path: reconcile-patch.yaml
 vars:
 - name: AZ_IDENTITY_NAME
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/token-refresh-and-identity-injection-patch.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/token-refresh-and-identity-injection-patch.yaml
@ -0,0 +1,15 @@
 # Set the reconcile period + specify the pod-identity via the aadpodidbinding label
 ---
 apiVersion: batch/v1beta1
 kind: CronJob
 metadata:
  name: credentials-sync
  namespace: flux-system
 spec:
  schedule: 0 * * * *  # ACR tokens expire every 3 hours; refresh faster than that
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            aadpodidbinding: $(AZ_IDENTITY_NAME)  # match the AzureIdentity name
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/bind-irsa-patch.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/bind-irsa-patch.yaml
@ -0,0 +1,9 @@
 # Bind to the GCP service-account
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: credentials-sync
  namespace: flux-system
  annotations:
    iam.gke.io/gcp-service-account: <name>@<project-id>.iam.gserviceaccount.com # set the GCP service-account
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/config-map-patch.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/config-map-patch.yaml
@ -0,0 +1,8 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: credentials-sync
 data:
  GCR_REGISTRY: gcr.io  # set the registry
  KUBE_SECRET: gcr-credentials  # does not yet exist -- will be created in the same Namespace
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/config-patches.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/config-patches.yaml
@ -1,28 +0,0 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: credentials-sync
 data:
  GCR_REGISTRY: gcr.io  # set the registry
  KUBE_SECRET: gcr-credentials  # does not yet exist -- will be created in the same Namespace
 # Bind to the GCP service-account
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: credentials-sync
  namespace: flux-system
  annotations:
    iam.gke.io/gcp-service-account: <name>@<project-id>.iam.gserviceaccount.com # set the GCP service-account
 # Set the reconcile period
 ---
 apiVersion: batch/v1beta1
 kind: CronJob
 metadata:
  name: credentials-sync
  namespace: flux-system
 spec:
  schedule: 0,30 * * * *  # 30m interval -- GCR tokens expire every hour; refresh faster than that
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/gcr-token-refresh-patch.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/gcr-token-refresh-patch.yaml
@ -0,0 +1,9 @@
 # Set the reconcile period
 ---
 apiVersion: batch/v1beta1
 kind: CronJob
 metadata:
  name: credentials-sync
  namespace: flux-system
 spec:
  schedule: 0,30 * * * *  # 30m interval -- GCR tokens expire every hour; refresh faster than that
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/kustomization.yaml
@ -7,9 +7,11 @@ commonLabels:
 namespace: flux-system
-bases:
+resources:
 - ../_base
-patchesStrategicMerge:
+patches:
- config-patches.yaml
+- path: config-map-patch.yaml
- reconcile-patch.yaml
+- path: bind-irsa-patch.yaml
 - path: gcr-token-refresh-patch.yaml
 - path: reconcile-patch.yaml
--- a/manifests/integrations/registry-credentials-sync/aws/bind-irsa-patch.yaml
+++ b/manifests/integrations/registry-credentials-sync/aws/bind-irsa-patch.yaml
@ -0,0 +1,9 @@
 # Bind IRSA for the ServiceAccount 
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: credentials-sync
  namespace: flux-system
  annotations:
    eks.amazonaws.com/role-arn: <role arn>  # set the ARN for your role
--- a/manifests/integrations/registry-credentials-sync/aws/config-map-patch.yaml
+++ b/manifests/integrations/registry-credentials-sync/aws/config-map-patch.yaml
@ -0,0 +1,10 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: credentials-sync
 data:
  ECR_REGION: us-east-1  # set the region
  ECR_REGISTRY: <account id>.dkr.ecr.<region>.amazonaws.com  # fill in the account id and region
  KUBE_SECRET: ecr-credentials  # does not yet exist -- will be created in the same Namespace
  SYNC_PERIOD: "21600"  # 6hrs -- ECR tokens expire every 12 hours; refresh faster than that
--- a/manifests/integrations/registry-credentials-sync/aws/config-patches.yaml
+++ b/manifests/integrations/registry-credentials-sync/aws/config-patches.yaml
@ -1,42 +0,0 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: credentials-sync
 data:
  ECR_REGION: us-east-1  # set the region
  ECR_REGISTRY: <account id>.dkr.ecr.<region>.amazonaws.com  # fill in the account id and region
  KUBE_SECRET: ecr-credentials  # does not yet exist -- will be created in the same Namespace
  SYNC_PERIOD: "21600"  # 6hrs -- ECR tokens expire every 12 hours; refresh faster than that
 # Bind IRSA for the ServiceAccount 
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: credentials-sync
  namespace: flux-system
  annotations:
    eks.amazonaws.com/role-arn: <role arn>  # set the ARN for your role
 ## If not using IRSA, set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
 ## Store these values in a Secret and load them in the container using envFrom.
 ## For managing this secret via GitOps, consider using SOPS or SealedSecrets and add that manifest in a resource file for this kustomize build.
 ##   https://fluxcd.io/flux/guides/mozilla-sops/
 ##   https://fluxcd.io/flux/guides/sealed-secrets/
 # ---
 # apiVersion: apps/v1
 # kind: Deployment
 # metadata:
 #   name: credentials-sync
 #   namespace: flux-system
 # spec:
 #   template:
 #     spec:
 #       containers:
 #       - name: sync
 #         envFrom:
 #           secretRef:
 #             name: $(ECR_SECRET_NAME)  # uncomment the var for this in kustomization.yaml
--- a/manifests/integrations/registry-credentials-sync/aws/credentials-injection-patch.yaml
+++ b/manifests/integrations/registry-credentials-sync/aws/credentials-injection-patch.yaml
@ -0,0 +1,19 @@
 # If not using IRSA, set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
 # Store these values in a Secret and load them in the container using envFrom.
 # For managing this secret via GitOps, consider using SOPS or SealedSecrets and add that manifest in a resource file for this kustomize build.
 #   https://fluxcd.io/flux/guides/mozilla-sops/
 #   https://fluxcd.io/flux/guides/sealed-secrets/
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: credentials-sync
  namespace: flux-system
 spec:
  template:
    spec:
      containers:
      - name: sync
        envFrom:
        - secretRef:
            name: $(ECR_SECRET_NAME)  # uncomment the var for this in kustomization.yaml
--- a/manifests/integrations/registry-credentials-sync/aws/encrypted-secret.yaml
+++ b/manifests/integrations/registry-credentials-sync/aws/encrypted-secret.yaml
@ -0,0 +1,8 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: credentials-sync
 data:
    AWS_ACCESS_KEY_ID: Zm9vCg==
    AWS_SECRET_ACCESS_KEY: YmFyCg==
 type: Opaque
--- a/manifests/integrations/registry-credentials-sync/aws/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/aws/kustomization.yaml
@ -7,19 +7,25 @@ commonLabels:
 namespace: flux-system
-bases:
+resources:
 - ../_base
-## If not using IRSA, consider creating the following file via SOPS or SealedSecrets
+# # If not using IRSA, consider creating the following file via SOPS or SealedSecrets
 # - encrypted-secret.yaml
-patchesStrategicMerge:
+patches:
- config-patches.yaml
+- path: config-map-patch.yaml
- reconcile-patch.yaml
+- path: reconcile-patch.yaml
 # Comment out bind-irsa-patch.yaml if not using IRSA
 - path: bind-irsa-patch.yaml
 # # Uncomment if not using IRSA, please also check credentials-injection-patch.yaml
 # - path: credentials-injection-patch.yaml
-## uncomment if using encrypted-secret.yaml
+# # Uncomment if using encrypted-secret.yaml
 # vars:
 # - name: ECR_SECRET_NAME
 #   objref:
 #     kind: Secret
 #     name: credentials-sync
 #     apiVersion: v1
 # configurations:
 # - kustomizeconfig.yaml
--- a/manifests/integrations/registry-credentials-sync/aws/kustomizeconfig.yaml
+++ b/manifests/integrations/registry-credentials-sync/aws/kustomizeconfig.yaml
@ -0,0 +1,3 @@
 varReference:
 - path: spec/template/spec/containers/envFrom/secretRef
  kind: Deployment
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/config-patches.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/config-patches.yaml
@ -1,12 +1,3 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: credentials-sync
 data:
  ACR_NAME: my-registry
  KUBE_SECRET: acr-my-registry  # does not yet exist -- will be created in the same Namespace
 # Create an identity in Azure and assign it a role to pull from ACR  (note: the identity's resourceGroup should match the desired ACR):
 #     az identity create -n acr-sync
 #     az role assignment create --role AcrPull --assignee-object-id "$(az identity show -n acr-sync -o tsv --query principalId)"
@ -23,19 +14,3 @@ spec:
  clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
  resourceID: /subscriptions/873c7e7f-76cd-4805-ae86-b923850b0000/resourcegroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/acr-sync
  type: 0  # user-managed identity
 # Set the reconcile period + specify the pod-identity via the aadpodidbinding label
 ---
 apiVersion: batch/v1beta1
 kind: CronJob
 metadata:
  name: credentials-sync
  namespace: flux-system
 spec:
  schedule: 0 * * * *  # ACR tokens expire every 3 hours; refresh faster than that
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            aadpodidbinding: $(AZ_IDENTITY_NAME)  # match the AzureIdentity name
--- a/manifests/integrations/registry-credentials-sync/azure/config-map-patch.yaml
+++ b/manifests/integrations/registry-credentials-sync/azure/config-map-patch.yaml
@ -0,0 +1,9 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: credentials-sync
 data:
  ACR_NAME: my-registry
  KUBE_SECRET: acr-my-registry  # does not yet exist -- will be created in the same Namespace
  SYNC_PERIOD: "3600"  # ACR tokens expire every 3 hours; refresh faster than that
--- a/manifests/integrations/registry-credentials-sync/azure/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/azure/kustomization.yaml
@ -7,14 +7,15 @@ commonLabels:
 namespace: flux-system
 bases:
 - ../_base
 resources:
 - ../_base
 - az-identity.yaml
-patchesStrategicMerge:
+patches:
- config-patches.yaml
+- path: config-map-patch.yaml
- reconcile-patch.yaml
+- path: azure-identity-patch.yaml
 - path: pod-identity-injection-patch.yaml
 - path: reconcile-patch.yaml
 vars:
 - name: AZ_IDENTITY_NAME
--- a/manifests/integrations/registry-credentials-sync/azure/pod-identity-injection-patch.yaml
+++ b/manifests/integrations/registry-credentials-sync/azure/pod-identity-injection-patch.yaml
@ -0,0 +1,12 @@
 # Specify the pod-identity via the aadpodidbinding label
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: credentials-sync
  namespace: flux-system
 spec:
  template:
    metadata:
      labels:
        aadpodidbinding: $(AZ_IDENTITY_NAME)  # match the AzureIdentity name
--- a/manifests/integrations/registry-credentials-sync/gcp/bind-irsa-patch.yaml
+++ b/manifests/integrations/registry-credentials-sync/gcp/bind-irsa-patch.yaml
@ -0,0 +1,9 @@
 # Bind to the GCP service-account
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: credentials-sync
  namespace: flux-system
  annotations:
    iam.gke.io/gcp-service-account: <name>@<project-id>.iam.gserviceaccount.com # set the GCP service-account
--- a/manifests/integrations/registry-credentials-sync/gcp/config-map-patch.yaml
+++ b/manifests/integrations/registry-credentials-sync/gcp/config-map-patch.yaml
@ -7,14 +7,3 @@ data:
  GCR_REGISTRY: gcr.io  # set the registry
  KUBE_SECRET: gcr-credentials  # does not yet exist -- will be created in the same Namespace
  SYNC_PERIOD: "1800"  # 30m -- GCR tokens expire every hour; refresh faster than that
 # Bind to the GCP service-account
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: credentials-sync
  namespace: flux-system
  annotations:
    iam.gke.io/gcp-service-account: <name>@<project-id>.iam.gserviceaccount.com # set the GCP service-account
--- a/manifests/integrations/registry-credentials-sync/gcp/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/gcp/kustomization.yaml
@ -7,9 +7,10 @@ commonLabels:
 namespace: flux-system
-bases:
+resources:
 - ../_base
-patchesStrategicMerge:
+patches:
- config-patches.yaml
+- path: config-map-patch.yaml
- reconcile-patch.yaml
+- path: bind-irsa-patch.yaml
 - path: reconcile-patch.yaml