diff --git a/manifests/integrations/Makefile b/manifests/integrations/Makefile
new file mode 100644
index 00000000..ebe8d320
--- /dev/null
+++ b/manifests/integrations/Makefile
@@ -0,0 +1,14 @@
+
+bases := $(shell dirname $(shell find | grep kustomization.yaml | sort))
+
+all: $(bases)
+
+permutations := $(bases) $(addsuffix /,$(bases))
+.PHONY: $(permutations)
+$(permutations):
+ @echo $@
+ @warnings=$$(kustomize build $@ -o /dev/null 2>&1); \
+ if [ "$$warnings" ]; then \
+ echo "$$warnings"; \
+ false; \
+ fi
diff --git a/manifests/integrations/eventhub-credentials-sync/azure/kubectl-patch.yaml b/manifests/integrations/eventhub-credentials-sync/_base/kubectl-patch.yaml
similarity index 100%
rename from manifests/integrations/eventhub-credentials-sync/azure/kubectl-patch.yaml
rename to manifests/integrations/eventhub-credentials-sync/_base/kubectl-patch.yaml
diff --git a/manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml
index dfd56766..c4a8a062 100644
--- a/manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml
@@ -7,6 +7,9 @@ commonLabels:
 resources:
 - sync.yaml
 
+patchesStrategicMerge:
+ - kubectl-patch.yaml
+
 vars:
 - name: KUBE_SECRET
 objref:
@@ -15,13 +18,6 @@ vars:
 apiVersion: v1
 fieldref:
 fieldpath: data.KUBE_SECRET
- - name: ADDRESS
- objref:
- kind: ConfigMap
- name: credentials-sync-eventhub
- apiVersion: v1
- fieldref:
- fieldpath: data.ADDRESS
 
 configurations:
 - kustomizeconfig.yaml
diff --git a/manifests/integrations/eventhub-credentials-sync/_base/sync.yaml b/manifests/integrations/eventhub-credentials-sync/_base/sync.yaml
index 62ea86f0..409db4fd 100644
--- a/manifests/integrations/eventhub-credentials-sync/_base/sync.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_base/sync.yaml
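Review bot: The recipe under `$(permutations):` discards kustomize's exit status: the build runs inside `$$(...)` and the rule fails only when something was printed, so a non-zero exit with empty output is reported as success, and the check is really "no stderr output" rather than "build succeeded without warnings". Capture the status next to the output, `@warnings=$$(kustomize build $@ -o /dev/null 2>&1); status=$$?; \` and test both, `if [ "$$warnings" ] || [ "$$status" -ne 0 ]; then \`. The `bases` discovery on the second line uses `find | grep kustomization.yaml`, a substring match on the whole path that would also pick up names such as `kustomization.yaml.bak` and relies on `find` defaulting to `.`; `find . -name kustomization.yaml` is the precise form. A one-line comment above `permutations :=` saying why both `dir` and `dir/` are declared phony (presumably so tab-completed paths with a trailing slash work as goals) would spare the next reader the guess.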
@@ -109,9 +109,9 @@ rules:
 - create
 - update
 - patch
- # # Lock this down to the specific Secret name (Optional)
- #resourceNames:
- # - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
+ # Lock this down to the specific Secret name (Optional)
+ resourceNames:
+ - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kubectl-patch.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kubectl-patch.yaml
similarity index 95%
rename from manifests/integrations/registry-credentials-sync/_cronjobs/azure/kubectl-patch.yaml
rename to manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kubectl-patch.yaml
index b4d83e22..8d2164b1 100644
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kubectl-patch.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kubectl-patch.yaml
@@ -1,7 +1,7 @@
 apiVersion: batch/v1beta1
 kind: CronJob
 metadata:
- name: credentials-sync
+ name: credentials-sync-eventhub
 namespace: flux-system
 spec:
 jobTemplate:
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml
index dfd56766..c4a8a062 100644
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml
@@ -7,6 +7,9 @@ commonLabels:
 resources:
 - sync.yaml
 
+patchesStrategicMerge:
+ - kubectl-patch.yaml
+
 vars:
 - name: KUBE_SECRET
 objref:
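Review bot: The newly enabled `resourceNames` entry does not narrow the `create` verb listed three lines above it — Kubernetes RBAC cannot match a resource name on create, since the name is not part of the request URL — so this Role still allows creating a Secret of any name in the namespace, and only `update`/`patch` are scoped to `$(KUBE_SECRET)`. That is acceptable for first-time provisioning of the Secret, but it should be stated rather than implied; consider replacing the retained comment with `# resourceNames scopes update/patch only; RBAC cannot name-restrict create`, which also retires the now-stale "(Optional)" wording since the base enables the restriction unconditionally. The identical hunk in `_cronjobs/_base/sync.yaml` needs the same treatment. Substituting `$(KUBE_SECRET)` into `rules/resourceNames` also depends on the base `kustomizeconfig.yaml` declaring that varReference path for `Role`, which this diff does not show, so verify it against a `kustomize build` of each overlay.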
@@ -15,13 +18,6 @@ vars:
 apiVersion: v1
 fieldref:
 fieldpath: data.KUBE_SECRET
- - name: ADDRESS
- objref:
- kind: ConfigMap
- name: credentials-sync-eventhub
- apiVersion: v1
- fieldref:
- fieldpath: data.ADDRESS
 
 configurations:
 - kustomizeconfig.yaml
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/sync.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/sync.yaml
index e7fd16a7..56d47856 100644
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/sync.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/sync.yaml
@@ -85,9 +85,9 @@ rules:
 - create
 - update
 - patch
- # # Lock this down to the specific Secret name (Optional)
- #resourceNames:
- # - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
+ # Lock this down to the specific Secret name (Optional)
+ resourceNames:
+ - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/az-identity.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/az-identity.yaml
index 1591126b..38fa05ff 100644
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/az-identity.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/az-identity.yaml
@@ -12,5 +12,5 @@ metadata:
 name: lab
 namespace: flux-system
 spec:
- azureIdentity: lab
- selector: lab
+ azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
+ selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/config-patches.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/config-patches.yaml
index 3d0ffac4..8e8bc3a3 100644
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/config-patches.yaml +++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/config-patches.yaml @@ -23,15 +23,6 @@ spec: clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000 resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write type: 0 ---- -apiVersion: aadpodidentity.k8s.io/v1 -kind: AzureIdentityBinding -metadata: - name: lab - namespace: flux-system -spec: - azureIdentity: jwt-lab - selector: jwt-lab # Set the reconcile period + specify the pod-identity via the aadpodidbinding label --- diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kubectl-patch.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kubectl-patch.yaml deleted file mode 100644 index d05c07e5..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kubectl-patch.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: credentials-sync-eventhub - namespace: flux-system -spec: - jobTemplate: - spec: - template: - spec: - initContainers: - - image: bitnami/kubectl - securityContext: - privileged: false - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - name: copy-kubectl - # it's okay to do this because kubectl is a statically linked binary - command: - - sh - - -ceu - - cp $(which kubectl) /kbin/ - resources: {} - volumeMounts: - - name: kbin - mountPath: /kbin - containers: - - name: sync - volumeMounts: - - name: kbin - mountPath: /kbin - volumes: - - name: kbin - emptyDir: {} diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomization.yaml index 14a0d59f..f5ca8d55 100644 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomization.yaml 
+++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomization.yaml @@ -14,7 +14,6 @@ resources: patchesStrategicMerge: - config-patches.yaml - - kubectl-patch.yaml - reconcile-patch.yaml vars: diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml index 175f04a2..09c76747 100644 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml +++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml @@ -1,3 +1,7 @@ varReference: - - path: spec/jobTemplate/spec/template/metadata/labels - kind: CronJob +- path: spec/jobTemplate/spec/template/metadata/labels + kind: CronJob +- path: spec/azureIdentity + kind: AzureIdentityBinding +- path: spec/selector + kind: AzureIdentityBinding diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/config-patches.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/config-patches.yaml index b2374ac0..5eb1d262 100644 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/config-patches.yaml +++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/config-patches.yaml @@ -3,7 +3,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: credentials-sync-eventhub - namespace: flux-system data: KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace ADDRESS: "fluxv2" # the Azure Event Hub name diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kubectl-patch.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kubectl-patch.yaml deleted file mode 100644 index d05c07e5..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kubectl-patch.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: credentials-sync-eventhub - namespace: flux-system -spec: - jobTemplate: - spec: - template: - spec: - initContainers: - - image: bitnami/kubectl - securityContext: - privileged: false - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - name: copy-kubectl - # it's okay to do this because kubectl is a statically linked binary - command: - - sh - - -ceu - - cp $(which kubectl) /kbin/ - resources: {} - volumeMounts: - - name: kbin - mountPath: /kbin - containers: - - name: sync - volumeMounts: - - name: kbin - mountPath: /kbin - volumes: - - name: kbin - emptyDir: {} diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomization.yaml index 109f3a07..c67b113d 100644 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomization.yaml +++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomization.yaml @@ -14,8 +14,4 @@ resources: patchesStrategicMerge: - config-patches.yaml - - kubectl-patch.yaml - reconcile-patch.yaml - -configurations: - - kustomizeconfig.yaml diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomizeconfig.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomizeconfig.yaml deleted file mode 100644 index 175f04a2..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomizeconfig.yaml +++ /dev/null @@ -1,3 +0,0 @@ -varReference: - - path: spec/jobTemplate/spec/template/metadata/labels - kind: CronJob diff --git a/manifests/integrations/eventhub-credentials-sync/azure/az-identity.yaml b/manifests/integrations/eventhub-credentials-sync/azure/az-identity.yaml index 1591126b..32d8b574 100644 --- a/manifests/integrations/eventhub-credentials-sync/azure/az-identity.yaml 
+++ b/manifests/integrations/eventhub-credentials-sync/azure/az-identity.yaml @@ -9,8 +9,8 @@ metadata: apiVersion: aadpodidentity.k8s.io/v1 kind: AzureIdentityBinding metadata: - name: lab + name: lab # this can have a different name, but it's nice to keep them the same namespace: flux-system spec: - azureIdentity: lab - selector: lab + azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name + selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name diff --git a/manifests/integrations/eventhub-credentials-sync/azure/config-patches.yaml b/manifests/integrations/eventhub-credentials-sync/azure/config-patches.yaml index c285ed2c..3967cbb7 100644 --- a/manifests/integrations/eventhub-credentials-sync/azure/config-patches.yaml +++ b/manifests/integrations/eventhub-credentials-sync/azure/config-patches.yaml @@ -24,15 +24,6 @@ spec: clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000 resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write type: 0 ---- -apiVersion: aadpodidentity.k8s.io/v1 -kind: AzureIdentityBinding -metadata: - name: lab - namespace: flux-system -spec: - azureIdentity: jwt-lab - selector: jwt-lab # Specify the pod-identity via the aadpodidbinding label --- diff --git a/manifests/integrations/eventhub-credentials-sync/azure/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/azure/kustomization.yaml index 14a0d59f..f5ca8d55 100644 --- a/manifests/integrations/eventhub-credentials-sync/azure/kustomization.yaml +++ b/manifests/integrations/eventhub-credentials-sync/azure/kustomization.yaml @@ -14,7 +14,6 @@ resources: patchesStrategicMerge: - config-patches.yaml - - kubectl-patch.yaml - reconcile-patch.yaml vars: diff --git a/manifests/integrations/eventhub-credentials-sync/azure/kustomizeconfig.yaml b/manifests/integrations/eventhub-credentials-sync/azure/kustomizeconfig.yaml index afd68fe5..da4d902d 100644 
--- a/manifests/integrations/eventhub-credentials-sync/azure/kustomizeconfig.yaml +++ b/manifests/integrations/eventhub-credentials-sync/azure/kustomizeconfig.yaml @@ -1,3 +1,7 @@ varReference: - path: spec/template/metadata/labels kind: Deployment +- path: spec/azureIdentity + kind: AzureIdentityBinding +- path: spec/selector + kind: AzureIdentityBinding diff --git a/manifests/integrations/eventhub-credentials-sync/generic/kubectl-patch.yaml b/manifests/integrations/eventhub-credentials-sync/generic/kubectl-patch.yaml deleted file mode 100644 index 65226a0f..00000000 --- a/manifests/integrations/eventhub-credentials-sync/generic/kubectl-patch.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: credentials-sync-eventhub - namespace: flux-system -spec: - template: - spec: - initContainers: - - image: bitnami/kubectl - securityContext: - privileged: false - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - name: copy-kubectl - # it's okay to do this because kubectl is a statically linked binary - command: - - sh - - -ceu - - cp $(which kubectl) /kbin/ - resources: {} - volumeMounts: - - name: kbin - mountPath: /kbin - containers: - - name: sync - volumeMounts: - - name: kbin - mountPath: /kbin - volumes: - - name: kbin - emptyDir: {} diff --git a/manifests/integrations/eventhub-credentials-sync/generic/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/generic/kustomization.yaml index 109f3a07..c67b113d 100644 --- a/manifests/integrations/eventhub-credentials-sync/generic/kustomization.yaml +++ b/manifests/integrations/eventhub-credentials-sync/generic/kustomization.yaml @@ -14,8 +14,4 @@ resources: patchesStrategicMerge: - config-patches.yaml - - kubectl-patch.yaml - reconcile-patch.yaml - -configurations: - - kustomizeconfig.yaml 
diff --git a/manifests/integrations/eventhub-credentials-sync/generic/kustomizeconfig.yaml b/manifests/integrations/eventhub-credentials-sync/generic/kustomizeconfig.yaml deleted file mode 100644 index afd68fe5..00000000 --- a/manifests/integrations/eventhub-credentials-sync/generic/kustomizeconfig.yaml +++ /dev/null @@ -1,3 +0,0 @@ -varReference: -- path: spec/template/metadata/labels - kind: Deployment diff --git a/manifests/integrations/registry-credentials-sync/aws/kubectl-patch.yaml b/manifests/integrations/registry-credentials-sync/_base/kubectl-patch.yaml similarity index 100% rename from manifests/integrations/registry-credentials-sync/aws/kubectl-patch.yaml rename to manifests/integrations/registry-credentials-sync/_base/kubectl-patch.yaml diff --git a/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml index c26a2c0a..2218f2b8 100644 --- a/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml +++ b/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml @@ -7,6 +7,9 @@ commonLabels: resources: - sync.yaml +patchesStrategicMerge: + - kubectl-patch.yaml + vars: - name: KUBE_SECRET objref: diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kubectl-patch.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kubectl-patch.yaml similarity index 100% rename from manifests/integrations/registry-credentials-sync/_cronjobs/aws/kubectl-patch.yaml rename to manifests/integrations/registry-credentials-sync/_cronjobs/_base/kubectl-patch.yaml diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml index c26a2c0a..2218f2b8 100644 --- a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml 
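Review bot: The added `patchesStrategicMerge: - kubectl-patch.yaml` makes the file promoted from `aws/` the kubectl init-container patch for every registry-credentials-sync overlay, but that file's contents are not shown here (100% rename), so its hardening cannot be checked from this diff. The azure copy deleted further down sets no `securityContext` on the `copy-kubectl` initContainer, whereas the deleted eventhub copies set `privileged: false`, `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false`; confirm the promoted base carries those fields, since the base is now the only place they can live. Every deleted copy also pulls `bitnami/kubectl` with no tag or digest, so the binary copied into `/kbin` is whatever that tag resolves to at pull time; if the base does the same, pin it, e.g. `image: bitnami/kubectl:<VERSION>@sha256:<DIGEST>` (placeholders). The same promotion happens in `_cronjobs/_base/kustomization.yaml` and in both eventhub-credentials-sync bases earlier in this commit.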
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml @@ -7,6 +7,9 @@ commonLabels: resources: - sync.yaml +patchesStrategicMerge: + - kubectl-patch.yaml + vars: - name: KUBE_SECRET objref: diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml index 11eea1b4..6e58e58b 100644 --- a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml +++ b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml @@ -14,7 +14,6 @@ bases: patchesStrategicMerge: - config-patches.yaml -- kubectl-patch.yaml - reconcile-patch.yaml ## uncomment if using encrypted-secret.yaml diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/az-identity.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/az-identity.yaml index c3c6be81..8b365507 100644 --- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/az-identity.yaml +++ b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/az-identity.yaml @@ -5,3 +5,12 @@ kind: AzureIdentity metadata: name: credentials-sync # if this is changed, also change in config-patches.yaml namespace: flux-system +--- +apiVersion: aadpodidentity.k8s.io/v1 +kind: AzureIdentityBinding +metadata: + name: credentials-sync # this can have a different name, but it's nice to keep them the same + namespace: flux-system +spec: + azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name + selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml index 1dd497e0..54c333a9 100644 --- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml 
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml @@ -14,7 +14,6 @@ resources: patchesStrategicMerge: - config-patches.yaml -- kubectl-patch.yaml - reconcile-patch.yaml vars: diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml index 22524c1d..09c76747 100644 --- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml +++ b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml @@ -1,3 +1,7 @@ varReference: - path: spec/jobTemplate/spec/template/metadata/labels - kind: Deployment + kind: CronJob +- path: spec/azureIdentity + kind: AzureIdentityBinding +- path: spec/selector + kind: AzureIdentityBinding diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/reconcile-patch.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/reconcile-patch.yaml index 5b5ced3f..84dea7d3 100644 --- a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/reconcile-patch.yaml +++ b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/reconcile-patch.yaml @@ -10,7 +10,7 @@ spec: spec: containers: - name: sync - image: aws/aws-cli + image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine env: - name: RECONCILE_SH value: |- diff --git a/manifests/integrations/registry-credentials-sync/aws/kustomization.yaml b/manifests/integrations/registry-credentials-sync/aws/kustomization.yaml index 11eea1b4..6e58e58b 100644 --- a/manifests/integrations/registry-credentials-sync/aws/kustomization.yaml +++ b/manifests/integrations/registry-credentials-sync/aws/kustomization.yaml @@ -14,7 +14,6 @@ bases: patchesStrategicMerge: - config-patches.yaml -- kubectl-patch.yaml - reconcile-patch.yaml ## uncomment if using encrypted-secret.yaml 
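Review bot: The replacement on the `image:` line, `gcr.io/google.com/cloudsdktool/cloud-sdk:alpine`, is a floating tag, so the CronJob that holds write access to the registry credential Secret will run whatever that tag resolves to at each pull; pin it to a reviewed build, `image: gcr.io/google.com/cloudsdktool/cloud-sdk:<VERSION>@sha256:<DIGEST>` (placeholders to fill in). The fix itself is right — `aws/aws-cli` in a gcp overlay was clearly a copy-paste leftover — and the same unpinned value is introduced in `registry-credentials-sync/gcp/reconcile-patch.yaml` at the end of this diff. The `env:` block and the `RECONCILE_SH` script that depend on this image continue outside the hunk.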
diff --git a/manifests/integrations/registry-credentials-sync/azure/az-identity.yaml b/manifests/integrations/registry-credentials-sync/azure/az-identity.yaml index c3c6be81..8b365507 100644 --- a/manifests/integrations/registry-credentials-sync/azure/az-identity.yaml +++ b/manifests/integrations/registry-credentials-sync/azure/az-identity.yaml @@ -5,3 +5,12 @@ kind: AzureIdentity metadata: name: credentials-sync # if this is changed, also change in config-patches.yaml namespace: flux-system +--- +apiVersion: aadpodidentity.k8s.io/v1 +kind: AzureIdentityBinding +metadata: + name: credentials-sync # this can have a different name, but it's nice to keep them the same + namespace: flux-system +spec: + azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name + selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name diff --git a/manifests/integrations/registry-credentials-sync/azure/kubectl-patch.yaml b/manifests/integrations/registry-credentials-sync/azure/kubectl-patch.yaml deleted file mode 100644 index b054d7ce..00000000 --- a/manifests/integrations/registry-credentials-sync/azure/kubectl-patch.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: credentials-sync - namespace: flux-system -spec: - template: - spec: - initContainers: - - image: bitnami/kubectl - name: copy-kubectl - # it's okay to do this because kubectl is a statically linked binary - command: - - sh - - -ceu - - cp $(which kubectl) /kbin/ - resources: {} - volumeMounts: - - name: kbin - mountPath: /kbin - containers: - - name: sync - volumeMounts: - - name: kbin - mountPath: /kbin - volumes: - - name: kbin - emptyDir: {} diff --git a/manifests/integrations/registry-credentials-sync/azure/kustomization.yaml b/manifests/integrations/registry-credentials-sync/azure/kustomization.yaml index 1dd497e0..54c333a9 100644 --- a/manifests/integrations/registry-credentials-sync/azure/kustomization.yaml 
+++ b/manifests/integrations/registry-credentials-sync/azure/kustomization.yaml @@ -14,7 +14,6 @@ resources: patchesStrategicMerge: - config-patches.yaml -- kubectl-patch.yaml - reconcile-patch.yaml vars: diff --git a/manifests/integrations/registry-credentials-sync/azure/kustomizeconfig.yaml b/manifests/integrations/registry-credentials-sync/azure/kustomizeconfig.yaml index afd68fe5..da4d902d 100644 --- a/manifests/integrations/registry-credentials-sync/azure/kustomizeconfig.yaml +++ b/manifests/integrations/registry-credentials-sync/azure/kustomizeconfig.yaml @@ -1,3 +1,7 @@ varReference: - path: spec/template/metadata/labels kind: Deployment +- path: spec/azureIdentity + kind: AzureIdentityBinding +- path: spec/selector + kind: AzureIdentityBinding diff --git a/manifests/integrations/registry-credentials-sync/gcp/reconcile-patch.yaml b/manifests/integrations/registry-credentials-sync/gcp/reconcile-patch.yaml index 9c78e4f4..8b637f3f 100644 --- a/manifests/integrations/registry-credentials-sync/gcp/reconcile-patch.yaml +++ b/manifests/integrations/registry-credentials-sync/gcp/reconcile-patch.yaml @@ -9,7 +9,7 @@ spec: spec: containers: - name: sync - image: aws/aws-cli + image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine env: - name: RECONCILE_SH value: |-