Merge pull request #1472 from fluxcd/go-git-v5.4.2

Update go-git to v5.4.2

go.mod

@@ -7,17 +7,17 @@ require (
 	github.com/cyphar/filepath-securejoin v0.2.2
 	github.com/fluxcd/go-git-providers v0.1.1
 	github.com/fluxcd/helm-controller/api v0.10.1
-	github.com/fluxcd/image-automation-controller/api v0.10.0
+	github.com/fluxcd/image-automation-controller/api v0.11.0
 	github.com/fluxcd/image-reflector-controller/api v0.9.1
-	github.com/fluxcd/kustomize-controller/api v0.12.1
+	github.com/fluxcd/kustomize-controller/api v0.12.2
 	github.com/fluxcd/notification-controller/api v0.14.1
 	github.com/fluxcd/pkg/apis/meta v0.9.0
 	github.com/fluxcd/pkg/runtime v0.11.0
 	github.com/fluxcd/pkg/ssh v0.0.5
 	github.com/fluxcd/pkg/untar v0.0.5
 	github.com/fluxcd/pkg/version v0.0.1
-	github.com/fluxcd/source-controller/api v0.13.1
+	github.com/fluxcd/source-controller/api v0.13.2
-	github.com/go-git/go-git/v5 v5.4.1
+	github.com/go-git/go-git/v5 v5.4.2
 	github.com/google/go-containerregistry v0.2.0
 	github.com/manifoldco/promptui v0.7.0
 	github.com/olekukonko/tablewriter v0.0.4

go.sum

@@ -196,12 +196,12 @@ github.com/fluxcd/go-git-providers v0.1.1 h1:R4VafMOo1IlfEZcImApCeElge/HajhFvRzD
 github.com/fluxcd/go-git-providers v0.1.1/go.mod h1:nRgNpHZmZhrsyNSma1JcAhjUG9xrqMGJcIUr9K7M7vk=
 github.com/fluxcd/helm-controller/api v0.10.1 h1:p0zlz6Z8SLgN+xXNPgCC8mUKMDQHnhMwt80NZA1qecs=
 github.com/fluxcd/helm-controller/api v0.10.1/go.mod h1:IZ/d5VdxolemPILdN4xeVnHO7kXpUTND/9vJ/rnS/7U=
-github.com/fluxcd/image-automation-controller/api v0.10.0 h1:iZJAxD3Zyh2p1+TCI6oRASzORL67x+zMTDDkeatcF3A=
+github.com/fluxcd/image-automation-controller/api v0.11.0 h1:YWO3tBM+rcKJ1JMVPYhRR+yC8HwnY6EjpSxCusRTxdU=
-github.com/fluxcd/image-automation-controller/api v0.10.0/go.mod h1:fsRQZMN60ZJ8uNW79ikiEJE0UeL4tmRQdSBWC1wSgbU=
+github.com/fluxcd/image-automation-controller/api v0.11.0/go.mod h1:L6m0LDs0sDhLH0+LRqTNlVt+6H3RyMgFbaLCaMV46ss=
 github.com/fluxcd/image-reflector-controller/api v0.9.1 h1:l1PrkVcdjb5hR3xaKX1ULv2LaMPYAfky/xYHAwhvro0=
 github.com/fluxcd/image-reflector-controller/api v0.9.1/go.mod h1:gFoTJFs977JhE1H6RQSlGwYJGw12aIFDi5ljAn3rtUc=
-github.com/fluxcd/kustomize-controller/api v0.12.1 h1:ynwdZtUqD6yLCbgXcf25En2Yk/EWNHuZEvBNk3k8eo0=
+github.com/fluxcd/kustomize-controller/api v0.12.2 h1:Tl0ZmytU5bDJxncZeugyCgj6ImfXIsneNsuf3VE4t90=
-github.com/fluxcd/kustomize-controller/api v0.12.1/go.mod h1:jBVfw3uQ09Iitt83lZVbCKO7ep+diWprt8CoP6yeSsw=
+github.com/fluxcd/kustomize-controller/api v0.12.2/go.mod h1:jBVfw3uQ09Iitt83lZVbCKO7ep+diWprt8CoP6yeSsw=
 github.com/fluxcd/notification-controller/api v0.14.1 h1:K24AyIz2UDlnAaYTwYpL0BqOjjJrkO7RxrZCQIKCZYg=
 github.com/fluxcd/notification-controller/api v0.14.1/go.mod h1:0ndWAtU/nlhbiWhOk8ai4/M9q7csjbWVcXcWREs2A10=
 github.com/fluxcd/pkg/apis/kustomize v0.0.1 h1:TkA80R0GopRY27VJqzKyS6ifiKIAfwBd7OHXtV3t2CI=
@@ -216,9 +216,8 @@ github.com/fluxcd/pkg/untar v0.0.5 h1:UGI3Ch1UIEIaqQvMicmImL1s9npQa64DJ/ozqHKB7g
 github.com/fluxcd/pkg/untar v0.0.5/go.mod h1:O6V9+rtl8c1mHBafgqFlJN6zkF1HS5SSYn7RpQJ/nfw=
 github.com/fluxcd/pkg/version v0.0.1 h1:/8asQoDXSThz3csiwi4Qo8Zb6blAxLXbtxNgeMJ9bCg=
 github.com/fluxcd/pkg/version v0.0.1/go.mod h1:WAF4FEEA9xyhngF8TDxg3UPu5fA1qhEYV8Pmi2Il01Q=
-github.com/fluxcd/source-controller/api v0.13.0/go.mod h1:+EPyhxC7Y+hUnq7EwAkkLtfbwCxJxF5yfmiyzDk43KY=
+github.com/fluxcd/source-controller/api v0.13.2 h1:LdWeapRXal3FmxTKEMh6wshg7u8Z3V3IDiB8TOPwM9o=
-github.com/fluxcd/source-controller/api v0.13.1 h1:KzWAECWZBfVROCd7pXojPTd+s/YKu0RFsdTTDi1Djy4=
+github.com/fluxcd/source-controller/api v0.13.2/go.mod h1:+EPyhxC7Y+hUnq7EwAkkLtfbwCxJxF5yfmiyzDk43KY=
-github.com/fluxcd/source-controller/api v0.13.1/go.mod h1:+EPyhxC7Y+hUnq7EwAkkLtfbwCxJxF5yfmiyzDk43KY=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible h1:TcekIExNqud5crz4xD2pavyTgWiPvpYe4Xau31I0PRk=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
@@ -242,8 +241,8 @@ github.com/go-git/go-billy/v5 v5.3.1 h1:CPiOUAzKtMRvolEKw+bG1PLRpT7D3LIs3/3ey4Ai
 github.com/go-git/go-billy/v5 v5.3.1/go.mod h1:pmpqyWchKfYfrkb/UVH4otLvyi/5gJlGI4Hb3ZqZ3W0=
 github.com/go-git/go-git-fixtures/v4 v4.2.1 h1:n9gGL1Ct/yIw+nfsfr8s4+sbhT+Ncu2SubfXjIWgci8=
 github.com/go-git/go-git-fixtures/v4 v4.2.1/go.mod h1:K8zd3kDUAykwTdDCr+I0per6Y6vMiRR/nnVTBtavnB0=
-github.com/go-git/go-git/v5 v5.4.1 h1:2RJXJuTMac944e419pJJJ3mOJBcr3A3M6SN6wQKZ/Gs=
+github.com/go-git/go-git/v5 v5.4.2 h1:BXyZu9t0VkbiHtqrsvdq39UDhGJTl1h55VW6CSC4aY4=
-github.com/go-git/go-git/v5 v5.4.1/go.mod h1:gQ1kArt6d+n+BGd+/B/I74HwRTLhth2+zti4ihgckDc=
+github.com/go-git/go-git/v5 v5.4.2/go.mod h1:gQ1kArt6d+n+BGd+/B/I74HwRTLhth2+zti4ihgckDc=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=

manifests/bases/image-automation-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/image-automation-controller/releases/download/v0.10.0/image-automation-controller.crds.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v0.11.0/image-automation-controller.crds.yaml
-- https://github.com/fluxcd/image-automation-controller/releases/download/v0.10.0/image-automation-controller.deployment.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v0.11.0/image-automation-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/bases/kustomize-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/kustomize-controller/releases/download/v0.12.1/kustomize-controller.crds.yaml
+- https://github.com/fluxcd/kustomize-controller/releases/download/v0.12.2/kustomize-controller.crds.yaml
-- https://github.com/fluxcd/kustomize-controller/releases/download/v0.12.1/kustomize-controller.deployment.yaml
+- https://github.com/fluxcd/kustomize-controller/releases/download/v0.12.2/kustomize-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/bases/source-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v0.13.1/source-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.13.2/source-controller.crds.yaml
-- https://github.com/fluxcd/source-controller/releases/download/v0.13.1/source-controller.deployment.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.13.2/source-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/crds/kustomization.yaml

@@ -1,9 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v0.13.1/source-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.13.2/source-controller.crds.yaml
-- https://github.com/fluxcd/kustomize-controller/releases/download/v0.12.1/kustomize-controller.crds.yaml
+- https://github.com/fluxcd/kustomize-controller/releases/download/v0.12.2/kustomize-controller.crds.yaml
 - https://github.com/fluxcd/helm-controller/releases/download/v0.10.1/helm-controller.crds.yaml
 - https://github.com/fluxcd/notification-controller/releases/download/v0.14.1/notification-controller.crds.yaml
 - https://github.com/fluxcd/image-reflector-controller/releases/download/v0.9.1/image-reflector-controller.crds.yaml
-- https://github.com/fluxcd/image-automation-controller/releases/download/v0.10.0/image-automation-controller.crds.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v0.11.0/image-automation-controller.crds.yaml

manifests/integrations/Makefile

@@ -0,0 +1,14 @@
+
+bases := $(shell dirname $(shell find | grep kustomization.yaml | sort))
+
+all: $(bases)
+
+permutations := $(bases) $(addsuffix /,$(bases))
+.PHONY: $(permutations)
+$(permutations):
+	@echo $@
+	@warnings=$$(kustomize build $@ -o /dev/null 2>&1); \
+		if [ "$$warnings" ]; then \
+			echo "$$warnings"; \
+			false; \
+		fi

manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml

@@ -7,6 +7,9 @@ commonLabels:
 resources:
   - sync.yaml
 
+patchesStrategicMerge:
+  - kubectl-patch.yaml
+
 vars:
   - name: KUBE_SECRET
     objref:
@@ -15,13 +18,6 @@ vars:
       apiVersion: v1
     fieldref:
       fieldpath: data.KUBE_SECRET
-  - name: ADDRESS
-    objref:
-      kind: ConfigMap
-      name: credentials-sync-eventhub
-      apiVersion: v1
-    fieldref:
-      fieldpath: data.ADDRESS
 
 configurations:
   - kustomizeconfig.yaml

manifests/integrations/eventhub-credentials-sync/_base/sync.yaml

@@ -109,9 +109,9 @@ rules:
       - create
       - update
       - patch
-    # # Lock this down to the specific Secret name  (Optional)
+    # Lock this down to the specific Secret name  (Optional)
-    #resourceNames:
+    resourceNames:
-    #  - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
+     - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kubectl-patch.yaml

@@ -1,7 +1,7 @@
 apiVersion: batch/v1beta1
 kind: CronJob
 metadata:
-  name: credentials-sync
+  name: credentials-sync-eventhub
   namespace: flux-system
 spec:
   jobTemplate:

manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml

@@ -7,6 +7,9 @@ commonLabels:
 resources:
   - sync.yaml
 
+patchesStrategicMerge:
+  - kubectl-patch.yaml
+
 vars:
   - name: KUBE_SECRET
     objref:
@@ -15,13 +18,6 @@ vars:
       apiVersion: v1
     fieldref:
       fieldpath: data.KUBE_SECRET
-  - name: ADDRESS
-    objref:
-      kind: ConfigMap
-      name: credentials-sync-eventhub
-      apiVersion: v1
-    fieldref:
-      fieldpath: data.ADDRESS
 
 configurations:
   - kustomizeconfig.yaml

manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/sync.yaml

@@ -85,9 +85,9 @@ rules:
       - create
       - update
       - patch
-    # # Lock this down to the specific Secret name  (Optional)
+    # Lock this down to the specific Secret name  (Optional)
-    #resourceNames:
+    resourceNames:
-    #  - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
+     - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/az-identity.yaml

@@ -12,5 +12,5 @@ metadata:
   name: lab
   namespace: flux-system
 spec:
-  azureIdentity: lab
+  azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
-  selector: lab
+  selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name

manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/config-patches.yaml

@@ -23,15 +23,6 @@ spec:
   clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
   resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write
   type: 0
----
-apiVersion: aadpodidentity.k8s.io/v1
-kind: AzureIdentityBinding
-metadata:
-  name: lab
-  namespace: flux-system
-spec:
-  azureIdentity: jwt-lab
-  selector: jwt-lab
 
 # Set the reconcile period + specify the pod-identity via the aadpodidbinding label
 ---

manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kubectl-patch.yaml

@@ -1,34 +0,0 @@
-apiVersion: batch/v1beta1
-kind: CronJob
-metadata:
-  name: credentials-sync-eventhub
-  namespace: flux-system
-spec:
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          initContainers:
-            - image: bitnami/kubectl
-              securityContext:
-                privileged: false
-                readOnlyRootFilesystem: true
-                allowPrivilegeEscalation: false
-              name: copy-kubectl
-              # it's okay to do this because kubectl is a statically linked binary
-              command:
-                - sh
-                - -ceu
-                - cp $(which kubectl) /kbin/
-              resources: {}
-              volumeMounts:
-                - name: kbin
-                  mountPath: /kbin
-          containers:
-            - name: sync
-              volumeMounts:
-                - name: kbin
-                  mountPath: /kbin
-          volumes:
-            - name: kbin
-              emptyDir: {}

manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomization.yaml

@@ -14,7 +14,6 @@ resources:
 
 patchesStrategicMerge:
   - config-patches.yaml
-  - kubectl-patch.yaml
   - reconcile-patch.yaml
 
 vars:

manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml

@@ -1,3 +1,7 @@
 varReference:
-  - path: spec/jobTemplate/spec/template/metadata/labels
+- path: spec/jobTemplate/spec/template/metadata/labels
-    kind: CronJob
+  kind: CronJob
+- path: spec/azureIdentity
+  kind: AzureIdentityBinding
+- path: spec/selector
+  kind: AzureIdentityBinding

manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/config-patches.yaml

@@ -3,7 +3,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: credentials-sync-eventhub
-  namespace: flux-system
 data:
   KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
   ADDRESS: "fluxv2" # the Azure Event Hub name

manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kubectl-patch.yaml

@@ -1,34 +0,0 @@
-apiVersion: batch/v1beta1
-kind: CronJob
-metadata:
-  name: credentials-sync-eventhub
-  namespace: flux-system
-spec:
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          initContainers:
-            - image: bitnami/kubectl
-              securityContext:
-                privileged: false
-                readOnlyRootFilesystem: true
-                allowPrivilegeEscalation: false
-              name: copy-kubectl
-              # it's okay to do this because kubectl is a statically linked binary
-              command:
-                - sh
-                - -ceu
-                - cp $(which kubectl) /kbin/
-              resources: {}
-              volumeMounts:
-                - name: kbin
-                  mountPath: /kbin
-          containers:
-            - name: sync
-              volumeMounts:
-                - name: kbin
-                  mountPath: /kbin
-          volumes:
-            - name: kbin
-              emptyDir: {}

manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomization.yaml

@@ -14,8 +14,4 @@ resources:
 
 patchesStrategicMerge:
   - config-patches.yaml
-  - kubectl-patch.yaml
   - reconcile-patch.yaml
-
-configurations:
-  - kustomizeconfig.yaml

manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomizeconfig.yaml

@@ -1,3 +0,0 @@
-varReference:
-  - path: spec/jobTemplate/spec/template/metadata/labels
-    kind: CronJob

manifests/integrations/eventhub-credentials-sync/azure/az-identity.yaml

@@ -9,8 +9,8 @@ metadata:
 apiVersion: aadpodidentity.k8s.io/v1
 kind: AzureIdentityBinding
 metadata:
-  name: lab
+  name: lab # this can have a different name, but it's nice to keep them the same
   namespace: flux-system
 spec:
-  azureIdentity: lab
+  azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
-  selector: lab
+  selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name

manifests/integrations/eventhub-credentials-sync/azure/config-patches.yaml

@@ -24,15 +24,6 @@ spec:
   clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
   resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write
   type: 0
----
-apiVersion: aadpodidentity.k8s.io/v1
-kind: AzureIdentityBinding
-metadata:
-  name: lab
-  namespace: flux-system
-spec:
-  azureIdentity: jwt-lab
-  selector: jwt-lab
 
 # Specify the pod-identity via the aadpodidbinding label
 ---

manifests/integrations/eventhub-credentials-sync/azure/kustomization.yaml

@@ -14,7 +14,6 @@ resources:
 
 patchesStrategicMerge:
   - config-patches.yaml
-  - kubectl-patch.yaml
   - reconcile-patch.yaml
 
 vars:

manifests/integrations/eventhub-credentials-sync/azure/kustomizeconfig.yaml

@@ -1,3 +1,7 @@
 varReference:
 - path: spec/template/metadata/labels
   kind: Deployment
+- path: spec/azureIdentity
+  kind: AzureIdentityBinding
+- path: spec/selector
+  kind: AzureIdentityBinding

manifests/integrations/eventhub-credentials-sync/generic/kubectl-patch.yaml

@@ -1,32 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: credentials-sync-eventhub
-  namespace: flux-system
-spec:
-  template:
-    spec:
-      initContainers:
-        - image: bitnami/kubectl
-          securityContext:
-            privileged: false
-            readOnlyRootFilesystem: true
-            allowPrivilegeEscalation: false
-          name: copy-kubectl
-          # it's okay to do this because kubectl is a statically linked binary
-          command:
-            - sh
-            - -ceu
-            - cp $(which kubectl) /kbin/
-          resources: {}
-          volumeMounts:
-            - name: kbin
-              mountPath: /kbin
-      containers:
-        - name: sync
-          volumeMounts:
-            - name: kbin
-              mountPath: /kbin
-      volumes:
-        - name: kbin
-          emptyDir: {}

manifests/integrations/eventhub-credentials-sync/generic/kustomization.yaml

@@ -14,8 +14,4 @@ resources:
 
 patchesStrategicMerge:
   - config-patches.yaml
-  - kubectl-patch.yaml
   - reconcile-patch.yaml
-
-configurations:
-  - kustomizeconfig.yaml

manifests/integrations/eventhub-credentials-sync/generic/kustomizeconfig.yaml

@@ -1,3 +0,0 @@
-varReference:
-- path: spec/template/metadata/labels
-  kind: Deployment

manifests/integrations/registry-credentials-sync/_base/kustomization.yaml

@@ -7,6 +7,9 @@ commonLabels:
 resources:
 - sync.yaml
 
+patchesStrategicMerge:
+  - kubectl-patch.yaml
+
 vars:
 - name: KUBE_SECRET
   objref:

manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml

@@ -7,6 +7,9 @@ commonLabels:
 resources:
 - sync.yaml
 
+patchesStrategicMerge:
+  - kubectl-patch.yaml
+
 vars:
 - name: KUBE_SECRET
   objref:

manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml

@@ -14,7 +14,6 @@ bases:
 
 patchesStrategicMerge:
 - config-patches.yaml
-- kubectl-patch.yaml
 - reconcile-patch.yaml
 
 ## uncomment if using encrypted-secret.yaml

manifests/integrations/registry-credentials-sync/_cronjobs/azure/az-identity.yaml

@@ -5,3 +5,12 @@ kind: AzureIdentity
 metadata:
   name: credentials-sync  # if this is changed, also change in config-patches.yaml
   namespace: flux-system
+---
+apiVersion: aadpodidentity.k8s.io/v1
+kind: AzureIdentityBinding
+metadata:
+  name: credentials-sync  # this can have a different name, but it's nice to keep them the same
+  namespace: flux-system
+spec:
+  azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
+  selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name

manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml

@@ -14,7 +14,6 @@ resources:
 
 patchesStrategicMerge:
 - config-patches.yaml
-- kubectl-patch.yaml
 - reconcile-patch.yaml
 
 vars:

manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml

@@ -1,3 +1,7 @@
 varReference:
 - path: spec/jobTemplate/spec/template/metadata/labels
-  kind: Deployment
+  kind: CronJob
+- path: spec/azureIdentity
+  kind: AzureIdentityBinding
+- path: spec/selector
+  kind: AzureIdentityBinding

manifests/integrations/registry-credentials-sync/_cronjobs/gcp/reconcile-patch.yaml

@@ -10,7 +10,7 @@ spec:
         spec:
           containers:
           - name: sync
-            image: aws/aws-cli
+            image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine
             env:
             - name: RECONCILE_SH
               value: |-

manifests/integrations/registry-credentials-sync/aws/kustomization.yaml

@@ -14,7 +14,6 @@ bases:
 
 patchesStrategicMerge:
 - config-patches.yaml
-- kubectl-patch.yaml
 - reconcile-patch.yaml
 
 ## uncomment if using encrypted-secret.yaml

manifests/integrations/registry-credentials-sync/azure/az-identity.yaml

@@ -5,3 +5,12 @@ kind: AzureIdentity
 metadata:
   name: credentials-sync  # if this is changed, also change in config-patches.yaml
   namespace: flux-system
+---
+apiVersion: aadpodidentity.k8s.io/v1
+kind: AzureIdentityBinding
+metadata:
+  name: credentials-sync  # this can have a different name, but it's nice to keep them the same
+  namespace: flux-system
+spec:
+  azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
+  selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name

manifests/integrations/registry-credentials-sync/azure/kubectl-patch.yaml

@@ -1,28 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: credentials-sync
-  namespace: flux-system
-spec:
-  template:
-    spec:
-      initContainers:
-      - image: bitnami/kubectl
-        name: copy-kubectl
-        # it's okay to do this because kubectl is a statically linked binary
-        command:
-        - sh
-        - -ceu
-        - cp $(which kubectl) /kbin/
-        resources: {}
-        volumeMounts:
-        - name: kbin
-          mountPath: /kbin
-      containers:
-      - name: sync
-        volumeMounts:
-        - name: kbin
-          mountPath: /kbin
-      volumes:
-      - name: kbin
-        emptyDir: {}

manifests/integrations/registry-credentials-sync/azure/kustomization.yaml

@@ -14,7 +14,6 @@ resources:
 
 patchesStrategicMerge:
 - config-patches.yaml
-- kubectl-patch.yaml
 - reconcile-patch.yaml
 
 vars:

manifests/integrations/registry-credentials-sync/azure/kustomizeconfig.yaml

@@ -1,3 +1,7 @@
 varReference:
 - path: spec/template/metadata/labels
   kind: Deployment
+- path: spec/azureIdentity
+  kind: AzureIdentityBinding
+- path: spec/selector
+  kind: AzureIdentityBinding

manifests/integrations/registry-credentials-sync/gcp/reconcile-patch.yaml

@@ -9,7 +9,7 @@ spec:
     spec:
       containers:
       - name: sync
-        image: aws/aws-cli
+        image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine
         env:
         - name: RECONCILE_SH
           value: |-