--- apiVersion: v1 kind: ConfigMap metadata: name: credentials-sync-eventhub data: KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace ADDRESS: "fluxv2" # the Azure Event Hub name # Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub): # az identity create -n eventhub-write # az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)" # Fetch the clientID and resourceID to configure the AzureIdentity spec below: # az identity show -n eventhub-write -otsv --query clientId # az identity show -n eventhub-write -otsv --query resourceId --- apiVersion: aadpodidentity.k8s.io/v1 kind: AzureIdentity metadata: name: lab namespace: flux-system spec: clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000 resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write type: 0 # Set the reconcile period + specify the pod-identity via the aadpodidbinding label --- apiVersion: batch/v1beta1 kind: CronJob metadata: name: credentials-sync-eventhub namespace: flux-system spec: schedule: 0 * * * * # JWT tokens expire every 24 hours; refresh faster than that jobTemplate: spec: template: metadata: labels: aadpodidbinding: $(AZ_IDENTITY_NAME) # match the AzureIdentity name