mirror of https://github.com/fluxcd/flux2.git
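---
# ConfigMap carrying the three settings for the ACR credential sync:
# the registry name, the Secret to write, and the refresh period.
# Presumably read by the credentials-sync Deployment in this file -- confirm.
apiVersion: v1
kind: ConfigMap
metadata:
  name: credentials-sync
data:
  ACR_NAME: my-registry  # sample registry name
  KUBE_SECRET: acr-my-registry  # does not yet exist -- will be created in the same Namespace
  # Presumably seconds (3600 = 1 hour) -- confirm against the sync job.
  SYNC_PERIOD: "3600"  # ACR tokens expire every 3 hours; refresh faster than that

# Create an identity in Azure and assign it a role to pull from ACR (note: the identity's resourceGroup should match the desired ACR):
#     az identity create -n acr-sync
# Least privilege: pass --scope with the registry's resource ID so that the
# AcrPull grant is pinned to this one registry and not to a wider scope.
#     az role assignment create --role AcrPull \
#       --assignee-object-id "$(az identity show -n acr-sync -o tsv --query principalId)" \
#       --scope "$(az acr show -n my-registry -o tsv --query id)"
# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
#     az identity show -n acr-sync -otsv --query clientId
#     az identity show -n acr-sync -otsv --query resourceId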
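---
# AzureIdentity (aadpodidentity.k8s.io CRD) pointing at the user-assigned
# managed identity that holds the AcrPull role.
# NOTE(review): the aad-pod-identity project has been deprecated upstream in
# favour of Azure AD Workload Identity -- check before using it on new clusters.
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: credentials-sync  # name must match the stub-resource in az-identity.yaml
  namespace: flux-system
spec:
  # Sample values: replace both with the output of the `az identity show`
  # queries for clientId and resourceId. They identify the managed identity;
  # what it can reach is decided by its role assignments.
  clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
  resourceID: /subscriptions/873c7e7f-76cd-4805-ae86-b923850b0000/resourcegroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/acr-sync
  type: 0  # user-managed identity

# Specify the pod-identity via the aadpodidbinding label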
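---
# Partial Deployment: only the pod-template label is set here; the rest of
# the spec is presumably supplied by the resource this patches -- confirm.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: credentials-sync
  namespace: flux-system
spec:
  template:
    metadata:
      labels:
        # $(AZ_IDENTITY_NAME) is a placeholder and must be substituted before
        # apply (presumably a kustomize var defined outside this file); the
        # literal text is not a valid label value.
        # Pods with this label can obtain tokens for the bound identity, so
        # keep it off unrelated workloads.
        # NOTE(review): aad-pod-identity matches this label against an
        # AzureIdentityBinding selector; no binding is shown here -- confirm
        # that its selector equals this value.
        aadpodidbinding: $(AZ_IDENTITY_NAME)  # match the AzureIdentity name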