mirror of https://github.com/fluxcd/flux2.git
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
102 lines
2.8 KiB
YAML
102 lines
2.8 KiB
YAML
---
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: credentials-sync
|
|
data:
|
|
# Patch this ConfigMap with additional values needed for your cloud
|
|
KUBE_SECRET: my-registry-token # does not yet exist -- will be created in the same Namespace
|
|
|
|
---
|
|
# This CronJob frequently fetches registry tokens and applies them as an imagePullSecret.
|
|
# note: CronJob scheduling can block cluster bootstraps and cold-reboots from obtaining registry tokens for a considerable time.
|
|
# To run the job immediately, do `kubectl create job --from=cronjob/credentials-sync -n flux-system credentials-sync-init`
|
|
apiVersion: batch/v1beta1
|
|
kind: CronJob
|
|
metadata:
|
|
name: credentials-sync
|
|
namespace: flux-system
|
|
spec:
|
|
suspend: false
|
|
schedule: 0 */6 * * *
|
|
failedJobsHistoryLimit: 1
|
|
successfulJobsHistoryLimit: 1
|
|
jobTemplate:
|
|
spec:
|
|
template:
|
|
spec:
|
|
serviceAccountName: credentials-sync
|
|
restartPolicy: Never
|
|
containers:
|
|
- image: busybox # override this with a cloud-specific image
|
|
name: sync
|
|
envFrom:
|
|
- configMapRef:
|
|
name: credentials-sync
|
|
env:
|
|
- name: RECONCILE_SH # override this env var with a shell function in a kustomize patch
|
|
value: |-
|
|
reconcile() {
|
|
echo reconciling...
|
|
}
|
|
command:
|
|
- bash
|
|
- -ceu
|
|
- |-
|
|
# template reconcile() into the script
|
|
# env var is expanded by k8s before the pod starts
|
|
$(RECONCILE_SH)
|
|
|
|
apply-secret() {
|
|
/kbin/kubectl create secret docker-registry "${1}" \
|
|
--docker-password="${2}" \
|
|
--docker-username="${3}" \
|
|
--docker-server="${4}" \
|
|
--dry-run=client -o=yaml \
|
|
| grep -v "creationTimestamp:" \
|
|
| /kbin/kubectl apply -f -
|
|
}
|
|
|
|
reconcile
|
|
resources: {}
|
|
|
|
|
|
# RBAC necessary for our Deployment to apply our imagePullSecret
|
|
---
|
|
kind: Role
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: credentials-sync
|
|
namespace: flux-system
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources:
|
|
- secrets
|
|
verbs:
|
|
- get
|
|
- create
|
|
- update
|
|
- patch
|
|
# # Lock this down to the specific Secret name (Optional)
|
|
resourceNames:
|
|
- $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
|
|
---
|
|
kind: RoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: credentials-sync
|
|
namespace: flux-system
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: credentials-sync
|
|
roleRef:
|
|
kind: Role
|
|
name: credentials-sync
|
|
apiGroup: rbac.authorization.k8s.io
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: credentials-sync
|
|
namespace: flux-system
|