From 7905f6041af4e38dce77ca64918f601e1cb724de Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Thu, 30 Mar 2023 09:20:00 +0200 Subject: [PATCH] docs: various nits in Bucket spec Signed-off-by: Hidde Beydals --- docs/spec/v1beta2/buckets.md | 34 +++++++++++++++------------ docs/spec/v1beta2/helmrepositories.md | 4 ++-- 2 files changed, 21 insertions(+), 17 deletions(-) diff --git a/docs/spec/v1beta2/buckets.md b/docs/spec/v1beta2/buckets.md index 74d7767f4..6e85d7d60 100644 --- a/docs/spec/v1beta2/buckets.md +++ b/docs/spec/v1beta2/buckets.md @@ -440,8 +440,8 @@ data: ##### Workload Identity If you have [Workload Identity mutating webhook](https://azure.github.io/azure-workload-identity/docs/installation/managed-clusters.html) -installed on your cluster. You would need to create an Azure Identity and -give it access to Azure Blob Storage. +installed on your cluster. You need to create an Azure Identity and give it +access to Azure Blob Storage. ```shell export IDENTITY_NAME="blob-access" @@ -451,7 +451,7 @@ az role assignment create --role "Storage Blob Data Reader" \ --scope "/subscriptions//resourceGroups//providers/Microsoft.Storage/storageAccounts//blobServices/default/containers/" ``` -Establish federated identity between the identity and the source-controller +Establish a federated identity between the Identity and the source-controller ServiceAccount. ```shell @@ -500,7 +500,7 @@ patches: azure.workload.identity/use: "true" ``` -If you have set Workload Identity up correctly and labeled the source-controller +If you have set up Workload Identity correctly and labeled the source-controller Pod and ServiceAccount, then you don't need to reference a Secret. For more information, please see [documentation](https://azure.github.io/azure-workload-identity/docs/quick-start.html). 
@@ -520,7 +520,7 @@ spec: ##### Managed Identity with AAD Pod Identity If you are using [aad pod identity](https://azure.github.io/aad-pod-identity/docs), -you can create an identity that has access to Azure Storage. +You need to create an Azure Identity and give it access to Azure Blob Storage. ```sh export IDENTITY_NAME="blob-access" @@ -533,7 +533,7 @@ export IDENTITY_CLIENT_ID="$(az identity show -n ${IDENTITY_NAME} -g ${RESOURCE_ export IDENTITY_RESOURCE_ID="$(az identity show -n ${IDENTITY_NAME} -otsv --query id)" ``` -Create an `AzureIdentity` object that references the identity created above: +Create an AzureIdentity object that references the identity created above: ```yaml --- @@ -548,7 +548,8 @@ spec: type: 0 # user-managed identity ``` -Create an `AzureIdentityBinding` object that binds pods with a specific selector with the `AzureIdentity` created: +Create an AzureIdentityBinding object that binds Pods with a specific selector +with the AzureIdentity created: ```yaml apiVersion: "aadpodidentity.k8s.io/v1" @@ -575,7 +576,7 @@ spec: aadpodidbinding: ${IDENTITY_NAME} # match the AzureIdentity name ``` -If you have set aad-pod-identity up correctly and labeled the source-controller +If you have set up aad-pod-identity correctly and labeled the source-controller pod, then you don't need to reference a secret. ```yaml 
@@ -618,13 +619,16 @@ data: sasKey: ``` -The sasKey only contains the SAS token e.g `?sv=2020-08-0&ss=bfqt&srt=co&sp=rwdlacupitfx&se=2022-05-26T21:55:35Z&st=2022-05...`. -The leading question mark is optional. -The query values from the `sasKey` data field in the Secrets gets merged with the ones in the `spec.endpoint` of the `Bucket`. -If the same key is present in the both of them, the value in the `sasKey` takes precedence. +The `sasKey` only contains the SAS token e.g +`?sv=2020-08-0&ss=bfqt&srt=co&sp=rwdlacupitfx&se=2022-05-26T21:55:35Z&st=2022-05...`. +The leading question mark (`?`) is optional. The query values from the `sasKey` +data field in the Secrets gets merged with the ones in the `.spec.endpoint` of +the Bucket. If the same key is present in the both of them, the value in the +`sasKey` takes precedence. -**Note:** The SAS token has an expiry date and it must be updated before it expires to allow Flux to -continue to access Azure Storage. It is allowed to use an account-level or container-level SAS token. +**Note:** The SAS token has an expiry date, and it must be updated before it +expires to allow Flux to continue to access Azure Storage. It is allowed to use +an account-level or container-level SAS token. The minimum permissions for an account-level SAS token are: @@ -839,7 +843,7 @@ spec: ### Triggering a reconcile -To manually tell the source-controller to reconcile a Bucket outside of the +To manually tell the source-controller to reconcile a Bucket outside the [specified interval window](#interval), a Bucket can be annotated with `reconcile.fluxcd.io/requestedAt: `. Annotating the resource queues the Bucket for reconciliation if the `` differs from diff --git a/docs/spec/v1beta2/helmrepositories.md b/docs/spec/v1beta2/helmrepositories.md index 5de5de5ff..c9f99fa7d 100644 --- a/docs/spec/v1beta2/helmrepositories.md +++ b/docs/spec/v1beta2/helmrepositories.md 
@@ -233,7 +233,7 @@ by extension gain access to ACR. When the kubelet managed identity has access to ACR, source-controller running on it will also have access to ACR. -##### Workload Identity +##### Azure Workload Identity When using Workload Identity to enable access to ACR, add the following patch to your bootstrap repository, in the `flux-system/kustomization.yaml` file: @@ -317,7 +317,7 @@ Workload Identity, and by extension gain access to GCR or Artifact Registry. When the GKE nodes have the appropriate OAuth scope for accessing GCR and Artifact Registry, source-controller running on it will also have access to them. -#### Workload Identity +#### GKE Workload Identity When using Workload Identity to enable access to GCR or Artifact Registry, add the following patch to your bootstrap repository, in the `flux-system/kustomization.yaml`
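Review bot: in the first buckets.md hunk (@@ -440) the rewrite still leaves the opening conditional as a fragment. "If you have [Workload Identity mutating webhook](...) installed on your cluster." ends with a full stop before "You need to create an Azure Identity and give it access to Azure Blob Storage." Suggest joining them into one sentence: "If you have the Workload Identity mutating webhook installed on your cluster, you need to create an Azure Identity and give it access to Azure Blob Storage."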
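Review bot: the added line in the AAD Pod Identity hunk (@@ -520) starts with a capital "You" although it continues the sentence begun on the unchanged context line "If you are using [aad pod identity](...),". As written it reads "..., You need to create an Azure Identity and give it access to Azure Blob Storage." Lowercase "you" (or turn the context line into its own sentence) so the two lines parse as one sentence.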
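Review bot: the closing sentence of the aad-pod-identity section (@@ -575) is now worded in parallel with the Workload Identity one, but its unchanged continuation line keeps "pod, then you don't need to reference a secret." in lowercase, while the Workload Identity hunk (@@ -500) uses "Pod and ServiceAccount" and "Secret". Since the patch already touches both sentences, suggest capitalising the Kind names here as well so the two sections read consistently.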
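Review bot: the SAS token paragraph (@@ -618) is reflowed but carries over grammar slips from the removed lines: "e.g" is missing its trailing period (or a comma after it), and "The query values from the `sasKey` data field in the Secrets gets merged" / "present in the both of them" should read "get merged" / "present in both of them". Worth fixing while these lines are already being rewritten, since the precedence rule they state (a key in `sasKey` overrides the same key in `.spec.endpoint`) is the part readers need to get right.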
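Review bot: renaming the heading to "##### Azure Workload Identity" (helmrepositories.md @@ -233) changes the anchor a Markdown renderer generates for it, so any existing link to the old "Workload Identity" anchor, in this file or elsewhere in the docs, will silently stop resolving. Suggest searching the docs for links to the old heading before merging; the rename itself is a good fix, as the file otherwise had two headings with identical text.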
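Review bot: the same anchor caveat applies to "#### GKE Workload Identity" (@@ -317). Also visible in these two hunks is that the Azure heading sits at level five ("#####") while the GKE one sits at level four ("####"); if that difference is not deliberate, it may be worth aligning the two while both headings are being edited.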