Add docs for autologin(ACR/ECR/GCR) #702
Conversation
Signed-off-by: Somtochi Onyekwere <somtochionyekwere@gmail.com>
stefanprodan
changed the title
Signed-off-by: Somtochi Onyekwere <somtochionyekwere@gmail.com>
|
I'm testing the Google Cloud Workload Identity work, I ran into this error applying one of the patches from these examples: I suspect it would work fine if I had used patchesStrategicMerge instead: kubernetes-sigs/kustomize#2986 (comment) tl;dr from the link above, json patch 6902 cannot really be used to add a path that does not exist, if you have a hash then you can add a field to it, but if there is no hash "annotations" which I think there generally isn't, it will not be created in a json patch. Maybe this works if you annotate the service account by hand with the I tried this patch instead and it worked: apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- gotk-components.yaml
- gotk-sync.yaml
patches:
- target:
version: v1
group: apps
kind: Deployment
name: image-reflector-controller
namespace: flux-system
patch: |-
- op: add
path: /spec/template/spec/containers/0/args/-
value: --gcp-autologin-for-gcr
patchesStrategicMerge:
- |-
apiVersion: v1
kind: ServiceAccount
metadata:
name: image-reflector-controller
namespace: flux-system
annotations:
iam.gke.io/gcp-service-account: kingdon-test-gcr-sa@dx-kingdon.iam.gserviceaccount.com
images: # []
- name: ghcr.io/fluxcd/image-reflector-controller
newName: docker.io/somma/image-reflector-controller
newTag: test-autologin-18df01042I'm sending you some corrections for the issues I ran into 👍 the good news is, I was able to confirm the GKE workload identity can access my I know I'm annotating the SA correctly now, because when it was incorrect I got a 400 "bad request" error. There is a |
|
This is great work It gets a 👍 from me, please note the suggestions I've made after testing GKE Workload Identity. I'm going to grab the actual roles I assigned through the wizard and bring them back here so we can review them, also give the "artifact registry" a try since I've been able to get through "container registry" with Workload Identity and overcome all of the IAM hurdles, I think they are actually a different permission set, and that's what I'm hyper-focusing on here now. If there are different role-permissions required for the SA to access Artifact Registry and Container Registry, then we should mention both roles in the doc. |
|
I can adopt this branch myself, and reissue it with my suggestions incorporated as a new PR (if that helps!) |
|
@somtochiama please add @kingdonb to your fork so he can push to to your branch. |
|
@kingdonb I have sent out an invite to my fork of this repo |
When fluxcd/website#702 merges, this patch will have been incorporated into the Image Update Guide. Add a link to the more directly relevant Image Update Guide here instead, since it has the example, and it doesn't belong in the API docs nor need to be repeated here, per the discussion from the earlier PR number fluxcd#193. Signed-off-by: Kingdon Barrett <kingdon@weave.works>
Workload Identity (the same link repeated from cron-job-image-auth.md) Signed-off-by: Kingdon Barrett <kingdon@weave.works>
kingdonb
force-pushed
the
gcr-acr-autologin
branch
from
56a4e13
to
1f9240b
Compare
|
My approval is pending the merge of the following PR: The draft status of this PR reflects that the depended on PR has not been merged yet. |
Co-authored-by: Stefan Prodan <stefan.prodan@gmail.com> Signed-off-by: Kingdon Barrett <kingdon@weave.works>
kingdonb
force-pushed
the
gcr-acr-autologin
branch
from
8850aca
to
7eb2fe2
Compare
Squashed commits: follow the convention of using footer-style links I noticed that some links might not be good, and all of the new links added in this PR were not following the convention of link targets in the footer. Correct those issues. Signed-off-by: Kingdon Barrett <kingdon@weave.works> Update docs/spec/v1beta1/imagerepositories.md Signed-off-by: Kingdon Barrett <kingdon@weave.works> update docs Signed-off-by: Kingdon Barrett <kingdon@weave.works> Link to the Image Update guide When fluxcd/website#702 merges, this patch will have been incorporated into the Image Update Guide. Add a link to the more directly relevant Image Update Guide here instead, since it has the example, and it doesn't belong in the API docs nor need to be repeated here, per the discussion from the earlier PR number fluxcd#193. Signed-off-by: Kingdon Barrett <kingdon@weave.works> remove orphaned link URLs Signed-off-by: Kingdon Barrett <kingdon@weave.works>
Link to the Image Update guide When fluxcd/website#702 merges, this patch will have been incorporated into the Image Update Guide. Add a link to the more directly relevant Image Update Guide here instead, since it has the example, and it doesn't belong in the API docs nor need to be repeated here, per the discussion from the earlier PR number fluxcd#193. Signed-off-by: Kingdon Barrett <kingdon@weave.works> remove orphaned link URLs Signed-off-by: Kingdon Barrett <kingdon@weave.works> Signed-off-by: Kingdon Barrett <yebyen@gmail.com>
Link to the Image Update guide When fluxcd/website#702 merges, this patch will have been incorporated into the Image Update Guide. Add a link to the more directly relevant Image Update Guide here instead, since it has the example, and it doesn't belong in the API docs nor need to be repeated here, per the discussion from the earlier PR number fluxcd#193. Signed-off-by: Kingdon Barrett <kingdon@weave.works> remove orphaned link URLs Signed-off-by: Kingdon Barrett <kingdon@weave.works> Signed-off-by: Kingdon Barrett <yebyen@gmail.com>
Link to the Image Update guide When fluxcd/website#702 merges, this patch will have been incorporated into the Image Update Guide. Add a link to the more directly relevant Image Update Guide here instead, since it has the example, and it doesn't belong in the API docs nor need to be repeated here, per the discussion from the earlier PR number fluxcd#193. Signed-off-by: Kingdon Barrett <kingdon@weave.works> remove orphaned link URLs Signed-off-by: Kingdon Barrett <kingdon@weave.works> Signed-off-by: Kingdon Barrett <yebyen@gmail.com>
| @@ -0,0 +1,377 @@ | |||
| --- | |||
| title: "How to use cron jobs to sync image repository credentials" | |||
| linkTitle: "cron jobs for image repository cretentions" | |||
There was a problem hiding this comment.
| linkTitle: "cron jobs for image repository cretentions" | |
| linkTitle: "Configure image automation authentication" |
| @@ -0,0 +1,377 @@ | |||
| --- | |||
| title: "How to use cron jobs to sync image repository credentials" | |||
There was a problem hiding this comment.
| title: "How to use cron jobs to sync image repository credentials" | |
| title: "Configure image automation authentication" |
This pull request adds documentation for GCR/ACR auto-login Integration and also moves the docs on using cron jobs to a separate page.
Part of: fluxcd/flux2#2308
Signed-off-by: Somtochi Onyekwere somtochionyekwere@gmail.com