[RFC-0010] Link workload identity docs to complete guide

Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
Matheus Pimenta 2025-05-26 23:38:30 +01:00
parent 6275ee05c6
commit 3e212d2f68
No known key found for this signature in database
GPG Key ID: DE594AAD698A94DE
1 changed files with 25 additions and 10 deletions


@ -168,10 +168,22 @@ reference.
### ServiceAccount name
`.spec.serviceAccountName` is an optional field to specify a name reference to a
ServiceAccount in the same namespace as the ImageRepository, with an image pull
secret attached to it. For detailed instructions about attaching an image pull
secret to a ServiceAccount, see [Add image pull secret to service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-image-pull-secret-to-service-account).
`.spec.serviceAccountName` is an optional field to specify a Service Account
in the same namespace as ImageRepository with purpose depending on the value of
the `.spec.provider` field:
- When `.spec.provider` is set to `generic`, the controller will fetch the image
pull secrets attached to the Service Account and use them for authentication.
- When `.spec.provider` is set to `aws`, `azure`, or `gcp`, the Service Account
will be used for Workload Identity authentication. In this case, the controller
feature gate `ObjectLevelWorkloadIdentity` must be enabled, otherwise the
controller will error out.
**Note:** that for a publicly accessible image repository, you don't need to
provide a `secretRef` nor `serviceAccountName`.
For a complete guide on how to set up authentication for cloud providers,
see the integration [docs](/flux/integrations/).
### Certificate secret reference
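Review bot: the Kubernetes link for attaching an image pull secret to a ServiceAccount disappears with the old paragraph, yet it is still the reference a reader of the new `generic` bullet needs; keep it there, e.g. "the controller will fetch the image pull secrets attached to the Service Account and use them for authentication (see [Add image pull secret to service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-image-pull-secret-to-service-account))." Two smaller points in the same hunk: "**Note:** that for a publicly accessible image repository" reads as a fragment, so drop "that"; and `secretRef` / `serviceAccountName` in that note should be written `.spec.secretRef` / `.spec.serviceAccountName` to match the field notation used in the rest of the section. Since enabling `ObjectLevelWorkloadIdentity` is a hard requirement for the `aws`, `azure` and `gcp` cases, consider also linking how the feature gate is enabled, so operators do not first learn about it from the controller erroring out.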
@ -368,8 +380,8 @@ container registry.
### Provider
`.spec.provider` is an optional field that allows specifying an OIDC provider
used for authentication purposes.
`.spec.provider` is an optional field that allows specifying an OIDC provider used for
authentication purposes.
Supported options are:
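Review bot: this hunk only re-wraps the two lines without changing a word, which adds diff noise; if it is kept, it is also the place to fix the wording, because `generic` (described just below as public repositories or static credentials) is not an OIDC provider, so "specifying an OIDC provider" does not fit one of the listed options. Suggest: "`.spec.provider` is an optional field that selects the authentication provider. The `aws`, `azure` and `gcp` options use Workload Identity (OIDC); `generic` does not."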
@ -378,10 +390,13 @@ Supported options are:
- `azure`
- `gcp`
The `generic` provider can be used for public repositories or when static
credentials are used for authentication, either with `.spec.secretRef` or
`.spec.serviceAccount`. If `.spec.provider` is not specified, it defaults to
`generic`.
The `generic` provider can be used for public repositories or when
static credentials are used for authentication, either with
`spec.secretRef` or `spec.serviceAccountName`.
If you do not specify `.spec.provider`, it defaults to `generic`.
For a complete guide on how to set up authentication for cloud providers,
see the integration [docs](/flux/integrations/).
#### AWS
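Review bot: `spec.secretRef` and `spec.serviceAccountName` lose the leading dot used everywhere else in this section (`.spec.provider`); write them as `.spec.secretRef` and `.spec.serviceAccountName`. Replacing the old, non-existent `.spec.serviceAccount` with `.spec.serviceAccountName` is the right fix, since that is the field documented under "ServiceAccount name". As that section now spells out what the Service Account means per provider (pull secrets for `generic`, Workload Identity for the cloud providers), consider cross-referencing it here in addition to the cloud-provider integration link, so the `generic` case has somewhere to point as well.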