fluxcd
/
source-controller
mirror of https://github.com/fluxcd/source-controller.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

update docs on azure 

Signed-off-by: Somtochi Onyekwere <somtochionyekwere@gmail.com>
This commit is contained in:
Somtochi Onyekwere 2023-07-14 01:42:49 +01:00
parent 36ca723ad7
commit fb2c74de23
3 changed files with 42 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
docs/spec/v1beta2/buckets.md
View File

@ -439,8 +439,8 @@ data:
##### Workload Identity ##### Workload Identity
If you have [Workload Identity mutating webhook](https://azure.github.io/azure-workload-identity/docs/installation/managed-clusters.html) If you have [Workload Identity](https://azure.github.io/azure-workload-identity/docs/installation/managed-clusters.html)
installed on your cluster. You need to create an Azure Identity and give it set up on your cluster, you need to create an Azure Identity and give it
access to Azure Blob Storage. access to Azure Blob Storage.
```shell ```shell
@ -465,7 +465,7 @@ az identity federated-credential create \
--subject "system:serviceaccount:flux-system:source-controller" --subject "system:serviceaccount:flux-system:source-controller"
``` ```
Add a patch to label and annotate the source-controller Pods and ServiceAccount Add a patch to label and annotate the source-controller Deployment and ServiceAccount
correctly so that it can match an identity binding: correctly so that it can match an identity binding:
```yaml ```yaml
@ -501,7 +501,7 @@ patches:
``` ```
If you have set up Workload Identity correctly and labeled the source-controller If you have set up Workload Identity correctly and labeled the source-controller
Pod and ServiceAccount, then you don't need to reference a Secret. For more information, Deployment and ServiceAccount, then you don't need to reference a Secret. For more information,
please see [documentation](https://azure.github.io/azure-workload-identity/docs/quick-start.html). please see [documentation](https://azure.github.io/azure-workload-identity/docs/quick-start.html).
```yaml ```yaml
@ -517,7 +517,7 @@ spec:
endpoint: https://testfluxsas.blob.core.windows.net endpoint: https://testfluxsas.blob.core.windows.net
``` ```
##### Managed Identity with AAD Pod Identity ##### Deprecated: Managed Identity with AAD Pod Identity
If you are using [aad pod identity](https://azure.github.io/aad-pod-identity/docs), If you are using [aad pod identity](https://azure.github.io/aad-pod-identity/docs),
You need to create an Azure Identity and give it access to Azure Blob Storage. You need to create an Azure Identity and give it access to Azure Blob Storage.
@ -561,7 +561,7 @@ spec:
selector: ${IDENTITY_NAME} selector: ${IDENTITY_NAME}
``` ```
Label the source-controller correctly so that it can match an identity binding: Label the source-controller Deployment correctly so that it can match an identity binding:
```yaml ```yaml
apiVersion: apps/v1 apiVersion: apps/v1
@ -577,7 +577,7 @@ spec:
``` ```
If you have set up aad-pod-identity correctly and labeled the source-controller If you have set up aad-pod-identity correctly and labeled the source-controller
Pod, then you don't need to reference a Secret. Deployment, then you don't need to reference a Secret.
```yaml ```yaml
apiVersion: source.toolkit.fluxcd.io/v1beta2 apiVersion: source.toolkit.fluxcd.io/v1beta2

24
docs/spec/v1beta2/helmrepositories.md
View File

@ -224,8 +224,8 @@ to the IAM role when using IRSA.
#### Azure #### Azure
The `azure` provider can be used to authenticate automatically using kubelet managed The `azure` provider can be used to authenticate automatically using Workload Identity, Kubelet Managed
identity or Azure Active Directory pod-managed identity (aad-pod-identity), and Identity or Azure Active Directory pod-managed identity (aad-pod-identity), and
by extension gain access to ACR. by extension gain access to ACR.
##### Kubelet Managed Identity ##### Kubelet Managed Identity
@ -233,6 +233,12 @@ by extension gain access to ACR.
When the kubelet managed identity has access to ACR, source-controller running on When the kubelet managed identity has access to ACR, source-controller running on
it will also have access to ACR. it will also have access to ACR.
**Note:** If you have more than one identity configured on the cluster, you have to specify which one to use
by setting the `AZURE_CLIENT_ID` environment variable in the source-controller deployment.
If you are running into further issues, please look at the
[troubleshooting guide](https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/azidentity/TROUBLESHOOTING.md#azure-virtual-machine-managed-identity).
##### Azure Workload Identity ##### Azure Workload Identity
When using Workload Identity to enable access to ACR, add the following patch to When using Workload Identity to enable access to ACR, add the following patch to
@ -270,13 +276,17 @@ patches:
azure.workload.identity/use: "true" azure.workload.identity/use: "true"
``` ```
To use Workload Identity, you have to install the Workload Identity Ensure Workload Identity is properly set up on your cluster and the mutating webhook is installed.
mutating webhook and create an identity that has access to ACR. Next, establish Create an identity that has access to ACR. Next, establish
a federated identity between the source-controller ServiceAccount and the a federated identity between the source-controller ServiceAccount and the
identity. Patch the source-controller Pod and ServiceAccount as shown in the patch identity. Patch the source-controller Deployment and ServiceAccount as shown in the patch
above. Please take a look at this [guide](https://azure.github.io/azure-workload-identity/docs/quick-start.html#6-establish-federated-identity-credential-between-the-identity-and-the-service-account-issuer--subject). above. Please take a look at this [guide](https://azure.github.io/azure-workload-identity/docs/quick-start.html#6-establish-federated-identity-credential-between-the-identity-and-the-service-account-issuer--subject).
##### AAD Pod Identity ##### Deprecated: AAD Pod Identity
**Warning:** The AAD Pod Identity project will be archived in
[September 2023](https://github.com/Azure/aad-pod-identity#-announcement),
and you are advised to use Workload Identity instead.
When using aad-pod-identity to enable access to ACR, add the following patch to When using aad-pod-identity to enable access to ACR, add the following patch to
your bootstrap repository, in the `flux-system/kustomization.yaml` file: your bootstrap repository, in the `flux-system/kustomization.yaml` file:
@ -302,7 +312,7 @@ to give the `source-controller` pod access to the ACR. To do this, you have to i
`aad-pod-identity` on your cluster, create a managed identity that has access to the `aad-pod-identity` on your cluster, create a managed identity that has access to the
container registry (this can also be the Kubelet identity if it has `AcrPull` role container registry (this can also be the Kubelet identity if it has `AcrPull` role
assignment on the ACR), create an `AzureIdentity` and `AzureIdentityBinding` that describe assignment on the ACR), create an `AzureIdentity` and `AzureIdentityBinding` that describe
the managed identity and then label the `source-controller` pods with the name of the the managed identity and then label the `source-controller` deployment with the name of the
AzureIdentity as shown in the patch above. Please take a look at [this guide](https://azure.github.io/aad-pod-identity/docs/) AzureIdentity as shown in the patch above. Please take a look at [this guide](https://azure.github.io/aad-pod-identity/docs/)
or [this one](https://docs.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity) or [this one](https://docs.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity)
if you want to use AKS pod-managed identities add-on that is in preview. if you want to use AKS pod-managed identities add-on that is in preview.

24
docs/spec/v1beta2/ocirepositories.md
View File

@ -157,8 +157,8 @@ to the IAM role when using IRSA.
#### Azure #### Azure
The `azure` provider can be used to authenticate automatically using kubelet The `azure` provider can be used to authenticate automatically using Workload Identity, Kubelet Managed
managed identity or Azure Active Directory pod-managed identity (aad-pod-identity), Identity or Azure Active Directory pod-managed identity (aad-pod-identity),
and by extension gain access to ACR. and by extension gain access to ACR.
##### Kubelet Managed Identity ##### Kubelet Managed Identity
@ -166,6 +166,12 @@ and by extension gain access to ACR.
When the kubelet managed identity has access to ACR, source-controller running When the kubelet managed identity has access to ACR, source-controller running
on it will also have access to ACR. on it will also have access to ACR.
**Note:** If you have more than one identity configured on the cluster, you have to specify which one to use
by setting the `AZURE_CLIENT_ID` environment variable in the source-controller deployment.
If you are running into further issues, please look at the
[troubleshooting guide](https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/azidentity/TROUBLESHOOTING.md#azure-virtual-machine-managed-identity).
##### Workload Identity ##### Workload Identity
When using Workload Identity to enable access to ACR, add the following patch to When using Workload Identity to enable access to ACR, add the following patch to
@ -203,13 +209,17 @@ patches:
azure.workload.identity/use: "true" azure.workload.identity/use: "true"
``` ```
To use Workload Identity, you have to install the Workload Identity Ensure Workload Identity is properly set up on your cluster and the mutating webhook is installed.
mutating webhook and create an identity that has access to ACR. Next, establish Create an identity that has access to ACR. Next, establish
a federated identity between the source-controller ServiceAccount and the a federated identity between the source-controller ServiceAccount and the
identity. Patch the source-controller Pod and ServiceAccount as shown in the patch identity. Patch the source-controller Deployment and ServiceAccount as shown in the patch
above. Please take a look at this [guide](https://azure.github.io/azure-workload-identity/docs/quick-start.html#6-establish-federated-identity-credential-between-the-identity-and-the-service-account-issuer--subject). above. Please take a look at this [guide](https://azure.github.io/azure-workload-identity/docs/quick-start.html#6-establish-federated-identity-credential-between-the-identity-and-the-service-account-issuer--subject).
##### AAD Pod Identity ##### Deprecated: AAD Pod Identity
**Note:** The AAD Pod Identity project will be archived in [September 2023](https://github.com/Azure/aad-pod-identity#-announcement),
and you are advised to use Workload Identity instead.
When using aad-pod-identity to enable access to ACR, add the following patch to When using aad-pod-identity to enable access to ACR, add the following patch to
your bootstrap repository, in the `flux-system/kustomization.yaml` file: your bootstrap repository, in the `flux-system/kustomization.yaml` file:
@ -234,7 +244,7 @@ has to be used to give the `source-controller` pod access to the ACR.
To do this, you have to install `aad-pod-identity` on your cluster, create a managed identity To do this, you have to install `aad-pod-identity` on your cluster, create a managed identity
that has access to the container registry (this can also be the Kubelet identity that has access to the container registry (this can also be the Kubelet identity
if it has `AcrPull` role assignment on the ACR), create an `AzureIdentity` and `AzureIdentityBinding` if it has `AcrPull` role assignment on the ACR), create an `AzureIdentity` and `AzureIdentityBinding`
that describe the managed identity and then label the `source-controller` pods that describe the managed identity and then label the `source-controller` deployment
with the name of the AzureIdentity as shown in the patch above. Please take a look with the name of the AzureIdentity as shown in the patch above. Please take a look
at [this guide](https://azure.github.io/aad-pod-identity/docs/) or at [this guide](https://azure.github.io/aad-pod-identity/docs/) or
[this one](https://docs.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity) [this one](https://docs.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity)