Merge branch 'main' into sas-key-azure-blob
Paulo Gomes authored Aug 12, 2022
2 parents 3526863 + c63f362 commit 106d3fc
Showing 1 changed file with 25 additions and 15 deletions.
40 changes: 25 additions & 15 deletions docs/spec/v1beta2/ocirepositories.md
@@ -120,11 +120,15 @@ If you do not specify `.spec.provider`, it defaults to `generic`.

#### AWS

The `aws` provider can be used when the source-controller service account
is associated with an AWS IAM Role using IRSA that grants read-only access to ECR.
The `aws` provider can be used to authenticate automatically using the EKS
worker node IAM role or IAM Role for Service Accounts (IRSA), and by extension
gain access to ECR.

To enable access to ECR, add the following patch to your bootstrap repository,
in the `flux-system/kustomization.yaml` file:
When the worker node IAM role has access to ECR, source-controller running on it
will also have access to ECR.

When using IRSA to enable access to ECR, add the following patch to your
bootstrap repository, in the `flux-system/kustomization.yaml` file:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
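Review bot: the new worker-node IAM role path ("When the worker node IAM role has access to ECR, source-controller running on it will also have access to ECR.") needs a caveat that this grants ECR read access to every pod scheduled on that node, not only source-controller, because the credentials come from the node role rather than from the pod's service account; suggest stating that IRSA is the least-privilege option and presenting the node-role path as the broader alternative.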
@@ -150,11 +154,15 @@ to the IAM role when using IRSA.

#### Azure

The `azure` provider can be used when the source-controller pods are associated
with an Azure AAD Pod Identity that grants read-only access to ACR.
The `azure` provider can be used to authenticate automatically using kubelet
managed identity or Azure Active Directory pod-managed identity (aad-pod-identity),
and by extension gain access to ACR.

When the kubelet managed identity has access to ACR, source-controller running
on it will also have access to ACR.

To enable access to ACR, add the following patch to your bootstrap repository,
in the `flux-system/kustomization.yaml` file:
When using aad-pod-identity to enable access to ECR, add the following patch to
your bootstrap repository, in the `flux-system/kustomization.yaml` file:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
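Review bot: "When using aad-pod-identity to enable access to ECR" should read ACR; this is the Azure section and every surrounding line refers to ACR, so ECR here is a copy-paste slip from the AWS section. The same node-scope caveat applies to the new kubelet managed identity sentence: that identity is shared by every pod on the node, so aad-pod-identity is the narrower choice and the doc should say so.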
@@ -172,7 +180,7 @@ patches:
name: source-controller
```

When using managed identity on an AKS cluster, AAD Pod Identity
When using pod-managed identity on an AKS cluster, AAD Pod Identity
has to be used to give the `source-controller` pod access to the ACR.
To do this, you have to install `aad-pod-identity` on your cluster, create a managed identity
that has access to the container registry (this can also be the Kubelet identity
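Review bot: with the change to "pod-managed identity", the sentence "When using pod-managed identity on an AKS cluster, AAD Pod Identity has to be used" becomes circular, since AAD Pod Identity is the pod-managed identity mechanism; suggest rewording along the lines of "To use pod-managed identity on an AKS cluster, install `aad-pod-identity`, create a managed identity that has access to the container registry ..." and folding the following sentence into it.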
@@ -185,13 +193,15 @@ if you want to use AKS pod-managed identities add-on that is in preview.

#### GCP

The `gcp` provider can be used when the source-controller service account
is associated with a GCP IAM Role using Workload Identity that grants
read-only access to Artifact Registry.
The `gcp` provider can be used to authenticate automatically using OAuth scopes
or Workload Identity, and by extension gain access to GCR or Artifact Registry.

When the GKE nodes have the appropriate OAuth scope for accessing GCR and
Artifact Registry, source-controller running on it will also have access to them.

To enable access to Google Artifact Registry or GCR,
add the following patch to your bootstrap repository,
in the `flux-system/kustomization.yaml` file:
When using Workload Identity to enable access to GCR or Artifact Registry, add
the following patch to your bootstrap repository, in the
`flux-system/kustomization.yaml` file:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
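Review bot: "source-controller running on it will also have access to them" should be "running on them", since the subject is the plural "GKE nodes"; and, as with the AWS and Azure sections, node OAuth scopes are inherited by every workload on the node, so the doc should point out that Workload Identity is the option that limits registry access to the source-controller service account.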
