Merge pull request #1469 from stealthybox/integrations-fixes

Fix and Refactor integrations

manifests/integrations/Makefile

+
+bases := $(shell dirname $(shell find | grep kustomization.yaml | sort))
+
+all: $(bases)
+
+permutations := $(bases) $(addsuffix /,$(bases))
+.PHONY: $(permutations)
+$(permutations):
+	@echo $@
+	@warnings=$$(kustomize build $@ -o /dev/null 2>&1); \
+		if [ "$$warnings" ]; then \
+			echo "$$warnings"; \
+			false; \
+		fi

manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml

@@ -7,6 +7,9 @@ commonLabels:
 resources:
   - sync.yaml
 
+patchesStrategicMerge:
+  - kubectl-patch.yaml
+
 vars:
   - name: KUBE_SECRET
     objref:
@@ -15,13 +18,6 @@ vars:
       apiVersion: v1
     fieldref:
       fieldpath: data.KUBE_SECRET
-  - name: ADDRESS
-    objref:
-      kind: ConfigMap
-      name: credentials-sync-eventhub
-      apiVersion: v1
-    fieldref:
-      fieldpath: data.ADDRESS
 
 configurations:
   - kustomizeconfig.yaml

manifests/integrations/eventhub-credentials-sync/_base/sync.yaml

@@ -109,9 +109,9 @@ rules:
       - create
       - update
       - patch
-    # # Lock this down to the specific Secret name  (Optional)
-    #resourceNames:
-    #  - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
+    # Lock this down to the specific Secret name  (Optional)
+    resourceNames:
+     - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

manifests/integrations/registry-credentials-sync/_cronjobs/azure/kubectl-patch.yaml → manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kubectl-patch.yaml

 apiVersion: batch/v1beta1
 kind: CronJob
 metadata:
-  name: credentials-sync
+  name: credentials-sync-eventhub
   namespace: flux-system
 spec:
   jobTemplate:

manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml

@@ -7,6 +7,9 @@ commonLabels:
 resources:
   - sync.yaml
 
+patchesStrategicMerge:
+  - kubectl-patch.yaml
+
 vars:
   - name: KUBE_SECRET
     objref:
@@ -15,13 +18,6 @@ vars:
       apiVersion: v1
     fieldref:
       fieldpath: data.KUBE_SECRET
-  - name: ADDRESS
-    objref:
-      kind: ConfigMap
-      name: credentials-sync-eventhub
-      apiVersion: v1
-    fieldref:
-      fieldpath: data.ADDRESS
 
 configurations:
   - kustomizeconfig.yaml

manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/sync.yaml

@@ -85,9 +85,9 @@ rules:
       - create
       - update
       - patch
-    # # Lock this down to the specific Secret name  (Optional)
-    #resourceNames:
-    #  - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
+    # Lock this down to the specific Secret name  (Optional)
+    resourceNames:
+     - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/az-identity.yaml

@@ -12,5 +12,5 @@ metadata:
   name: lab
   namespace: flux-system
 spec:
-  azureIdentity: lab
-  selector: lab
+  azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
+  selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name

manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/config-patches.yaml

@@ -23,15 +23,6 @@ spec:
   clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
   resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write
   type: 0
----
-apiVersion: aadpodidentity.k8s.io/v1
-kind: AzureIdentityBinding
-metadata:
-  name: lab
-  namespace: flux-system
-spec:
-  azureIdentity: jwt-lab
-  selector: jwt-lab
 
 # Set the reconcile period + specify the pod-identity via the aadpodidbinding label
 ---

manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kubectl-patch.yaml

-apiVersion: batch/v1beta1
-kind: CronJob
-metadata:
-  name: credentials-sync-eventhub
-  namespace: flux-system
-spec:
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          initContainers:
-            - image: bitnami/kubectl
-              securityContext:
-                privileged: false
-                readOnlyRootFilesystem: true
-                allowPrivilegeEscalation: false
-              name: copy-kubectl
-              # it's okay to do this because kubectl is a statically linked binary
-              command:
-                - sh
-                - -ceu
-                - cp $(which kubectl) /kbin/
-              resources: {}
-              volumeMounts:
-                - name: kbin
-                  mountPath: /kbin
-          containers:
-            - name: sync
-              volumeMounts:
-                - name: kbin
-                  mountPath: /kbin
-          volumes:
-            - name: kbin
-              emptyDir: {}

manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomization.yaml

@@ -14,7 +14,6 @@ resources:
 
 patchesStrategicMerge:
   - config-patches.yaml
-  - kubectl-patch.yaml
   - reconcile-patch.yaml
 
 vars:

manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml

 varReference:
-  - path: spec/jobTemplate/spec/template/metadata/labels
-    kind: CronJob
+- path: spec/jobTemplate/spec/template/metadata/labels
+  kind: CronJob
+- path: spec/azureIdentity
+  kind: AzureIdentityBinding
+- path: spec/selector
+  kind: AzureIdentityBinding

manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/config-patches.yaml

@@ -3,7 +3,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: credentials-sync-eventhub
-  namespace: flux-system
 data:
   KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
   ADDRESS: "fluxv2" # the Azure Event Hub name

manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kubectl-patch.yaml

-apiVersion: batch/v1beta1
-kind: CronJob
-metadata:
-  name: credentials-sync-eventhub
-  namespace: flux-system
-spec:
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          initContainers:
-            - image: bitnami/kubectl
-              securityContext:
-                privileged: false
-                readOnlyRootFilesystem: true
-                allowPrivilegeEscalation: false
-              name: copy-kubectl
-              # it's okay to do this because kubectl is a statically linked binary
-              command:
-                - sh
-                - -ceu
-                - cp $(which kubectl) /kbin/
-              resources: {}
-              volumeMounts:
-                - name: kbin
-                  mountPath: /kbin
-          containers:
-            - name: sync
-              volumeMounts:
-                - name: kbin
-                  mountPath: /kbin
-          volumes:
-            - name: kbin
-              emptyDir: {}

manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomization.yaml

@@ -14,8 +14,4 @@ resources:
 
 patchesStrategicMerge:
   - config-patches.yaml
-  - kubectl-patch.yaml
   - reconcile-patch.yaml
-
-configurations:
-  - kustomizeconfig.yaml

manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomizeconfig.yaml

-varReference:
-  - path: spec/jobTemplate/spec/template/metadata/labels
-    kind: CronJob

manifests/integrations/eventhub-credentials-sync/azure/az-identity.yaml

@@ -9,8 +9,8 @@ metadata:
 apiVersion: aadpodidentity.k8s.io/v1
 kind: AzureIdentityBinding
 metadata:
-  name: lab
+  name: lab # this can have a different name, but it's nice to keep them the same
   namespace: flux-system
 spec:
-  azureIdentity: lab
-  selector: lab
+  azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
+  selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name

manifests/integrations/eventhub-credentials-sync/azure/config-patches.yaml

@@ -24,15 +24,6 @@ spec:
   clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
   resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write
   type: 0
----
-apiVersion: aadpodidentity.k8s.io/v1
-kind: AzureIdentityBinding
-metadata:
-  name: lab
-  namespace: flux-system
-spec:
-  azureIdentity: jwt-lab
-  selector: jwt-lab
 
 # Specify the pod-identity via the aadpodidbinding label
 ---

manifests/integrations/eventhub-credentials-sync/azure/kustomization.yaml

@@ -14,7 +14,6 @@ resources:
 
 patchesStrategicMerge:
   - config-patches.yaml
-  - kubectl-patch.yaml
   - reconcile-patch.yaml
 
 vars:

manifests/integrations/eventhub-credentials-sync/azure/kustomizeconfig.yaml

 varReference:
 - path: spec/template/metadata/labels
   kind: Deployment
+- path: spec/azureIdentity
+  kind: AzureIdentityBinding
+- path: spec/selector
+  kind: AzureIdentityBinding