diff --git a/manifests/integrations/Makefile b/manifests/integrations/Makefile
new file mode 100644
index 0000000000000000000000000000000000000000..ebe8d3208d97dd76aa3323ecbc2ca38bb45ecd4b
--- /dev/null
+++ b/manifests/integrations/Makefile
@@ -0,0 +1,14 @@
+
+bases := $(shell dirname $(shell find | grep kustomization.yaml | sort))
+
+all: $(bases)
+
+permutations := $(bases) $(addsuffix /,$(bases))
+.PHONY: $(permutations)
+$(permutations):
+	@echo $@
+	@warnings=$$(kustomize build $@ -o /dev/null 2>&1); \
+		if [ "$$warnings" ]; then \
+			echo "$$warnings"; \
+			false; \
+		fi
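Review bot: The recipe line starting `warnings=$$(kustomize build ...)` discards kustomize's exit status, because the `;` after the assignment lets the shell continue and only non-empty output fails the target. A failing build is normally caught through its stderr text, but the check is explicit with `if ! warnings=$$(kustomize build $@ -o /dev/null 2>&1) || [ -n "$$warnings" ]; then`. The `bases` assignment also relies on GNU behaviour (`find` with no start path, `dirname` with several operands) and on an unanchored `grep`, which matches any path containing that string. `find . -name kustomization.yaml` would be tighter. `all` is not declared `.PHONY`, so a file named `all` in this directory would silently skip the whole check.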
diff --git a/manifests/integrations/eventhub-credentials-sync/azure/kubectl-patch.yaml b/manifests/integrations/eventhub-credentials-sync/_base/kubectl-patch.yaml
similarity index 100%
rename from manifests/integrations/eventhub-credentials-sync/azure/kubectl-patch.yaml
rename to manifests/integrations/eventhub-credentials-sync/_base/kubectl-patch.yaml
diff --git a/manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml
index dfd56766df09ef46f0c3911750ac2d6acfe95c75..c4a8a062e7610a7f4be3fccdd1e8205bcfa2df40 100644
--- a/manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml
@@ -7,6 +7,9 @@ commonLabels:
 resources:
   - sync.yaml
 
+patchesStrategicMerge:
+  - kubectl-patch.yaml
+
 vars:
   - name: KUBE_SECRET
     objref:
@@ -15,13 +18,6 @@ vars:
       apiVersion: v1
     fieldref:
       fieldpath: data.KUBE_SECRET
-  - name: ADDRESS
-    objref:
-      kind: ConfigMap
-      name: credentials-sync-eventhub
-      apiVersion: v1
-    fieldref:
-      fieldpath: data.ADDRESS
 
 configurations:
   - kustomizeconfig.yaml
diff --git a/manifests/integrations/eventhub-credentials-sync/_base/sync.yaml b/manifests/integrations/eventhub-credentials-sync/_base/sync.yaml
index 62ea86f0d9205bdf131cabaf4597f3023c9d03de..409db4fdf2fffff8928b50ddde3ee85466e54bfb 100644
--- a/manifests/integrations/eventhub-credentials-sync/_base/sync.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_base/sync.yaml
@@ -109,9 +109,9 @@ rules:
       - create
       - update
       - patch
-    # # Lock this down to the specific Secret name  (Optional)
-    #resourceNames:
-    #  - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
+    # Lock this down to the specific Secret name  (Optional)
+    resourceNames:
+     - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
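Review bot: Enabling `resourceNames` on this rule also applies it to the `create` verb listed just above, and Kubernetes RBAC cannot restrict `create` by resource name, so creating the Secret will likely be denied when it does not exist yet. The generic overlay's ConfigMap comment says the Secret "does not yet exist -- will be created", so that path is hit on first run. The rule begins outside the hunk. The fix is to move `create` into its own rule on the same resource without `resourceNames`, and keep `resourceNames: [$(KUBE_SECRET)]` on the rule holding `update` and `patch`. The "(Optional)" comment is now stale and could read `# Locked down to the Secret named by the KUBE_SECRET var`. The identical change in `_cronjobs/_base/sync.yaml` needs the same split.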
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kubectl-patch.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kubectl-patch.yaml
similarity index 95%
rename from manifests/integrations/registry-credentials-sync/_cronjobs/azure/kubectl-patch.yaml
rename to manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kubectl-patch.yaml
index b4d83e225dea5a10109fa363905769dfd4589033..8d2164b1664af315598576e6b2047d8e8a4f8007 100644
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kubectl-patch.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kubectl-patch.yaml
@@ -1,7 +1,7 @@
 apiVersion: batch/v1beta1
 kind: CronJob
 metadata:
-  name: credentials-sync
+  name: credentials-sync-eventhub
   namespace: flux-system
 spec:
   jobTemplate:
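Review bot: Only the first seven lines of this renamed patch are in the hunk, so it is not visible whether the `copy-kubectl` init container keeps the `securityContext` (`privileged: false`, `readOnlyRootFilesystem: true`, `allowPrivilegeEscalation: false`) that the deleted eventhub copies carried. The file is taken from the registry-credentials-sync tree, whose deleted azure Deployment patch has no `securityContext` at all, so the hardening may have been lost in the move. If so, restore those three settings in this shared base. The deleted copies also pull `image: bitnami/kubectl` with no tag or digest. If the base does the same, pin it, e.g. `image: bitnami/kubectl:<VERSION>@sha256:<DIGEST>`.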
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml
index dfd56766df09ef46f0c3911750ac2d6acfe95c75..c4a8a062e7610a7f4be3fccdd1e8205bcfa2df40 100644
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml
@@ -7,6 +7,9 @@ commonLabels:
 resources:
   - sync.yaml
 
+patchesStrategicMerge:
+  - kubectl-patch.yaml
+
 vars:
   - name: KUBE_SECRET
     objref:
@@ -15,13 +18,6 @@ vars:
       apiVersion: v1
     fieldref:
       fieldpath: data.KUBE_SECRET
-  - name: ADDRESS
-    objref:
-      kind: ConfigMap
-      name: credentials-sync-eventhub
-      apiVersion: v1
-    fieldref:
-      fieldpath: data.ADDRESS
 
 configurations:
   - kustomizeconfig.yaml
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/sync.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/sync.yaml
index e7fd16a71a9883fad20d1ae98fb90ff1d3d321d5..56d47856fc53549279d783a37cacc58aaba96e1b 100644
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/sync.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/sync.yaml
@@ -85,9 +85,9 @@ rules:
       - create
       - update
       - patch
-    # # Lock this down to the specific Secret name  (Optional)
-    #resourceNames:
-    #  - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
+    # Lock this down to the specific Secret name  (Optional)
+    resourceNames:
+     - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/az-identity.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/az-identity.yaml
index 1591126b0bdf40e58d5b4b1e8ce04ffa82352b20..38fa05ff7a1ae1eca927f94b93fd33cc43b40ab3 100644
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/az-identity.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/az-identity.yaml
@@ -12,5 +12,5 @@ metadata:
   name: lab
   namespace: flux-system
 spec:
-  azureIdentity: lab
-  selector: lab
+  azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
+  selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
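Review bot: `$(AZ_IDENTITY_NAME)` in `spec.azureIdentity` and `spec.selector` is only substituted when the overlay's `vars:` list defines that name, and that definition is outside this hunk. If it is missing, kustomize leaves the literal string in place, the binding refers to no AzureIdentity, and the sync pod gets no token, which shows up only at run time. The inline comment could name the source, e.g. `# substituted from the AZ_IDENTITY_NAME var in kustomization.yaml; must equal the AzureIdentity metadata.name`. The same applies to the bindings in `eventhub-credentials-sync/azure/az-identity.yaml` and in both `registry-credentials-sync` az-identity.yaml files.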
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/config-patches.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/config-patches.yaml
index 3d0ffac40991ba338a3abba5ad13c55f2c0925d2..8e8bc3a35abc0a1a21f1c5837b2c783a7b8c764f 100644
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/config-patches.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/config-patches.yaml
@@ -23,15 +23,6 @@ spec:
   clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
   resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write
   type: 0
----
-apiVersion: aadpodidentity.k8s.io/v1
-kind: AzureIdentityBinding
-metadata:
-  name: lab
-  namespace: flux-system
-spec:
-  azureIdentity: jwt-lab
-  selector: jwt-lab
 
 # Set the reconcile period + specify the pod-identity via the aadpodidbinding label
 ---
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kubectl-patch.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kubectl-patch.yaml
deleted file mode 100644
index d05c07e597668d558ebf01a0760c48f0542ac70a..0000000000000000000000000000000000000000
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kubectl-patch.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: batch/v1beta1
-kind: CronJob
-metadata:
-  name: credentials-sync-eventhub
-  namespace: flux-system
-spec:
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          initContainers:
-            - image: bitnami/kubectl
-              securityContext:
-                privileged: false
-                readOnlyRootFilesystem: true
-                allowPrivilegeEscalation: false
-              name: copy-kubectl
-              # it's okay to do this because kubectl is a statically linked binary
-              command:
-                - sh
-                - -ceu
-                - cp $(which kubectl) /kbin/
-              resources: {}
-              volumeMounts:
-                - name: kbin
-                  mountPath: /kbin
-          containers:
-            - name: sync
-              volumeMounts:
-                - name: kbin
-                  mountPath: /kbin
-          volumes:
-            - name: kbin
-              emptyDir: {}
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomization.yaml
index 14a0d59ff3538013b9bc4a35d1b7f71120ad3869..f5ca8d5580c66395f1bc72b512bf36144f802651 100644
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomization.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomization.yaml
@@ -14,7 +14,6 @@ resources:
 
 patchesStrategicMerge:
   - config-patches.yaml
-  - kubectl-patch.yaml
   - reconcile-patch.yaml
 
 vars:
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml
index 175f04a29544d00c2c0000493fb7cea43434a163..09c76747588935004f084252252f075062c7db0c 100644
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml
@@ -1,3 +1,7 @@
 varReference:
-  - path: spec/jobTemplate/spec/template/metadata/labels
-    kind: CronJob
+- path: spec/jobTemplate/spec/template/metadata/labels
+  kind: CronJob
+- path: spec/azureIdentity
+  kind: AzureIdentityBinding
+- path: spec/selector
+  kind: AzureIdentityBinding
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/config-patches.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/config-patches.yaml
index b2374ac04c6cd91af63d4502b39d16187d3d009e..5eb1d2629de8d717147ae72a0789059d3334cf49 100644
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/config-patches.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/config-patches.yaml
@@ -3,7 +3,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: credentials-sync-eventhub
-  namespace: flux-system
 data:
   KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
   ADDRESS: "fluxv2" # the Azure Event Hub name
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kubectl-patch.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kubectl-patch.yaml
deleted file mode 100644
index d05c07e597668d558ebf01a0760c48f0542ac70a..0000000000000000000000000000000000000000
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kubectl-patch.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: batch/v1beta1
-kind: CronJob
-metadata:
-  name: credentials-sync-eventhub
-  namespace: flux-system
-spec:
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          initContainers:
-            - image: bitnami/kubectl
-              securityContext:
-                privileged: false
-                readOnlyRootFilesystem: true
-                allowPrivilegeEscalation: false
-              name: copy-kubectl
-              # it's okay to do this because kubectl is a statically linked binary
-              command:
-                - sh
-                - -ceu
-                - cp $(which kubectl) /kbin/
-              resources: {}
-              volumeMounts:
-                - name: kbin
-                  mountPath: /kbin
-          containers:
-            - name: sync
-              volumeMounts:
-                - name: kbin
-                  mountPath: /kbin
-          volumes:
-            - name: kbin
-              emptyDir: {}
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomization.yaml
index 109f3a07d53f28e4f5443dbdfb10070171da749b..c67b113dd01b24ac34bfaf7d5a21ea736ce726a4 100644
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomization.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomization.yaml
@@ -14,8 +14,4 @@ resources:
 
 patchesStrategicMerge:
   - config-patches.yaml
-  - kubectl-patch.yaml
   - reconcile-patch.yaml
-
-configurations:
-  - kustomizeconfig.yaml
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomizeconfig.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomizeconfig.yaml
deleted file mode 100644
index 175f04a29544d00c2c0000493fb7cea43434a163..0000000000000000000000000000000000000000
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomizeconfig.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-varReference:
-  - path: spec/jobTemplate/spec/template/metadata/labels
-    kind: CronJob
diff --git a/manifests/integrations/eventhub-credentials-sync/azure/az-identity.yaml b/manifests/integrations/eventhub-credentials-sync/azure/az-identity.yaml
index 1591126b0bdf40e58d5b4b1e8ce04ffa82352b20..32d8b5742e68a501cd9f085fbe46f6f44319a836 100644
--- a/manifests/integrations/eventhub-credentials-sync/azure/az-identity.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/azure/az-identity.yaml
@@ -9,8 +9,8 @@ metadata:
 apiVersion: aadpodidentity.k8s.io/v1
 kind: AzureIdentityBinding
 metadata:
-  name: lab
+  name: lab # this can have a different name, but it's nice to keep them the same
   namespace: flux-system
 spec:
-  azureIdentity: lab
-  selector: lab
+  azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
+  selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
diff --git a/manifests/integrations/eventhub-credentials-sync/azure/config-patches.yaml b/manifests/integrations/eventhub-credentials-sync/azure/config-patches.yaml
index c285ed2c426234657943754ed84436f6b8d49e1e..3967cbb795a706e51883a49c5e76cb6684999b96 100644
--- a/manifests/integrations/eventhub-credentials-sync/azure/config-patches.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/azure/config-patches.yaml
@@ -24,15 +24,6 @@ spec:
   clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
   resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write
   type: 0
----
-apiVersion: aadpodidentity.k8s.io/v1
-kind: AzureIdentityBinding
-metadata:
-  name: lab
-  namespace: flux-system
-spec:
-  azureIdentity: jwt-lab
-  selector: jwt-lab
 
 # Specify the pod-identity via the aadpodidbinding label
 ---
diff --git a/manifests/integrations/eventhub-credentials-sync/azure/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/azure/kustomization.yaml
index 14a0d59ff3538013b9bc4a35d1b7f71120ad3869..f5ca8d5580c66395f1bc72b512bf36144f802651 100644
--- a/manifests/integrations/eventhub-credentials-sync/azure/kustomization.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/azure/kustomization.yaml
@@ -14,7 +14,6 @@ resources:
 
 patchesStrategicMerge:
   - config-patches.yaml
-  - kubectl-patch.yaml
   - reconcile-patch.yaml
 
 vars:
diff --git a/manifests/integrations/eventhub-credentials-sync/azure/kustomizeconfig.yaml b/manifests/integrations/eventhub-credentials-sync/azure/kustomizeconfig.yaml
index afd68fe5de0524199549ab8c094377089ffbec79..da4d902df75ff83ac0c18ec7878ca54507040328 100644
--- a/manifests/integrations/eventhub-credentials-sync/azure/kustomizeconfig.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/azure/kustomizeconfig.yaml
@@ -1,3 +1,7 @@
 varReference:
 - path: spec/template/metadata/labels
   kind: Deployment
+- path: spec/azureIdentity
+  kind: AzureIdentityBinding
+- path: spec/selector
+  kind: AzureIdentityBinding
diff --git a/manifests/integrations/eventhub-credentials-sync/generic/kubectl-patch.yaml b/manifests/integrations/eventhub-credentials-sync/generic/kubectl-patch.yaml
deleted file mode 100644
index 65226a0f79f79b2e76c00e006096381c8cdcc896..0000000000000000000000000000000000000000
--- a/manifests/integrations/eventhub-credentials-sync/generic/kubectl-patch.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: credentials-sync-eventhub
-  namespace: flux-system
-spec:
-  template:
-    spec:
-      initContainers:
-        - image: bitnami/kubectl
-          securityContext:
-            privileged: false
-            readOnlyRootFilesystem: true
-            allowPrivilegeEscalation: false
-          name: copy-kubectl
-          # it's okay to do this because kubectl is a statically linked binary
-          command:
-            - sh
-            - -ceu
-            - cp $(which kubectl) /kbin/
-          resources: {}
-          volumeMounts:
-            - name: kbin
-              mountPath: /kbin
-      containers:
-        - name: sync
-          volumeMounts:
-            - name: kbin
-              mountPath: /kbin
-      volumes:
-        - name: kbin
-          emptyDir: {}
diff --git a/manifests/integrations/eventhub-credentials-sync/generic/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/generic/kustomization.yaml
index 109f3a07d53f28e4f5443dbdfb10070171da749b..c67b113dd01b24ac34bfaf7d5a21ea736ce726a4 100644
--- a/manifests/integrations/eventhub-credentials-sync/generic/kustomization.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/generic/kustomization.yaml
@@ -14,8 +14,4 @@ resources:
 
 patchesStrategicMerge:
   - config-patches.yaml
-  - kubectl-patch.yaml
   - reconcile-patch.yaml
-
-configurations:
-  - kustomizeconfig.yaml
diff --git a/manifests/integrations/eventhub-credentials-sync/generic/kustomizeconfig.yaml b/manifests/integrations/eventhub-credentials-sync/generic/kustomizeconfig.yaml
deleted file mode 100644
index afd68fe5de0524199549ab8c094377089ffbec79..0000000000000000000000000000000000000000
--- a/manifests/integrations/eventhub-credentials-sync/generic/kustomizeconfig.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-varReference:
-- path: spec/template/metadata/labels
-  kind: Deployment
diff --git a/manifests/integrations/registry-credentials-sync/aws/kubectl-patch.yaml b/manifests/integrations/registry-credentials-sync/_base/kubectl-patch.yaml
similarity index 100%
rename from manifests/integrations/registry-credentials-sync/aws/kubectl-patch.yaml
rename to manifests/integrations/registry-credentials-sync/_base/kubectl-patch.yaml
diff --git a/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml
index c26a2c0ab0d5e058948dff58bd308ba31ad3fe0c..2218f2b8f3100ca5cc91c78fbb04d90632425a67 100644
--- a/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml
@@ -7,6 +7,9 @@ commonLabels:
 resources:
 - sync.yaml
 
+patchesStrategicMerge:
+  - kubectl-patch.yaml
+
 vars:
 - name: KUBE_SECRET
   objref:
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kubectl-patch.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kubectl-patch.yaml
similarity index 100%
rename from manifests/integrations/registry-credentials-sync/_cronjobs/aws/kubectl-patch.yaml
rename to manifests/integrations/registry-credentials-sync/_cronjobs/_base/kubectl-patch.yaml
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml
index c26a2c0ab0d5e058948dff58bd308ba31ad3fe0c..2218f2b8f3100ca5cc91c78fbb04d90632425a67 100644
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml
@@ -7,6 +7,9 @@ commonLabels:
 resources:
 - sync.yaml
 
+patchesStrategicMerge:
+  - kubectl-patch.yaml
+
 vars:
 - name: KUBE_SECRET
   objref:
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml
index 11eea1b4622f7157363581177b39e2cd63edb622..6e58e58bb443a4dc01d6fc44acc145933539d6fc 100644
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml
@@ -14,7 +14,6 @@ bases:
 
 patchesStrategicMerge:
 - config-patches.yaml
-- kubectl-patch.yaml
 - reconcile-patch.yaml
 
 ## uncomment if using encrypted-secret.yaml
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/az-identity.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/az-identity.yaml
index c3c6be81e3ac83dae8d3f4173f100d3212e2f64d..8b365507c733797204becf225c56cb90b133aa42 100644
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/az-identity.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/az-identity.yaml
@@ -5,3 +5,12 @@ kind: AzureIdentity
 metadata:
   name: credentials-sync  # if this is changed, also change in config-patches.yaml
   namespace: flux-system
+---
+apiVersion: aadpodidentity.k8s.io/v1
+kind: AzureIdentityBinding
+metadata:
+  name: credentials-sync  # this can have a different name, but it's nice to keep them the same
+  namespace: flux-system
+spec:
+  azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
+  selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml
index 1dd497e05489bec2272d54ec73fcca7bc4f4c005..54c333a989e78e30f1a930353137346d356a4bdf 100644
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml
@@ -14,7 +14,6 @@ resources:
 
 patchesStrategicMerge:
 - config-patches.yaml
-- kubectl-patch.yaml
 - reconcile-patch.yaml
 
 vars:
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml
index 22524c1d750ffdcbce997314084ea91337d482af..09c76747588935004f084252252f075062c7db0c 100644
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml
@@ -1,3 +1,7 @@
 varReference:
 - path: spec/jobTemplate/spec/template/metadata/labels
-  kind: Deployment
+  kind: CronJob
+- path: spec/azureIdentity
+  kind: AzureIdentityBinding
+- path: spec/selector
+  kind: AzureIdentityBinding
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/reconcile-patch.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/reconcile-patch.yaml
index 5b5ced3f79e6a3032ef2a5932beb8b17f2835f4c..84dea7d3f4eb6433222a8bdb57c208f1bca8e20f 100644
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/reconcile-patch.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/reconcile-patch.yaml
@@ -10,7 +10,7 @@ spec:
         spec:
           containers:
           - name: sync
-            image: aws/aws-cli
+            image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine
             env:
             - name: RECONCILE_SH
               value: |-
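Review bot: The new `image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine` uses a floating tag, so the container that handles registry credentials can change content between runs without any change in this repository. Pinning to a release tag and digest keeps the job reproducible and reviewable, e.g. `image: gcr.io/google.com/cloudsdktool/cloud-sdk:<VERSION>-alpine@sha256:<DIGEST>`. The same line in `registry-credentials-sync/gcp/reconcile-patch.yaml` needs the same pin. The container spec continues outside the hunk.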
diff --git a/manifests/integrations/registry-credentials-sync/aws/kustomization.yaml b/manifests/integrations/registry-credentials-sync/aws/kustomization.yaml
index 11eea1b4622f7157363581177b39e2cd63edb622..6e58e58bb443a4dc01d6fc44acc145933539d6fc 100644
--- a/manifests/integrations/registry-credentials-sync/aws/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/aws/kustomization.yaml
@@ -14,7 +14,6 @@ bases:
 
 patchesStrategicMerge:
 - config-patches.yaml
-- kubectl-patch.yaml
 - reconcile-patch.yaml
 
 ## uncomment if using encrypted-secret.yaml
diff --git a/manifests/integrations/registry-credentials-sync/azure/az-identity.yaml b/manifests/integrations/registry-credentials-sync/azure/az-identity.yaml
index c3c6be81e3ac83dae8d3f4173f100d3212e2f64d..8b365507c733797204becf225c56cb90b133aa42 100644
--- a/manifests/integrations/registry-credentials-sync/azure/az-identity.yaml
+++ b/manifests/integrations/registry-credentials-sync/azure/az-identity.yaml
@@ -5,3 +5,12 @@ kind: AzureIdentity
 metadata:
   name: credentials-sync  # if this is changed, also change in config-patches.yaml
   namespace: flux-system
+---
+apiVersion: aadpodidentity.k8s.io/v1
+kind: AzureIdentityBinding
+metadata:
+  name: credentials-sync  # this can have a different name, but it's nice to keep them the same
+  namespace: flux-system
+spec:
+  azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
+  selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
diff --git a/manifests/integrations/registry-credentials-sync/azure/kubectl-patch.yaml b/manifests/integrations/registry-credentials-sync/azure/kubectl-patch.yaml
deleted file mode 100644
index b054d7ce5badf689ae6cd1c87f36077c3e981e3a..0000000000000000000000000000000000000000
--- a/manifests/integrations/registry-credentials-sync/azure/kubectl-patch.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: credentials-sync
-  namespace: flux-system
-spec:
-  template:
-    spec:
-      initContainers:
-      - image: bitnami/kubectl
-        name: copy-kubectl
-        # it's okay to do this because kubectl is a statically linked binary
-        command:
-        - sh
-        - -ceu
-        - cp $(which kubectl) /kbin/
-        resources: {}
-        volumeMounts:
-        - name: kbin
-          mountPath: /kbin
-      containers:
-      - name: sync
-        volumeMounts:
-        - name: kbin
-          mountPath: /kbin
-      volumes:
-      - name: kbin
-        emptyDir: {}
diff --git a/manifests/integrations/registry-credentials-sync/azure/kustomization.yaml b/manifests/integrations/registry-credentials-sync/azure/kustomization.yaml
index 1dd497e05489bec2272d54ec73fcca7bc4f4c005..54c333a989e78e30f1a930353137346d356a4bdf 100644
--- a/manifests/integrations/registry-credentials-sync/azure/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/azure/kustomization.yaml
@@ -14,7 +14,6 @@ resources:
 
 patchesStrategicMerge:
 - config-patches.yaml
-- kubectl-patch.yaml
 - reconcile-patch.yaml
 
 vars:
diff --git a/manifests/integrations/registry-credentials-sync/azure/kustomizeconfig.yaml b/manifests/integrations/registry-credentials-sync/azure/kustomizeconfig.yaml
index afd68fe5de0524199549ab8c094377089ffbec79..da4d902df75ff83ac0c18ec7878ca54507040328 100644
--- a/manifests/integrations/registry-credentials-sync/azure/kustomizeconfig.yaml
+++ b/manifests/integrations/registry-credentials-sync/azure/kustomizeconfig.yaml
@@ -1,3 +1,7 @@
 varReference:
 - path: spec/template/metadata/labels
   kind: Deployment
+- path: spec/azureIdentity
+  kind: AzureIdentityBinding
+- path: spec/selector
+  kind: AzureIdentityBinding
diff --git a/manifests/integrations/registry-credentials-sync/gcp/reconcile-patch.yaml b/manifests/integrations/registry-credentials-sync/gcp/reconcile-patch.yaml
index 9c78e4f4db28d993bcbd0c1a6283f49b7843fc43..8b637f3ff507a1df348582a098e5fb1fbe8f2cc2 100644
--- a/manifests/integrations/registry-credentials-sync/gcp/reconcile-patch.yaml
+++ b/manifests/integrations/registry-credentials-sync/gcp/reconcile-patch.yaml
@@ -9,7 +9,7 @@ spec:
     spec:
       containers:
       - name: sync
-        image: aws/aws-cli
+        image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine
         env:
         - name: RECONCILE_SH
           value: |-