diff --git a/manifests/integrations/eventhub-credentials-sync/_base/kubectl-patch.yaml b/manifests/integrations/eventhub-credentials-sync/_base/kubectl-patch.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..65226a0f79f79b2e76c00e006096381c8cdcc896
--- /dev/null
+++ b/manifests/integrations/eventhub-credentials-sync/_base/kubectl-patch.yaml
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: credentials-sync-eventhub
+ namespace: flux-system
+spec:
+ template:
+ spec:
+ initContainers:
+ - image: bitnami/kubectl
+ securityContext:
+ privileged: false
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ name: copy-kubectl
+ # it's okay to do this because kubectl is a statically linked binary
+ command:
+ - sh
+ - -ceu
+ - cp $(which kubectl) /kbin/
+ resources: {}
+ volumeMounts:
+ - name: kbin
+ mountPath: /kbin
+ containers:
+ - name: sync
+ volumeMounts:
+ - name: kbin
+ mountPath: /kbin
+ volumes:
+ - name: kbin
+ emptyDir: {}
diff --git a/manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml
index dfd56766df09ef46f0c3911750ac2d6acfe95c75..7250314869c4e992df07259b266034d50bc949b0 100644
--- a/manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml
@@ -7,6 +7,9 @@ commonLabels: resources: - sync.yaml +patchesStrategicMerge: + - kubectl-patch.yaml + vars: - name: KUBE_SECRET objref:
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kubectl-patch.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kubectl-patch.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..8d2164b1664af315598576e6b2047d8e8a4f8007
--- /dev/null
+++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kubectl-patch.yaml
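Review bot: `image: bitnami/kubectl` on the `copy-kubectl` init container has no tag or digest, so it resolves to the mutable `latest` tag and the binary that ends up in `/kbin` for the `sync` container can change without any reviewed commit. The workload is named credentials-sync and runs in `flux-system`, so it presumably handles secrets; pin the image, for example `image: bitnami/kubectl:<version>@sha256:<digest>` (placeholders), and choose a version within the supported skew of the cluster. The same unpinned line appears in the three other `kubectl-patch.yaml` files added by this commit. A short comment next to the image saying who bumps the pin would also help.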
@@ -0,0 +1,30 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: credentials-sync-eventhub
+ namespace: flux-system
+spec:
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ initContainers:
+ - image: bitnami/kubectl
+ name: copy-kubectl
+ # it's okay to do this because kubectl is a statically linked binary
+ command:
+ - sh
+ - -ceu
+ - cp $(which kubectl) /kbin/
+ resources: {}
+ volumeMounts:
+ - name: kbin
+ mountPath: /kbin
+ containers:
+ - name: sync
+ volumeMounts:
+ - name: kbin
+ mountPath: /kbin
+ volumes:
+ - name: kbin
+ emptyDir: {}
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml
index dfd56766df09ef46f0c3911750ac2d6acfe95c75..7250314869c4e992df07259b266034d50bc949b0 100644
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml
@@ -7,6 +7,9 @@ commonLabels: resources: - sync.yaml +patchesStrategicMerge: + - kubectl-patch.yaml + vars: - name: KUBE_SECRET objref:
diff --git a/manifests/integrations/registry-credentials-sync/_base/kubectl-patch.yaml b/manifests/integrations/registry-credentials-sync/_base/kubectl-patch.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b054d7ce5badf689ae6cd1c87f36077c3e981e3a
--- /dev/null
+++ b/manifests/integrations/registry-credentials-sync/_base/kubectl-patch.yaml
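Review bot: The `copy-kubectl` init container in this CronJob patch carries no `securityContext`, although the eventhub Deployment patch in the same commit restricts the identical container. The container only copies one file into the `kbin` emptyDir, so the same restrictions should hold here, and a read-only root filesystem does not block the `cp` because `/kbin` is a separate volume mount. Both registry-credentials-sync patches (Deployment and CronJob) omit the block as well. The lines below are the ones from the Deployment patch and need to be indented to this file's container level.

```yaml
- image: bitnami/kubectl
  securityContext:
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
  name: copy-kubectl
  # … unchanged: command, resources, volumeMounts …
```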
@@ -0,0 +1,28 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: credentials-sync
+ namespace: flux-system
+spec:
+ template:
+ spec:
+ initContainers:
+ - image: bitnami/kubectl
+ name: copy-kubectl
+ # it's okay to do this because kubectl is a statically linked binary
+ command:
+ - sh
+ - -ceu
+ - cp $(which kubectl) /kbin/
+ resources: {}
+ volumeMounts:
+ - name: kbin
+ mountPath: /kbin
+ containers:
+ - name: sync
+ volumeMounts:
+ - name: kbin
+ mountPath: /kbin
+ volumes:
+ - name: kbin
+ emptyDir: {}
diff --git a/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml
index c26a2c0ab0d5e058948dff58bd308ba31ad3fe0c..2218f2b8f3100ca5cc91c78fbb04d90632425a67 100644
--- a/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml
@@ -7,6 +7,9 @@ commonLabels: resources: - sync.yaml +patchesStrategicMerge: + - kubectl-patch.yaml + vars: - name: KUBE_SECRET objref:
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kubectl-patch.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kubectl-patch.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b4d83e225dea5a10109fa363905769dfd4589033
--- /dev/null
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kubectl-patch.yaml
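Review bot: The `sync` container mounts `kbin` read-write, so the process that executes kubectl is also able to overwrite it. Adding `readOnly: true` beneath its `mountPath: /kbin` entry keeps the copied binary immutable once the init container has finished; the init container's own mount has to stay writable for the `cp`. The other three `kubectl-patch.yaml` files in this commit have the same writable mount. Whether `/kbin` is on the `sync` container's PATH is not visible in this hunk, so a comment on the mount stating how the sync script locates kubectl would help.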
@@ -0,0 +1,30 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: credentials-sync
+ namespace: flux-system
+spec:
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ initContainers:
+ - image: bitnami/kubectl
+ name: copy-kubectl
+ # it's okay to do this because kubectl is a statically linked binary
+ command:
+ - sh
+ - -ceu
+ - cp $(which kubectl) /kbin/
+ resources: {}
+ volumeMounts:
+ - name: kbin
+ mountPath: /kbin
+ containers:
+ - name: sync
+ volumeMounts:
+ - name: kbin
+ mountPath: /kbin
+ volumes:
+ - name: kbin
+ emptyDir: {}
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml
index c26a2c0ab0d5e058948dff58bd308ba31ad3fe0c..2218f2b8f3100ca5cc91c78fbb04d90632425a67 100644
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml
@@ -7,6 +7,9 @@ commonLabels: resources: - sync.yaml +patchesStrategicMerge: + - kubectl-patch.yaml + vars: - name: KUBE_SECRET objref:
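Review bot: `apiVersion: batch/v1beta1` for the CronJob is no longer served from Kubernetes 1.25 onward, while `batch/v1` has been available since 1.21. A strategic-merge patch has to match the apiVersion of the resource it targets in `sync.yaml`, which is outside this diff, so the base and this patch would need to move to `apiVersion: batch/v1` together. The eventhub-credentials-sync CronJob patch in this commit carries the same value.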