Closed grubint closed 3 weeks ago
Alternatively, allow defining AZURE_CLIENT_ID for the source-controller, as described here.
In the meantime, another workaround based on the Flux FAQ:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: source-controller
  namespace: flux-system
  annotations:
    kustomize.toolkit.fluxcd.io/prune: disabled
    kustomize.toolkit.fluxcd.io/ssa: merge
spec:
  selector:
    matchLabels:
      app: source-controller
  template:
    metadata:
      labels:
        app: source-controller
        app.kubernetes.io/name: microsoft.flux
    spec:
      containers:
        - name: manager
          env:
            - name: AZURE_CLIENT_ID
              value: <Kubelet Managed Identity Client ID>
```
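Added example, not from this thread or the Flux project: a small stdlib-only emulation of the keyed-list merge that `kustomize.toolkit.fluxcd.io/ssa: merge` relies on, so you can see that the patch above adds `AZURE_CLIENT_ID` to the existing `manager` container without replacing its image or its other environment variables, and a check that the `<Kubelet Managed Identity Client ID>` placeholder was actually swapped for a GUID before the patch goes to the cluster. The base Deployment, its image tag and the `RUNTIME_NAMESPACE` variable are constructed for the example and are assumptions, not what the AKS extension really ships.

```python
import copy
import re

# Constructed stand-in for the Deployment the extension installs (assumption:
# only the fields needed to show the merge; image tag is made up).
BASE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "source-controller", "namespace": "flux-system"},
    "spec": {
        "template": {
            "spec": {
                "containers": [
                    {
                        "name": "manager",
                        "image": "ghcr.io/fluxcd/source-controller:v1.0.0",  # constructed
                        "env": [{"name": "RUNTIME_NAMESPACE", "value": "flux-system"}],
                    }
                ]
            }
        }
    },
}

# Azure client IDs are GUIDs; anything else (including the literal placeholder
# from the YAML) must not reach the pod environment.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def validate_client_id(client_id):
    return bool(GUID_RE.match(client_id))


def patch_for(client_id):
    """The workaround patch from the comment above, as a dict."""
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {
            "name": "source-controller",
            "namespace": "flux-system",
            "annotations": {
                "kustomize.toolkit.fluxcd.io/prune": "disabled",
                "kustomize.toolkit.fluxcd.io/ssa": "merge",
            },
        },
        "spec": {
            "template": {
                "spec": {
                    "containers": [
                        {"name": "manager",
                         "env": [{"name": "AZURE_CLIENT_ID", "value": client_id}]}
                    ]
                }
            }
        },
    }


# Kubernetes merges these lists by a key instead of replacing them wholesale.
MERGE_KEYS = {"containers": "name", "env": "name"}


def merge(base, patch, key=None):
    """Merge patch into a copy of base: dicts recurse, keyed lists merge by key,
    everything else is overwritten by the patch value."""
    if isinstance(base, dict) and isinstance(patch, dict):
        out = copy.deepcopy(base)
        for k, v in patch.items():
            out[k] = merge(base[k], v, MERGE_KEYS.get(k)) if k in base else copy.deepcopy(v)
        return out
    if isinstance(base, list) and isinstance(patch, list) and key:
        out = copy.deepcopy(base)
        for item in patch:
            for i, existing in enumerate(out):
                if existing.get(key) == item.get(key):
                    out[i] = merge(existing, item)
                    break
            else:
                out.append(copy.deepcopy(item))
        return out
    return copy.deepcopy(patch)


def apply_workaround(base, client_id):
    """Refuse placeholders, then merge the patch into the base Deployment."""
    if not validate_client_id(client_id):
        raise ValueError(f"AZURE_CLIENT_ID must be a GUID, got {client_id!r}")
    return merge(base, patch_for(client_id))


def manager_env(deployment):
    containers = deployment["spec"]["template"]["spec"]["containers"]
    manager = next(c for c in containers if c["name"] == "manager")
    return {e["name"]: e["value"] for e in manager["env"]}


if __name__ == "__main__":
    merged = apply_workaround(BASE_DEPLOYMENT, "00000000-0000-0000-0000-000000000000")
    print(manager_env(merged))
```

Applying the patch twice leaves a single `AZURE_CLIENT_ID` entry, which is the idempotent behaviour you want from a reconciled patch; a plain list replacement would instead drop `RUNTIME_NAMESPACE` and any other variable the extension set.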
Hey,

Since version 1.8.0 of the AKS Flux extension, workload identity is supported via the config settings workloadIdentity.enable and workloadIdentity.azureClientId. This is documented here.

With this, Flux can pull images or Helm charts from your private ACR. I will close the issue. Feel free to re-open.
Is your feature request related to a problem? Please describe.
I would like to pull OCI images for HelmRepositories and OCIRepositories from my private ACR registry. The unmanaged Flux installation recommends patching the related service account and deployment, but this is not an option with the extension currently.

Describe the solution you'd like
Give an option to assign a workload identity in --configuration-settings.

Describe alternatives you've considered
I could create an ACR token, push that to a key vault, create a secret with secrets-store-csi referencing it and use it as a secretRef for the mentioned resources.

Additional context
None.