Azure Kubernetes Service

[Feature] FluxCD extension Azure Workload Identity for source-controller #4243

Closed grubint closed 3 weeks ago

grubint commented 3 weeks ago

Is your feature request related to a problem? Please describe. I would like to pull OCI images for helmRepositories and OCIRepositories from my private ACR registry. Unmanaged flux installation recommends patching the related service account and deployment, but this is not an option with the extension currently.

Describe the solution you'd like Give an option to assign a workload identity in --configuration-settings.

Describe alternatives you've considered I could create ACR token, push that to a key vault, create a secret with secrets-store-csi referencing it and use it as a secretRef for the mentioned resources.

Additional context None.

grubint commented 3 weeks ago

Alternatively allow defining AZURE_CLIENT_ID for the source-controller, as described here

grubint commented 3 weeks ago

In the meantime, another workaround based on the Flux FAQ:

# Strategic-merge patch applied through a Flux Kustomization that targets the
# extension-managed source-controller Deployment in flux-system.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: source-controller
  namespace: flux-system
  annotations:
    # Never garbage-collect the extension's Deployment if this patch is removed.
    kustomize.toolkit.fluxcd.io/prune: disabled
    # Server-side apply in merge mode: only the fields below are owned/overwritten,
    # so the extension's own fields on the Deployment stay intact.
    kustomize.toolkit.fluxcd.io/ssa: merge
spec:
  selector:
    matchLabels:
      app: source-controller
  template:
    metadata:
      labels:
        app: source-controller
        app.kubernetes.io/name: microsoft.flux
    spec:
      containers:
        - name: manager
          env:
            # Picked up by the Azure SDK credential chain in source-controller;
            # the kubelet identity must hold AcrPull on the registry.
            - name: AZURE_CLIENT_ID
              value: <Kubelet Managed Identity Client ID>

philwelz commented 3 weeks ago

Hey,

Since version 1.8.0 of the AKS Flux extension, workload identity is supported via the config settings workloadIdentity.enable and workloadIdentity.azureClientId. This is documented here.

With this, Flux can pull images or Helm charts from your private ACR. I will close the issue. Feel free to re-open.
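The following is an added example, not code from the thread or from the AKS project, of what the Flux sources look like once the extension is installed or updated with `--configuration-settings workloadIdentity.enable=true workloadIdentity.azureClientId=<client id>`, as the reply above describes. Both sources use Flux's `provider: azure` so source-controller obtains an ACR token through the federated identity and no `secretRef` (ACR token, Key Vault secret, CSI-mounted secret) is needed. The registry name, repository paths, resource names and the federated-credential subject `system:serviceaccount:flux-system:source-controller` are assumptions for illustration; check the subject and the required `AcrPull` role assignment against the extension documentation.

```yaml
# Added example (not the AKS extension's or Flux's own manifests).
# Prerequisites assumed:
#   - AKS Flux extension >= 1.8.0 with workloadIdentity.enable=true and
#     workloadIdentity.azureClientId=<client id of a user-assigned identity>
#   - that identity has AcrPull on myregistry.azurecr.io (placeholder name)
#   - a federated credential on the identity whose subject is the
#     source-controller service account (assumed here to be
#     system:serviceaccount:flux-system:source-controller)
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: app-manifests
  namespace: flux-system
spec:
  interval: 10m
  url: oci://myregistry.azurecr.io/manifests/app
  ref:
    tag: v1.2.3
  # provider: azure makes source-controller exchange the workload identity
  # token for an ACR access token instead of reading a pull secret.
  provider: azure
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: charts
  namespace: flux-system
spec:
  type: oci
  interval: 10m
  url: oci://myregistry.azurecr.io/helm
  provider: azure
---
# Consumer of the OCIRepository above. No secretRef appears anywhere in this
# file, so there is no long-lived registry credential stored in the cluster.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: app
  namespace: flux-system
spec:
  interval: 10m
  sourceRef:
    kind: OCIRepository
    name: app-manifests
  path: ./
  prune: true
```

After applying, `flux get sources oci -n flux-system` and `flux get sources helm -n flux-system` should report the sources as Ready; an authentication failure there points at the role assignment or the federated-credential subject rather than at the manifests.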