Skip to content

Commit

Permalink
*: add acrpull controller, binding
Browse files Browse the repository at this point in the history
Signed-off-by: Steve Kuznetsov <[email protected]>
  • Loading branch information
stevekuznetsov committed Dec 19, 2024
1 parent 91aa5af commit d4d4a7a
Show file tree
Hide file tree
Showing 25 changed files with 870 additions and 2 deletions.
13 changes: 13 additions & 0 deletions acrpull/Makefile
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
-include ../setup-env.mk

deploy:
kubectl create namespace acrpull --dry-run=client -o json | kubectl apply -f - && \
helm upgrade --install ${HELM_DRY_RUN} acrpull \
deploy/helm/acrpull/ \
--set image=mcr.microsoft.com/aks/msi-acrpull@${ACRPULL_DIGEST} \
--namespace acrpull
.PHONY: deploy

undeploy:
helm uninstall acrpull --namespace acrpull
.PHONY: undeploy
6 changes: 6 additions & 0 deletions acrpull/deploy/helm/acrpull/Chart.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
apiVersion: v2
name: acrpull
description: Controller for injecting pull credentials from managed identities into AKS clusters.
type: application
version: 0.1.0
appVersion: "v0.1.5"
Original file line number Diff line number Diff line change
@@ -0,0 +1,175 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: acrpullbindings.acrpull.microsoft.com
spec:
group: acrpull.microsoft.com
names:
kind: AcrPullBinding
listKind: AcrPullBindingList
plural: acrpullbindings
shortNames:
- apb
- apbs
singular: acrpullbinding
scope: Namespaced
versions:
- name: v1beta2
schema:
openAPIV3Schema:
description: AcrPullBinding is the Schema for the acrpullbindings API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: AcrPullBindingSpec defines the desired state of AcrPullBinding
properties:
acr:
description: ACR holds specifics of the Azure Container Registry for
which credentials are projected.
properties:
cloudConfig:
description: AirgappedCloudConfiguration configures a custom cloud
to interact with when running air-gapped.
properties:
entraAuthorityHost:
description: EntraAuthorityHost configures a custom Entra
host endpoint.
minLength: 1
type: string
resourceManagerAudience:
description: ResourceManagerAudience configures the audience
for which tokens will be requested from Entra.
minLength: 1
type: string
required:
- entraAuthorityHost
- resourceManagerAudience
type: object
environment:
default: PublicCloud
description: Environment specifies the Azure Cloud environment
in which the ACR is deployed.
enum:
- PublicCloud
- USGovernmentCloud
- ChinaCloud
- AirgappedCloud
example: PublicCloud
type: string
scope:
description: |-
Scope defines the scope for the access token, e.g. pull/push access for a repository.
Note: you need to pin it down to the repository level, there is no wildcard available,
however a list of space-delimited scopes is acceptable.
See docs for details: https://distribution.github.io/distribution/spec/auth/scope/
Examples:
repository:my-repository:pull,push
repository:my-repository:pull repository:other-repository:push,pull
example: repository:my-repository:pull,push
minLength: 1
type: string
server:
description: Server is the FQDN for the Azure Container Registry,
e.g. example.azurecr.io
example: example.azurecr.io
type: string
x-kubernetes-validations:
- message: server must be a fully-qualified domain name
rule: isURL('https://' + self) && url('https://' + self).getHostname()
== self
required:
- environment
- scope
- server
type: object
x-kubernetes-validations:
- message: a custom cloud configuration must be present for air-gapped
cloud environments
rule: 'self.environment == ''ArigappedCloud'' ? has(self.cloudConfig)
: !has(self.cloudConfig)'
auth:
description: Auth determines how we will authenticate to the Azure
Container Registry. Only one method may be provided.
properties:
managedIdentity:
description: ManagedIdentity uses Azure Managed Identity to authenticate
with Azure.
properties:
clientID:
description: ClientID is the client identifier for the managed
identity. Either provide the client ID or the resource ID.
example: 1b461305-28be-5271-beda-bd9fd2e24251
type: string
resourceID:
description: ResourceID is the resource identifier for the
managed identity. Either provide the client ID or the resource
ID.
example: /subscriptions/sub-name/resourceGroups/rg-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/1b461305-28be-5271-beda-bd9fd2e24251
type: string
type: object
x-kubernetes-validations:
- message: only client or resource ID can be set
rule: '[has(self.clientID), has(self.resourceID)].exists_one(x,
x)'
workloadIdentity:
description: WorkloadIdentity uses Azure Workload Identity to
authenticate with Azure.
properties:
serviceAccountRef:
description: |-
ServiceAccountName specifies the name of the service account
that should be used when authenticating with WorkloadIdentity.
type: string
type: object
type: object
x-kubernetes-validations:
- message: only one authentication type can be set
rule: '[has(self.managedIdentity), has(self.workloadIdentity)].exists_one(x,
x)'
serviceAccountName:
description: The name of the service account to associate the image
pull secret with.
type: string
type: object
status:
description: AcrPullBindingStatus defines the observed state of AcrPullBinding
properties:
error:
description: Error message if there was an error updating the token.
type: string
lastTokenRefreshTime:
description: Information when was the last time the ACR token was
refreshed.
format: date-time
type: string
tokenExpirationTime:
description: The expiration date of the current ACR token.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
79 changes: 79 additions & 0 deletions acrpull/deploy/helm/acrpull/templates/controller_role.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: acrpull-controller
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- '*'
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- serviceaccounts/token
verbs:
- create
- apiGroups:
- acrpull.microsoft.com
resources:
- acrpullbindings
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- acrpull.microsoft.com
resources:
- acrpullbindings/finalizers
verbs:
- update
- apiGroups:
- acrpull.microsoft.com
resources:
- acrpullbindings/status
verbs:
- get
- patch
- update
- apiGroups:
- msi-acrpull.microsoft.com
resources:
- acrpullbindings
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- msi-acrpull.microsoft.com
resources:
- acrpullbindings/finalizers
verbs:
- update
- apiGroups:
- msi-acrpull.microsoft.com
resources:
- acrpullbindings/status
verbs:
- get
- patch
- update
15 changes: 15 additions & 0 deletions acrpull/deploy/helm/acrpull/templates/controller_role_binding.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: acrpull
app.kubernetes.io/managed-by: Helm
name: acrpull-controller-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: acrpull-controller
subjects:
- kind: ServiceAccount
name: acrpull
namespace: {{ .Values.namespace }}
77 changes: 77 additions & 0 deletions acrpull/deploy/helm/acrpull/templates/deployment.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,77 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: acrpull
namespace: {{ .Values.namespace }}
labels:
app.kubernetes.io/name: acrpull
app.kubernetes.io/managed-by: Helm
spec:
selector:
matchLabels:
app.kubernetes.io/name: acrpull
replicas: 2
template:
metadata:
labels:
app.kubernetes.io/name: acrpull
spec:
securityContext:
runAsNonRoot: true
containers:
- command:
- /manager
args:
- "--health-probe-bind-address=:8081"
- "--metrics-bind-address=127.0.0.1:8080"
- "--leader-elect"
image: "{{ .Values.image }}"
name: acrpull-controller
ports:
- containerPort: 8080
protocol: TCP
name: metrics
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 3000
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
resources:
limits:
cpu: 100m
memory: 100Mi
requests:
cpu: 100m
memory: 20Mi
serviceAccountName: acrpull
terminationGracePeriodSeconds: 10
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
Loading

0 comments on commit d4d4a7a

Please sign in to comment.