-
Notifications
You must be signed in to change notification settings - Fork 58
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Steve Kuznetsov <[email protected]>
- Loading branch information
1 parent
91aa5af
commit d4d4a7a
Showing
25 changed files
with
870 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
-include ../setup-env.mk | ||
|
||
deploy: | ||
kubectl create namespace acrpull --dry-run=client -o json | kubectl apply -f - && \ | ||
helm upgrade --install ${HELM_DRY_RUN} acrpull \ | ||
deploy/helm/acrpull/ \ | ||
--set image=mcr.microsoft.com/aks/msi-acrpull@${ACRPULL_DIGEST} \ | ||
--namespace acrpull | ||
.PHONY: deploy | ||
|
||
undeploy: | ||
helm uninstall acrpull --namespace acrpull | ||
.PHONY: undeploy |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
apiVersion: v2 | ||
name: acrpull | ||
description: Controller for injecting pull credentials from managed identities into AKS clusters. | ||
type: application | ||
version: 0.1.0 | ||
appVersion: "v0.1.5" |
175 changes: 175 additions & 0 deletions
175
acrpull/deploy/helm/acrpull/templates/acrpull.microsoft.com_acrpullbindings.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,175 @@ | ||
--- | ||
apiVersion: apiextensions.k8s.io/v1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
annotations: | ||
controller-gen.kubebuilder.io/version: v0.14.0 | ||
name: acrpullbindings.acrpull.microsoft.com | ||
spec: | ||
group: acrpull.microsoft.com | ||
names: | ||
kind: AcrPullBinding | ||
listKind: AcrPullBindingList | ||
plural: acrpullbindings | ||
shortNames: | ||
- apb | ||
- apbs | ||
singular: acrpullbinding | ||
scope: Namespaced | ||
versions: | ||
- name: v1beta2 | ||
schema: | ||
openAPIV3Schema: | ||
description: AcrPullBinding is the Schema for the acrpullbindings API | ||
properties: | ||
apiVersion: | ||
description: |- | ||
APIVersion defines the versioned schema of this representation of an object. | ||
Servers should convert recognized schemas to the latest internal value, and | ||
may reject unrecognized values. | ||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | ||
type: string | ||
kind: | ||
description: |- | ||
Kind is a string value representing the REST resource this object represents. | ||
Servers may infer this from the endpoint the client submits requests to. | ||
Cannot be updated. | ||
In CamelCase. | ||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | ||
type: string | ||
metadata: | ||
type: object | ||
spec: | ||
description: AcrPullBindingSpec defines the desired state of AcrPullBinding | ||
properties: | ||
acr: | ||
description: ACR holds specifics of the Azure Container Registry for | ||
which credentials are projected. | ||
properties: | ||
cloudConfig: | ||
description: AirgappedCloudConfiguration configures a custom cloud | ||
to interact with when running air-gapped. | ||
properties: | ||
entraAuthorityHost: | ||
description: EntraAuthorityHost configures a custom Entra | ||
host endpoint. | ||
minLength: 1 | ||
type: string | ||
resourceManagerAudience: | ||
description: ResourceManagerAudience configures the audience | ||
for which tokens will be requested from Entra. | ||
minLength: 1 | ||
type: string | ||
required: | ||
- entraAuthorityHost | ||
- resourceManagerAudience | ||
type: object | ||
environment: | ||
default: PublicCloud | ||
description: Environment specifies the Azure Cloud environment | ||
in which the ACR is deployed. | ||
enum: | ||
- PublicCloud | ||
- USGovernmentCloud | ||
- ChinaCloud | ||
- AirgappedCloud | ||
example: PublicCloud | ||
type: string | ||
scope: | ||
description: |- | ||
Scope defines the scope for the access token, e.g. pull/push access for a repository. | ||
Note: you need to pin it down to the repository level, there is no wildcard available, | ||
however a list of space-delimited scopes is acceptable. | ||
See docs for details: https://distribution.github.io/distribution/spec/auth/scope/ | ||
Examples: | ||
repository:my-repository:pull,push | ||
repository:my-repository:pull repository:other-repository:push,pull | ||
example: repository:my-repository:pull,push | ||
minLength: 1 | ||
type: string | ||
server: | ||
description: Server is the FQDN for the Azure Container Registry, | ||
e.g. example.azurecr.io | ||
example: example.azurecr.io | ||
type: string | ||
x-kubernetes-validations: | ||
- message: server must be a fully-qualified domain name | ||
rule: isURL('https://' + self) && url('https://' + self).getHostname() | ||
== self | ||
required: | ||
- environment | ||
- scope | ||
- server | ||
type: object | ||
x-kubernetes-validations: | ||
- message: a custom cloud configuration must be present for air-gapped | ||
cloud environments | ||
rule: 'self.environment == ''ArigappedCloud'' ? has(self.cloudConfig) | ||
: !has(self.cloudConfig)' | ||
auth: | ||
description: Auth determines how we will authenticate to the Azure | ||
Container Registry. Only one method may be provided. | ||
properties: | ||
managedIdentity: | ||
description: ManagedIdentity uses Azure Managed Identity to authenticate | ||
with Azure. | ||
properties: | ||
clientID: | ||
description: ClientID is the client identifier for the managed | ||
identity. Either provide the client ID or the resource ID. | ||
example: 1b461305-28be-5271-beda-bd9fd2e24251 | ||
type: string | ||
resourceID: | ||
description: ResourceID is the resource identifier for the | ||
managed identity. Either provide the client ID or the resource | ||
ID. | ||
example: /subscriptions/sub-name/resourceGroups/rg-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/1b461305-28be-5271-beda-bd9fd2e24251 | ||
type: string | ||
type: object | ||
x-kubernetes-validations: | ||
- message: only client or resource ID can be set | ||
rule: '[has(self.clientID), has(self.resourceID)].exists_one(x, | ||
x)' | ||
workloadIdentity: | ||
description: WorkloadIdentity uses Azure Workload Identity to | ||
authenticate with Azure. | ||
properties: | ||
serviceAccountRef: | ||
description: |- | ||
ServiceAccountName specifies the name of the service account | ||
that should be used when authenticating with WorkloadIdentity. | ||
type: string | ||
type: object | ||
type: object | ||
x-kubernetes-validations: | ||
- message: only one authentication type can be set | ||
rule: '[has(self.managedIdentity), has(self.workloadIdentity)].exists_one(x, | ||
x)' | ||
serviceAccountName: | ||
description: The name of the service account to associate the image | ||
pull secret with. | ||
type: string | ||
type: object | ||
status: | ||
description: AcrPullBindingStatus defines the observed state of AcrPullBinding | ||
properties: | ||
error: | ||
description: Error message if there was an error updating the token. | ||
type: string | ||
lastTokenRefreshTime: | ||
description: Information when was the last time the ACR token was | ||
refreshed. | ||
format: date-time | ||
type: string | ||
tokenExpirationTime: | ||
description: The expiration date of the current ACR token. | ||
format: date-time | ||
type: string | ||
type: object | ||
type: object | ||
served: true | ||
storage: true | ||
subresources: | ||
status: {} |
79 changes: 79 additions & 0 deletions
79
acrpull/deploy/helm/acrpull/templates/controller_role.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,79 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: acrpull-controller | ||
rules: | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- secrets | ||
verbs: | ||
- '*' | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- serviceaccounts | ||
verbs: | ||
- get | ||
- list | ||
- patch | ||
- update | ||
- watch | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- serviceaccounts/token | ||
verbs: | ||
- create | ||
- apiGroups: | ||
- acrpull.microsoft.com | ||
resources: | ||
- acrpullbindings | ||
verbs: | ||
- create | ||
- delete | ||
- get | ||
- list | ||
- patch | ||
- update | ||
- watch | ||
- apiGroups: | ||
- acrpull.microsoft.com | ||
resources: | ||
- acrpullbindings/finalizers | ||
verbs: | ||
- update | ||
- apiGroups: | ||
- acrpull.microsoft.com | ||
resources: | ||
- acrpullbindings/status | ||
verbs: | ||
- get | ||
- patch | ||
- update | ||
- apiGroups: | ||
- msi-acrpull.microsoft.com | ||
resources: | ||
- acrpullbindings | ||
verbs: | ||
- create | ||
- delete | ||
- get | ||
- list | ||
- patch | ||
- update | ||
- watch | ||
- apiGroups: | ||
- msi-acrpull.microsoft.com | ||
resources: | ||
- acrpullbindings/finalizers | ||
verbs: | ||
- update | ||
- apiGroups: | ||
- msi-acrpull.microsoft.com | ||
resources: | ||
- acrpullbindings/status | ||
verbs: | ||
- get | ||
- patch | ||
- update |
15 changes: 15 additions & 0 deletions
15
acrpull/deploy/helm/acrpull/templates/controller_role_binding.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
labels: | ||
app.kubernetes.io/name: acrpull | ||
app.kubernetes.io/managed-by: Helm | ||
name: acrpull-controller-binding | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: acrpull-controller | ||
subjects: | ||
- kind: ServiceAccount | ||
name: acrpull | ||
namespace: {{ .Values.namespace }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,77 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: acrpull | ||
namespace: {{ .Values.namespace }} | ||
labels: | ||
app.kubernetes.io/name: acrpull | ||
app.kubernetes.io/managed-by: Helm | ||
spec: | ||
selector: | ||
matchLabels: | ||
app.kubernetes.io/name: acrpull | ||
replicas: 2 | ||
template: | ||
metadata: | ||
labels: | ||
app.kubernetes.io/name: acrpull | ||
spec: | ||
securityContext: | ||
runAsNonRoot: true | ||
containers: | ||
- command: | ||
- /manager | ||
args: | ||
- "--health-probe-bind-address=:8081" | ||
- "--metrics-bind-address=127.0.0.1:8080" | ||
- "--leader-elect" | ||
image: "{{ .Values.image }}" | ||
name: acrpull-controller | ||
ports: | ||
- containerPort: 8080 | ||
protocol: TCP | ||
name: metrics | ||
securityContext: | ||
runAsNonRoot: true | ||
seccompProfile: | ||
type: RuntimeDefault | ||
allowPrivilegeEscalation: false | ||
capabilities: | ||
drop: | ||
- "ALL" | ||
readOnlyRootFilesystem: true | ||
runAsUser: 1000 | ||
runAsGroup: 3000 | ||
livenessProbe: | ||
httpGet: | ||
path: /healthz | ||
port: 8081 | ||
initialDelaySeconds: 15 | ||
periodSeconds: 20 | ||
readinessProbe: | ||
httpGet: | ||
path: /readyz | ||
port: 8081 | ||
initialDelaySeconds: 5 | ||
periodSeconds: 10 | ||
resources: | ||
limits: | ||
cpu: 100m | ||
memory: 100Mi | ||
requests: | ||
cpu: 100m | ||
memory: 20Mi | ||
serviceAccountName: acrpull | ||
terminationGracePeriodSeconds: 10 | ||
{{- with .Values.nodeSelector }} | ||
nodeSelector: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
{{- with .Values.affinity }} | ||
affinity: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
{{- with .Values.tolerations }} | ||
tolerations: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} |
Oops, something went wrong.