@@ -3424,6 +3424,7 @@ The token is generated for a particular ACR registry defined in <code>spec.regis
</ul>
<p>The generated token will inherit the permissions from the assigned policy. I.e. when you assign a read-only policy all generated tokens will be read-only.
You <strong>must</strong> <a href="https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps">assign a Azure RBAC role</a>, such as <code>AcrPush</code> or <code>AcrPull</code> to the service principal or managed identity in order to be able to authenticate with the Azure container registry API.</p>
+<p>You can also use a kubelet managed identity with the default <code>AcrPull</code> role to authenticate to the integrated Azure Container Registry.</p>
<p>You can scope tokens to a particular repository using <code>spec.scope</code>.</p>
<h2 id="scope">Scope</h2>
<p>First, an Azure Active Directory access token is obtained with the desired authentication method.
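Review bot: the added sentence contradicts the paragraph just above it, which says you must assign an Azure RBAC role; the kubelet managed identity only holds AcrPull on a registry that has been attached to the AKS cluster (`az aks update --attach-acr <registry>`), so "the default AcrPull role" should be qualified rather than presented as a given. Suggested wording: `<p>If the registry is attached to your AKS cluster, the kubelet managed identity already holds <code>AcrPull</code> on it and can be used here; tokens generated with it are pull-only.</p>`. The pull-only remark matters because, as the page states, the generated token inherits the permissions of the identity, so this path cannot produce a push-capable token. While touching this paragraph, the pre-existing "assign a Azure RBAC role" should read "assign an Azure RBAC role".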
@@ -3470,9 +3471,9 @@ repository:my-repository:pull
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">az-secret</span>
<span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">clientid</span>
-<span class="w"> </span><span class="c1"># option 2:</span>
+<span class="w"> </span><span class="c1"># option 2: use a managed identity Client ID</span>
<span class="w"> </span><span class="nt">managedIdentity</span><span class="p">:</span>
-<span class="w"> </span><span class="nt">identityId</span><span class="p">:</span><span class="w"> </span><span class="s">"xxxxx"</span>
+<span class="w"> </span><span class="nt">identityId</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">11111111-2222-3333-4444-111111111111</span>
<span class="w"> </span><span class="c1"># option 3:</span>
<span class="w"> </span><span class="nt">workloadIdentity</span><span class="p">:</span>
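Review bot: the new `identityId` placeholder `11111111-2222-3333-4444-111111111111` is the same value the example added further down uses for `tenantId`; a tenant ID and a managed identity client ID are two unrelated GUIDs, so give each field its own placeholder (e.g. `22222222-...` here) to stop readers pasting one value into both. The updated comment `# option 2: use a managed identity Client ID` is a useful disambiguation (client ID, not the principal/object ID or the ARM resource ID); write `client ID` in lower case to match the surrounding prose, and consider giving options 1 and 3 equally descriptive comments (option 1 reads a client ID/secret from the `az-secret` Secret, option 3 uses a ServiceAccount token via workload identity) so the three blocks are self-explanatory.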
@@ -3481,7 +3482,7 @@ repository:my-repository:pull
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">"my-service-account"</span>
<span class="w"> </span><span class="nt">audiences</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[]</span>
</code></pre></div>
-<p>Example <code>ExternalSecret</code> that references the ACR generator:
+<p>Example <code>ExternalSecret</code> that references the ACR generator:</p>
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
<span class="nt">metadata</span><span class="p">:</span>
@@ -3508,7 +3509,45 @@ repository:my-repository:pull
<span class="w"> </span><span class="no">}</span>
<span class="w"> </span><span class="no">}</span>
<span class="w"> </span><span class="no">}</span>
-</code></pre></div></p>
+</code></pre></div>
+<p>Example using AKS kubelet managed identity to create <a href="https://argo-cd.readthedocs.io/en/latest/operator-manual/declarative-setup/#helm-chart-repositories">Argo CD helm chart repository</a> secret:</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">generators.external-secrets.io/v1alpha1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ACRAccessToken</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">azurecr</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w"> </span><span class="nt">tenantId</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">11111111-2222-3333-4444-111111111111</span>
+<span class="w"> </span><span class="nt">registry</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example.azurecr.io</span>
+<span class="w"> </span><span class="nt">auth</span><span class="p">:</span>
+<span class="w"> </span><span class="nt">managedIdentity</span><span class="p">:</span>
+<span class="w"> </span><span class="nt">identityId</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">11111111-2222-3333-4444-111111111111</span>
+<span class="nn">---</span>
+<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">azurecr-credentials</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w"> </span><span class="nt">dataFrom</span><span class="p">:</span>
+<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">sourceRef</span><span class="p">:</span>
+<span class="w"> </span><span class="nt">generatorRef</span><span class="p">:</span>
+<span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">generators.external-secrets.io/v1alpha1</span>
+<span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ACRAccessToken</span>
+<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">azurecr</span>
+<span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">3h</span>
+<span class="w"> </span><span class="nt">target</span><span class="p">:</span>
+<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">azurecr-credentials</span>
+<span class="w"> </span><span class="nt">template</span><span class="p">:</span>
+<span class="w"> </span><span class="nt">metadata</span><span class="p">:</span>
+<span class="w"> </span><span class="nt">labels</span><span class="p">:</span>
+<span class="w"> </span><span class="nt">argocd.argoproj.io/secret-type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">repository</span>
+<span class="w"> </span><span class="nt">data</span><span class="p">:</span>
+<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">"example.azurecr.io"</span>
+<span class="w"> </span><span class="nt">url</span><span class="p">:</span><span class="w"> </span><span class="s">"example.azurecr.io"</span>
+<span class="w"> </span><span class="nt">username</span><span class="p">:</span><span class="w"> </span><span class="s">"{{</span><span class="nv"> </span><span class="s">.username</span><span class="nv"> </span><span class="s">}}"</span>
+<span class="w"> </span><span class="nt">password</span><span class="p">:</span><span class="w"> </span><span class="s">"{{</span><span class="nv"> </span><span class="s">.password</span><span class="nv"> </span><span class="s">}}"</span>
+<span class="w"> </span><span class="nt">enableOCI</span><span class="p">:</span><span class="w"> </span><span class="s">"true"</span>
+<span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="s">"helm"</span>
+</code></pre></div>
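Review bot: `tenantId` and `auth.managedIdentity.identityId` in the new ACRAccessToken use the identical placeholder `11111111-2222-3333-4444-111111111111`, which hides that they are two different values (the Azure AD tenant ID and the kubelet identity's client ID); use distinct placeholders and tell the reader where the second one comes from, e.g. `az aks show -g <rg> -n <cluster> --query identityProfile.kubeletidentity.clientId -o tsv`. Three more points on the example: (1) neither resource declares a namespace, yet the target Secret is labelled `argocd.argoproj.io/secret-type: repository`, so the ExternalSecret, and the ACRAccessToken it references through `generatorRef` (which must live in the same namespace), have to be created in the Argo CD namespace for Argo CD to pick the credential up; add `namespace: argocd` to both manifests or say so in the lead-in. (2) `refreshInterval: 3h` needs to sit safely below the lifetime of the generated ACR token, otherwise Argo CD is left holding an expired password between rotations; `1h` is a safer default to show. (3) Because the kubelet identity only carries `AcrPull` and the token inherits its permissions, the resulting repository credential is pull-only, which is exactly what a chart source needs; state that next to the example so nobody reuses the pattern expecting a push-capable secret.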