
fix: handle managed identity ClientID or ResourceID in acr generator (#4150)

* fix: use ClientID instead of ResourceID in acr generator

Signed-off-by: Dmytro Bondar <git@bonddim.com>

* Handle both cases: with ClientID and ResourceID

Signed-off-by: Dmytro Bondar <git@bonddim.com>

* Update ACR docs

Signed-off-by: Dmytro Bondar <git@bonddim.com>

---------

Signed-off-by: Dmytro Bondar <git@bonddim.com>
Dmytro Bondar 2024-11-28 14:44:30 +01:00 committed by GitHub
parent 2b5ba15163
commit 08566af7c1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 61 additions and 9 deletions


@ -9,7 +9,6 @@ The token is generated for a particular ACR registry defined in `spec.registry`.
| username | username for the `docker login` command | | username | username for the `docker login` command |
| password | password for the `docker login` command | | password | password for the `docker login` command |
## Authentication ## Authentication
You must choose one out of three authentication mechanisms: You must choose one out of three authentication mechanisms:
@ -21,6 +20,8 @@ You must choose one out of three authentication mechanisms:
The generated token will inherit the permissions from the assigned policy. I.e. when you assign a read-only policy all generated tokens will be read-only. The generated token will inherit the permissions from the assigned policy. I.e. when you assign a read-only policy all generated tokens will be read-only.
You **must** [assign a Azure RBAC role](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps), such as `AcrPush` or `AcrPull` to the service principal or managed identity in order to be able to authenticate with the Azure container registry API. You **must** [assign a Azure RBAC role](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps), such as `AcrPush` or `AcrPull` to the service principal or managed identity in order to be able to authenticate with the Azure container registry API.
You can also use a kubelet managed identity with the default `AcrPull` role to authenticate to the integrated Azure Container Registry.
You can scope tokens to a particular repository using `spec.scope`. You can scope tokens to a particular repository using `spec.scope`.
## Scope ## Scope
@ -49,6 +50,13 @@ repository:my-repository:pull
``` ```
Example `ExternalSecret` that references the ACR generator: Example `ExternalSecret` that references the ACR generator:
```yaml ```yaml
{% include 'generator-acr-example.yaml' %} {% include 'generator-acr-example.yaml' %}
``` ```
Example using AKS kubelet managed identity to create [Argo CD helm chart repository](https://argo-cd.readthedocs.io/en/latest/operator-manual/declarative-setup/#helm-chart-repositories) secret:
```yaml
{% include 'generator-acr-argocd-helm-repo.yaml' %}
```


@ -0,0 +1,38 @@
{% raw %}
apiVersion: generators.external-secrets.io/v1alpha1
kind: ACRAccessToken
metadata:
name: azurecr
spec:
tenantId: 11111111-2222-3333-4444-111111111111
registry: example.azurecr.io
auth:
managedIdentity:
identityId: 11111111-2222-3333-4444-111111111111
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: azurecr-credentials
spec:
dataFrom:
- sourceRef:
generatorRef:
apiVersion: generators.external-secrets.io/v1alpha1
kind: ACRAccessToken
name: azurecr
refreshInterval: 3h
target:
name: azurecr-credentials
template:
metadata:
labels:
argocd.argoproj.io/secret-type: repository
data:
name: "example.azurecr.io"
url: "example.azurecr.io"
username: "{{ .username }}"
password: "{{ .password }}"
enableOCI: "true"
type: "helm"
{% endraw %}


@ -28,13 +28,13 @@ spec:
name: az-secret name: az-secret
key: clientid key: clientid
# option 2: # option 2: use a managed identity Client ID
managedIdentity: managedIdentity:
identityId: "xxxxx" identityId: 11111111-2222-3333-4444-111111111111
# option 3: # option 3:
workloadIdentity: workloadIdentity:
# note: you can reference service accounts across namespaces. # note: you can reference service accounts across namespaces.
serviceAccountRef: serviceAccountRef:
name: "my-service-account" name: "my-service-account"
audiences: [] audiences: []


@ -282,12 +282,18 @@ func accessTokenForWorkloadIdentity(ctx context.Context, crClient client.Client,
} }
func accessTokenForManagedIdentity(ctx context.Context, envType v1beta1.AzureEnvironmentType, identityID string) (string, error) { func accessTokenForManagedIdentity(ctx context.Context, envType v1beta1.AzureEnvironmentType, identityID string) (string, error) {
// handle workload identity // handle managed identity
creds, err := azidentity.NewManagedIdentityCredential( var opts *azidentity.ManagedIdentityCredentialOptions
&azidentity.ManagedIdentityCredentialOptions{ if strings.Contains(identityID, "/") {
opts = &azidentity.ManagedIdentityCredentialOptions{
ID: azidentity.ResourceID(identityID), ID: azidentity.ResourceID(identityID),
}, }
) } else {
opts = &azidentity.ManagedIdentityCredentialOptions{
ID: azidentity.ClientID(identityID),
}
}
creds, err := azidentity.NewManagedIdentityCredential(opts)
if err != nil { if err != nil {
return "", err return "", err
} }
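Review bot: The `strings.Contains(identityID, "/")` test that now chooses between `ResourceID` and `ClientID` is a loose discriminator: a client ID is a GUID and a user-assigned identity resource ID always begins with `/subscriptions/`, so a mistyped value with a stray slash anywhere is silently sent down the resource-ID path and fails later inside the SDK instead of at validation time. I would make the check explicit and document what the spec field accepts, e.g. `// identityId is either the managed identity's client ID (a GUID) or its full ARM resource ID` above `if strings.HasPrefix(identityID, "/subscriptions/") {`. The two near-identical `ManagedIdentityCredentialOptions` literals could also collapse into one by selecting the `ID` value first and building the options once, assuming the vendored azidentity exposes the `ManagedIDKind` interface both `ClientID` and `ResourceID` implement. The hunk assumes `strings` is already imported elsewhere in the file, and the body of accessTokenForManagedIdentity continues past the hunk.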