This repository has been archived by the owner on Feb 15, 2022. It is now read-only.

Allow flux to access ACR via SP #241

Merged (10 commits) on Mar 22, 2019

Contributor

@samiyaakhtar samiyaakhtar commented Mar 21, 2019

Deploy registry secrets for flux to have access to the ACR using an SP. (Flux uses imagePullSecrets to access the ACR and will not have access to it unless this secret is deployed, even if AKS has access. Without the secret, it's able to deploy the manifest but can't poll changes from registry)

This is related to issue #204

@andrebriggs
Member

@samiyaakhtar test failure

TestIT_Bedrock_AzureSimpcommand.go:121: error: exactly one NAME is required, got 0
TestIT_Bedrock_AzureSimpcommand.go:121: See 'kubectl create secret docker-registry -h' for help and examples.
TestIT_Bedrock_AzureSimpcommand.go:121: ERROR: Failed to create registry secret -s

@dtzar
Member

dtzar commented Mar 22, 2019

This adds a generic kubernetes acr secret which the templates would have to explicitly use and technically should be covered by assigning the SP used to provision the cluster permissions to read ACR.
Shouldn't we be using either of these in the flux helm chart:
registry.acr.enabled=true + registry.acr.hostPath OR
registry.dockercfg.enabled + registry.dockercfg.secretName

@dtzar dtzar self-requested a review March 22, 2019 21:25
@@ -52,7 +52,7 @@ fi
# git url: where flux monitors for manifests
# git ssh secret: kubernetes secret object for flux to read/write access to manifests repo
echo "generating flux manifests with helm template"
if ! helm template . --name $RELEASE_NAME --namespace $KUBE_NAMESPACE --values values.yaml --output-dir ./$FLUX_MANIFESTS --set git.url=$GITOPS_SSH_URL --set git.branch=$GITOPS_URL_BRANCH --set git.secretName=$KUBE_SECRET_NAME --set git.path=$GITOPS_PATH --set git.pollInterval=$GITOPS_POLL_INTERVAL; then
if ! helm template . --name $RELEASE_NAME --namespace $KUBE_NAMESPACE --values values.yaml --output-dir ./$FLUX_MANIFESTS --set git.url=$GITOPS_SSH_URL --set git.branch=$GITOPS_URL_BRANCH --set git.secretName=$KUBE_SECRET_NAME --set git.path=$GITOPS_PATH --set git.pollInterval=$GITOPS_POLL_INTERVAL --set registry.acr.enabled=true; then
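
Review bot: `--set registry.acr.enabled=true` on the changed `helm template` line is hard-coded, while every other `--set` on that line takes its value from a variable, so ACR credential access is switched on for every deployment, including clusters that pull from a different registry. Suggest passing it through a variable that defaults to off (for example a hypothetical `$ACR_ENABLED`) so the extra credential exposure is opt-in. Separately, the expansions on this line (`$GITOPS_SSH_URL`, `$GITOPS_PATH`, `./$FLUX_MANIFESTS` and the rest) are unquoted; quoting them as `"$GITOPS_SSH_URL"` and so on keeps a value containing spaces or glob characters from being split into extra `helm` arguments.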

Should add a switch via terraform to enable the ACR access in the event people are NOT using ACR.

@samiyaakhtar samiyaakhtar changed the title from "Deploy registry secrets for flux" to "Allow flux to access ACR via SP" Mar 22, 2019
@dtzar dtzar merged commit ef447bd into microsoft:master Mar 22, 2019
@samiyaakhtar samiyaakhtar deleted the deploy_registry_secrets branch March 22, 2019 22:46