Azure Kubernetes Service (AKS) nodes' kubelet can use the cluster's service principal to fetch images from Azure Container Registry (ACR). If azure.json is projected into the Flux pod, consume the service principal credentials when authenticating to azure container registry. Note that this method may eventually be deprecated, possibly replaced by Managed Identity + OAuth, similar to the GCP implementation. See kubernetes/kubernetes#58034
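As an added illustration of the mechanism described above (example code, not part of this PR or of Flux itself), a small Go program that reads the service principal out of a mounted azure.json and hands it out as registry credentials only for ACR login servers. The sample file is constructed; `aadClientId` and `aadClientSecret` are the key names AKS writes, and the host-scoping rule is this example's own assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed azure.json sample with only the fields used here (not a real SP).
const sampleAzureJSON = `{"aadClientId":"11111111-1111-1111-1111-111111111111",
 "aadClientSecret":"example-secret-not-real"}`

// azureConfig mirrors the azure.json keys that identify the service principal.
type azureConfig struct {
	AADClientID     string `json:"aadClientId"`
	AADClientSecret string `json:"aadClientSecret"`
}

// parseAzureJSON rejects a file with no usable SP, so a half-populated mount never yields an empty-secret login.
func parseAzureJSON(data []byte) (*azureConfig, error) {
	var cfg azureConfig
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, fmt.Errorf("azure.json: %w", err)
	}
	if cfg.AADClientID == "" || cfg.AADClientSecret == "" {
		return nil, fmt.Errorf("azure.json: aadClientId/aadClientSecret missing")
	}
	return &cfg, nil
}

// isACRHost is true only for ACR login servers such as "foo.azurecr.io" (case-insensitive, port ignored).
func isACRHost(host string) bool {
	host, _, _ = strings.Cut(strings.ToLower(host), ":") // drop any port
	return strings.HasSuffix(host, ".azurecr.io") && len(host) > len(".azurecr.io")
}

// credsForHost returns the SP as registry username/password for ACR hosts only, never for other registries.
func credsForHost(cfg *azureConfig, host string) (user, pass string, ok bool) {
	if !isACRHost(host) {
		return "", "", false
	}
	return cfg.AADClientID, cfg.AADClientSecret, true
}

func main() {
	cfg, _ := parseAzureJSON([]byte(sampleAzureJSON))
	_, _, ok := credsForHost(cfg, "myregistry.azurecr.io:443")
	fmt.Println("ACR credentials available:", ok) // true
}
```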
Thanks for this! A point of order: please gofmt files you touch (I noticed this because the added lines have spaces rather than tabs). You can probably set this up as a hook in your favoured editor.
I like the idea that you can just do a hostPath mount to get the credentials, that seems nice and simple. Perhaps consider doing a small explanation in one of the docs files (there's not really a perfect place; site/faq.md would do for now).
I can confirm this is working by adding these changes to the deploy/flux:
Splendid, thank you very much for trying it out @4c74356b41
Awesome! Let me fix the formatting and docs...
ACR user here... Just so I understand, does this PR remove the need to provide Oddly enough, that method works for me, unlike what people are reporting in #1396. But this method looks nicer :-) Also, will this help with ACR Helm authentication at all?
In my experiments, using imagePullSecrets doesn't work if you grant AKS permissions to ACR, so you have to strip AKS permissions on ACR and after that it will work with imagePullSecrets. Not sure what you mean about Helm and ACR. Helm is a client-side tool.
The SP my cluster is using has AcrPull role assignment, and I'm using a different SP (also with AcrPull) for the credentials used in the Re: the ACR Helm thing - sorry I wasn't clear. ACR can also host Helm charts (i.e. it's a Helm repository), but since it's private it requires authentication. https://docs.microsoft.com/en-us/azure/container-registry/container-registry-helm-repos I'm guessing nobody has tried this or looked at it. I tried briefly using the method described here, but it didn't work. It's not an urgent requirement for us at the moment so I haven't made time to investigate further. The authentication method shown in the docs uses an OAuth token which expires after an hour, so not sure this will work. However, when using ACR as a container registry, you can authenticate directly using a service principal (i.e. with
I'm well aware of that. What I don't understand: with Flux all your templates are in the repo already, doesn't matter you have them in a private repo as well? Also, if you have AcrPull for the AKS SP it won't even use imagePullSecrets.
The reason I needed So back to my original question: my guess is that this PR will provide those same credentials (via the host mount) to Flux, so we don't need the We currently have some internal Helm charts published to ACR, so I wanted to see if Flux could install those. However, we don't need to do this, rather we can just install them from GitHub instead. I'm not sure what you mean by
Oh, ok. I didn't know you could do that. I thought it needed charts in the same repo. Indeed Flux doesn't use AKS SP credentials (this is why this PR exists), but what I'm telling you is that the solution worked for you because you didn't have AcrPull for the AKS SP; if you did, it wouldn't.
I have ACR pull on both the AKS SP and the one I use for Before I added
@squaremo corrected whitespace (via gofmt) in 3cb2179, un-exported two methods in df5ca66, added docs to faq.md in cf30277. I think that's all the requested changes. I plumbed the hostPath volume mount into the Helm chart (disabled by default, always readOnly) in 0ce0668. That's an opinionated variant of how
@alanjcastonguay cool, didn't think about readOnly, makes a lot of sense.
@alanjcastonguay This is a thorough job, thank you very much!
hostPath != mountPath Co-Authored-By: alanjcastonguay <[email protected]>
Thanks @alanjcastonguay!
Azure Kubernetes Service (AKS) nodes' kubelet can use the cluster's
service principal to fetch images from Azure Container Registry (ACR).
If azure.json is projected into the Flux pod, consume the service
principal credentials when authenticating to azure container registry.
Note that this method may eventually be deprecated, possibly replaced
by Managed Identity + OAuth, similar to the GCP implementation.
See kubernetes/kubernetes#58034
Prompted by discussion with @squaremo on slack