Skip to content

Commit

Permalink
docs: various nits in specs
Browse files Browse the repository at this point in the history
Signed-off-by: Hidde Beydals <[email protected]>
  • Loading branch information
hiddeco committed Mar 30, 2023
1 parent 4995cff commit 531bb5d
Show file tree
Hide file tree
Showing 2 changed files with 22 additions and 18 deletions.
36 changes: 20 additions & 16 deletions docs/spec/v1beta2/buckets.md
Original file line number Diff line number Diff line change
Expand Up @@ -440,8 +440,8 @@ data:
##### Workload Identity

If you have [Workload Identity mutating webhook](https://azure.github.io/azure-workload-identity/docs/installation/managed-clusters.html)
installed on your cluster. You would need to create an Azure Identity and
give it access to Azure Blob Storage.
installed on your cluster. You need to create an Azure Identity and give it
access to Azure Blob Storage.

```shell
export IDENTITY_NAME="blob-access"
Expand All @@ -451,7 +451,7 @@ az role assignment create --role "Storage Blob Data Reader" \
--scope "/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Storage/storageAccounts/<account-name>/blobServices/default/containers/<container-name>"
```

Establish federated identity between the identity and the source-controller
Establish a federated identity between the Identity and the source-controller
ServiceAccount.

```shell
Expand Down Expand Up @@ -500,7 +500,7 @@ patches:
azure.workload.identity/use: "true"
```

If you have set Workload Identity up correctly and labeled the source-controller
If you have set up Workload Identity correctly and labeled the source-controller
Pod and ServiceAccount, then you don't need to reference a Secret. For more information,
please see [documentation](https://azure.github.io/azure-workload-identity/docs/quick-start.html).

Expand All @@ -520,7 +520,7 @@ spec:
##### Managed Identity with AAD Pod Identity

If you are using [aad pod identity](https://azure.github.io/aad-pod-identity/docs),
you can create an identity that has access to Azure Storage.
You need to create an Azure Identity and give it access to Azure Blob Storage.

```sh
export IDENTITY_NAME="blob-access"
Expand All @@ -533,7 +533,7 @@ export IDENTITY_CLIENT_ID="$(az identity show -n ${IDENTITY_NAME} -g ${RESOURCE_
export IDENTITY_RESOURCE_ID="$(az identity show -n ${IDENTITY_NAME} -otsv --query id)"
```

Create an `AzureIdentity` object that references the identity created above:
Create an AzureIdentity object that references the identity created above:

```yaml
---
Expand All @@ -548,7 +548,8 @@ spec:
type: 0 # user-managed identity
```

Create an `AzureIdentityBinding` object that binds pods with a specific selector with the `AzureIdentity` created:
Create an AzureIdentityBinding object that binds Pods with a specific selector
with the AzureIdentity created:

```yaml
apiVersion: "aadpodidentity.k8s.io/v1"
Expand All @@ -575,8 +576,8 @@ spec:
aadpodidbinding: ${IDENTITY_NAME} # match the AzureIdentity name
```

If you have set aad-pod-identity up correctly and labeled the source-controller
pod, then you don't need to reference a secret.
If you have set up aad-pod-identity correctly and labeled the source-controller
Pod, then you don't need to reference a Secret.

```yaml
apiVersion: source.toolkit.fluxcd.io/v1beta2
Expand Down Expand Up @@ -618,13 +619,16 @@ data:
sasKey: <base64>
```

The sasKey only contains the SAS token e.g `?sv=2020-08-0&ss=bfqt&srt=co&sp=rwdlacupitfx&se=2022-05-26T21:55:35Z&st=2022-05...`.
The leading question mark is optional.
The query values from the `sasKey` data field in the Secrets gets merged with the ones in the `spec.endpoint` of the `Bucket`.
If the same key is present in the both of them, the value in the `sasKey` takes precedence.
The `sasKey` only contains the SAS token e.g
`?sv=2020-08-0&ss=bfqt&srt=co&sp=rwdlacupitfx&se=2022-05-26T21:55:35Z&st=2022-05...`.
The leading question mark (`?`) is optional. The query values from the `sasKey`
data field in the Secrets gets merged with the ones in the `.spec.endpoint` of
the Bucket. If the same key is present in the both of them, the value in the
`sasKey` takes precedence.

**Note:** The SAS token has an expiry date and it must be updated before it expires to allow Flux to
continue to access Azure Storage. It is allowed to use an account-level or container-level SAS token.
**Note:** The SAS token has an expiry date, and it must be updated before it
expires to allow Flux to continue to access Azure Storage. It is allowed to use
an account-level or container-level SAS token.

The minimum permissions for an account-level SAS token are:

Expand Down Expand Up @@ -839,7 +843,7 @@ spec:

### Triggering a reconcile

To manually tell the source-controller to reconcile a Bucket outside of the
To manually tell the source-controller to reconcile a Bucket outside the
[specified interval window](#interval), a Bucket can be annotated with
`reconcile.fluxcd.io/requestedAt: <arbitrary value>`. Annotating the resource
queues the Bucket for reconciliation if the `<arbitrary-value>` differs from
Expand Down
4 changes: 2 additions & 2 deletions docs/spec/v1beta2/helmrepositories.md
Original file line number Diff line number Diff line change
Expand Up @@ -233,7 +233,7 @@ by extension gain access to ACR.
When the kubelet managed identity has access to ACR, source-controller running on
it will also have access to ACR.

##### Workload Identity
##### Azure Workload Identity

When using Workload Identity to enable access to ACR, add the following patch to
your bootstrap repository, in the `flux-system/kustomization.yaml` file:
Expand Down Expand Up @@ -317,7 +317,7 @@ Workload Identity, and by extension gain access to GCR or Artifact Registry.
When the GKE nodes have the appropriate OAuth scope for accessing GCR and Artifact Registry,
source-controller running on it will also have access to them.

#### Workload Identity
#### GKE Workload Identity

When using Workload Identity to enable access to GCR or Artifact Registry, add the
following patch to your bootstrap repository, in the `flux-system/kustomization.yaml`
Expand Down

0 comments on commit 531bb5d

Please sign in to comment.