OCIRepo docs: auto-login setup details

Signed-off-by: Sunny <darkowlzz@protonmail.com>
fluxcd · Aug 11, 2022 · 93fd627 · 93fd627
1 parent 478a182
commit 93fd627
Showing 1 changed file with 23 additions and 15 deletions.
diff --git a/docs/spec/v1beta2/ocirepositories.md b/docs/spec/v1beta2/ocirepositories.md
@@ -120,11 +120,14 @@ If you do not specify `.spec.provider`, it defaults to `generic`.
 
 #### AWS
 
-The `aws` provider can be used when the source-controller service account
-is associated with an AWS IAM Role using IRSA that grants read-only access to ECR.
+The `aws` provider can be used to automatically log into ECR using the EKS
+worker node IAM role or IAM Role for Service Accounts (IRSA).
 
-To enable access to ECR, add the following patch to your bootstrap repository,
-in the `flux-system/kustomization.yaml` file:
+When the worker node IAM role has access to ECR, source-controller running on it
+will also have access to ECR.
+
+When using IRSA to enable access to ECR, add the following patch to your
+bootstrap repository, in the `flux-system/kustomization.yaml` file:
 
 ```yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
@@ -150,11 +153,14 @@ to the IAM role when using IRSA.
 
 #### Azure
 
-The `azure` provider can be used when the source-controller pods are associated
-with an Azure AAD Pod Identity that grants read-only access to ACR.
+The `azure` provider can be used to automatically log into ACR using kubelet
+managed identity or Azure Active Directory pod-managed identity (aad-pod-identity).
+
+When the kubelet managed identity has access to ACR, source-controller running
+on it will also have access to ACR.
 
-To enable access to ACR, add the following patch to your bootstrap repository,
-in the `flux-system/kustomization.yaml` file:
+When using aad-pod-identity to enable access to ECR, add the following patch to
+your bootstrap repository, in the `flux-system/kustomization.yaml` file:
 
 ```yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
@@ -172,7 +178,7 @@ patches:
  name: source-controller
 ``` 
 
-When using managed identity on an AKS cluster, AAD Pod Identity
+When using pod-managed identity on an AKS cluster, AAD Pod Identity
 has to be used to give the `source-controller` pod access to the ACR.
 To do this, you have to install `aad-pod-identity` on your cluster, create a managed identity
 that has access to the container registry (this can also be the Kubelet identity
@@ -185,13 +191,15 @@ if you want to use AKS pod-managed identities add-on that is in preview.
 
 #### GCP
 
-The `gcp` provider can be used when the source-controller service account
-is associated with a GCP IAM Role using Workload Identity that grants
-read-only access to Artifact Registry.
+The `gcp` provider can be used to automatically log into GCR or Artifact
+Registry using OAuth scopes or Workload Identity.
+
+When the GKE nodes have the appropriate OAuth scope for accessing GCR and
+Artifact Registry, source-controller running on it will also have access to them.
 
-To enable access to Google Artifact Registry or GCR,
-add the following patch to your bootstrap repository,
-in the `flux-system/kustomization.yaml` file:
+When using Workload Identity to enable access to GCR or Artifact Registry, add
+the following patch to your bootstrap repository, in the
+`flux-system/kustomization.yaml` file:
 
 ```yaml
 apiVersion: kustomize.config.k8s.io/v1beta1