update docs on azure
Signed-off-by: Somtochi Onyekwere <somtochionyekwere@gmail.com>
somtochiama committed Jul 14, 2023
1 parent 31101f0 commit e26bf0e
Showing 1 changed file with 12 additions and 4 deletions.
16 changes: 12 additions & 4 deletions docs/spec/v1beta2/helmrepositories.md
Expand Up @@ -224,7 +224,7 @@ to the IAM role when using IRSA.

#### Azure

The `azure` provider can be used to authenticate automatically using kubelet managed
The `azure` provider can be used to authenticate automatically using workload identity, kubelet managed
identity or Azure Active Directory pod-managed identity (aad-pod-identity), and
by extension gain access to ACR.
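Review bot: The added line writes "workload identity" in lowercase, while the section heading and the later paragraphs in this file use "Workload Identity"; please capitalize it here for consistency. The new line is also noticeably longer than the wrapped lines around it, so reflow the paragraph so that "kubelet managed identity" is not split awkwardly across the line break.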

Expand All @@ -233,6 +233,12 @@ by extension gain access to ACR.
When the kubelet managed identity has access to ACR, source-controller running on
it will also have access to ACR.

*Note*: If you have more identity configured on the cluster, you have to specify which one to use
by setting the `AZURE_CLIENT_ID` variable in the source-controller pod.

If you are running into further issues, please look at the
[troubleshooting guide](https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/azidentity/TROUBLESHOOTING.md#azure-virtual-machine-managed-identity)

##### Azure Workload Identity

When using Workload Identity to enable access to ACR, add the following patch to
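Review bot: The added note "If you have more identity configured on the cluster" is ungrammatical and ambiguous; it should read "more than one identity", and it would help to say that `AZURE_CLIENT_ID` is an environment variable and to show where on the source-controller pod it is set, as the Workload Identity section does with a patch. The troubleshooting sentence is missing its closing period, and the note is styled `*Note*:` here but `**Note:**` in the AAD Pod Identity section of the same change, so pick one form.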
Expand Down Expand Up @@ -270,13 +276,15 @@ patches:
azure.workload.identity/use: "true"
```

To use Workload Identity, you have to install the Workload Identity
mutating webhook and create an identity that has access to ACR. Next, establish
To use Workload Identity, the Workload Identity mutating webhook has to be installed on your cluster and
you have tocreate an identity that has access to ACR. Next, establish
a federated identity between the source-controller ServiceAccount and the
identity. Patch the source-controller Pod and ServiceAccount as shown in the patch
above. Please take a look at this [guide](https://azure.github.io/azure-workload-identity/docs/quick-start.html#6-establish-federated-identity-credential-between-the-identity-and-the-service-account-issuer--subject).

##### AAD Pod Identity
##### AAD Pod Identity - Deprecated!

**Note:** AAD Pod Identity will be archived in September 2023, and you are advised to use Workload Identity instead.

When using aad-pod-identity to enable access to ACR, add the following patch to
your bootstrap repository, in the `flux-system/kustomization.yaml` file:
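Review bot: The rewritten sentence contains a typo, "you have tocreate", which needs a space, and it now mixes a passive clause ("has to be installed on your cluster") with a direct "you have to" in the same sentence; consider "install the Workload Identity mutating webhook on your cluster and create an identity that has access to ACR". Renaming the heading to "AAD Pod Identity - Deprecated!" changes the text that existing links to this section may rely on, so keeping the original heading and relying on the bold note below it would be safer, and the note could say which document or section describes the Workload Identity replacement.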