diff --git a/docs/spec/v1beta2/helmrepositories.md b/docs/spec/v1beta2/helmrepositories.md index 34ddfe468..57eeae2e1 100644 --- a/docs/spec/v1beta2/helmrepositories.md +++ b/docs/spec/v1beta2/helmrepositories.md @@ -224,7 +224,7 @@ to the IAM role when using IRSA. #### Azure -The `azure` provider can be used to authenticate automatically using kubelet managed +The `azure` provider can be used to authenticate automatically using workload identity, kubelet managed identity or Azure Active Directory pod-managed identity (aad-pod-identity), and by extension gain access to ACR. @@ -233,6 +233,12 @@ by extension gain access to ACR. When the kubelet managed identity has access to ACR, source-controller running on it will also have access to ACR. +*Note*: If you have more identity configured on the cluster, you have to specify which one to use +by setting the `AZURE_CLIENT_ID` variable in the source-controller pod. + +If you are running into further issues, please look at the +[troubleshooting guide](https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/azidentity/TROUBLESHOOTING.md#azure-virtual-machine-managed-identity) + ##### Azure Workload Identity When using Workload Identity to enable access to ACR, add the following patch to 
@@ -270,13 +276,15 @@ patches: azure.workload.identity/use: "true" ``` -To use Workload Identity, you have to install the Workload Identity -mutating webhook and create an identity that has access to ACR. Next, establish +To use Workload Identity, the Workload Identity mutating webhook has to be installed on your cluster and +you have tocreate an identity that has access to ACR. Next, establish a federated identity between the source-controller ServiceAccount and the identity. Patch the source-controller Pod and ServiceAccount as shown in the patch above. Please take a look at this [guide](https://azure.github.io/azure-workload-identity/docs/quick-start.html#6-establish-federated-identity-credential-between-the-identity-and-the-service-account-issuer--subject). -##### AAD Pod Identity +##### AAD Pod Identity - Deprecated! + +**Note:** AAD Pod Identity will be archived in September 2023, and you are advised to use Workload Identity instead. When using aad-pod-identity to enable access to ACR, add the following patch to your bootstrap repository, in the `flux-system/kustomization.yaml` file:
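Review bot: The `*Note*:` line in the `@@ -233` hunk reads "If you have more identity configured on the cluster", which should be "If you have more than one identity configured on the cluster"; also say that `AZURE_CLIENT_ID` is an environment variable on the source-controller container, since "variable in the source-controller pod" leaves the reader guessing where to set it, and the sentence ending with the troubleshooting-guide link is missing its closing period. Consider using the same `**Note:**` form that the `@@ -270` hunk introduces, so both notes in this document share one style.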
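Review bot: Typo in the `@@ -270` hunk: "you have tocreate an identity" should be "you have to create an identity". The rewritten sentence also mixes voices ("the Workload Identity mutating webhook has to be installed on your cluster and you have to create an identity"); "you have to install the Workload Identity mutating webhook on your cluster and create an identity that has access to ACR" keeps it consistent.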
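Review bot: Renaming the heading to `##### AAD Pod Identity - Deprecated!` in the `@@ -270` hunk changes the generated anchor, so any existing links to the `#aad-pod-identity` section of this spec will break; keeping the heading as `##### AAD Pod Identity` and carrying the deprecation in the `**Note:**` line below it avoids that, and the exclamation mark is unusual for a heading in this document. The note's "will be archived in September 2023" claim should also link to the upstream deprecation announcement so readers can verify the date.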