Skip to content

Commit

Permalink
Add workload identity user story
Browse files Browse the repository at this point in the history
Signed-off-by: Stefan Prodan <[email protected]>
  • Loading branch information
stefanprodan committed Apr 28, 2024
1 parent ab4692c commit a5bc720
Showing 1 changed file with 34 additions and 2 deletions.
36 changes: 34 additions & 2 deletions rfcs/000X-flux-bootstrap-oci/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,10 @@ and reconcile the cluster state from OCI artifacts stored in the same or a diffe

## Motivation

After the implementation of [RFC-0003](../0003-kubernetes-oci/README.md) in 2022 and the introduction
of the `OCIRepository` source, we had a recurring ask from users about improving the UX of running
Flux fully decoupled from Git.

Given that OCI registries are evolving into a generic artifact storage solution,
we should allow Flux users who don't want to run a Git server as part of their
production infrastructure to bootstrap and manage their Kubernetes clusters using OCI artifacts.
Expand Down Expand Up @@ -70,6 +74,9 @@ The command performs the following steps based on the `url`, `username`,
a Flux Kustomization object that reconciles the OCI artifact contents.
6. Applies the image pull secret, OCIRepository and Flux Kustomization to the cluster.

Note that the creation of the image pull secret is skipped when
[Kubernetes Workload Identity](#story-2) is used for authentication to the container registry.

Artifacts pushed to the registry:
- `<registry-url>/<flux-manifests>:<checksum>` (immutable artifact)
- `<registry-url>/<flux-manifests>:<tag>` (tag pointing to the immutable artifact)
Expand All @@ -91,6 +98,9 @@ continues with the following steps:
that reconciles the cluster OCI artifact contents.
4. Applies the image pull secret, OCIRepository and Flux Kustomization to the cluster.

Note that the creation of the image pull secret is skipped when
[Kubernetes Workload Identity](#story-2) is used for authentication to the container registry.

Objects created by the command in the `flux-system` namespace:
- `flux-system` Secret
- `flux-system` OCIRepository
Expand Down Expand Up @@ -220,6 +230,28 @@ spec:
#### Story 2
> As a platform operator I want to bootstrap an EKS cluster with Flux
> using OCI artifacts stored in ECR.
The following example demonstrates how to bootstrap a Flux instance using ECR using IAM auth.
Assuming the EKS nodes have read-only access to ECR and the bastion host where
the Flux CLI is running has read and write access to ECR:
```shell
flux bootstrap oci \
--provider=aws \
--url=oci://aws_account_id.dkr.ecr.us-west-2.amazonaws.com/flux-manifests:production \
--kustomization=flux-manifests/kustomization.yaml \
--cluster-url=oci://aws_account_id.dkr.ecr.us-west-2.amazonaws.com/fleet-manifests:production \
--cluster-path=clusters/production
```

Note that when using Kubernetes Workload Identity instead of the worker node IAM role,
the `kustomization.yaml` must contain patches for the source-controller Service Account
as described [here](https://fluxcd.io/flux/installation/configuration/workload-identity/).

#### Story 3

> As a platform operator I want to sync the cluster state with the fleet Git repository.
Push changes from the fleet Git repository to the container registry:
Expand Down Expand Up @@ -251,7 +283,7 @@ The Git repository structure would be similar to the
`infrastructure.yaml` and `apps.yaml`, have the `.spec.sourceRef` set to
`kind: OCIRepository` and `name: flux-system`.

#### Story 3
#### Story 4

> As a platform operator I want to update the Flux controllers on my production cluster
> from CI without access to the Kubernetes API.
Expand Down Expand Up @@ -286,7 +318,7 @@ flux tag artifact oci://ghcr.io/stefanprodan/flux-manifests:${checksum} \

This operation could be simplified by implementing a dedicated CLI command and/or GitHub Action.

#### Story 4
#### Story 5

> As a platform operator I want to update the registry credentials on my clusters.
Expand Down

0 comments on commit a5bc720

Please sign in to comment.