From a5bc7201d59a1625a349165451c01c713464a937 Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Sun, 28 Apr 2024 10:30:14 +0300 Subject: [PATCH] Add workload identity user story Signed-off-by: Stefan Prodan --- rfcs/000X-flux-bootstrap-oci/README.md | 36 ++++++++++++++++++++++++-- 1 file changed, 34 insertions(+), 2 deletions(-) diff --git a/rfcs/000X-flux-bootstrap-oci/README.md b/rfcs/000X-flux-bootstrap-oci/README.md index 5223835f31..b6637ab986 100644 --- a/rfcs/000X-flux-bootstrap-oci/README.md +++ b/rfcs/000X-flux-bootstrap-oci/README.md @@ -18,6 +18,10 @@ and reconcile the cluster state from OCI artifacts stored in the same or a diffe ## Motivation +After the implementation of [RFC-0003](../0003-kubernetes-oci/README.md) in 2022 and the introduction +of the `OCIRepository` source, we had a recurring ask from users about improving the UX of running +Flux fully decoupled from Git. + Given that OCI registries are evolving into a generic artifact storage solution, we should allow Flux users who don't want to run a Git server as part of their production infrastructure to bootstrap and manage their Kubernetes clusters using OCI artifacts. @@ -70,6 +74,9 @@ The command performs the following steps based on the `url`, `username`, a Flux Kustomization object that reconciles the OCI artifact contents. 6. Applies the image pull secret, OCIRepository and Flux Kustomization to the cluster. +Note that the creation of the image pull secret is skipped when +[Kubernetes Workload Identity](#story-2) is used for authentication to the container registry. + Artifacts pushed to the registry: - `/:` (immutable artifact) - `/:` (tag pointing to the immutable artifact) 
@@ -91,6 +98,9 @@ continues with the following steps: that reconciles the cluster OCI artifact contents. 4. Applies the image pull secret, OCIRepository and Flux Kustomization to the cluster. +Note that the creation of the image pull secret is skipped when +[Kubernetes Workload Identity](#story-2) is used for authentication to the container registry. + Objects created by the command in the `flux-system` namespace: - `flux-system` Secret - `flux-system` OCIRepository @@ -220,6 +230,28 @@ spec: #### Story 2 +> As a platform operator I want to bootstrap an EKS cluster with Flux +> using OCI artifacts stored in ECR. + +The following example demonstrates how to bootstrap a Flux instance using ECR using IAM auth. +Assuming the EKS nodes have read-only access to ECR and the bastion host where +the Flux CLI is running has read and write access to ECR: + +```shell +flux bootstrap oci \ +--provider=aws \ +--url=oci://aws_account_id.dkr.ecr.us-west-2.amazonaws.com/flux-manifests:production \ +--kustomization=flux-manifests/kustomization.yaml \ +--cluster-url=oci://aws_account_id.dkr.ecr.us-west-2.amazonaws.com/fleet-manifests:production \ +--cluster-path=clusters/production +``` + +Note that when using Kubernetes Workload Identity instead of the worker node IAM role, +the `kustomization.yaml` must contain patches for the source-controller Service Account +as described [here](https://fluxcd.io/flux/installation/configuration/workload-identity/). + +#### Story 3 + > As a platform operator I want to sync the cluster state with the fleet Git repository. Push changes from the fleet Git repository to the container registry: @@ -251,7 +283,7 @@ The Git repository structure would be similar to the `infrastructure.yaml` and `apps.yaml`, have the `.spec.sourceRef` set to `kind: OCIRepository` and `name: flux-system`. -#### Story 3 +#### Story 4 > As a platform operator I want to update the Flux controllers on my production cluster > from CI without access to the Kubernetes API. 
@@ -286,7 +318,7 @@ flux tag artifact oci://ghcr.io/stefanprodan/flux-manifests:${checksum} \ This operation could be simplified by implementing a dedicated CLI command and/or GitHub Action. -#### Story 4 +#### Story 5 > As a platform operator I want to update the registry credentials on my clusters.
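Review bot: in the `@@ -70,6 +74,9 @@` hunk the new note contradicts step 6 immediately above it, which still reads unconditionally "Applies the image pull secret, OCIRepository and Flux Kustomization to the cluster." Make the step itself conditional (for example "Applies the image pull secret (unless Workload Identity is used), OCIRepository and Flux Kustomization to the cluster") rather than correcting it in a trailing note. The note also does not say how the CLI decides that Workload Identity is in use: the Story 2 example passes only `--provider=aws` and no `username`, so state explicitly whether the secret is skipped whenever no registry credentials are supplied, or whether a dedicated option is required. This matters because silently writing a long-lived registry credential into `flux-system` is exactly what an operator relying on Workload Identity expects not to happen.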
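Review bot: the `@@ -91,6 +98,9 @@` hunk repeats the same inconsistency as the earlier steps list: step 4 still says "Applies the image pull secret" unconditionally, and the list "Objects created by the command in the `flux-system` namespace" still begins with "`flux-system` Secret" with no qualifier. Mark the Secret entry as created only when registry credentials are supplied, so a reader of the object list does not expect a Secret that will not exist under Workload Identity, and consider linking both notes to a single explanation instead of duplicating the two-line paragraph verbatim.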
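Review bot: in the `@@ -220,6 +230,28 @@` hunk the new Story 2 is what the `#story-2` links in the earlier hunks call the "Kubernetes Workload Identity" story, but the example command and its preamble ("Assuming the EKS nodes have read-only access to ECR") describe the worker-node IAM role flow, and Workload Identity appears only in the closing paragraph. Either show the Workload Identity variant explicitly or rename the lead-in so the anchor points at text that actually describes the no-secret flow. The phrase "bootstrap a Flux instance using ECR using IAM auth" also reads awkwardly; "bootstrap a Flux instance from ECR using IAM authentication" is clearer. Finally, the requirement that `kustomization.yaml` contain the source-controller Service Account patches deserves one more sentence: those patches are pushed into the `flux-manifests` artifact before the cluster can pull it, so if they are missing, source-controller has no credentials and no Secret to fall back on, and the RFC should say how `flux bootstrap oci` surfaces that failure to the operator.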