From e1a42904c95d5a452a70035d7f6716d88723edcf Mon Sep 17 00:00:00 2001
From: Etienne Tremel <995474+etiennetremel@users.noreply.github.com>
Date: Sat, 17 Feb 2024 23:03:14 +0100
Subject: [PATCH 1/3] docs: add instructions to authenticate to Azure Container Registry with workload identity

Signed-off-by: Etienne Tremel <995474+etiennetremel@users.noreply.github.com>
---
 .github/actions/spelling/allow.txt | 12 ++++
 docs/configuration/registries.md | 93 ++++++++++++++++++++++++++++++
 2 files changed, 105 insertions(+)

diff --git a/.github/actions/spelling/allow.txt b/.github/actions/spelling/allow.txt
index a8b63ee2..04424053 100644
--- a/.github/actions/spelling/allow.txt
+++ b/.github/actions/spelling/allow.txt
@@ -1,3 +1,6 @@
+AAD
+ACR
+acr
 aic
 amd
 anyfield
@@ -14,6 +17,7 @@ argoprojlabs
 args
 auths
 aws
+azurecr
 babayaga
 baralias
 baz
@@ -92,6 +96,7 @@ heptio
 hsla
 http
 https
+ietf
 ifdef
 img
 ineffassign
@@ -100,6 +105,7 @@ ioutil
 itl
 jannfis
 json
+jwt
 JWT
 ks
 Ksonnet
@@ -127,6 +133,7 @@ matchfunc
 Matchfunc
 memcache
 metadata
+microsoftonline
 misconfigured
 mkdir
 mkdocs
@@ -148,6 +155,7 @@ noproto
 noreply
 notastring
 notexist
+oauth
 omitempty
 otherimg
 otherparam
@@ -196,12 +204,14 @@ src
 SRCROOT
 ssh
 stderr
+stdin
 stdout
 stretchr
 structcheck
 svg
 svi
 svl
+sys
 SZ
 taglist
 tagsortmode
@@ -223,6 +233,7 @@ unmarshals
 unparam
 updateable
 url
+urlencoded
 Useragent
 username
 usr
@@ -233,6 +244,7 @@ waitgroup
 Warnf
 webkit
 webroot
+wget
 WORKDIR
 workflow
 workflows
diff --git a/docs/configuration/registries.md b/docs/configuration/registries.md
index 015558f5..cf3864cd 100644
--- a/docs/configuration/registries.md
+++ b/docs/configuration/registries.md
@@ -15,6 +15,7 @@ It has been successfully tested against the following popular registries: * GitHub Packages Registry (`docker.pkg.github.com`) * GitLab Container Registry (`registry.gitlab.com`) * Google Container Registry (`gcr.io`) +* Azure Container Registry (`azurecr.io`) Chances are, that it will work out of the box for other registries as well. 
@@ -326,3 +327,95 @@ two strategies to overcome this: i.e. for getting EKS credentials from the aws CLI. For example, if the token has a lifetime of 12 hours, you can set `credsexpire: 12h` and Argo CD Image Updater will get a new token after 12 hours. + +### Configuring Azure Container registry with +Workload identity + +Follow the steps described below to authenticate against an Azure Container +Registry using Azure Workload Identities with an external script. + +Create a script to retrieve the ACR refresh token with the Azure Identity +token: + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: argocd-image-updater-auth +data: + auth.sh: | + AAD_ACCESS_TOKEN=$(cat $AZURE_FEDERATED_TOKEN_FILE) + + ACCESS_TOKEN=$(wget --output-document - --header "Content-Type: application/x-www-form-urlencoded" \ + --post-data="grant_type=client_credentials&client_id=${AZURE_CLIENT_ID}&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&scope=https://management.azure.com/.default&client_assertion=${AAD_ACCESS_TOKEN}" \ + https://login.microsoftonline.com/${AZURE_TENANT_ID}/oauth2/v2.0/token \ + | python3 -c "import sys, json; print(json.load(sys.stdin)['access_token'])") + + ACR_REFRESH_TOKEN=$(wget --quiet --header="Content-Type: application/x-www-form-urlencoded" \ + --post-data="grant_type=access_token&service=${ACR_NAME}&access_token=${ACCESS_TOKEN}" \ + --output-document - \ + "https://${ACR_NAME}/oauth2/exchange" | + python3 -c "import sys, json; print(json.load(sys.stdin)['refresh_token'])") + + echo "00000000-0000-0000-0000-000000000000:$ACR_REFRESH_TOKEN" +``` + +Configure the Azure registry and map the authentication script: + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: argocd-image-updater-config +data: + registries.conf: | + registries: + - name: acr-name + prefix: acr-name.azurecr.io + api_url: https://acr-name.azurecr.io + default: true + credentials: ext:/app/auth/auth.sh + credsexpire: 1h +``` + +Patch the 
service account with the appropriate Azure Workload identity labels +and annotations: + +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argocd-image-updater + labels: + azure.workload.identity/use: "true" + annotations: + azure.workload.identity/client-id: placeholder +``` + +Patch the deployment with the appropriate Azure Workload identity labels, mount +directory and `ACR_NAME` environment variable: + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: argocd-image-updater +spec: + template: + metadata: + labels: + azure.workload.identity/use: "true" + spec: + containers: + - name: argocd-image-updater + env: + - name: ACR_NAME + value: placeholder + volumeMounts: + - mountPath: /app/auth + name: auth + volumes: + - configMap: + name: argocd-image-updater-auth + name: auth +``` From 194a433f7207898132bd5865faa3556db55b210b Mon Sep 17 00:00:00 2001 From: Etienne Tremel <995474+etiennetremel@users.noreply.github.com> Date: Thu, 25 Apr 2024 14:33:50 +0100 Subject: [PATCH 2/3] fix: add missing defaultMode, shebang and azurecr.io suffix in ACR_NAME Signed-off-by: Etienne Tremel <995474+etiennetremel@users.noreply.github.com> --- docs/configuration/registries.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/configuration/registries.md b/docs/configuration/registries.md index cf3864cd..858229da 100644 --- a/docs/configuration/registries.md +++ b/docs/configuration/registries.md @@ -344,6 +344,8 @@ metadata: name: argocd-image-updater-auth data: auth.sh: | + #!/bin/sh + AAD_ACCESS_TOKEN=$(cat $AZURE_FEDERATED_TOKEN_FILE) ACCESS_TOKEN=$(wget --output-document - --header "Content-Type: application/x-www-form-urlencoded" \ 
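Review bot: In the `auth.sh` block added to registries.md, both bearer credentials are handed to wget on its command line — `client_assertion=${AAD_ACCESS_TOKEN}` in the first `--post-data` and `access_token=${ACCESS_TOKEN}` in the second — so they are readable from `/proc/<pid>/cmdline` by anything sharing the pod's PID namespace and can land in process listings or audit logs for the lifetime of the call. Writing the form body to a `mktemp` file (created mode 0600) and sending it with `--post-file` keeps the tokens out of argv; this assumes the image's wget implements `--post-file`, which should be confirmed, and the same treatment applies to the ACR exchange call further down in the block. Separately, `$(cat $AZURE_FEDERATED_TOKEN_FILE)` should quote the path, `$(cat "$AZURE_FEDERATED_TOKEN_FILE")`. The rest of the script (ACR exchange and the final `echo`) lies outside the rewritten excerpt below.
```shell
AAD_ACCESS_TOKEN=$(cat "$AZURE_FEDERATED_TOKEN_FILE")

# Keep the client assertion out of wget's argv: body goes through a private temp file.
BODY=$(mktemp)
trap 'rm -f "$BODY"' EXIT
printf 'grant_type=client_credentials&client_id=%s&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&scope=https://management.azure.com/.default&client_assertion=%s' \
  "$AZURE_CLIENT_ID" "$AAD_ACCESS_TOKEN" > "$BODY"

ACCESS_TOKEN=$(wget --quiet --output-document - --header "Content-Type: application/x-www-form-urlencoded" \
  --post-file "$BODY" "https://login.microsoftonline.com/${AZURE_TENANT_ID}/oauth2/v2.0/token" \
  | python3 -c "import sys, json; print(json.load(sys.stdin)['access_token'])")
# … unchanged: ACR token exchange (same --post-file treatment recommended) and final echo …
```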
@@ -408,14 +410,20 @@ spec: spec: containers: - name: argocd-image-updater + command: + - /usr/local/bin/argocd-image-updater + - run + - --registries-conf-path + - /app/config/registries.conf env: - name: ACR_NAME - value: placeholder + value: placeholder.azurecr.io volumeMounts: - mountPath: /app/auth name: auth volumes: - configMap: name: argocd-image-updater-auth + defaultMode: 493 name: auth ``` From 89f49d63010e82487b02d4524db2bddf8b83fa30 Mon Sep 17 00:00:00 2001 From: Etienne Tremel <995474+etiennetremel@users.noreply.github.com> Date: Mon, 2 Dec 2024 09:13:30 +0100 Subject: [PATCH 3/3] docs: add missing set -eo pipefail to force fast fail Signed-off-by: Etienne Tremel <995474+etiennetremel@users.noreply.github.com> --- docs/configuration/registries.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/configuration/registries.md b/docs/configuration/registries.md index 858229da..48c1b95c 100644 --- a/docs/configuration/registries.md +++ b/docs/configuration/registries.md @@ -346,6 +346,8 @@ data: auth.sh: | #!/bin/sh + set -eo pipefail + AAD_ACCESS_TOKEN=$(cat $AZURE_FEDERATED_TOKEN_FILE) ACCESS_TOKEN=$(wget --output-document - --header "Content-Type: application/x-www-form-urlencoded" \
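Review bot: The added `command:` points the updater at `/app/config/registries.conf`, but the hunk only mounts the `auth` ConfigMap at `/app/auth`; nothing visible in the patch mounts `argocd-image-updater-config` under `/app/config`, so presumably the base Deployment manifest already does — that assumption should be stated in the prose, otherwise the `registries.conf` defined earlier in this page is never read. `defaultMode: 493` is decimal for 0755 and grants write permission the script never needs; `defaultMode: 0555` (read and execute only) is the least-privilege choice, ideally with a short note that the value is an octal file mode. The Deployment snippet starts before this hunk.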
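Review bot: `set -eo pipefail` is placed under `#!/bin/sh`, and `pipefail` is not a POSIX sh option; on a `/bin/sh` that does not implement it the `set` builtin itself fails, and because `-e` is requested in the same invocation the script would exit before fetching any token. The updater image's `/bin/sh` is presumably busybox ash, which does accept `-o pipefail`, but that should be confirmed and recorded in the doc, e.g. a comment line `# requires a /bin/sh with pipefail support (busybox ash, bash); plain dash may not have it`. The remainder of `auth.sh` continues outside this hunk.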