docs: add instructions to authenticate to Azure Container Registry with workload identity #676

Status: Open
wants to merge 3 commits into base: master
Changes from 2 commits
12 changes: 12 additions & 0 deletions .github/actions/spelling/allow.txt
@@ -1,3 +1,6 @@
AAD
ACR
acr
aic
amd
anyfield
Expand All @@ -14,6 +17,7 @@ argoprojlabs
args
auths
aws
azurecr
babayaga
baralias
baz
Expand Down Expand Up @@ -92,6 +96,7 @@ heptio
hsla
http
https
ietf
ifdef
img
ineffassign
Expand All @@ -100,6 +105,7 @@ ioutil
itl
jannfis
json
jwt
JWT
ks
Ksonnet
Expand Down Expand Up @@ -127,6 +133,7 @@ matchfunc
Matchfunc
memcache
metadata
microsoftonline
misconfigured
mkdir
mkdocs
Expand All @@ -148,6 +155,7 @@ noproto
noreply
notastring
notexist
oauth
omitempty
otherimg
otherparam
Expand Down Expand Up @@ -196,12 +204,14 @@ src
SRCROOT
ssh
stderr
stdin
stdout
stretchr
structcheck
svg
svi
svl
sys
SZ
taglist
tagsortmode
Expand All @@ -223,6 +233,7 @@ unmarshals
unparam
updateable
url
urlencoded
Useragent
username
usr
Expand All @@ -233,6 +244,7 @@ waitgroup
Warnf
webkit
webroot
wget
WORKDIR
workflow
workflows
101 changes: 101 additions & 0 deletions docs/configuration/registries.md
Expand Up @@ -15,6 +15,7 @@ It has been successfully tested against the following popular registries:
* GitHub Packages Registry (`docker.pkg.github.com`)
* GitLab Container Registry (`registry.gitlab.com`)
* Google Container Registry (`gcr.io`)
* Azure Container Registry (`azurecr.io`)

Chances are, that it will work out of the box for other registries as well.

Expand Down Expand Up @@ -326,3 +327,103 @@ two strategies to overcome this:
i.e. for getting EKS credentials from the aws CLI. For example, if the
token has a lifetime of 12 hours, you can set `credsexpire: 12h` and Argo
CD Image Updater will get a new token after 12 hours.

### <a name="default-registry"></a>Configuring Azure Container registry with
Workload identity

Follow the steps described below to authenticate against an Azure Container
Registry using Azure Workload Identities with an external script.

Create a script to retrieve the ACR refresh token with the Azure Identity
token:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-image-updater-auth
data:
auth.sh: |
#!/bin/sh

AAD_ACCESS_TOKEN=$(cat $AZURE_FEDERATED_TOKEN_FILE)

ACCESS_TOKEN=$(wget --output-document - --header "Content-Type: application/x-www-form-urlencoded" \
--post-data="grant_type=client_credentials&client_id=${AZURE_CLIENT_ID}&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&scope=https://management.azure.com/.default&client_assertion=${AAD_ACCESS_TOKEN}" \
https://login.microsoftonline.com/${AZURE_TENANT_ID}/oauth2/v2.0/token \
| python3 -c "import sys, json; print(json.load(sys.stdin)['access_token'])")

ACR_REFRESH_TOKEN=$(wget --quiet --header="Content-Type: application/x-www-form-urlencoded" \
--post-data="grant_type=access_token&service=${ACR_NAME}&access_token=${ACCESS_TOKEN}" \
--output-document - \
"https://${ACR_NAME}/oauth2/exchange" |
python3 -c "import sys, json; print(json.load(sys.stdin)['refresh_token'])")

echo "00000000-0000-0000-0000-000000000000:$ACR_REFRESH_TOKEN"
```

Configure the Azure registry and map the authentication script:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-image-updater-config
data:
registries.conf: |
registries:
- name: acr-name
prefix: acr-name.azurecr.io
api_url: https://acr-name.azurecr.io
default: true
credentials: ext:/app/auth/auth.sh
credsexpire: 1h
```

Patch the service account with the appropriate Azure Workload identity labels
and annotations:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: argocd-image-updater
labels:
azure.workload.identity/use: "true"
annotations:
azure.workload.identity/client-id: placeholder
```

Patch the deployment with the appropriate Azure Workload identity labels, mount
directory and `ACR_NAME` environment variable:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: argocd-image-updater
spec:
template:
metadata:
labels:
azure.workload.identity/use: "true"
spec:
containers:
- name: argocd-image-updater
command:
- /usr/local/bin/argocd-image-updater
- run
- --registries-conf-path
- /app/config/registries.conf
env:
- name: ACR_NAME
value: placeholder.azurecr.io
volumeMounts:
- mountPath: /app/auth
name: auth
volumes:
- configMap:
name: argocd-image-updater-auth
defaultMode: 493
name: auth
```
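Review bot: the `auth.sh` script in this hunk has no failure handling. Without `set -eu` (or explicit checks), a failed token request makes the `python3 -c` lookup raise on the missing key, `ACR_REFRESH_TOKEN` ends up empty, and the script still exits 0 and prints `00000000-0000-0000-0000-000000000000:` as if it were a valid credential, which Image Updater will then cache for the whole `credsexpire: 1h` window. Suggest `set -eu` at the top, `--quiet` on the first `wget` as on the second, and quoting `"$AZURE_FEDERATED_TOKEN_FILE"`. The heading `### <a name="default-registry"></a>Configuring Azure Container registry with` is wrapped onto two lines, so `Workload identity` renders as a separate paragraph rather than as part of the heading; keep it on one line and rename the anchor to something that describes this section (e.g. `azure-workload-identity`), since `default-registry` reads as copied from another heading. The prose should also state that `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` and `AZURE_FEDERATED_TOKEN_FILE` are injected into the pod by the Azure Workload Identity webhook (which is why only `ACR_NAME` is set explicitly in the Deployment), that the script requires `wget` and `python3` in the container image, and that the `/app/config/registries.conf` path passed via `command:` relies on the config mount from the existing manifests, which this snippet does not show. Minor: `defaultMode: 493` is `0755`; the octal form is easier to read.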