chore(integrations/registry): remove deprecated kustomize features

manifests/integrations/registry-credentials-sync/_base/kustomization.yaml

@@ -7,8 +7,8 @@ commonLabels:
 resources:
 - sync.yaml
 
-patchesStrategicMerge:
-  - kubectl-patch.yaml
+patches:
+- path: kubectl-patch.yaml
 
 vars:
 - name: KUBE_SECRET

manifests/integrations/registry-credentials-sync/_base/sync.yaml

@@ -101,9 +101,9 @@ rules:
   - create
   - update
   - patch
-  # # Lock this down to the specific Secret name  (Optional)
-  #resourceNames:
-  #- $(KUBE_SECRET)  # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
+  # Lock this down to the specific Secret name  (Optional)
+  resourceNames:
+  - $(KUBE_SECRET)  # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml

@@ -7,8 +7,8 @@ commonLabels:
 resources:
 - sync.yaml
 
-patchesStrategicMerge:
-  - kubectl-patch.yaml
+patches:
+- path: kubectl-patch.yaml
 
 vars:
 - name: KUBE_SECRET

manifests/integrations/registry-credentials-sync/_cronjobs/aws/bind-irsa-patch.yaml

@@ -0,0 +1,9 @@
+# Bind IRSA for the ServiceAccount 
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: credentials-sync
+  namespace: flux-system
+  annotations:
+    eks.amazonaws.com/role-arn: <role arn>  # set the ARN for your role

manifests/integrations/registry-credentials-sync/_cronjobs/aws/config-map-patch.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: credentials-sync
+data:
+  ECR_REGION: us-east-1  # set the region
+  ECR_REGISTRY: <account id>.dkr.ecr.<region>.amazonaws.com  # fill in the account id and region
+  KUBE_SECRET: ecr-credentials  # does not yet exist -- will be created in the same Namespace

manifests/integrations/registry-credentials-sync/_cronjobs/aws/credentials-injection-patch.yaml

@@ -0,0 +1,21 @@
+# If not using IRSA, set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
+# Store these values in a Secret and load them in the container using envFrom.
+# For managing this secret via GitOps, consider using SOPS or SealedSecrets and add that manifest in a resource file for this kustomize build.
+#   https://fluxcd.io/docs/guides/mozilla-sops/
+#   https://fluxcd.io/docs/guides/sealed-secrets/
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: credentials-sync
+  namespace: flux-system
+spec:
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: sync
+            envFrom:
+            - secretRef:
+                name: $(ECR_SECRET_NAME)  # uncomment the var for this in kustomization.yaml

manifests/integrations/registry-credentials-sync/_cronjobs/aws/ecr-token-refresh-patch.yaml

@@ -0,0 +1,9 @@
+# Set the reconcile period
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: credentials-sync
+  namespace: flux-system
+spec:
+  schedule: 0 */6 * * *  # every 6hrs -- ECR tokens expire every 12 hours; refresh faster than that

manifests/integrations/registry-credentials-sync/_cronjobs/aws/encrypted-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: credentials-sync
+data:
+    AWS_ACCESS_KEY_ID: Zm9vCg==
+    AWS_SECRET_ACCESS_KEY: YmFyCg==
+type: Opaque

manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml

@@ -7,19 +7,26 @@ commonLabels:
 
 namespace: flux-system
 
-bases:
+resources:
 - ../_base
-## If not using IRSA, consider creating the following file via SOPS or SealedSecrets
+# # If not using IRSA, consider creating the following file via SOPS or SealedSecrets
 # - encrypted-secret.yaml
 
-patchesStrategicMerge:
-- config-patches.yaml
-- reconcile-patch.yaml
+patches:
+- path: config-map-patch.yaml
+- path: reconcile-patch.yaml
+- path: ecr-token-refresh-patch.yaml
+# Comment out bind-irsa-patch.yaml if not using IRSA
+- path: bind-irsa-patch.yaml
+# # Uncomment if not using IRSA, please also check credentials-injection-patch.yaml
+# - path: credentials-injection-patch.yaml
 
-## uncomment if using encrypted-secret.yaml
+# # Uncomment if using encrypted-secret.yaml
 # vars:
 # - name: ECR_SECRET_NAME
 #   objref:
 #     kind: Secret
 #     name: credentials-sync
 #     apiVersion: v1
+# configurations:
+# - kustomizeconfig.yaml

manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomizeconfig.yaml

@@ -0,0 +1,3 @@
+varReference:
+- path: spec/jobTemplate/spec/template/spec/containers/envFrom/secretRef
+  kind: CronJob

manifests/integrations/registry-credentials-sync/azure/config-patches.yaml → manifests/integrations/registry-credentials-sync/_cronjobs/azure/azure-identity-patch.yaml

@@ -1,13 +1,3 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: credentials-sync
-data:
-  ACR_NAME: my-registry
-  KUBE_SECRET: acr-my-registry  # does not yet exist -- will be created in the same Namespace
-  SYNC_PERIOD: "3600"  # ACR tokens expire every 3 hours; refresh faster than that
-
 # Create an identity in Azure and assign it a role to pull from ACR  (note: the identity's resourceGroup should match the desired ACR):
 #     az identity create -n acr-sync
 #     az role assignment create --role AcrPull --assignee-object-id "$(az identity show -n acr-sync -o tsv --query principalId)"
@@ -24,16 +14,3 @@ spec:
   clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
   resourceID: /subscriptions/873c7e7f-76cd-4805-ae86-b923850b0000/resourcegroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/acr-sync
   type: 0  # user-managed identity
-
-# Specify the pod-identity via the aadpodidbinding label
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: credentials-sync
-  namespace: flux-system
-spec:
-  template:
-    metadata:
-      labels:
-        aadpodidbinding: $(AZ_IDENTITY_NAME)  # match the AzureIdentity name

manifests/integrations/registry-credentials-sync/_cronjobs/azure/config-map-patch.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: credentials-sync
+data:
+  ACR_NAME: my-registry
+  KUBE_SECRET: acr-my-registry  # does not yet exist -- will be created in the same Namespace

manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml

@@ -7,14 +7,15 @@ commonLabels:
 
 namespace: flux-system
 
-bases:
-- ../_base
 resources:
+- ../_base
 - az-identity.yaml
 
-patchesStrategicMerge:
-- config-patches.yaml
-- reconcile-patch.yaml
+patches:
+- path: config-map-patch.yaml
+- path: azure-identity-patch.yaml
+- path: token-refresh-and-identity-injection-patch.yaml
+- path: reconcile-patch.yaml
 
 vars:
 - name: AZ_IDENTITY_NAME

manifests/integrations/registry-credentials-sync/_cronjobs/azure/token-refresh-and-identity-injection-patch.yaml

@@ -0,0 +1,15 @@
+# Set the reconcile period + specify the pod-identity via the aadpodidbinding label
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: credentials-sync
+  namespace: flux-system
+spec:
+  schedule: 0 * * * *  # ACR tokens expire every 3 hours; refresh faster than that
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            aadpodidbinding: $(AZ_IDENTITY_NAME)  # match the AzureIdentity name

manifests/integrations/registry-credentials-sync/_cronjobs/gcp/bind-irsa-patch.yaml

@@ -0,0 +1,9 @@
+# Bind to the GCP service-account
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: credentials-sync
+  namespace: flux-system
+  annotations:
+    iam.gke.io/gcp-service-account: <name>@<project-id>.iam.gserviceaccount.com # set the GCP service-account

manifests/integrations/registry-credentials-sync/_cronjobs/gcp/config-map-patch.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: credentials-sync
+data:
+  GCR_REGISTRY: gcr.io  # set the registry
+  KUBE_SECRET: gcr-credentials  # does not yet exist -- will be created in the same Namespace

manifests/integrations/registry-credentials-sync/_cronjobs/gcp/gcr-token-refresh-patch.yaml

@@ -0,0 +1,9 @@
+# Set the reconcile period
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: credentials-sync
+  namespace: flux-system
+spec:
+  schedule: 0,30 * * * *  # 30m interval -- GCR tokens expire every hour; refresh faster than that

manifests/integrations/registry-credentials-sync/_cronjobs/gcp/kustomization.yaml

@@ -7,9 +7,11 @@ commonLabels:
 
 namespace: flux-system
 
-bases:
+resources:
 - ../_base
 
-patchesStrategicMerge:
-- config-patches.yaml
-- reconcile-patch.yaml
+patches:
+- path: config-map-patch.yaml
+- path: bind-irsa-patch.yaml
+- path: gcr-token-refresh-patch.yaml
+- path: reconcile-patch.yaml

manifests/integrations/registry-credentials-sync/aws/bind-irsa-patch.yaml

@@ -0,0 +1,9 @@
+# Bind IRSA for the ServiceAccount 
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: credentials-sync
+  namespace: flux-system
+  annotations:
+    eks.amazonaws.com/role-arn: <role arn>  # set the ARN for your role

manifests/integrations/registry-credentials-sync/aws/config-map-patch.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: credentials-sync
+data:
+  ECR_REGION: us-east-1  # set the region
+  ECR_REGISTRY: <account id>.dkr.ecr.<region>.amazonaws.com  # fill in the account id and region
+  KUBE_SECRET: ecr-credentials  # does not yet exist -- will be created in the same Namespace
+  SYNC_PERIOD: "21600"  # 6hrs -- ECR tokens expire every 12 hours; refresh faster than that