Implemented automatic fetching ACR password from Azure KeyVault
This commit is contained in:
parent
7b12088952
commit
0c02c20995
@ -23,6 +23,13 @@ spec:
|
|||||||
resources:
|
resources:
|
||||||
requests:
|
requests:
|
||||||
storage: 128Mi
|
storage: 128Mi
|
||||||
|
volumes:
|
||||||
|
- name: secrets-store
|
||||||
|
csi:
|
||||||
|
driver: secrets-store.csi.k8s.io
|
||||||
|
readOnly: true
|
||||||
|
volumeAttributes:
|
||||||
|
secretProviderClass: azure-keyvault
|
||||||
templates:
|
templates:
|
||||||
|
|
||||||
# 🔁 Main steps sequence
|
# 🔁 Main steps sequence
|
||||||
@ -112,21 +119,14 @@ spec:
|
|||||||
./dgoss run -e SQLALCHEMY_DATABASE_URI=sqlite:///:memory: $DOCKER_IMAGE > /workspace/goss_junit.xml
|
./dgoss run -e SQLALCHEMY_DATABASE_URI=sqlite:///:memory: $DOCKER_IMAGE > /workspace/goss_junit.xml
|
||||||
|
|
||||||
echo "===> Logging into ACR"
|
echo "===> Logging into ACR"
|
||||||
|
ACR_PASSWORD=$(cat /mnt/secrets/acr-password)
|
||||||
echo "$ACR_PASSWORD" | docker login {{workflow.parameters.registry_server}} -u $ACR_USERNAME --password-stdin
|
echo "$ACR_PASSWORD" | docker login {{workflow.parameters.registry_server}} -u $ACR_USERNAME --password-stdin
|
||||||
|
|
||||||
echo "===> Pushing image to ACR"
|
echo "===> Pushing image to ACR"
|
||||||
docker push $DOCKER_IMAGE
|
docker push $DOCKER_IMAGE
|
||||||
env:
|
env:
|
||||||
- name: ACR_USERNAME
|
- name: ACR_USERNAME
|
||||||
valueFrom:
|
value: marcin00
|
||||||
secretKeyRef:
|
|
||||||
name: acr-creds
|
|
||||||
key: username
|
|
||||||
- name: ACR_PASSWORD
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: acr-creds
|
|
||||||
key: password
|
|
||||||
securityContext:
|
securityContext:
|
||||||
privileged: true
|
privileged: true
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
@ -134,6 +134,9 @@ spec:
|
|||||||
mountPath: /workspace
|
mountPath: /workspace
|
||||||
- name: docker-library
|
- name: docker-library
|
||||||
mountPath: /var/lib/docker
|
mountPath: /var/lib/docker
|
||||||
|
- name: secrets-store
|
||||||
|
mountPath: "/mnt/secrets"
|
||||||
|
readOnly: true
|
||||||
volumes:
|
volumes:
|
||||||
- name: docker-library
|
- name: docker-library
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
|
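--- a/argo-workflows/secret-store.yaml
+++ b/argo-workflows/secret-store.yaml
@@ -0,0 +1,25 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+name: azure-keyvault
+namespace: argo
+spec:
+provider: azure
+secretObjects:
+- secretName: acr-creds
+type: Opaque
+data:
+- objectName: acr-password
+- key: password
+parameters:
+usePodIdentity: "false"
+useVMManagedIdentity: "true"
+userAssignedIdentityID: "0c2780e4-8594-4aab-8f1a-8a19f71924bd" # client_id of the user-assigned managed identity
+clientID: "0c2780e4-8594-4aab-8f1a-8a19f71924bd" # client_id of the user-assigned managed identity
+keyvaultName: "dev-aks"
+objects: |
+array:
+- |
+objectName: acr-password
+objectType: secret
+tenantID: "f4e3e6f7-d21c-460e-b201-2192174e7f41"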
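Review bot: The `data` entry under `secretObjects` is rendered as two separate list items, `- objectName: acr-password` and `- key: password`, which would hand the Azure provider one item without a `key` and one without an `objectName`; if that is the file's real indentation, the second line should be a sibling key of the first, i.e. `- objectName: acr-password` followed by `  key: password` aligned with `objectName`. The rendered page has lost its indentation, so this is worth confirming against the checked-in file. Nothing in this commit consumes the synced `acr-creds` Secret any more — the workflow hunks read the password from the `/mnt/secrets/acr-password` mount and the `ACR_USERNAME` secretKeyRef was replaced by a literal — so `secretObjects` now only produces a second copy of the registry password in the `argo` namespace, readable by anything with Secret access there; either drop the block, or keep the Secret-based path in the workflow and drop the file mount, rather than maintaining both. `userAssignedIdentityID` and `clientID` carry the same value, and with `useVMManagedIdentity: "true"` the provider presumably honours only one of them, so keeping just the parameter that matches the chosen auth mode would make the intended identity path explicit.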