@@ -15,6 +15,7 @@ It has been successfully tested against the following popular registries:
1515* GitHub Packages Registry (` docker.pkg.github.com ` )
1616* GitLab Container Registry (` registry.gitlab.com ` )
1717* Google Container Registry (` gcr.io ` )
18+ * Azure Container Registry (` azurecr.io ` )
1819
1920Chances are, that it will work out of the box for other registries as well.
2021
@@ -326,3 +327,105 @@ two strategies to overcome this:
326327 i.e. for getting EKS credentials from the aws CLI. For example, if the
327328 token has a lifetime of 12 hours, you can set `credsexpire : 12h` and Argo
328329 CD Image Updater will get a new token after 12 hours.
330+
331+ # ## <a name="default-registry"></a>Configuring Azure Container registry with
332+ Workload identity
333+
334+ Follow the steps described below to authenticate against an Azure Container
335+ Registry using Azure Workload Identities with an external script.
336+
337+ Create a script to retrieve the ACR refresh token with the Azure Identity
338+ token :
339+
340+ ` ` ` yaml
341+ apiVersion: v1
342+ kind: ConfigMap
343+ metadata:
344+ name: argocd-image-updater-auth
345+ data:
346+ auth.sh: |
347+ #!/bin/sh
348+
349+ set -eo pipefail
350+
351+ AAD_ACCESS_TOKEN=$(cat $AZURE_FEDERATED_TOKEN_FILE)
352+
353+ ACCESS_TOKEN=$(wget --output-document - --header "Content-Type: application/x-www-form-urlencoded" \
354+ --post-data="grant_type=client_credentials&client_id=${AZURE_CLIENT_ID}&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&scope=https://management.azure.com/.default&client_assertion=${AAD_ACCESS_TOKEN}" \
355+ https://login.microsoftonline.com/${AZURE_TENANT_ID}/oauth2/v2.0/token \
356+ | python3 -c "import sys, json; print(json.load(sys.stdin)['access_token'])")
357+
358+ ACR_REFRESH_TOKEN=$(wget --quiet --header="Content-Type: application/x-www-form-urlencoded" \
359+ --post-data="grant_type=access_token&service=${ACR_NAME}&access_token=${ACCESS_TOKEN}" \
360+ --output-document - \
361+ "https://${ACR_NAME}/oauth2/exchange" |
362+ python3 -c "import sys, json; print(json.load(sys.stdin)['refresh_token'])")
363+
364+ echo "00000000-0000-0000-0000-000000000000:$ACR_REFRESH_TOKEN"
365+ ` ` `
366+
367+ Configure the Azure registry and map the authentication script :
368+
369+ ` ` ` yaml
370+ apiVersion: v1
371+ kind: ConfigMap
372+ metadata:
373+ name: argocd-image-updater-config
374+ data:
375+ registries.conf: |
376+ registries:
377+ - name: acr-name
378+ prefix: acr-name.azurecr.io
379+ api_url: https://acr-name.azurecr.io
380+ default: true
381+ credentials: ext:/app/auth/auth.sh
382+ credsexpire: 1h
383+ ` ` `
384+
385+ Patch the service account with the appropriate Azure Workload identity labels
386+ and annotations :
387+
388+ ` ` ` yaml
389+ apiVersion: v1
390+ kind: ServiceAccount
391+ metadata:
392+ name: argocd-image-updater
393+ labels:
394+ azure.workload.identity/use: "true"
395+ annotations:
396+ azure.workload.identity/client-id: placeholder
397+ ` ` `
398+
399+ Patch the deployment with the appropriate Azure Workload identity labels, mount
400+ directory and `ACR_NAME` environment variable :
401+
402+ ` ` ` yaml
403+ apiVersion: apps/v1
404+ kind: Deployment
405+ metadata:
406+ name: argocd-image-updater
407+ spec:
408+ template:
409+ metadata:
410+ labels:
411+ azure.workload.identity/use: "true"
412+ spec:
413+ containers:
414+ - name: argocd-image-updater
415+ command:
416+ - /usr/local/bin/argocd-image-updater
417+ - run
418+ - --registries-conf-path
419+ - /app/config/registries.conf
420+ env:
421+ - name: ACR_NAME
422+ value: placeholder.azurecr.io
423+ volumeMounts:
424+ - mountPath: /app/auth
425+ name: auth
426+ volumes:
427+ - configMap:
428+ name: argocd-image-updater-auth
429+ defaultMode: 493
430+ name: auth
431+ ` ` `
0 commit comments