[Enhancement]: Add git OIDC authentication
bcouavoux opened this issue · 2 comments
Description
Hello
Now that it's possible to authenticate via OIDC & workload identity since version 2.4 of Flux, it would be interesting to port this option to the Terraform provider.
At present, we still have to enter a PAT token when we create our cluster, and then modify the configuration afterwards, because the resource checks the git configuration and needs HTTP authentication.
Affected Resource(s) and/or Data Source(s)
flux_bootstrap_git
Potential Terraform Configuration
```hcl
provider "flux" {
  kubernetes = {
    host                   = "xxxx"
    client_certificate     = "xxx"
    client_key             = "xxx"
    cluster_ca_certificate = "xxx"
  }
  git = {
    url       = "https://dev.azure.com/xxx/_git/xxx"
    provider  = "azure"
    client_id = "xxx-xxx-xxx-xxx"
  }
}
```
References
https://fluxcd.io/flux/components/source/gitrepositories/#azure
Would you like to implement a fix?
None
Implementing bootstrap with Azure OIDC can't be done here in the TF provider; the CLI code must use the same code we have in source-controller first, and only then can the flux2/pkg/bootstrap be adapted for TF.
As an alternative, you could switch to Flux Operator, which doesn't require a push to Git. In the FluxInstance definition you would patch the controllers and GitRepository to use Azure Workload Identity like so:
```yaml
apiVersion: fluxcd.controlplane.io/v1
kind: FluxInstance
metadata:
  name: flux
  namespace: flux-system
  annotations:
    fluxcd.controlplane.io/reconcile: "enabled"
    fluxcd.controlplane.io/reconcileEvery: "1h"
    fluxcd.controlplane.io/reconcileTimeout: "3m"
spec:
  distribution:
    version: "2.x"
    registry: "ghcr.io/fluxcd"
  cluster:
    type: kubernetes
    multitenant: false
    networkPolicy: true
    domain: "cluster.local"
  sync:
    kind: GitRepository
    url: "https://dev.azure.com/<your-organization>/<your-project>/_git/<your-repo>"
    ref: "refs/heads/main"
    path: "clusters/my-cluster"
  kustomize:
    patches:
      - patch: |
          apiVersion: v1
          kind: ServiceAccount
          metadata:
            name: controller
            annotations:
              azure.workload.identity/client-id: "<AZURE ID>"
            labels:
              azure.workload.identity/use: "true"
        target:
          kind: ServiceAccount
          name: "(source-controller|image-automation-controller)"
      - patch: |
          apiVersion: apps/v1
          kind: Deployment
          metadata:
            name: controller
            labels:
              azure.workload.identity/use: "true"
          spec:
            template:
              metadata:
                labels:
                  azure.workload.identity/use: "true"
        target:
          kind: Deployment
          name: "(source-controller|image-automation-controller)"
      - patch: |
          apiVersion: source.toolkit.fluxcd.io/v1
          kind: GitRepository
          metadata:
            name: flux-system
          spec:
            provider: azure
        target:
          kind: GitRepository
```
A Terraform example is available here; you'll need to adapt it with the config posted above.
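A post-migration check that the patches above actually landed and that no PAT is still wired in. This is an added example, not code from the issue or from Flux; it reads the `items` list of `kubectl get sa,deploy,gitrepository -n flux-system -o json` output (a constructed, deliberately half-migrated sample is embedded) and reports every controller or GitRepository that still falls short.

```python
import json

WI_USE = "azure.workload.identity/use"
WI_CLIENT_ID = "azure.workload.identity/client-id"
CONTROLLERS = {"source-controller", "image-automation-controller"}


def check_workload_identity(items):
    """Return findings for objects not matching the Workload Identity patches.
    An empty list means the controllers are wired and no stored PAT remains."""
    findings = []
    for obj in items:
        kind, name = obj["kind"], obj["metadata"]["name"]
        labels = obj["metadata"].get("labels", {})
        annotations = obj["metadata"].get("annotations", {})
        if kind == "ServiceAccount" and name in CONTROLLERS:
            cid = annotations.get(WI_CLIENT_ID, "")
            if not cid or cid.startswith("<"):  # unset, or placeholder left in
                findings.append(f"ServiceAccount/{name}: no usable {WI_CLIENT_ID}")
            if labels.get(WI_USE) != "true":
                findings.append(f"ServiceAccount/{name}: {WI_USE} label not 'true'")
        elif kind == "Deployment" and name in CONTROLLERS:
            # The token is projected only into pods that carry the label themselves.
            pod_labels = obj["spec"]["template"]["metadata"].get("labels", {})
            if pod_labels.get(WI_USE) != "true":
                findings.append(f"Deployment/{name}: pod template lacks {WI_USE}=true")
        elif kind == "GitRepository":
            spec = obj["spec"]
            if spec.get("provider") != "azure":
                findings.append(f"GitRepository/{name}: spec.provider is not 'azure'")
            if "secretRef" in spec:  # a static PAT is still in play
                findings.append(f"GitRepository/{name}: still uses secret "
                                f"{spec['secretRef'].get('name')}")
    return findings


# Constructed sample: a flux-system namespace where the migration is half done.
SAMPLE = json.loads("""{"items": [
 {"kind": "ServiceAccount", "metadata": {"name": "source-controller",
  "labels": {"azure.workload.identity/use": "true"},
  "annotations": {"azure.workload.identity/client-id": "<AZURE ID>"}}},
 {"kind": "Deployment", "metadata": {"name": "source-controller"},
  "spec": {"template": {"metadata": {"labels": {"app": "source-controller"}}}}},
 {"kind": "GitRepository", "metadata": {"name": "flux-system"},
  "spec": {"provider": "azure", "secretRef": {"name": "flux-system"}}}
]}""")

if __name__ == "__main__":
    for line in check_workload_identity(SAMPLE["items"]) or ["OK: no findings"]:
        print(line)
```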
Thank you very much @stefanprodan, everything works as I want it to now. I didn't know that existed, sorry. I'll close the subject.