docs: add instructions to authenticate to Azure Container Registry wi…

…th workload identity Signed-off-by: Etienne Tremel <[email protected]>
argoproj-labs · Feb 23, 2024 · 92459cd · 92459cd
1 parent 7d93c7a
commit 92459cd
Show file tree

Hide file tree

Showing 2 changed files with 105 additions and 0 deletions.
diff --git a/.github/actions/spelling/allow.txt b/.github/actions/spelling/allow.txt
@@ -1,3 +1,6 @@
+AAD
+ACR
+acr
 aic
 amd
 anyfield
@@ -14,6 +17,7 @@ argoprojlabs
 args
 auths
 aws
+azurecr
 babayaga
 baralias
 baz
@@ -92,6 +96,7 @@ heptio
 hsla
 http
 https
+ietf
 ifdef
 img
 ineffassign
@@ -100,6 +105,7 @@ ioutil
 itl
 jannfis
 json
+jwt
 JWT
 ks
 Ksonnet
@@ -127,6 +133,7 @@ matchfunc
 Matchfunc
 memcache
 metadata
+microsoftonline
 misconfigured
 mkdir
 mkdocs
@@ -148,6 +155,7 @@ noproto
 noreply
 notastring
 notexist
+oauth
 omitempty
 otherimg
 otherparam
@@ -196,12 +204,14 @@ src
 SRCROOT
 ssh
 stderr
+stdin
 stdout
 stretchr
 structcheck
 svg
 svi
 svl
+sys
 SZ
 taglist
 tagsortmode
@@ -223,6 +233,7 @@ unmarshals
 unparam
 updateable
 url
+urlencoded
 Useragent
 username
 usr
@@ -233,6 +244,7 @@ waitgroup
 Warnf
 webkit
 webroot
+wget
 WORKDIR
 workflow
 workflows

diff --git a/docs/configuration/registries.md b/docs/configuration/registries.md
@@ -15,6 +15,7 @@ It has been successfully tested against the following popular registries:
 * GitHub Packages Registry (`docker.pkg.github.com`)
 * GitLab Container Registry (`registry.gitlab.com`)
 * Google Container Registry (`gcr.io`)
+* Azure Container Registry (`azurecr.io`)
 
 Chances are, that it will work out of the box for other registries as well.
 
@@ -326,3 +327,95 @@ two strategies to overcome this:
   i.e. for getting EKS credentials from the aws CLI. For example, if the
   token has a lifetime of 12 hours, you can set `credsexpire: 12h` and Argo
   CD Image Updater will get a new token after 12 hours.
+
+### <a name="default-registry"></a>Configuring Azure Container registry with
+Workload identity
+
+Follow the steps described below to authenticate against an Azure Container
+Registry using Azure Workload Identities with an external script.
+
+Create a script to retrieve the ACR refresh token with the Azure Identity
+token:
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-image-updater-auth
+data:
+  auth.sh: |
+    AAD_ACCESS_TOKEN=$(cat $AZURE_FEDERATED_TOKEN_FILE)
+
+    ACCESS_TOKEN=$(wget --output-document - --header "Content-Type: application/x-www-form-urlencoded" \
+    --post-data="grant_type=client_credentials&client_id=${AZURE_CLIENT_ID}&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&scope=https://management.azure.com/.default&client_assertion=${AAD_ACCESS_TOKEN}" \
+    https://login.microsoftonline.com/${AZURE_TENANT_ID}/oauth2/v2.0/token \
+    | python3 -c "import sys, json; print(json.load(sys.stdin)['access_token'])")
+
+    ACR_REFRESH_TOKEN=$(wget --quiet --header="Content-Type: application/x-www-form-urlencoded" \
+    --post-data="grant_type=access_token&service=${ACR_NAME}&access_token=${ACCESS_TOKEN}" \
+    --output-document - \
+    "https://${ACR_NAME}/oauth2/exchange" |
+    python3 -c "import sys, json; print(json.load(sys.stdin)['refresh_token'])")
+
+    echo "00000000-0000-0000-0000-000000000000:$ACR_REFRESH_TOKEN"
+```
+
+Configure the Azure registry and map the authentication script:
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-image-updater-config
+data:
+  registries.conf: |
+    registries:
+      - name: acr-name
+        prefix: acr-name.azurecr.io
+        api_url: https://acr-name.azurecr.io
+        default: true
+        credentials: ext:/app/auth/auth.sh
+        credsexpire: 1h
+```
+
+Patch the service account with the appropriate Azure Workload identity labels
+and annotations:
+
+```yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argocd-image-updater
+  labels:
+    azure.workload.identity/use: "true"
+  annotations:
+    azure.workload.identity/client-id: placeholder
+```
+
+Patch the deployment with the appropriate Azure Workload identity labels, mount
+directory and `ACR_NAME` environment variable:
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: argocd-image-updater
+spec:
+  template:
+    metadata:
+      labels:
+        azure.workload.identity/use: "true"
+    spec:
+      containers:
+        - name: argocd-image-updater
+          env:
+            - name: ACR_NAME
+              value: placeholder
+          volumeMounts:
+            - mountPath: /app/auth
+              name: auth
+      volumes:
+        - configMap:
+            name: argocd-image-updater-auth
+          name: auth
+```