Authenticate flux with Google Artifact Registry
What is the issue
While adopting Flux, we needed to connect it to our Helm Store (the name I have given to the Artifact Registry repository that holds all of our Helm charts).
At the time, Flux did not support automatic login to an OCI HelmRepository backed by Google Artifact Registry (see the source-controller issue referenced at the end of this page). Newer Flux releases added spec.provider: gcp on OCI HelmRepository objects for contextual login; the workaround below is for versions without it, or for clusters where that option cannot be used.
Example error message
Solution
The solution is a Kubernetes CronJob that fetches a fresh access token and writes it into a docker-registry Secret more often than the token expires, plus a secretRef on the HelmRepository that points at that Secret. Google access tokens are valid for at most one hour, and the metadata server may hand back a cached token that is already part-way through its lifetime, so the refresh interval has to sit well inside the hour. The schedule below fires at minutes 0 and 35 of each hour (in cron, */35 in the minute field means "every 35 minutes starting from 0", not "at :35"), so the stored token is never more than 35 minutes old.
Not covered in this guide: configuring Workload Identity so that the source-controller Kubernetes service account (KSA), which the job runs as, can obtain a Google access token, and giving the Google service account it maps to read access to the Artifact Registry repository. Without that binding, gcloud auth print-access-token in the job fails.
CronJob and RBAC
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: source-controller
  namespace: flux-system
rules:
  # kubectl apply needs get and patch to update the existing Secret and create for the first run.
  # get and patch can be narrowed with resourceNames: [artifact-registry-credentials];
  # create cannot, because RBAC does not know the name at admission time.
  - apiGroups: [""]
    resources:
      - secrets
    verbs:
      - get
      - create
      - patch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: source-controller
  namespace: flux-system
subjects:
  - kind: ServiceAccount
    name: source-controller
    namespace: flux-system   # required for ServiceAccount subjects
roleRef:
  kind: Role
  name: source-controller
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: artifact-registry-credentials-sync
  namespace: flux-system
spec:
  suspend: false
  # Fires at minute 0 and minute 35 of every hour, well inside the one-hour token lifetime.
  schedule: "*/35 * * * *"
  failedJobsHistoryLimit: 1
  successfulJobsHistoryLimit: 1
  jobTemplate:
    spec:
      template:
        spec:
          # This KSA must be mapped to a Google service account through Workload Identity,
          # otherwise gcloud cannot obtain a token from the metadata server.
          serviceAccountName: source-controller
          restartPolicy: Never
          containers:
            - image: google/cloud-sdk:latest   # pin a version or digest in production
              name: create-secret
              imagePullPolicy: IfNotPresent
              env:
                - name: SECRET_NAME
                  value: artifact-registry-credentials
                - name: GCR_REGISTRY
                  value: https://europe-west2-docker.pkg.dev
              command:
                - /bin/bash
                - -ce
                - |-
                  # Render the Secret client-side and apply it, so the job works both for
                  # the first run (create) and for every refresh afterwards (patch).
                  kubectl create secret docker-registry $SECRET_NAME \
                    --dry-run=client \
                    --docker-server="$GCR_REGISTRY" \
                    --docker-username=oauth2accesstoken \
                    --docker-password="$(gcloud auth print-access-token)" \
                    -o yaml | kubectl apply -f -
Configure the HelmRepository
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: example
  namespace: flux-system
spec:
  interval: 1m
  timeout: 120s
  type: oci
  url: oci://europe-west2-docker.pkg.dev/sb-devops-ieozhc/test
  # Added: the docker-registry Secret maintained by the CronJob above
  secretRef:
    name: artifact-registry-credentials
With the secretRef in place, the Flux HelmRepository can authenticate to Google Cloud Artifact Registry. To confirm, trigger a reconciliation with flux reconcile source helm example -n flux-system and check that flux get sources helm -n flux-system reports the repository as Ready; an authentication failure shows up in the same output as a non-ready condition.
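The two things worth checking after setting this up are that the Secret the CronJob writes has the shape Flux expects, and that the schedule actually refreshes the token faster than it expires. The script below is an added example, not code from the original post or from Flux: it builds the equivalent of the .dockerconfigjson that kubectl create secret docker-registry produces, validates one read back from a cluster, and computes the longest gap a cron minute field allows. It assumes one registry entry per Secret, a 3600-second token lifetime and a 5-minute start-up margin for the job; the registry names and the ya29.example-token value are constructed sample input.

```shell
#!/bin/sh
# Added example, not part of the original post or of Flux: offline helpers to
# (1) build and sanity-check the .dockerconfigjson the CronJob above writes, and
# (2) check that a cron minute field refreshes the token faster than it expires.
# Assumptions (not stated on the page): one registry entry per Secret, Google
# access tokens live at most 3600 s, and the job needs up to 5 minutes to start.
set -eu

TOKEN_LIFETIME_SECONDS=3600
STARTUP_MARGIN_SECONDS=300

# Emit the equivalent of what
#   kubectl create secret docker-registry --docker-server=$1 \
#     --docker-username=oauth2accesstoken --docker-password=$2
# stores: "auth" is base64("oauth2accesstoken:<token>").
render_dockerconfigjson() {
  registry="$1"
  token="$2"
  auth=$(printf '%s:%s' oauth2accesstoken "$token" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"oauth2accesstoken","password":"%s","auth":"%s"}}}' \
    "$registry" "$token" "$auth"
}

# Read a .dockerconfigjson from stdin and check that it has an entry for the
# given registry whose "auth" decodes to "oauth2accesstoken:<token>".
# Returns 0 when the Secret looks usable by Flux, 1 otherwise.
check_dockerconfigjson() {
  registry="$1"
  json=$(cat)
  case "$json" in
    *"\"$registry\""*) ;;
    *) echo "no entry for registry $registry" >&2; return 1 ;;
  esac
  auth=$(printf '%s' "$json" | sed -n 's/.*"auth":"\([^"]*\)".*/\1/p')
  if [ -z "$auth" ]; then
    echo "entry has no auth field" >&2
    return 1
  fi
  decoded=$(printf '%s' "$auth" | base64 -d 2>/dev/null || true)
  case "$decoded" in
    oauth2accesstoken:?*) return 0 ;;
    *) echo "auth does not decode to oauth2accesstoken:<token>" >&2; return 1 ;;
  esac
}

# Longest wait, in seconds, between two firings of a cron minute field when the
# other four fields are "*". Handles "N", "*/N" and "a,b,c".
max_refresh_gap_seconds() {
  field="$1"
  minutes=""
  case "$field" in
    '*/'*)
      step=${field#\*/}
      m=0
      while [ "$m" -lt 60 ]; do
        minutes="$minutes $m"
        m=$((m + step))
      done
      ;;
    *) minutes=$(printf '%s' "$field" | tr ',' ' ') ;;
  esac
  first=""
  prev=""
  max=0
  for m in $(printf '%s\n' $minutes | sort -n); do
    if [ -z "$first" ]; then
      first=$m
    elif [ $((m - prev)) -gt "$max" ]; then
      max=$((m - prev))
    fi
    prev=$m
  done
  if [ -z "$prev" ]; then
    echo "unsupported minute field: $field" >&2
    return 1
  fi
  # Gap from the last firing in one hour to the first firing in the next.
  if [ $((60 - prev + first)) -gt "$max" ]; then
    max=$((60 - prev + first))
  fi
  echo $((max * 60))
}

# A schedule is safe when its longest gap plus the job start-up margin still
# fits inside the token lifetime.
schedule_is_safe() {
  gap=$(max_refresh_gap_seconds "$1")
  [ $((gap + STARTUP_MARGIN_SECONDS)) -le "$TOKEN_LIFETIME_SECONDS" ]
}

# Offline check with a constructed token (no cluster needed):
#   render_dockerconfigjson europe-west2-docker.pkg.dev ya29.example-token \
#     | check_dockerconfigjson europe-west2-docker.pkg.dev && echo "secret format ok"
#   max_refresh_gap_seconds '*/35'   # prints 2100
#   schedule_is_safe 35 || echo "one firing per hour equals the token lifetime"
# Against a cluster, pass the same value used for GCR_REGISTRY in the CronJob:
#   kubectl -n flux-system get secret artifact-registry-credentials \
#     -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d \
#     | check_dockerconfigjson https://europe-west2-docker.pkg.dev
```

The schedule check is the part that catches the mistake of writing 35 * * * * (one firing per hour): its longest gap equals the token lifetime exactly, so any start-up delay leaves Flux with an expired credential until the next run.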
Source: fluxcd/source-controller issue 798