chore(integrations/registry): remove deprecated kustomize features

Signed-off-by: Artem <[email protected]>

Author: Stringls

manifests/integrations/registry-credentials-sync/_base/kustomization.yaml

@@ -7,8 +7,8 @@ commonLabels:
 resources:
 - sync.yaml
 
-patchesStrategicMerge:
-  - kubectl-patch.yaml
+patches:
+- path: kubectl-patch.yaml
 
 vars:
 - name: KUBE_SECRET

manifests/integrations/registry-credentials-sync/_base/sync.yaml

@@ -101,9 +101,9 @@ rules:
   - create
   - update
   - patch
-  # # Lock this down to the specific Secret name  (Optional)
-  #resourceNames:
-  #- $(KUBE_SECRET)  # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
+  # Lock this down to the specific Secret name  (Optional)
+  resourceNames:
+  - $(KUBE_SECRET)  # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml

@@ -7,8 +7,8 @@ commonLabels:
 resources:
 - sync.yaml
 
-patchesStrategicMerge:
-  - kubectl-patch.yaml
+patches:
+- path: kubectl-patch.yaml
 
 vars:
 - name: KUBE_SECRET

manifests/integrations/registry-credentials-sync/_cronjobs/aws/bind-irsa-patch.yaml

@@ -0,0 +1,9 @@
+# Bind IRSA for the ServiceAccount 
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: credentials-sync
+  namespace: flux-system
+  annotations:
+    eks.amazonaws.com/role-arn: <role arn>  # set the ARN for your role

manifests/integrations/registry-credentials-sync/_cronjobs/aws/config-map-patch.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: credentials-sync
+data:
+  ECR_REGION: us-east-1  # set the region
+  ECR_REGISTRY: <account id>.dkr.ecr.<region>.amazonaws.com  # fill in the account id and region
+  KUBE_SECRET: ecr-credentials  # does not yet exist -- will be created in the same Namespace

manifests/integrations/registry-credentials-sync/_cronjobs/aws/config-patches.yaml

@@ -0,0 +1,21 @@
+# If not using IRSA, set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
+# Store these values in a Secret and load them in the container using envFrom.
+# For managing this secret via GitOps, consider using SOPS or SealedSecrets and add that manifest in a resource file for this kustomize build.
+#   https://fluxcd.io/docs/guides/mozilla-sops/
+#   https://fluxcd.io/docs/guides/sealed-secrets/
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: credentials-sync
+  namespace: flux-system
+spec:
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: sync
+            envFrom:
+            - secretRef:
+                name: $(ECR_SECRET_NAME)  # uncomment the var for this in kustomization.yaml

manifests/integrations/registry-credentials-sync/_cronjobs/aws/credentials-injection-patch.yaml

@@ -0,0 +1,9 @@
+# Set the reconcile period
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: credentials-sync
+  namespace: flux-system
+spec:
+  schedule: 0 */6 * * *  # every 6hrs -- ECR tokens expire every 12 hours; refresh faster than that

manifests/integrations/registry-credentials-sync/_cronjobs/aws/ecr-token-refresh-patch.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: credentials-sync
+data:
+    AWS_ACCESS_KEY_ID: Zm9vCg==
+    AWS_SECRET_ACCESS_KEY: YmFyCg==
+type: Opaque

manifests/integrations/registry-credentials-sync/_cronjobs/aws/encrypted-secret.yaml

@@ -7,19 +7,26 @@ commonLabels:
 
 namespace: flux-system
 
-bases:
+resources:
 - ../_base
-## If not using IRSA, consider creating the following file via SOPS or SealedSecrets
+# # If not using IRSA, consider creating the following file via SOPS or SealedSecrets
 # - encrypted-secret.yaml
 
-patchesStrategicMerge:
-- config-patches.yaml
-- reconcile-patch.yaml
+patches:
+- path: config-map-patch.yaml
+- path: reconcile-patch.yaml
+- path: ecr-token-refresh-patch.yaml
+# Comment out bind-irsa-patch.yaml if not using IRSA
+- path: bind-irsa-patch.yaml
+# # Uncomment if not using IRSA, please also check credentials-injection-patch.yaml
+# - path: credentials-injection-patch.yaml
 
-## uncomment if using encrypted-secret.yaml
+# # Uncomment if using encrypted-secret.yaml
 # vars:
 # - name: ECR_SECRET_NAME
 #   objref:
 #     kind: Secret
 #     name: credentials-sync
 #     apiVersion: v1
+# configurations:
+# - kustomizeconfig.yaml