docs/spec/v1beta2/imagerepositories.md
25 additions & 10 deletions
@@ -168,10 +168,22 @@ reference.
168
168
169
169
### ServiceAccount name
170
170
171
-
`.spec.serviceAccountName`is an optional field to specify a name reference to a
172
-
ServiceAccount in the same namespace as the ImageRepository, with an image pull
173
-
secret attached to it. For detailed instructions about attaching an image pull
174
-
secret to a ServiceAccount, see [Add image pull secret to service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-image-pull-secret-to-service-account).
171
+
`.spec.serviceAccountName`is an optional field to specify a Service Account
172
+
in the same namespace as ImageRepository with purpose depending on the value of
173
+
the `.spec.provider` field:
174
+
175
+
- When `.spec.provider` is set to `generic`, the controller will fetch the image
176
+
pull secrets attached to the Service Account and use them for authentication.
177
+
- When `.spec.provider` is set to `aws`, `azure`, or `gcp`, the Service Account
178
+
will be used for Workload Identity authentication. In this case, the controller
179
+
feature gate `ObjectLevelWorkloadIdentity` must be enabled, otherwise the
180
+
controller will error out.
181
+
182
+
**Note:** that for a publicly accessible image repository, you don't need to
183
+
provide a `secretRef` nor `serviceAccountName`.
184
+
185
+
For a complete guide on how to set up authentication for cloud providers,
186
+
see the integration [docs](/flux/integrations/).
175
187
176
188
### Certificate secret reference
177
189
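Review bot: The `aws`, `azure`, or `gcp` bullet states what happens when the `ObjectLevelWorkloadIdentity` feature gate is disabled, but not what the controller authenticates as when `.spec.serviceAccountName` is left unset with one of those providers. Add a sentence for that case so a reader can tell which identity an ImageRepository ends up using. Two wording points in the same hunk: "**Note:** that for a publicly accessible image repository" should drop "that", and the note should write `.spec.secretRef` and `.spec.serviceAccountName` with the `.spec.` prefix used in the rest of the section.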
@@ -368,8 +380,8 @@ container registry.
368
380
369
381
### Provider
370
382
371
-
`.spec.provider`is an optional field that allows specifying an OIDC provider
372
-
used for authentication purposes.
383
+
`.spec.provider`is an optional field that allows specifying an OIDC provider used for
384
+
authentication purposes.
373
385
374
386
Supported options are:
375
387
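Review bot: The two `+` lines under "### Provider" only move the line break, and the first one ("... an OIDC provider used for") now runs past the wrap width the surrounding lines keep. Either leave the original wrapping so the hunk drops out of the diff, or use the touch to align the wording with the updated ServiceAccount section, which describes `aws`, `azure` and `gcp` in terms of Workload Identity rather than "an OIDC provider".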
@@ -378,10 +390,13 @@ Supported options are:
378
390
- `azure`
379
391
- `gcp`
380
392
381
-
The `generic` provider can be used for public repositories or when static
382
-
credentials are used for authentication, either with `.spec.secretRef` or
383
-
`.spec.serviceAccount`. If `.spec.provider` is not specified, it defaults to
384
-
`generic`.
393
+
The `generic` provider can be used for public repositories or when
394
+
static credentials are used for authentication, either with
395
+
`spec.secretRef`or `spec.serviceAccountName`.
396
+
If you do not specify `.spec.provider`, it defaults to `generic`.
397
+
398
+
For a complete guide on how to set up authentication for cloud providers,
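Review bot: The corrected field name in the `generic` paragraph lost its leading dot: the new lines read `spec.secretRef` and `spec.serviceAccountName`, while the next sentence and the rest of the document use `.spec.provider` style. Write them as `.spec.secretRef` and `.spec.serviceAccountName`. The closing "For a complete guide on how to set up authentication for cloud providers," sentence also repeats the one added under "### ServiceAccount name"; consider keeping it in one place and linking to it from the other.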