Merge pull request #1122 from fluxcd/aws-sops

Add AWS IAM role binding example to SOPS guide

README.md

@@ -74,7 +74,7 @@ runtime for Flux v2. The APIs comprise Kubernetes custom resources,
 which can be created and updated by a cluster user, or by other
 automation tooling.
 
-![overview](docs/diagrams/gitops-toolkit.png)
+![overview](docs/_files/gitops-toolkit.png)
 
 You can use the toolkit to extend Flux, or to build your own systems
 for continuous delivery -- see [the developer

docs/guides/image-update.md

@@ -425,7 +425,7 @@ metadata:
   name: flux-system
 spec:
   commit:
-    messsageTemplate: |
+    messageTemplate: |
       Automated image update
 
       Automation name: {{ .AutomationObject }}

docs/guides/mozilla-sops.md

@@ -38,7 +38,8 @@ EOF
 ```
 
 The above configuration creates an rsa4096 key that does not expire.
-For a full list of options to consider for your environment, see [Unattended GPG key generation](https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html).
+For a full list of options to consider for your environment, see
+[Unattended GPG key generation](https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html).
 
 Retrieve the GPG key fingerprint (second row of the sec column):
 
@@ -124,7 +125,8 @@ gpg --import ./clusters/cluster0/.sops.pub.asc
 
 ## Configure the Git directory for encryption
 
-Write a [SOPS config file](https://github.com/mozilla/sops#using-sops-yaml-conf-to-select-kms-pgp-for-new-files) to the specific cluster or namespace directory used
+Write a [SOPS config file](https://github.com/mozilla/sops#using-sops-yaml-conf-to-select-kms-pgp-for-new-files)
+to the specific cluster or namespace directory used
 to store encrypted objects with this particular GPG key's fingerprint.
 
 ```yaml
@@ -148,7 +150,8 @@ You may wish to add other fields if you are encrypting other types of Objects.
     Note that you should encrypt only the `data` or `stringData` section. Encrypting the Kubernetes
     secret metadata, kind or apiVersion is not supported by kustomize-controller.
 
-Ignore all `.sops.yaml` files in a [`.sourceignore`](../components/source/gitrepositories#excluding-files) file at the root of your repo.
+Ignore all `.sops.yaml` files in a [`.sourceignore`](../components/source/gitrepositories#excluding-files)
+file at the root of your repo.
 
 ```sh
 touch .sourceignore
@@ -178,7 +181,8 @@ sops --encrypt --in-place basic-auth.yaml
 You can now commit the encrypted secret to your Git repository.
 
 !!! hint
-    Note that you shouldn't apply the encrypted secrets onto the cluster with kubectl. SOPS encrypted secrets are designed to be consumed by kustomize-controller.
+    Note that you shouldn't apply the encrypted secrets onto the cluster with kubectl.
+    SOPS encrypted secrets are designed to be consumed by kustomize-controller.
 
 ### Using various cloud providers
 
@@ -190,7 +194,13 @@ kustomize-controller to be able to fetch keys from KMS.
 
 #### AWS 
 
-IAM Role example:
+Enabled the [IAM OIDC provider](https://eksctl.io/usage/iamserviceaccounts/) on your EKS cluster:
+
+```sh
+eksctl utils associate-iam-oidc-provider --cluster=<clusterName>
+```
+
+Create an IAM Role with access to AWS KMS e.g.:
 
 ```json
 {
@@ -211,6 +221,23 @@ IAM Role example:
 }
 ```
 
+Bind the IAM role to the `kustomize-controller` service account:
+
+```sh
+eksctl create iamserviceaccount \
+--override-existing-serviceaccounts \
+--name=kustomize-controller \
+--namespace=flux-system \
+--attach-policy-arn=<policyARN> \
+--cluster=<clusterName>
+```
+
+Restart kustomize-controller for the binding to take effect:
+
+```sh
+kubectl -n flux-system rollout restart deployment/kustomize-controller
+```
+
 #### Azure
 
 When using Azure Key Vault you need to authenticate kustomize-controller either with [add-pod-identity](../use-cases/azure.md#aad-pod-identity)
@@ -276,7 +303,8 @@ spec:
           value: msi
 ```
 
-Alternatively, if using a Service Principal stored in a K8s Secret, patch the Pod's envFrom to reference the `AZURE_TENANT_ID`/`AZURE_CLIENT_ID`/`AZURE_CLIENT_SECRET`
+Alternatively, if using a Service Principal stored in a K8s Secret, patch the Pod's envFrom
+to reference the `AZURE_TENANT_ID`/`AZURE_CLIENT_ID`/`AZURE_CLIENT_SECRET`
 fields from your Secret.
 
 ```yaml
@@ -295,10 +323,12 @@ spec:
             name: sops-akv-decryptor-service-principal
 ```
 
-At this point, kustomize-controller is now authorized to decrypt values in SOPS encrypted files from your Sources via the related Key Vault.
+At this point, kustomize-controller is now authorized to decrypt values in
+SOPS encrypted files from your Sources via the related Key Vault.
 
-See Mozilla's guide to [Encrypting Using Azure Key Vault](https://github.com/mozilla/sops#encrypting-using-azure-key-vault) to get started
+See Mozilla's guide to
-committing encrypted files to your Git Repository or other Sources.
+[Encrypting Using Azure Key Vault](https://github.com/mozilla/sops#encrypting-using-azure-key-vault)
+to get started committing encrypted files to your Git Repository or other Sources.
 
 #### Google Cloud
 

docs/index.md

@@ -44,7 +44,7 @@ The `flux` command-line tool is a convenient way to bootstrap the
 system in a cluster, and to access the custom resources that make up
 the API.
 
-![overview](diagrams/gitops-toolkit.png)
+![overview](_files/gitops-toolkit.png)
 
 ## Where do I start?
 

docs/internal/release.md

@@ -24,7 +24,7 @@ Repositories subject to semver releases:
    - dependencies: `github.com/fluxcd/source-controller/api`, `github.com/fluxcd/image-reflector-controller/api`, `github.com/fluxcd/pkg/*`
 1. [fluxcd/notification-controller](https://github.com/fluxcd/notification-controller)
     - modules: `api`
-    - dependencies: `github.com/fluxcd/source-controller/api`, `github.com/fluxcd/pkg/*`
+    - dependencies: `github.com/fluxcd/pkg/*`
 1. [fluxcd/flux2](https://github.com/fluxcd/flux2)
     - modules: `manifestgen`
     - dependencies: `github.com/fluxcd/source-controller/api`, `github.com/fluxcd/kustomize-controller/api`, `github.com/fluxcd/helm-controller/api`, `github.com/fluxcd/image-reflector-controller/api`, `github.com/fluxcd/image-automation-controller/api`, `github.com/fluxcd/notification-controller/api`, `github.com/fluxcd/pkg/*`