Azure Container Registry
The Azure Container Registry (ACR) generator creates a short-lived refresh or access token for accessing ACR.
The token is generated for a particular ACR registry defined in spec.registry
.
Output Keys and Values
Key | Description |
---|---|
username | username for the docker login command |
password | password for the docker login command |
Authentication
You must choose one out of three authentication mechanisms:
- service principal
- managed identity
- workload identity
The generated token will inherit the permissions from the assigned policy. I.e. when you assign a read-only policy all generated tokens will be read-only.
You must assign a Azure RBAC role, such as AcrPush
or AcrPull
to the service principal in order to be able to authenticate with the Azure container registry API.
You can scope tokens to a particular repository using spec.scope
.
Scope
First, an Azure Active Directory access token is obtained with the desired authentication method.
This AAD access token will be used to authenticate against ACR to issue a refresh token or access token.
If spec.scope
if it is defined it obtains an ACR access token. If spec.scope
is missing it obtains an ACR refresh token:
- access tokens are scoped to a specific repository or action (pull,push)
- refresh tokens can are scoped to whatever policy is attached to the identity that creates the acr refresh token
The Scope grammar is defined in the Docker Registry spec.
Note: You can not use a wildcards in the scope parameter, you can match exactly one repository and defined multiple actions like pull
or push
.
Example scopes:
repository:my-repository:pull,push
repository:my-repository:pull
Example Manifest
apiVersion: generators.external-secrets.io/v1alpha1
kind: ACRAccessToken
metadata:
name: my-azurecr
spec:
tenantId: 11111111-2222-3333-4444-111111111111
registry: example.azurecr.io
# optional; scope token down to a single repository/action
# if set, it will generate an access token instead of an refresh token.
scope: "repository:foo:pull,push"
# Specify Azure cloud type, defaults to PublicCloud.
# This is used for authenticating with Azure Active Directory.
# available options: PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
environmentType: "PublicCloud"
# choose one authentication method
auth:
# option 1: point to a secret that contains a client-id and client-secret
servicePrincipal:
secretRef:
clientSecret:
name: az-secret
key: clientsecret
clientId:
name: az-secret
key: clientid
# option 2:
managedIdentity:
identityId: "xxxxx"
# option 3:
workloadIdentity:
# note: you can reference service accounts across namespaces.
serviceAccountRef:
name: "my-service-account"
audiences: []
Example ExternalSecret
that references the ACR generator:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: azurecr-credentials
spec:
dataFrom:
- sourceRef:
generatorRef:
apiVersion: generators.external-secrets.io/v1alpha1
kind: ACRAccessToken
name: my-azurecr
refreshInterval: 12h
target:
name: azurecr-credentials
template:
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: |
{
"auths": {
"myregistry.azurecr.io": {
"username": "{{ .username }}",
"identitytoken": "{{ .password }}",
}
}
}