Workload Identity

Navecd deployed on Azure AKS, AWS EKS or GCP GKE can be configured to use Workload Identity to access the corresponding cloud container registries.

Azure AKS

Info

See the Azure documentation to learn how to set up Azure Workload Identity.

Annotate the Kubernetes ServiceAccount used by your GitOpsProject with the Microsoft Entra application (client) ID:

Note

If no ServiceAccount is provided via the GitOpsProject spec, Navecd uses the ServiceAccount of the Controller Deployment.

package navecd

import (
  "github.com/kharf/navecd/schema/component"
)

// ServiceAccount used by the project controller; "ns" refers to the
// namespace component defined elsewhere in this package.
primaryServiceAccount: component.#Manifest & {
  dependencies: [ns.id]
  content: {
    apiVersion: "v1"
    kind:       "ServiceAccount"
    metadata: {
      name:      "project-controller-primary"
      namespace: ns.content.metadata.name
      // Microsoft Entra application (client) ID of the federated identity.
      annotations: "azure.workload.identity/client-id": "<client id>"
    }
  }
}

Label Navecd pods to use Workload Identity:

Note

The Navecd Controller Deployment value name contains the shard name when the project is initialized through the Navecd CLI. The default name is "primaryProjectControllerDeployment".

navecd/patch.cue
package navecd

import (
  "github.com/kharf/navecd/schema/component"
)

// Patch the controller Deployment so its pods opt in to Azure Workload Identity.
primaryProjectControllerDeployment: component.#Manifest & {
  content: {
    spec: template: metadata: labels: {
      "azure.workload.identity/use": "true"
    }
  }
}

Update your Helm Release to use Workload Identity:

package myapp

import (
  "github.com/kharf/navecd/schema/component"
  "github.com/kharf/navecd/schema/workloadidentity"
)

release: component.#HelmRelease & {
  dependencies: [ns.id]
  name:      "myapp"
  namespace: ns.content.metadata.name
  chart: {
    name:    "myapp"
    repoURL: "oci://myfakeregistry.azurecr.io"
    version: "1.0.0"
    auth:    workloadidentity.#Azure
  }
}

AWS EKS

Info

See the AWS documentation to learn how to set up EKS Workload Identity (EKS Pod Identities).

Update your Helm Release to use Workload Identity:

package myapp

import (
  "github.com/kharf/navecd/schema/component"
  "github.com/kharf/navecd/schema/workloadidentity"
)

release: component.#HelmRelease & {
  dependencies: [ns.id]
  name:      "myapp"
  namespace: ns.content.metadata.name
  chart: {
    name:    "myapp"
    repoURL: "oci://myfakeregistry.dkr.ecr.eu-north-1.amazonaws.com"
    version: "1.0.0"
    auth:    workloadidentity.#AWS
  }
}

GCP GKE

Info

See the GCP documentation to learn how to set up GKE Workload Identity (IAM principal identifiers).

Update your Helm Release to use Workload Identity:

package myapp

import (
  "github.com/kharf/navecd/schema/component"
  "github.com/kharf/navecd/schema/workloadidentity"
)

release: component.#HelmRelease & {
  dependencies: [ns.id]
  name:      "myapp"
  namespace: ns.content.metadata.name
  chart: {
    name:    "myapp"
    repoURL: "oci://europe-west4-docker.pkg.dev/myfakeregistry/charts"
    version: "1.0.0"
    auth:    workloadidentity.#GCP
  }
}
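As an added pre-flight check (example code, not part of Navecd or this page), the following Python validates the wiring the three sections above require, given the ServiceAccount, the controller Deployment and the HelmRelease rendered to plain dicts: the chart's `auth` provider must match the registry the `repoURL` points at, and for Azure the ServiceAccount annotation and pod label must be present. The function names, the registry host patterns and the sample manifests are assumptions constructed for this example.

```python
import re
from typing import Optional

# Annotation and label keys the Azure section of this page requires.
AZURE_SA_ANNOTATION = "azure.workload.identity/client-id"
AZURE_POD_LABEL = "azure.workload.identity/use"

# Assumption: host patterns used to infer which cloud provider hosts a chart.
REGISTRY_PROVIDER = [
    (re.compile(r"\.azurecr\.io$"), "Azure"),
    (re.compile(r"\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com$"), "AWS"),
    (re.compile(r"(^|\.)pkg\.dev$"), "GCP"),
]

def registry_provider(repo_url: str) -> Optional[str]:
    """Map an oci:// chart repoURL to the provider hosting it, or None if unknown."""
    if not repo_url.startswith("oci://"):
        return None
    host = repo_url[len("oci://"):].split("/", 1)[0]
    return next((p for pat, p in REGISTRY_PROVIDER if pat.search(host)), None)

def check_release(release: dict, service_account: dict, deployment: dict) -> list:
    """Return findings; an empty list means the wiring matches this page's setup."""
    findings = []
    chart = release["chart"]
    auth = chart.get("auth")  # "Azure" | "AWS" | "GCP" | None, from workloadidentity.#<Provider>
    provider = registry_provider(chart["repoURL"])
    if provider is None:
        findings.append(f"unrecognised registry host in {chart['repoURL']}")
    elif auth != provider:
        findings.append(f"chart auth is {auth!r} but registry belongs to {provider}")
    if auth == "Azure":  # AWS and GCP need no extra pod or ServiceAccount markup here
        annotations = service_account.get("metadata", {}).get("annotations", {})
        if not annotations.get(AZURE_SA_ANNOTATION):
            findings.append(f"ServiceAccount lacks annotation {AZURE_SA_ANNOTATION}")
        labels = deployment["spec"]["template"]["metadata"].get("labels", {})
        if labels.get(AZURE_POD_LABEL) != "true":
            findings.append(f"controller pod template lacks label {AZURE_POD_LABEL}=true")
    return findings

# Constructed sample: the Azure wiring from this page rendered to dicts, plus a
# mis-wired release that selects AWS auth for an Azure Container Registry.
SA = {"metadata": {"name": "project-controller-primary",
                   "annotations": {AZURE_SA_ANNOTATION: "00000000-0000-0000-0000-000000000000"}}}
DEPLOY = {"spec": {"template": {"metadata": {"labels": {AZURE_POD_LABEL: "true"}}}}}
AZURE_RELEASE = {"chart": {"repoURL": "oci://myfakeregistry.azurecr.io", "auth": "Azure"}}
MISWIRED = {"chart": {"repoURL": "oci://myfakeregistry.azurecr.io", "auth": "AWS"}}
```

Running `check_release(AZURE_RELEASE, SA, DEPLOY)` returns an empty list, while the mis-wired release reports the auth/registry mismatch before the controller ever attempts a registry login.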