Migrate from fluxcd-community charts to Flux-Operator (#166)

Signed-off-by: Kingdon Barrett <kingdon+github@tuesdaystudios.com>
Kingdon Barrett
2024-06-17 09:58:13 -04:00
committed by GitHub
parent 838bee5d25
commit 54017b6e3e
56 changed files with 1180 additions and 12273 deletions

@@ -7,14 +7,13 @@ show:
helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS)
apply:
helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) | kubectl apply -n $(NAMESPACE) -f-
helm template -n $(NAMESPACE) $(NAME) . --no-hooks -f valuesFile.yaml \
--dry-run=server $(API_VERSIONS_FLAGS) | kubectl apply -n $(NAMESPACE) -f-
diff:
helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) | kubectl diff -n $(NAMESPACE) -f-
helm template -n $(NAMESPACE) $(NAME) . --no-hooks -f valuesFile.yaml \
--dry-run=server $(API_VERSIONS_FLAGS) | kubectl diff -n $(NAMESPACE) -f-
update:
rm -rf charts
helm repo add fluxcd-community https://fluxcd-community.github.io/helm-charts
helm repo update fluxcd-community
helm pull fluxcd-community/flux2 --untar --untardir charts
sed -i 's/\.{{ \.Values\.clusterDomain | default "cluster\.local" }}\.//g' `grep -rl '.{{ .Values.clusterDomain | default "cluster.local" }}.' charts`
helm pull oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --untar --untardir charts
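Review bot: The new `helm pull oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --untar --untardir charts` line in the `update` recipe pins no chart version, so every `make update` re-vendors whatever tag the registry currently serves (the removed `fluxcd-community/flux2` pull had the same gap). That matters more than usual here because the vendored chart's clusterrolebinding template binds the operator's ServiceAccount to `cluster-admin`, so an unreviewed upstream change can silently alter what runs with full cluster privileges. Pin to the release actually committed and check the artifact before untarring, e.g. `helm pull oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --version 0.4.0 --untar --untardir charts`, preceded by a `cosign verify` of the chart OCI reference if upstream signs it (confirm the expected identity/issuer rather than assuming). Separately, `show` still renders without `-f valuesFile.yaml` while `apply` and `diff` now include it, so `make show` no longer previews what `make apply` sends to the cluster.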

@@ -21,5 +21,4 @@
.idea/
*.tmproj
.vscode/
tests/
helmdocs.gotmpl

@@ -0,0 +1,30 @@
annotations:
artifacthub.io/license: AGPL-3.0
artifacthub.io/links: |
- name: Documentation
url: https://fluxcd.control-plane.io/operator
- name: Chart Source
url: https://github.com/controlplaneio-fluxcd/charts
- name: Upstream Project
url: https://github.com/controlplaneio-fluxcd/flux-operator
apiVersion: v2
appVersion: v0.4.0
description: 'A Helm chart for deploying the Flux Operator. '
home: https://github.com/controlplaneio-fluxcd
icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/flux/icon/color/flux-icon-color.png
keywords:
- flux
- fluxcd
- gitops
kubeVersion: '>=1.22.0-0'
maintainers:
- email: stefan.prodan@control-plane.io
name: Stefan Prodan
- name: Soule Ba
url: soule.ba@control-plane.io
name: flux-operator
sources:
- https://github.com/controlplaneio-fluxcd/flux-operator
- https://github.com/controlplaneio-fluxcd/charts
type: application
version: 0.4.0

@@ -0,0 +1,56 @@
# flux-operator
![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.4.0](https://img.shields.io/badge/AppVersion-v0.4.0-informational?style=flat-square)
The [Flux Operator](https://github.com/controlplaneio-fluxcd) provides a declarative API
for the installation and upgrade of CNCF [Flux](https://fluxcd.io) and the
ControlPlane [enterprise distribution](https://control-plane.io/enterprise-for-flux-cd/).
The operator automates the patching for hotfixes and CVEs affecting the Flux controllers container images
and enables the configuration of multi-tenancy lockdown on Kubernetes and OpenShift clusters.
## Prerequisites
- Kubernetes 1.22+
- Helm 3.8+
## Installing the Chart
To install the operator in the `flux-system` namespace:
```console
helm install flux-operator oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator \
--namespace flux-system \
--create-namespace \
--wait
```
To deploy the Flux controllers and to configure automated updates,
see the Flux Operator [documentation](https://fluxcd.control-plane.io/operator/).
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]}}}` | Pod affinity and anti-affinity settings. |
| commonAnnotations | object | `{}` | Common annotations to add to all deployed objects including pods. |
| commonLabels | object | `{}` | Common labels to add to all deployed objects including pods. |
| fullnameOverride | string | `""` | |
| hostNetwork | bool | `false` | If `true`, start flux-operator in hostNetwork mode. |
| image | object | `{"pullSecrets":[],"repository":"ghcr.io/controlplaneio-fluxcd/flux-operator","tag":""}` | Container image settings. The image tag defaults to the chart appVersion. |
| installCRDs | bool | `true` | Install and upgrade the custom resource definitions. |
| livenessProbe | object | `{"httpGet":{"path":"/healthz","port":8081},"initialDelaySeconds":15,"periodSeconds":20}` | Container liveness probe settings. |
| marketplace | object | `{"account":"","license":""}` | Marketplace settings. |
| nameOverride | string | `""` | |
| podSecurityContext | object | `{}` | Pod security context settings. |
| priorityClassName | string | `""` | Pod priority class name. Recommended value is system-cluster-critical. |
| readinessProbe | object | `{"httpGet":{"path":"/readyz","port":8081},"initialDelaySeconds":5,"periodSeconds":10}` | Container readiness probe settings. |
| resources | object | `{"limits":{"cpu":"1000m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"64Mi"}}` | Container resources requests and limits settings. |
| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Container security context settings. The default is compliant with the pod security restricted profile. |
| serviceAccount | object | `{"automount":true,"name":""}` | Pod service account settings. The name of the service account defaults to the release name. |
| tolerations | list | `[]` | Pod tolerations settings. |
## Source Code
* <https://github.com/controlplaneio-fluxcd/flux-operator>
* <https://github.com/controlplaneio-fluxcd/charts>

@@ -0,0 +1 @@
Documentation at https://fluxcd.control-plane.io/operator/

@@ -0,0 +1,58 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "flux-operator.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "flux-operator.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "flux-operator.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "flux-operator.labels" -}}
helm.sh/chart: {{ include "flux-operator.chart" . }}
{{ include "flux-operator.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "flux-operator.selectorLabels" -}}
app.kubernetes.io/name: {{ include "flux-operator.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "flux-operator.serviceAccountName" -}}
{{- default (include "flux-operator.fullname" .) .Values.serviceAccount.name }}
{{- end }}

@@ -0,0 +1,21 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "flux-operator.fullname" . }}
labels:
{{- include "flux-operator.labels" . | nindent 4 }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: {{ include "flux-operator.fullname" . }}
namespace: {{ .Release.Namespace }}

@@ -0,0 +1,420 @@
{{- if and .Values.installCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
helm.sh/resource-policy: keep
labels:
app.kubernetes.io/instance: '{{ .Release.Name }}'
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
app.kubernetes.io/name: '{{ .Chart.Name }}'
app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
name: fluxinstances.fluxcd.controlplane.io
spec:
group: fluxcd.controlplane.io
names:
kind: FluxInstance
listKind: FluxInstanceList
plural: fluxinstances
singular: fluxinstance
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].message
name: Status
type: string
- jsonPath: .status.lastAttemptedRevision
name: Revision
type: string
name: v1
schema:
openAPIV3Schema:
description: FluxInstance is the Schema for the fluxinstances API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: FluxInstanceSpec defines the desired state of FluxInstance
properties:
cluster:
description: Cluster holds the specification of the Kubernetes cluster.
properties:
domain:
default: cluster.local
description: |-
Domain is the cluster domain used for generating the FQDN of services.
Defaults to 'cluster.local'.
type: string
multitenant:
description: Multitenant enables the multitenancy lockdown.
type: boolean
networkPolicy:
default: true
description: |-
NetworkPolicy restricts network access to the current namespace.
Defaults to true.
type: boolean
type:
default: kubernetes
description: |-
Type specifies the distro of the Kubernetes cluster.
Defaults to 'kubernetes'.
enum:
- kubernetes
- openshift
- aws
- azure
- gcp
type: string
required:
- domain
- networkPolicy
type: object
components:
description: |-
Components is the list of controllers to install.
Defaults to all controllers.
items:
description: Component is the name of a controller to install.
enum:
- source-controller
- kustomize-controller
- helm-controller
- notification-controller
- image-reflector-controller
- image-automation-controller
type: string
type: array
distribution:
description: Distribution specifies the version and container registry
to pull images from.
properties:
imagePullSecret:
description: |-
ImagePullSecret is the name of the Kubernetes secret
to use for pulling images.
type: string
registry:
description: |-
Registry address to pull the distribution images from
e.g. 'ghcr.io/fluxcd'.
type: string
version:
description: Version semver expression e.g. '2.x', '2.3.x'.
type: string
required:
- registry
- version
type: object
kustomize:
description: |-
Kustomize holds a set of patches that can be applied to the
Flux installation, to customize the way Flux operates.
properties:
patches:
description: |-
Strategic merge and JSON patches, defined as inline YAML objects,
capable of targeting objects based on kind, label and annotation selectors.
items:
description: |-
Patch contains an inline StrategicMerge or JSON6902 patch, and the target the patch should
be applied to.
properties:
patch:
description: |-
Patch contains an inline StrategicMerge patch or an inline JSON6902 patch with
an array of operation objects.
type: string
target:
description: Target points to the resources that the patch
document should be applied to.
properties:
annotationSelector:
description: |-
AnnotationSelector is a string that follows the label selection expression
https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
It matches with the resource annotations.
type: string
group:
description: |-
Group is the API group to select resources from.
Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources.
https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
type: string
kind:
description: |-
Kind of the API Group to select resources from.
Together with Group and Version it is capable of unambiguously
identifying and/or selecting resources.
https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
type: string
labelSelector:
description: |-
LabelSelector is a string that follows the label selection expression
https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
It matches with the resource labels.
type: string
name:
description: Name to match resources with.
type: string
namespace:
description: Namespace to select resources from.
type: string
version:
description: |-
Version of the API Group to select resources from.
Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources.
https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
type: string
type: object
required:
- patch
type: object
type: array
type: object
storage:
description: |-
Storage holds the specification of the source-controller
persistent volume claim.
properties:
class:
description: Class is the storage class to use for the PVC.
type: string
size:
description: Size is the size of the PVC.
type: string
required:
- class
- size
type: object
sync:
description: |-
Sync specifies the source for the cluster sync operation.
When set, a Flux source (GitRepository, OCIRepository or Bucket)
and Flux Kustomization are created to sync the cluster state
with the source repository.
properties:
interval:
default: 1m
description: Interval is the time between syncs.
pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
type: string
kind:
description: Kind is the kind of the source.
enum:
- OCIRepository
- GitRepository
- Bucket
type: string
path:
description: |-
Path is the path to the source directory containing
the kustomize overlay or plain Kubernetes manifests.
type: string
pullSecret:
description: |-
PullSecret specifies the Kubernetes Secret containing the
authentication credentials for the source.
For Git over HTTP/S sources, the secret must contain username and password fields.
For Git over SSH sources, the secret must contain known_hosts and identity fields.
For OCI sources, the secret must be of type kubernetes.io/dockerconfigjson.
For Bucket sources, the secret must contain accesskey and secretkey fields.
type: string
ref:
description: |-
Ref is the source reference, can be a Git ref name e.g. 'refs/heads/main',
an OCI tag e.g. 'latest' or a bucket name e.g. 'flux'.
type: string
url:
description: |-
URL is the source URL, can be a Git repository HTTP/S or SSH address,
an OCI repository address or a Bucket endpoint.
type: string
required:
- kind
- path
- ref
- url
type: object
wait:
default: true
description: |-
Wait instructs the controller to check the health of all the reconciled
resources. Defaults to true.
type: boolean
required:
- distribution
- wait
type: object
status:
description: FluxInstanceStatus defines the observed state of FluxInstance
properties:
components:
description: Components contains the container images used by the
components.
items:
description: ComponentImage represents a container image used by
a component.
properties:
digest:
description: Digest of the container image.
type: string
name:
description: Name of the component.
type: string
repository:
description: Repository address of the container image.
type: string
tag:
description: Tag of the container image.
type: string
required:
- name
- repository
- tag
type: object
type: array
conditions:
description: Conditions contains the readiness conditions of the object.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
inventory:
description: |-
Inventory contains a list of Kubernetes resource object references
last applied on the cluster.
properties:
entries:
description: Entries of Kubernetes resource object references.
items:
description: ResourceRef contains the information necessary
to locate a resource within a cluster.
properties:
id:
description: |-
ID is the string representation of the Kubernetes resource object's metadata,
in the format '<namespace>_<name>_<group>_<kind>'.
type: string
v:
description: Version is the API version of the Kubernetes
resource object's kind.
type: string
required:
- id
- v
type: object
type: array
required:
- entries
type: object
lastAppliedRevision:
description: |-
LastAppliedRevision is the version and digest of the
distribution config that was last reconcile.
type: string
lastAttemptedRevision:
description: |-
LastAttemptedRevision is the version and digest of the
distribution config that was last attempted to reconcile.
type: string
lastHandledReconcileAt:
description: |-
LastHandledReconcileAt holds the value of the most recent
reconcile request value, so a change of the annotation value
can be detected.
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}

@@ -0,0 +1,94 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "flux-operator.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "flux-operator.labels" . | nindent 4 }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "flux-operator.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "flux-operator.labels" . | nindent 8 }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- with .Values.image.pullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "flux-operator.fullname" . }}
{{- with .Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.hostNetwork }}
hostNetwork: true
{{- end }}
containers:
- name: manager
env:
- name: RUNTIME_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with .Values.marketplace.account }}
- name: MARKETPLACE_ACCOUNT
value: {{ . }}
{{- end }}
{{- with .Values.marketplace.license }}
- name: MARKETPLACE_LICENSE
value: {{ . }}
{{- end }}
{{- if .Values.extraEnvs }}
{{- toYaml .Values.extraEnvs | nindent 12 }}
{{- end }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: IfNotPresent
ports:
- name: http-metrics
containerPort: 8080
protocol: TCP
- name: http
containerPort: 8081
protocol: TCP
livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 12 }}
readinessProbe:
{{- toYaml .Values.readinessProbe | nindent 12 }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
- name: temp
mountPath: /tmp
volumes:
- name: temp
emptyDir: {}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

@@ -0,0 +1,22 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "flux-operator.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "flux-operator.labels" . | nindent 4 }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ports:
- port: 8080
targetPort: http-metrics
protocol: TCP
name: http
selector:
{{- include "flux-operator.selectorLabels" . | nindent 4 }}

@@ -0,0 +1,15 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "flux-operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "flux-operator.labels" . | nindent 4 }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automount }}

@@ -0,0 +1,303 @@
{
"$schema": "https://json-schema.org/draft/2019-09/schema",
"properties": {
"affinity": {
"default": {
"nodeAffinity": {
"requiredDuringSchedulingIgnoredDuringExecution": {
"nodeSelectorTerms": [
{
"matchExpressions": [
{
"key": "kubernetes.io/os",
"operator": "In",
"values": [
"linux"
]
}
]
}
]
}
}
},
"properties": {
"nodeAffinity": {
"properties": {
"requiredDuringSchedulingIgnoredDuringExecution": {
"properties": {
"nodeSelectorTerms": {
"items": {
"properties": {
"matchExpressions": {
"items": {
"properties": {
"key": {
"type": "string"
},
"operator": {
"type": "string"
},
"values": {
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object"
},
"type": "array"
}
},
"type": "object"
},
"type": "array"
}
},
"type": "object"
}
},
"type": "object"
}
},
"type": "object"
},
"commonAnnotations": {
"properties": {},
"type": "object"
},
"commonLabels": {
"properties": {},
"type": "object"
},
"extraEnvs": {
"items": {
"type": "object"
},
"type": "array",
"uniqueItems": true
},
"fullnameOverride": {
"type": "string"
},
"hostNetwork": {
"default": false,
"type": "boolean"
},
"image": {
"properties": {
"pullSecrets": {
"items": {
"type": "object"
},
"type": "array",
"uniqueItems": true
},
"repository": {
"type": "string"
},
"tag": {
"type": "string"
}
},
"required": [
"repository"
],
"type": "object"
},
"installCRDs": {
"default": true,
"type": "boolean"
},
"livenessProbe": {
"default": {
"httpGet": {
"path": "/healthz",
"port": 8081
},
"initialDelaySeconds": 15,
"periodSeconds": 20
},
"properties": {
"httpGet": {
"properties": {
"path": {
"type": "string"
},
"port": {
"type": "integer"
}
},
"type": "object"
},
"initialDelaySeconds": {
"type": "integer"
},
"periodSeconds": {
"type": "integer"
}
},
"type": "object"
},
"marketplace": {
"properties": {
"account": {
"type": "string"
},
"license": {
"type": "string"
}
},
"type": "object"
},
"nameOverride": {
"type": "string"
},
"podSecurityContext": {
"default": {
"fsGroup": 1337
},
"properties": {},
"type": "object"
},
"priorityClassName": {
"default": "system-cluster-critical",
"type": "string"
},
"readinessProbe": {
"default": {
"httpGet": {
"path": "/readyz",
"port": 8081
},
"initialDelaySeconds": 5,
"periodSeconds": 10
},
"properties": {
"httpGet": {
"properties": {
"path": {
"type": "string"
},
"port": {
"type": "integer"
}
},
"type": "object"
},
"initialDelaySeconds": {
"type": "integer"
},
"periodSeconds": {
"type": "integer"
}
},
"type": "object"
},
"resources": {
"properties": {
"limits": {
"properties": {
"cpu": {
"type": "string"
},
"memory": {
"type": "string"
}
},
"type": "object"
},
"requests": {
"default": {
"cpu": "100m",
"memory": "64Mi"
},
"properties": {
"cpu": {
"type": "string"
},
"memory": {
"type": "string"
}
},
"type": "object"
}
},
"type": "object"
},
"securityContext": {
"properties": {
"allowPrivilegeEscalation": {
"default": false,
"type": "boolean"
},
"capabilities": {
"default": {
"drop": [
"ALL"
]
},
"properties": {
"drop": {
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": true
}
},
"type": "object"
},
"readOnlyRootFilesystem": {
"default": true,
"type": "boolean"
},
"runAsNonRoot": {
"default": true,
"type": "boolean"
},
"seccompProfile": {
"default": {
"type": "RuntimeDefault"
},
"properties": {
"type": {
"type": "string"
}
},
"type": "object"
}
},
"type": "object"
},
"serviceAccount": {
"default": {
"automount": true,
"create": true,
"name": ""
},
"properties": {
"automount": {
"type": "boolean"
},
"name": {
"type": "string"
}
},
"type": "object"
},
"tolerations": {
"items": {
"type": "object"
},
"type": "array",
"uniqueItems": true
}
},
"required": [
"resources",
"securityContext"
],
"type": "object"
}

@@ -0,0 +1,95 @@
# Default values for flux-operator.
nameOverride: ""
fullnameOverride: ""
# -- Install and upgrade the custom resource definitions.
installCRDs: true # @schema default: true
# -- Common annotations to add to all deployed objects including pods.
commonAnnotations: { }
# -- Common labels to add to all deployed objects including pods.
commonLabels: { }
# -- Container image settings.
# The image tag defaults to the chart appVersion.
image:
repository: ghcr.io/controlplaneio-fluxcd/flux-operator # @schema required: true
tag: ""
pullSecrets: [ ] # @schema item: object ; uniqueItems: true
# -- Pod priority class name.
# Recommended value is system-cluster-critical.
priorityClassName: "" # @schema default: "system-cluster-critical"
# -- Container resources requests and limits settings.
resources: # @schema required: true
limits:
cpu: 1000m
memory: 1Gi
requests: # @schema default: {"cpu":"100m","memory":"64Mi"}
cpu: 100m
memory: 64Mi
# -- Container liveness probe settings.
livenessProbe: # @schema default: {"httpGet":{"path":"/healthz","port":8081},"initialDelaySeconds":15,"periodSeconds":20}
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
# -- Container readiness probe settings.
readinessProbe: # @schema default: {"httpGet":{"path":"/readyz","port":8081},"initialDelaySeconds":5,"periodSeconds":10}
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
# -- Pod service account settings.
# The name of the service account defaults to the release name.
serviceAccount: # @schema default: {"create":true,"automount":true,"name":""}
automount: true
name: ""
# -- Pod security context settings.
podSecurityContext: { } # @schema default: {"fsGroup":1337}
# -- Container security context settings.
# The default is compliant with the pod security restricted profile.
securityContext: # @schema required: true
runAsNonRoot: true # @schema default: true
readOnlyRootFilesystem: true # @schema default: true
allowPrivilegeEscalation: false # @schema default: false
capabilities: # @schema default: {"drop":["ALL"]}
drop: # @schema item: string ; uniqueItems: true
- "ALL"
seccompProfile: # @schema default: {"type":"RuntimeDefault"}
type: "RuntimeDefault"
# -- Pod affinity and anti-affinity settings.
affinity: # @schema default: {"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]}}}
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/os
operator: In
values:
- linux
# -- Pod tolerations settings.
tolerations: [ ] # @schema item: object ; uniqueItems: true
# -- Marketplace settings.
marketplace:
license: ""
account: ""
# -- If `true`, start flux-operator in hostNetwork mode.
hostNetwork: false
# -- Add environment variables eg. for kubeprism KUBERNETES_SERVICE_HOST and _PORT
extraEnvs: [ ]

@@ -1,11 +0,0 @@
annotations:
artifacthub.io/changes: |
- "[Chore]: Update App Version to upstream 2.2.3"
apiVersion: v2
appVersion: 2.2.3
description: A Helm chart for flux2
name: flux2
sources:
- https://github.com/fluxcd-community/helm-charts
type: application
version: 2.12.4

@@ -1,174 +0,0 @@
# flux2
![Version: 2.12.4](https://img.shields.io/badge/Version-2.12.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.2.3](https://img.shields.io/badge/AppVersion-2.2.3-informational?style=flat-square)
A Helm chart for flux2
This helm chart is maintained and released by the fluxcd-community on a best effort basis.
## Source Code
* <https://github.com/fluxcd-community/helm-charts>
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| cli.affinity | object | `{}` | |
| cli.annotations | object | `{}` | |
| cli.image | string | `"ghcr.io/fluxcd/flux-cli"` | |
| cli.nodeSelector | object | `{}` | |
| cli.serviceAccount.automount | bool | `true` | |
| cli.tag | string | `"v2.2.3"` | |
| cli.tolerations | list | `[]` | |
| clusterDomain | string | `"cluster.local"` | |
| crds.annotations | object | `{}` | Add annotations to all CRD resources, e.g. "helm.sh/resource-policy": keep |
| extraObjects | list | `[]` | Array of extra K8s manifests to deploy |
| helmController.affinity | object | `{}` | |
| helmController.annotations."prometheus.io/port" | string | `"8080"` | |
| helmController.annotations."prometheus.io/scrape" | string | `"true"` | |
| helmController.container.additionalArgs | list | `[]` | |
| helmController.create | bool | `true` | |
| helmController.extraEnv | list | `[]` | |
| helmController.image | string | `"ghcr.io/fluxcd/helm-controller"` | |
| helmController.imagePullPolicy | string | `""` | |
| helmController.labels | object | `{}` | |
| helmController.nodeSelector | object | `{}` | |
| helmController.priorityClassName | string | `""` | |
| helmController.resources.limits | object | `{}` | |
| helmController.resources.requests.cpu | string | `"100m"` | |
| helmController.resources.requests.memory | string | `"64Mi"` | |
| helmController.serviceAccount.annotations | object | `{}` | |
| helmController.serviceAccount.automount | bool | `true` | |
| helmController.serviceAccount.create | bool | `true` | |
| helmController.tag | string | `"v0.37.4"` | |
| helmController.tolerations | list | `[]` | |
| imageAutomationController.affinity | object | `{}` | |
| imageAutomationController.annotations."prometheus.io/port" | string | `"8080"` | |
| imageAutomationController.annotations."prometheus.io/scrape" | string | `"true"` | |
| imageAutomationController.container.additionalArgs | list | `[]` | |
| imageAutomationController.create | bool | `true` | |
| imageAutomationController.extraEnv | list | `[]` | |
| imageAutomationController.image | string | `"ghcr.io/fluxcd/image-automation-controller"` | |
| imageAutomationController.imagePullPolicy | string | `""` | |
| imageAutomationController.labels | object | `{}` | |
| imageAutomationController.nodeSelector | object | `{}` | |
| imageAutomationController.priorityClassName | string | `""` | |
| imageAutomationController.resources.limits | object | `{}` | |
| imageAutomationController.resources.requests.cpu | string | `"100m"` | |
| imageAutomationController.resources.requests.memory | string | `"64Mi"` | |
| imageAutomationController.serviceAccount.annotations | object | `{}` | |
| imageAutomationController.serviceAccount.automount | bool | `true` | |
| imageAutomationController.serviceAccount.create | bool | `true` | |
| imageAutomationController.tag | string | `"v0.37.1"` | |
| imageAutomationController.tolerations | list | `[]` | |
| imagePullSecrets | list | `[]` | contents of pod imagePullSecret in form 'name=[secretName]'; applied to all controllers |
| imageReflectionController.affinity | object | `{}` | |
| imageReflectionController.annotations."prometheus.io/port" | string | `"8080"` | |
| imageReflectionController.annotations."prometheus.io/scrape" | string | `"true"` | |
| imageReflectionController.container.additionalArgs | list | `[]` | |
| imageReflectionController.create | bool | `true` | |
| imageReflectionController.extraEnv | list | `[]` | |
| imageReflectionController.image | string | `"ghcr.io/fluxcd/image-reflector-controller"` | |
| imageReflectionController.imagePullPolicy | string | `""` | |
| imageReflectionController.labels | object | `{}` | |
| imageReflectionController.nodeSelector | object | `{}` | |
| imageReflectionController.priorityClassName | string | `""` | |
| imageReflectionController.resources.limits | object | `{}` | |
| imageReflectionController.resources.requests.cpu | string | `"100m"` | |
| imageReflectionController.resources.requests.memory | string | `"64Mi"` | |
| imageReflectionController.serviceAccount.annotations | object | `{}` | |
| imageReflectionController.serviceAccount.automount | bool | `true` | |
| imageReflectionController.serviceAccount.create | bool | `true` | |
| imageReflectionController.tag | string | `"v0.31.2"` | |
| imageReflectionController.tolerations | list | `[]` | |
| installCRDs | bool | `true` | |
| kustomizeController.affinity | object | `{}` | |
| kustomizeController.annotations."prometheus.io/port" | string | `"8080"` | |
| kustomizeController.annotations."prometheus.io/scrape" | string | `"true"` | |
| kustomizeController.container.additionalArgs | list | `[]` | |
| kustomizeController.create | bool | `true` | |
| kustomizeController.envFrom | object | `{"map":{"name":""},"secret":{"name":""}}` | Defines envFrom using a configmap and/or secret. |
| kustomizeController.extraEnv | list | `[]` | |
| kustomizeController.extraSecretMounts | list | `[]` | Defines additional mounts with secrets. Secrets must be manually created in the namespace or with kustomizeController.secret |
| kustomizeController.image | string | `"ghcr.io/fluxcd/kustomize-controller"` | |
| kustomizeController.imagePullPolicy | string | `""` | |
| kustomizeController.labels | object | `{}` | |
| kustomizeController.nodeSelector | object | `{}` | |
| kustomizeController.priorityClassName | string | `""` | |
| kustomizeController.resources.limits | object | `{}` | |
| kustomizeController.resources.requests.cpu | string | `"100m"` | |
| kustomizeController.resources.requests.memory | string | `"64Mi"` | |
| kustomizeController.secret.create | bool | `false` | Create a secret to use it with extraSecretMounts. Defaults to false. |
| kustomizeController.secret.data | object | `{}` | |
| kustomizeController.secret.name | string | `""` | |
| kustomizeController.serviceAccount.annotations | object | `{}` | |
| kustomizeController.serviceAccount.automount | bool | `true` | |
| kustomizeController.serviceAccount.create | bool | `true` | |
| kustomizeController.tag | string | `"v1.2.2"` | |
| kustomizeController.tolerations | list | `[]` | |
| logLevel | string | `"info"` | |
| multitenancy.defaultServiceAccount | string | `"default"` | All Kustomizations and HelmReleases which dont have spec.serviceAccountName specified, will use the default account from the tenants namespace. Tenants have to specify a service account in their Flux resources to be able to deploy workloads in their namespaces as the default account has no permissions. |
| multitenancy.enabled | bool | `false` | Implement the patches for Multi-tenancy lockdown. See https://fluxcd.io/docs/installation/#multi-tenancy-lockdown |
| multitenancy.privileged | bool | `true` | Both kustomize-controller and helm-controller service accounts run privileged with cluster-admin ClusterRoleBinding. Disable if you want to run them with a minimum set of permissions. |
| notificationController.affinity | object | `{}` | |
| notificationController.annotations."prometheus.io/port" | string | `"8080"` | |
| notificationController.annotations."prometheus.io/scrape" | string | `"true"` | |
| notificationController.container.additionalArgs | list | `[]` | |
| notificationController.create | bool | `true` | |
| notificationController.extraEnv | list | `[]` | |
| notificationController.image | string | `"ghcr.io/fluxcd/notification-controller"` | |
| notificationController.imagePullPolicy | string | `""` | |
| notificationController.labels | object | `{}` | |
| notificationController.nodeSelector | object | `{}` | |
| notificationController.priorityClassName | string | `""` | |
| notificationController.resources.limits | object | `{}` | |
| notificationController.resources.requests.cpu | string | `"100m"` | |
| notificationController.resources.requests.memory | string | `"64Mi"` | |
| notificationController.service.annotations | object | `{}` | |
| notificationController.service.labels | object | `{}` | |
| notificationController.serviceAccount.annotations | object | `{}` | |
| notificationController.serviceAccount.automount | bool | `true` | |
| notificationController.serviceAccount.create | bool | `true` | |
| notificationController.tag | string | `"v1.2.4"` | |
| notificationController.tolerations | list | `[]` | |
| notificationController.webhookReceiver.ingress.annotations | object | `{}` | |
| notificationController.webhookReceiver.ingress.create | bool | `false` | |
| notificationController.webhookReceiver.ingress.hosts[0].host | string | `"flux-webhook.example.com"` | |
| notificationController.webhookReceiver.ingress.hosts[0].paths[0].path | string | `"/"` | |
| notificationController.webhookReceiver.ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | |
| notificationController.webhookReceiver.ingress.labels | object | `{}` | |
| notificationController.webhookReceiver.ingress.tls | list | `[]` | |
| notificationController.webhookReceiver.service.annotations | object | `{}` | |
| notificationController.webhookReceiver.service.labels | object | `{}` | |
| policies.create | bool | `true` | |
| prometheus.podMonitor.create | bool | `false` | Enables podMonitor endpoint |
| prometheus.podMonitor.podMetricsEndpoints[0].port | string | `"http-prom"` | |
| prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].action | string | `"keep"` | |
| prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].regex | string | `"Running"` | |
| prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].sourceLabels[0] | string | `"__meta_kubernetes_pod_phase"` | |
| rbac.annotations | object | `{}` | Add annotations to all RBAC resources, e.g. "helm.sh/resource-policy": keep |
| rbac.create | bool | `true` | |
| rbac.createAggregation | bool | `true` | Grant the Kubernetes view, edit and admin roles access to Flux custom resources |
| sourceController.affinity | object | `{}` | |
| sourceController.annotations."prometheus.io/port" | string | `"8080"` | |
| sourceController.annotations."prometheus.io/scrape" | string | `"true"` | |
| sourceController.container.additionalArgs | list | `[]` | |
| sourceController.create | bool | `true` | |
| sourceController.extraEnv | list | `[]` | |
| sourceController.image | string | `"ghcr.io/fluxcd/source-controller"` | |
| sourceController.imagePullPolicy | string | `""` | |
| sourceController.labels | object | `{}` | |
| sourceController.nodeSelector | object | `{}` | |
| sourceController.priorityClassName | string | `""` | |
| sourceController.resources.limits | object | `{}` | |
| sourceController.resources.requests.cpu | string | `"100m"` | |
| sourceController.resources.requests.memory | string | `"64Mi"` | |
| sourceController.service.annotations | object | `{}` | |
| sourceController.service.labels | object | `{}` | |
| sourceController.serviceAccount.annotations | object | `{}` | |
| sourceController.serviceAccount.automount | bool | `true` | |
| sourceController.serviceAccount.create | bool | `true` | |
| sourceController.tag | string | `"v1.2.4"` | |
| sourceController.tolerations | list | `[]` | |
| watchAllNamespaces | bool | `true` | |


@@ -1,7 +0,0 @@
{{- define "template.image" -}}
{{- if eq (substr 0 7 .tag) "sha256:" -}}
{{- printf "%s@%s" .image .tag -}}
{{- else -}}
{{- printf "%s:%s" .image .tag -}}
{{- end -}}
{{- end -}}


@@ -1,47 +0,0 @@
{{- if .Values.rbac.createAggregation }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
{{- with .Values.rbac.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
name: flux-edit
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- notification.toolkit.fluxcd.io
- source.toolkit.fluxcd.io
- helm.toolkit.fluxcd.io
- image.toolkit.fluxcd.io
- kustomize.toolkit.fluxcd.io
resources: ["*"]
verbs:
- create
- delete
- deletecollection
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: flux-view
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
- notification.toolkit.fluxcd.io
- source.toolkit.fluxcd.io
- helm.toolkit.fluxcd.io
- image.toolkit.fluxcd.io
- kustomize.toolkit.fluxcd.io
resources: ["*"]
verbs:
- get
- list
- watch
{{- end }}


@@ -1,26 +0,0 @@
{{- if and .Values.rbac.create (or (not .Values.multitenancy.enabled) .Values.multitenancy.privileged) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
{{- with .Values.rbac.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: cluster-reconciler
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Values.rbac.roleRef.name }}
subjects:
- kind: ServiceAccount
name: kustomize-controller
namespace: {{ .Release.Namespace }}
- kind: ServiceAccount
name: helm-controller
namespace: {{ .Release.Namespace }}
{{- end }}


@@ -1,19 +0,0 @@
{{- if and .Values.rbac.create .Values.multitenancy.enabled (not .Values.multitenancy.privileged) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
{{- with .Values.rbac.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
name: cluster-reconciler-impersonator
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
rules:
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["impersonate"]
{{- end }}


@@ -1,26 +0,0 @@
{{- if and .Values.rbac.create .Values.multitenancy.enabled (not .Values.multitenancy.privileged) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
{{- with .Values.rbac.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: cluster-reconciler-impersonator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-reconciler-impersonator
subjects:
- kind: ServiceAccount
name: kustomize-controller
namespace: {{ .Release.Namespace }}
- kind: ServiceAccount
name: helm-controller
namespace: {{ .Release.Namespace }}
{{- end }}


@@ -1,82 +0,0 @@
{{- if and .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
{{- with .Values.rbac.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
name: crd-controller
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
rules:
- apiGroups: ['source.toolkit.fluxcd.io']
resources: ['*']
verbs: ['*']
- apiGroups: ['kustomize.toolkit.fluxcd.io']
resources: ['*']
verbs: ['*']
- apiGroups: ['helm.toolkit.fluxcd.io']
resources: ['*']
verbs: ['*']
- apiGroups: ['notification.toolkit.fluxcd.io']
resources: ['*']
verbs: ['*']
- apiGroups: ['image.toolkit.fluxcd.io']
resources: ['*']
verbs: ['*']
- apiGroups:
- ""
resources:
- namespaces
- secrets
- configmaps
- serviceaccounts
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
# required by leader election
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- configmaps/status
verbs:
- get
- update
- patch
- apiGroups:
- "coordination.k8s.io"
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
{{- end }}


@@ -1,38 +0,0 @@
{{- if and .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
{{- with .Values.rbac.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
name: crd-controller
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: crd-controller
subjects:
- kind: ServiceAccount
name: kustomize-controller
namespace: {{ .Release.Namespace }}
- kind: ServiceAccount
name: helm-controller
namespace: {{ .Release.Namespace }}
- kind: ServiceAccount
name: source-controller
namespace: {{ .Release.Namespace }}
- kind: ServiceAccount
name: notification-controller
namespace: {{ .Release.Namespace }}
- kind: ServiceAccount
name: image-reflector-controller
namespace: {{ .Release.Namespace }}
- kind: ServiceAccount
name: image-automation-controller
namespace: {{ .Release.Namespace }}
{{- end }}


@@ -1,4 +0,0 @@
{{ range .Values.extraObjects }}
---
{{ tpl (toYaml .) $ }}
{{ end }}


@@ -1,18 +0,0 @@
{{- if and .Values.helmController.create}}
{{- if .Values.helmController.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: helm-controller
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: helm-controller
{{- with .Values.helmController.serviceAccount.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
{{- end -}}
{{- end -}}


@@ -1,133 +0,0 @@
{{- if and .Values.helmController.create}}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: helm-controller
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
control-plane: controller
{{- with .Values.helmController.labels }}
{{- . | toYaml | nindent 4 }}
{{- end }}
name: helm-controller
spec:
{{- if kindIs "invalid" .Values.helmController.replicas }}
replicas: 1
{{- else }}
replicas: {{ .Values.helmController.replicas }}
{{- end}}
selector:
matchLabels:
app: helm-controller
template:
metadata:
{{- with .Values.helmController.annotations }}
annotations: {{ toYaml . | nindent 8 }}
{{- end }}
labels:
app: helm-controller
{{ with .Values.helmController.labels }}{{ toYaml . | indent 8 }}{{ end }}
spec:
automountServiceAccountToken: {{ .Values.helmController.serviceAccount.automount }}
{{- if .Values.helmController.initContainers}}
initContainers:
{{- toYaml .Values.helmController.initContainers | nindent 8}}
{{- end}}
containers:
- args:
{{- if .Values.multitenancy.enabled }}
- --no-cross-namespace-refs=true
- --default-service-account={{ .Values.multitenancy.defaultServiceAccount | default "default" }}
{{- end}}
{{- if .Values.notificationController.create }}
- --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc
{{- end}}
- --watch-all-namespaces={{ .Values.watchAllNamespaces }}
- --log-level={{ .Values.logLevel | default "info" }}
- --log-encoding=json
- --enable-leader-election
{{- range .Values.helmController.container.additionalArgs }}
- {{ . }}
{{- end}}
env:
- name: RUNTIME_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with .Values.helmController.extraEnv }}
{{- toYaml . | nindent 8 }}
{{- end }}
image: {{ template "template.image" .Values.helmController }}
{{- if .Values.helmController.imagePullPolicy }}
imagePullPolicy: {{ .Values.helmController.imagePullPolicy }}
{{- else }}
imagePullPolicy: IfNotPresent
{{- end }}
livenessProbe:
httpGet:
path: /healthz
port: healthz
name: manager
ports:
- containerPort: 8080
name: http-prom
- containerPort: 9440
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: healthz
{{- with .Values.helmController.resources }}
resources: {{ toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.helmController.securityContext }}
securityContext: {{ toYaml .Values.helmController.securityContext | nindent 10 }}
{{- else }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
{{- end}}
volumeMounts:
- mountPath: /tmp
name: temp
{{- if .Values.helmController.volumeMounts }}
{{- toYaml .Values.helmController.volumeMounts | nindent 8 }}
{{- end}}
{{- if .Values.helmController.priorityClassName }}
priorityClassName: {{ .Values.helmController.priorityClassName | quote }}
{{- end }}
{{- if .Values.helmController.podSecurityContext }}
securityContext: {{ toYaml .Values.helmController.podSecurityContext | nindent 8 }}
{{- end }}
serviceAccountName: helm-controller
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
{{- end }}
terminationGracePeriodSeconds: 600
volumes:
- emptyDir: {}
name: temp
{{- if .Values.helmController.volumes }}
{{- toYaml .Values.helmController.volumes | nindent 6 }}
{{- end}}
{{- with .Values.helmController.nodeSelector }}
nodeSelector: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.helmController.affinity }}
affinity: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.helmController.tolerations }}
tolerations: {{ toYaml . | nindent 8 }}
{{- end }}
{{- end }}


@@ -1,18 +0,0 @@
{{- if and .Values.imageAutomationController.create }}
{{- if .Values.imageAutomationController.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: image-automation-controller
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: image-automation-controller
{{- with .Values.imageAutomationController.serviceAccount.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
{{- end -}}
{{- end -}}


@@ -1,326 +0,0 @@
{{- if and .Values.installCRDs .Values.imageAutomationController.create }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.12.0
{{- with .Values.crds.annotations }}
{{- . | toYaml | nindent 4 }}
{{- end }}
labels:
app.kubernetes.io/component: image-automation-controller
app.kubernetes.io/instance: '{{ .Release.Namespace }}'
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
app.kubernetes.io/part-of: flux
app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
name: imageupdateautomations.image.toolkit.fluxcd.io
spec:
group: image.toolkit.fluxcd.io
names:
kind: ImageUpdateAutomation
listKind: ImageUpdateAutomationList
plural: imageupdateautomations
singular: imageupdateautomation
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.lastAutomationRunTime
name: Last run
type: string
name: v1beta1
schema:
openAPIV3Schema:
description: ImageUpdateAutomation is the Schema for the imageupdateautomations
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ImageUpdateAutomationSpec defines the desired state of ImageUpdateAutomation
properties:
git:
description: GitSpec contains all the git-specific definitions. This
is technically optional, but in practice mandatory until there are
other kinds of source allowed.
properties:
checkout:
description: Checkout gives the parameters for cloning the git
repository, ready to make changes. If not present, the `spec.ref`
field from the referenced `GitRepository` or its default will
be used.
properties:
ref:
description: Reference gives a branch, tag or commit to clone
from the Git repository.
properties:
branch:
description: Branch to check out, defaults to 'master'
if no other field is defined.
type: string
commit:
description: "Commit SHA to check out, takes precedence
over all reference fields. \n This can be combined with
Branch to shallow clone the branch, in which the commit
is expected to exist."
type: string
name:
description: "Name of the reference to check out; takes
precedence over Branch, Tag and SemVer. \n It must be
a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description
Examples: \"refs/heads/main\", \"refs/tags/v0.1.0\",
\"refs/pull/420/head\", \"refs/merge-requests/1/head\""
type: string
semver:
description: SemVer tag expression to check out, takes
precedence over Tag.
type: string
tag:
description: Tag to check out, takes precedence over Branch.
type: string
type: object
required:
- ref
type: object
commit:
description: Commit specifies how to commit to the git repository.
properties:
author:
description: Author gives the email and optionally the name
to use as the author of commits.
properties:
email:
description: Email gives the email to provide when making
a commit.
type: string
name:
description: Name gives the name to provide when making
a commit.
type: string
required:
- email
type: object
messageTemplate:
description: MessageTemplate provides a template for the commit
message, into which will be interpolated the details of
the change made.
type: string
signingKey:
description: SigningKey provides the option to sign commits
with a GPG key
properties:
secretRef:
description: SecretRef holds the name to a secret that
contains a 'git.asc' key corresponding to the ASCII
Armored file containing the GPG signing keypair as the
value. It must be in the same namespace as the ImageUpdateAutomation.
properties:
name:
description: Name of the referent.
type: string
required:
- name
type: object
type: object
required:
- author
type: object
push:
description: Push specifies how and where to push commits made
by the automation. If missing, commits are pushed (back) to
`.spec.checkout.branch` or its default.
properties:
branch:
description: Branch specifies that commits should be pushed
to the branch named. The branch is created using `.spec.checkout.branch`
as the starting point, if it doesn't already exist.
type: string
options:
additionalProperties:
type: string
description: 'Options specifies the push options that are
sent to the Git server when performing a push operation.
For details, see: https://git-scm.com/docs/git-push#Documentation/git-push.txt---push-optionltoptiongt'
type: object
refspec:
description: 'Refspec specifies the Git Refspec to use for
a push operation. If both Branch and Refspec are provided,
then the commit is pushed to the branch and also using the
specified refspec. For more details about Git Refspecs,
see: https://git-scm.com/book/en/v2/Git-Internals-The-Refspec'
type: string
type: object
required:
- commit
type: object
interval:
description: Interval gives an lower bound for how often the automation
run should be attempted.
pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
type: string
sourceRef:
description: SourceRef refers to the resource giving access details
to a git repository.
properties:
apiVersion:
description: API version of the referent.
type: string
kind:
default: GitRepository
description: Kind of the referent.
enum:
- GitRepository
type: string
name:
description: Name of the referent.
type: string
namespace:
description: Namespace of the referent, defaults to the namespace
of the Kubernetes resource object that contains the reference.
type: string
required:
- kind
- name
type: object
suspend:
description: Suspend tells the controller to not run this automation,
until it is unset (or set to false). Defaults to false.
type: boolean
update:
default:
strategy: Setters
description: Update gives the specification for how to update the
files in the repository. This can be left empty, to use the default
value.
properties:
path:
description: Path to the directory containing the manifests to
be updated. Defaults to 'None', which translates to the root
path of the GitRepositoryRef.
type: string
strategy:
default: Setters
description: Strategy names the strategy to be used.
enum:
- Setters
type: string
required:
- strategy
type: object
required:
- interval
- sourceRef
type: object
status:
default:
observedGeneration: -1
description: ImageUpdateAutomationStatus defines the observed state of
ImageUpdateAutomation
properties:
conditions:
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
lastAutomationRunTime:
description: LastAutomationRunTime records the last time the controller
ran this automation through to completion (even if no updates were
made).
format: date-time
type: string
lastHandledReconcileAt:
description: LastHandledReconcileAt holds the value of the most recent
reconcile request value, so a change of the annotation value can
be detected.
type: string
lastPushCommit:
description: LastPushCommit records the SHA1 of the last commit made
by the controller, for this automation object
type: string
lastPushTime:
description: LastPushTime records the time of the last pushed change.
format: date-time
type: string
observedGeneration:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}


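--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,135 +0,0 @@
-{{- if and .Values.imageAutomationController.create}}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-labels:
-app.kubernetes.io/component: image-automation-controller
-app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-app.kubernetes.io/part-of: flux
-helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-control-plane: controller
-{{- with .Values.imageAutomationController.labels }}
-{{- . | toYaml | nindent 4 }}
-{{- end }}
-name: image-automation-controller
-spec:
-{{- if kindIs "invalid" .Values.imageAutomationController.replicas }}
-replicas: 1
-{{- else }}
-replicas: {{ .Values.imageAutomationController.replicas }}
-{{- end}}
-selector:
-matchLabels:
-app: image-automation-controller
-template:
-metadata:
-{{- with .Values.imageAutomationController.annotations }}
-annotations: {{ toYaml . | nindent 8 }}
-{{- end }}
-labels:
-app: image-automation-controller
-{{ with .Values.imageAutomationController.labels }}{{ toYaml . | indent 8 }}{{ end }}
-spec:
-automountServiceAccountToken: {{ .Values.imageAutomationController.serviceAccount.automount }}
-{{- if .Values.imageAutomationController.initContainers}}
-initContainers:
-{{- toYaml .Values.imageAutomationController.initContainers | nindent 8}}
-{{- end}}
-containers:
-- args:
-{{- if .Values.multitenancy.enabled }}
-- --no-cross-namespace-refs=true
-{{- end}}
-{{- if .Values.notificationController.create }}
-- --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc
-{{- end}}
-- --watch-all-namespaces={{ .Values.watchAllNamespaces }}
-- --log-level={{ .Values.logLevel | default "info" }}
-- --log-encoding=json
-- --enable-leader-election
-{{- range .Values.imageAutomationController.container.additionalArgs }}
-- {{ . }}
-{{- end}}
-env:
-- name: RUNTIME_NAMESPACE
-valueFrom:
-fieldRef:
-fieldPath: metadata.namespace
-{{- with .Values.imageAutomationController.extraEnv }}
-{{- toYaml . | nindent 8 }}
-{{- end }}
-image: {{ template "template.image" .Values.imageAutomationController }}
-{{- if .Values.imageAutomationController.imagePullPolicy }}
-imagePullPolicy: {{ .Values.imageAutomationController.imagePullPolicy }}
-{{- else }}
-imagePullPolicy: IfNotPresent
-{{- end }}
-livenessProbe:
-httpGet:
-path: /healthz
-port: healthz
-name: manager
-ports:
-- containerPort: 8080
-name: http-prom
-- containerPort: 9440
-name: healthz
-protocol: TCP
-readinessProbe:
-httpGet:
-path: /readyz
-port: healthz
-{{- with .Values.imageAutomationController.resources }}
-resources: {{ toYaml . | nindent 10 }}
-{{- end }}
-{{- if .Values.imageAutomationController.securityContext }}
-securityContext: {{ toYaml .Values.imageAutomationController.securityContext | nindent 10 }}
-{{- else }}
-securityContext:
-allowPrivilegeEscalation: false
-capabilities:
-drop:
-- ALL
-readOnlyRootFilesystem: true
-runAsNonRoot: true
-seccompProfile:
-type: RuntimeDefault
-{{- end}}
-volumeMounts:
-- mountPath: /tmp
-name: temp
-{{- if .Values.imageAutomationController.volumeMounts }}
-{{- toYaml .Values.imageAutomationController.volumeMounts | nindent 8 }}
-{{- end}}
-{{- if .Values.imageAutomationController.priorityClassName }}
-priorityClassName: {{ .Values.imageAutomationController.priorityClassName | quote }}
-{{- end }}
-{{- if .Values.imageAutomationController.podSecurityContext }}
-securityContext: {{ toYaml .Values.imageAutomationController.podSecurityContext | nindent 8 }}
-{{- else }}
-securityContext:
-fsGroup: 1337
-{{- end}}
-serviceAccountName: image-automation-controller
-{{- if .Values.imagePullSecrets }}
-imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
-{{- end }}
-terminationGracePeriodSeconds: 10
-volumes:
-- emptyDir: {}
-name: temp
-{{- if .Values.imageAutomationController.volumes }}
-{{- toYaml .Values.imageAutomationController.volumes | nindent 6 }}
-{{- end}}
-{{- with .Values.imageAutomationController.nodeSelector }}
-nodeSelector: {{ toYaml . | nindent 8 }}
-{{- end }}
-{{- with .Values.imageAutomationController.affinity }}
-affinity: {{ toYaml . | nindent 8 }}
-{{- end }}
-{{- with .Values.imageAutomationController.tolerations }}
-tolerations: {{ toYaml . | nindent 8 }}
-{{- end }}
-{{- end }}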


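--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- if and .Values.imageReflectionController.create }}
-{{- if .Values.imageReflectionController.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-labels:
-app.kubernetes.io/component: image-reflector-controller
-app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-app.kubernetes.io/part-of: flux
-helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-name: image-reflector-controller
-{{- with .Values.imageReflectionController.serviceAccount.annotations }}
-annotations: {{ toYaml . | nindent 4 }}
-{{- end }}
-{{- end -}}
-{{- end -}}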


@@ -1,901 +0,0 @@
{{- if and .Values.installCRDs .Values.imageReflectionController.create }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.12.0
{{- with .Values.crds.annotations }}
{{- . | toYaml | nindent 4 }}
{{- end }}
labels:
app.kubernetes.io/component: image-reflector-controller
app.kubernetes.io/instance: '{{ .Release.Namespace }}'
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
app.kubernetes.io/part-of: flux
app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
name: imagepolicies.image.toolkit.fluxcd.io
spec:
group: image.toolkit.fluxcd.io
names:
kind: ImagePolicy
listKind: ImagePolicyList
plural: imagepolicies
singular: imagepolicy
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.latestImage
name: LatestImage
type: string
name: v1beta1
schema:
openAPIV3Schema:
description: ImagePolicy is the Schema for the imagepolicies API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ImagePolicySpec defines the parameters for calculating the
ImagePolicy
properties:
filterTags:
description: FilterTags enables filtering for only a subset of tags
based on a set of rules. If no rules are provided, all the tags
from the repository will be ordered and compared.
properties:
extract:
description: Extract allows a capture group to be extracted from
the specified regular expression pattern, useful before tag
evaluation.
type: string
pattern:
description: Pattern specifies a regular expression pattern used
to filter for image tags.
type: string
type: object
imageRepositoryRef:
description: ImageRepositoryRef points at the object specifying the
image being scanned
properties:
name:
description: Name of the referent.
type: string
namespace:
description: Namespace of the referent, when not specified it
acts as LocalObjectReference.
type: string
required:
- name
type: object
policy:
description: Policy gives the particulars of the policy to be followed
in selecting the most recent image
properties:
alphabetical:
description: Alphabetical set of rules to use for alphabetical
ordering of the tags.
properties:
order:
default: asc
description: Order specifies the sorting order of the tags.
Given the letters of the alphabet as tags, ascending order
would select Z, and descending order would select A.
enum:
- asc
- desc
type: string
type: object
numerical:
description: Numerical set of rules to use for numerical ordering
of the tags.
properties:
order:
default: asc
description: Order specifies the sorting order of the tags.
Given the integer values from 0 to 9 as tags, ascending
order would select 9, and descending order would select
0.
enum:
- asc
- desc
type: string
type: object
semver:
description: SemVer gives a semantic version range to check against
the tags available.
properties:
range:
description: Range gives a semver range for the image tag;
the highest version within the range that's a tag yields
the latest image.
type: string
required:
- range
type: object
type: object
required:
- imageRepositoryRef
- policy
type: object
status:
default:
observedGeneration: -1
description: ImagePolicyStatus defines the observed state of ImagePolicy
properties:
conditions:
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
latestImage:
description: LatestImage gives the first in the list of images scanned
by the image repository, when filtered and ordered according to
the policy.
type: string
observedGeneration:
format: int64
type: integer
type: object
type: object
served: true
storage: false
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .status.latestImage
name: LatestImage
type: string
name: v1beta2
schema:
openAPIV3Schema:
description: ImagePolicy is the Schema for the imagepolicies API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ImagePolicySpec defines the parameters for calculating the
ImagePolicy.
properties:
filterTags:
description: FilterTags enables filtering for only a subset of tags
based on a set of rules. If no rules are provided, all the tags
from the repository will be ordered and compared.
properties:
extract:
description: Extract allows a capture group to be extracted from
the specified regular expression pattern, useful before tag
evaluation.
type: string
pattern:
description: Pattern specifies a regular expression pattern used
to filter for image tags.
type: string
type: object
imageRepositoryRef:
description: ImageRepositoryRef points at the object specifying the
image being scanned
properties:
name:
description: Name of the referent.
type: string
namespace:
description: Namespace of the referent, when not specified it
acts as LocalObjectReference.
type: string
required:
- name
type: object
policy:
description: Policy gives the particulars of the policy to be followed
in selecting the most recent image
properties:
alphabetical:
description: Alphabetical set of rules to use for alphabetical
ordering of the tags.
properties:
order:
default: asc
description: Order specifies the sorting order of the tags.
Given the letters of the alphabet as tags, ascending order
would select Z, and descending order would select A.
enum:
- asc
- desc
type: string
type: object
numerical:
description: Numerical set of rules to use for numerical ordering
of the tags.
properties:
order:
default: asc
description: Order specifies the sorting order of the tags.
Given the integer values from 0 to 9 as tags, ascending
order would select 9, and descending order would select
0.
enum:
- asc
- desc
type: string
type: object
semver:
description: SemVer gives a semantic version range to check against
the tags available.
properties:
range:
description: Range gives a semver range for the image tag;
the highest version within the range that's a tag yields
the latest image.
type: string
required:
- range
type: object
type: object
required:
- imageRepositoryRef
- policy
type: object
status:
default:
observedGeneration: -1
description: ImagePolicyStatus defines the observed state of ImagePolicy
properties:
conditions:
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
latestImage:
description: LatestImage gives the first in the list of images scanned
by the image repository, when filtered and ordered according to
the policy.
type: string
observedGeneration:
format: int64
type: integer
observedPreviousImage:
description: ObservedPreviousImage is the observed previous LatestImage.
It is used to keep track of the previous and current images.
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.12.0
{{- with .Values.crds.annotations }}
{{- . | toYaml | nindent 4 }}
{{- end }}
labels:
app.kubernetes.io/component: image-reflector-controller
app.kubernetes.io/instance: '{{ .Release.Namespace }}'
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
app.kubernetes.io/part-of: flux
app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
name: imagerepositories.image.toolkit.fluxcd.io
spec:
group: image.toolkit.fluxcd.io
names:
kind: ImageRepository
listKind: ImageRepositoryList
plural: imagerepositories
singular: imagerepository
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.lastScanResult.scanTime
name: Last scan
type: string
- jsonPath: .status.lastScanResult.tagCount
name: Tags
type: string
name: v1beta1
schema:
openAPIV3Schema:
description: ImageRepository is the Schema for the imagerepositories API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ImageRepositorySpec defines the parameters for scanning an
image repository, e.g., `fluxcd/flux`.
properties:
accessFrom:
description: AccessFrom defines an ACL for allowing cross-namespace
references to the ImageRepository object based on the caller's namespace
labels.
properties:
namespaceSelectors:
description: NamespaceSelectors is the list of namespace selectors
to which this ACL applies. Items in this list are evaluated
using a logical OR operation.
items:
description: NamespaceSelector selects the namespaces to which
this ACL applies. An empty map of MatchLabels matches all
namespaces in a cluster.
properties:
matchLabels:
additionalProperties:
type: string
description: MatchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field is
"key", the operator is "In", and the values array contains
only "value". The requirements are ANDed.
type: object
type: object
type: array
required:
- namespaceSelectors
type: object
certSecretRef:
description: "CertSecretRef can be given the name of a secret containing
either or both of \n - a PEM-encoded client certificate (`certFile`)
and private key (`keyFile`); - a PEM-encoded CA certificate (`caFile`)
\n and whichever are supplied, will be used for connecting to the
registry. The client cert and key are useful if you are authenticating
with a certificate; the CA cert is useful if you are using a self-signed
server certificate."
properties:
name:
description: Name of the referent.
type: string
required:
- name
type: object
exclusionList:
description: ExclusionList is a list of regex strings used to exclude
certain tags from being stored in the database.
items:
type: string
type: array
image:
description: Image is the name of the image repository
type: string
interval:
description: Interval is the length of time to wait between scans
of the image repository.
pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
type: string
secretRef:
description: SecretRef can be given the name of a secret containing
credentials to use for the image registry. The secret should be
created with `kubectl create secret docker-registry`, or the equivalent.
properties:
name:
description: Name of the referent.
type: string
required:
- name
type: object
serviceAccountName:
description: ServiceAccountName is the name of the Kubernetes ServiceAccount
used to authenticate the image pull if the service account has attached
pull secrets.
maxLength: 253
type: string
suspend:
description: This flag tells the controller to suspend subsequent
image scans. It does not apply to already started scans. Defaults
to false.
type: boolean
timeout:
description: Timeout for image scanning. Defaults to 'Interval' duration.
pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$
type: string
type: object
status:
default:
observedGeneration: -1
description: ImageRepositoryStatus defines the observed state of ImageRepository
properties:
canonicalImageName:
description: CanonicalName is the name of the image repository with
all the implied bits made explicit; e.g., `docker.io/library/alpine`
rather than `alpine`.
type: string
conditions:
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
lastHandledReconcileAt:
description: LastHandledReconcileAt holds the value of the most recent
reconcile request value, so a change of the annotation value can
be detected.
type: string
lastScanResult:
description: LastScanResult contains the number of fetched tags.
properties:
scanTime:
format: date-time
type: string
tagCount:
type: integer
required:
- tagCount
type: object
observedGeneration:
description: ObservedGeneration is the last reconciled generation.
format: int64
type: integer
type: object
type: object
served: true
storage: false
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .status.lastScanResult.scanTime
name: Last scan
type: string
- jsonPath: .status.lastScanResult.tagCount
name: Tags
type: string
name: v1beta2
schema:
openAPIV3Schema:
description: ImageRepository is the Schema for the imagerepositories API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ImageRepositorySpec defines the parameters for scanning an
image repository, e.g., `fluxcd/flux`.
properties:
accessFrom:
description: AccessFrom defines an ACL for allowing cross-namespace
references to the ImageRepository object based on the caller's namespace
labels.
properties:
namespaceSelectors:
description: NamespaceSelectors is the list of namespace selectors
to which this ACL applies. Items in this list are evaluated
using a logical OR operation.
items:
description: NamespaceSelector selects the namespaces to which
this ACL applies. An empty map of MatchLabels matches all
namespaces in a cluster.
properties:
matchLabels:
additionalProperties:
type: string
description: MatchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field is
"key", the operator is "In", and the values array contains
only "value". The requirements are ANDed.
type: object
type: object
type: array
required:
- namespaceSelectors
type: object
certSecretRef:
description: "CertSecretRef can be given the name of a Secret containing
either or both of \n - a PEM-encoded client certificate (`tls.crt`)
and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`)
\n and whichever are supplied, will be used for connecting to the
registry. The client cert and key are useful if you are authenticating
with a certificate; the CA cert is useful if you are using a self-signed
server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`.
\n Note: Support for the `caFile`, `certFile` and `keyFile` keys
has been deprecated."
properties:
name:
description: Name of the referent.
type: string
required:
- name
type: object
exclusionList:
default:
- ^.*\.sig$
description: ExclusionList is a list of regex strings used to exclude
certain tags from being stored in the database.
items:
type: string
maxItems: 25
type: array
image:
description: Image is the name of the image repository
type: string
insecure:
description: Insecure allows connecting to a non-TLS HTTP container
registry.
type: boolean
interval:
description: Interval is the length of time to wait between scans
of the image repository.
pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
type: string
provider:
default: generic
description: The provider used for authentication, can be 'aws', 'azure',
'gcp' or 'generic'. When not specified, defaults to 'generic'.
enum:
- generic
- aws
- azure
- gcp
type: string
secretRef:
description: SecretRef can be given the name of a secret containing
credentials to use for the image registry. The secret should be
created with `kubectl create secret docker-registry`, or the equivalent.
properties:
name:
description: Name of the referent.
type: string
required:
- name
type: object
serviceAccountName:
description: ServiceAccountName is the name of the Kubernetes ServiceAccount
used to authenticate the image pull if the service account has attached
pull secrets.
maxLength: 253
type: string
suspend:
description: This flag tells the controller to suspend subsequent
image scans. It does not apply to already started scans. Defaults
to false.
type: boolean
timeout:
description: Timeout for image scanning. Defaults to 'Interval' duration.
pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$
type: string
type: object
status:
default:
observedGeneration: -1
description: ImageRepositoryStatus defines the observed state of ImageRepository
properties:
canonicalImageName:
description: CanonicalName is the name of the image repository with
all the implied bits made explicit; e.g., `docker.io/library/alpine`
rather than `alpine`.
type: string
conditions:
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
lastHandledReconcileAt:
description: LastHandledReconcileAt holds the value of the most recent
reconcile request value, so a change of the annotation value can
be detected.
type: string
lastScanResult:
description: LastScanResult contains the number of fetched tags.
properties:
latestTags:
items:
type: string
type: array
scanTime:
format: date-time
type: string
tagCount:
type: integer
required:
- tagCount
type: object
observedExclusionList:
description: ObservedExclusionList is a list of observed exclusion
list. It reflects the exclusion rules used for the observed scan
result in spec.lastScanResult.
items:
type: string
type: array
observedGeneration:
description: ObservedGeneration is the last reconciled generation.
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}


@@ -1,139 +0,0 @@
{{- if and .Values.imageReflectionController.create }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: image-reflector-controller
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
control-plane: controller
{{- with .Values.imageReflectionController.labels }}
{{- . | toYaml | nindent 4 }}
{{- end }}
name: image-reflector-controller
spec:
{{- if kindIs "invalid" .Values.imageReflectionController.replicas }}
replicas: 1
{{- else }}
replicas: {{ .Values.imageReflectionController.replicas }}
{{- end}}
selector:
matchLabels:
app: image-reflector-controller
template:
metadata:
{{- with .Values.imageReflectionController.annotations }}
annotations: {{ toYaml . | nindent 8 }}
{{- end }}
labels:
app: image-reflector-controller
{{ with .Values.imageReflectionController.labels }}{{ toYaml . | indent 8 }}{{ end }}
spec:
automountServiceAccountToken: {{ .Values.imageReflectionController.serviceAccount.automount }}
{{- if .Values.imageReflectionController.initContainers}}
initContainers:
{{- toYaml .Values.imageReflectionController.initContainers | nindent 8}}
{{- end}}
containers:
- args:
{{- if .Values.multitenancy.enabled }}
- --no-cross-namespace-refs=true
{{- end}}
{{- if .Values.notificationController.create }}
- --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc
{{- end}}
- --watch-all-namespaces={{ .Values.watchAllNamespaces }}
- --log-level={{ .Values.logLevel | default "info" }}
- --log-encoding=json
- --enable-leader-election
{{- range .Values.imageReflectionController.container.additionalArgs }}
- {{ . }}
{{- end}}
env:
- name: RUNTIME_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with .Values.imageReflectionController.extraEnv }}
{{- toYaml . | nindent 8 }}
{{- end }}
image: {{ template "template.image" .Values.imageReflectionController }}
{{- if .Values.imageReflectionController.imagePullPolicy }}
imagePullPolicy: {{ .Values.imageReflectionController.imagePullPolicy }}
{{- else }}
imagePullPolicy: IfNotPresent
{{- end }}
livenessProbe:
httpGet:
path: /healthz
port: healthz
name: manager
ports:
- containerPort: 8080
name: http-prom
- containerPort: 9440
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: healthz
{{- with .Values.imageReflectionController.resources }}
resources: {{ toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.imageReflectionController.securityContext }}
securityContext: {{ toYaml .Values.imageReflectionController.securityContext | nindent 10 }}
{{- else }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
{{- end}}
volumeMounts:
- mountPath: /tmp
name: temp
- mountPath: /data
name: data
{{- if .Values.imageReflectionController.volumeMounts }}
{{- toYaml .Values.imageReflectionController.volumeMounts | nindent 8 }}
{{- end}}
{{- if .Values.imageReflectionController.priorityClassName }}
priorityClassName: {{ .Values.imageReflectionController.priorityClassName | quote }}
{{- end }}
{{- if .Values.imageReflectionController.podSecurityContext }}
securityContext: {{ toYaml .Values.imageReflectionController.podSecurityContext | nindent 8 }}
{{- else }}
securityContext:
fsGroup: 1337
{{- end}}
serviceAccountName: image-reflector-controller
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
{{- end }}
terminationGracePeriodSeconds: 10
volumes:
- emptyDir: {}
name: temp
- emptyDir: {}
name: data
{{- if .Values.imageReflectionController.volumes }}
{{- toYaml .Values.imageReflectionController.volumes | nindent 6 }}
{{- end}}
{{- with .Values.imageReflectionController.nodeSelector }}
nodeSelector: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.imageReflectionController.affinity }}
affinity: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.imageReflectionController.tolerations }}
tolerations: {{ toYaml . | nindent 8 }}
{{- end }}
{{- end }}


@@ -1,18 +0,0 @@
{{- if and .Values.kustomizeController.create }}
{{- if .Values.kustomizeController.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: kustomize-controller
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: kustomize-controller
{{- with .Values.kustomizeController.serviceAccount.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
{{- end -}}
{{- end -}}


@@ -1,18 +0,0 @@
{{- if and .Values.kustomizeController.secret.create }}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.kustomizeController.secret.name }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
type: Opaque
data:
{{- range $key, $value := .Values.kustomizeController.secret.data }}
{{ $key }}: {{ $value | toString | b64enc | quote }}
{{- end }}
{{- end }}


@@ -1,158 +0,0 @@
{{- if and .Values.kustomizeController.create }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: kustomize-controller
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
control-plane: controller
{{- with .Values.kustomizeController.labels }}
{{- . | toYaml | nindent 4 }}
{{- end }}
name: kustomize-controller
spec:
{{- if kindIs "invalid" .Values.kustomizeController.replicas }}
replicas: 1
{{- else }}
replicas: {{ .Values.kustomizeController.replicas }}
{{- end}}
selector:
matchLabels:
app: kustomize-controller
template:
metadata:
{{- with .Values.kustomizeController.annotations }}
annotations: {{ toYaml . | nindent 8 }}
{{- end }}
labels:
app: kustomize-controller
{{ with .Values.kustomizeController.labels }}{{ toYaml . | indent 8 }}{{ end }}
spec:
automountServiceAccountToken: {{ .Values.kustomizeController.serviceAccount.automount }}
{{- if .Values.kustomizeController.initContainers}}
initContainers:
{{- toYaml .Values.kustomizeController.initContainers | nindent 8}}
{{- end}}
containers:
- args:
{{- if .Values.multitenancy.enabled }}
- --no-cross-namespace-refs=true
- --default-service-account={{ .Values.multitenancy.defaultServiceAccount | default "default" }}
{{- end}}
{{- if .Values.notificationController.create }}
- --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc
{{- end}}
- --watch-all-namespaces={{ .Values.watchAllNamespaces }}
- --log-level={{ .Values.logLevel | default "info" }}
- --log-encoding=json
- --enable-leader-election
{{- range .Values.kustomizeController.container.additionalArgs }}
- {{ . }}
{{- end}}
env:
- name: RUNTIME_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with .Values.kustomizeController.extraEnv }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if or (.Values.kustomizeController.envFrom.map.name) (.Values.kustomizeController.envFrom.secret.name) }}
envFrom:
{{- if .Values.kustomizeController.envFrom.map.name }}
- configMapRef:
name: {{ .Values.kustomizeController.envFrom.map.name }}
{{- end }}
{{- if .Values.kustomizeController.envFrom.secret.name }}
- secretRef:
name: {{ .Values.kustomizeController.envFrom.secret.name }}
{{- end }}
{{- end }}
image: {{ template "template.image" .Values.kustomizeController }}
{{- if .Values.kustomizeController.imagePullPolicy }}
imagePullPolicy: {{ .Values.kustomizeController.imagePullPolicy }}
{{- else }}
imagePullPolicy: IfNotPresent
{{- end }}
livenessProbe:
httpGet:
path: /healthz
port: healthz
name: manager
ports:
- containerPort: 8080
name: http-prom
- containerPort: 9440
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: healthz
{{- with .Values.kustomizeController.resources }}
resources: {{ toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.kustomizeController.securityContext }}
securityContext: {{ toYaml .Values.kustomizeController.securityContext | nindent 10 }}
{{- else }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
{{- end}}
volumeMounts:
- mountPath: /tmp
name: temp
{{- if .Values.kustomizeController.volumeMounts }}
{{- toYaml .Values.kustomizeController.volumeMounts | nindent 8 }}
{{- end}}
{{- if .Values.kustomizeController.priorityClassName }}
priorityClassName: {{ .Values.kustomizeController.priorityClassName | quote }}
{{- end }}
{{- range .Values.kustomizeController.extraSecretMounts }}
- name: {{ .name }}
mountPath: {{ .mountPath }}
subPath: {{ .subPath }}
readOnly: {{ .readOnly }}
{{- end }}
{{- if .Values.kustomizeController.podSecurityContext }}
securityContext: {{ toYaml .Values.kustomizeController.podSecurityContext | nindent 8 }}
{{- else }}
securityContext:
fsGroup: 1337
{{- end}}
serviceAccountName: kustomize-controller
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
{{- end }}
terminationGracePeriodSeconds: 60
volumes:
- emptyDir: {}
name: temp
{{- if .Values.kustomizeController.volumes }}
{{- toYaml .Values.kustomizeController.volumes | nindent 6 }}
{{- end}}
{{- range .Values.kustomizeController.extraSecretMounts }}
- name: {{ .name }}
secret:
secretName: {{ .secretName }}
{{- end }}
{{- with .Values.kustomizeController.nodeSelector }}
nodeSelector: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.kustomizeController.affinity }}
affinity: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.kustomizeController.tolerations }}
tolerations: {{ toYaml . | nindent 8 }}
{{- end }}
{{- end }}


@@ -1,49 +0,0 @@
{{- if and .Values.notificationController.create .Values.notificationController.webhookReceiver.ingress.create }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
control-plane: controller
{{- with .Values.notificationController.webhookReceiver.ingress.labels }}{{ toYaml . | nindent 4 }}{{ end }}
{{- with .Values.notificationController.webhookReceiver.ingress.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ tpl $value $ | quote }}
{{- end }}
{{- end }}
name: webhook-receiver
spec:
{{- if .Values.notificationController.webhookReceiver.ingress.ingressClassName }}
ingressClassName: {{ .Values.notificationController.webhookReceiver.ingress.ingressClassName }}
{{- end -}}
{{- if .Values.notificationController.webhookReceiver.ingress.tls }}
tls:
{{- range .Values.notificationController.webhookReceiver.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.notificationController.webhookReceiver.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
pathType: {{ .pathType }}
backend:
service:
name: webhook-receiver
port:
number: 80
{{- end }}
{{- end }}
{{- end }}


@@ -1,18 +0,0 @@
{{- if and .Values.notificationController.create -}}
{{- if .Values.notificationController.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: notification-controller
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: notification-controller
{{- with .Values.notificationController.serviceAccount.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
{{- end -}}
{{- end -}}


@@ -1,29 +0,0 @@
{{- if and .Values.notificationController.create }}
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
control-plane: controller
{{- with .Values.notificationController.service.labels }}{{ toYaml . | nindent 4 }}{{ end }}
name: notification-controller
{{- with .Values.notificationController.service.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
{{- if .Values.notificationController.service.ports }}
{{- toYaml .Values.notificationController.service.ports | nindent 2 }}
{{- end}}
selector:
app: notification-controller
type: ClusterIP
{{- end }}


@@ -1,26 +0,0 @@
{{- if and .Values.notificationController.create }}
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
control-plane: controller
{{- with .Values.notificationController.webhookReceiver.service.labels }}{{ toYaml . | nindent 4 }}{{ end }}
name: webhook-receiver
{{- with .Values.notificationController.webhookReceiver.service.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 9292
selector:
app: notification-controller
type: ClusterIP
{{- end }}


@@ -1,136 +0,0 @@
{{- if and .Values.notificationController.create }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: notification-controller
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
control-plane: controller
{{- with .Values.notificationController.labels }}
{{- . | toYaml | nindent 4 }}
{{- end }}
name: notification-controller
spec:
{{- if kindIs "invalid" .Values.notificationController.replicas }}
replicas: 1
{{- else }}
replicas: {{ .Values.notificationController.replicas }}
{{- end}}
selector:
matchLabels:
app: notification-controller
template:
metadata:
{{- with .Values.notificationController.annotations }}
annotations: {{ toYaml . | nindent 8 }}
{{- end }}
labels:
app: notification-controller
{{ with .Values.notificationController.labels }}{{ toYaml . | indent 8 }}{{ end }}
spec:
automountServiceAccountToken: {{ .Values.notificationController.serviceAccount.automount }}
{{- if .Values.notificationController.initContainers}}
initContainers:
{{- toYaml .Values.notificationController.initContainers | nindent 8}}
{{- end}}
containers:
- args:
{{- if .Values.multitenancy.enabled }}
- --no-cross-namespace-refs=true
{{- end}}
- --watch-all-namespaces={{ .Values.watchAllNamespaces }}
- --log-level={{ .Values.logLevel | default "info" }}
- --log-encoding=json
- --enable-leader-election
{{- range .Values.notificationController.container.additionalArgs }}
- {{ . }}
{{- end}}
env:
- name: RUNTIME_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with .Values.notificationController.extraEnv }}
{{- toYaml . | nindent 8 }}
{{- end }}
image: {{ template "template.image" .Values.notificationController }}
{{- if .Values.notificationController.imagePullPolicy }}
imagePullPolicy: {{ .Values.notificationController.imagePullPolicy }}
{{- else }}
imagePullPolicy: IfNotPresent
{{- end }}
livenessProbe:
httpGet:
path: /healthz
port: healthz
name: manager
ports:
- containerPort: 9090
name: http
protocol: TCP
- containerPort: 9292
name: http-webhook
protocol: TCP
- containerPort: 8080
name: http-prom
protocol: TCP
- containerPort: 9440
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: healthz
{{- with .Values.notificationController.resources }}
resources: {{ toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.notificationController.securityContext }}
securityContext: {{ toYaml .Values.notificationController.securityContext | nindent 10 }}
{{- else }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
{{- end}}
volumeMounts:
- mountPath: /tmp
name: temp
{{- if .Values.notificationController.volumeMounts }}
{{- toYaml .Values.notificationController.volumeMounts | nindent 8 }}
{{- end}}
{{- if .Values.notificationController.priorityClassName }}
priorityClassName: {{ .Values.notificationController.priorityClassName | quote }}
{{- end }}
{{- if .Values.notificationController.podSecurityContext }}
securityContext: {{ toYaml .Values.notificationController.podSecurityContext | nindent 8 }}
{{- end }}
serviceAccountName: notification-controller
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
{{- end }}
terminationGracePeriodSeconds: 10
volumes:
- emptyDir: {}
name: temp
{{- if .Values.notificationController.volumes }}
{{- toYaml .Values.notificationController.volumes | nindent 6 }}
{{- end}}
{{- with .Values.notificationController.nodeSelector }}
nodeSelector: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.notificationController.affinity }}
affinity: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.notificationController.tolerations }}
tolerations: {{ toYaml . | nindent 8 }}
{{- end }}
{{- end }}


@@ -1,32 +0,0 @@
{{ if .Values.prometheus.podMonitor.create }}
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: {{ .Release.Name }}
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
{{- range $key, $value := .Values.prometheus.podMonitor.additionalLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
selector:
matchExpressions:
- key: app
operator: In
values:
- helm-controller
- source-controller
- kustomize-controller
- notification-controller
- image-automation-controller
- image-reflector-controller
podMetricsEndpoints:
{{ toYaml .Values.prometheus.podMonitor.podMetricsEndpoints | indent 4 }}
{{- end }}


@@ -1,63 +0,0 @@
{{- if and .Values.policies.create}}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: allow-egress
spec:
egress:
- {}
ingress:
- from:
- podSelector: {}
podSelector: {}
policyTypes:
- Ingress
- Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: allow-scraping
spec:
ingress:
- from:
- namespaceSelector: {}
ports:
- port: 8080
protocol: TCP
podSelector: {}
policyTypes:
- Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: allow-webhooks
spec:
ingress:
- from:
- namespaceSelector: {}
podSelector:
matchLabels:
app: notification-controller
policyTypes:
- Ingress
{{- end }}


@@ -1,14 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: "{{ .Release.Name }}-flux-check"
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-weight": "-10"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded


@@ -1,72 +0,0 @@
apiVersion: batch/v1
kind: Job
metadata:
name: "{{ .Release.Name }}-flux-check"
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
backoffLimit: 1
template:
metadata:
name: "{{ .Release.Name }}"
{{- with .Values.cli.annotations }}
annotations: {{ toYaml . | nindent 8 }}
{{- end }}
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
spec:
restartPolicy: Never
serviceAccountName: "{{ .Release.Name }}-flux-check"
automountServiceAccountToken: {{ .Values.cli.serviceAccount.automount }}
containers:
- name: flux-cli
image: {{ template "template.image" .Values.cli }}
command: ["/usr/local/bin/flux", "check", "--pre", "--namespace", {{ .Release.Namespace }}]
{{- with .Values.cli.resources }}
resources: {{ toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.cli.securityContext }}
securityContext: {{ toYaml .Values.cli.securityContext | nindent 10 }}
{{- else }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
{{- end}}
{{- if .Values.cli.volumeMounts }}
volumeMounts:
{{- toYaml .Values.cli.volumeMounts | nindent 10 }}
{{- end}}
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
{{- end }}
{{- with .Values.cli.nodeSelector }}
nodeSelector: {{ toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.cli.volumes }}
volumes:
{{- toYaml .Values.cli.volumes | nindent 8 }}
{{- end}}
{{- with .Values.cli.affinity }}
affinity: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.cli.tolerations }}
tolerations: {{ toYaml . | nindent 8 }}
{{- end }}


@@ -1,29 +0,0 @@
{{- if .Values.sourceController.create }}
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
control-plane: controller
{{- with .Values.sourceController.service.labels }}{{ toYaml . | nindent 4 }}{{ end }}
name: source-controller
{{- with .Values.sourceController.service.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
{{- if .Values.sourceController.service.ports }}
{{- toYaml .Values.sourceController.service.ports | nindent 2 }}
{{- end}}
selector:
app: source-controller
type: ClusterIP
{{- end }}


@@ -1,18 +0,0 @@
{{- if .Values.sourceController.create -}}
{{- if .Values.sourceController.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: source-controller
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: source-controller
{{- with .Values.sourceController.serviceAccount.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
{{- end -}}
{{- end -}}


@@ -1,140 +0,0 @@
{{- if .Values.sourceController.create }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: source-controller
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
control-plane: controller
{{- with .Values.sourceController.labels }}
{{- . | toYaml | nindent 4 }}
{{- end }}
name: source-controller
spec:
replicas: 1
selector:
matchLabels:
app: source-controller
strategy:
type: Recreate
template:
metadata:
{{- with .Values.sourceController.annotations }}
annotations: {{ toYaml . | nindent 8 }}
{{- end }}
labels:
app: source-controller
{{ with .Values.sourceController.labels }}{{ toYaml . | indent 8 }}{{ end }}
spec:
automountServiceAccountToken: {{ .Values.sourceController.serviceAccount.automount }}
{{- if .Values.sourceController.initContainers}}
initContainers:
{{- toYaml .Values.sourceController.initContainers | nindent 8}}
{{- end}}
containers:
- args:
{{- if .Values.notificationController.create }}
- --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc
{{- end}}
- --watch-all-namespaces={{ .Values.watchAllNamespaces }}
- --log-level={{ .Values.logLevel | default "info" }}
- --log-encoding=json
- --enable-leader-election
- --storage-path=/data
- --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc
{{- range .Values.sourceController.container.additionalArgs }}
- {{ . }}
{{- end}}
env:
- name: RUNTIME_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with .Values.sourceController.extraEnv }}
{{- toYaml . | nindent 8 }}
{{- end }}
image: {{ template "template.image" .Values.sourceController }}
{{- if .Values.sourceController.imagePullPolicy }}
imagePullPolicy: {{ .Values.sourceController.imagePullPolicy }}
{{- else }}
imagePullPolicy: IfNotPresent
{{- end }}
livenessProbe:
httpGet:
path: /healthz
port: healthz
name: manager
ports:
- containerPort: 9090
name: http
protocol: TCP
- containerPort: 8080
name: http-prom
protocol: TCP
- containerPort: 9440
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /
port: http
{{- with .Values.sourceController.resources }}
resources: {{ toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.sourceController.securityContext }}
securityContext: {{ toYaml .Values.sourceController.securityContext | nindent 10 }}
{{- else }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
{{- end}}
volumeMounts:
- mountPath: /data
name: data
- mountPath: /tmp
name: tmp
{{- if .Values.sourceController.volumeMounts }}
{{- toYaml .Values.sourceController.volumeMounts | nindent 8 }}
{{- end}}
{{- if .Values.sourceController.priorityClassName }}
priorityClassName: {{ .Values.sourceController.priorityClassName | quote }}
{{- end }}
{{- if .Values.sourceController.podSecurityContext }}
securityContext: {{ toYaml .Values.sourceController.podSecurityContext | nindent 8 }}
{{- else }}
securityContext:
fsGroup: 1337
{{- end}}
serviceAccountName: source-controller
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
{{- end }}
terminationGracePeriodSeconds: 10
volumes:
- emptyDir: {}
name: data
- emptyDir: {}
name: tmp
{{- if .Values.sourceController.volumes }}
{{- toYaml .Values.sourceController.volumes | nindent 6 }}
{{- end}}
{{- with .Values.sourceController.nodeSelector }}
nodeSelector: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.sourceController.affinity }}
affinity: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.sourceController.tolerations }}
tolerations: {{ toYaml . | nindent 8 }}
{{- end }}
{{- end }}


@@ -1,327 +0,0 @@
# global
installCRDs: true
crds:
# -- Add annotations to all CRD resources, e.g. "helm.sh/resource-policy": keep
annotations: {}
multitenancy:
# -- Implement the patches for Multi-tenancy lockdown.
# See https://fluxcd.io/docs/installation/#multi-tenancy-lockdown
enabled: false
# -- All Kustomizations and HelmReleases which dont have spec.serviceAccountName
# specified, will use the default account from the tenants namespace.
# Tenants have to specify a service account in their Flux resources to be able
# to deploy workloads in their namespaces as the default account has no permissions.
defaultServiceAccount: "default"
# -- Both kustomize-controller and helm-controller service accounts run privileged
# with cluster-admin ClusterRoleBinding. Disable if you want to run them with a
# minimum set of permissions.
privileged: true
clusterDomain: cluster.local
cli:
image: ghcr.io/fluxcd/flux-cli
tag: v2.2.3
nodeSelector: {}
affinity: {}
tolerations: []
annotations: {}
serviceAccount:
automount: true
# controllers
helmController:
create: true
image: ghcr.io/fluxcd/helm-controller
tag: v0.37.4
resources:
limits: {}
# cpu: 1000m
# memory: 1Gi
requests:
cpu: 100m
memory: 64Mi
priorityClassName: ""
annotations:
prometheus.io/port: "8080"
prometheus.io/scrape: "true"
labels: {}
container:
additionalArgs: []
extraEnv: []
serviceAccount:
create: true
automount: true
annotations: {}
imagePullPolicy: ""
nodeSelector: {}
# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core
# for example:
# affinity:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: foo.bar.com/role
# operator: In
# values:
# - master
affinity: {}
# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core
# for example:
# tolerations:
# - key: foo.bar.com/role
# operator: Equal
# value: master
# effect: NoSchedule
tolerations: []
imageAutomationController:
create: true
image: ghcr.io/fluxcd/image-automation-controller
tag: v0.37.1
resources:
limits: {}
# cpu: 1000m
# memory: 1Gi
requests:
cpu: 100m
memory: 64Mi
priorityClassName: ""
annotations:
prometheus.io/port: "8080"
prometheus.io/scrape: "true"
labels: {}
container:
additionalArgs: []
extraEnv: []
serviceAccount:
create: true
automount: true
annotations: {}
imagePullPolicy: ""
nodeSelector: {}
affinity: {}
tolerations: []
imageReflectionController:
create: true
image: ghcr.io/fluxcd/image-reflector-controller
tag: v0.31.2
resources:
limits: {}
# cpu: 1000m
# memory: 1Gi
requests:
cpu: 100m
memory: 64Mi
priorityClassName: ""
annotations:
prometheus.io/port: "8080"
prometheus.io/scrape: "true"
labels: {}
container:
additionalArgs: []
extraEnv: []
serviceAccount:
create: true
automount: true
annotations: {}
imagePullPolicy: ""
nodeSelector: {}
affinity: {}
tolerations: []
kustomizeController:
create: true
image: ghcr.io/fluxcd/kustomize-controller
tag: v1.2.2
resources:
limits: {}
# cpu: 1000m
# memory: 1Gi
requests:
cpu: 100m
memory: 64Mi
priorityClassName: ""
annotations:
prometheus.io/port: "8080"
prometheus.io/scrape: "true"
labels: {}
container:
additionalArgs: []
extraEnv: []
serviceAccount:
create: true
automount: true
annotations: {}
imagePullPolicy: ""
secret:
# -- Create a secret to use it with extraSecretMounts. Defaults to false.
create: false
name: ""
data: {}
# -- Defines envFrom using a configmap and/or secret.
envFrom:
map:
name: ""
secret:
name: ""
# -- Defines additional mounts with secrets.
# Secrets must be manually created in the namespace or with kustomizeController.secret
extraSecretMounts: []
# - name: secret-files
# mountPath: /etc/secrets
# subPath: ""
# secretName: secret-files
# readOnly: true
nodeSelector: {}
affinity: {}
tolerations: []
notificationController:
create: true
image: ghcr.io/fluxcd/notification-controller
tag: v1.2.4
resources:
limits: {}
# cpu: 1000m
# memory: 1Gi
requests:
cpu: 100m
memory: 64Mi
priorityClassName: ""
annotations:
prometheus.io/port: "8080"
prometheus.io/scrape: "true"
labels: {}
container:
additionalArgs: []
extraEnv: []
serviceAccount:
create: true
automount: true
annotations: {}
imagePullPolicy: ""
service:
labels: {}
annotations: {}
webhookReceiver:
service:
labels: {}
annotations: {}
ingress:
create: false
# ingressClassName: nginx
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
labels: {}
hosts:
- host: flux-webhook.example.com
paths:
- path: /
pathType: ImplementationSpecific
tls: []
# - secretName: flux-webhook-tls
# hosts:
# - flux-webhook.example.com
nodeSelector: {}
affinity: {}
tolerations: []
sourceController:
create: true
image: ghcr.io/fluxcd/source-controller
tag: v1.2.4
resources:
limits: {}
# cpu: 1000m
# memory: 1Gi
requests:
cpu: 100m
memory: 64Mi
priorityClassName: ""
annotations:
prometheus.io/port: "8080"
prometheus.io/scrape: "true"
labels: {}
container:
additionalArgs: []
serviceAccount:
create: true
automount: true
annotations: {}
imagePullPolicy: ""
service:
labels: {}
annotations: {}
nodeSelector: {}
affinity: {}
tolerations: []
extraEnv: []
policies:
create: true
rbac:
create: true
# -- Grant the Kubernetes view, edit and admin roles access to Flux custom resources
createAggregation: true
# -- Add annotations to all RBAC resources, e.g. "helm.sh/resource-policy": keep
annotations: {}
roleRef:
name: cluster-admin
logLevel: info
watchAllNamespaces: true
# -- contents of pod imagePullSecret in form 'name=[secretName]'; applied to all controllers
imagePullSecrets: []
# -- Array of extra K8s manifests to deploy
extraObjects: []
# Example usage from https://fluxcd.io/docs/components/source/buckets/#static-authentication
# - apiVersion: source.toolkit.fluxcd.io/v1beta2
# kind: Bucket
# metadata:
# name: podinfo
# namespace: default
# spec:
# interval: 1m
# provider: generic
# bucketName: podinfo
# endpoint: minio.minio.svc.cluster.local:9000
# insecure: true
# secretRef:
# name: minio-credentials
# - apiVersion: v1
# kind: Secret
# metadata:
# name: minio-credentials
# namespace: default
# type: Opaque
# data:
# accesskey: <BASE64>
# secretkey: <BASE64>
# Enables podMonitor creation for the Prometheus Operator
prometheus:
podMonitor:
# -- Enables podMonitor endpoint
create: false
podMetricsEndpoints:
- port: http-prom
relabelings:
# https://github.com/prometheus-operator/prometheus-operator/issues/4816
- sourceLabels: [__meta_kubernetes_pod_phase]
action: keep
regex: Running


@@ -0,0 +1,15 @@
apiVersion: fluxcd.controlplane.io/v1
kind: FluxInstance
metadata:
name: flux
spec:
cluster:
domain: {{ .Values.fluxInstance.cluster.domain }}
distribution:
version: {{ .Values.fluxInstance.distribution.version }}
registry: {{ .Values.fluxInstance.distribution.registry }}
components:
{{- if .Values.fluxInstance.components }}
{{- toYaml .Values.fluxInstance.components | nindent 4 }}
{{- end }}
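Review bot: The FluxInstance spec only carries cluster domain, distribution and the component list, so the hardening knobs the removed chart values exposed (multitenancy lockdown and the `privileged` cluster-admin binding, `policies.create` for network policies) have no equivalent here and cannot be turned on from values. If the operator's FluxInstance `cluster` block supports multitenant and network-policy settings, those should be templated from values too, with a comment in the template recording that the old `multitenancy`/`policies` options were intentionally dropped if they were. Separately, the three scalars are emitted unquoted, so a value such as `version: 2.2` or `domain: 10` is re-typed by YAML; render them as `domain: {{ .Values.fluxInstance.cluster.domain | quote }}`, `version: {{ .Values.fluxInstance.distribution.version | quote }}`, `registry: {{ .Values.fluxInstance.distribution.registry | quote }}`. With an empty component list the template still prints a bare `components:` key (null), which is probably not what a values override intends; `{{- with .Values.fluxInstance.components }}` around the key avoids that.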


@@ -0,0 +1,13 @@
fluxInstance:
cluster:
domain: cozy.local
distribution:
version: 2.2.x
registry: ghcr.io/fluxcd
components:
- source-controller
- kustomize-controller
- helm-controller
- notification-controller
- image-reflector-controller
- image-automation-controller
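Review bot: `version: 2.2.x` is a version range rather than a pinned release, so the controller images actually deployed are presumably chosen by the operator at reconcile time and can move to a newer 2.2 patch without a change in this repository; the file should say whether that is intended. A comment such as `# semver range: the operator is expected to roll to newer 2.2 patch releases on its own; pin an exact version (e.g. 2.2.3) for reproducible installs` above `version:` would make the supply-chain trade-off explicit, and `registry: ghcr.io/fluxcd` deserves a one-line note that it controls where every controller image is pulled from.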


@@ -0,0 +1,11 @@
flux-operator:
tolerations:
- key: node.kubernetes.io/not-ready
operator: Exists
effect: NoSchedule
hostNetwork: true
extraEnvs:
- name: KUBERNETES_SERVICE_HOST
value: localhost
- name: KUBERNETES_SERVICE_PORT
value: "7445"
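Review bot: `hostNetwork: true` places the flux-operator pod in the node's network namespace with no comment on why it is needed, and the overridden `KUBERNETES_SERVICE_HOST`/`PORT` pointing at `localhost:7445` is the only hint — this looks like a node-local API server endpoint (Talos KubePrism uses that port), but that is an inference. The consequence worth recording is that the operator's listening ports (metrics, health) become reachable on the node's interfaces and most CNIs do not apply NetworkPolicy to hostNetwork pods, so the pod loses the isolation other namespace workloads get. Suggest a comment above `hostNetwork:` along the lines of `# hostNetwork + localhost:7445 let the operator reach the node-local apiserver endpoint before cluster networking is up; this exposes the operator's ports on the node — confirm 7445 is the intended local apiserver proxy`, and the same for the `not-ready` toleration (bootstrap-time scheduling).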


@@ -16,7 +16,7 @@
{{/* Add extra namespaces */}}
{{- $_ := set $namespaces "cozy-public" false }}
{{- $_ := set $namespaces "cozy-fluxcd" false }}
{{- $_ := set $namespaces "cozy-fluxcd" true }}
{{- range $namespace, $privileged := $namespaces }}
---
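Review bot: Flipping `cozy-fluxcd` from `false` to `true` in the `$namespaces` map widens whatever `$privileged` grants in the `range` below (its use is outside this hunk, so the exact effect is not visible here), and nothing records why the Flux namespace now needs it. Presumably it is because the flux-operator values in this commit set `hostNetwork: true`, which a restricted pod-security profile would reject; a template comment next to the line, `{{/* cozy-fluxcd is privileged: the flux-operator pod runs with hostNetwork */}}`, would keep that reason from being lost and would make it easy to revert if hostNetwork is later dropped.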


@@ -18,7 +18,16 @@ run_migrations() {
done
}
flux_is_ok() {
flux_operator_is_ok() {
kubectl wait --for=condition=available -n cozy-fluxcd deploy/fluxcd-flux-operator --timeout=1m
}
flux_instance_is_ok() {
kubectl wait --for=condition=ready -n cozy-fluxcd fluxinstance/flux --timeout=5m
}
flux_controllers_ok() {
kubectl wait --for=condition=available -n cozy-fluxcd deploy/source-controller deploy/helm-controller --timeout=10s
}
@@ -39,20 +48,24 @@ run_migrations
# Install namespaces
make -C packages/core/platform namespaces-apply
# Install fluxcd
make -C packages/core/fluxcd apply
# Install fluxcd twice (once it will fail, since CRDs can't be ordered)
make -C packages/core/fluxcd apply || make -C packages/core/fluxcd apply
# Reconcile Helm repositories
kubectl annotate helmrepositories.source.toolkit.fluxcd.io -A -l cozystack.io/repository reconcile.fluxcd.io/requestedAt=$(date +"%Y-%m-%dT%H:%M:%SZ") --overwrite
if flux_operator_is_ok; then
echo "Flux operator is installed and FluxInstance CRD is ready"
fi
# Install platform chart
make -C packages/core/platform apply
# Install basic system charts (should be after platform chart applied)
if ! flux_is_ok; then
if ! flux_controllers_ok; then
install_basic_charts
fi
# Reconcile Helm repositories
kubectl annotate helmrepositories.source.toolkit.fluxcd.io -A -l cozystack.io/repository reconcile.fluxcd.io/requestedAt=$(date +"%Y-%m-%dT%H:%M:%SZ") --overwrite
# Reconcile platform chart
trap 'exit' INT TERM
while true; do