Move flux to core package and avoid Helm installation

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

manifests/cozystack-installer.yaml

@@ -102,3 +102,6 @@ spec:
       - key: "node.kubernetes.io/not-ready"
         operator: "Exists"
         effect: "NoSchedule"
+      - key: "node.cilium.io/agent-not-ready"
+        operator: "Exists"
+        effect: "NoSchedule"

packages/core/fluxcd/Makefile

@@ -0,0 +1,13 @@
+NAMESPACE=cozy-fluxcd
+NAME=fluxcd
+
+API_VERSIONS_FLAGS=$(addprefix -a ,$(shell kubectl api-versions))
+
+show:
+	helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS)
+
+apply:
+	helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) | kubectl apply -n $(NAMESPACE) -f-
+
+diff:
+	helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) | kubectl diff -n $(NAMESPACE) -f-

packages/core/installer/Makefile

@@ -1,4 +1,4 @@
-NAMESPACE=cozy-installer
+NAMESPACE=cozy-system
 NAME=installer
 PUSH := 1
 LOAD := 0
@@ -21,6 +21,7 @@ update:
 image: image-cozystack image-talos image-matchbox
 
 image-cozystack:
+	make -C ../../.. repos
 	docker buildx build -f images/cozystack/Dockerfile ../../.. \
 		--provenance false \
 		--tag $(REGISTRY)/cozystack:$(TAG) \

packages/core/installer/templates/cozystack.yaml

@@ -82,6 +82,9 @@ spec:
       - key: "node.kubernetes.io/not-ready"
         operator: "Exists"
         effect: "NoSchedule"
+      - key: "node.cilium.io/agent-not-ready"
+        operator: "Exists"
+        effect: "NoSchedule"
 ---
 apiVersion: v1
 kind: Service

packages/core/platform/Makefile

@@ -13,7 +13,7 @@ namespaces-show:
 	helm template -n $(NAMESPACE) $(NAME) . --dry-run=server $(API_VERSIONS_FLAGS) -s templates/namespaces.yaml
 
 namespaces-apply:
-	helm template -n $(NAMESPACE) $(NAME) . --dry-run=server $(API_VERSIONS_FLAGS) -s templates/namespaces.yaml | kubectl apply -f-
+	helm template -n $(NAMESPACE) $(NAME) . --dry-run=server $(API_VERSIONS_FLAGS) -s templates/namespaces.yaml | kubectl apply -n $(NAMESPACE) -f-
 
 diff:
 	helm template -n $(NAMESPACE) $(NAME) . --dry-run=server $(API_VERSIONS_FLAGS) | kubectl diff -f-

packages/core/platform/bundles/full-distro.yaml

@@ -7,12 +7,13 @@ releases:
   namespace: cozy-cilium
   privileged: true
   dependsOn: []
-
-- name: fluxcd
-  releaseName: fluxcd
-  chart: cozy-fluxcd
-  namespace: cozy-fluxcd
-  dependsOn: [cilium]
+  values:
+    cilium:
+      cni:
+        chainingMode: ~
+        customConf: false
+        configMap: ""
+      enableIPv4Masquerade: true
 
 - name: cert-manager
   releaseName: cert-manager
@@ -93,4 +94,4 @@ releases:
   releaseName: traffic-manager
   chart: cozy-telepresence
   namespace: cozy-telepresence
-  dependsOn: [kubeovn]
+  dependsOn: []

packages/core/platform/bundles/full-paas.yaml

@@ -24,12 +24,6 @@ releases:
         SVC_CIDR: "{{ index $cozyConfig.data "ipv4-svc-cidr" }}"
         JOIN_CIDR: "{{ index $cozyConfig.data "ipv4-join-cidr" }}"
 
-- name: fluxcd
-  releaseName: fluxcd
-  chart: cozy-fluxcd
-  namespace: cozy-fluxcd
-  dependsOn: [cilium,kubeovn]
-
 - name: cert-manager
   releaseName: cert-manager
   chart: cozy-cert-manager

packages/core/platform/bundles/hosted-distro.yaml

@@ -1,12 +1,6 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 
 releases:
-- name: fluxcd
-  releaseName: fluxcd
-  chart: cozy-fluxcd
-  namespace: cozy-fluxcd
-  dependsOn: []
-
 - name: cert-manager
   releaseName: cert-manager
   chart: cozy-cert-manager

packages/core/platform/bundles/hosted-paas.yaml

@@ -1,12 +1,6 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 
 releases:
-- name: fluxcd
-  releaseName: fluxcd
-  chart: cozy-fluxcd
-  namespace: cozy-fluxcd
-  dependsOn: []
-
 - name: cert-manager
   releaseName: cert-manager
   chart: cozy-cert-manager

packages/core/platform/templates/apps.yaml

@@ -1,7 +1,10 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $bundleName := index $cozyConfig.data "bundle-name" }}
+{{- $bundle := tpl (.Files.Get (printf "bundles/%s.yaml" $bundleName)) . | fromYaml }}
 {{- $host := "example.org" }}
 {{- $tenantRoot := list }}
-{{- if .Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2beta1" }}
-{{- $tenantRoot = lookup "helm.toolkit.fluxcd.io/v2beta1" "HelmRelease" "tenant-root" "tenant-root" }}
+{{- if .Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2beta2" }}
+{{- $tenantRoot = lookup "helm.toolkit.fluxcd.io/v2beta2" "HelmRelease" "tenant-root" "tenant-root" }}
 {{- end }}
 {{- if and $tenantRoot $tenantRoot.spec $tenantRoot.spec.values $tenantRoot.spec.values.host }}
 {{- $host = $tenantRoot.spec.values.host }}
@@ -19,7 +22,7 @@ metadata:
     namespace.cozystack.io/host: "{{ $host }}"
   name: tenant-root
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
 kind: HelmRelease
 metadata:
   name: tenant-root
@@ -45,7 +48,9 @@ spec:
   values:
     host: "{{ $host }}"
   dependsOn:
-  - name: cilium
-    namespace: cozy-cilium
-  - name: kubeovn
-    namespace: cozy-kubeovn
+  {{- range $x := $bundle.releases }}
+  {{- if has $x.name (list "cilium" "kubeovn") }}
+  - name: {{ $x.name }}
+    namespace: {{ $x.namespace }}
+  {{- end }}
+  {{- end }}

packages/core/platform/templates/namespaces.yaml

@@ -14,6 +14,8 @@
 {{- end }}
 {{- end }}
 
+{{- $_ := set $namespaces "cozy-fluxcd" false }}
+
 {{- range $namespace, $privileged := $namespaces }}
 ---
 apiVersion: v1

packages/system/cilium/Makefile

@@ -2,13 +2,13 @@ NAMESPACE=cozy-cilium
 NAME=cilium
 
 show:
-	helm template --dry-run=server -n $(NAMESPACE) $(NAME) .
+	kubectl get hr -n cozy-cilium cilium -o jsonpath='{.spec.values}' | helm template --dry-run=server -n $(NAMESPACE) $(NAME) . -f -
 
 apply:
-	helm upgrade -i -n $(NAMESPACE) $(NAME) .
+	kubectl get hr -n cozy-cilium cilium -o jsonpath='{.spec.values}' | helm upgrade -i -n $(NAMESPACE) $(NAME) . -f -
 
 diff:
-	helm diff upgrade --allow-unreleased --normalize-manifests -n $(NAMESPACE) $(NAME) .
+	kubectl get hr -n cozy-cilium cilium -o jsonpath='{.spec.values}' | helm diff upgrade --allow-unreleased --normalize-manifests -n $(NAMESPACE) $(NAME) . -f -
 
 update:
 	rm -rf charts

packages/system/fluxcd/Makefile

@@ -1,15 +0,0 @@
-NAMESPACE=cozy-fluxcd
-NAME=fluxcd
-
-show:
-	helm template --dry-run=server -n $(NAMESPACE) $(NAME) .
-
-apply:
-	helm upgrade -i -n $(NAMESPACE) $(NAME) .
-
-diff:
-	helm diff upgrade --allow-unreleased --normalize-manifests -n $(NAMESPACE) $(NAME) .
-
-update:
-	rm -rf charts
-	helm pull oci://ghcr.io/fluxcd-community/charts/flux2 --untar --untardir charts

packages/system/kubeovn/Makefile

@@ -2,13 +2,13 @@ NAMESPACE=cozy-kubeovn
 NAME=kubeovn
 
 show:
-	helm template --dry-run=server -n $(NAMESPACE) $(NAME) .
+	kubectl get hr -n $(NAMESPACE) $(NAME) -o jsonpath='{.spec.values}' | helm template --dry-run=server -n $(NAMESPACE) $(NAME) . -f -
 
 apply:
-	helm upgrade -i -n $(NAMESPACE) $(NAME) .
+	kubectl get hr -n $(NAMESPACE) $(NAME) -o jsonpath='{.spec.values}' | helm upgrade -i -n $(NAMESPACE) $(NAME) . -f -
 
 diff:
-	helm diff upgrade --allow-unreleased --normalize-manifests -n $(NAMESPACE) $(NAME) .
+	kubectl get hr -n $(NAMESPACE) $(NAME) -o jsonpath='{.spec.values}' | helm diff upgrade --allow-unreleased --normalize-manifests -n $(NAMESPACE) $(NAME) . -f -
 
 update:
 	rm -rf charts && mkdir -p charts/kube-ovn

scripts/installer.sh

@@ -20,9 +20,13 @@ flux_is_ok() {
 }
 
 install_basic_charts() {
+  bundle=$(kubectl get configmap -n cozy-system cozystack -o 'go-template={{index .data "bundle-name"}}')
+  if [ "$bundle" = "full-paas" ] || [ "$bundle" = "full-distro" ]; then
   make -C packages/system/cilium apply
-  make -C packages/system/kubeovn apply
-  make -C packages/system/fluxcd apply
+  fi
+  if [ "$bundle" = "full-paas" ]; then
+    make -C packages/system/kubeovn apply
+  fi
 }
 
 cd "$(dirname "$0")/.."
@@ -33,10 +37,8 @@ run_migrations
 # Install namespaces
 make -C packages/core/platform namespaces-apply
 
-# Install basic system charts
-if ! flux_is_ok; then
-  install_basic_charts
-fi
+# Install fluxcd
+make -C packages/core/fluxcd apply
 
 # Reconcile Helm repositories
 kubectl annotate helmrepositories.source.toolkit.fluxcd.io -A -l cozystack.io/repository reconcile.fluxcd.io/requestedAt=$(date +"%Y-%m-%dT%H:%M:%SZ") --overwrite
@@ -44,6 +46,11 @@ kubectl annotate helmrepositories.source.toolkit.fluxcd.io -A -l cozystack.io/re
 # Install platform chart
 make -C packages/core/platform apply
 
+# Install basic system charts (should be after platform chart applied)
+if ! flux_is_ok; then
+  install_basic_charts
+fi
+
 # Reconcile platform chart
 trap 'exit' INT TERM
 while true; do

scripts/migrations/1

@@ -1,8 +1,18 @@
 #!/bin/sh
+# Migration 1 --> 2
 
+# Fix mariadb-operator secrets
 if kubectl get -n cozy-mariadb-operator secret/mariadb-operator-webhook-cert; then
   kubectl annotate -n cozy-mariadb-operator secret/mariadb-operator-webhook-cert meta.helm.sh/release-namespace=cozy-mariadb-operator meta.helm.sh/release-name=mariadb-operator
   kubectl label -n cozy-mariadb-operator secret/mariadb-operator-webhook-cert app.kubernetes.io/managed-by=Helm
 fi
 
+# Gratefully remove fluxcd release and keep resources
+if kubectl get hr -n cozy-fluxcd cozy-fluxcd 2>/dev/null; then
+  kubectl patch hr -n cozy-fluxcd cozy-fluxcd  -p '{"spec": {"suspend": true}, "metadata": {"finalizers": null}}' --type=merge
+  kubectl delete hr -n cozy-fluxcd cozy-fluxcd
+fi
+kubectl delete secret -n cozy-fluxcd -l name=fluxcd
+
+# Write version to cozystack-version config
 kubectl create configmap -n cozy-system cozystack-version --from-literal=version=2 --dry-run=client -o yaml | kubectl apply -f-