From 8bd9b5fffd8769a93bb8b1207420d0a0231181e9 Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Sun, 1 Jun 2025 21:23:48 +0300 Subject: [PATCH 01/12] Add digest pinning to image automation testing Signed-off-by: Stefan Prodan Signed-off-by: S. M. Mohiuddin Khan Shiam <147746955+mohiuddin-khan-shiam@users.noreply.github.com> --- .github/workflows/e2e-bootstrap.yaml | 2 ++ tests/image-automation/auto.yaml | 23 ++++++++++++++++--- tests/image-automation/kustomization.yaml | 7 +++--- tests/integration/go.mod | 12 +++++----- tests/integration/go.sum | 28 +++++++++++------------ 5 files changed, 46 insertions(+), 26 deletions(-) diff --git a/.github/workflows/e2e-bootstrap.yaml b/.github/workflows/e2e-bootstrap.yaml index 12e2249c..cb84f777 100644 --- a/.github/workflows/e2e-bootstrap.yaml +++ b/.github/workflows/e2e-bootstrap.yaml @@ -107,6 +107,8 @@ jobs: ./bin/flux reconcile image repository podinfo ./bin/flux reconcile image update flux-system ./bin/flux get images all + ./bin/flux -n flux-system events --for ImageUpdateAutomation/flux-system + kubectl -n flux-system get -o yaml ImageUpdateAutomation flux-system kubectl -n flux-system get -o yaml ImageUpdateAutomation flux-system | \ yq '.status.lastPushCommit | length > 1' | grep 'true' env: diff --git a/tests/image-automation/auto.yaml b/tests/image-automation/auto.yaml index a0f7bce2..cd291856 100644 --- a/tests/image-automation/auto.yaml +++ b/tests/image-automation/auto.yaml @@ -5,7 +5,7 @@ metadata: namespace: flux-system spec: image: ghcr.io/stefanprodan/podinfo - interval: 1m0s + interval: 10m --- apiVersion: image.toolkit.fluxcd.io/v1beta2 kind: ImagePolicy @@ -13,11 +13,13 @@ metadata: name: podinfo namespace: flux-system spec: + interval: 10m imageRepositoryRef: name: podinfo policy: semver: - range: 5.2.x + range: 6.x + digestReflectionPolicy: Always --- apiVersion: image.toolkit.fluxcd.io/v1beta2 kind: ImageUpdateAutomation 
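Review bot: The added `kubectl -n flux-system get -o yaml ImageUpdateAutomation flux-system` line in e2e-bootstrap.yaml dumps the whole object as a diagnostic, but the assertion that follows it still only checks that `.status.lastPushCommit` is non-empty, so the digest pinning this series introduces is never verified end-to-end. Consider extending the step to confirm that the pushed commit actually rewrote the digest marker (for example by inspecting the pushed kustomization for a `sha256:` value after the run), and at minimum label the dump so a reader knows it is not part of the check: `# print events and full status to ease debugging when the assertion below fails`. The `jobs:` step this hunk belongs to starts and ends outside the hunk.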
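Review bot: `digestReflectionPolicy: Always` on the `podinfo` ImagePolicy in auto.yaml makes the reflector re-resolve the digest behind the selected tag on every `interval`, so a re-pushed `6.x` tag produces a fresh automation commit even though no new semver version was selected. That is presumably what this e2e fixture wants to exercise, but it is exactly the behaviour that separates it from `IfNotPresent`, which pins the digest once, so the choice deserves a comment on the line: `# re-resolve the digest every interval so tag mutations are reflected in commits`. If periodic re-resolution is not the intent, `IfNotPresent` gives the same digest pinning without the recurring registry lookups.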
@@ -37,7 +39,22 @@ spec: author: email: fluxcdbot@users.noreply.github.com name: fluxcdbot - messageTemplate: '{{range .Updated.Images}}{{println .}}{{end}}' + messageTemplate: | + Automated image update + + Automation name: {{ .AutomationObject }} + + Files: + {{ range $filename, $_ := .Changed.FileChanges -}} + - {{ $filename }} + {{ end -}} + + Changes: + {{ range $resource, $changes := .Changed.Objects -}} + {{- range $_, $change := $changes }} + - {{ $change.OldValue }} -> {{ $change.NewValue }} + {{ end -}} + {{ end -}} push: branch: main update: diff --git a/tests/image-automation/kustomization.yaml b/tests/image-automation/kustomization.yaml index 64cb51fc..6c3d8a57 100644 --- a/tests/image-automation/kustomization.yaml +++ b/tests/image-automation/kustomization.yaml @@ -2,9 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: flux-system resources: - - https://raw.githubusercontent.com/stefanprodan/podinfo/5.2.0/kustomize/deployment.yaml + - https://raw.githubusercontent.com/stefanprodan/podinfo/6.8.0/kustomize/deployment.yaml - auto.yaml images: - name: ghcr.io/stefanprodan/podinfo - newName: ghcr.io/stefanprodan/podinfo - newTag: 5.2.0 # {"$imagepolicy": "flux-system:podinfo:tag"} + newName: ghcr.io/stefanprodan/podinfo # {"$imagepolicy": "flux-system:podinfo:name"} + newTag: 6.8.0 # {"$imagepolicy": "flux-system:podinfo:tag"} + digest: "sha256:6c1975b871efb327528c84d46d38e6dd7906eecee6402bc270eeb7f1b1a506df" # {"$imagepolicy": "flux-system:podinfo:digest"} diff --git a/tests/integration/go.mod b/tests/integration/go.mod index 836e0fd9..f8e628a6 100644 --- a/tests/integration/go.mod +++ b/tests/integration/go.mod 
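Review bot: In the new `messageTemplate`, the outer `range $resource, $changes := .Changed.Objects` binds `$resource` but never prints it, so the commit message lists `OldValue -> NewValue` pairs without saying which object each change belongs to. Either emit the key before the inner loop so each change is attributed to its object, or rename the unused variable to `$_` as the `FileChanges` loop already does so the two loops read consistently. The `ImageUpdateAutomation` object this template belongs to starts outside the hunk.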
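Review bot: The seeded `digest:` value on the `podinfo` image in kustomization.yaml sits next to `newTag: 6.8.0` with nothing tying the two together, so a reader cannot tell whether it is the digest that tag currently resolves to or an intentionally stale seed that the first automation run is expected to rewrite. A comment stating the intent would make the fixture self-explaining, e.g. `# seed value; the ImageUpdateAutomation overwrites this with the digest resolved by the ImagePolicy` above the `digest:` line. The remote `deployment.yaml` is still fetched by a mutable git ref (`6.8.0`) while the container image is now pinned by digest; that asymmetry is acceptable for a test fixture but is worth a one-line comment so nobody mistakes the manifest reference for a pinned input.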
@@ -6,17 +6,17 @@ require (
 cloud.google.com/go/pubsub v1.49.0
 github.com/Azure/azure-event-hubs-go/v3 v3.6.2
 github.com/chainguard-dev/git-urls v1.0.2
-github.com/fluxcd/helm-controller/api v1.2.0
-github.com/fluxcd/image-automation-controller/api v0.40.0
-github.com/fluxcd/image-reflector-controller/api v0.34.0
-github.com/fluxcd/kustomize-controller/api v1.5.1
-github.com/fluxcd/notification-controller/api v1.5.0
+github.com/fluxcd/helm-controller/api v1.3.0
+github.com/fluxcd/image-automation-controller/api v0.41.0
+github.com/fluxcd/image-reflector-controller/api v0.35.1
+github.com/fluxcd/kustomize-controller/api v1.6.0
+github.com/fluxcd/notification-controller/api v1.6.0
 github.com/fluxcd/pkg/apis/event v0.17.0
 github.com/fluxcd/pkg/apis/meta v1.12.0
 github.com/fluxcd/pkg/git v0.31.0
 github.com/fluxcd/pkg/git/gogit v0.33.0
 github.com/fluxcd/pkg/runtime v0.60.0
-github.com/fluxcd/source-controller/api v1.5.0
+github.com/fluxcd/source-controller/api v1.6.0
 github.com/fluxcd/test-infra/tftestenv v0.0.0-20250519112614-4450eea17b00
 github.com/go-git/go-git/v5 v5.16.0
 github.com/google/go-containerregistry v0.20.3
diff --git a/tests/integration/go.sum b/tests/integration/go.sum
index 5e1c3a66..bc39d73d 100644
--- a/tests/integration/go.sum
+++ b/tests/integration/go.sum
@@ -113,16 +113,16 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/fluxcd/gitkit v0.6.0 h1:iNg5LTx6ePo+Pl0ZwqHTAkhbUHxGVSY3YCxCdw7VIFg= github.com/fluxcd/gitkit v0.6.0/go.mod h1:svOHuKi0fO9HoawdK4HfHAJJseZDHHjk7I3ihnCIqNo= -github.com/fluxcd/helm-controller/api v1.2.0 h1:cjpHBpJQv+8WyYQNwoujoNMFOQx2llllv4peLIiWyxU= -github.com/fluxcd/helm-controller/api v1.2.0/go.mod h1:3NZts/4n6PpD4sONSDJWXPQzfPpBk3YpknIFA6rLW3I= -github.com/fluxcd/image-automation-controller/api v0.40.0 h1:AgObtp2/bnOraIkkzkAl5kJDmDsBMOx/wDPQd6Yv7Is= -github.com/fluxcd/image-automation-controller/api v0.40.0/go.mod h1:jqFjp75nUHQBeZp2cj2GZYE08l6/4Fz20PBXo41XYyM= -github.com/fluxcd/image-reflector-controller/api v0.34.0 h1:+0AGoaYzHYXzVDQO9xq2eGZKkPl81Bfz6xFI7rElBzs= -github.com/fluxcd/image-reflector-controller/api v0.34.0/go.mod h1:C6742RYyZVt2KIyJv16lb4gYbsK+P1RGQeaQ8C8huec= -github.com/fluxcd/kustomize-controller/api v1.5.1 h1:SLVMIk/3E/GkK610S85zDBfX/TQhpE2ym+516ONXtU4= -github.com/fluxcd/kustomize-controller/api v1.5.1/go.mod h1:SnQ5blin2e25GOCvd9JqYezYhqcM7beyK1aLq9Iw0So= -github.com/fluxcd/notification-controller/api v1.5.0 h1:UFrOuaOrnQYhOg/i/Ylvs7TKJV5ggwVIt0zsiZy+rVA= -github.com/fluxcd/notification-controller/api v1.5.0/go.mod h1:6RrjQrvIAAmi9fUfhqnQKTgxLvKzI0z6Lvzj6c5RyX4= +github.com/fluxcd/helm-controller/api v1.3.0 h1:PupXPuQbksmU0g2Lc6NjIYal2HJGL+6xohsf82eGVjo= +github.com/fluxcd/helm-controller/api v1.3.0/go.mod h1:4b8PfdH0e/9Pfol2ogdMYbQ1nLjcVu9gAv27cQzIPK4= +github.com/fluxcd/image-automation-controller/api v0.41.0 h1:wItzHTo0w50NKaJ4wV6iXKbWo5vvjDpl6bY9NOK6Rs8= +github.com/fluxcd/image-automation-controller/api v0.41.0/go.mod h1:u1L/gztaeJgwRQrPEx2DqE4mlYoAfSeKTWx/JLUxRbA= +github.com/fluxcd/image-reflector-controller/api v0.35.1 h1:QpnLjPR4BMRQN2C+cL6NhjvsUCQoQS00Qq40DC85OtY= +github.com/fluxcd/image-reflector-controller/api v0.35.1/go.mod 
h1:mjpokoQhFs2RxfFjY4rHpn3ZAUvee8TiELyROFN4wiA= +github.com/fluxcd/kustomize-controller/api v1.6.0 h1:8p230vpJy7giisoBNuI3CX99O+XKKVLLxXuJmv3sOHQ= +github.com/fluxcd/kustomize-controller/api v1.6.0/go.mod h1:b0i/KVz28tV8iuqlNHx7MW6ZtTcIbBELGLoKdaK+X8M= +github.com/fluxcd/notification-controller/api v1.6.0 h1:t0k662zxnUZlnDvFrk4DBDl6iivFmJxbwuRdyhH9Ot4= +github.com/fluxcd/notification-controller/api v1.6.0/go.mod h1:b1gwfsygqnasQVdn/iMCFDI81LeOeY/ibLul+Z6W8U0= github.com/fluxcd/pkg/apis/acl v0.7.0 h1:dMhZJH+g6ZRPjs4zVOAN9vHBd1DcavFgcIFkg5ooOE0= github.com/fluxcd/pkg/apis/acl v0.7.0/go.mod h1:uv7pXXR/gydiX4MUwlQa7vS8JONEDztynnjTvY3JxKQ= github.com/fluxcd/pkg/apis/event v0.17.0 h1:foEINE++pCJlWVhWjYDXfkVmGKu8mQ4BDBlbYi5NU7M= @@ -143,8 +143,8 @@ github.com/fluxcd/pkg/ssh v0.18.0 h1:SB0RrZ/YZIla3chTUulsfVmiCzJv5pEWfHM3dHMC8AU github.com/fluxcd/pkg/ssh v0.18.0/go.mod h1:G5o0ZD7iR3KFoG5gPnFelX243ciI/PIiVW7J4eBrt5Y= github.com/fluxcd/pkg/version v0.7.0 h1:jZT5I6WFy1KlM40nHCSqlHmjC1VT1/DfmbAdOkIVVJc= github.com/fluxcd/pkg/version v0.7.0/go.mod h1:3BjQDJXIZJmeJLXnfa2yG/sNAT1t5oeLAPfnSjOHNuA= -github.com/fluxcd/source-controller/api v1.5.0 h1:caSR+u/r2Vh0jq/0pNR0r1zLxyvgatWuGSV2mxgTB/I= -github.com/fluxcd/source-controller/api v1.5.0/go.mod h1:OZPuHMlLH2E2mnj6Q5DLkWfUOmJ20zA1LIvUVfNsYl8= +github.com/fluxcd/source-controller/api v1.6.0 h1:IxfjUczJ2pzbXIef6iQ0RHEH4AYA9anJfTGK8dzwODM= +github.com/fluxcd/source-controller/api v1.6.0/go.mod h1:ZJcAi0nemsnBxjVgmJl0WQzNvB0rMETxQMTdoFosmMw= github.com/fluxcd/test-infra/tftestenv v0.0.0-20250519112614-4450eea17b00 h1:hU0IM9zG6xaasycHPOPdUlDLtg6tfN1bZ8GTv4iwkRQ= github.com/fluxcd/test-infra/tftestenv v0.0.0-20250519112614-4450eea17b00/go.mod h1:liFlLEXgambGVdWSJ4JzbIHf1Vjpp1HwUyPazPIVZug= github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= 
@@ -456,8 +456,8 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.30.0 h1:BgcpHewrV5AUp2G9MebG4XPFI1E2W41zU1SaqVA9vJY= -golang.org/x/tools v0.30.0/go.mod h1:c347cR/OJfw5TI+GfX7RUPNMdDRRbjvYTS0jPyvsVtY= +golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc= +golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= From 572e58d64d9cba0e2f4231d63bc2617bf0f42885 Mon Sep 17 00:00:00 2001 From: Johannes Ibald Date: Wed, 4 Jun 2025 11:11:40 +0200 Subject: [PATCH 02/12] correct small typo Signed-off-by: Johannes Ibald Signed-off-by: S. M. Mohiuddin Khan Shiam <147746955+mohiuddin-khan-shiam@users.noreply.github.com> --- cmd/flux/bootstrap_gitlab.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/flux/bootstrap_gitlab.go b/cmd/flux/bootstrap_gitlab.go index 896bd392..9f4510ca 100644 --- a/cmd/flux/bootstrap_gitlab.go +++ b/cmd/flux/bootstrap_gitlab.go 
@@ -42,7 +42,7 @@ import ( var bootstrapGitLabCmd = &cobra.Command{ Use: "gitlab", Short: "Deploy Flux on a cluster connected to a GitLab repository", - Long: `The bootstrap gitlab command creates the GitLab repository if it doesn't exists and + Long: `The bootstrap gitlab command creates the GitLab repository if it doesn't exist and commits the Flux manifests to the specified branch. Then it configures the target cluster to synchronize with that repository. If the Flux components are present on the cluster, From 161da6cd4c10ae13d4ded955c261f06ec7e70034 Mon Sep 17 00:00:00 2001 From: Matheus Pimenta Date: Wed, 14 May 2025 09:04:44 +0100 Subject: [PATCH 03/12] Remove credentials sync manifests Signed-off-by: Matheus Pimenta 
Signed-off-by: S. M. Mohiuddin Khan Shiam <147746955+mohiuddin-khan-shiam@users.noreply.github.com> --- manifests/integrations/Makefile | 14 -- .../_base/kubectl-patch.yaml | 32 ----- .../_base/kustomization.yaml | 23 --- .../_base/kustomizeconfig.yaml | 3 - .../eventhub-credentials-sync/_base/sync.yaml | 133 ------------------ .../_cronjobs/_base/kubectl-patch.yaml | 30 ---- .../_cronjobs/_base/kustomization.yaml | 23 --- .../_cronjobs/_base/kustomizeconfig.yaml | 3 - .../_cronjobs/_base/sync.yaml | 109 -------------- .../_cronjobs/azure/az-identity.yaml | 16 --- .../_cronjobs/azure/config-patches.yaml | 41 ------ .../_cronjobs/azure/kustomization.yaml | 27 ---- .../_cronjobs/azure/kustomizeconfig.yaml | 7 - .../_cronjobs/azure/reconcile-patch.yaml | 27 ---- .../_cronjobs/generic/config-patches.yaml | 15 -- .../_cronjobs/generic/kustomization.yaml | 17 --- .../_cronjobs/generic/reconcile-patch.yaml | 42 ------ .../generic/secret-azure-credentials.yaml | 14 -- .../azure/az-identity.yaml | 16 --- .../azure/config-patches.yaml | 39 ----- .../azure/kustomization.yaml | 27 ---- .../azure/kustomizeconfig.yaml | 7 - .../azure/reconcile-patch.yaml | 26 ---- .../generic/config-patches.yaml | 17 --- .../generic/kustomization.yaml | 17 --- .../generic/reconcile-patch.yaml | 41 ------ .../generic/secret-azure-credentials.yaml | 14 -- .../_base/kubectl-patch.yaml | 28 ---- .../_base/kustomization.yaml | 23 --- .../_base/kustomizeconfig.yaml | 3 - .../registry-credentials-sync/_base/sync.yaml | 125 ---------------- .../_cronjobs/_base/kubectl-patch.yaml | 30 ---- .../_cronjobs/_base/kustomization.yaml | 23 --- .../_cronjobs/_base/kustomizeconfig.yaml | 3 - .../_cronjobs/_base/sync.yaml | 101 ------------- .../_cronjobs/aws/config-patches.yaml | 52 ------- .../_cronjobs/aws/kustomization.yaml | 25 ---- .../_cronjobs/aws/reconcile-patch.yaml | 29 ---- .../_cronjobs/azure/az-identity.yaml | 16 --- .../_cronjobs/azure/config-patches.yaml | 41 ------ 
.../_cronjobs/azure/kustomization.yaml | 27 ---- .../_cronjobs/azure/kustomizeconfig.yaml | 7 - .../_cronjobs/azure/reconcile-patch.yaml | 30 ---- .../_cronjobs/gcp/config-patches.yaml | 28 ---- .../_cronjobs/gcp/kustomization.yaml | 15 -- .../_cronjobs/gcp/reconcile-patch.yaml | 29 ---- .../aws/config-patches.yaml | 42 ------ .../aws/kustomization.yaml | 25 ---- .../aws/reconcile-patch.yaml | 28 ---- .../azure/az-identity.yaml | 16 --- .../azure/config-patches.yaml | 39 ----- .../azure/kustomization.yaml | 27 ---- .../azure/kustomizeconfig.yaml | 7 - .../azure/reconcile-patch.yaml | 30 ---- .../gcp/config-patches.yaml | 20 --- .../gcp/kustomization.yaml | 15 -- .../gcp/reconcile-patch.yaml | 28 ---- 57 files changed, 1692 deletions(-) delete mode 100644 manifests/integrations/Makefile delete mode 100644 manifests/integrations/eventhub-credentials-sync/_base/kubectl-patch.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_base/kustomizeconfig.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_base/sync.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kubectl-patch.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomizeconfig.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/sync.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/az-identity.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/config-patches.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomization.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml delete mode 100644 
manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/reconcile-patch.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/config-patches.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomization.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/reconcile-patch.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/secret-azure-credentials.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/azure/az-identity.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/azure/config-patches.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/azure/kustomization.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/azure/kustomizeconfig.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/azure/reconcile-patch.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/generic/config-patches.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/generic/kustomization.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/generic/reconcile-patch.yaml delete mode 100644 manifests/integrations/eventhub-credentials-sync/generic/secret-azure-credentials.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_base/kubectl-patch.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_base/kustomization.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_base/kustomizeconfig.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_base/sync.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/_base/kubectl-patch.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml delete mode 100644 
manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomizeconfig.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/_base/sync.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/aws/config-patches.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/aws/reconcile-patch.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/azure/az-identity.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/azure/config-patches.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/azure/reconcile-patch.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/gcp/config-patches.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/gcp/kustomization.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/_cronjobs/gcp/reconcile-patch.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/aws/config-patches.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/aws/kustomization.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/aws/reconcile-patch.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/azure/az-identity.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/azure/config-patches.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/azure/kustomization.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/azure/kustomizeconfig.yaml delete mode 100644 
manifests/integrations/registry-credentials-sync/azure/reconcile-patch.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/gcp/config-patches.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/gcp/kustomization.yaml delete mode 100644 manifests/integrations/registry-credentials-sync/gcp/reconcile-patch.yaml diff --git a/manifests/integrations/Makefile b/manifests/integrations/Makefile deleted file mode 100644 index ebe8d320..00000000 --- a/manifests/integrations/Makefile +++ /dev/null @@ -1,14 +0,0 @@ - -bases := $(shell dirname $(shell find | grep kustomization.yaml | sort)) - -all: $(bases) - -permutations := $(bases) $(addsuffix /,$(bases)) -.PHONY: $(permutations) -$(permutations): - @echo $@ - @warnings=$$(kustomize build $@ -o /dev/null 2>&1); \ - if [ "$$warnings" ]; then \ - echo "$$warnings"; \ - false; \ - fi diff --git a/manifests/integrations/eventhub-credentials-sync/_base/kubectl-patch.yaml b/manifests/integrations/eventhub-credentials-sync/_base/kubectl-patch.yaml deleted file mode 100644 index 552c16de..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_base/kubectl-patch.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: credentials-sync-eventhub - namespace: flux-system -spec: - template: - spec: - initContainers: - - image: ghcr.io/fluxcd/flux-cli:v0.17.2 - securityContext: - privileged: false - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - name: copy-kubectl - # it's okay to do this because kubectl is a statically linked binary - command: - - sh - - -ceu - - cp $(which kubectl) /kbin/ - resources: {} - volumeMounts: - - name: kbin - mountPath: /kbin - containers: - - name: sync - volumeMounts: - - name: kbin - mountPath: /kbin - volumes: - - name: kbin - emptyDir: {} 
diff --git a/manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml deleted file mode 100644 index c4a8a062..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -commonLabels: - app: credentials-sync-eventhub - -resources: - - sync.yaml - -patchesStrategicMerge: - - kubectl-patch.yaml - -vars: - - name: KUBE_SECRET - objref: - kind: ConfigMap - name: credentials-sync-eventhub - apiVersion: v1 - fieldref: - fieldpath: data.KUBE_SECRET - -configurations: - - kustomizeconfig.yaml diff --git a/manifests/integrations/eventhub-credentials-sync/_base/kustomizeconfig.yaml b/manifests/integrations/eventhub-credentials-sync/_base/kustomizeconfig.yaml deleted file mode 100644 index 61edffd4..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_base/kustomizeconfig.yaml +++ /dev/null @@ -1,3 +0,0 @@ -varReference: -- path: rules/resourceNames - kind: Role diff --git a/manifests/integrations/eventhub-credentials-sync/_base/sync.yaml b/manifests/integrations/eventhub-credentials-sync/_base/sync.yaml deleted file mode 100644 index 9e8ab4f5..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_base/sync.yaml +++ /dev/null 
@@ -1,133 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: credentials-sync-eventhub -data: - # Patch this ConfigMap with additional values needed for your cloud - KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace - ADDRESS: "fluxv2" # the Azure Event Hub name - SYNC_PERIOD: "3600" # tokens expire; refresh faster than that - ---- -# This Deployment frequently fetches registry tokens and applies them as an imagePullSecret. -# It's done as a 1-replica Deployment rather than a CronJob, because CronJob scheduling can -# block cluster bootstraps and cold-reboots from obtaining registry tokens for a considerable time. -# This deployment will immediately fetch a token, which reduces latency for working image updates. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: credentials-sync-eventhub - namespace: flux-system -spec: - replicas: 1 - strategy: - type: Recreate - template: - spec: - serviceAccountName: credentials-sync-eventhub - securityContext: - runAsNonRoot: true - runAsUser: 1001 - containers: - - image: busybox # override this with a cloud-specific image - name: sync - envFrom: - - configMapRef: - name: credentials-sync-eventhub - env: - - name: RECONCILE_SH # override this env var with a shell function in a kustomize patch - value: |- - reconcile() { - echo reconciling... 
- } - command: - - bash - - -ceu - - |- - # template reconcile() into the script - # env var is expanded by k8s before the pod starts - $(RECONCILE_SH) - - apply-secret() { - /kbin/kubectl create secret generic "$1" \ - --from-literal=token="$2" \ - --from-literal=address="$3" \ - --dry-run=client -o=yaml \ - | grep -v "creationTimestamp:" \ - | /kbin/kubectl apply -f - - } - - pause_loop() { - sleep "$SYNC_PERIOD" || true - } - - graceful_exit() { - echo "Trapped signal -- $(date)" - job_ids="$( - jobs \ - | grep "pause_loop" \ - | cut -d] -f1 \ - | tr [ % - )" - # shellcheck disable=SC2086 - if [ "$job_ids" ]; then - kill $job_ids - fi - wait - echo "Graceful exit -- $(date)" - } - - trap graceful_exit INT TERM - - echo "Loop started (period: $SYNC_PERIOD s) -- $(date)" - while true; do - reconcile & wait $! - pause_loop & wait $! - done - resources: {} - volumeMounts: - - mountPath: /.azure - name: cache-volume - volumes: - - emptyDir: {} - name: cache-volume - -# RBAC necessary for our Deployment to apply our secret that will store the JWT token ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: credentials-sync-eventhub - namespace: flux-system -rules: - - apiGroups: [""] - resources: - - secrets - verbs: - - get - - create - - update - - patch - # Lock this down to the specific Secret name (Optional) - #resourceNames: - # - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: credentials-sync-eventhub - namespace: flux-system -subjects: - - kind: ServiceAccount - name: credentials-sync-eventhub -roleRef: - kind: Role - name: credentials-sync-eventhub - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: credentials-sync-eventhub - namespace: flux-system 
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kubectl-patch.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kubectl-patch.yaml deleted file mode 100644 index e9d07a71..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kubectl-patch.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: credentials-sync-eventhub - namespace: flux-system -spec: - jobTemplate: - spec: - template: - spec: - initContainers: - - image: ghcr.io/fluxcd/flux-cli:v0.17.2 - name: copy-kubectl - # it's okay to do this because kubectl is a statically linked binary - command: - - sh - - -ceu - - cp $(which kubectl) /kbin/ - resources: {} - volumeMounts: - - name: kbin - mountPath: /kbin - containers: - - name: sync - volumeMounts: - - name: kbin - mountPath: /kbin - volumes: - - name: kbin - emptyDir: {} diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml deleted file mode 100644 index c4a8a062..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -commonLabels: - app: credentials-sync-eventhub - -resources: - - sync.yaml - -patchesStrategicMerge: - - kubectl-patch.yaml - -vars: - - name: KUBE_SECRET - objref: - kind: ConfigMap - name: credentials-sync-eventhub - apiVersion: v1 - fieldref: - fieldpath: data.KUBE_SECRET - -configurations: - - kustomizeconfig.yaml diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomizeconfig.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomizeconfig.yaml deleted file mode 100644 index 61edffd4..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomizeconfig.yaml +++ /dev/null 
@@ -1,3 +0,0 @@ -varReference: -- path: rules/resourceNames - kind: Role diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/sync.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/sync.yaml deleted file mode 100644 index f2525d96..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/sync.yaml +++ /dev/null 
@@ -1,109 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: credentials-sync-eventhub -data: - # Patch this ConfigMap with additional values needed for your cloud - KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace - ADDRESS: "fluxv2" # the Azure Event Hub name - ---- -# This CronJob frequently fetches registry tokens and applies them as an imagePullSecret. -# note: CronJob scheduling can block cluster bootstraps and cold-reboots from obtaining registry tokens for a considerable time. -# To run the job immediately, do `kubectl create job --from=cronjob/credentials-sync-eventhub -n flux-system credentials-sync-eventhub-init` -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: credentials-sync-eventhub - namespace: flux-system -spec: - suspend: false - schedule: 0 */6 * * * - failedJobsHistoryLimit: 1 - successfulJobsHistoryLimit: 1 - jobTemplate: - spec: - template: - spec: - serviceAccountName: credentials-sync-eventhub - securityContext: - runAsNonRoot: true - runAsUser: 1001 - restartPolicy: Never - containers: - - image: busybox # override this with a cloud-specific image - name: sync - envFrom: - - configMapRef: - name: credentials-sync-eventhub - env: - - name: RECONCILE_SH # override this env var with a shell function in a kustomize patch - value: |- - reconcile() { - echo reconciling... 
- } - command: - - bash - - -ceu - - |- - # template reconcile() into the script - # env var is expanded by k8s before the pod starts - $(RECONCILE_SH) - - apply-secret() { - /kbin/kubectl create secret generic "$1" \ - --from-literal=token="$2" \ - --from-literal=address="$3" \ - --dry-run=client -o=yaml \ - | grep -v "creationTimestamp:" \ - | /kbin/kubectl apply -f - - } - - reconcile - resources: {} - volumeMounts: - - mountPath: /.azure - name: cache-volume - volumes: - - emptyDir: {} - name: cache-volume - -# RBAC necessary for our Deployment to apply our secret that will store the JWT token ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: credentials-sync-eventhub - namespace: flux-system -rules: - - apiGroups: [""] - resources: - - secrets - verbs: - - get - - create - - update - - patch - # Lock this down to the specific Secret name (Optional) - resourceNames: - - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: credentials-sync-eventhub - namespace: flux-system -subjects: - - kind: ServiceAccount - name: credentials-sync-eventhub -roleRef: - kind: Role - name: credentials-sync-eventhub - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: credentials-sync-eventhub - namespace: flux-system diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/az-identity.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/az-identity.yaml deleted file mode 100644 index 38fa05ff..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/az-identity.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -# This is a stub resource patched by config-patches.yaml, so that all config is visible in one file ---- -apiVersion: aadpodidentity.k8s.io/v1 -kind: AzureIdentity -metadata: - name: lab # if this is changed, also change in config-patches.yaml - namespace: flux-system ---- -apiVersion: aadpodidentity.k8s.io/v1 -kind: AzureIdentityBinding -metadata: - name: lab - namespace: flux-system -spec: - azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name - selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/config-patches.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/config-patches.yaml deleted file mode 100644 index 8e8bc3a3..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/config-patches.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: credentials-sync-eventhub -data: - KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace - ADDRESS: "fluxv2" # the Azure Event Hub name - -# Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub): -# az identity create -n eventhub-write -# az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)" -# Fetch the clientID and resourceID to configure the AzureIdentity spec below: -# az identity show -n eventhub-write -otsv --query clientId -# az identity show -n eventhub-write -otsv --query resourceId ---- -apiVersion: aadpodidentity.k8s.io/v1 -kind: AzureIdentity -metadata: - name: lab - namespace: flux-system -spec: - clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000 - resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write - type: 0 - -# Set the reconcile period + specify the pod-identity via the aadpodidbinding label ---- -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: credentials-sync-eventhub - namespace: flux-system -spec: - schedule: 0 * * * * # JWT tokens expire every 24 hours; refresh faster than that - jobTemplate: - spec: - template: - metadata: - labels: - aadpodidbinding: $(AZ_IDENTITY_NAME) # match the AzureIdentity name diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomization.yaml deleted file mode 100644 index f5ca8d55..00000000 --- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomization.yaml +++ /dev/null 
@@ -1,27 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namePrefix: jwt-
-commonLabels:
- app: jwt-eventhub-credentials-sync
-
-namespace: flux-system
-
-bases:
- - ../_base
-resources:
- - az-identity.yaml
-
-patchesStrategicMerge:
- - config-patches.yaml
- - reconcile-patch.yaml
-
-vars:
- - name: AZ_IDENTITY_NAME
- objref:
- kind: AzureIdentity
- name: lab
- apiVersion: aadpodidentity.k8s.io/v1
-
-configurations:
- - kustomizeconfig.yaml
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml
deleted file mode 100644
index 09c76747..00000000
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-varReference:
-- path: spec/jobTemplate/spec/template/metadata/labels
- kind: CronJob
-- path: spec/azureIdentity
- kind: AzureIdentityBinding
-- path: spec/selector
- kind: AzureIdentityBinding
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/reconcile-patch.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/reconcile-patch.yaml
deleted file mode 100644
index 1e96e536..00000000
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/reconcile-patch.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: batch/v1beta1
-kind: CronJob
-metadata:
- name: credentials-sync-eventhub
- namespace: flux-system
-spec:
- jobTemplate:
- spec:
- template:
- spec:
- containers:
- - name: sync
- image: mcr.microsoft.com/azure-cli
- env:
- - name: RECONCILE_SH
- value: |-
- reconcile() {
- echo "Starting JWT token sync -- $(date)"
- echo "Logging into Azure"
- az login --identity
- echo "Getting JWT token"
- token=$(az account get-access-token --resource https://eventhubs.azure.net |jq -r .accessToken)
- echo "Creating secret: ${KUBE_SECRET}"
- apply-secret "${KUBE_SECRET}" ${token} "${ADDRESS}"
- echo "Finished JWT token sync -- $(date)"
- echo
- }
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/config-patches.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/config-patches.yaml
deleted file mode 100644
index 5eb1d262..00000000
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/config-patches.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: credentials-sync-eventhub
-data:
- KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
- ADDRESS: "fluxv2" # the Azure Event Hub name
-
-# Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub):
-# az identity create -n eventhub-write
-# az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)"
-# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
-# az identity show -n eventhub-write -otsv --query clientId
-# az identity show -n eventhub-write -otsv --query resourceId
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomization.yaml
deleted file mode 100644
index c67b113d..00000000
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomization.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namePrefix: jwt-
-commonLabels:
- app: jwt-eventhub-credentials-sync
-
-namespace: flux-system
-
-bases:
- - ../_base
-resources:
- - secret-azure-credentials.yaml
-
-patchesStrategicMerge:
- - config-patches.yaml
- - reconcile-patch.yaml
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/reconcile-patch.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/reconcile-patch.yaml
deleted file mode 100644
index 67eebfc9..00000000
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/reconcile-patch.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-apiVersion: batch/v1beta1
-kind: CronJob
-metadata:
- name: credentials-sync-eventhub
- namespace: flux-system
-spec:
- jobTemplate:
- spec:
- template:
- spec:
- containers:
- - name: sync
- image: mcr.microsoft.com/azure-cli
- env:
- - name: RECONCILE_SH
- value: |-
- reconcile() {
- echo "Starting JWT token sync -- $(date)"
- echo "Logging into Azure"
- az login --service-principal -u ${AZURE_CLIENT_ID} -p ${AZURE_CLIENT_SECRET} --tenant ${AZURE_TENANT_ID}
- echo "Getting JWT token"
- token=$(az account get-access-token --resource https://eventhubs.azure.net |jq -r .accessToken)
- echo "Creating secret: ${KUBE_SECRET}"
- apply-secret "${KUBE_SECRET}" ${token} "${ADDRESS}"
- echo "Finished JWT token sync -- $(date)"
- echo
- }
- - name: AZURE_CLIENT_ID
- valueFrom:
- secretKeyRef:
- name: azure-credentials
- key: AZURE_CLIENT_ID
- - name: AZURE_CLIENT_SECRET
- valueFrom:
- secretKeyRef:
- name: azure-credentials
- key: AZURE_CLIENT_SECRET
- - name: AZURE_TENANT_ID
- valueFrom:
- secretKeyRef:
- name: azure-credentials
- key: AZURE_TENANT_ID
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/secret-azure-credentials.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/secret-azure-credentials.yaml
deleted file mode 100644
index af2da5b3..00000000
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/secret-azure-credentials.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-data:
- AZURE_CLIENT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA==
- AZURE_CLIENT_SECRET: c28tbXVjaC1zZWNyZXQ=
- AZURE_TENANT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA==
-kind: Secret
-metadata:
- name: azure-credentials
- namespace: flux-system
-type: Opaque
-# This is just a example secret, you should never store secrets in git.
-# One way forward can be to use sealed-secrets or SOPS
-# https://fluxcd.io/flux/guides/sealed-secrets/
-# https://fluxcd.io/flux/guides/mozilla-sops/
diff --git a/manifests/integrations/eventhub-credentials-sync/azure/az-identity.yaml b/manifests/integrations/eventhub-credentials-sync/azure/az-identity.yaml
deleted file mode 100644
index 32d8b574..00000000
--- a/manifests/integrations/eventhub-credentials-sync/azure/az-identity.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# This is a stub resource patched by config-patches.yaml, so that all config is visible in one file
----
-apiVersion: aadpodidentity.k8s.io/v1
-kind: AzureIdentity
-metadata:
- name: lab # if this is changed, also change in config-patches.yaml
- namespace: flux-system
----
-apiVersion: aadpodidentity.k8s.io/v1
-kind: AzureIdentityBinding
-metadata:
- name: lab # this can have a different name, but it's nice to keep them the same
- namespace: flux-system
-spec:
- azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
- selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
diff --git a/manifests/integrations/eventhub-credentials-sync/azure/config-patches.yaml b/manifests/integrations/eventhub-credentials-sync/azure/config-patches.yaml
deleted file mode 100644
index 3967cbb7..00000000
--- a/manifests/integrations/eventhub-credentials-sync/azure/config-patches.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: credentials-sync-eventhub
-data:
- KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
- ADDRESS: "fluxv2" # the Azure Event Hub name
- SYNC_PERIOD: "3600" # tokens expire; refresh faster than that
-
-# Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub):
-# az identity create -n eventhub-write
-# az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)"
-# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
-# az identity show -n eventhub-write -otsv --query clientId
-# az identity show -n eventhub-write -otsv --query resourceId
----
-apiVersion: aadpodidentity.k8s.io/v1
-kind: AzureIdentity
-metadata:
- name: lab
- namespace: flux-system
-spec:
- clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
- resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write
- type: 0
-
-# Specify the pod-identity via the aadpodidbinding label
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: credentials-sync-eventhub
- namespace: flux-system
-spec:
- template:
- metadata:
- labels:
- aadpodidbinding: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
diff --git a/manifests/integrations/eventhub-credentials-sync/azure/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/azure/kustomization.yaml
deleted file mode 100644
index f5ca8d55..00000000
--- a/manifests/integrations/eventhub-credentials-sync/azure/kustomization.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namePrefix: jwt-
-commonLabels:
- app: jwt-eventhub-credentials-sync
-
-namespace: flux-system
-
-bases:
- - ../_base
-resources:
- - az-identity.yaml
-
-patchesStrategicMerge:
- - config-patches.yaml
- - reconcile-patch.yaml
-
-vars:
- - name: AZ_IDENTITY_NAME
- objref:
- kind: AzureIdentity
- name: lab
- apiVersion: aadpodidentity.k8s.io/v1
-
-configurations:
- - kustomizeconfig.yaml
diff --git a/manifests/integrations/eventhub-credentials-sync/azure/kustomizeconfig.yaml b/manifests/integrations/eventhub-credentials-sync/azure/kustomizeconfig.yaml
deleted file mode 100644
index da4d902d..00000000
--- a/manifests/integrations/eventhub-credentials-sync/azure/kustomizeconfig.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-varReference:
-- path: spec/template/metadata/labels
- kind: Deployment
-- path: spec/azureIdentity
- kind: AzureIdentityBinding
-- path: spec/selector
- kind: AzureIdentityBinding
diff --git a/manifests/integrations/eventhub-credentials-sync/azure/reconcile-patch.yaml b/manifests/integrations/eventhub-credentials-sync/azure/reconcile-patch.yaml
deleted file mode 100644
index 88d9086a..00000000
--- a/manifests/integrations/eventhub-credentials-sync/azure/reconcile-patch.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: credentials-sync-eventhub
- namespace: flux-system
-spec:
- template:
- spec:
- containers:
- - name: sync
- image: mcr.microsoft.com/azure-cli
- env:
- - name: RECONCILE_SH
- value: |-
- reconcile() {
- echo "Starting JWT token sync -- $(date)"
- echo "Logging into Azure"
- az login --identity
- echo "Getting JWT token"
- token=$(az account get-access-token --resource https://eventhubs.azure.net |jq -r .accessToken)
- echo "Creating secret: ${KUBE_SECRET}"
- apply-secret "${KUBE_SECRET}" ${token} "${ADDRESS}"
- echo "Finished JWT token sync -- $(date)"
- echo
- }
diff --git a/manifests/integrations/eventhub-credentials-sync/generic/config-patches.yaml b/manifests/integrations/eventhub-credentials-sync/generic/config-patches.yaml
deleted file mode 100644
index 9c1ca794..00000000
--- a/manifests/integrations/eventhub-credentials-sync/generic/config-patches.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: credentials-sync-eventhub
-data:
- KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
- ADDRESS: "fluxv2" # the Azure Event Hub name
- SYNC_PERIOD: "3600" # tokens expire; refresh faster than that
-
-# Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub):
-# az identity create -n eventhub-write
-# az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)"
-# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
-# az identity show -n eventhub-write -otsv --query clientId
-# az identity show -n eventhub-write -otsv --query resourceId
-# Specify the pod-identity via the aadpodidbinding label
diff --git a/manifests/integrations/eventhub-credentials-sync/generic/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/generic/kustomization.yaml
deleted file mode 100644
index c67b113d..00000000
--- a/manifests/integrations/eventhub-credentials-sync/generic/kustomization.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namePrefix: jwt-
-commonLabels:
- app: jwt-eventhub-credentials-sync
-
-namespace: flux-system
-
-bases:
- - ../_base
-resources:
- - secret-azure-credentials.yaml
-
-patchesStrategicMerge:
- - config-patches.yaml
- - reconcile-patch.yaml
diff --git a/manifests/integrations/eventhub-credentials-sync/generic/reconcile-patch.yaml b/manifests/integrations/eventhub-credentials-sync/generic/reconcile-patch.yaml
deleted file mode 100644
index 89953444..00000000
--- a/manifests/integrations/eventhub-credentials-sync/generic/reconcile-patch.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: credentials-sync-eventhub
- namespace: flux-system
-spec:
- template:
- spec:
- containers:
- - name: sync
- image: mcr.microsoft.com/azure-cli
- env:
- - name: RECONCILE_SH
- value: |-
- reconcile() {
- echo "Starting JWT token sync -- $(date)"
- echo "Logging into Azure"
- az login --service-principal -u ${AZURE_CLIENT_ID} -p ${AZURE_CLIENT_SECRET} --tenant ${AZURE_TENANT_ID}
- echo "Getting JWT token"
- token=$(az account get-access-token --resource https://eventhubs.azure.net |jq -r .accessToken)
- echo "Creating secret: ${KUBE_SECRET}"
- apply-secret "${KUBE_SECRET}" ${token} "${ADDRESS}"
- echo "Finished JWT token sync -- $(date)"
- echo
- }
- - name: AZURE_CLIENT_ID
- valueFrom:
- secretKeyRef:
- name: azure-credentials
- key: AZURE_CLIENT_ID
- - name: AZURE_CLIENT_SECRET
- valueFrom:
- secretKeyRef:
- name: azure-credentials
- key: AZURE_CLIENT_SECRET
- - name: AZURE_TENANT_ID
- valueFrom:
- secretKeyRef:
- name: azure-credentials
- key: AZURE_TENANT_ID
diff --git a/manifests/integrations/eventhub-credentials-sync/generic/secret-azure-credentials.yaml b/manifests/integrations/eventhub-credentials-sync/generic/secret-azure-credentials.yaml
deleted file mode 100644
index 8a6d8a2c..00000000
--- a/manifests/integrations/eventhub-credentials-sync/generic/secret-azure-credentials.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-data:
- AZURE_CLIENT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA==
- AZURE_CLIENT_SECRET: c28tbXVjaC1zZWNyZXQ=
- AZURE_TENANT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA==
-kind: Secret
-metadata:
- name: azure-credentials
- namespace: flux-system
-type: Opaque
-# This is just a example secret, you should never store secrets in git.
-# One way forward can be to use sealed-secrets or SOPS
-# https://fluxcd.io/docs/guides/sealed-secrets/
-# https://fluxcd.io/docs/guides/mozilla-sops/
diff --git a/manifests/integrations/registry-credentials-sync/_base/kubectl-patch.yaml b/manifests/integrations/registry-credentials-sync/_base/kubectl-patch.yaml
deleted file mode 100644
index 501e940e..00000000
--- a/manifests/integrations/registry-credentials-sync/_base/kubectl-patch.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: credentials-sync
- namespace: flux-system
-spec:
- template:
- spec:
- initContainers:
- - image: ghcr.io/fluxcd/flux-cli:v0.17.2
- name: copy-kubectl
- # it's okay to do this because kubectl is a statically linked binary
- command:
- - sh
- - -ceu
- - cp $(which kubectl) /kbin/
- resources: {}
- volumeMounts:
- - name: kbin
- mountPath: /kbin
- containers:
- - name: sync
- volumeMounts:
- - name: kbin
- mountPath: /kbin
- volumes:
- - name: kbin
- emptyDir: {}
diff --git a/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml
deleted file mode 100644
index 2218f2b8..00000000
--- a/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-commonLabels:
- app: credentials-sync
-
-resources:
-- sync.yaml
-
-patchesStrategicMerge:
- - kubectl-patch.yaml
-
-vars:
-- name: KUBE_SECRET
- objref:
- kind: ConfigMap
- name: credentials-sync
- apiVersion: v1
- fieldref:
- fieldpath: data.KUBE_SECRET
-
-configurations:
-- kustomizeconfig.yaml
diff --git a/manifests/integrations/registry-credentials-sync/_base/kustomizeconfig.yaml b/manifests/integrations/registry-credentials-sync/_base/kustomizeconfig.yaml
deleted file mode 100644
index 61edffd4..00000000
--- a/manifests/integrations/registry-credentials-sync/_base/kustomizeconfig.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-varReference:
-- path: rules/resourceNames
- kind: Role
diff --git a/manifests/integrations/registry-credentials-sync/_base/sync.yaml b/manifests/integrations/registry-credentials-sync/_base/sync.yaml
deleted file mode 100644
index 913b94e2..00000000
--- a/manifests/integrations/registry-credentials-sync/_base/sync.yaml
+++ /dev/null
@@ -1,125 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: credentials-sync -data: - # Patch this ConfigMap with additional values needed for your cloud - KUBE_SECRET: my-registry-token # does not yet exist -- will be created in the same Namespace - SYNC_PERIOD: "3600" # tokens expire; refresh faster than that - ---- -# This Deployment frequently fetches registry tokens and applies them as an imagePullSecret. -# It's done as a 1-replica Deployment rather than a CronJob, because CronJob scheduling can -# block cluster bootstraps and cold-reboots from obtaining registry tokens for a considerable time. -# This deployment will immediately fetch a token, which reduces latency for working image updates. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: credentials-sync - namespace: flux-system -spec: - replicas: 1 - strategy: - type: Recreate - template: - spec: - serviceAccountName: credentials-sync - containers: - - image: busybox # override this with a cloud-specific image - name: sync - envFrom: - - configMapRef: - name: credentials-sync - env: - - name: RECONCILE_SH # override this env var with a shell function in a kustomize patch - value: |- - reconcile() { - echo reconciling... 
- } - command: - - bash - - -ceu - - |- - # template reconcile() into the script - # env var is expanded by k8s before the pod starts - $(RECONCILE_SH) - - apply-secret() { - /kbin/kubectl create secret docker-registry "$1" \ - --docker-password="$2" \ - --docker-username="$3" \ - --docker-server="$4" \ - --dry-run=client -o=yaml \ - | grep -v "creationTimestamp:" \ - | /kbin/kubectl apply -f - - } - - pause_loop() { - sleep "$SYNC_PERIOD" || true - } - - graceful_exit() { - echo "Trapped signal -- $(date)" - job_ids="$( - jobs \ - | grep "pause_loop" \ - | cut -d] -f1 \ - | tr [ % - )" - # shellcheck disable=SC2086 - if [ "$job_ids" ]; then - kill $job_ids - fi - wait - echo "Graceful exit -- $(date)" - } - - trap graceful_exit INT TERM - - echo "Loop started (period: $SYNC_PERIOD s) -- $(date)" - while true; do - reconcile & wait $! - pause_loop & wait $! - done - resources: {} - - -# RBAC necessary for our Deployment to apply our imagePullSecret ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: credentials-sync - namespace: flux-system -rules: -- apiGroups: [""] - resources: - - secrets - verbs: - - get - - create - - update - - patch - # # Lock this down to the specific Secret name (Optional) - #resourceNames: - #- $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: credentials-sync - namespace: flux-system -subjects: -- kind: ServiceAccount - name: credentials-sync -roleRef: - kind: Role - name: credentials-sync - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: credentials-sync - namespace: flux-system diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kubectl-patch.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kubectl-patch.yaml deleted file mode 100644 index ad4e6404..00000000 
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kubectl-patch.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: batch/v1beta1
-kind: CronJob
-metadata:
- name: credentials-sync
- namespace: flux-system
-spec:
- jobTemplate:
- spec:
- template:
- spec:
- initContainers:
- - image: ghcr.io/fluxcd/flux-cli:v0.17.2
- name: copy-kubectl
- # it's okay to do this because kubectl is a statically linked binary
- command:
- - sh
- - -ceu
- - cp $(which kubectl) /kbin/
- resources: {}
- volumeMounts:
- - name: kbin
- mountPath: /kbin
- containers:
- - name: sync
- volumeMounts:
- - name: kbin
- mountPath: /kbin
- volumes:
- - name: kbin
- emptyDir: {}
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml
deleted file mode 100644
index 2218f2b8..00000000
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-commonLabels:
- app: credentials-sync
-
-resources:
-- sync.yaml
-
-patchesStrategicMerge:
- - kubectl-patch.yaml
-
-vars:
-- name: KUBE_SECRET
- objref:
- kind: ConfigMap
- name: credentials-sync
- apiVersion: v1
- fieldref:
- fieldpath: data.KUBE_SECRET
-
-configurations:
-- kustomizeconfig.yaml
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomizeconfig.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomizeconfig.yaml
deleted file mode 100644
index 61edffd4..00000000
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomizeconfig.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-varReference:
-- path: rules/resourceNames
- kind: Role
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/sync.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/_base/sync.yaml
deleted file mode 100644
index fc00a3c6..00000000
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/sync.yaml
+++ /dev/null
@@ -1,101 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: credentials-sync -data: - # Patch this ConfigMap with additional values needed for your cloud - KUBE_SECRET: my-registry-token # does not yet exist -- will be created in the same Namespace - ---- -# This CronJob frequently fetches registry tokens and applies them as an imagePullSecret. -# note: CronJob scheduling can block cluster bootstraps and cold-reboots from obtaining registry tokens for a considerable time. -# To run the job immediately, do `kubectl create job --from=cronjob/credentials-sync -n flux-system credentials-sync-init` -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: credentials-sync - namespace: flux-system -spec: - suspend: false - schedule: 0 */6 * * * - failedJobsHistoryLimit: 1 - successfulJobsHistoryLimit: 1 - jobTemplate: - spec: - template: - spec: - serviceAccountName: credentials-sync - restartPolicy: Never - containers: - - image: busybox # override this with a cloud-specific image - name: sync - envFrom: - - configMapRef: - name: credentials-sync - env: - - name: RECONCILE_SH # override this env var with a shell function in a kustomize patch - value: |- - reconcile() { - echo reconciling... 
- } - command: - - bash - - -ceu - - |- - # template reconcile() into the script - # env var is expanded by k8s before the pod starts - $(RECONCILE_SH) - - apply-secret() { - /kbin/kubectl create secret docker-registry "$1" \ - --docker-password="$2" \ - --docker-username="$3" \ - --docker-server="$4" \ - --dry-run=client -o=yaml \ - | grep -v "creationTimestamp:" \ - | /kbin/kubectl apply -f - - } - - reconcile - resources: {} - - -# RBAC necessary for our Deployment to apply our imagePullSecret ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: credentials-sync - namespace: flux-system -rules: -- apiGroups: [""] - resources: - - secrets - verbs: - - get - - create - - update - - patch - # # Lock this down to the specific Secret name (Optional) - resourceNames: - - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: credentials-sync - namespace: flux-system -subjects: -- kind: ServiceAccount - name: credentials-sync -roleRef: - kind: Role - name: credentials-sync - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: credentials-sync - namespace: flux-system diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/config-patches.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/config-patches.yaml deleted file mode 100644 index 3c849225..00000000 --- a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/config-patches.yaml +++ /dev/null 
@@ -1,52 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: credentials-sync
-data:
- ECR_REGION: us-east-1 # set the region
- ECR_REGISTRY: .dkr.ecr..amazonaws.com # fill in the account id and region
- KUBE_SECRET: ecr-credentials # does not yet exist -- will be created in the same Namespace
-
-
-# Bind IRSA for the ServiceAccount
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: credentials-sync
- namespace: flux-system
- annotations:
- eks.amazonaws.com/role-arn: # set the ARN for your role
-
-
-# Set the reconcile period
----
-apiVersion: batch/v1beta1
-kind: CronJob
-metadata:
- name: credentials-sync
- namespace: flux-system
-spec:
- schedule: 0 */6 * * * # every 6hrs -- ECR tokens expire every 12 hours; refresh faster than that
-
-
-## If not using IRSA, set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
-## Store these values in a Secret and load them in the container using envFrom.
-## For managing this secret via GitOps, consider using SOPS or SealedSecrets and add that manifest in a resource file for this kustomize build.
-## https://fluxcd.io/docs/guides/mozilla-sops/
-## https://fluxcd.io/docs/guides/sealed-secrets/
-# ---
-# apiVersion: apps/v1
-# kind: Deployment
-# metadata:
-# name: credentials-sync
-# namespace: flux-system
-# spec:
-# template:
-# spec:
-# containers:
-# - name: sync
-# envFrom:
-# secretRef:
-# name: $(ECR_SECRET_NAME) # uncomment the var for this in kustomization.yaml
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml
deleted file mode 100644
index 6e58e58b..00000000
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namePrefix: ecr-
-commonLabels:
- app: ecr-credentials-sync
-
-namespace: flux-system
-
-bases:
-- ../_base
-## If not using IRSA, consider creating the following file via SOPS or SealedSecrets
-# - encrypted-secret.yaml
-
-patchesStrategicMerge:
-- config-patches.yaml
-- reconcile-patch.yaml
-
-## uncomment if using encrypted-secret.yaml
-# vars:
-# - name: ECR_SECRET_NAME
-# objref:
-# kind: Secret
-# name: credentials-sync
-# apiVersion: v1
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/reconcile-patch.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/aws/reconcile-patch.yaml
deleted file mode 100644
index 98264fed..00000000
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/aws/reconcile-patch.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-apiVersion: batch/v1beta1
-kind: CronJob
-metadata:
- name: credentials-sync
- namespace: flux-system
-spec:
- jobTemplate:
- spec:
- template:
- spec:
- containers:
- - name: sync
- image: mcr.microsoft.com/azure-cli
- env:
- - name: RECONCILE_SH
- value: |-
- reconcile() {
- echo "Starting ECR token sync -- $(date)"
- echo "Logging into ECR: ${ECR_REGION} -- ${ECR_REGISTRY}"
- token="$(aws ecr get-login-password --region "${ECR_REGION}")"
- user="AWS"
- server="${ECR_REGISTRY}"
-
- echo "Creating secret: ${KUBE_SECRET}"
- apply-secret "${KUBE_SECRET}" "${token}" "${user}" "${server}"
-
- echo "Finished ECR token sync -- $(date)"
- echo
- }
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/az-identity.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/az-identity.yaml
deleted file mode 100644
index 8b365507..00000000
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/az-identity.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# This is a stub resource patched by config-patches.yaml, so that all config is visible in one file
----
-apiVersion: aadpodidentity.k8s.io/v1
-kind: AzureIdentity
-metadata:
- name: credentials-sync # if this is changed, also change in config-patches.yaml
- namespace: flux-system
----
-apiVersion: aadpodidentity.k8s.io/v1
-kind: AzureIdentityBinding
-metadata:
- name: credentials-sync # this can have a different name, but it's nice to keep them the same
- namespace: flux-system
-spec:
- azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
- selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/config-patches.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/config-patches.yaml
deleted file mode 100644
index a6428860..00000000
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/config-patches.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: credentials-sync
-data:
- ACR_NAME: my-registry
- KUBE_SECRET: acr-my-registry # does not yet exist -- will be created in the same Namespace
-
-# Create an identity in Azure and assign it a role to pull from ACR (note: the identity's resourceGroup should match the desired ACR):
-# az identity create -n acr-sync
-# az role assignment create --role AcrPull --assignee-object-id "$(az identity show -n acr-sync -o tsv --query principalId)"
-# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
-# az identity show -n acr-sync -otsv --query clientId
-# az identity show -n acr-sync -otsv --query resourceId
----
-apiVersion: aadpodidentity.k8s.io/v1
-kind: AzureIdentity
-metadata:
- name: credentials-sync # name must match the stub-resource in az-identity.yaml
- namespace: flux-system
-spec:
- clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
- resourceID: /subscriptions/873c7e7f-76cd-4805-ae86-b923850b0000/resourcegroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/acr-sync
- type: 0 # user-managed identity
-
-# Set the reconcile period + specify the pod-identity via the aadpodidbinding label
----
-apiVersion: batch/v1beta1
-kind: CronJob
-metadata:
- name: credentials-sync
- namespace: flux-system
-spec:
- schedule: 0 * * * * # ACR tokens expire every 3 hours; refresh faster than that
- jobTemplate:
- spec:
- template:
- metadata:
- labels:
- aadpodidbinding: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml
deleted file mode 100644
index 54c333a9..00000000
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml
+++ /dev/null
@@ -1,27 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -namePrefix: acr- -commonLabels: - app: acr-credentials-sync - -namespace: flux-system - -bases: -- ../_base -resources: -- az-identity.yaml - -patchesStrategicMerge: -- config-patches.yaml -- reconcile-patch.yaml - -vars: -- name: AZ_IDENTITY_NAME - objref: - kind: AzureIdentity - name: credentials-sync - apiVersion: aadpodidentity.k8s.io/v1 - -configurations: -- kustomizeconfig.yaml diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml deleted file mode 100644 index 09c76747..00000000 --- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml +++ /dev/null @@ -1,7 +0,0 @@ -varReference: -- path: spec/jobTemplate/spec/template/metadata/labels - kind: CronJob -- path: spec/azureIdentity - kind: AzureIdentityBinding -- path: spec/selector - kind: AzureIdentityBinding diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/reconcile-patch.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/azure/reconcile-patch.yaml deleted file mode 100644 index 2a500af4..00000000 --- a/manifests/integrations/registry-credentials-sync/_cronjobs/azure/reconcile-patch.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: credentials-sync - namespace: flux-system -spec: - jobTemplate: - spec: - template: - spec: - containers: - - name: sync - image: mcr.microsoft.com/azure-cli - env: - - name: RECONCILE_SH - value: |- - reconcile() { - echo "Starting ACR token sync -- $(date)" - echo "Logging into Azure" - az login --identity - echo "Logging into ACR: ${ACR_NAME}" - output="$(az acr login --expose-token -o=tsv -n "${ACR_NAME}")" - read token server <<< "${output}" - user="00000000-0000-0000-0000-000000000000" - - apply-secret "${KUBE_SECRET}" "${token}" "${user}" "${server}" - - echo "Finished ACR token sync -- $(date)" - echo - } diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/config-patches.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/config-patches.yaml deleted file mode 100644 index fdbb39d1..00000000 --- a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/config-patches.yaml +++ /dev/null @@ -1,28 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: credentials-sync -data: - GCR_REGISTRY: gcr.io # set the registry - KUBE_SECRET: gcr-credentials # does not yet exist -- will be created in the same Namespace - -# Bind to the GCP service-account ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: credentials-sync - namespace: flux-system - annotations: - iam.gke.io/gcp-service-account: @.iam.gserviceaccount.com # set the GCP service-account - -# Set the reconcile period ---- -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: credentials-sync - namespace: flux-system -spec: - schedule: 0,30 * * * * # 30m interval -- GCR tokens expire every hour; refresh faster than that diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/kustomization.yaml deleted file mode 100644 index ea28e0b6..00000000 
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/kustomization.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -namePrefix: gcr- -commonLabels: - app: gcr-credentials-sync - -namespace: flux-system - -bases: -- ../_base - -patchesStrategicMerge: -- config-patches.yaml -- reconcile-patch.yaml diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/reconcile-patch.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/reconcile-patch.yaml deleted file mode 100644 index 84dea7d3..00000000 --- a/manifests/integrations/registry-credentials-sync/_cronjobs/gcp/reconcile-patch.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: credentials-sync - namespace: flux-system -spec: - jobTemplate: - spec: - template: - spec: - containers: - - name: sync - image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine - env: - - name: RECONCILE_SH - value: |- - reconcile() { - echo "Starting GCR token sync -- $(date)" - echo "Logging into ECR: ${ECR_REGION} -- ${ECR_REGISTRY}" - token="$(gcloud auth print-access-token)" - user="oauth2accesstoken " - server="${GCR_REGISTRY}" - - echo "Creating secret: ${KUBE_SECRET}" - apply-secret "${KUBE_SECRET}" "${token}" "${user}" "${server}" - - echo "Finished GCR token sync -- $(date)" - echo - } diff --git a/manifests/integrations/registry-credentials-sync/aws/config-patches.yaml b/manifests/integrations/registry-credentials-sync/aws/config-patches.yaml deleted file mode 100644 index f57ccf79..00000000 --- a/manifests/integrations/registry-credentials-sync/aws/config-patches.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: credentials-sync -data: - ECR_REGION: us-east-1 # set the region - ECR_REGISTRY: .dkr.ecr..amazonaws.com # fill in the account id and region - KUBE_SECRET: ecr-credentials # does not yet exist -- will be created in the same Namespace - SYNC_PERIOD: "21600" # 6hrs -- ECR tokens expire every 12 hours; refresh faster than that - - -# Bind IRSA for the ServiceAccount ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: credentials-sync - namespace: flux-system - annotations: - eks.amazonaws.com/role-arn: # set the ARN for your role - - -## If not using IRSA, set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables -## Store these values in a Secret and load them in the container using envFrom. -## For managing this secret via GitOps, consider using SOPS or SealedSecrets and add that manifest in a resource file for this kustomize build. -## https://fluxcd.io/flux/guides/mozilla-sops/ -## https://fluxcd.io/flux/guides/sealed-secrets/ -# --- -# apiVersion: apps/v1 -# kind: Deployment -# metadata: -# name: credentials-sync -# namespace: flux-system -# spec: -# template: -# spec: -# containers: -# - name: sync -# envFrom: -# secretRef: -# name: $(ECR_SECRET_NAME) # uncomment the var for this in kustomization.yaml diff --git a/manifests/integrations/registry-credentials-sync/aws/kustomization.yaml b/manifests/integrations/registry-credentials-sync/aws/kustomization.yaml deleted file mode 100644 index 6e58e58b..00000000 --- a/manifests/integrations/registry-credentials-sync/aws/kustomization.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -namePrefix: ecr- -commonLabels: - app: ecr-credentials-sync - -namespace: flux-system - -bases: -- ../_base -## If not using IRSA, consider creating the following file via SOPS or SealedSecrets -# - encrypted-secret.yaml - -patchesStrategicMerge: -- config-patches.yaml -- reconcile-patch.yaml - -## uncomment if using encrypted-secret.yaml -# vars: -# - name: ECR_SECRET_NAME -# objref: -# kind: Secret -# name: credentials-sync -# apiVersion: v1 diff --git a/manifests/integrations/registry-credentials-sync/aws/reconcile-patch.yaml b/manifests/integrations/registry-credentials-sync/aws/reconcile-patch.yaml deleted file mode 100644 index edac3a11..00000000 --- a/manifests/integrations/registry-credentials-sync/aws/reconcile-patch.yaml +++ /dev/null @@ -1,28 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: credentials-sync - namespace: flux-system -spec: - template: - spec: - containers: - - name: sync - image: aws/aws-cli - env: - - name: RECONCILE_SH - value: |- - reconcile() { - echo "Starting ECR token sync -- $(date)" - echo "Logging into ECR: ${ECR_REGION} -- ${ECR_REGISTRY}" - token="$(aws ecr get-login-password --region "${ECR_REGION}")" - user="AWS" - server="${ECR_REGISTRY}" - - echo "Creating secret: ${KUBE_SECRET}" - apply-secret "${KUBE_SECRET}" "${token}" "${user}" "${server}" - - echo "Finished ECR token sync -- $(date)" - echo - } diff --git a/manifests/integrations/registry-credentials-sync/azure/az-identity.yaml b/manifests/integrations/registry-credentials-sync/azure/az-identity.yaml deleted file mode 100644 index 8b365507..00000000 --- a/manifests/integrations/registry-credentials-sync/azure/az-identity.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -# This is a stub resource patched by config-patches.yaml, so that all config is visible in one file ---- -apiVersion: aadpodidentity.k8s.io/v1 -kind: AzureIdentity -metadata: - name: credentials-sync # if this is changed, also change in config-patches.yaml - namespace: flux-system ---- -apiVersion: aadpodidentity.k8s.io/v1 -kind: AzureIdentityBinding -metadata: - name: credentials-sync # this can have a different name, but it's nice to keep them the same - namespace: flux-system -spec: - azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name - selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name diff --git a/manifests/integrations/registry-credentials-sync/azure/config-patches.yaml b/manifests/integrations/registry-credentials-sync/azure/config-patches.yaml deleted file mode 100644 index d386a497..00000000 --- a/manifests/integrations/registry-credentials-sync/azure/config-patches.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: credentials-sync -data: - ACR_NAME: my-registry - KUBE_SECRET: acr-my-registry # does not yet exist -- will be created in the same Namespace - SYNC_PERIOD: "3600" # ACR tokens expire every 3 hours; refresh faster than that - -# Create an identity in Azure and assign it a role to pull from ACR (note: the identity's resourceGroup should match the desired ACR): -# az identity create -n acr-sync -# az role assignment create --role AcrPull --assignee-object-id "$(az identity show -n acr-sync -o tsv --query principalId)" -# Fetch the clientID and resourceID to configure the AzureIdentity spec below: -# az identity show -n acr-sync -otsv --query clientId -# az identity show -n acr-sync -otsv --query resourceId ---- -apiVersion: aadpodidentity.k8s.io/v1 -kind: AzureIdentity -metadata: - name: credentials-sync # name must match the stub-resource in az-identity.yaml - namespace: flux-system -spec: - clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000 - resourceID: /subscriptions/873c7e7f-76cd-4805-ae86-b923850b0000/resourcegroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/acr-sync - type: 0 # user-managed identity - -# Specify the pod-identity via the aadpodidbinding label ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: credentials-sync - namespace: flux-system -spec: - template: - metadata: - labels: - aadpodidbinding: $(AZ_IDENTITY_NAME) # match the AzureIdentity name diff --git a/manifests/integrations/registry-credentials-sync/azure/kustomization.yaml b/manifests/integrations/registry-credentials-sync/azure/kustomization.yaml deleted file mode 100644 index 54c333a9..00000000 --- a/manifests/integrations/registry-credentials-sync/azure/kustomization.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -namePrefix: acr- -commonLabels: - app: acr-credentials-sync - -namespace: flux-system - -bases: -- ../_base -resources: -- az-identity.yaml - -patchesStrategicMerge: -- config-patches.yaml -- reconcile-patch.yaml - -vars: -- name: AZ_IDENTITY_NAME - objref: - kind: AzureIdentity - name: credentials-sync - apiVersion: aadpodidentity.k8s.io/v1 - -configurations: -- kustomizeconfig.yaml diff --git a/manifests/integrations/registry-credentials-sync/azure/kustomizeconfig.yaml b/manifests/integrations/registry-credentials-sync/azure/kustomizeconfig.yaml deleted file mode 100644 index da4d902d..00000000 --- a/manifests/integrations/registry-credentials-sync/azure/kustomizeconfig.yaml +++ /dev/null @@ -1,7 +0,0 @@ -varReference: -- path: spec/template/metadata/labels - kind: Deployment -- path: spec/azureIdentity - kind: AzureIdentityBinding -- path: spec/selector - kind: AzureIdentityBinding diff --git a/manifests/integrations/registry-credentials-sync/azure/reconcile-patch.yaml b/manifests/integrations/registry-credentials-sync/azure/reconcile-patch.yaml deleted file mode 100644 index b713053b..00000000 --- a/manifests/integrations/registry-credentials-sync/azure/reconcile-patch.yaml +++ /dev/null @@ -1,30 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: credentials-sync - namespace: flux-system -spec: - template: - spec: - containers: - - name: sync - image: mcr.microsoft.com/azure-cli - env: - - name: RECONCILE_SH - value: |- - reconcile() { - echo "Starting ACR token sync -- $(date)" - echo "Logging into Azure" - az login --identity - echo "Logging into ACR: $ACR_NAME" - output="$(az acr login --expose-token -o=tsv -n "$ACR_NAME")" - read token server <<< "$output" - user="00000000-0000-0000-0000-000000000000" - - echo "Creating secret: $KUBE_SECRET" - apply-secret "$KUBE_SECRET" "$token" "$user" "$server" - - echo "Finished ACR token sync -- $(date)" - echo - } 
diff --git a/manifests/integrations/registry-credentials-sync/gcp/config-patches.yaml b/manifests/integrations/registry-credentials-sync/gcp/config-patches.yaml deleted file mode 100644 index dda354ce..00000000 --- a/manifests/integrations/registry-credentials-sync/gcp/config-patches.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: credentials-sync -data: - GCR_REGISTRY: gcr.io # set the registry - KUBE_SECRET: gcr-credentials # does not yet exist -- will be created in the same Namespace - SYNC_PERIOD: "1800" # 30m -- GCR tokens expire every hour; refresh faster than that - - -# Bind to the GCP service-account ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: credentials-sync - namespace: flux-system - annotations: - iam.gke.io/gcp-service-account: @.iam.gserviceaccount.com # set the GCP service-account diff --git a/manifests/integrations/registry-credentials-sync/gcp/kustomization.yaml b/manifests/integrations/registry-credentials-sync/gcp/kustomization.yaml deleted file mode 100644 index ea28e0b6..00000000 --- a/manifests/integrations/registry-credentials-sync/gcp/kustomization.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -namePrefix: gcr- -commonLabels: - app: gcr-credentials-sync - -namespace: flux-system - -bases: -- ../_base - -patchesStrategicMerge: -- config-patches.yaml -- reconcile-patch.yaml diff --git a/manifests/integrations/registry-credentials-sync/gcp/reconcile-patch.yaml b/manifests/integrations/registry-credentials-sync/gcp/reconcile-patch.yaml deleted file mode 100644 index 8b637f3f..00000000 --- a/manifests/integrations/registry-credentials-sync/gcp/reconcile-patch.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: credentials-sync - namespace: flux-system -spec: - template: - spec: - containers: - - name: sync - image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine - env: - - name: RECONCILE_SH - value: |- - reconcile() { - echo "Starting GCR token sync -- $(date)" - echo "Logging into ECR: ${ECR_REGION} -- ${ECR_REGISTRY}" - token="$(gcloud auth print-access-token)" - user="oauth2accesstoken " - server="${GCR_REGISTRY}" - - echo "Creating secret: ${KUBE_SECRET}" - apply-secret "${KUBE_SECRET}" "${token}" "${user}" "${server}" - - echo "Finished GCR token sync -- $(date)" - echo - } From 7aea9534b416f4fe0f125c7a21d099ff81339a19 Mon Sep 17 00:00:00 2001 From: Brock Alberry Date: Wed, 4 Jun 2025 10:11:24 -0400 Subject: [PATCH 04/12] add sparse checkout to cli Signed-off-by: Brock Alberry Signed-off-by: S. M. Mohiuddin Khan Shiam <147746955+mohiuddin-khan-shiam@users.noreply.github.com> --- cmd/flux/create_source_git.go | 41 ++++++++++--------- cmd/flux/create_source_git_test.go | 2 +- .../testdata/create_source_git/export.golden | 3 ++ 3 files changed, 26 insertions(+), 20 deletions(-) diff --git a/cmd/flux/create_source_git.go b/cmd/flux/create_source_git.go index 134f8f40..e708f07d 100644 --- a/cmd/flux/create_source_git.go +++ b/cmd/flux/create_source_git.go 
@@ -44,25 +44,26 @@ import ( ) type sourceGitFlags struct { - url string - branch string - tag string - semver string - refName string - commit string - username string - password string - keyAlgorithm flags.PublicKeyAlgorithm - keyRSABits flags.RSAKeyBits - keyECDSACurve flags.ECDSACurve - secretRef string - proxySecretRef string - provider flags.SourceGitProvider - caFile string - privateKeyFile string - recurseSubmodules bool - silent bool - ignorePaths []string + url string + branch string + tag string + semver string + refName string + commit string + username string + password string + keyAlgorithm flags.PublicKeyAlgorithm + keyRSABits flags.RSAKeyBits + keyECDSACurve flags.ECDSACurve + secretRef string + proxySecretRef string + provider flags.SourceGitProvider + caFile string + privateKeyFile string + recurseSubmodules bool + silent bool + ignorePaths []string + sparseCheckoutPaths []string } var createSourceGitCmd = &cobra.Command{ @@ -154,6 +155,7 @@ func init() { "when enabled, configures the GitRepository source to initialize and include Git submodules in the artifact it produces") createSourceGitCmd.Flags().BoolVarP(&sourceGitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation") createSourceGitCmd.Flags().StringSliceVar(&sourceGitArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in git resource (can specify multiple paths with commas: path1,path2)") + createSourceGitCmd.Flags().StringSliceVar(&sourceGitArgs.sparseCheckoutPaths, "sparse-checkout-paths", nil, "set paths to sparse checkout in git resource (can specify multiple paths with commas: path1,path2)") createSourceCmd.AddCommand(createSourceGitCmd) } @@ -220,6 +222,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error { RecurseSubmodules: sourceGitArgs.recurseSubmodules, Reference: &sourcev1.GitRepositoryRef{}, Ignore: ignorePaths, + SparseCheckout: sourceGitArgs.sparseCheckoutPaths, }, } 
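Review bot: `SparseCheckout: sourceGitArgs.sparseCheckoutPaths` in the createSourceGitCmdRun hunk forwards the raw flag slice straight into the GitRepository spec, while the neighbouring `Ignore: ignorePaths` is a value derived elsewhere in the function; a doubled or trailing comma in `--sparse-checkout-paths a,,b` therefore produces empty-string entries that are exported as-is. Validate the slice before the object is built, e.g. `for _, p := range sourceGitArgs.sparseCheckoutPaths { if p == "" { return fmt.Errorf("invalid --sparse-checkout-paths: empty path entry") } }` (using whatever error style the surrounding function already uses), and consider rejecting absolute paths for the same reason. The flag help in the init() hunk could also say what the setting does for the produced artifact rather than only how to pass it, e.g. `"paths to sparse checkout; only these paths are included in the artifact (comma separated: path1,path2)"`, if that matches source-controller's behaviour. Both createSourceGitCmdRun and init() start and end outside their hunks.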
diff --git a/cmd/flux/create_source_git_test.go b/cmd/flux/create_source_git_test.go index a04ee5c9..aefdace1 100644 --- a/cmd/flux/create_source_git_test.go +++ b/cmd/flux/create_source_git_test.go @@ -87,7 +87,7 @@ func (r *reconciler) conditionFunc() (bool, error) { } func TestCreateSourceGitExport(t *testing.T) { - var command = "create source git podinfo --url=https://github.com/stefanprodan/podinfo --branch=master --ignore-paths .cosign,non-existent-dir/ -n default --interval 1m --export --timeout=" + testTimeout.String() + var command = "create source git podinfo --url=https://github.com/stefanprodan/podinfo --branch=master --sparse-checkout-paths .cosign,non-existent-dir/ --ignore-paths .cosign,non-existent-dir/ -n default --interval 1m --export --timeout=" + testTimeout.String() cases := []struct { name string diff --git a/cmd/flux/testdata/create_source_git/export.golden b/cmd/flux/testdata/create_source_git/export.golden index b23aaaab..9ac841af 100644 --- a/cmd/flux/testdata/create_source_git/export.golden +++ b/cmd/flux/testdata/create_source_git/export.golden @@ -11,4 +11,7 @@ spec: interval: 1m0s ref: branch: master + sparseCheckout: + - .cosign + - non-existent-dir/ url: https://github.com/stefanprodan/podinfo From 8dcb0743ec69aca534555e03cff5aa135c18bf73 Mon Sep 17 00:00:00 2001 From: Matheus Pimenta Date: Thu, 5 Jun 2025 19:07:12 +0100 Subject: [PATCH 05/12] Introduce support for shelling out to Azure binaries in authentication Signed-off-by: Matheus Pimenta Signed-off-by: S. M. Mohiuddin Khan Shiam <147746955+mohiuddin-khan-shiam@users.noreply.github.com> --- cmd/flux/oci.go | 8 +++++++- cmd/flux/push_artifact.go | 10 ++++++++-- go.mod | 3 ++- go.sum | 6 ++++-- 4 files changed, 21 insertions(+), 6 deletions(-) diff --git a/cmd/flux/oci.go b/cmd/flux/oci.go index 3dd61f0b..d919c9de 100644 --- a/cmd/flux/oci.go +++ b/cmd/flux/oci.go 
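Review bot: The updated command in TestCreateSourceGitExport passes the identical list `.cosign,non-existent-dir/` to both `--sparse-checkout-paths` and `--ignore-paths`, so the golden file cannot demonstrate that the two flags populate different fields, and the resulting spec asks the source to check out only paths that it then ignores. Using a distinct list for the new flag, e.g. `--sparse-checkout-paths kustomize,charts/` (constructed example) with the matching entries in export.golden, makes the test discriminating. TestCreateSourceGitExport continues outside the hunk.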
@@ -23,12 +23,18 @@ import ( "github.com/google/go-containerregistry/pkg/crane" + "github.com/fluxcd/pkg/auth" + "github.com/fluxcd/pkg/auth/azure" authutils "github.com/fluxcd/pkg/auth/utils" ) // loginWithProvider gets a crane authentication option for the given provider and URL. func loginWithProvider(ctx context.Context, url, provider string) (crane.Option, error) { - authenticator, err := authutils.GetArtifactRegistryCredentials(ctx, provider, url) + var opts []auth.Option + if provider == azure.ProviderName { + opts = append(opts, auth.WithAllowShellOut()) + } + authenticator, err := authutils.GetArtifactRegistryCredentials(ctx, provider, url, opts...) if err != nil { return nil, fmt.Errorf("could not login to provider %s with url %s: %w", provider, url, err) } diff --git a/cmd/flux/push_artifact.go b/cmd/flux/push_artifact.go index a03ea7ae..41fef563 100644 --- a/cmd/flux/push_artifact.go +++ b/cmd/flux/push_artifact.go @@ -34,6 +34,8 @@ import ( "github.com/spf13/cobra" "sigs.k8s.io/yaml" + "github.com/fluxcd/pkg/auth" + "github.com/fluxcd/pkg/auth/azure" authutils "github.com/fluxcd/pkg/auth/utils" "github.com/fluxcd/pkg/oci" sourcev1 "github.com/fluxcd/source-controller/api/v1" @@ -225,9 +227,13 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error { opts = append(opts, crane.WithAuth(authenticator)) } - if pushArtifactArgs.provider.String() != sourcev1.GenericOCIProvider { + if provider := pushArtifactArgs.provider.String(); provider != sourcev1.GenericOCIProvider { logger.Actionf("logging in to registry with provider credentials") - authenticator, err = authutils.GetArtifactRegistryCredentials(ctx, pushArtifactArgs.provider.String(), url) + var authOpts []auth.Option + if provider == azure.ProviderName { + authOpts = append(authOpts, auth.WithAllowShellOut()) + } + authenticator, err = authutils.GetArtifactRegistryCredentials(ctx, provider, url, authOpts...) if err != nil { return fmt.Errorf("error during login with provider: %w", err) } 
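Review bot: The three-line `if provider == azure.ProviderName { … auth.WithAllowShellOut() }` block is duplicated verbatim between loginWithProvider here and pushArtifactCmdRun in the push_artifact.go hunk on this same line, and neither site documents that the option permits the auth library to execute external Azure binaries on the machine running the CLI (the commit title is the only place this is stated). Both files live in cmd/flux, so one package-level helper keeps the shell-out policy in a single place and gives it a comment; pushArtifactCmdRun would then call `authutils.GetArtifactRegistryCredentials(ctx, provider, url, providerAuthOptions(provider)...)` and drop its local `authOpts`. Which binaries are invoked is not visible here and should be confirmed against fluxcd/pkg/auth before wording the comment definitively. loginWithProvider's body and pushArtifactCmdRun both continue outside their hunks.
```go
// providerAuthOptions returns the auth options that apply only to the given
// registry provider. For Azure, shelling out is enabled so the auth library
// may fall back to locally installed Azure binaries.
// NOTE(review): confirm in fluxcd/pkg/auth which binaries this allows and
// that doing so from a user workstation is the intended behaviour.
func providerAuthOptions(provider string) []auth.Option {
	if provider == azure.ProviderName {
		return []auth.Option{auth.WithAllowShellOut()}
	}
	return nil
}

// loginWithProvider gets a crane authentication option for the given provider and URL.
func loginWithProvider(ctx context.Context, url, provider string) (crane.Option, error) {
	authenticator, err := authutils.GetArtifactRegistryCredentials(ctx, provider, url, providerAuthOptions(provider)...)
	// … unchanged: error wrapping and return …
```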
diff --git a/go.mod b/go.mod index c82327dc..4cf20691 100644 --- a/go.mod +++ b/go.mod @@ -19,7 +19,7 @@ require ( github.com/fluxcd/notification-controller/api v1.6.0 github.com/fluxcd/pkg/apis/event v0.17.0 github.com/fluxcd/pkg/apis/meta v1.12.0 - github.com/fluxcd/pkg/auth v0.16.0 + github.com/fluxcd/pkg/auth v0.17.0 github.com/fluxcd/pkg/chartutil v1.3.0 github.com/fluxcd/pkg/envsubst v1.4.0 github.com/fluxcd/pkg/git v0.31.0 @@ -87,6 +87,7 @@ require ( github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect github.com/aws/aws-sdk-go-v2/service/ecr v1.43.3 // indirect + github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.0 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect diff --git a/go.sum b/go.sum index f9b71ecf..2b85e059 100644 --- a/go.sum +++ b/go.sum 
@@ -59,6 +59,8 @@ github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo= github.com/aws/aws-sdk-go-v2/service/ecr v1.43.3 h1:YyH8Hk73bYzdbvf6S8NF5z/fb/1stpiMnFSfL6jSfRA= github.com/aws/aws-sdk-go-v2/service/ecr v1.43.3/go.mod h1:iQ1skgw1XRK+6Lgkb0I9ODatAP72WoTILh0zXQ5DtbU= +github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.0 h1:wA2O6pZ2r5smqJunFP4hp7qptMW4EQxs8O6RVHPulOE= +github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.0/go.mod h1:RZL7ov7c72wSmoM8bIiVxRHgcVdzhNkVW2J36C8RF4s= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 h1:eAh2A4b5IzM/lum78bZ590jy36+d/aFLgKF/4Vd1xPE= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3/go.mod h1:0yKJC/kb8sAnmlYa6Zs3QVYqaC8ug2AbnNChv5Ox3uA= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 h1:dM9/92u2F1JbDaGooxTq18wmmFzbJRfXfVfy96/1CXM= @@ -179,8 +181,8 @@ github.com/fluxcd/pkg/apis/kustomize v1.10.0 h1:47EeSzkQvlQZdH92vHMe2lK2iR8aOSEJ github.com/fluxcd/pkg/apis/kustomize v1.10.0/go.mod h1:UsqMV4sqNa1Yg0pmTsdkHRJr7bafBOENIJoAN+3ezaQ= github.com/fluxcd/pkg/apis/meta v1.12.0 h1:XW15TKZieC2b7MN8VS85stqZJOx+/b8jATQ/xTUhVYg= github.com/fluxcd/pkg/apis/meta v1.12.0/go.mod h1:+son1Va60x2eiDcTwd7lcctbI6C+K3gM7R+ULmEq1SI= -github.com/fluxcd/pkg/auth v0.16.0 h1:YEjSaNqlpYoXfoFAGhU/Z8y0322nGsT24W6zCh+sbGw= -github.com/fluxcd/pkg/auth v0.16.0/go.mod h1:+BRnAO61Nr6fACEjJS6eNRdOk1nXhX/FCPylYn1ypNc= +github.com/fluxcd/pkg/auth v0.17.0 h1:jgum55f5K7Db6yI2bi4WeKojTzQS9KxlHCC0CsFs5x8= +github.com/fluxcd/pkg/auth v0.17.0/go.mod h1:4h6s8VBNuec3tWd4xIReLw8BYPOKaIegjNMEbA4ikTU= github.com/fluxcd/pkg/cache v0.9.0 h1:EGKfOLMG3fOwWnH/4Axl5xd425mxoQbZzlZoLfd8PDk= github.com/fluxcd/pkg/cache v0.9.0/go.mod h1:jMwabjWfsC5lW8hE7NM3wtGNwSJ38Javx6EKbEi7INU= github.com/fluxcd/pkg/chartutil v1.3.0 h1:Zoc+AIyKL4YU4PaLL/iGv9VRLujeWT2Mvj4BLGFGKlg= 
From 1299df9f95d6807acd8dcceed44a9dd9a4d7c6a6 Mon Sep 17 00:00:00 2001 From: Matheus Pimenta Date: Thu, 12 Jun 2025 18:12:50 +0100 Subject: [PATCH 06/12] Upgrade dependencies Signed-off-by: Matheus Pimenta Signed-off-by: S. M. Mohiuddin Khan Shiam <147746955+mohiuddin-khan-shiam@users.noreply.github.com> --- go.mod | 14 +++++++------- go.sum | 28 ++++++++++++++-------------- tests/integration/go.mod | 16 ++++++++-------- tests/integration/go.sum | 32 ++++++++++++++++---------------- 4 files changed, 45 insertions(+), 45 deletions(-) diff --git a/go.mod b/go.mod index 4cf20691..c2496bff 100644 --- a/go.mod +++ b/go.mod @@ -22,18 +22,18 @@ require ( github.com/fluxcd/pkg/auth v0.17.0 github.com/fluxcd/pkg/chartutil v1.3.0 github.com/fluxcd/pkg/envsubst v1.4.0 - github.com/fluxcd/pkg/git v0.31.0 - github.com/fluxcd/pkg/git/gogit v0.33.0 + github.com/fluxcd/pkg/git v0.32.0 + github.com/fluxcd/pkg/git/gogit v0.35.0 github.com/fluxcd/pkg/kustomize v1.18.0 github.com/fluxcd/pkg/oci v0.49.0 github.com/fluxcd/pkg/runtime v0.60.0 github.com/fluxcd/pkg/sourceignore v0.12.0 github.com/fluxcd/pkg/ssa v0.48.0 - github.com/fluxcd/pkg/ssh v0.18.0 + github.com/fluxcd/pkg/ssh v0.19.0 github.com/fluxcd/pkg/tar v0.12.0 github.com/fluxcd/pkg/version v0.7.0 github.com/fluxcd/source-controller/api v1.6.0 - github.com/go-git/go-git/v5 v5.16.0 + github.com/go-git/go-git/v5 v5.16.2 github.com/go-logr/logr v1.4.2 github.com/gonvenience/bunt v1.4.0 github.com/gonvenience/ytbx v1.4.6 @@ -50,9 +50,9 @@ require ( github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 github.com/spf13/cobra v1.9.1 github.com/theckman/yacspin v0.13.12 - golang.org/x/crypto v0.38.0 + golang.org/x/crypto v0.39.0 golang.org/x/term v0.32.0 - golang.org/x/text v0.25.0 + golang.org/x/text v0.26.0 k8s.io/api v0.33.0 k8s.io/apiextensions-apiserver v0.33.0 k8s.io/apimachinery v0.33.0 
@@ -241,7 +241,7 @@ require ( go.opentelemetry.io/proto/otlp v1.4.0 // indirect golang.org/x/net v0.40.0 // indirect golang.org/x/oauth2 v0.29.0 // indirect - golang.org/x/sync v0.14.0 // indirect + golang.org/x/sync v0.15.0 // indirect golang.org/x/sys v0.33.0 // indirect golang.org/x/time v0.11.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect diff --git a/go.sum b/go.sum index 2b85e059..f3733e63 100644 --- a/go.sum +++ b/go.sum @@ -189,10 +189,10 @@ github.com/fluxcd/pkg/chartutil v1.3.0 h1:Zoc+AIyKL4YU4PaLL/iGv9VRLujeWT2Mvj4BLG github.com/fluxcd/pkg/chartutil v1.3.0/go.mod h1:O7eIdk0wgejua/8ikabfMFmwPv5mSDbHgZCyfTnL06U= github.com/fluxcd/pkg/envsubst v1.4.0 h1:pYsb6wrmXOSfHXuXQHaaBBMt3LumhgCb8SMdBNAwV/U= github.com/fluxcd/pkg/envsubst v1.4.0/go.mod h1:zSDFO3Wawi+vI2NPxsMQp+EkIsz/85MNg/s1Wzmqt+s= -github.com/fluxcd/pkg/git v0.31.0 h1:hVUJcRujNa+GA5zrjrMpuVcgHbCBjfq0CZIZJqJl22I= -github.com/fluxcd/pkg/git v0.31.0/go.mod h1:rUgLXVQGBkBggHOLVMhHMHaweQ8Oc6HwZiN2Zm08Zxs= -github.com/fluxcd/pkg/git/gogit v0.33.0 h1:JYKa3XqA91AX7/sKEgARO9VzkwouXWjUgpwudEZEWq0= -github.com/fluxcd/pkg/git/gogit v0.33.0/go.mod h1:EvsVYcB3KjfhpdoyU1sO9HuMH5Xt0cVhW49kFlZcFLY= +github.com/fluxcd/pkg/git v0.32.0 h1:agSE4Ia8saj5eg075qhLhZvjuTg/Hnj8mZU0meGKOyc= +github.com/fluxcd/pkg/git v0.32.0/go.mod h1:rUgLXVQGBkBggHOLVMhHMHaweQ8Oc6HwZiN2Zm08Zxs= +github.com/fluxcd/pkg/git/gogit v0.35.0 h1:uMFFwhg3X4H2GaJtXBG/sEv5yrIUk7gIdIpayTLXdC0= +github.com/fluxcd/pkg/git/gogit v0.35.0/go.mod h1:/WcAqTDBrjF+6cwFTaK7kNM791j/pXmw0fy8xbd1YWo= github.com/fluxcd/pkg/gittestserver v0.17.0 h1:JlBvWZQTDOI+np5Z+084m3DkeAH1hMusEybyRUDF63k= github.com/fluxcd/pkg/gittestserver v0.17.0/go.mod h1:E/40EmLoXcMqd6gLuLDC9F6KJxqHVGbBBeMNKk5XdxU= github.com/fluxcd/pkg/kustomize v1.18.0 h1:wWK+qYwmBmba3N3VAqZ9ijnfVGGaIjcaHWo033URZTw= 
@@ -205,8 +205,8 @@ github.com/fluxcd/pkg/sourceignore v0.12.0 h1:jCIe6d50rQ3wdXPF0+PhhqN0XrTRIq3upM github.com/fluxcd/pkg/sourceignore v0.12.0/go.mod h1:dc0zvkuXM5OgL/b3IkrVuwvPjj1zJn4NBUMH45uJ4Y0= github.com/fluxcd/pkg/ssa v0.48.0 h1:DW+4DG8L/yZEi30UltOEXPB1d/ZFn4HfVhpJQp5oc2o= github.com/fluxcd/pkg/ssa v0.48.0/go.mod h1:T50TO0U2obLodZnrFgOrxollfBEy4V673OkM2aTUF1c= -github.com/fluxcd/pkg/ssh v0.18.0 h1:SB0RrZ/YZIla3chTUulsfVmiCzJv5pEWfHM3dHMC8AU= -github.com/fluxcd/pkg/ssh v0.18.0/go.mod h1:G5o0ZD7iR3KFoG5gPnFelX243ciI/PIiVW7J4eBrt5Y= +github.com/fluxcd/pkg/ssh v0.19.0 h1:njSwNJQZ+3TGhBXshU/2TbqvooMbf6lQzFn7w6vuaKI= +github.com/fluxcd/pkg/ssh v0.19.0/go.mod h1:0e7sqpyekj65A4y/UUCVUxxVw8HonwFtJJ2KhvJQq1o= github.com/fluxcd/pkg/tar v0.12.0 h1:og6F+ivnWNRbNJSq0ukCTVs7YrGIlzjxSVZU+E8NprM= github.com/fluxcd/pkg/tar v0.12.0/go.mod h1:Ra5Cj++MD5iCy7bZGKJJX3GpOeMPv+ZDkPO9bBwpDeU= github.com/fluxcd/pkg/version v0.7.0 h1:jZT5I6WFy1KlM40nHCSqlHmjC1VT1/DfmbAdOkIVVJc= 
@@ -231,8 +231,8 @@ github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UN github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU= github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4= github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII= -github.com/go-git/go-git/v5 v5.16.0 h1:k3kuOEpkc0DeY7xlL6NaaNg39xdgQbtH5mwCafHO9AQ= -github.com/go-git/go-git/v5 v5.16.0/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8= +github.com/go-git/go-git/v5 v5.16.2 h1:fT6ZIOjE5iEnkzKyxTHK1W4HGAsPhqEqiSAssSO77hM= +github.com/go-git/go-git/v5 v5.16.2/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8= github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE= github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= 
@@ -623,8 +623,8 @@ golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliY golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= -golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8= -golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw= +golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM= +golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= @@ -664,8 +664,8 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ= -golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= +golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8= +golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -715,8 +715,8 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
-golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
+golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
+golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
 golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
 golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
diff --git a/tests/integration/go.mod b/tests/integration/go.mod
index f8e628a6..fe4e93c4 100644
--- a/tests/integration/go.mod
+++ b/tests/integration/go.mod
@@ -13,12 +13,12 @@ require (
 github.com/fluxcd/notification-controller/api v1.6.0
 github.com/fluxcd/pkg/apis/event v0.17.0
 github.com/fluxcd/pkg/apis/meta v1.12.0
- github.com/fluxcd/pkg/git v0.31.0
- github.com/fluxcd/pkg/git/gogit v0.33.0
+ github.com/fluxcd/pkg/git v0.32.0
+ github.com/fluxcd/pkg/git/gogit v0.35.0
 github.com/fluxcd/pkg/runtime v0.60.0
 github.com/fluxcd/source-controller/api v1.6.0
 github.com/fluxcd/test-infra/tftestenv v0.0.0-20250519112614-4450eea17b00
- github.com/go-git/go-git/v5 v5.16.0
+ github.com/go-git/go-git/v5 v5.16.2
 github.com/google/go-containerregistry v0.20.3
 github.com/hashicorp/terraform-exec v0.23.0
 github.com/hashicorp/terraform-json v0.24.0
@@ -67,7 +67,7 @@ require (
 github.com/felixge/httpsnoop v1.0.4 // indirect
 github.com/fluxcd/pkg/apis/acl v0.7.0 // indirect
 github.com/fluxcd/pkg/apis/kustomize v1.10.0 // indirect
- github.com/fluxcd/pkg/ssh v0.18.0 // indirect
+ github.com/fluxcd/pkg/ssh v0.19.0 // indirect
 github.com/fluxcd/pkg/version v0.7.0 // indirect
 github.com/fxamacker/cbor/v2 v2.8.0 // indirect
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
@@ -123,14 +123,14 @@ require (
 go.opentelemetry.io/otel v1.35.0 // indirect
 go.opentelemetry.io/otel/metric v1.35.0 // indirect
 go.opentelemetry.io/otel/trace v1.35.0 // indirect
- golang.org/x/crypto v0.38.0 // indirect
- golang.org/x/mod v0.24.0 // indirect
+ golang.org/x/crypto v0.39.0 // indirect
+ golang.org/x/mod v0.25.0 // indirect
 golang.org/x/net v0.40.0 // indirect
 golang.org/x/oauth2 v0.29.0 // indirect
- golang.org/x/sync v0.14.0 // indirect
+ golang.org/x/sync v0.15.0 // indirect
 golang.org/x/sys v0.33.0 // indirect
 golang.org/x/term v0.32.0 // indirect
- golang.org/x/text v0.25.0 // indirect
+ golang.org/x/text v0.26.0 // indirect
 golang.org/x/time v0.11.0 // indirect
 google.golang.org/api v0.230.0 // indirect
 google.golang.org/genproto v0.0.0-20250425173222-7b384671a197 // indirect
diff --git a/tests/integration/go.sum b/tests/integration/go.sum
index bc39d73d..12f910b4 100644
--- a/tests/integration/go.sum
+++ b/tests/integration/go.sum
@@ -131,16 +131,16 @@ github.com/fluxcd/pkg/apis/kustomize v1.10.0 h1:47EeSzkQvlQZdH92vHMe2lK2iR8aOSEJ
 github.com/fluxcd/pkg/apis/kustomize v1.10.0/go.mod h1:UsqMV4sqNa1Yg0pmTsdkHRJr7bafBOENIJoAN+3ezaQ=
 github.com/fluxcd/pkg/apis/meta v1.12.0 h1:XW15TKZieC2b7MN8VS85stqZJOx+/b8jATQ/xTUhVYg=
 github.com/fluxcd/pkg/apis/meta v1.12.0/go.mod h1:+son1Va60x2eiDcTwd7lcctbI6C+K3gM7R+ULmEq1SI=
-github.com/fluxcd/pkg/git v0.31.0 h1:hVUJcRujNa+GA5zrjrMpuVcgHbCBjfq0CZIZJqJl22I=
-github.com/fluxcd/pkg/git v0.31.0/go.mod h1:rUgLXVQGBkBggHOLVMhHMHaweQ8Oc6HwZiN2Zm08Zxs=
-github.com/fluxcd/pkg/git/gogit v0.33.0 h1:JYKa3XqA91AX7/sKEgARO9VzkwouXWjUgpwudEZEWq0=
-github.com/fluxcd/pkg/git/gogit v0.33.0/go.mod h1:EvsVYcB3KjfhpdoyU1sO9HuMH5Xt0cVhW49kFlZcFLY=
+github.com/fluxcd/pkg/git v0.32.0 h1:agSE4Ia8saj5eg075qhLhZvjuTg/Hnj8mZU0meGKOyc=
+github.com/fluxcd/pkg/git v0.32.0/go.mod h1:rUgLXVQGBkBggHOLVMhHMHaweQ8Oc6HwZiN2Zm08Zxs=
+github.com/fluxcd/pkg/git/gogit v0.35.0 h1:uMFFwhg3X4H2GaJtXBG/sEv5yrIUk7gIdIpayTLXdC0=
+github.com/fluxcd/pkg/git/gogit v0.35.0/go.mod h1:/WcAqTDBrjF+6cwFTaK7kNM791j/pXmw0fy8xbd1YWo=
 github.com/fluxcd/pkg/gittestserver v0.17.0 h1:JlBvWZQTDOI+np5Z+084m3DkeAH1hMusEybyRUDF63k=
 github.com/fluxcd/pkg/gittestserver v0.17.0/go.mod h1:E/40EmLoXcMqd6gLuLDC9F6KJxqHVGbBBeMNKk5XdxU=
 github.com/fluxcd/pkg/runtime v0.60.0 h1:d++EkV3FlycB+bzakB5NumwY4J8xts8i7lbvD6jBLeU=
 github.com/fluxcd/pkg/runtime v0.60.0/go.mod h1:UeU0/eZLErYC/1bTmgzBfNXhiHy9fuQzjfLK0HxRgxY=
-github.com/fluxcd/pkg/ssh v0.18.0 h1:SB0RrZ/YZIla3chTUulsfVmiCzJv5pEWfHM3dHMC8AU=
-github.com/fluxcd/pkg/ssh v0.18.0/go.mod h1:G5o0ZD7iR3KFoG5gPnFelX243ciI/PIiVW7J4eBrt5Y=
+github.com/fluxcd/pkg/ssh v0.19.0 h1:njSwNJQZ+3TGhBXshU/2TbqvooMbf6lQzFn7w6vuaKI=
+github.com/fluxcd/pkg/ssh v0.19.0/go.mod h1:0e7sqpyekj65A4y/UUCVUxxVw8HonwFtJJ2KhvJQq1o=
 github.com/fluxcd/pkg/version v0.7.0 h1:jZT5I6WFy1KlM40nHCSqlHmjC1VT1/DfmbAdOkIVVJc=
 github.com/fluxcd/pkg/version v0.7.0/go.mod h1:3BjQDJXIZJmeJLXnfa2yG/sNAT1t5oeLAPfnSjOHNuA=
 github.com/fluxcd/source-controller/api v1.6.0 h1:IxfjUczJ2pzbXIef6iQ0RHEH4AYA9anJfTGK8dzwODM=
@@ -159,8 +159,8 @@ github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UN
 github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.16.0 h1:k3kuOEpkc0DeY7xlL6NaaNg39xdgQbtH5mwCafHO9AQ=
-github.com/go-git/go-git/v5 v5.16.0/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8=
+github.com/go-git/go-git/v5 v5.16.2 h1:fT6ZIOjE5iEnkzKyxTHK1W4HGAsPhqEqiSAssSO77hM=
+github.com/go-git/go-git/v5 v5.16.2/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -371,8 +371,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
-golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
-golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
+golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
+golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@@ -381,8 +381,8 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
-golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
+golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -409,8 +409,8 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
-golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
+golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -442,8 +442,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
-golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
+golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
+golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
 golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
 golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
From b1e54faa387acf608b7bf09827e00e4941638d52 Mon Sep 17 00:00:00 2001 From: cappyzawa Date: Fri, 13 Jun 2025 13:19:24 +0900 Subject: [PATCH 07/12] Use normalize.UnstructuredList instead of ssa.SetNativeKindsDefaults Signed-off-by: cappyzawa Signed-off-by: S. M. Mohiuddin Khan Shiam <147746955+mohiuddin-khan-shiam@users.noreply.github.com>
---
 cmd/flux/diff_kustomization_test.go | 3 ++- internal/build/diff.go | 3 ++- internal/utils/apply.go | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/cmd/flux/diff_kustomization_test.go b/cmd/flux/diff_kustomization_test.go
index b6d4e9af..33cea70e 100644
--- a/cmd/flux/diff_kustomization_test.go
+++ b/cmd/flux/diff_kustomization_test.go
@@ -27,6 +27,7 @@ import (
 "github.com/fluxcd/flux2/v2/internal/build"
 "github.com/fluxcd/pkg/ssa"
+ "github.com/fluxcd/pkg/ssa/normalize"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
@@ -151,7 +152,7 @@ func createObjectFromFile(objectFile string, templateValues map[string]string, t
 t.Fatalf("Error decoding yaml file '%s': %v", objectFile, err)
 }
- if err := ssa.SetNativeKindsDefaults(clientObjects); err != nil {
+ if err := normalize.UnstructuredList(clientObjects); err != nil {
 t.Fatalf("Error setting native kinds defaults for '%s': %v", objectFile, err)
 }
diff --git a/internal/build/diff.go b/internal/build/diff.go
index b6636641..f6df0cc9 100644
--- a/internal/build/diff.go
+++ b/internal/build/diff.go
@@ -41,6 +41,7 @@ import (
 "github.com/fluxcd/cli-utils/pkg/object"
 kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 "github.com/fluxcd/pkg/ssa"
+ "github.com/fluxcd/pkg/ssa/normalize"
 ssautil "github.com/fluxcd/pkg/ssa/utils"
 "github.com/fluxcd/flux2/v2/pkg/printers"
@@ -80,7 +81,7 @@ func (b *Builder) diff() (string, bool, error) {
 return "", createdOrDrifted, err
 }
- err = ssa.SetNativeKindsDefaults(objects)
+ err = normalize.UnstructuredList(objects)
 if err != nil {
 return "", createdOrDrifted, err
 }
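Review bot: The failure message in createObjectFromFile still reads `Error setting native kinds defaults`, although the call on the line above it is now `normalize.UnstructuredList`, so a future failure would point the reader at a function that is no longer called. I'd change it to `t.Fatalf("Error normalizing objects from '%s': %v", objectFile, err)`. The `github.com/fluxcd/pkg/ssa` import is retained in both diff_kustomization_test.go and diff.go; presumably `ssa` is still referenced elsewhere in those files, otherwise the build would fail, so no action there. createObjectFromFile and Builder.diff both continue outside their hunks.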
diff --git a/internal/utils/apply.go b/internal/utils/apply.go
index 5867287c..2ce7359c 100644
--- a/internal/utils/apply.go
+++ b/internal/utils/apply.go
@@ -33,6 +33,7 @@ import (
 "github.com/fluxcd/cli-utils/pkg/kstatus/polling"
 runclient "github.com/fluxcd/pkg/runtime/client"
 "github.com/fluxcd/pkg/ssa"
+ "github.com/fluxcd/pkg/ssa/normalize"
 ssautil "github.com/fluxcd/pkg/ssa/utils"
 "github.com/fluxcd/flux2/v2/pkg/manifestgen/kustomization"
@@ -50,7 +51,7 @@ func Apply(ctx context.Context, rcg genericclioptions.RESTClientGetter, opts *ru
 return "", fmt.Errorf("no Kubernetes objects found at: %s", manifestPath)
 }
- if err := ssa.SetNativeKindsDefaults(objs); err != nil {
+ if err := normalize.UnstructuredList(objs); err != nil {
 return "", err
 }
From 09167fbf1f91aaa007d32a6f45ef57ccd97bfac3 Mon Sep 17 00:00:00 2001 From: Stefan Bickel Date: Wed, 11 Jun 2025 16:25:19 +0200 Subject: [PATCH 08/12] Add cli arg --with-service-account Signed-off-by: Stefan Bickel Signed-off-by: S. M. Mohiuddin Khan Shiam <147746955+mohiuddin-khan-shiam@users.noreply.github.com>
---
 cmd/flux/create_tenant.go | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/cmd/flux/create_tenant.go b/cmd/flux/create_tenant.go
index 1b071ecb..1c7c75bc 100644
--- a/cmd/flux/create_tenant.go
+++ b/cmd/flux/create_tenant.go
@@ -59,6 +59,7 @@ const (
 type tenantFlags struct {
 namespaces []string
 clusterRole string
+ account string
 }
 var tenantArgs tenantFlags
@@ -66,6 +67,7 @@ var tenantArgs tenantFlags
 func init() {
 createTenantCmd.Flags().StringSliceVar(&tenantArgs.namespaces, "with-namespace", nil, "namespace belonging to this tenant")
 createTenantCmd.Flags().StringVar(&tenantArgs.clusterRole, "cluster-role", "cluster-admin", "cluster role of the tenant role binding")
+ createTenantCmd.Flags().StringVar(&tenantArgs.account, "with-service-account", "", "service account belonging to this tenant")
 createCmd.AddCommand(createTenantCmd)
 }
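Review bot: The help string registered for `--with-service-account` in init() does not say what happens when the flag is omitted, and the fallback to the tenant name is only visible in the later hunk of this commit, so the generated CLI reference will leave users guessing. I'd change the line to `createTenantCmd.Flags().StringVar(&tenantArgs.account, "with-service-account", "", "service account belonging to this tenant (defaults to the tenant name)")`. The new struct field `account` is also vaguer than the flag it backs; `serviceAccount` would read better next to `clusterRole`, though that is a matter of taste.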
@@ -107,9 +109,17 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 }
 namespaces = append(namespaces, namespace)
+ accountName := tenant
+ if tenantArgs.account != "" {
+ accountName = tenantArgs.account
+ }
+ if err := validation.IsQualifiedName(accountName); len(err) > 0 {
+ return fmt.Errorf("invalid service-account name '%s': %v", accountName, err)
+ }
+ + account := corev1.ServiceAccount{
 ObjectMeta: metav1.ObjectMeta{
- Name: tenant,
+ Name: accountName,
 Namespace: ns,
 Labels: objLabels,
 },
@@ -131,7 +141,7 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 },
 {
 Kind: "ServiceAccount",
- Name: tenant,
+ Name: accountName,
 Namespace: ns,
 },
 },
From cda16d27590c0a0f462ed82d5b8549fc814bb02f Mon Sep 17 00:00:00 2001 From: Stefan Bickel Date: Wed, 11 Jun 2025 16:51:32 +0200 Subject: [PATCH 09/12] Add tests and golden files for create tenant Signed-off-by: Stefan Bickel Signed-off-by: S. M. Mohiuddin Khan Shiam <147746955+mohiuddin-khan-shiam@users.noreply.github.com>
---
 cmd/flux/create_tenant_test.go | 68 +++++++++++++++++++ .../testdata/create_tenant/tenant-basic.yaml | 34 ++++++++++ .../tenant-with-cluster-role.yaml | 34 ++++++++++ .../tenant-with-service-account.yaml | 34 ++++++++++ 4 files changed, 170 insertions(+) create mode 100644 cmd/flux/create_tenant_test.go create mode 100644 cmd/flux/testdata/create_tenant/tenant-basic.yaml create mode 100644 cmd/flux/testdata/create_tenant/tenant-with-cluster-role.yaml create mode 100644 cmd/flux/testdata/create_tenant/tenant-with-service-account.yaml
diff --git a/cmd/flux/create_tenant_test.go b/cmd/flux/create_tenant_test.go
new file mode 100644
index 00000000..f4fadb8f
--- /dev/null
+++ b/cmd/flux/create_tenant_test.go
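Review bot: `validation.IsQualifiedName` on the new accountName check is the wrong validator for a ServiceAccount name: it implements the label-key rule, which allows an optional `prefix/` and uppercase letters, whereas the API server requires object names to be DNS-1123 subdomains, so a value such as `flux/Tenant` passes here and is only rejected at apply time. Assuming `validation` is `k8s.io/apimachinery/pkg/util/validation`, as the unchanged imports suggest, the one-line fix is `if err := validation.IsDNS1123Subdomain(accountName); len(err) > 0 {`; if the tenant name itself is checked with IsQualifiedName earlier in this function, that check has the same gap. Note also that the second hunk binds whatever account name is supplied to the tenant's RoleBinding, so pointing the flag at an account that already exists in the namespace extends the tenant's cluster role to it; a sentence to that effect in the flag help or the command docs would help operators apply least privilege. createTenantCmdRun starts and ends outside these hunks.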
@@ -0,0 +1,68 @@
+//go:build e2e
+// +build e2e
+
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+ "testing"
+)
+
+func TestCreateTenant(t *testing.T) {
+ tests := []struct {
+ name string
+ args string
+ assert assertFunc
+ }{
+ {
+ name: "no args",
+ args: "create tenant",
+ assert: assertError("name is required"),
+ },
+ {
+ name: "no namespace",
+ args: "create tenant dev-team --cluster-role=cluster-admin",
+ assert: assertError("with-namespace is required"),
+ },
+ {
+ name: "basic tenant",
+ args: "create tenant dev-team --with-namespace=apps --cluster-role=cluster-admin --export",
+ assert: assertGoldenFile("./testdata/create_tenant/tenant-basic.yaml"),
+ },
+ {
+ name: "tenant with custom serviceaccount",
+ args: "create tenant dev-team --with-namespace=apps --cluster-role=cluster-admin --with-service-account=flux-tenant --export",
+ assert: assertGoldenFile("./testdata/create_tenant/tenant-with-service-account.yaml"),
+ },
+ {
+ name: "tenant with custom cluster role",
+ args: "create tenant dev-team --with-namespace=apps --cluster-role=custom-role --export",
+ assert: assertGoldenFile("./testdata/create_tenant/tenant-with-cluster-role.yaml"),
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ cmd := cmdTestCase{
+ args: tt.args,
+ assert: tt.assert,
+ }
+ cmd.runTestCmd(t)
+ })
+ }
+}
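Review bot: TestCreateTenant covers the happy paths of `--with-service-account` but not the validation branch added in the previous commit, so a regression that drops or loosens the name check would pass unnoticed. I'd add a case such as `{name: "invalid service account name", args: "create tenant dev-team --with-namespace=apps --with-service-account=bad@name --export", assert: assertError("invalid service-account name")}`, where `bad@name` is a constructed example of a name the validator rejects and the expected substring matches the error text in create_tenant.go, assuming assertError matches on a substring as the other cases suggest. The file is gated behind the `e2e` build tag like its siblings, so it will not run under a plain `go test ./...`; worth keeping in mind when reading CI results.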
diff --git a/cmd/flux/testdata/create_tenant/tenant-basic.yaml b/cmd/flux/testdata/create_tenant/tenant-basic.yaml
new file mode 100644
index 00000000..5bf0da1a
--- /dev/null
+++ b/cmd/flux/testdata/create_tenant/tenant-basic.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ toolkit.fluxcd.io/tenant: dev-team
+ name: apps
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ toolkit.fluxcd.io/tenant: dev-team
+ name: dev-team
+ namespace: apps
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ toolkit.fluxcd.io/tenant: dev-team
+ name: dev-team-reconciler
+ namespace: apps
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: gotk:apps:reconciler
+- kind: ServiceAccount
+ name: dev-team
+ namespace: apps
diff --git a/cmd/flux/testdata/create_tenant/tenant-with-cluster-role.yaml b/cmd/flux/testdata/create_tenant/tenant-with-cluster-role.yaml
new file mode 100644
index 00000000..69b5b2c5
--- /dev/null
+++ b/cmd/flux/testdata/create_tenant/tenant-with-cluster-role.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ toolkit.fluxcd.io/tenant: dev-team
+ name: apps
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ toolkit.fluxcd.io/tenant: dev-team
+ name: dev-team
+ namespace: apps
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ toolkit.fluxcd.io/tenant: dev-team
+ name: dev-team-reconciler
+ namespace: apps
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: custom-role
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: gotk:apps:reconciler
+- kind: ServiceAccount
+ name: dev-team
+ namespace: apps
diff --git a/cmd/flux/testdata/create_tenant/tenant-with-service-account.yaml b/cmd/flux/testdata/create_tenant/tenant-with-service-account.yaml
new file mode 100644
index 00000000..50a3e8fc
--- /dev/null
+++ b/cmd/flux/testdata/create_tenant/tenant-with-service-account.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ toolkit.fluxcd.io/tenant: dev-team
+ name: apps
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ toolkit.fluxcd.io/tenant: dev-team
+ name: flux-tenant
+ namespace: apps
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ toolkit.fluxcd.io/tenant: dev-team
+ name: dev-team-reconciler
+ namespace: apps
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: gotk:apps:reconciler
+- kind: ServiceAccount
+ name: flux-tenant
+ namespace: apps
From d1c9b633cd14ed692f27ac952db1489dd4ba6ea1 Mon Sep 17 00:00:00 2001 From: Stefan Bickel Date: Fri, 13 Jun 2025 12:37:08 +0200 Subject: [PATCH 10/12] Make golden tests pass Signed-off-by: Stefan Bickel Signed-off-by: S. M. Mohiuddin Khan Shiam <147746955+mohiuddin-khan-shiam@users.noreply.github.com>
---
 cmd/flux/create_tenant.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/cmd/flux/create_tenant.go b/cmd/flux/create_tenant.go
index 1c7c75bc..442f0f73 100644
--- a/cmd/flux/create_tenant.go
+++ b/cmd/flux/create_tenant.go
@@ -293,9 +293,9 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
 return err
 }
- fmt.Println("---")
+ rootCmd.Println("---")
 data = bytes.Replace(data, []byte("spec: {}\n"), []byte(""), 1)
- fmt.Println(resourceToString(data))
+ rootCmd.Println(resourceToString(data))
 account.TypeMeta = metav1.TypeMeta{
 APIVersion: "v1",
@@ -306,9 +306,9 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
 return err
 }
- fmt.Println("---")
+ rootCmd.Println("---")
 data = bytes.Replace(data, []byte("spec: {}\n"), []byte(""), 1)
- fmt.Println(resourceToString(data))
+ rootCmd.Println(resourceToString(data))
 roleBinding.TypeMeta = metav1.TypeMeta{
 APIVersion: "rbac.authorization.k8s.io/v1",
@@ -319,8 +319,8 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
 return err
 }
- fmt.Println("---")
- fmt.Println(resourceToString(data))
+ rootCmd.Println("---")
+ rootCmd.Println(resourceToString(data))
 return nil
 }
From 2b8564d79ffd0d19cf6bd1979b843db4744ea2e5 Mon Sep 17 00:00:00 2001 From: fluxcdbot Date: Fri, 13 Jun 2025 16:59:37 +0000 Subject: [PATCH 11/12] Update toolkit components - source-controller to v1.6.1 https://github.com/fluxcd/source-controller/blob/v1.6.1/CHANGELOG.md - image-reflector-controller to v0.35.2 https://github.com/fluxcd/image-reflector-controller/blob/v0.35.2/CHANGELOG.md - image-automation-controller to v0.41.1 https://github.com/fluxcd/image-automation-controller/blob/v0.41.1/CHANGELOG.md Signed-off-by: GitHub Signed-off-by: S. M. Mohiuddin Khan Shiam <147746955+mohiuddin-khan-shiam@users.noreply.github.com>
---
 go.mod | 6 +++--- go.sum | 12 ++++++------ .../image-automation-controller/kustomization.yaml | 4 ++-- .../image-reflector-controller/kustomization.yaml | 4 ++-- manifests/bases/source-controller/kustomization.yaml | 4 ++-- manifests/crds/kustomization.yaml | 6 +++--- 6 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/go.mod b/go.mod
index c2496bff..03e97a71 100644
--- a/go.mod
+++ b/go.mod
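Review bot: cobra's `Println` writes to the command's `OutOrStderr()`, so after this change exportTenant's YAML goes to stderr unless `rootCmd.SetOut` has been configured elsewhere; the golden tests presumably pass because the test harness sets the output writer, but it is worth confirming that the interactive `flux create tenant ... --export | kubectl apply -f -` path still receives the manifests on stdout. The reason for swapping `fmt.Println` out is not recorded anywhere in the file; a one-line comment above the first `rootCmd.Println("---")`, e.g. `// Print through rootCmd so the output writer can be captured in tests`, would save the next reader a git blame. exportTenant's body spans all three hunks of this commit and starts outside them.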
@@ -13,8 +13,8 @@ require (
 github.com/fluxcd/cli-utils v0.36.0-flux.13
 github.com/fluxcd/go-git-providers v0.23.0
 github.com/fluxcd/helm-controller/api v1.3.0
- github.com/fluxcd/image-automation-controller/api v0.41.0
- github.com/fluxcd/image-reflector-controller/api v0.35.1
+ github.com/fluxcd/image-automation-controller/api v0.41.1
+ github.com/fluxcd/image-reflector-controller/api v0.35.2
 github.com/fluxcd/kustomize-controller/api v1.6.0
 github.com/fluxcd/notification-controller/api v1.6.0
 github.com/fluxcd/pkg/apis/event v0.17.0
@@ -32,7 +32,7 @@ require (
 github.com/fluxcd/pkg/ssh v0.19.0
 github.com/fluxcd/pkg/tar v0.12.0
 github.com/fluxcd/pkg/version v0.7.0
- github.com/fluxcd/source-controller/api v1.6.0
+ github.com/fluxcd/source-controller/api v1.6.1
 github.com/go-git/go-git/v5 v5.16.2
 github.com/go-logr/logr v1.4.2
 github.com/gonvenience/bunt v1.4.0
diff --git a/go.sum b/go.sum
index f3733e63..4cf07eb1 100644
--- a/go.sum
+++ b/go.sum
@@ -165,10 +165,10 @@ github.com/fluxcd/go-git-providers v0.23.0 h1:7IkXIOzdMQZO98daCyFWORMMceA/eIDnq6
 github.com/fluxcd/go-git-providers v0.23.0/go.mod h1:XUDCVcBbCp0OgnKztOenSbiYXms/0yPquhuhVCNyqfU=
 github.com/fluxcd/helm-controller/api v1.3.0 h1:PupXPuQbksmU0g2Lc6NjIYal2HJGL+6xohsf82eGVjo=
 github.com/fluxcd/helm-controller/api v1.3.0/go.mod h1:4b8PfdH0e/9Pfol2ogdMYbQ1nLjcVu9gAv27cQzIPK4=
-github.com/fluxcd/image-automation-controller/api v0.41.0 h1:wItzHTo0w50NKaJ4wV6iXKbWo5vvjDpl6bY9NOK6Rs8=
-github.com/fluxcd/image-automation-controller/api v0.41.0/go.mod h1:u1L/gztaeJgwRQrPEx2DqE4mlYoAfSeKTWx/JLUxRbA=
-github.com/fluxcd/image-reflector-controller/api v0.35.1 h1:QpnLjPR4BMRQN2C+cL6NhjvsUCQoQS00Qq40DC85OtY=
-github.com/fluxcd/image-reflector-controller/api v0.35.1/go.mod h1:mjpokoQhFs2RxfFjY4rHpn3ZAUvee8TiELyROFN4wiA=
+github.com/fluxcd/image-automation-controller/api v0.41.1 h1:zT0BN/LRqMzo4B53mM7ayAg73Ifh+th46H6TtQrB+7A=
+github.com/fluxcd/image-automation-controller/api v0.41.1/go.mod h1:TaCaXnDu0a6uWyF41WkyskH0gg6dFyniftvdCELcEKU=
+github.com/fluxcd/image-reflector-controller/api v0.35.2 h1:EzjtUpyx8kbTFx7ugdi5LRMaCpQW4kX/vjFCIPpPD38=
+github.com/fluxcd/image-reflector-controller/api v0.35.2/go.mod h1:mjpokoQhFs2RxfFjY4rHpn3ZAUvee8TiELyROFN4wiA=
 github.com/fluxcd/kustomize-controller/api v1.6.0 h1:8p230vpJy7giisoBNuI3CX99O+XKKVLLxXuJmv3sOHQ=
 github.com/fluxcd/kustomize-controller/api v1.6.0/go.mod h1:b0i/KVz28tV8iuqlNHx7MW6ZtTcIbBELGLoKdaK+X8M=
 github.com/fluxcd/notification-controller/api v1.6.0 h1:t0k662zxnUZlnDvFrk4DBDl6iivFmJxbwuRdyhH9Ot4=
@@ -211,8 +211,8 @@ github.com/fluxcd/pkg/tar v0.12.0 h1:og6F+ivnWNRbNJSq0ukCTVs7YrGIlzjxSVZU+E8NprM
 github.com/fluxcd/pkg/tar v0.12.0/go.mod h1:Ra5Cj++MD5iCy7bZGKJJX3GpOeMPv+ZDkPO9bBwpDeU=
 github.com/fluxcd/pkg/version v0.7.0 h1:jZT5I6WFy1KlM40nHCSqlHmjC1VT1/DfmbAdOkIVVJc=
 github.com/fluxcd/pkg/version v0.7.0/go.mod h1:3BjQDJXIZJmeJLXnfa2yG/sNAT1t5oeLAPfnSjOHNuA=
-github.com/fluxcd/source-controller/api v1.6.0 h1:IxfjUczJ2pzbXIef6iQ0RHEH4AYA9anJfTGK8dzwODM=
-github.com/fluxcd/source-controller/api v1.6.0/go.mod h1:ZJcAi0nemsnBxjVgmJl0WQzNvB0rMETxQMTdoFosmMw=
+github.com/fluxcd/source-controller/api v1.6.1 h1:ZPTA9lNzBYHmwHfFX978qb8xVkdnQZHF1ggo6BoFm4w=
+github.com/fluxcd/source-controller/api v1.6.1/go.mod h1:ZJcAi0nemsnBxjVgmJl0WQzNvB0rMETxQMTdoFosmMw=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vtxU=
diff --git a/manifests/bases/image-automation-controller/kustomization.yaml b/manifests/bases/image-automation-controller/kustomization.yaml
index 6007f53a..a7edcf3b 100644
--- a/manifests/bases/image-automation-controller/kustomization.yaml
+++ b/manifests/bases/image-automation-controller/kustomization.yaml
@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/image-automation-controller/releases/download/v0.41.0/image-automation-controller.crds.yaml
-- https://github.com/fluxcd/image-automation-controller/releases/download/v0.41.0/image-automation-controller.deployment.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v0.41.1/image-automation-controller.crds.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v0.41.1/image-automation-controller.deployment.yaml
 - account.yaml
 transformers:
 - labels.yaml
diff --git a/manifests/bases/image-reflector-controller/kustomization.yaml b/manifests/bases/image-reflector-controller/kustomization.yaml
index c9621e06..3dde75b7 100644
--- a/manifests/bases/image-reflector-controller/kustomization.yaml
+++ b/manifests/bases/image-reflector-controller/kustomization.yaml
@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.35.1/image-reflector-controller.crds.yaml
-- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.35.1/image-reflector-controller.deployment.yaml
+- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.35.2/image-reflector-controller.crds.yaml
+- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.35.2/image-reflector-controller.deployment.yaml
 - account.yaml
 transformers:
 - labels.yaml
diff --git a/manifests/bases/source-controller/kustomization.yaml b/manifests/bases/source-controller/kustomization.yaml
index 341ae860..85be536c 100644
--- a/manifests/bases/source-controller/kustomization.yaml
+++ b/manifests/bases/source-controller/kustomization.yaml
@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v1.6.0/source-controller.crds.yaml
-- https://github.com/fluxcd/source-controller/releases/download/v1.6.0/source-controller.deployment.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v1.6.1/source-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v1.6.1/source-controller.deployment.yaml
 - account.yaml
 transformers:
 - labels.yaml
diff --git a/manifests/crds/kustomization.yaml b/manifests/crds/kustomization.yaml
index 88727ea0..4ccd55ff 100644
--- a/manifests/crds/kustomization.yaml
+++ b/manifests/crds/kustomization.yaml
@@ -1,9 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v1.6.0/source-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v1.6.1/source-controller.crds.yaml
 - https://github.com/fluxcd/kustomize-controller/releases/download/v1.6.0/kustomize-controller.crds.yaml
 - https://github.com/fluxcd/helm-controller/releases/download/v1.3.0/helm-controller.crds.yaml
 - https://github.com/fluxcd/notification-controller/releases/download/v1.6.0/notification-controller.crds.yaml
-- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.35.1/image-reflector-controller.crds.yaml
-- https://github.com/fluxcd/image-automation-controller/releases/download/v0.41.0/image-automation-controller.crds.yaml
+- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.35.2/image-reflector-controller.crds.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v0.41.1/image-automation-controller.crds.yaml
From 9265d67fe6d7b7b9d2f3b60bdb8672cf0ae084ef Mon Sep 17 00:00:00 2001 From: "S. M. Mohiuddin Khan Shiam" Date: Wed, 18 Jun 2025 01:22:53 +0600 Subject: [PATCH 12/12] fix(events): respect `--all-namespaces` flag The `flux events` command always applied a namespace filter, even when `--all-namespaces` was set. This produced incomplete results and confused users expecting cluster-wide events. Changes made: * Build `clientListOpts` dynamically. * Omit `client.InNamespace(...)` when `eventArgs.allNamespaces` is true, ensuring no namespace constraint. Impact: `flux events --all-namespaces` now returns events from every namespace, restoring expected functionality without affecting other options. Signed-off-by: S. M. Mohiuddin Khan Shiam <147746955+mohiuddin-khan-shiam@users.noreply.github.com>
---
 cmd/flux/events.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/cmd/flux/events.go b/cmd/flux/events.go
index bcaafae6..dc0bbd66 100644
--- a/cmd/flux/events.go
+++ b/cmd/flux/events.go
@@ -112,7 +112,12 @@ func eventsCmdRun(cmd *cobra.Command, args []string) error {
 }
 var diffRefNs bool
- clientListOpts := []client.ListOption{client.InNamespace(*kubeconfigArgs.Namespace)}
+ // Build the base list options. When --all-namespaces is set we must NOT constrain the
+ // query to a single namespace, otherwise we silently return a partial result set.
+ clientListOpts := []client.ListOption{}
+ if !eventArgs.allNamespaces {
+ clientListOpts = append(clientListOpts, client.InNamespace(*kubeconfigArgs.Namespace))
+ }
 var refListOpts [][]client.ListOption
 if eventArgs.forSelector != "" {
 kind, name := getKindNameFromSelector(eventArgs.forSelector)
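Review bot: `clientListOpts := []client.ListOption{}` allocates an empty slice where the idiomatic zero value does the same job; `var clientListOpts []client.ListOption` behaves identically with the `append` two lines below and, presumably, with the variadic List call the options are later passed to, and it reads as "no options yet". The two-line comment could be trimmed to the why, e.g. `// --all-namespaces must not add a namespace constraint, or the result is silently partial.` eventsCmdRun continues outside the hunk, so I could not check whether the per-reference option sets built into `refListOpts` still pin a namespace when `--all-namespaces` is set; that is where I would look next. A user whose RBAC is namespace-scoped will now get a forbidden error from a cluster-wide list instead of a silently partial result, which is the right outcome but may deserve a line in the command's help text.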