diff --git a/.github/workflows/e2e-openshift.yaml b/.github/workflows/e2e-openshift.yaml
index f40739c2..c0c4e1fe 100644
--- a/.github/workflows/e2e-openshift.yaml
+++ b/.github/workflows/e2e-openshift.yaml
@@ -39,13 +39,18 @@ jobs:
 kubernetes-version: "4.15.0-okd"
 ttl: 20m
 cluster-name: "${{ steps.prep.outputs.cluster }}"
- - name: Run flux check
+ - name: Setup kubeconfig
 run: |
 echo "${{ steps.create-cluster.outputs.cluster-kubeconfig }}" > kubeconfig.yaml
- ./bin/flux check --kubeconfig=kubeconfig.yaml
- - name: Apply openshift prerequisites
+ - name: Install Flux
 run: |
- kubectl apply -k ./manifests/openshift --kubeconfig=kubeconfig.yaml
+ ./bin/flux install --manifests ./manifests/openshift/ --kubeconfig=kubeconfig.yaml
+ - name: Debug
+ run: |
+ kubectl -n flux-system get all --kubeconfig=kubeconfig.yaml
+ kubectl -n flux-system describe pods --kubeconfig=kubeconfig.yaml
+ kubectl -n flux-system logs deploy/source-controller --kubeconfig=kubeconfig.yaml
+ kubectl -n flux-system logs deploy/kustomize-controller --kubeconfig=kubeconfig.yaml
 - name: Remove cluster
 if: ${{ always() }}
 uses: replicatedhq/replicated-actions/remove-cluster@v1
diff --git a/manifests/openshift/kustomization.yaml b/manifests/openshift/kustomization.yaml
index b5633ece..a161f2b1 100644
--- a/manifests/openshift/kustomization.yaml
+++ b/manifests/openshift/kustomization.yaml
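Review bot: The new `Debug` step carries no `if:` condition, so it is skipped exactly when `Install Flux` fails, which is the case it exists to diagnose; add `if: ${{ always() }}` (or `if: ${{ failure() }}`) to that step, as `Remove cluster` already does. With `flux check` removed, nothing visible in this hunk validates the written kubeconfig before `flux install` runs; if `flux install` performs its own preflight that is fine, but a short comment on the `Setup kubeconfig` step saying so would avoid a reviewer re-adding the check. The debug step also prints controller logs and pod descriptions into the job log, so it is worth naming the step for what it does, e.g. `Dump flux-system state`, rather than `Debug`. The enclosing job starts before this hunk.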
@@ -1,4 +1,48 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+namespace: flux-system
 resources:
- - rbac.yaml
+ - namespace.yaml
+ - scc.yaml
+ - ../bases/source-controller
+ - ../bases/kustomize-controller
+ - ../bases/notification-controller
+ - ../bases/helm-controller
+ - ../bases/image-reflector-controller
+ - ../bases/image-automation-controller
+ - ../rbac
+ - ../policies
+transformers:
+ - labels.yaml
+images:
+ - name: fluxcd/source-controller
+ newName: ghcr.io/fluxcd/source-controller
+ - name: fluxcd/kustomize-controller
+ newName: ghcr.io/fluxcd/kustomize-controller
+ - name: fluxcd/helm-controller
+ newName: ghcr.io/fluxcd/helm-controller
+ - name: fluxcd/notification-controller
+ newName: ghcr.io/fluxcd/notification-controller
+ - name: fluxcd/image-reflector-controller
+ newName: ghcr.io/fluxcd/image-reflector-controller
+ - name: fluxcd/image-automation-controller
+ newName: ghcr.io/fluxcd/image-automation-controller
+patches:
+ - patch: |
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: all
+ spec:
+ template:
+ spec:
+ securityContext:
+ $patch: delete
+ containers:
+ - name: manager
+ securityContext:
+ runAsUser: 65534
+ seccompProfile:
+ $patch: delete
+ target:
+ kind: Deployment
diff --git a/manifests/openshift/labels.yaml b/manifests/openshift/labels.yaml
new file mode 100644
index 00000000..5a5d78b4
--- /dev/null
+++ b/manifests/openshift/labels.yaml
@@ -0,0 +1,10 @@
+apiVersion: builtin
+kind: LabelTransformer
+metadata:
+ name: labels
+labels:
+ app.kubernetes.io/part-of: flux
+ app.kubernetes.io/instance: flux-system
+fieldSpecs:
+ - path: metadata/labels
+ create: true
diff --git a/manifests/openshift/namespace.yaml b/manifests/openshift/namespace.yaml
new file mode 100644
index 00000000..c00a4321
--- /dev/null
+++ b/manifests/openshift/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: flux-system
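Review bot: The `patches:` entry deletes the pod-level `securityContext` and the container `seccompProfile` on every Deployment while setting only `runAsUser: 65534`, so whatever hardening those fields carried in the bases (not visible in this diff) now rests entirely on what the bound SCC injects, and nothing in the file says so. Add `runAsNonRoot: true` beside `runAsUser: 65534` so the non-root intent is stated in the manifest itself rather than inherited from admission, and put a comment above `patches:` such as `# OpenShift SCC admission sets seccomp and pod-level security fields; remove them so the SCC defaults apply`. The `images:` entries rewrite only `newName`, so tags or digests continue to come from the bases; a one-line comment noting that would save the next reader from looking for a missing `newTag`.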
diff --git a/manifests/openshift/rbac.yaml b/manifests/openshift/rbac.yaml
deleted file mode 100644
index fefb26fe..00000000
--- a/manifests/openshift/rbac.yaml
+++ /dev/null
@@ -1,68 +0,0 @@
-apiVersion: v1
-kind: List
-items:
- - apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRole
- metadata:
- name: flux-scc
- rules:
- - apiGroups:
- - security.openshift.io
- resources:
- - securitycontextconstraints
- resourceNames:
- - nonroot
- verbs:
- - use
- - apiVersion: rbac.authorization.k8s.io/v1
- kind: RoleBinding
- metadata:
- name: flux-scc-source-controller
- namespace: flux-system
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: flux-scc
- subjects:
- - kind: ServiceAccount
- name: source-controller
- namespace: flux-system
- - apiVersion: rbac.authorization.k8s.io/v1
- kind: RoleBinding
- metadata:
- name: flux-scc-kustomize-controller
- namespace: flux-system
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: flux-scc
- subjects:
- - kind: ServiceAccount
- name: kustomize-controller
- namespace: flux-system
- - apiVersion: rbac.authorization.k8s.io/v1
- kind: RoleBinding
- metadata:
- name: flux-scc-helm-controller
- namespace: flux-system
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: flux-scc
- subjects:
- - kind: ServiceAccount
- name: helm-controller
- namespace: flux-system
- - apiVersion: rbac.authorization.k8s.io/v1
- kind: RoleBinding
- metadata:
- name: flux-scc-notification-controller
- namespace: flux-system
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: flux-scc
- subjects:
- - kind: ServiceAccount
- name: notification-controller
- namespace: flux-system
diff --git a/manifests/openshift/scc.yaml b/manifests/openshift/scc.yaml
new file mode 100644
index 00000000..da8bcd99
--- /dev/null
+++ b/manifests/openshift/scc.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: flux-scc
+rules:
+ - apiGroups:
+ - security.openshift.io
+ resources:
+ - securitycontextconstraints
+ resourceNames:
+ - nonroot
+ verbs:
+ - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: flux-scc
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: flux-scc
+subjects:
+ - kind: ServiceAccount
+ name: source-controller
+ namespace: flux-system
+ - kind: ServiceAccount
+ name: kustomize-controller
+ namespace: flux-system
+ - kind: ServiceAccount
+ name: helm-controller
+ namespace: flux-system
+ - kind: ServiceAccount
+ name: notification-controller
+ namespace: flux-system
+ - kind: ServiceAccount
+ name: image-reflector-controller
+ namespace: flux-system
+ - kind: ServiceAccount
+ name: image-automation-controller
+ namespace: flux-system
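Review bot: The `flux-scc` binding is a `ClusterRoleBinding`, which grants `use` on the `nonroot` SCC to these service accounts cluster-wide, even though every subject is in `flux-system` and the kustomization pins `namespace: flux-system`; a namespaced `RoleBinding` that references the same ClusterRole is sufficient for SCC admission and keeps the grant scoped to that namespace. Change `kind: ClusterRoleBinding` to `kind: RoleBinding` and add `namespace: flux-system` under `metadata:`, leaving `roleRef` unchanged. The deleted rbac.yaml pointed its RoleBindings at `kind: Role` `flux-scc`, which was never defined, so switching the reference to the ClusterRole is the right correction; only the binding scope is wider than needed. A comment above `rules:` stating that the controllers are expected to run under the `nonroot` SCC would also help, since `resourceNames: nonroot` is currently the only hint.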