Mirrors
/
flux2
mirror of https://github.com/fluxcd/flux2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2856 from fluxcd/oci

Browse Source 
[RFC-0003] Add commands for managing OCI artifacts
pull/2966/head
Stefan Prodan 2 years ago committed by GitHub
parent ac50aea21f 7e2d235f53
commit c06072d5cf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
54 changed files with 2658 additions and 133 deletions
Show Stats Download Patch File Download Diff File

37
.github/workflows/e2e.yaml vendored
Unescape Escape View File

@ -4,11 +4,16 @@ on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
branches: [ main, oci ]
jobs:
kind:
runs-on: ubuntu-latest
services:
registry:
image: registry:2
ports:
- 5000:5000
steps:
- name: Checkout
uses: actions/checkout@v3
@ -168,6 +173,36 @@ jobs:
- name: flux delete source git
run: |
/tmp/flux delete source git podinfo --silent
- name: flux oci artifacts
run: |
/tmp/flux push artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
--path="./manifests" \
--source="${{ github.repositoryUrl }}" \
--revision="${{ github.ref }}/${{ github.sha }}"
/tmp/flux tag artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
--tag latest
/tmp/flux list artifacts oci://localhost:5000/fluxcd/flux
- name: flux oci repositories
run: |
/tmp/flux create source oci podinfo-oci \
--url oci://ghcr.io/stefanprodan/manifests/podinfo \
--tag-semver 6.1.x \
--interval 10m
/tmp/flux create kustomization podinfo-oci \
--source=OCIRepository/podinfo-oci \
--path="./kustomize" \
--prune=true \
--interval=5m \
--target-namespace=default \
--wait=true \
--health-check-timeout=3m
/tmp/flux reconcile source oci podinfo-oci
/tmp/flux suspend source oci podinfo-oci
/tmp/flux get sources oci
/tmp/flux resume source oci podinfo-oci
/tmp/flux export source oci podinfo-oci
/tmp/flux delete ks podinfo-oci --silent
/tmp/flux delete source oci podinfo-oci --silent
- name: flux create tenant
run: |
/tmp/flux create tenant dev-team --with-namespace=apps

4
Makefile
Unescape Escape View File

@ -1,4 +1,5 @@
VERSION?=$(shell grep 'VERSION' cmd/flux/main.go | awk '{ print $$4 }' | head -n 1 | tr -d '"')
DEV_VERSION?=0.0.0-$(shell git rev-parse --abbrev-ref HEAD)-$(shell git rev-parse --short HEAD)-$(shell date +%s)
EMBEDDED_MANIFESTS_TARGET=cmd/flux/.manifests.done
TEST_KUBECONFIG?=/tmp/flux-e2e-test-kubeconfig
# Architecture to use envtest with
@ -55,6 +56,9 @@ $(EMBEDDED_MANIFESTS_TARGET): $(call rwildcard,manifests/,*.yaml *.json)
build: $(EMBEDDED_MANIFESTS_TARGET)
CGO_ENABLED=0 go build -ldflags="-s -w -X main.VERSION=$(VERSION)" -o ./bin/flux ./cmd/flux
build-dev: $(EMBEDDED_MANIFESTS_TARGET)
CGO_ENABLED=0 go build -ldflags="-s -w -X main.VERSION=$(DEV_VERSION)" -o ./bin/flux ./cmd/flux
.PHONY: install
install:
CGO_ENABLED=0 go install ./cmd/flux

88
action/README.md
Unescape Escape View File

@ -32,7 +32,7 @@ You can download a specific version with:
- name: Setup Flux CLI
uses: fluxcd/flux2/action@main
with:
version: 0.8.0
version: 0.32.0
```
### Automate Flux updates
@ -74,6 +74,92 @@ jobs:
${{ steps.update.outputs.flux_version }}
```
### Push Kubernetes manifests to container registries
Example workflow for publishing Kubernetes manifests bundled as OCI artifacts to GitHub Container Registry:
```yaml
name: push-artifact-staging
on:
push:
branches:
- 'main'
permissions:
packages: write # needed for ghcr.io access
env:
OCI_REPO: "oci://ghcr.io/my-org/manifests/${{ github.event.repository.name }}"
jobs:
kubernetes:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Setup Flux CLI
uses: fluxcd/flux2/action@main
- name: Login to GHCR
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Generate manifests
run: |
kustomize build ./manifests/staging > ./deploy/app.yaml
- name: Push manifests
run: |
flux push artifact $OCI_REPO:$(git rev-parse --short HEAD) \
--path="./deploy" \
--source="$(git config --get remote.origin.url)" \
--revision="$(git branch --show-current)/$(git rev-parse HEAD)"
- name: Deploy manifests to staging
run: |
flux tag artifact $OCI_REPO:$(git rev-parse --short HEAD) --tag staging
```
Example workflow for publishing Kubernetes manifests bundled as OCI artifacts to Docker Hub:
```yaml
name: push-artifact-production
on:
push:
tags:
- '*'
env:
OCI_REPO: "oci://docker.io/my-org/app-config"
jobs:
kubernetes:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Setup Flux CLI
uses: fluxcd/flux2/action@main
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Generate manifests
run: |
kustomize build ./manifests/production > ./deploy/app.yaml
- name: Push manifests
run: |
flux push artifact $OCI_REPO:$(git tag --points-at HEAD) \
--path="./deploy" \
--source="$(git config --get remote.origin.url)" \
--revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)"
- name: Deploy manifests to production
run: |
flux tag artifact $OCI_REPO:$(git tag --points-at HEAD) --tag production
```
### End-to-end testing
Example workflow for running Flux in Kubernetes Kind:

73
cmd/flux/build_artifact.go
Unescape Escape View File

@ -0,0 +1,73 @@
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"fmt"
"os"
"github.com/spf13/cobra"
oci "github.com/fluxcd/pkg/oci/client"
)
var buildArtifactCmd = &cobra.Command{
Use: "artifact",
Short: "Build artifact",
Long: `The build artifact command creates a tgz file with the manifests from the given directory.`,
Example: ` # Build the given manifests directory into an artifact
flux build artifact --path ./path/to/local/manifests --output ./path/to/artifact.tgz
# List the files bundled in the artifact
tar -ztvf ./path/to/artifact.tgz
`,
RunE: buildArtifactCmdRun,
}
type buildArtifactFlags struct {
output string
path string
}
var buildArtifactArgs buildArtifactFlags
func init() {
buildArtifactCmd.Flags().StringVar(&buildArtifactArgs.path, "path", "", "Path to the directory where the Kubernetes manifests are located.")
buildArtifactCmd.Flags().StringVarP(&buildArtifactArgs.output, "output", "o", "artifact.tgz", "Path to where the artifact tgz file should be written.")
buildCmd.AddCommand(buildArtifactCmd)
}
func buildArtifactCmdRun(cmd *cobra.Command, args []string) error {
if buildArtifactArgs.path == "" {
return fmt.Errorf("invalid path %q", buildArtifactArgs.path)
}
if fs, err := os.Stat(buildArtifactArgs.path); err != nil || !fs.IsDir() {
return fmt.Errorf("invalid path '%s', must point to an existing directory", buildArtifactArgs.path)
}
logger.Actionf("building artifact from %s", buildArtifactArgs.path)
ociClient := oci.NewLocalClient()
if err := ociClient.Build(buildArtifactArgs.output, buildArtifactArgs.path); err != nil {
return fmt.Errorf("bulding artifact failed, error: %w", err)
}
logger.Successf("artifact created at %s", buildArtifactArgs.output)
return nil
}

7
cmd/flux/create_kustomization.go
Unescape Escape View File

@ -68,6 +68,13 @@ var createKsCmd = &cobra.Command{
--prune=true \
--interval=5m
# Create a Kustomization resource that references an OCIRepository
flux create kustomization podinfo \
--source=OCIRepository/podinfo \
--target-namespace=default \
--prune=true \
--interval=5m
# Create a Kustomization resource that references a Bucket
flux create kustomization secrets \
--source=Bucket/secrets \

16
cmd/flux/create_secret_helm_test.go
Unescape Escape View File

@ -1,3 +1,19 @@
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (

121
cmd/flux/create_secret_oci.go
Unescape Escape View File

@ -0,0 +1,121 @@
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"context"
"fmt"
"github.com/fluxcd/flux2/internal/utils"
"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
"github.com/google/go-containerregistry/pkg/name"
"github.com/spf13/cobra"
corev1 "k8s.io/api/core/v1"
"sigs.k8s.io/yaml"
)
var createSecretOCICmd = &cobra.Command{
Use: "oci [name]",
Short: "Create or update a Kubernetes image pull secret",
Long: `The create secret oci command generates a Kubernetes secret that can be used for OCIRepository authentication`,
Example: ` # Create an OCI authentication secret on disk and encrypt it with Mozilla SOPS
flux create secret oci podinfo-auth \
--url=ghcr.io \
--username=username \
--password=password \
--export > repo-auth.yaml
sops --encrypt --encrypted-regex '^(data|stringData)$' \
--in-place repo-auth.yaml
`,
RunE: createSecretOCICmdRun,
}
type secretOCIFlags struct {
url string
password string
username string
}
var secretOCIArgs = secretOCIFlags{}
func init() {
createSecretOCICmd.Flags().StringVar(&secretOCIArgs.url, "url", "", "oci repository address e.g ghcr.io/stefanprodan/charts")
createSecretOCICmd.Flags().StringVarP(&secretOCIArgs.username, "username", "u", "", "basic authentication username")
createSecretOCICmd.Flags().StringVarP(&secretOCIArgs.password, "password", "p", "", "basic authentication password")
createSecretCmd.AddCommand(createSecretOCICmd)
}
func createSecretOCICmdRun(cmd *cobra.Command, args []string) error {
if len(args) < 1 {
return fmt.Errorf("name is required")
}
secretName := args[0]
if secretOCIArgs.url == "" {
return fmt.Errorf("--url is required")
}
if secretOCIArgs.username == "" {
return fmt.Errorf("--username is required")
}
if secretOCIArgs.password == "" {
return fmt.Errorf("--password is required")
}
if _, err := name.ParseReference(secretOCIArgs.url); err != nil {
return fmt.Errorf("error parsing url: '%s'", err)
}
opts := sourcesecret.Options{
Name: secretName,
Namespace: *kubeconfigArgs.Namespace,
Registry: secretOCIArgs.url,
Password: secretOCIArgs.password,
Username: secretOCIArgs.username,
}
secret, err := sourcesecret.Generate(opts)
if err != nil {
return err
}
if createArgs.export {
rootCmd.Println(secret.Content)
return nil
}
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
defer cancel()
kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
if err != nil {
return err
}
var s corev1.Secret
if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
return err
}
if err := upsertSecret(ctx, kubeClient, s); err != nil {
return err
}
logger.Actionf("oci secret '%s' created in '%s' namespace", secretName, *kubeconfigArgs.Namespace)
return nil
}

51
cmd/flux/create_secret_oci_test.go
Unescape Escape View File

@ -0,0 +1,51 @@
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"testing"
)
func TestCreateSecretOCI(t *testing.T) {
tests := []struct {
name string
args string
assert assertFunc
}{
{
args: "create secret oci",
assert: assertError("name is required"),
},
{
args: "create secret oci ghcr",
assert: assertError("--url is required"),
},
{
args: "create secret oci ghcr --namespace=my-namespace --url ghcr.io --username stefanprodan --password=password --export",
assert: assertGoldenFile("testdata/create_secret/oci/create-secret.yaml"),
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
cmd := cmdTestCase{
args: tt.args,
assert: tt.assert,
}
cmd.runTestCmd(t)
})
}
}

244
cmd/flux/create_source_oci.go
Unescape Escape View File

@ -0,0 +1,244 @@
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"context"
"fmt"
"strings"
"github.com/spf13/cobra"
"k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/wait"
"sigs.k8s.io/controller-runtime/pkg/client"
"github.com/fluxcd/pkg/apis/meta"
"github.com/fluxcd/pkg/runtime/conditions"
sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
"github.com/fluxcd/flux2/internal/flags"
"github.com/fluxcd/flux2/internal/utils"
)
var createSourceOCIRepositoryCmd = &cobra.Command{
Use: "oci [name]",
Short: "Create or update an OCIRepository",
Long: `The create source oci command generates an OCIRepository resource and waits for it to be ready.`,
Example: ` # Create an OCIRepository for a public container image
flux create source oci podinfo \
--url=oci://ghcr.io/stefanprodan/manifests/podinfo \
--tag=6.1.6 \
--interval=10m
`,
RunE: createSourceOCIRepositoryCmdRun,
}
type sourceOCIRepositoryFlags struct {
url string
tag string
semver string
digest string
secretRef string
serviceAccount string
certSecretRef string
ignorePaths []string
provider flags.SourceOCIProvider
}
var sourceOCIRepositoryArgs = newSourceOCIFlags()
func newSourceOCIFlags() sourceOCIRepositoryFlags {
return sourceOCIRepositoryFlags{
provider: flags.SourceOCIProvider(sourcev1.GenericOCIProvider),
}
}
func init() {
createSourceOCIRepositoryCmd.Flags().Var(&sourceOCIRepositoryArgs.provider, "provider", sourceOCIRepositoryArgs.provider.Description())
createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.url, "url", "", "the OCI repository URL")
createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.tag, "tag", "", "the OCI artifact tag")
createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.semver, "tag-semver", "", "the OCI artifact tag semver range")
createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.digest, "digest", "", "the OCI artifact digest")
createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.secretRef, "secret-ref", "", "the name of the Kubernetes image pull secret (type 'kubernetes.io/dockerconfigjson')")
createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.serviceAccount, "service-account", "", "the name of the Kubernetes service account that refers to an image pull secret")
createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.certSecretRef, "cert-ref", "", "the name of a secret to use for TLS certificates")
createSourceOCIRepositoryCmd.Flags().StringSliceVar(&sourceOCIRepositoryArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore resources (can specify multiple paths with commas: path1,path2)")
createSourceCmd.AddCommand(createSourceOCIRepositoryCmd)
}
func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
name := args[0]
if sourceOCIRepositoryArgs.url == "" {
return fmt.Errorf("url is required")
}
if sourceOCIRepositoryArgs.semver == "" && sourceOCIRepositoryArgs.tag == "" && sourceOCIRepositoryArgs.digest == "" {
return fmt.Errorf("--tag, --tag-semver or --digest is required")
}
sourceLabels, err := parseLabels()
if err != nil {
return err
}
var ignorePaths *string
if len(sourceOCIRepositoryArgs.ignorePaths) > 0 {
ignorePathsStr := strings.Join(sourceOCIRepositoryArgs.ignorePaths, "\n")
ignorePaths = &ignorePathsStr
}
repository := &sourcev1.OCIRepository{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: *kubeconfigArgs.Namespace,
Labels: sourceLabels,
},
Spec: sourcev1.OCIRepositorySpec{
Provider: sourceOCIRepositoryArgs.provider.String(),
URL: sourceOCIRepositoryArgs.url,
Interval: metav1.Duration{
Duration: createArgs.interval,
},
Reference: &sourcev1.OCIRepositoryRef{},
Ignore: ignorePaths,
},
}
if digest := sourceOCIRepositoryArgs.digest; digest != "" {
repository.Spec.Reference.Digest = digest
}
if semver := sourceOCIRepositoryArgs.semver; semver != "" {
repository.Spec.Reference.SemVer = semver
}
if tag := sourceOCIRepositoryArgs.tag; tag != "" {
repository.Spec.Reference.Tag = tag
}
if createSourceArgs.fetchTimeout > 0 {
repository.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
}
if saName := sourceOCIRepositoryArgs.serviceAccount; saName != "" {
repository.Spec.ServiceAccountName = saName
}
if secretName := sourceOCIRepositoryArgs.secretRef; secretName != "" {
repository.Spec.SecretRef = &meta.LocalObjectReference{
Name: secretName,
}
}
if secretName := sourceOCIRepositoryArgs.certSecretRef; secretName != "" {
repository.Spec.CertSecretRef = &meta.LocalObjectReference{
Name: secretName,
}
}
if createArgs.export {
return printExport(exportOCIRepository(repository))
}
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
defer cancel()
kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
if err != nil {
return err
}
logger.Actionf("applying OCIRepository")
namespacedName, err := upsertOCIRepository(ctx, kubeClient, repository)
if err != nil {
return err
}
logger.Waitingf("waiting for OCIRepository reconciliation")
if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
isOCIRepositoryReady(ctx, kubeClient, namespacedName, repository)); err != nil {
return err
}
logger.Successf("OCIRepository reconciliation completed")
if repository.Status.Artifact == nil {
return fmt.Errorf("no artifact was found")
}
logger.Successf("fetched revision: %s", repository.Status.Artifact.Revision)
return nil
}
func upsertOCIRepository(ctx context.Context, kubeClient client.Client,
ociRepository *sourcev1.OCIRepository) (types.NamespacedName, error) {
namespacedName := types.NamespacedName{
Namespace: ociRepository.GetNamespace(),
Name: ociRepository.GetName(),
}
var existing sourcev1.OCIRepository
err := kubeClient.Get(ctx, namespacedName, &existing)
if err != nil {
if errors.IsNotFound(err) {
if err := kubeClient.Create(ctx, ociRepository); err != nil {
return namespacedName, err
} else {
logger.Successf("OCIRepository created")
return namespacedName, nil
}
}
return namespacedName, err
}
existing.Labels = ociRepository.Labels
existing.Spec = ociRepository.Spec
if err := kubeClient.Update(ctx, &existing); err != nil {
return namespacedName, err
}
ociRepository = &existing
logger.Successf("OCIRepository updated")
return namespacedName, nil
}
func isOCIRepositoryReady(ctx context.Context, kubeClient client.Client,
namespacedName types.NamespacedName, ociRepository *sourcev1.OCIRepository) wait.ConditionFunc {
return func() (bool, error) {
err := kubeClient.Get(ctx, namespacedName, ociRepository)
if err != nil {
return false, err
}
if c := conditions.Get(ociRepository, meta.ReadyCondition); c != nil {
// Confirm the Ready condition we are observing is for the
// current generation
if c.ObservedGeneration != ociRepository.GetGeneration() {
return false, nil
}
// Further check the Status
switch c.Status {
case metav1.ConditionTrue:
return true, nil
case metav1.ConditionFalse:
return false, fmt.Errorf(c.Message)
}
}
return false, nil
}
}

61
cmd/flux/create_source_oci_test.go
Unescape Escape View File

@ -0,0 +1,61 @@
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"testing"
)
func TestCreateSourceOCI(t *testing.T) {
tests := []struct {
name string
args string
assertFunc assertFunc
}{
{
name: "NoArgs",
args: "create source oci",
assertFunc: assertError("name is required"),
},
{
name: "NoURL",
args: "create source oci podinfo",
assertFunc: assertError("url is required"),
},
{
name: "export manifest",
args: "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.1.6 --interval 10m --export",
assertFunc: assertGoldenFile("./testdata/oci/export.golden"),
},
{
name: "export manifest with secret",
args: "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.1.6 --interval 10m --secret-ref=creds --export",
assertFunc: assertGoldenFile("./testdata/oci/export_with_secret.golden"),
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
cmd := cmdTestCase{
args: tt.args,
assert: tt.assertFunc,
}
cmd.runTestCmd(t)
})
}
}

40
cmd/flux/delete_source_oci.go
Unescape Escape View File

@ -0,0 +1,40 @@
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"github.com/spf13/cobra"
sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
)
var deleteSourceOCIRepositoryCmd = &cobra.Command{
Use: "oci [name]",
Short: "Delete an OCIRepository source",
Long: "The delete source oci command deletes the given OCIRepository from the cluster.",
Example: ` # Delete an OCIRepository
flux delete source oci podinfo`,
ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.OCIRepositoryKind)),
RunE: deleteCommand{
apiType: ociRepositoryType,
object: universalAdapter{&sourcev1.OCIRepository{}},
}.run,
}
func init() {
deleteSourceCmd.AddCommand(deleteSourceOCIRepositoryCmd)
}

92
cmd/flux/export_source_oci.go
Unescape Escape View File

@ -0,0 +1,92 @@
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"github.com/spf13/cobra"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
)
var exportSourceOCIRepositoryCmd = &cobra.Command{
Use: "oci [name]",
Short: "Export OCIRepository sources in YAML format",
Long: "The export source oci command exports one or all OCIRepository sources in YAML format.",
Example: ` # Export all OCIRepository sources
flux export source oci --all > sources.yaml
# Export a OCIRepository including the static credentials
flux export source oci my-app --with-credentials > source.yaml`,
ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.OCIRepositoryKind)),
RunE: exportWithSecretCommand{
list: ociRepositoryListAdapter{&sourcev1.OCIRepositoryList{}},
object: ociRepositoryAdapter{&sourcev1.OCIRepository{}},
}.run,
}
func init() {
exportSourceCmd.AddCommand(exportSourceOCIRepositoryCmd)
}
func exportOCIRepository(source *sourcev1.OCIRepository) interface{} {
gvk := sourcev1.GroupVersion.WithKind(sourcev1.OCIRepositoryKind)
export := sourcev1.OCIRepository{
TypeMeta: metav1.TypeMeta{
Kind: gvk.Kind,
APIVersion: gvk.GroupVersion().String(),
},
ObjectMeta: metav1.ObjectMeta{
Name: source.Name,
Namespace: source.Namespace,
Labels: source.Labels,
Annotations: source.Annotations,
},
Spec: source.Spec,
}
return export
}
func getOCIRepositorySecret(source *sourcev1.OCIRepository) *types.NamespacedName {
if source.Spec.SecretRef != nil {
namespacedName := types.NamespacedName{
Namespace: source.Namespace,
Name: source.Spec.SecretRef.Name,
}
return &namespacedName
}
return nil
}
func (ex ociRepositoryAdapter) secret() *types.NamespacedName {
return getOCIRepositorySecret(ex.OCIRepository)
}
func (ex ociRepositoryListAdapter) secretItem(i int) *types.NamespacedName {
return getOCIRepositorySecret(&ex.OCIRepositoryList.Items[i])
}
func (ex ociRepositoryAdapter) export() interface{} {
return exportOCIRepository(ex.OCIRepository)
}
func (ex ociRepositoryListAdapter) exportItem(i int) interface{} {
return exportOCIRepository(&ex.OCIRepositoryList.Items[i])
}

4
cmd/flux/get_source_all.go
Unescape Escape View File

@ -40,6 +40,10 @@ var getSourceAllCmd = &cobra.Command{
}
var allSourceCmd = []getCommand{
{
apiType: ociRepositoryType,
list: &ociRepositoryListAdapter{&sourcev1.OCIRepositoryList{}},
},
{
apiType: bucketType,
list: &bucketListAdapter{&sourcev1.BucketList{}},

98
cmd/flux/get_source_oci.go
Unescape Escape View File

@ -0,0 +1,98 @@
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"fmt"
"strconv"
"strings"
"github.com/spf13/cobra"
"k8s.io/apimachinery/pkg/runtime"
sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
)
var getSourceOCIRepositoryCmd = &cobra.Command{
Use: "oci",
Short: "Get OCIRepository status",
Long: "The get sources oci command prints the status of the OCIRepository sources.",
Example: ` # List all OCIRepositories and their status
flux get sources oci
# List OCIRepositories from all namespaces
flux get sources oci --all-namespaces`,
ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.OCIRepositoryKind)),
RunE: func(cmd *cobra.Command, args []string) error {
get := getCommand{
apiType: ociRepositoryType,
list: &ociRepositoryListAdapter{&sourcev1.OCIRepositoryList{}},
funcMap: make(typeMap),
}
err := get.funcMap.registerCommand(get.apiType.kind, func(obj runtime.Object) (summarisable, error) {
o, ok := obj.(*sourcev1.OCIRepository)
if !ok {
return nil, fmt.Errorf("impossible to cast type %#v to OCIRepository", obj)
}
sink := &ociRepositoryListAdapter{&sourcev1.OCIRepositoryList{
Items: []sourcev1.OCIRepository{
*o,
}}}
return sink, nil
})
if err != nil {
return err
}
if err := get.run(cmd, args); err != nil {
return err
}
return nil
},
}
func init() {
getSourceCmd.AddCommand(getSourceOCIRepositoryCmd)
}
func (a *ociRepositoryListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
item := a.Items[i]
var revision string
if item.GetArtifact() != nil {
revision = item.GetArtifact().Revision
}
status, msg := statusAndMessage(item.Status.Conditions)
return append(nameColumns(&item, includeNamespace, includeKind),
revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)), status, msg)
}
func (a ociRepositoryListAdapter) headers(includeNamespace bool) []string {
headers := []string{"Name", "Revision", "Suspended", "Ready", "Message"}
if includeNamespace {
headers = append([]string{"Namespace"}, headers...)
}
return headers
}
func (a ociRepositoryListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
item := a.Items[i]
return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
}

16
cmd/flux/image_test.go
Unescape Escape View File

@ -1,6 +1,22 @@
//go:build e2e
// +build e2e
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import "testing"

31
cmd/flux/list.go
Unescape Escape View File

@ -0,0 +1,31 @@
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"github.com/spf13/cobra"
)
var listCmd = &cobra.Command{
Use: "list",
Short: "List artifacts",
Long: "The list command is used for printing the OCI artifacts metadata.",
}
func init() {
rootCmd.AddCommand(listCmd)
}

76
cmd/flux/list_artifact.go
Unescape Escape View File

@ -0,0 +1,76 @@
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"context"
"fmt"
"github.com/spf13/cobra"
oci "github.com/fluxcd/pkg/oci/client"
"github.com/fluxcd/flux2/pkg/printers"
)
var listArtifactsCmd = &cobra.Command{
Use: "artifacts",
Short: "list artifacts",
Long: `The list command fetches the tags and their metadata from a remote OCI repository.
The command uses the credentials from '~/.docker/config.json'.`,
Example: ` # List the artifacts stored in an OCI repository
flux list artifact oci://ghcr.io/org/config/app
`,
RunE: listArtifactsCmdRun,
}
func init() {
listCmd.AddCommand(listArtifactsCmd)
}
func listArtifactsCmdRun(cmd *cobra.Command, args []string) error {
if len(args) < 1 {
return fmt.Errorf("artifact repository URL is required")
}
ociURL := args[0]
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
defer cancel()
ociClient := oci.NewLocalClient()
url, err := oci.ParseArtifactURL(ociURL)
if err != nil {
return err
}
metas, err := ociClient.List(ctx, url)
if err != nil {
return err
}
var rows [][]string
for _, meta := range metas {
rows = append(rows, []string{meta.URL, meta.Digest, meta.Source, meta.Revision})
}
err = printers.TablePrinter([]string{"artifact", "digest", "source", "revision"}).Print(cmd.OutOrStdout(), rows)
if err != nil {
return err
}
return nil
}

4
cmd/flux/main_test.go
Unescape Escape View File

@ -387,7 +387,11 @@ func resetCmdArgs() {
createArgs = createFlags{}
getArgs = GetFlags{}
sourceHelmArgs = sourceHelmFlags{}
sourceOCIRepositoryArgs = sourceOCIRepositoryFlags{}
sourceGitArgs = sourceGitFlags{}
sourceBucketArgs = sourceBucketFlags{}
secretGitArgs = NewSecretGitFlags()
*kubeconfigArgs.Namespace = rootArgs.defaults.Namespace
}
func isChangeError(err error) bool {

31
cmd/flux/pull.go
Unescape Escape View File

@ -0,0 +1,31 @@
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"github.com/spf13/cobra"
)
var pullCmd = &cobra.Command{
Use: "pull",
Short: "Pull artifacts",
Long: "The pull command is used to download OCI artifacts.",
}
func init() {
rootCmd.AddCommand(pullCmd)
}

87
cmd/flux/pull_artifact.go
Unescape Escape View File

@ -0,0 +1,87 @@
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"context"
"fmt"
"os"
"github.com/spf13/cobra"
oci "github.com/fluxcd/pkg/oci/client"
)
var pullArtifactCmd = &cobra.Command{
Use: "artifact",
Short: "Pull artifact",
Long: `The pull artifact command downloads and extracts the OCI artifact content to the given path.
The pull command uses the credentials from '~/.docker/config.json'.`,
Example: ` # Pull an OCI artifact created by flux from GHCR
flux pull artifact oci://ghcr.io/org/manifests/app:v0.0.1 --output ./path/to/local/manifests
`,
RunE: pullArtifactCmdRun,
}
type pullArtifactFlags struct {
output string
}
var pullArtifactArgs pullArtifactFlags
func init() {
pullArtifactCmd.Flags().StringVarP(&pullArtifactArgs.output, "output", "o", "", "path where the artifact content should be extracted.")
pullCmd.AddCommand(pullArtifactCmd)
}
func pullArtifactCmdRun(cmd *cobra.Command, args []string) error {
if len(args) < 1 {
return fmt.Errorf("artifact URL is required")
}
ociURL := args[0]
if pullArtifactArgs.output == "" {
return fmt.Errorf("invalid output path %s", pullArtifactArgs.output)
}
if fs, err := os.Stat(pullArtifactArgs.output); err != nil || !fs.IsDir() {
return fmt.Errorf("invalid output path %s", pullArtifactArgs.output)
}
ociClient := oci.NewLocalClient()
url, err := oci.ParseArtifactURL(ociURL)
if err != nil {
return err
}
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
defer cancel()
logger.Actionf("pulling artifact from %s", url)
meta, err := ociClient.Pull(ctx, url, pullArtifactArgs.output)
if err != nil {
return err
}
logger.Successf("source %s", meta.Source)
logger.Successf("revision %s", meta.Revision)
logger.Successf("digest %s", meta.Digest)
logger.Successf("artifact content extracted to %s", pullArtifactArgs.output)
return nil
}

31
cmd/flux/push.go
Unescape Escape View File

@ -0,0 +1,31 @@
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"github.com/spf13/cobra"
)
var pushCmd = &cobra.Command{
Use: "push",
Short: "Push artifacts",
Long: "The push command is used to publish OCI artifacts.",
}
func init() {
rootCmd.AddCommand(pushCmd)
}

113
cmd/flux/push_artifact.go
Unescape Escape View File

@ -0,0 +1,113 @@
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"context"
"fmt"
"os"
"github.com/spf13/cobra"
oci "github.com/fluxcd/pkg/oci/client"
)
var pushArtifactCmd = &cobra.Command{
Use: "artifact",
Short: "Push artifact",
Long: `The push artifact command creates a tarball from the given directory and uploads the artifact to an OCI repository.
The command uses the credentials from '~/.docker/config.json'.`,
Example: ` # Push manifests to GHCR using the short Git SHA as the OCI artifact tag
echo $GITHUB_PAT | docker login ghcr.io --username flux --password-stdin
flux push artifact oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) \
--path="./path/to/local/manifests" \
--source="$(git config --get remote.origin.url)" \
--revision="$(git branch --show-current)/$(git rev-parse HEAD)"
# Push manifests to Docker Hub using the Git tag as the OCI artifact tag
echo $DOCKER_PAT | docker login --username flux --password-stdin
flux push artifact oci://docker.io/org/app-config:$(git tag --points-at HEAD) \
--path="./path/to/local/manifests" \
--source="$(git config --get remote.origin.url)" \
--revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)"
`,
RunE: pushArtifactCmdRun,
}
type pushArtifactFlags struct {
path string
source string
revision string
}
var pushArtifactArgs pushArtifactFlags
func init() {
pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.path, "path", "", "path to the directory where the Kubernetes manifests are located")
pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.source, "source", "", "the source address, e.g. the Git URL")
pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.revision, "revision", "", "the source revision in the format '<branch|tag>/<commit-sha>'")
pushCmd.AddCommand(pushArtifactCmd)
}
func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
if len(args) < 1 {
return fmt.Errorf("artifact URL is required")
}
ociURL := args[0]
if pushArtifactArgs.source == "" {
return fmt.Errorf("--source is required")
}
if pushArtifactArgs.revision == "" {
return fmt.Errorf("--revision is required")
}
if pushArtifactArgs.path == "" {
return fmt.Errorf("invalid path %q", pushArtifactArgs.path)
}
ociClient := oci.NewLocalClient()
url, err := oci.ParseArtifactURL(ociURL)
if err != nil {
return err
}
if fs, err := os.Stat(pushArtifactArgs.path); err != nil || !fs.IsDir() {
return fmt.Errorf("invalid path %q", pushArtifactArgs.path)
}
meta := oci.Metadata{
Source: pushArtifactArgs.source,
Revision: pushArtifactArgs.revision,
}
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
defer cancel()
logger.Actionf("pushing artifact to %s", url)
digest, err := ociClient.Push(ctx, url, pushArtifactArgs.path, meta)
if err != nil {
return fmt.Errorf("pushing artifact failed: %w", err)
}
logger.Successf("artifact successfully pushed to %s", digest)
return nil
}

5
cmd/flux/reconcile_kustomization.go
Unescape Escape View File

@ -65,6 +65,11 @@ func (obj kustomizationAdapter) reconcileSource() bool {
func (obj kustomizationAdapter) getSource() (reconcileCommand, types.NamespacedName) {
var cmd reconcileCommand
switch obj.Spec.SourceRef.Kind {
case sourcev1.OCIRepositoryKind:
cmd = reconcileCommand{
apiType: ociRepositoryType,
object: ociRepositoryAdapter{&sourcev1.OCIRepository{}},
}
case sourcev1.GitRepositoryKind:
cmd = reconcileCommand{
apiType: gitRepositoryType,

50
cmd/flux/reconcile_source_oci.go
Unescape Escape View File

@ -0,0 +1,50 @@
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"fmt"
"github.com/spf13/cobra"
sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
)
var reconcileSourceOCIRepositoryCmd = &cobra.Command{
Use: "oci [name]",
Short: "Reconcile an OCIRepository",
Long: `The reconcile source command triggers a reconciliation of an OCIRepository resource and waits for it to finish.`,
Example: ` # Trigger a reconciliation for an existing source
flux reconcile source oci podinfo`,
ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.OCIRepositoryKind)),
RunE: reconcileCommand{
apiType: ociRepositoryType,
object: ociRepositoryAdapter{&sourcev1.OCIRepository{}},
}.run,
}
func init() {
reconcileSourceCmd.AddCommand(reconcileSourceOCIRepositoryCmd)
}
func (obj ociRepositoryAdapter) lastHandledReconcileRequest() string {
return obj.Status.GetLastHandledReconcileRequest()
}
func (obj ociRepositoryAdapter) successMessage() string {
return fmt.Sprintf("fetched revision %s", obj.Status.Artifact.Revision)
}

53
cmd/flux/resume_source_oci.go
Unescape Escape View File

@ -0,0 +1,53 @@
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"github.com/spf13/cobra"
sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
)
var resumeSourceOCIRepositoryCmd = &cobra.Command{
Use: "oci [name]",
Short: "Resume a suspended OCIRepository",
Long: `The resume command marks a previously suspended OCIRepository resource for reconciliation and waits for it to finish.`,
Example: ` # Resume reconciliation for an existing OCIRepository
flux resume source oci podinfo`,
ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.OCIRepositoryKind)),
RunE: resumeCommand{
apiType: ociRepositoryType,
object: ociRepositoryAdapter{&sourcev1.OCIRepository{}},
list: ociRepositoryListAdapter{&sourcev1.OCIRepositoryList{}},
}.run,
}
func init() {
resumeSourceCmd.AddCommand(resumeSourceOCIRepositoryCmd)
}
func (obj ociRepositoryAdapter) getObservedGeneration() int64 {
return obj.OCIRepository.Status.ObservedGeneration
}
func (obj ociRepositoryAdapter) setUnsuspended() {
obj.OCIRepository.Spec.Suspend = false
}
func (a ociRepositoryListAdapter) resumeItem(i int) resumable {
return &ociRepositoryAdapter{&a.OCIRepositoryList.Items[i]}
}

34
cmd/flux/source.go
Unescape Escape View File

@ -26,6 +26,40 @@ import (
// the various commands. The *List adapters implement len(), since
// it's used in at least a couple of commands.
// sourcev1.ociRepository
var ociRepositoryType = apiType{
kind: sourcev1.OCIRepositoryKind,
humanKind: "source oci",
groupVersion: sourcev1.GroupVersion,
}
type ociRepositoryAdapter struct {
*sourcev1.OCIRepository
}
func (a ociRepositoryAdapter) asClientObject() client.Object {
return a.OCIRepository
}
func (a ociRepositoryAdapter) deepCopyClientObject() client.Object {
return a.OCIRepository.DeepCopy()
}
// sourcev1.OCIRepositoryList
type ociRepositoryListAdapter struct {
*sourcev1.OCIRepositoryList
}
func (a ociRepositoryListAdapter) asClientList() client.ObjectList {
return a.OCIRepositoryList
}
func (a ociRepositoryListAdapter) len() int {
return len(a.OCIRepositoryList.Items)
}
// sourcev1.Bucket
var bucketType = apiType{

71
cmd/flux/source_oci_test.go
Unescape Escape View File

@ -0,0 +1,71 @@
//go:build e2e
// +build e2e
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"testing"
)
func TestSourceOCI(t *testing.T) {
cases := []struct {
args string
goldenFile string
}{
{
"create source oci thrfg --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.1.6 --interval 10m",
"testdata/oci/create_source_oci.golden",
},
{
"get source oci thrfg",
"testdata/oci/get_oci.golden",
},
{
"reconcile source oci thrfg",
"testdata/oci/reconcile_oci.golden",
},
{
"suspend source oci thrfg",
"testdata/oci/suspend_oci.golden",
},
{
"resume source oci thrfg",
"testdata/oci/resume_oci.golden",
},
{
"delete source oci thrfg --silent",
"testdata/oci/delete_oci.golden",
},
}
namespace := allocateNamespace("oci-test")
del, err := setupTestNamespace(namespace)
if err != nil {
t.Fatal(err)
}
defer del()
for _, tc := range cases {
cmd := cmdTestCase{
args: tc.args + " -n=" + namespace,
assert: assertGoldenTemplateFile(tc.goldenFile, map[string]string{"ns": namespace}),
}
cmd.runTestCmd(t)
}
}

53
cmd/flux/suspend_source_oci.go
Unescape Escape View File

@ -0,0 +1,53 @@
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"github.com/spf13/cobra"
sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
)
var suspendSourceOCIRepositoryCmd = &cobra.Command{
Use: "oci [name]",
Short: "Suspend reconciliation of an OCIRepository",
Long: "The suspend command disables the reconciliation of an OCIRepository resource.",
Example: ` # Suspend reconciliation for an existing OCIRepository
flux suspend source oci podinfo`,
ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.OCIRepositoryKind)),
RunE: suspendCommand{
apiType: ociRepositoryType,
object: ociRepositoryAdapter{&sourcev1.OCIRepository{}},
list: ociRepositoryListAdapter{&sourcev1.OCIRepositoryList{}},
}.run,
}
func init() {
suspendSourceCmd.AddCommand(suspendSourceOCIRepositoryCmd)
}
func (obj ociRepositoryAdapter) isSuspended() bool {
return obj.OCIRepository.Spec.Suspend
}
func (obj ociRepositoryAdapter) setSuspended() {
obj.OCIRepository.Spec.Suspend = true
}
func (a ociRepositoryListAdapter) item(i int) suspendable {
return &ociRepositoryAdapter{&a.OCIRepositoryList.Items[i]}
}

31
cmd/flux/tag.go
Unescape Escape View File

@ -0,0 +1,31 @@
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"github.com/spf13/cobra"
)
var tagCmd = &cobra.Command{
Use: "tag",
Short: "Tag artifacts",
Long: "The tag command is used to tag OCI artifacts.",
}
func init() {
rootCmd.AddCommand(tagCmd)
}

82
cmd/flux/tag_artifact.go
Unescape Escape View File

@ -0,0 +1,82 @@
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"context"
"fmt"
"github.com/spf13/cobra"
oci "github.com/fluxcd/pkg/oci/client"
)
var tagArtifactCmd = &cobra.Command{
Use: "artifact",
Short: "Tag artifact",
Long: `The tag artifact command creates tags for the given OCI artifact.
The command uses the credentials from '~/.docker/config.json'.`,
Example: ` # Tag an artifact version as latest
flux tag artifact oci://ghcr.io/org/manifests/app:v0.0.1 --tag latest
`,
RunE: tagArtifactCmdRun,
}
type tagArtifactFlags struct {
tags []string
}
var tagArtifactArgs tagArtifactFlags
func init() {
tagArtifactCmd.Flags().StringSliceVar(&tagArtifactArgs.tags, "tag", nil, "tag name")
tagCmd.AddCommand(tagArtifactCmd)
}
func tagArtifactCmdRun(cmd *cobra.Command, args []string) error {
if len(args) < 1 {
return fmt.Errorf("artifact name is required")
}
ociURL := args[0]
if len(tagArtifactArgs.tags) < 1 {
return fmt.Errorf("--tag is required")
}
ociClient := oci.NewLocalClient()
url, err := oci.ParseArtifactURL(ociURL)
if err != nil {
return err
}
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
defer cancel()
logger.Actionf("tagging artifact")
for _, tag := range tagArtifactArgs.tags {
img, err := ociClient.Tag(ctx, url, tag)
if err != nil {
return fmt.Errorf("tagging artifact failed: %w", err)
}
logger.Successf("artifact tagged as %s", img)
}
return nil
}

10
cmd/flux/testdata/create_secret/oci/create-secret.yaml vendored
Unescape Escape View File

@ -0,0 +1,10 @@
---
apiVersion: v1
kind: Secret
metadata:
name: ghcr
namespace: my-namespace
stringData:
.dockerconfigjson: '{"auths":{"ghcr.io":{"username":"stefanprodan","password":"password","auth":"c3RlZmFucHJvZGFuOnBhc3N3b3Jk"}}}'
type: kubernetes.io/dockerconfigjson

5
cmd/flux/testdata/oci/create_source_oci.golden vendored
Unescape Escape View File

@ -0,0 +1,5 @@
► applying OCIRepository
✔ OCIRepository created
◎ waiting for OCIRepository reconciliation
✔ OCIRepository reconciliation completed
✔ fetched revision: dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3

2
cmd/flux/testdata/oci/delete_oci.golden vendored
Unescape Escape View File

@ -0,0 +1,2 @@
► deleting source oci thrfg in {{ .ns }} namespace
✔ source oci deleted

12
cmd/flux/testdata/oci/export.golden vendored
Unescape Escape View File

@ -0,0 +1,12 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
name: podinfo
namespace: flux-system
spec:
interval: 10m0s
ref:
tag: 6.1.6
url: oci://ghcr.io/stefanprodan/manifests/podinfo

14
cmd/flux/testdata/oci/export_with_secret.golden vendored
Unescape Escape View File

@ -0,0 +1,14 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
name: podinfo
namespace: flux-system
spec:
interval: 10m0s
ref:
tag: 6.1.6
secretRef:
name: creds
url: oci://ghcr.io/stefanprodan/manifests/podinfo

2
cmd/flux/testdata/oci/get_oci.golden vendored
Unescape Escape View File

@ -0,0 +1,2 @@
NAME REVISION SUSPENDED READY MESSAGE
thrfg dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3 False True stored artifact for digest 'dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3'

4
cmd/flux/testdata/oci/reconcile_oci.golden vendored
Unescape Escape View File

@ -0,0 +1,4 @@
► annotating OCIRepository thrfg in {{ .ns }} namespace
✔ OCIRepository annotated
◎ waiting for OCIRepository reconciliation
✔ fetched revision dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3

5
cmd/flux/testdata/oci/resume_oci.golden vendored
Unescape Escape View File

@ -0,0 +1,5 @@
► resuming source oci thrfg in {{ .ns }} namespace
✔ source oci resumed
◎ waiting for OCIRepository reconciliation
✔ OCIRepository reconciliation completed
✔ fetched revision dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3

2
cmd/flux/testdata/oci/suspend_oci.golden vendored
Unescape Escape View File

@ -0,0 +1,2 @@
► suspending source oci thrfg in {{ .ns }} namespace
✔ source oci suspended

21
cmd/flux/testdata/trace/helmrelease-oci.golden vendored
Unescape Escape View File

@ -0,0 +1,21 @@
Object: HelmRelease/podinfo
Namespace: {{ .ns }}
Status: Managed by Flux
---
Kustomization: infrastructure
Namespace: {{ .fluxns }}
Path: ./infrastructure
Revision: main/696f056df216eea4f9401adbee0ff744d4df390f
Status: Last reconciled at {{ .kustomizationLastReconcile }}
Message: Applied revision: main/696f056df216eea4f9401adbee0ff744d4df390f
---
OCIRepository: flux-system
Namespace: {{ .fluxns }}
URL: oci://ghcr.io/example/repo
Tag: 1.2.3
Revision: dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3
Origin Revision: 6.1.6/450796ddb2ab6724ee1cc32a4be56da032d1cca0
Origin Source: https://github.com/stefanprodan/podinfo.git
Status: Last reconciled at {{ .ociRepositoryLastReconcile }}
Message: stored artifact for digest 'dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3'

92
cmd/flux/testdata/trace/helmrelease-oci.yaml vendored
Unescape Escape View File

@ -0,0 +1,92 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: {{ .fluxns }}
---
apiVersion: v1
kind: Namespace
metadata:
name: {{ .ns }}
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
labels:
kustomize.toolkit.fluxcd.io/name: infrastructure
kustomize.toolkit.fluxcd.io/namespace: {{ .fluxns }}
name: podinfo
namespace: {{ .ns }}
spec:
chart:
spec:
chart: podinfo
sourceRef:
kind: HelmRepository
name: podinfo
namespace: {{ .fluxns }}
interval: 5m
status:
conditions:
- lastTransitionTime: "2021-07-16T15:42:20Z"
message: Release reconciliation succeeded
reason: ReconciliationSucceeded
status: "True"
type: Ready
helmChart: {{ .fluxns }}/podinfo-podinfo
lastAppliedRevision: 6.0.0
lastAttemptedRevision: 6.0.0
lastAttemptedValuesChecksum: c31db75d05b7515eba2eef47bd71038c74b2e531
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: infrastructure
namespace: {{ .fluxns }}
spec:
path: ./infrastructure
sourceRef:
kind: OCIRepository
name: flux-system
validation: client
interval: 5m
prune: false
status:
conditions:
- lastTransitionTime: "2021-08-01T04:52:56Z"
message: 'Applied revision: main/696f056df216eea4f9401adbee0ff744d4df390f'
reason: ReconciliationSucceeded
status: "True"
type: Ready
lastAppliedRevision: main/696f056df216eea4f9401adbee0ff744d4df390f
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
labels:
kustomize.toolkit.fluxcd.io/name: flux-system
kustomize.toolkit.fluxcd.io/namespace: {{ .fluxns }}
name: flux-system
namespace: {{ .fluxns }}
spec:
interval: 10m0s
provider: generic
ref:
tag: 1.2.3
timeout: 60s
url: oci://ghcr.io/example/repo
status:
artifact:
lastUpdateTime: "2022-08-10T10:07:59Z"
metadata:
org.opencontainers.image.revision: 6.1.6/450796ddb2ab6724ee1cc32a4be56da032d1cca0
org.opencontainers.image.source: https://github.com/stefanprodan/podinfo.git
path: "example"
revision: dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3
url: "example"
conditions:
- lastTransitionTime: "2021-07-20T00:48:16Z"
message: "stored artifact for digest 'dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3'"
reason: Succeed
status: "True"
type: Ready

81
cmd/flux/trace.go
Unescape Escape View File

@ -37,6 +37,7 @@ import (
helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
fluxmeta "github.com/fluxcd/pkg/apis/meta"
"github.com/fluxcd/pkg/oci"
sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
)
@ -219,10 +220,12 @@ func traceKustomization(ctx context.Context, kubeClient client.Client, ksName ty
}
ksReady := meta.FindStatusCondition(ks.Status.Conditions, fluxmeta.ReadyCondition)
var ksRepository *sourcev1.GitRepository
var gitRepository *sourcev1.GitRepository
var ociRepository *sourcev1.OCIRepository
var ksRepositoryReady *metav1.Condition
if ks.Spec.SourceRef.Kind == sourcev1.GitRepositoryKind {
ksRepository = &sourcev1.GitRepository{}
switch ks.Spec.SourceRef.Kind {
case sourcev1.GitRepositoryKind:
gitRepository = &sourcev1.GitRepository{}
sourceNamespace := ks.Namespace
if ks.Spec.SourceRef.Namespace != "" {
sourceNamespace = ks.Spec.SourceRef.Namespace
@ -230,11 +233,25 @@ func traceKustomization(ctx context.Context, kubeClient client.Client, ksName ty
err = kubeClient.Get(ctx, types.NamespacedName{
Namespace: sourceNamespace,
Name: ks.Spec.SourceRef.Name,
}, ksRepository)
}, gitRepository)
if err != nil {
return "", fmt.Errorf("failed to find GitRepository: %w", err)
}
ksRepositoryReady = meta.FindStatusCondition(ksRepository.Status.Conditions, fluxmeta.ReadyCondition)
ksRepositoryReady = meta.FindStatusCondition(gitRepository.Status.Conditions, fluxmeta.ReadyCondition)
case sourcev1.OCIRepositoryKind:
ociRepository = &sourcev1.OCIRepository{}
sourceNamespace := ks.Namespace
if ks.Spec.SourceRef.Namespace != "" {
sourceNamespace = ks.Spec.SourceRef.Namespace
}
err = kubeClient.Get(ctx, types.NamespacedName{
Namespace: sourceNamespace,
Name: ks.Spec.SourceRef.Name,
}, ociRepository)
if err != nil {
return "", fmt.Errorf("failed to find OCIRepository: %w", err)
}
ksRepositoryReady = meta.FindStatusCondition(ociRepository.Status.Conditions, fluxmeta.ReadyCondition)
}
var traceTmpl = `
@ -276,13 +293,47 @@ Branch: {{.GitRepository.Spec.Reference.Branch}}
{{- if .GitRepository.Status.Artifact }}
Revision: {{.GitRepository.Status.Artifact.Revision}}
{{- end }}
{{- if .GitRepositoryReady }}
{{- if eq .GitRepositoryReady.Status "False" }}
Status: Last reconciliation failed at {{.GitRepositoryReady.LastTransitionTime}}
{{- if .RepositoryReady }}
{{- if eq .RepositoryReady.Status "False" }}
Status: Last reconciliation failed at {{.RepositoryReady.LastTransitionTime}}
{{- else }}
Status: Last reconciled at {{.GitRepositoryReady.LastTransitionTime}}
Status: Last reconciled at {{.RepositoryReady.LastTransitionTime}}
{{- end }}
Message: {{.GitRepositoryReady.Message}}
Message: {{.RepositoryReady.Message}}
{{- else }}
Status: Unknown
{{- end }}
{{- end }}
{{- if .OCIRepository }}
---
OCIRepository: {{.OCIRepository.Name}}
Namespace: {{.OCIRepository.Namespace}}
URL: {{.OCIRepository.Spec.URL}}
{{- if .OCIRepository.Spec.Reference }}
{{- if .OCIRepository.Spec.Reference.Tag }}
Tag: {{.OCIRepository.Spec.Reference.Tag}}
{{- else if .OCIRepository.Spec.Reference.SemVer }}
Tag: {{.OCIRepository.Spec.Reference.SemVer}}
{{- else if .OCIRepository.Spec.Reference.Digest }}
Digest: {{.OCIRepository.Spec.Reference.Digest}}
{{- end }}
{{- end }}
{{- if .OCIRepository.Status.Artifact }}
Revision: {{.OCIRepository.Status.Artifact.Revision}}
{{- if .OCIRepository.Status.Artifact.Metadata }}
{{- $metadata := .OCIRepository.Status.Artifact.Metadata }}
{{- range $k, $v := .Annotations }}
{{ with (index $metadata $v) }}{{ $k }}{{ . }}{{ end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .RepositoryReady }}
{{- if eq .RepositoryReady.Status "False" }}
Status: Last reconciliation failed at {{.RepositoryReady.LastTransitionTime}}
{{- else }}
Status: Last reconciled at {{.RepositoryReady.LastTransitionTime}}
{{- end }}
Message: {{.RepositoryReady.Message}}
{{- else }}
Status: Unknown
{{- end }}
@ -295,14 +346,18 @@ Status: Unknown
Kustomization *kustomizev1.Kustomization
KustomizationReady *metav1.Condition
GitRepository *sourcev1.GitRepository
GitRepositoryReady *metav1.Condition
OCIRepository *sourcev1.OCIRepository
RepositoryReady *metav1.Condition
Annotations map[string]string
}{
ObjectName: obj.GetKind() + "/" + obj.GetName(),
ObjectNamespace: obj.GetNamespace(),
Kustomization: ks,
KustomizationReady: ksReady,
GitRepository: ksRepository,
GitRepositoryReady: ksRepositoryReady,
GitRepository: gitRepository,
OCIRepository: ociRepository,
RepositoryReady: ksRepositoryReady,
Annotations: map[string]string{"Origin Source: ": oci.SourceAnnotation, "Origin Revision: ": oci.RevisionAnnotation},
}
t, err := template.New("tmpl").Parse(traceTmpl)

12
cmd/flux/trace_test.go
Unescape Escape View File

@ -57,6 +57,18 @@ func TestTrace(t *testing.T) {
"gitRepositoryLastReconcile": toLocalTime(t, "2021-07-20T00:48:16Z"),
},
},
{
"HelmRelease from OCI registry",
"trace podinfo --kind HelmRelease --api-version=helm.toolkit.fluxcd.io/v2beta1",
"testdata/trace/helmrelease-oci.yaml",
"testdata/trace/helmrelease-oci.golden",
map[string]string{
"ns": allocateNamespace("podinfo"),
"fluxns": allocateNamespace("flux-system"),
"kustomizationLastReconcile": toLocalTime(t, "2021-08-01T04:52:56Z"),
"ociRepositoryLastReconcile": toLocalTime(t, "2021-07-20T00:48:16Z"),
},
},
}
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {

67
go.mod
Unescape Escape View File

@ -10,21 +10,22 @@ require (
github.com/fluxcd/helm-controller/api v0.22.2
github.com/fluxcd/image-automation-controller/api v0.23.5
github.com/fluxcd/image-reflector-controller/api v0.19.4
github.com/fluxcd/kustomize-controller/api v0.26.3
github.com/fluxcd/notification-controller/api v0.24.1
github.com/fluxcd/kustomize-controller/api v0.27.0
github.com/fluxcd/notification-controller/api v0.25.0
github.com/fluxcd/pkg/apis/meta v0.14.2
github.com/fluxcd/pkg/kustomize v0.5.2
github.com/fluxcd/pkg/oci v0.3.0
github.com/fluxcd/pkg/runtime v0.16.2
github.com/fluxcd/pkg/ssa v0.17.0
github.com/fluxcd/pkg/ssh v0.5.0
github.com/fluxcd/pkg/untar v0.1.0
github.com/fluxcd/pkg/version v0.1.0
github.com/fluxcd/source-controller/api v0.25.11
github.com/fluxcd/source-controller/api v0.26.0
github.com/go-git/go-git/v5 v5.4.2
github.com/gonvenience/bunt v1.3.4
github.com/gonvenience/ytbx v1.4.4
github.com/google/go-cmp v0.5.8
github.com/google/go-containerregistry v0.9.0
github.com/google/go-containerregistry v0.10.0
github.com/hashicorp/go-multierror v1.1.1
github.com/homeport/dyff v1.5.4
github.com/lucasb-eyer/go-colorful v1.2.0
@ -37,16 +38,16 @@ require (
github.com/theckman/yacspin v0.13.12
golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e
golang.org/x/term v0.0.0-20220526004731-065cf7ba2467
k8s.io/api v0.24.1
k8s.io/apiextensions-apiserver v0.24.1
k8s.io/apimachinery v0.24.1
k8s.io/api v0.24.3
k8s.io/apiextensions-apiserver v0.24.3
k8s.io/apimachinery v0.24.3
k8s.io/cli-runtime v0.24.1
k8s.io/client-go v0.24.1
k8s.io/client-go v0.24.3
k8s.io/kubectl v0.24.1
sigs.k8s.io/cli-utils v0.31.2
sigs.k8s.io/cli-utils v0.32.0
sigs.k8s.io/controller-runtime v0.11.2
sigs.k8s.io/kustomize/api v0.11.5
sigs.k8s.io/kustomize/kyaml v0.13.7
sigs.k8s.io/kustomize/api v0.12.1
sigs.k8s.io/kustomize/kyaml v0.13.9
sigs.k8s.io/yaml v1.3.0
)
@ -57,41 +58,44 @@ require (
cloud.google.com/go v0.99.0 // indirect
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
github.com/Azure/go-autorest/autorest v0.11.18 // indirect
github.com/Azure/go-autorest/autorest/adal v0.9.13 // indirect
github.com/Azure/go-autorest/autorest v0.11.24 // indirect
github.com/Azure/go-autorest/autorest/adal v0.9.18 // indirect
github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
github.com/Azure/go-autorest/logger v0.2.1 // indirect
github.com/Azure/go-autorest/tracing v0.6.0 // indirect
github.com/BurntSushi/toml v1.0.0 // indirect
github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd // indirect
github.com/Microsoft/go-winio v0.5.2 // indirect
github.com/PuerkitoBio/purell v1.1.1 // indirect
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
github.com/acomagu/bufpipe v1.0.3 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/cespare/xxhash/v2 v2.1.2 // indirect
github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 // indirect
github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e // indirect
github.com/containerd/stargz-snapshotter/estargz v0.11.4 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/docker/cli v20.10.17+incompatible // indirect
github.com/docker/distribution v2.8.1+incompatible // indirect
github.com/docker/docker v20.10.17+incompatible // indirect
github.com/docker/docker-credential-helpers v0.6.4 // indirect
github.com/drone/envsubst/v2 v2.0.0-20210730161058-179042472c46 // indirect
github.com/emicklei/go-restful v2.9.5+incompatible // indirect
github.com/emicklei/go-restful v2.15.0+incompatible // indirect
github.com/emirpasic/gods v1.12.0 // indirect
github.com/evanphx/json-patch v4.12.0+incompatible // indirect
github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
github.com/fatih/color v1.13.0 // indirect
github.com/fluxcd/pkg/apis/acl v0.0.3 // indirect
github.com/fluxcd/pkg/apis/kustomize v0.4.2 // indirect
github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect
github.com/fsnotify/fsnotify v1.5.1 // indirect
github.com/go-errors/errors v1.0.1 // indirect
github.com/go-git/gcfg v1.5.0 // indirect
github.com/go-git/go-billy/v5 v5.3.1 // indirect
github.com/go-logr/logr v1.2.3 // indirect
github.com/go-openapi/jsonpointer v0.19.5 // indirect
github.com/go-openapi/jsonreference v0.19.5 // indirect
github.com/go-openapi/swag v0.19.14 // indirect
github.com/go-openapi/jsonreference v0.20.0 // indirect
github.com/go-openapi/swag v0.21.1 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-jwt/jwt/v4 v4.4.1 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/protobuf v1.5.2 // indirect
github.com/gonvenience/neat v1.3.10 // indirect
@ -99,7 +103,7 @@ require (
github.com/gonvenience/text v1.0.7 // indirect
github.com/gonvenience/wrap v1.1.1 // indirect
github.com/google/btree v1.0.1 // indirect
github.com/google/gnostic v0.5.7-v3refs // indirect
github.com/google/gnostic v0.6.9 // indirect
github.com/google/go-github/v42 v42.0.0 // indirect
github.com/google/go-querystring v1.1.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
@ -115,8 +119,9 @@ require (
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
github.com/klauspost/compress v1.15.4 // indirect
github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
github.com/mailru/easyjson v0.7.6 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/mattn/go-ciede2000 v0.0.0-20170301095244-782e8c62fec3 // indirect
github.com/mattn/go-colorable v0.1.12 // indirect
github.com/mattn/go-isatty v0.0.14 // indirect
@ -132,6 +137,8 @@ require (
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 // indirect
github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/prometheus/client_golang v1.12.1 // indirect
@ -139,19 +146,21 @@ require (
github.com/prometheus/common v0.32.1 // indirect
github.com/prometheus/procfs v0.7.3 // indirect
github.com/rivo/uniseg v0.2.0 // indirect
github.com/russross/blackfriday v1.5.2 // indirect
github.com/russross/blackfriday v1.6.0 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/sergi/go-diff v1.2.0 // indirect
github.com/sirupsen/logrus v1.9.0 // indirect
github.com/texttheater/golang-levenshtein v1.0.1 // indirect
github.com/vbatts/tar-split v0.11.2 // indirect
github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74 // indirect
github.com/xanzy/go-gitlab v0.58.0 // indirect
github.com/xanzy/ssh-agent v0.3.0 // indirect
github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca // indirect
github.com/xlab/treeprint v1.1.0 // indirect
go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
golang.org/x/net v0.0.0-20220520000938-2e3eb7b945c2 // indirect
golang.org/x/oauth2 v0.0.0-20220524215830-622c5d57e401 // indirect
golang.org/x/net v0.0.0-20220708220712-1185a9018129 // indirect
golang.org/x/oauth2 v0.0.0-20220718184931-c8730f7fcb92 // indirect
golang.org/x/sync v0.0.0-20220513210516-0976fa681c29 // indirect
golang.org/x/sys v0.0.0-20220513210249-45d2b4557a2a // indirect
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
golang.org/x/text v0.3.7 // indirect
golang.org/x/time v0.0.0-20220411224347-583f2d630306 // indirect
gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
@ -161,10 +170,10 @@ require (
gopkg.in/warnings.v0 v0.1.2 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/component-base v0.24.1 // indirect
k8s.io/component-base v0.24.3 // indirect
k8s.io/klog/v2 v2.60.1 // indirect
k8s.io/kube-openapi v0.0.0-20220401212409-b28bf2818661 // indirect
k8s.io/kube-openapi v0.0.0-20220413171646-5e7f5fdc6da6 // indirect
k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect
sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
sigs.k8s.io/json v0.0.0-20220525155127-227cbc7cc124 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
)

545
go.sum
View File

File diff suppressed because it is too large Load Diff

2
internal/flags/kustomization_source.go
Unescape Escape View File

@ -25,7 +25,7 @@ import (
"github.com/fluxcd/flux2/internal/utils"
)
var supportedKustomizationSourceKinds = []string{sourcev1.GitRepositoryKind, sourcev1.BucketKind}
var supportedKustomizationSourceKinds = []string{sourcev1.OCIRepositoryKind, sourcev1.GitRepositoryKind, sourcev1.BucketKind}
type KustomizationSource struct {
Kind string

7
internal/flags/source_bucket_provider.go
Unescape Escape View File

@ -24,7 +24,12 @@ import (
sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
)
var supportedSourceBucketProviders = []string{sourcev1.GenericBucketProvider, sourcev1.AmazonBucketProvider}
var supportedSourceBucketProviders = []string{
sourcev1.GenericBucketProvider,
sourcev1.AmazonBucketProvider,
sourcev1.AzureBucketProvider,
sourcev1.GoogleBucketProvider,
}
type SourceBucketProvider string

62
internal/flags/source_oci_provider.go
Unescape Escape View File

@ -0,0 +1,62 @@
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package flags
import (
"fmt"
"strings"
"github.com/fluxcd/flux2/internal/utils"
sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
)
var supportedSourceOCIProviders = []string{
sourcev1.GenericOCIProvider,
sourcev1.AmazonOCIProvider,
sourcev1.AzureOCIProvider,
sourcev1.GoogleOCIProvider,
}
type SourceOCIProvider string
func (p *SourceOCIProvider) String() string {
return string(*p)
}
func (p *SourceOCIProvider) Set(str string) error {
if strings.TrimSpace(str) == "" {
return fmt.Errorf("no source OCI provider given, please specify %s",
p.Description())
}
if !utils.ContainsItemString(supportedSourceOCIProviders, str) {
return fmt.Errorf("source OCI provider '%s' is not supported, must be one of: %v",
str, strings.Join(supportedSourceOCIProviders, ", "))
}
*p = SourceOCIProvider(str)
return nil
}
func (p *SourceOCIProvider) Type() string {
return "sourceOCIProvider"
}
func (p *SourceOCIProvider) Description() string {
return fmt.Sprintf(
"the OCI provider name, available options are: (%s)",
strings.Join(supportedSourceOCIProviders, ", "),
)
}

5
manifests/bases/kustomize-controller/kustomization.yaml
Unescape Escape View File

@ -1,8 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://github.com/fluxcd/kustomize-controller/releases/download/v0.26.3/kustomize-controller.crds.yaml
- https://github.com/fluxcd/kustomize-controller/releases/download/v0.26.3/kustomize-controller.deployment.yaml
- https://github.com/fluxcd/kustomize-controller/releases/download/v0.27.0/kustomize-controller.crds.yaml
- https://github.com/fluxcd/kustomize-controller/releases/download/v0.27.0/kustomize-controller.deployment.yaml
- account.yaml
patchesJson6902:
- target:
@ -11,3 +11,4 @@ patchesJson6902:
kind: Deployment
name: kustomize-controller
path: patch.yaml

4
manifests/bases/notification-controller/kustomization.yaml
Unescape Escape View File

@ -1,8 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://github.com/fluxcd/notification-controller/releases/download/v0.24.1/notification-controller.crds.yaml
- https://github.com/fluxcd/notification-controller/releases/download/v0.24.1/notification-controller.deployment.yaml
- https://github.com/fluxcd/notification-controller/releases/download/v0.25.0/notification-controller.crds.yaml
- https://github.com/fluxcd/notification-controller/releases/download/v0.25.0/notification-controller.deployment.yaml
- account.yaml
patchesJson6902:
- target:

5
manifests/bases/source-controller/kustomization.yaml
Unescape Escape View File

@ -1,8 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://github.com/fluxcd/source-controller/releases/download/v0.25.11/source-controller.crds.yaml
- https://github.com/fluxcd/source-controller/releases/download/v0.25.11/source-controller.deployment.yaml
- https://github.com/fluxcd/source-controller/releases/download/v0.26.0/source-controller.crds.yaml
- https://github.com/fluxcd/source-controller/releases/download/v0.26.0/source-controller.deployment.yaml
- account.yaml
patchesJson6902:
- target:
@ -11,3 +11,4 @@ patchesJson6902:
kind: Deployment
name: source-controller
path: patch.yaml

1
pkg/manifestgen/sourcesecret/options.go
Unescape Escape View File

@ -43,6 +43,7 @@ type Options struct {
Name string
Namespace string
Labels map[string]string
Registry string
SSHHostname string
PrivateKeyAlgorithm PrivateKeyAlgorithm
RSAKeyBits int

57
pkg/manifestgen/sourcesecret/sourcesecret.go
Unescape Escape View File

@ -18,6 +18,8 @@ package sourcesecret
import (
"bytes"
"encoding/base64"
"encoding/json"
"fmt"
"net"
"os"
@ -36,6 +38,27 @@ import (
const defaultSSHPort = 22
// types gotten from https://github.com/kubernetes/kubectl/blob/master/pkg/cmd/create/create_secret_docker.go#L64-L84
// DockerConfigJSON represents a local docker auth config file
// for pulling images.
type DockerConfigJSON struct {
Auths DockerConfig `json:"auths"`
}
// DockerConfig represents the config file used by the docker CLI.
// This config that represents the credentials that should be used
// when pulling images from specific image repositories.
type DockerConfig map[string]DockerConfigEntry
// DockerConfigEntry holds the user information that grant the access to docker registry
type DockerConfigEntry struct {
Username string `json:"username,omitempty"`
Password string `json:"password,omitempty"`
Email string `json:"email,omitempty"`
Auth string `json:"auth,omitempty"`
}
func Generate(options Options) (*manifestgen.Manifest, error) {
var err error
@ -77,7 +100,15 @@ func Generate(options Options) (*manifestgen.Manifest, error) {
}
}
secret := buildSecret(keypair, hostKey, caFile, certFile, keyFile, options)
var dockerCfgJson []byte
if options.Registry != "" {
dockerCfgJson, err = generateDockerConfigJson(options.Registry, options.Username, options.Password)
if err != nil {
return nil, fmt.Errorf("failed to generate json for docker config: %w", err)
}
}
secret := buildSecret(keypair, hostKey, caFile, certFile, keyFile, dockerCfgJson, options)
b, err := yaml.Marshal(secret)
if err != nil {
return nil, err
@ -89,7 +120,7 @@ func Generate(options Options) (*manifestgen.Manifest, error) {
}, nil
}
func buildSecret(keypair *ssh.KeyPair, hostKey, caFile, certFile, keyFile []byte, options Options) (secret corev1.Secret) {
func buildSecret(keypair *ssh.KeyPair, hostKey, caFile, certFile, keyFile, dockerCfg []byte, options Options) (secret corev1.Secret) {
secret.TypeMeta = metav1.TypeMeta{
APIVersion: "v1",
Kind: "Secret",
@ -101,6 +132,12 @@ func buildSecret(keypair *ssh.KeyPair, hostKey, caFile, certFile, keyFile []byte
secret.Labels = options.Labels
secret.StringData = map[string]string{}
if dockerCfg != nil {
secret.Type = corev1.SecretTypeDockerConfigJson
secret.StringData[corev1.DockerConfigJsonKey] = string(dockerCfg)
return
}
if options.Username != "" && options.Password != "" {
secret.StringData[UsernameSecretKey] = options.Username
secret.StringData[PasswordSecretKey] = options.Password
@ -189,3 +226,19 @@ func resourceToString(data []byte) string {
data = bytes.Replace(data, []byte("status: {}\n"), []byte(""), 1)
return string(data)
}
func generateDockerConfigJson(url, username, password string) ([]byte, error) {
cred := fmt.Sprintf("%s:%s", username, password)
auth := base64.StdEncoding.EncodeToString([]byte(cred))
cfg := DockerConfigJSON{
Auths: map[string]DockerConfigEntry{
url: {
Username: username,
Password: password,
Auth: auth,
},
},
}
return json.Marshal(cfg)
}

Write Preview
Loading…
Cancel
Save