Mirrors/flux2
1
0
Fork 0
mirror of synced 2026-03-04 12:16:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: Mirrors:ksm-dashboard
Branches Tags
Mirrors:main Mirrors:dependabot/go_modules/go.opentelemetry.io/otel/sdk-1.40.0 Mirrors:dependabot/github_actions/ci-ef60ad99c8 Mirrors:release/v2.8.x Mirrors:dependabot/go_modules/github.com/cloudflare/circl-1.6.3 Mirrors:dependabot/go_modules/tests/integration/github.com/cloudflare/circl-1.6.3 Mirrors:rfc-creds Mirrors:release/v2.7.x Mirrors:dependabot/go_modules/golang.org/x/crypto-0.45.0 Mirrors:dependabot/go_modules/tests/integration/golang.org/x/crypto-0.45.0 Mirrors:release/v2.6.x Mirrors:conform-k8s-1.33 Mirrors:release/v2.5.x Mirrors:release/v2.4.x Mirrors:remove-notation-validation Mirrors:release/v2.3.x Mirrors:release/v2.2.x Mirrors:RFC Mirrors:fix-commit-log Mirrors:flux-audit Mirrors:release/v2.1.x Mirrors:context-ns Mirrors:ksm-dashboard Mirrors:rfc-passwordless-git-auth Mirrors:release/v2.0.x Mirrors:rfc-gating Mirrors:release/v0.27.4 Mirrors:rfc-0003 Mirrors:rfc-0002 Mirrors:rfc-0001 Mirrors:prompt-for-tokens Mirrors:encrypt-init-cmd
Mirrors:v2.8.1 Mirrors:v2.8.0 Mirrors:v2.7.5 Mirrors:v2.7.4 Mirrors:v2.7.3 Mirrors:v2.7.2 Mirrors:v2.7.1 Mirrors:v2.7.0 Mirrors:v2.6.4 Mirrors:v2.6.3 Mirrors:v2.6.2 Mirrors:v2.6.1 Mirrors:v2.6.0 Mirrors:v2.5.1 Mirrors:v2.5.0 Mirrors:v2.4.0 Mirrors:v2.3.0 Mirrors:v2.2.3 Mirrors:v2.2.2 Mirrors:v2.2.1 Mirrors:v2.2.0 Mirrors:v2.1.2 Mirrors:v2.1.1 Mirrors:v2.1.0 Mirrors:v2.0.1 Mirrors:v2.0.0 Mirrors:v2.0.0-rc.5 Mirrors:v2.0.0-rc.4 Mirrors:v2.0.0-rc.3 Mirrors:v2.0.0-rc.2 Mirrors:v2.0.0-rc.1 Mirrors:v0.41.2 Mirrors:v0.41.1 Mirrors:v0.41.0 Mirrors:v0.40.2 Mirrors:v0.40.1 Mirrors:v0.40.0 Mirrors:v0.39.0 Mirrors:v0.38.3 Mirrors:v0.38.2 Mirrors:v0.38.1 Mirrors:v0.38.0 Mirrors:v0.37.0 Mirrors:v0.36.0 Mirrors:v0.35.0 Mirrors:v0.34.0 Mirrors:v0.33.0 Mirrors:v0.32.0 Mirrors:v0.31.5 Mirrors:v0.31.4 Mirrors:v0.31.3 Mirrors:v0.31.2 Mirrors:v0.31.1 Mirrors:v0.31.0 Mirrors:v0.30.2 Mirrors:v0.30.1 Mirrors:v0.30.0 Mirrors:v0.29.5 Mirrors:v0.29.4 Mirrors:v0.29.3 Mirrors:v0.29.2 Mirrors:v0.29.1 Mirrors:v0.29.0 Mirrors:v0.28.5 Mirrors:v0.28.4 Mirrors:v0.28.3 Mirrors:v0.28.2 Mirrors:v0.28.1 Mirrors:v0.28.0 Mirrors:v0.27.4 Mirrors:v0.27.3 Mirrors:v0.27.2 Mirrors:v0.27.1 Mirrors:v0.27.0 Mirrors:v0.26.3 Mirrors:v0.26.2 Mirrors:v0.26.1 Mirrors:v0.26.0 Mirrors:v0.25.3 Mirrors:v0.25.2 Mirrors:v0.25.1 Mirrors:v0.25.0 Mirrors:v0.24.1 Mirrors:v0.24.0 Mirrors:v0.23.0 Mirrors:v0.22.1 Mirrors:v0.22.0 Mirrors:v0.21.1 Mirrors:v0.21.0 Mirrors:v0.20.1 Mirrors:v0.20.0 Mirrors:v0.19.1 Mirrors:v0.19.0 Mirrors:v0.18.3 Mirrors:v0.18.2 Mirrors:v0.18.1 Mirrors:v0.18.0 Mirrors:v0.17.2 Mirrors:v0.17.1 Mirrors:v0.17.0 Mirrors:v0.16.2 Mirrors:v0.16.1 Mirrors:v0.16.0 Mirrors:v0.15.3 Mirrors:v0.15.2 Mirrors:v0.15.1 Mirrors:v0.15.0 Mirrors:v0.14.2 Mirrors:v0.14.1 Mirrors:v0.14.0 Mirrors:v0.13.4 Mirrors:v0.13.3 Mirrors:v0.13.2 Mirrors:v0.13.1 Mirrors:v0.13.0 Mirrors:v0.12.3 Mirrors:v0.12.2 Mirrors:v0.12.1 Mirrors:v0.12.0 Mirrors:v0.11.0 Mirrors:v0.10.0 Mirrors:v0.9.1 Mirrors:v0.9.0 Mirrors:v0.8.2 Mirrors:v0.8.1 Mirrors:v0.8.0 Mirrors:v0.7.7 Mirrors:v0.7.6 Mirrors:v0.7.5 Mirrors:v0.7.4 Mirrors:v0.7.3 Mirrors:v0.7.2 Mirrors:v0.7.1 Mirrors:v0.7.0 Mirrors:v0.6.3 Mirrors:v0.6.2 Mirrors:v0.6.1 Mirrors:v0.6.0 Mirrors:v0.5.9 Mirrors:v0.5.8 Mirrors:v0.5.7 Mirrors:v0.5.6 Mirrors:v0.5.5 Mirrors:v0.5.4 Mirrors:v0.5.3 Mirrors:v0.5.2 Mirrors:v0.5.1 Mirrors:v0.5.0 Mirrors:v0.4.3 Mirrors:v0.4.2 Mirrors:v0.4.1 Mirrors:v0.4.0 Mirrors:v0.3.0 Mirrors:v0.2.6 Mirrors:v0.2.5 Mirrors:v0.2.4 Mirrors:v0.2.3 Mirrors:v0.2.2 Mirrors:v0.2.1 Mirrors:v0.2.0 Mirrors:v0.1.8 Mirrors:v0.1.7 Mirrors:v0.1.6 Mirrors:v0.1.5 Mirrors:v0.1.4 Mirrors:v0.1.3 Mirrors:v0.1.2 Mirrors:v0.1.1 Mirrors:v0.1.0 Mirrors:v0.0.28 Mirrors:v0.0.27 Mirrors:v0.0.26 Mirrors:v0.0.25 Mirrors:v0.0.24 Mirrors:v0.0.23 Mirrors:v0.0.22 Mirrors:v0.0.21 Mirrors:v0.0.20 Mirrors:v0.0.19 Mirrors:v0.0.18 Mirrors:v0.0.17 Mirrors:v0.0.16 Mirrors:v0.0.15 Mirrors:v0.0.14 Mirrors:v0.0.13 Mirrors:v0.0.12 Mirrors:v0.0.11 Mirrors:v0.0.10 Mirrors:v0.0.9 Mirrors:v0.0.8 Mirrors:v0.0.7 Mirrors:v0.0.6 Mirrors:v0.0.5 Mirrors:v0.0.4 Mirrors:v0.0.3 Mirrors:v0.0.2 Mirrors:v0.0.1 Mirrors:v0.0.1-beta.4 Mirrors:v0.0.1-beta.3 Mirrors:v0.0.1-beta.2 Mirrors:v0.0.1-beta.1 Mirrors:v0.0.1-alpha.1
..
compare: Mirrors:rfc-passwordless-git-auth
Branches Tags
Mirrors:dependabot/go_modules/go.opentelemetry.io/otel/sdk-1.40.0 Mirrors:dependabot/github_actions/ci-ef60ad99c8 Mirrors:main Mirrors:release/v2.8.x Mirrors:dependabot/go_modules/github.com/cloudflare/circl-1.6.3 Mirrors:dependabot/go_modules/tests/integration/github.com/cloudflare/circl-1.6.3 Mirrors:rfc-creds Mirrors:release/v2.7.x Mirrors:dependabot/go_modules/golang.org/x/crypto-0.45.0 Mirrors:dependabot/go_modules/tests/integration/golang.org/x/crypto-0.45.0 Mirrors:release/v2.6.x Mirrors:conform-k8s-1.33 Mirrors:release/v2.5.x Mirrors:release/v2.4.x Mirrors:remove-notation-validation Mirrors:release/v2.3.x Mirrors:release/v2.2.x Mirrors:RFC Mirrors:fix-commit-log Mirrors:flux-audit Mirrors:release/v2.1.x Mirrors:context-ns Mirrors:ksm-dashboard Mirrors:rfc-passwordless-git-auth Mirrors:release/v2.0.x Mirrors:rfc-gating Mirrors:release/v0.27.4 Mirrors:rfc-0003 Mirrors:rfc-0002 Mirrors:rfc-0001 Mirrors:prompt-for-tokens Mirrors:encrypt-init-cmd
Mirrors:v2.8.1 Mirrors:v2.8.0 Mirrors:v2.7.5 Mirrors:v2.7.4 Mirrors:v2.7.3 Mirrors:v2.7.2 Mirrors:v2.7.1 Mirrors:v2.7.0 Mirrors:v2.6.4 Mirrors:v2.6.3 Mirrors:v2.6.2 Mirrors:v2.6.1 Mirrors:v2.6.0 Mirrors:v2.5.1 Mirrors:v2.5.0 Mirrors:v2.4.0 Mirrors:v2.3.0 Mirrors:v2.2.3 Mirrors:v2.2.2 Mirrors:v2.2.1 Mirrors:v2.2.0 Mirrors:v2.1.2 Mirrors:v2.1.1 Mirrors:v2.1.0 Mirrors:v2.0.1 Mirrors:v2.0.0 Mirrors:v2.0.0-rc.5 Mirrors:v2.0.0-rc.4 Mirrors:v2.0.0-rc.3 Mirrors:v2.0.0-rc.2 Mirrors:v2.0.0-rc.1 Mirrors:v0.41.2 Mirrors:v0.41.1 Mirrors:v0.41.0 Mirrors:v0.40.2 Mirrors:v0.40.1 Mirrors:v0.40.0 Mirrors:v0.39.0 Mirrors:v0.38.3 Mirrors:v0.38.2 Mirrors:v0.38.1 Mirrors:v0.38.0 Mirrors:v0.37.0 Mirrors:v0.36.0 Mirrors:v0.35.0 Mirrors:v0.34.0 Mirrors:v0.33.0 Mirrors:v0.32.0 Mirrors:v0.31.5 Mirrors:v0.31.4 Mirrors:v0.31.3 Mirrors:v0.31.2 Mirrors:v0.31.1 Mirrors:v0.31.0 Mirrors:v0.30.2 Mirrors:v0.30.1 Mirrors:v0.30.0 Mirrors:v0.29.5 Mirrors:v0.29.4 Mirrors:v0.29.3 Mirrors:v0.29.2 Mirrors:v0.29.1 Mirrors:v0.29.0 Mirrors:v0.28.5 Mirrors:v0.28.4 Mirrors:v0.28.3 Mirrors:v0.28.2 Mirrors:v0.28.1 Mirrors:v0.28.0 Mirrors:v0.27.4 Mirrors:v0.27.3 Mirrors:v0.27.2 Mirrors:v0.27.1 Mirrors:v0.27.0 Mirrors:v0.26.3 Mirrors:v0.26.2 Mirrors:v0.26.1 Mirrors:v0.26.0 Mirrors:v0.25.3 Mirrors:v0.25.2 Mirrors:v0.25.1 Mirrors:v0.25.0 Mirrors:v0.24.1 Mirrors:v0.24.0 Mirrors:v0.23.0 Mirrors:v0.22.1 Mirrors:v0.22.0 Mirrors:v0.21.1 Mirrors:v0.21.0 Mirrors:v0.20.1 Mirrors:v0.20.0 Mirrors:v0.19.1 Mirrors:v0.19.0 Mirrors:v0.18.3 Mirrors:v0.18.2 Mirrors:v0.18.1 Mirrors:v0.18.0 Mirrors:v0.17.2 Mirrors:v0.17.1 Mirrors:v0.17.0 Mirrors:v0.16.2 Mirrors:v0.16.1 Mirrors:v0.16.0 Mirrors:v0.15.3 Mirrors:v0.15.2 Mirrors:v0.15.1 Mirrors:v0.15.0 Mirrors:v0.14.2 Mirrors:v0.14.1 Mirrors:v0.14.0 Mirrors:v0.13.4 Mirrors:v0.13.3 Mirrors:v0.13.2 Mirrors:v0.13.1 Mirrors:v0.13.0 Mirrors:v0.12.3 Mirrors:v0.12.2 Mirrors:v0.12.1 Mirrors:v0.12.0 Mirrors:v0.11.0 Mirrors:v0.10.0 Mirrors:v0.9.1 Mirrors:v0.9.0 Mirrors:v0.8.2 Mirrors:v0.8.1 Mirrors:v0.8.0 Mirrors:v0.7.7 Mirrors:v0.7.6 Mirrors:v0.7.5 Mirrors:v0.7.4 Mirrors:v0.7.3 Mirrors:v0.7.2 Mirrors:v0.7.1 Mirrors:v0.7.0 Mirrors:v0.6.3 Mirrors:v0.6.2 Mirrors:v0.6.1 Mirrors:v0.6.0 Mirrors:v0.5.9 Mirrors:v0.5.8 Mirrors:v0.5.7 Mirrors:v0.5.6 Mirrors:v0.5.5 Mirrors:v0.5.4 Mirrors:v0.5.3 Mirrors:v0.5.2 Mirrors:v0.5.1 Mirrors:v0.5.0 Mirrors:v0.4.3 Mirrors:v0.4.2 Mirrors:v0.4.1 Mirrors:v0.4.0 Mirrors:v0.3.0 Mirrors:v0.2.6 Mirrors:v0.2.5 Mirrors:v0.2.4 Mirrors:v0.2.3 Mirrors:v0.2.2 Mirrors:v0.2.1 Mirrors:v0.2.0 Mirrors:v0.1.8 Mirrors:v0.1.7 Mirrors:v0.1.6 Mirrors:v0.1.5 Mirrors:v0.1.4 Mirrors:v0.1.3 Mirrors:v0.1.2 Mirrors:v0.1.1 Mirrors:v0.1.0 Mirrors:v0.0.28 Mirrors:v0.0.27 Mirrors:v0.0.26 Mirrors:v0.0.25 Mirrors:v0.0.24 Mirrors:v0.0.23 Mirrors:v0.0.22 Mirrors:v0.0.21 Mirrors:v0.0.20 Mirrors:v0.0.19 Mirrors:v0.0.18 Mirrors:v0.0.17 Mirrors:v0.0.16 Mirrors:v0.0.15 Mirrors:v0.0.14 Mirrors:v0.0.13 Mirrors:v0.0.12 Mirrors:v0.0.11 Mirrors:v0.0.10 Mirrors:v0.0.9 Mirrors:v0.0.8 Mirrors:v0.0.7 Mirrors:v0.0.6 Mirrors:v0.0.5 Mirrors:v0.0.4 Mirrors:v0.0.3 Mirrors:v0.0.2 Mirrors:v0.0.1 Mirrors:v0.0.1-beta.4 Mirrors:v0.0.1-beta.3 Mirrors:v0.0.1-beta.2 Mirrors:v0.0.1-beta.1 Mirrors:v0.0.1-alpha.1

2 Commits
ksm-dashbo ... rfc-passwo

Author SHA1 Message Date
Sanskar Jaiswal
067180b5b2 rfc: add more details around token refreshing and caching 
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
 2023-08-02 12:46:06 +05:30
Sanskar Jaiswal
e3f6b242ea rfc: add passswordless auth for git repos draft 
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
 2023-07-31 22:34:05 +05:30
3 changed files with 345 additions and 477 deletions
Expand all files Collapse all files

245
manifests/monitoring/kube-prometheus-stack/release.yaml
View File

@@ -6,7 +6,7 @@ spec:
interval: 5m interval: 5m
chart: chart:
spec: spec:
version: "48.x" version: "45.x"
chart: kube-prometheus-stack chart: kube-prometheus-stack
sourceRef: sourceRef:
kind: HelmRepository kind: HelmRepository
@@ -31,249 +31,6 @@ spec:
podMonitorSelector: podMonitorSelector:
matchLabels: matchLabels:
app.kubernetes.io/component: monitoring app.kubernetes.io/component: monitoring
grafana:
defaultDashboardsEnabled: false
kube-state-metrics:
collectors: []
extraArgs:
- --custom-resource-state-only=true
rbac:
extraRules:
- apiGroups:
- source.toolkit.fluxcd.io
- kustomize.toolkit.fluxcd.io
- helm.toolkit.fluxcd.io
- image.toolkit.fluxcd.io
- notification.toolkit.fluxcd.io
resources:
- gitrepositories
- buckets
- helmrepositories
- helmcharts
- ocirepositories
- kustomizations
- helmreleases
- imagerepositories
- imagepolicies
- imageupdateautomations
- alerts
- providers
- receivers
verbs: ["list", "watch"]
customResourceState:
enabled: true
config:
spec:
resources:
- groupVersionKind:
group: source.toolkit.fluxcd.io
version: "v1"
kind: GitRepository
metricNamePrefix: gotk
metrics:
- name: "resource_info"
help: "The current state of a GitOps Toolkit resource."
each:
type: Info
info:
labelsFromPath:
name: [metadata, name]
labelsFromPath:
exported_namespace: [metadata, namespace]
ready: [status, conditions, "[type=Ready]", status]
- groupVersionKind:
group: source.toolkit.fluxcd.io
version: "v1beta2"
kind: Bucket
metricNamePrefix: gotk
metrics:
- name: "resource_info"
help: "The current state of a GitOps Toolkit resource."
each:
type: Info
info:
labelsFromPath:
name: [metadata, name]
labelsFromPath:
exported_namespace: [metadata, namespace]
ready: [status, conditions, "[type=Ready]", status]
- groupVersionKind:
group: source.toolkit.fluxcd.io
version: "v1beta2"
kind: HelmRepository
metricNamePrefix: gotk
metrics:
- name: "resource_info"
help: "The current state of a GitOps Toolkit resource."
each:
type: Info
info:
labelsFromPath:
name: [metadata, name]
labelsFromPath:
exported_namespace: [metadata, namespace]
type: [spec, type]
ready: [status, conditions, "[type=Ready]", status]
- groupVersionKind:
group: source.toolkit.fluxcd.io
version: "v1beta2"
kind: HelmChart
metricNamePrefix: gotk
metrics:
- name: "resource_info"
help: "The current state of a GitOps Toolkit resource."
each:
type: Info
info:
labelsFromPath:
name: [metadata, name]
labelsFromPath:
exported_namespace: [metadata, namespace]
ready: [status, conditions, "[type=Ready]", status]
- groupVersionKind:
group: source.toolkit.fluxcd.io
version: "v1beta2"
kind: OCIRepository
metricNamePrefix: gotk
metrics:
- name: "resource_info"
help: "The current state of a GitOps Toolkit resource."
each:
type: Info
info:
labelsFromPath:
name: [metadata, name]
labelsFromPath:
exported_namespace: [metadata, namespace]
ready: [status, conditions, "[type=Ready]", status]
- groupVersionKind:
group: kustomize.toolkit.fluxcd.io
version: "v1"
kind: Kustomization
metricNamePrefix: gotk
metrics:
- name: "resource_info"
help: "The current state of a GitOps Toolkit resource."
each:
type: Info
info:
labelsFromPath:
name: [metadata, name]
labelsFromPath:
exported_namespace: [metadata, namespace]
ready: [status, conditions, "[type=Ready]", status]
- groupVersionKind:
group: helm.toolkit.fluxcd.io
version: "v2beta1"
kind: HelmRelease
metricNamePrefix: gotk
metrics:
- name: "resource_info"
help: "The current state of a GitOps Toolkit resource."
each:
type: Info
info:
labelsFromPath:
name: [metadata, name]
labelsFromPath:
exported_namespace: [metadata, namespace]
ready: [status, conditions, "[type=Ready]", status]
- groupVersionKind:
group: image.toolkit.fluxcd.io
version: "v1beta2"
kind: ImageRepository
metricNamePrefix: gotk
metrics:
- name: "resource_info"
help: "The current state of a GitOps Toolkit resource."
each:
type: Info
info:
labelsFromPath:
name: [metadata, name]
labelsFromPath:
exported_namespace: [metadata, namespace]
ready: [status, conditions, "[type=Ready]", status]
- groupVersionKind:
group: image.toolkit.fluxcd.io
version: "v1beta2"
kind: ImagePolicy
metricNamePrefix: gotk
metrics:
- name: "resource_info"
help: "The current state of a GitOps Toolkit resource."
each:
type: Info
info:
labelsFromPath:
name: [metadata, name]
labelsFromPath:
exported_namespace: [metadata, namespace]
ready: [status, conditions, "[type=Ready]", status]
- groupVersionKind:
group: image.toolkit.fluxcd.io
version: "v1beta1"
kind: ImageUpdateAutomation
metricNamePrefix: gotk
metrics:
- name: "resource_info"
help: "The current state of a GitOps Toolkit resource."
each:
type: Info
info:
labelsFromPath:
name: [metadata, name]
labelsFromPath:
exported_namespace: [metadata, namespace]
ready: [status, conditions, "[type=Ready]", status]
- groupVersionKind:
group: notification.toolkit.fluxcd.io
version: "v1beta2"
kind: Alert
metricNamePrefix: gotk
metrics:
- name: "resource_info"
help: "The current state of a GitOps Toolkit resource."
each:
type: Info
info:
labelsFromPath:
name: [metadata, name]
labelsFromPath:
exported_namespace: [metadata, namespace]
ready: [status, conditions, "[type=Ready]", status]
- groupVersionKind:
group: notification.toolkit.fluxcd.io
version: "v1beta2"
kind: Provider
metricNamePrefix: gotk
metrics:
- name: "resource_info"
help: "The current state of a GitOps Toolkit resource."
each:
type: Info
info:
labelsFromPath:
name: [metadata, name]
labelsFromPath:
exported_namespace: [metadata, namespace]
ready: [status, conditions, "[type=Ready]", status]
- groupVersionKind:
group: notification.toolkit.fluxcd.io
version: "v1"
kind: Receiver
metricNamePrefix: gotk
metrics:
- name: "resource_info"
help: "The current state of a GitOps Toolkit resource."
each:
type: Info
info:
labelsFromPath:
name: [metadata, name]
labelsFromPath:
exported_namespace: [metadata, namespace]
ready: [status, conditions, "[type=Ready]", status]
postRenderers: postRenderers:
- kustomize: - kustomize:
patches: patches:

368
manifests/monitoring/monitoring-config/dashboards/cluster.json
View File

@@ -30,23 +30,18 @@
] ]
}, },
"editable": true, "editable": true,
"fiscalYearStartMonth": 0, "gnetId": null,
"graphTooltip": 0, "graphTooltip": 0,
"id": 5, "iteration": 1652337714814,
"links": [], "links": [],
"liveNow": false,
"panels": [ "panels": [
{ {
"datasource": { "datasource": "${DS_PROMETHEUS}",
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "", "description": "",
"fieldConfig": { "fieldConfig": {
"defaults": { "defaults": {
"decimals": 0, "decimals": 0,
"mappings": [], "mappings": [],
"noValue": "0",
"thresholds": { "thresholds": {
"mode": "absolute", "mode": "absolute",
"steps": [ "steps": [
@@ -86,37 +81,28 @@
"text": {}, "text": {},
"textMode": "value" "textMode": "value"
}, },
"pluginVersion": "10.0.2", "pluginVersion": "7.5.5",
"targets": [ "targets": [
{ {
"datasource": { "exemplar": true,
"type": "prometheus", "expr": "count(gotk_reconcile_condition{namespace=~\"$operator_namespace\",exported_namespace=~\"$namespace\",type=\"Ready\",status=\"True\",kind=~\"Kustomization|HelmRelease\"})\n-\nsum(gotk_reconcile_condition{namespace=~\"$operator_namespace\",exported_namespace=~\"$namespace\",type=\"Ready\",status=\"Deleted\",kind=~\"Kustomization|HelmRelease\"})",
"uid": "prometheus"
},
"editorMode": "code",
"exemplar": false,
"expr": "count(gotk_resource_info{exported_namespace=~\"$namespace\", customresource_kind=~\"Kustomization|HelmRelease\"})",
"instant": true,
"interval": "", "interval": "",
"legendFormat": "", "legendFormat": "",
"range": false,
"refId": "A" "refId": "A"
} }
], ],
"timeFrom": null,
"timeShift": null,
"title": "Cluster Reconcilers", "title": "Cluster Reconcilers",
"type": "stat" "type": "stat"
}, },
{ {
"datasource": { "datasource": "${DS_PROMETHEUS}",
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "", "description": "",
"fieldConfig": { "fieldConfig": {
"defaults": { "defaults": {
"decimals": 0, "decimals": 0,
"mappings": [], "mappings": [],
"noValue": "0",
"thresholds": { "thresholds": {
"mode": "absolute", "mode": "absolute",
"steps": [ "steps": [
@@ -152,37 +138,28 @@
"text": {}, "text": {},
"textMode": "value" "textMode": "value"
}, },
"pluginVersion": "10.0.2", "pluginVersion": "7.5.5",
"targets": [ "targets": [
{ {
"datasource": { "exemplar": true,
"type": "prometheus", "expr": "sum(gotk_reconcile_condition{namespace=~\"$operator_namespace\",exported_namespace=~\"$namespace\",type=\"Ready\",status=\"False\",kind=~\"Kustomization|HelmRelease\"})",
"uid": "prometheus"
},
"editorMode": "code",
"exemplar": false,
"expr": "count(gotk_resource_info{exported_namespace=~\"$namespace\", customresource_kind=~\"Kustomization|HelmRelease\", ready=\"False\"})",
"instant": true,
"interval": "", "interval": "",
"legendFormat": "", "legendFormat": "",
"range": false,
"refId": "A" "refId": "A"
} }
], ],
"timeFrom": null,
"timeShift": null,
"title": "Failing Reconcilers", "title": "Failing Reconcilers",
"type": "stat" "type": "stat"
}, },
{ {
"datasource": { "datasource": "${DS_PROMETHEUS}",
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "", "description": "",
"fieldConfig": { "fieldConfig": {
"defaults": { "defaults": {
"decimals": 0, "decimals": 0,
"mappings": [], "mappings": [],
"noValue": "0",
"thresholds": { "thresholds": {
"mode": "absolute", "mode": "absolute",
"steps": [ "steps": [
@@ -222,37 +199,28 @@
"text": {}, "text": {},
"textMode": "value" "textMode": "value"
}, },
"pluginVersion": "10.0.2", "pluginVersion": "7.5.5",
"targets": [ "targets": [
{ {
"datasource": { "exemplar": true,
"type": "prometheus", "expr": "count(gotk_reconcile_condition{namespace=~\"$operator_namespace\",exported_namespace=~\"$namespace\",type=\"Ready\",status=\"True\",kind=~\"GitRepository|HelmRepository|Bucket\"})\n-\nsum(gotk_reconcile_condition{namespace=~\"$operator_namespace\",exported_namespace=~\"$namespace\",type=\"Ready\",status=\"Deleted\",kind=~\"GitRepository|HelmRepository|Bucket\"})",
"uid": "prometheus"
},
"editorMode": "code",
"exemplar": false,
"expr": "count(gotk_resource_info{exported_namespace=~\"$namespace\", customresource_kind=~\"GitRepository|HelmRepository|Bucket|OCIRepository\"})",
"instant": true,
"interval": "", "interval": "",
"legendFormat": "", "legendFormat": "",
"range": false,
"refId": "A" "refId": "A"
} }
], ],
"timeFrom": null,
"timeShift": null,
"title": "Kubernetes Manifests Sources", "title": "Kubernetes Manifests Sources",
"type": "stat" "type": "stat"
}, },
{ {
"datasource": { "datasource": "${DS_PROMETHEUS}",
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "", "description": "",
"fieldConfig": { "fieldConfig": {
"defaults": { "defaults": {
"decimals": 0, "decimals": 0,
"mappings": [], "mappings": [],
"noValue": "0",
"thresholds": { "thresholds": {
"mode": "absolute", "mode": "absolute",
"steps": [ "steps": [
@@ -288,23 +256,18 @@
"text": {}, "text": {},
"textMode": "value" "textMode": "value"
}, },
"pluginVersion": "10.0.2", "pluginVersion": "7.5.5",
"targets": [ "targets": [
{ {
"datasource": { "exemplar": true,
"type": "prometheus", "expr": "sum(gotk_reconcile_condition{namespace=~\"$operator_namespace\",exported_namespace=~\"$namespace\",type=\"Ready\",status=\"False\",kind=~\"GitRepository|HelmRepository|Bucket\"})",
"uid": "prometheus"
},
"editorMode": "code",
"exemplar": false,
"expr": "count(gotk_resource_info{exported_namespace=~\"$namespace\", customresource_kind=~\"GitRepository|HelmRepository|Bucket|OCIRepository\", ready=\"False\"})",
"instant": true,
"interval": "", "interval": "",
"legendFormat": "", "legendFormat": "",
"range": false,
"refId": "A" "refId": "A"
} }
], ],
"timeFrom": null,
"timeShift": null,
"title": "Failing Sources", "title": "Failing Sources",
"type": "stat" "type": "stat"
}, },
@@ -355,10 +318,9 @@
"values": false "values": false
}, },
"showUnfilled": true, "showUnfilled": true,
"text": {}, "text": {}
"valueMode": "color"
}, },
"pluginVersion": "10.0.2", "pluginVersion": "7.5.5",
"targets": [ "targets": [
{ {
"exemplar": true, "exemplar": true,
@@ -368,6 +330,8 @@
"refId": "A" "refId": "A"
} }
], ],
"timeFrom": null,
"timeShift": null,
"title": "Reconciler ops avg. duration", "title": "Reconciler ops avg. duration",
"type": "bargauge" "type": "bargauge"
}, },
@@ -418,19 +382,20 @@
"values": false "values": false
}, },
"showUnfilled": true, "showUnfilled": true,
"text": {}, "text": {}
"valueMode": "color"
}, },
"pluginVersion": "10.0.2", "pluginVersion": "7.5.5",
"targets": [ "targets": [
{ {
"exemplar": true, "exemplar": true,
"expr": " sum(rate(gotk_reconcile_duration_seconds_sum{namespace=~\"$operator_namespace\",exported_namespace=~\"$namespace\",kind=~\"GitRepository|HelmRepository|Bucket|OCIRepository\"}[5m])) by (kind)\n/\n sum(rate(gotk_reconcile_duration_seconds_count{namespace=~\"$operator_namespace\",exported_namespace=~\"$namespace\",kind=~\"GitRepository|HelmRepository|Bucket|OCIRepository\"}[5m])) by (kind)", "expr": " sum(rate(gotk_reconcile_duration_seconds_sum{namespace=~\"$operator_namespace\",exported_namespace=~\"$namespace\",kind=~\"GitRepository|HelmRepository|Bucket\"}[5m])) by (kind)\n/\n sum(rate(gotk_reconcile_duration_seconds_count{namespace=~\"$operator_namespace\",exported_namespace=~\"$namespace\",kind=~\"GitRepository|HelmRepository|Bucket\"}[5m])) by (kind)",
"interval": "", "interval": "",
"legendFormat": "{{kind}}", "legendFormat": "{{kind}}",
"refId": "A" "refId": "A"
} }
], ],
"timeFrom": null,
"timeShift": null,
"title": "Source ops avg. duration", "title": "Source ops avg. duration",
"type": "bargauge" "type": "bargauge"
}, },
@@ -449,33 +414,23 @@
"type": "row" "type": "row"
}, },
{ {
"datasource": { "datasource": "${DS_PROMETHEUS}",
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "", "description": "",
"fieldConfig": { "fieldConfig": {
"defaults": { "defaults": {
"custom": { "custom": {
"align": "auto", "displayMode": "auto",
"cellOptions": {
"type": "auto"
},
"filterable": true, "filterable": true,
"inspect": false "inspect": false
}, },
"mappings": [ "mappings": [
{ {
"options": { "options": {
"False": { "0": {
"color": "red",
"index": 1,
"text": "Not Ready"
},
"True": {
"color": "blue",
"index": 0,
"text": "Ready" "text": "Ready"
},
"1": {
"text": "Not Ready"
} }
}, },
"type": "value" "type": "value"
@@ -485,8 +440,16 @@
"mode": "absolute", "mode": "absolute",
"steps": [ "steps": [
{ {
"color": "transparent", "color": "blue",
"value": null "value": null
},
{
"color": "blue",
"value": 0
},
{
"color": "red",
"value": 1
} }
] ]
} }
@@ -494,16 +457,13 @@
"overrides": [ "overrides": [
{ {
"matcher": { "matcher": {
"id": "byType", "id": "byName",
"options": "string" "options": "Status"
}, },
"properties": [ "properties": [
{ {
"id": "custom.cellOptions", "id": "custom.displayMode",
"value": { "value": "color-background"
"mode": "basic",
"type": "color-background"
}
} }
] ]
} }
@@ -517,9 +477,7 @@
}, },
"id": 33, "id": 33,
"options": { "options": {
"cellHeight": "sm",
"footer": { "footer": {
"countRows": false,
"fields": "", "fields": "",
"reducer": [ "reducer": [
"sum" "sum"
@@ -534,16 +492,11 @@
} }
] ]
}, },
"pluginVersion": "10.0.2", "pluginVersion": "7.5.5",
"targets": [ "targets": [
{ {
"datasource": {
"type": "prometheus",
"uid": "prometheus"
},
"editorMode": "code",
"exemplar": true, "exemplar": true,
"expr": "gotk_resource_info{exported_namespace=~\"$namespace\", customresource_kind=~\"Kustomization|HelmRelease\"}", "expr": "gotk_reconcile_condition{namespace=~\"$operator_namespace\",exported_namespace=~\"$namespace\",type=\"Ready\",status=\"False\",kind=~\"Kustomization|HelmRelease\"}",
"format": "table", "format": "table",
"instant": true, "instant": true,
"interval": "", "interval": "",
@@ -551,6 +504,8 @@
"refId": "A" "refId": "A"
} }
], ],
"timeFrom": null,
"timeShift": null,
"title": "Cluster reconciliation readiness ", "title": "Cluster reconciliation readiness ",
"transformations": [ "transformations": [
{ {
@@ -558,16 +513,11 @@
"options": { "options": {
"excludeByName": { "excludeByName": {
"Time": true, "Time": true,
"Value": true,
"__name__": true, "__name__": true,
"app": true, "app": true,
"container": true, "container": true,
"customresource_group": true,
"customresource_kind": false,
"customresource_version": true,
"endpoint": true, "endpoint": true,
"exported_namespace": false, "exported_namespace": false,
"gotk_type": true,
"instance": true, "instance": true,
"job": true, "job": true,
"kubernetes_namespace": true, "kubernetes_namespace": true,
@@ -575,36 +525,16 @@
"namespace": true, "namespace": true,
"pod": true, "pod": true,
"pod_template_hash": true, "pod_template_hash": true,
"service": true,
"status": true, "status": true,
"type": true "type": true
}, },
"indexByName": { "indexByName": {},
"Time": 0,
"Value": 15,
"__name__": 1,
"container": 2,
"customresource_group": 4,
"customresource_kind": 5,
"customresource_version": 6,
"endpoint": 7,
"exported_namespace": 3,
"instance": 8,
"job": 9,
"name": 10,
"namespace": 11,
"pod": 12,
"ready": 13,
"service": 14
},
"renameByName": { "renameByName": {
"Value": "", "Value": "Status",
"customresource_kind": "Kind",
"exported_namespace": "Namespace", "exported_namespace": "Namespace",
"kind": "Kind", "kind": "Kind",
"name": "Name", "name": "Name",
"namespace": "Operator Namespace", "namespace": "Operator Namespace"
"ready": "Status"
} }
} }
} }
@@ -612,36 +542,23 @@
"type": "table" "type": "table"
}, },
{ {
"datasource": { "datasource": "${DS_PROMETHEUS}",
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"description": "", "description": "",
"fieldConfig": { "fieldConfig": {
"defaults": { "defaults": {
"color": {
"mode": "thresholds"
},
"custom": { "custom": {
"align": "auto", "displayMode": "auto",
"cellOptions": {
"type": "auto"
},
"filterable": true, "filterable": true,
"inspect": false "inspect": false
}, },
"mappings": [ "mappings": [
{ {
"options": { "options": {
"False": { "0": {
"color": "red",
"index": 1,
"text": "Not Ready"
},
"True": {
"color": "blue",
"index": 0,
"text": "Ready" "text": "Ready"
},
"1": {
"text": "Not Ready"
} }
}, },
"type": "value" "type": "value"
@@ -651,28 +568,21 @@
"mode": "absolute", "mode": "absolute",
"steps": [ "steps": [
{ {
"color": "transparent", "color": "blue",
"value": null "value": null
},
{
"color": "blue",
"value": 0
},
{
"color": "red",
"value": 1
} }
] ]
} }
}, },
"overrides": [ "overrides": [
{
"matcher": {
"id": "byType",
"options": "string"
},
"properties": [
{
"id": "custom.cellOptions",
"value": {
"mode": "basic",
"type": "color-background"
}
}
]
},
{ {
"matcher": { "matcher": {
"id": "byName", "id": "byName",
@@ -680,15 +590,8 @@
}, },
"properties": [ "properties": [
{ {
"id": "noValue", "id": "custom.displayMode",
"value": "Ready" "value": "color-background"
},
{
"id": "color",
"value": {
"fixedColor": "blue",
"mode": "fixed"
}
} }
] ]
} }
@@ -702,9 +605,7 @@
}, },
"id": 34, "id": 34,
"options": { "options": {
"cellHeight": "sm",
"footer": { "footer": {
"countRows": false,
"fields": "", "fields": "",
"reducer": [ "reducer": [
"sum" "sum"
@@ -719,16 +620,11 @@
} }
] ]
}, },
"pluginVersion": "10.0.2", "pluginVersion": "7.5.5",
"targets": [ "targets": [
{ {
"datasource": {
"type": "prometheus",
"uid": "prometheus"
},
"editorMode": "code",
"exemplar": true, "exemplar": true,
"expr": "gotk_resource_info{exported_namespace=~\"$namespace\", customresource_kind=~\"GitRepository|HelmRepository|Bucket|OCIRepository\"}", "expr": "gotk_reconcile_condition{namespace=~\"$operator_namespace\",exported_namespace=~\"$namespace\",type=\"Ready\",status=\"False\",kind=~\"GitRepository|HelmRepository|Bucket\"}",
"format": "table", "format": "table",
"instant": true, "instant": true,
"interval": "", "interval": "",
@@ -736,6 +632,8 @@
"refId": "A" "refId": "A"
} }
], ],
"timeFrom": null,
"timeShift": null,
"title": "Source acquisition readiness ", "title": "Source acquisition readiness ",
"transformations": [ "transformations": [
{ {
@@ -743,16 +641,11 @@
"options": { "options": {
"excludeByName": { "excludeByName": {
"Time": true, "Time": true,
"Value": true,
"__name__": true, "__name__": true,
"app": true, "app": true,
"container": true, "container": true,
"customresource_group": true,
"customresource_kind": false,
"customresource_version": true,
"endpoint": true, "endpoint": true,
"exported_namespace": false, "exported_namespace": false,
"gotk_type": true,
"instance": true, "instance": true,
"job": true, "job": true,
"kubernetes_namespace": true, "kubernetes_namespace": true,
@@ -760,37 +653,16 @@
"namespace": true, "namespace": true,
"pod": true, "pod": true,
"pod_template_hash": true, "pod_template_hash": true,
"ready": false,
"service": true,
"status": true, "status": true,
"type": true "type": true
}, },
"indexByName": { "indexByName": {},
"Time": 0,
"Value": 15,
"__name__": 1,
"container": 2,
"customresource_group": 5,
"customresource_kind": 6,
"customresource_version": 7,
"endpoint": 8,
"exported_namespace": 4,
"instance": 9,
"job": 10,
"name": 11,
"namespace": 3,
"pod": 12,
"ready": 13,
"service": 14
},
"renameByName": { "renameByName": {
"Value": "", "Value": "Status",
"customresource_kind": "Kind",
"exported_namespace": "Namespace", "exported_namespace": "Namespace",
"kind": "Kind", "kind": "Kind",
"name": "Name", "name": "Name",
"namespace": "Operator Namespace", "namespace": "Operator Namespace"
"ready": "Status"
} }
} }
} }
@@ -818,6 +690,10 @@
"dashes": false, "dashes": false,
"datasource": "${DS_PROMETHEUS}", "datasource": "${DS_PROMETHEUS}",
"description": "", "description": "",
"fieldConfig": {
"defaults": {},
"overrides": []
},
"fill": 1, "fill": 1,
"fillGradient": 0, "fillGradient": 0,
"gridPos": { "gridPos": {
@@ -848,7 +724,7 @@
"alertThreshold": true "alertThreshold": true
}, },
"percentage": false, "percentage": false,
"pluginVersion": "10.0.2", "pluginVersion": "7.5.5",
"pointradius": 2, "pointradius": 2,
"points": false, "points": false,
"renderer": "flot", "renderer": "flot",
@@ -867,7 +743,9 @@
} }
], ],
"thresholds": [], "thresholds": [],
"timeFrom": null,
"timeRegions": [], "timeRegions": [],
"timeShift": null,
"title": "Cluster reconciliation duration", "title": "Cluster reconciliation duration",
"tooltip": { "tooltip": {
"shared": true, "shared": true,
@@ -876,24 +754,33 @@
}, },
"type": "graph", "type": "graph",
"xaxis": { "xaxis": {
"buckets": null,
"mode": "time", "mode": "time",
"name": null,
"show": true, "show": true,
"values": [] "values": []
}, },
"yaxes": [ "yaxes": [
{ {
"format": "s", "format": "s",
"label": null,
"logBase": 1, "logBase": 1,
"max": null,
"min": null,
"show": true "show": true
}, },
{ {
"format": "short", "format": "short",
"label": null,
"logBase": 1, "logBase": 1,
"max": null,
"min": null,
"show": true "show": true
} }
], ],
"yaxis": { "yaxis": {
"align": false "align": false,
"alignLevel": null
} }
}, },
{ {
@@ -903,6 +790,10 @@
"dashes": false, "dashes": false,
"datasource": "${DS_PROMETHEUS}", "datasource": "${DS_PROMETHEUS}",
"description": "", "description": "",
"fieldConfig": {
"defaults": {},
"overrides": []
},
"fill": 1, "fill": 1,
"fillGradient": 0, "fillGradient": 0,
"gridPos": { "gridPos": {
@@ -933,7 +824,7 @@
"alertThreshold": true "alertThreshold": true
}, },
"percentage": false, "percentage": false,
"pluginVersion": "10.0.2", "pluginVersion": "7.5.5",
"pointradius": 2, "pointradius": 2,
"points": false, "points": false,
"renderer": "flot", "renderer": "flot",
@@ -944,7 +835,7 @@
"targets": [ "targets": [
{ {
"exemplar": true, "exemplar": true,
"expr": " sum(rate(gotk_reconcile_duration_seconds_sum{namespace=~\"$operator_namespace\",exported_namespace=~\"$namespace\",kind=~\"GitRepository|HelmRepository|Bucket|OCIRepository\"}[5m])) by (kind, name)\n/\n sum(rate(gotk_reconcile_duration_seconds_count{namespace=~\"$operator_namespace\",exported_namespace=~\"$namespace\",kind=~\"GitRepository|HelmRepository|Bucket|OCIRepository\"}[5m])) by (kind, name)", "expr": " sum(rate(gotk_reconcile_duration_seconds_sum{namespace=~\"$operator_namespace\",exported_namespace=~\"$namespace\",kind=~\"GitRepository|HelmRepository|Bucket\"}[5m])) by (kind, name)\n/\n sum(rate(gotk_reconcile_duration_seconds_count{namespace=~\"$operator_namespace\",exported_namespace=~\"$namespace\",kind=~\"GitRepository|HelmRepository|Bucket\"}[5m])) by (kind, name)",
"hide": false, "hide": false,
"interval": "", "interval": "",
"legendFormat": "{{kind}}/{{name}}", "legendFormat": "{{kind}}/{{name}}",
@@ -952,7 +843,9 @@
} }
], ],
"thresholds": [], "thresholds": [],
"timeFrom": null,
"timeRegions": [], "timeRegions": [],
"timeShift": null,
"title": "Source acquisition duration", "title": "Source acquisition duration",
"tooltip": { "tooltip": {
"shared": true, "shared": true,
@@ -961,29 +854,38 @@
}, },
"type": "graph", "type": "graph",
"xaxis": { "xaxis": {
"buckets": null,
"mode": "time", "mode": "time",
"name": null,
"show": true, "show": true,
"values": [] "values": []
}, },
"yaxes": [ "yaxes": [
{ {
"format": "s", "format": "s",
"label": null,
"logBase": 1, "logBase": 1,
"max": null,
"min": null,
"show": true "show": true
}, },
{ {
"format": "short", "format": "short",
"label": null,
"logBase": 1, "logBase": 1,
"max": null,
"min": null,
"show": true "show": true
} }
], ],
"yaxis": { "yaxis": {
"align": false "align": false,
"alignLevel": null
} }
} }
], ],
"refresh": "30s", "refresh": "30s",
"schemaVersion": 38, "schemaVersion": 36,
"style": "light", "style": "light",
"tags": [ "tags": [
"flux" "flux"
@@ -1001,13 +903,13 @@
"$__all" "$__all"
] ]
}, },
"datasource": { "datasource": "$DS_PROMETHEUS",
"type": "prometheus",
"uid": "$DS_PROMETHEUS"
},
"definition": "label_values(gotk_reconcile_condition, namespace)", "definition": "label_values(gotk_reconcile_condition, namespace)",
"description": null,
"error": null,
"hide": 0, "hide": 0,
"includeAll": true, "includeAll": true,
"label": null,
"multi": true, "multi": true,
"name": "operator_namespace", "name": "operator_namespace",
"options": [], "options": [],
@@ -1026,8 +928,10 @@
"useTags": false "useTags": false
}, },
{ {
"allValue": null,
"current": { "current": {
"selected": true, "selected": true,
"tags": [],
"text": [ "text": [
"All" "All"
], ],
@@ -1035,19 +939,19 @@
"$__all" "$__all"
] ]
}, },
"datasource": { "datasource": "$DS_PROMETHEUS",
"type": "prometheus", "definition": "label_values(gotk_reconcile_condition, exported_namespace)",
"uid": "$DS_PROMETHEUS" "description": null,
}, "error": null,
"definition": "label_values(gotk_resource_info,exported_namespace)",
"hide": 0, "hide": 0,
"includeAll": true, "includeAll": true,
"label": null,
"multi": true, "multi": true,
"name": "namespace", "name": "namespace",
"options": [], "options": [],
"query": { "query": {
"query": "label_values(gotk_resource_info,exported_namespace)", "query": "label_values(gotk_reconcile_condition, exported_namespace)",
"refId": "PrometheusVariableQueryEditor-VariableQuery" "refId": "StandardVariableQuery"
}, },
"refresh": 2, "refresh": 2,
"regex": "", "regex": "",
@@ -1096,9 +1000,7 @@
"1d" "1d"
] ]
}, },
"timezone": "",
"title": "Flux Cluster Stats", "title": "Flux Cluster Stats",
"uid": "flux-cluster", "uid": "flux-cluster",
"version": 4, "version": 3
"weekStart": ""
} }

209
rfcs/0006-git-repo-passwordless-auth/README.md Normal file
View File

@@ -0,0 +1,209 @@
# RFC-0006 Passwordless authentication for Git repositories
**Status:** provisional
**Creation date:** 2023-31-07
## Summary
Flux should provide a mechanism to authenticate against Git repositories without
the use of passwords. This RFC proposes the use of alternative authentication
methods like OIDC, OAuth2 and IAM to access Git repositories hosted on specific
Git SaaS platforms and cloud providers.
## Motivation
At the moment, Flux supports HTTP basic and bearer authentication. Users are
required to create a Secret containing the username and the password/bearer
token, which is then referred to in the GitRepository using `.spec.secretRef`.
While this works fine, it has a couple of drawbacks:
* Scalability: Each new GitRepository potentially warrants another credentials
pair, which doesn't scale well in big organizations with hundreds of
repositories with different owners, increasing the risk of mismanagement and
leaks.
* Identity: A username is associated with an actual human. But often, the
repository belongs to a team of 2 or more people. This leads to a problem where
teams have to decide whose credentials should Flux use for authentication.
These problems exist not due to flaws in Flux, but because of the inherent
nature of password based authentication.
With support for OIDC, OAuth2 and IAM based authentication, we can eliminate
these problems:
* Scalability: Since OIDC is fully handled by the cloud provider, it eliminates
any user involvement in managing credentials. For OAuth2 and IAM, users do need
to provide certain information like the ID of the resource, private key, etc.
but these are still a better alternative to passwords since the same resource
can be reused by multiple teams with different members.
* Identity: Since all the above authentication methods are associated with a
virtual resource independent of a user, it solves the problem of a single person
being tied to automation that several people are involved in.
### Goals
* Integrate with major cloud providers' OIDC and IAM offerings to provide a
seamless way of Git repository authentication.
* Integrate with major Git SaaS providers to support their app based OAuth2
mechanism.
### Non-Goals
* Replace the existing basic and bearer authentication API.
## Proposal
A new string field `.spec.provider` shall be added to the GitRepository API.
The field will be an enum with the following variants:
* `azure`
* `github`
* `gcp`
> AWS CodeCommit is not supported as it does not support authentication via IAM
Roles without the use of https://github.com/aws/git-remote-codecommit.
By default, it will be blank, which indicates that the user wants to
authenticate via HTTP basic/bearer auth or SSH.
### Azure
Git repositories hosted on Azure Devops can be accessed by Flux using OIDC if
the cluster running Flux is hosted on AKS with [managed identity](https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/service-principal-managed-identity?view=azure-devops)
enabled. The managed identity associated with the cluster must have sufficient
permissions to be able to access Azure Devops resources. This enables Flux to
access the Git repository without the need for any credentials.
```yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: azure-devops
spec:
interval: 1m
url: https://dev.azure.com/<org>/<project>/_git/<repository>
ref:
branch: master
# notice the lack of secretRef
provider: azure
```
### GCP
Git repositories hosted on Google Cloud Source Repositories can be accessed by
Flux via a [GCP Service Account](https://cloud.google.com/iam/docs/service-account-overview).
The Service Account must have sufficient permissions to be able to access Google
Cloud Source Repositories and its credentials should be specified in the secret
referred to in `.spec.secretRef`.
```yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: gcp-repo
spec:
interval: 1m
url: https://source.developers.google.com/p/<project>/r/<repository>
ref:
branch: master
provider: gcp
secretRef:
name: gcp-sa
---
kind: Secret
metadata:
name: gcp-sa
stringData:
gcpServiceAccount: |
{
"type": "service_account",
"project_id": "my-google-project",
"private_key_id": "REDACTED",
"private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n",
"client_email": "<service-account-id>@my-google-project.iam.gserviceaccount.com",
"client_id": "REDACTED",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/<service-account-id>%40my-google-project.iam.gserviceaccount.com"
}
```
### GitHub
Git repositories hosted on GitHub can be accessed via [GitHub Apps](https://docs.github.com/en/apps/overview).
This allows users to create a single resource from which they can access all
their GitHub repositories. The app must have sufficient permissions to be able
to access repositories. The app's ID, private key and installation ID should
be mentioned in the Secret referred to by `.spec.secretRef`. GitHub Enterprise
users will also need to mention their GitHub API URL in the Secret.
```yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: github-repo
spec:
interval: 1m
url: https://github.com/<org>/<repository>
ref:
branch: master
provider: github
secretRef:
name: github-app
---
kind: Secret
metadata:
name: gcp-sa
stringData:
githubAppID: <app-id>
githubInstallationID: <installation-id>
githubPrivateKey: |
<PEM-private-key>
githubApiURl: <github-enterprise-api-url> #optional, required only for GitHub Enterprise users
```
## Design Details
### Azure
If `.spec.provider` is set to `azure`, Flux controllers will reach out to
[Azure IMDS (Instance Metadata Service)](https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-go)
to get an access token. This [access token will be then used as a bearer token](https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/service-principal-managed-identity?view=azure-devops#q-can-i-use-a-service-principal-to-do-git-operations-like-clone-a-repo)
to perform HTTP bearer authentication.
### GCP
If `.spec.provider` is set to `gcp`, Flux controllers will get the Service
Account credentials from the specified Secret and use
[`google.CredentialsFromJSON`](https://pkg.go.dev/golang.org/x/oauth2/google#CredentialsFromJSON)
to fetch the access token. This access token will be then used as the password
and the `client_email` as the username to perform HTTP basic authentication.
### GitHub
If `.spec.provider` is set to `github`, Flux controllers will get the app
details from the specified Secret and use it to [generate an app installation
token](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app).
This token is then used as the password and [`x-access-token` as the username](https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/choosing-permissions-for-a-github-app#choosing-permissions-for-git-access)
to perform HTTP basic authentication.
### Token Caching and Refreshing
To avoid calling the upstream API for a token during every reconciliation, Flux
controllers shall cache the token after fetching it. Since GitHub tokens
self-expire, the cache shall automatically evict the token after it has expired,
triggering a fetch of a fresh token.
For GCP, the [`TokenSource`](https://pkg.go.dev/golang.org/x/oauth2@v0.10.0#TokenSource)
object will be cached, since it automatically handles refreshing an expired
token and always returns a valid token. Since a `TokenSource` never expires, it
need not be evicted from the cache.
While Azure's managed identities subsystem caches the token, it is
[recommended for the consumer application to implement their own caching](https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#token-caching)
as well.
The caches for all three providers are separate, i.e. there shall exist a
dedicated cache for each provider.
Since the proposed authentication methods for GitHub and GCP involve some form
of credentials stored in a Kubernetes Secret, the cache key can be the Secret's
`<namespace/name>`. Since authentication for Azure is configured directly via
the source-controller Deployment, the token can just be stored in a global
variable, which is refreshed whenever the token expires.