mirror of https://github.com/fluxcd/flux2.git
Compare commits
No commits in common. 'main' and 'v0.28.2' have entirely different histories.
@ -1,16 +0,0 @@
|
||||
version: 2
|
||||
|
||||
updates:
|
||||
- package-ecosystem: "github-actions"
|
||||
directory: "/"
|
||||
labels: ["area/ci", "dependencies"]
|
||||
groups:
|
||||
# Group all updates together, so that they are all applied in a single PR.
|
||||
# Grouped updates are currently in beta and is subject to change.
|
||||
# xref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
|
||||
ci:
|
||||
patterns:
|
||||
- "*"
|
||||
schedule:
|
||||
# By default, this will be on a monday.
|
||||
interval: "weekly"
|
||||
@ -1,9 +1,5 @@
|
||||
kind: Cluster
|
||||
apiVersion: kind.x-k8s.io/v1alpha4
|
||||
nodes:
|
||||
- role: control-plane
|
||||
- role: worker
|
||||
- role: worker
|
||||
networking:
|
||||
disableDefaultCNI: true # disable kindnet
|
||||
podSubnet: 192.168.0.0/16 # set to Calico's default subnet
|
||||
|
||||
@ -1,55 +0,0 @@
|
||||
# Configuration file to declaratively configure labels
|
||||
# Ref: https://github.com/EndBug/label-sync#Config-files
|
||||
|
||||
- name: area/bootstrap
|
||||
description: Bootstrap related issues and pull requests
|
||||
color: '#86efc9'
|
||||
- name: area/install
|
||||
description: Install and uninstall related issues and pull requests
|
||||
color: '#86efc9'
|
||||
- name: area/diff
|
||||
description: Diff related issues and pull requests
|
||||
color: '#BA4192'
|
||||
- name: area/bucket
|
||||
description: Bucket related issues and pull requests
|
||||
color: '#00b140'
|
||||
- name: area/git
|
||||
description: Git related issues and pull requests
|
||||
color: '#863faf'
|
||||
- name: area/oci
|
||||
description: OCI related issues and pull requests
|
||||
color: '#c739ff'
|
||||
- name: area/kustomization
|
||||
description: Kustomization related issues and pull requests
|
||||
color: '#00e54d'
|
||||
- name: area/helm
|
||||
description: Helm related issues and pull requests
|
||||
color: '#1673b6'
|
||||
- name: area/image-automation
|
||||
description: Automated image updates related issues and pull requests
|
||||
color: '#c5def5'
|
||||
- name: area/monitoring
|
||||
description: Monitoring related issues and pull requests
|
||||
color: '#dd75ae'
|
||||
- name: area/multi-tenancy
|
||||
description: Multi-tenancy related issues and pull requests
|
||||
color: '#72CDBD'
|
||||
- name: area/notification
|
||||
description: Notification API related issues and pull requests
|
||||
color: '#434ec1'
|
||||
- name: area/source
|
||||
description: Source API related issues and pull requests
|
||||
color: '#863faf'
|
||||
- name: area/rfc
|
||||
description: Feature request proposals in the RFC format
|
||||
color: '#D621C3'
|
||||
aliases: ['area/RFC']
|
||||
- name: backport:release/v2.3.x
|
||||
description: To be backported to release/v2.3.x
|
||||
color: '#ffd700'
|
||||
- name: backport:release/v2.4.x
|
||||
description: To be backported to release/v2.4.x
|
||||
color: '#ffd700'
|
||||
- name: backport:release/v2.5.x
|
||||
description: To be backported to release/v2.5.x
|
||||
color: '#ffd700'
|
||||
@ -1,50 +0,0 @@
|
||||
# Flux GitHub Workflows
|
||||
|
||||
## End-to-end Testing
|
||||
|
||||
The e2e workflows run a series of tests to ensure that the Flux CLI and
|
||||
the GitOps Toolkit controllers work well all together.
|
||||
The tests are written in Go, Bash, Make and Terraform.
|
||||
|
||||
| Workflow | Jobs | Runner | Role |
|
||||
|--------------------|----------------------|----------------|-----------------------------------------------|
|
||||
| e2e.yaml | e2e-amd64-kubernetes | GitHub Ubuntu | integration testing with Kubernetes Kind<br/> |
|
||||
| e2e-arm64.yaml | e2e-arm64-kubernetes | Equinix Ubuntu | integration testing with Kubernetes Kind<br/> |
|
||||
| e2e-bootstrap.yaml | e2e-boostrap-github | GitHub Ubuntu | integration testing with GitHub API<br/> |
|
||||
| e2e-azure.yaml | e2e-amd64-aks | GitHub Ubuntu | integration testing with Azure API<br/> |
|
||||
| scan.yaml | scan-fossa | GitHub Ubuntu | license scanning<br/> |
|
||||
| scan.yaml | scan-snyk | GitHub Ubuntu | vulnerability scanning<br/> |
|
||||
| scan.yaml | scan-codeql | GitHub Ubuntu | vulnerability scanning<br/> |
|
||||
|
||||
## Components Update
|
||||
|
||||
The components update workflow scans the GitOps Toolkit controller repositories for new releases,
|
||||
amd when it finds a new controller version, the workflow performs the following steps:
|
||||
- Updates the controller API package version in `go.mod`.
|
||||
- Patches the controller CRDs version in the `manifests/crds` overlay.
|
||||
- Patches the controller Deployment version in `manifests/bases` overlay.
|
||||
- Opens a Pull Request against the `main` branch.
|
||||
- Triggers the e2e test suite to run for the opened PR.
|
||||
|
||||
|
||||
| Workflow | Jobs | Runner | Role |
|
||||
|-------------|-------------------|---------------|-----------------------------------------------------|
|
||||
| update.yaml | update-components | GitHub Ubuntu | update the GitOps Toolkit APIs and controllers<br/> |
|
||||
|
||||
## Release
|
||||
|
||||
The release workflow is triggered by a semver Git tag and performs the following steps:
|
||||
- Generates the Flux install manifests (YAML).
|
||||
- Generates the OpenAPI validation schemas for the GitOps Toolkit CRDs (JSON).
|
||||
- Generates a Software Bill of Materials (SPDX JSON).
|
||||
- Builds the Flux CLI binaries and the multi-arch container images.
|
||||
- Pushes the container images to GitHub Container Registry and DockerHub.
|
||||
- Signs the sbom, the binaries checksum and the container images with Cosign and GitHub OIDC.
|
||||
- Uploads the sbom, binaries, checksums and install manifests to GitHub Releases.
|
||||
- Pushes the install manifests as OCI artifacts to GitHub Container Registry and DockerHub.
|
||||
- Signs the OCI artifacts with Cosign and GitHub OIDC.
|
||||
|
||||
| Workflow | Jobs | Runner | Role |
|
||||
|--------------|------------------------|---------------|------------------------------------------------------|
|
||||
| release.yaml | release-flux-cli | GitHub Ubuntu | build, push and sign the CLI release artifacts<br/> |
|
||||
| release.yaml | release-flux-manifests | GitHub Ubuntu | build, push and sign the Flux install manifests<br/> |
|
||||
@ -1,29 +0,0 @@
|
||||
name: test-gh-action
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
paths:
|
||||
- 'action/**'
|
||||
push:
|
||||
paths:
|
||||
- 'action/**'
|
||||
branches:
|
||||
- 'main'
|
||||
- 'release/**'
|
||||
|
||||
permissions: read-all
|
||||
|
||||
jobs:
|
||||
actions:
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
version: [ubuntu-latest, macos-latest, windows-latest]
|
||||
|
||||
runs-on: ${{ matrix.version }}
|
||||
name: action on ${{ matrix.version }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- name: Setup flux
|
||||
uses: ./action
|
||||
@ -1,34 +0,0 @@
|
||||
name: backport
|
||||
|
||||
on:
|
||||
pull_request_target:
|
||||
types: [closed, labeled]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
pull-request:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: write
|
||||
pull-requests: write
|
||||
if: github.event.pull_request.state == 'closed' && github.event.pull_request.merged && (github.event_name != 'labeled' || startsWith('backport:', github.event.label.name))
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.sha }}
|
||||
- name: Create backport PRs
|
||||
uses: korthout/backport-action@be567af183754f6a5d831ae90f648954763f17f5 # v3.1.0
|
||||
# xref: https://github.com/korthout/backport-action#inputs
|
||||
with:
|
||||
# Use token to allow workflows to be triggered for the created PR
|
||||
github_token: ${{ secrets.BOT_GITHUB_TOKEN }}
|
||||
# Match labels with a pattern `backport:<target-branch>`
|
||||
label_pattern: '^backport:([^ ]+)$'
|
||||
# A bit shorter pull-request title than the default
|
||||
pull_title: '[${target_branch}] ${pull_title}'
|
||||
# Simpler PR description than default
|
||||
pull_description: |-
|
||||
Automated backport to `${target_branch}`, triggered by a label in #${pull_number}.
|
||||
@ -1,256 +0,0 @@
|
||||
name: conformance
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches: [ 'main', 'update-components', 'release/**', 'conform*' ]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
env:
|
||||
GO_VERSION: 1.23.x
|
||||
|
||||
jobs:
|
||||
conform-kubernetes:
|
||||
runs-on:
|
||||
group: "ARM64"
|
||||
strategy:
|
||||
matrix:
|
||||
# Keep this list up-to-date with https://endoflife.date/kubernetes
|
||||
# Build images with https://github.com/fluxcd/flux-benchmark/actions/workflows/build-kind.yaml
|
||||
KUBERNETES_VERSION: [1.30.9, 1.31.5, 1.32.1 ]
|
||||
fail-fast: false
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- name: Setup Go
|
||||
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
|
||||
with:
|
||||
go-version: ${{ env.GO_VERSION }}
|
||||
cache-dependency-path: |
|
||||
**/go.sum
|
||||
**/go.mod
|
||||
- name: Prepare
|
||||
id: prep
|
||||
run: |
|
||||
ID=${GITHUB_SHA:0:7}-${{ matrix.KUBERNETES_VERSION }}-$(date +%s)
|
||||
echo "CLUSTER=arm64-${ID}" >> $GITHUB_OUTPUT
|
||||
- name: Build
|
||||
run: |
|
||||
make build
|
||||
- name: Setup Kubernetes
|
||||
uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
|
||||
with:
|
||||
version: v0.22.0
|
||||
cluster_name: ${{ steps.prep.outputs.CLUSTER }}
|
||||
node_image: ghcr.io/fluxcd/kindest/node:v${{ matrix.KUBERNETES_VERSION }}-arm64
|
||||
- name: Run e2e tests
|
||||
run: TEST_KUBECONFIG=$HOME/.kube/config make e2e
|
||||
- name: Run multi-tenancy tests
|
||||
run: |
|
||||
./bin/flux install
|
||||
./bin/flux create source git flux-system \
|
||||
--interval=15m \
|
||||
--url=https://github.com/fluxcd/flux2-multi-tenancy \
|
||||
--branch=main \
|
||||
--ignore-paths="./clusters/**/flux-system/"
|
||||
./bin/flux create kustomization flux-system \
|
||||
--interval=15m \
|
||||
--source=flux-system \
|
||||
--path=./clusters/staging
|
||||
kubectl -n flux-system wait kustomization/tenants --for=condition=ready --timeout=5m
|
||||
kubectl -n apps wait kustomization/dev-team --for=condition=ready --timeout=1m
|
||||
kubectl -n apps wait helmrelease/podinfo --for=condition=ready --timeout=1m
|
||||
- name: Debug failure
|
||||
if: failure()
|
||||
run: |
|
||||
kubectl -n flux-system get all
|
||||
kubectl -n flux-system describe po
|
||||
kubectl -n flux-system logs deploy/source-controller
|
||||
kubectl -n flux-system logs deploy/kustomize-controller
|
||||
|
||||
conform-k3s:
|
||||
runs-on: ubuntu-latest
|
||||
strategy:
|
||||
matrix:
|
||||
# Keep this list up-to-date with https://endoflife.date/kubernetes
|
||||
# Available versions can be found with "replicated cluster versions"
|
||||
K3S_VERSION: [ 1.30.9, 1.31.5, 1.32.1 ]
|
||||
fail-fast: false
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- name: Setup Go
|
||||
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
|
||||
with:
|
||||
go-version: ${{ env.GO_VERSION }}
|
||||
cache-dependency-path: |
|
||||
**/go.sum
|
||||
**/go.mod
|
||||
- name: Prepare
|
||||
id: prep
|
||||
run: |
|
||||
ID=${GITHUB_SHA:0:7}-${{ matrix.K3S_VERSION }}-$(date +%s)
|
||||
PSEUDO_RAND_SUFFIX=$(echo "${ID}" | shasum | awk '{print $1}')
|
||||
echo "cluster=flux2-k3s-${PSEUDO_RAND_SUFFIX}" >> $GITHUB_OUTPUT
|
||||
KUBECONFIG_PATH="$(git rev-parse --show-toplevel)/bin/kubeconfig.yaml"
|
||||
echo "kubeconfig-path=${KUBECONFIG_PATH}" >> $GITHUB_OUTPUT
|
||||
- name: Setup Kustomize
|
||||
uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
|
||||
- name: Build
|
||||
run: make build-dev
|
||||
- name: Create repository
|
||||
run: |
|
||||
gh repo create --private --add-readme fluxcd-testing/${{ steps.prep.outputs.cluster }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
|
||||
- name: Create cluster
|
||||
id: create-cluster
|
||||
uses: replicatedhq/replicated-actions/create-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
|
||||
with:
|
||||
api-token: ${{ secrets.REPLICATED_API_TOKEN }}
|
||||
kubernetes-distribution: "k3s"
|
||||
kubernetes-version: ${{ matrix.K3S_VERSION }}
|
||||
ttl: 20m
|
||||
cluster-name: "${{ steps.prep.outputs.cluster }}"
|
||||
kubeconfig-path: ${{ steps.prep.outputs.kubeconfig-path }}
|
||||
export-kubeconfig: true
|
||||
- name: Run e2e tests
|
||||
run: TEST_KUBECONFIG=${{ steps.prep.outputs.kubeconfig-path }} make e2e
|
||||
- name: Run flux bootstrap
|
||||
run: |
|
||||
./bin/flux bootstrap git --manifests ./manifests/install/ \
|
||||
--components-extra=image-reflector-controller,image-automation-controller \
|
||||
--url=https://github.com/fluxcd-testing/${{ steps.prep.outputs.cluster }} \
|
||||
--branch=main \
|
||||
--path=clusters/k3s \
|
||||
--token-auth
|
||||
env:
|
||||
GIT_PASSWORD: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
|
||||
- name: Run flux check
|
||||
run: |
|
||||
./bin/flux check
|
||||
- name: Run flux reconcile
|
||||
run: |
|
||||
./bin/flux reconcile ks flux-system --with-source
|
||||
./bin/flux get all
|
||||
./bin/flux events
|
||||
- name: Collect reconcile logs
|
||||
if: ${{ always() }}
|
||||
continue-on-error: true
|
||||
run: |
|
||||
kubectl -n flux-system get all
|
||||
kubectl -n flux-system describe pods
|
||||
kubectl -n flux-system logs deploy/source-controller
|
||||
kubectl -n flux-system logs deploy/kustomize-controller
|
||||
kubectl -n flux-system logs deploy/notification-controller
|
||||
- name: Delete flux
|
||||
run: |
|
||||
./bin/flux uninstall -s --keep-namespace
|
||||
kubectl delete ns flux-system --wait
|
||||
- name: Delete cluster
|
||||
if: ${{ always() }}
|
||||
uses: replicatedhq/replicated-actions/remove-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
|
||||
continue-on-error: true
|
||||
with:
|
||||
api-token: ${{ secrets.REPLICATED_API_TOKEN }}
|
||||
cluster-id: ${{ steps.create-cluster.outputs.cluster-id }}
|
||||
- name: Delete repository
|
||||
if: ${{ always() }}
|
||||
continue-on-error: true
|
||||
run: |
|
||||
gh repo delete fluxcd-testing/${{ steps.prep.outputs.cluster }} --yes
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
|
||||
|
||||
conform-openshift:
|
||||
runs-on: ubuntu-latest
|
||||
strategy:
|
||||
matrix:
|
||||
# Keep this list up-to-date with https://endoflife.date/red-hat-openshift
|
||||
OPENSHIFT_VERSION: [ 4.17.0-okd ]
|
||||
fail-fast: false
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- name: Setup Go
|
||||
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
|
||||
with:
|
||||
go-version: ${{ env.GO_VERSION }}
|
||||
cache-dependency-path: |
|
||||
**/go.sum
|
||||
**/go.mod
|
||||
- name: Prepare
|
||||
id: prep
|
||||
run: |
|
||||
ID=${GITHUB_SHA:0:7}-${{ matrix.OPENSHIFT_VERSION }}-$(date +%s)
|
||||
PSEUDO_RAND_SUFFIX=$(echo "${ID}" | shasum | awk '{print $1}')
|
||||
echo "cluster=flux2-openshift-${PSEUDO_RAND_SUFFIX}" >> $GITHUB_OUTPUT
|
||||
KUBECONFIG_PATH="$(git rev-parse --show-toplevel)/bin/kubeconfig.yaml"
|
||||
echo "kubeconfig-path=${KUBECONFIG_PATH}" >> $GITHUB_OUTPUT
|
||||
- name: Setup Kustomize
|
||||
uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
|
||||
- name: Build
|
||||
run: make build-dev
|
||||
- name: Create repository
|
||||
run: |
|
||||
gh repo create --private --add-readme fluxcd-testing/${{ steps.prep.outputs.cluster }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
|
||||
- name: Create cluster
|
||||
id: create-cluster
|
||||
uses: replicatedhq/replicated-actions/create-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
|
||||
with:
|
||||
api-token: ${{ secrets.REPLICATED_API_TOKEN }}
|
||||
kubernetes-distribution: "openshift"
|
||||
kubernetes-version: ${{ matrix.OPENSHIFT_VERSION }}
|
||||
ttl: 20m
|
||||
cluster-name: "${{ steps.prep.outputs.cluster }}"
|
||||
kubeconfig-path: ${{ steps.prep.outputs.kubeconfig-path }}
|
||||
export-kubeconfig: true
|
||||
- name: Run flux bootstrap
|
||||
run: |
|
||||
./bin/flux bootstrap git --manifests ./manifests/openshift/ \
|
||||
--components-extra=image-reflector-controller,image-automation-controller \
|
||||
--url=https://github.com/fluxcd-testing/${{ steps.prep.outputs.cluster }} \
|
||||
--branch=main \
|
||||
--path=clusters/openshift \
|
||||
--token-auth
|
||||
env:
|
||||
GIT_PASSWORD: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
|
||||
- name: Run flux check
|
||||
run: |
|
||||
./bin/flux check
|
||||
- name: Run flux reconcile
|
||||
run: |
|
||||
./bin/flux reconcile ks flux-system --with-source
|
||||
./bin/flux get all
|
||||
./bin/flux events
|
||||
- name: Collect reconcile logs
|
||||
if: ${{ always() }}
|
||||
continue-on-error: true
|
||||
run: |
|
||||
kubectl -n flux-system get all
|
||||
kubectl -n flux-system describe pods
|
||||
kubectl -n flux-system logs deploy/source-controller
|
||||
kubectl -n flux-system logs deploy/kustomize-controller
|
||||
kubectl -n flux-system logs deploy/notification-controller
|
||||
- name: Delete flux
|
||||
run: |
|
||||
./bin/flux uninstall -s --keep-namespace
|
||||
kubectl delete ns flux-system --wait
|
||||
- name: Delete cluster
|
||||
if: ${{ always() }}
|
||||
uses: replicatedhq/replicated-actions/remove-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
|
||||
continue-on-error: true
|
||||
with:
|
||||
api-token: ${{ secrets.REPLICATED_API_TOKEN }}
|
||||
cluster-id: ${{ steps.create-cluster.outputs.cluster-id }}
|
||||
- name: Delete repository
|
||||
if: ${{ always() }}
|
||||
continue-on-error: true
|
||||
run: |
|
||||
gh repo delete fluxcd-testing/${{ steps.prep.outputs.cluster }} --yes
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
|
||||
@ -0,0 +1,37 @@
|
||||
name: e2e-arm64
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches: [ main, update-components, equinix-runners ]
|
||||
|
||||
jobs:
|
||||
test:
|
||||
# Hosted on Equinix
|
||||
# Docs: https://github.com/fluxcd/flux2/tree/main/.github/runners
|
||||
runs-on: [self-hosted, Linux, ARM64, equinix]
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v2
|
||||
- name: Setup Go
|
||||
uses: actions/setup-go@v2
|
||||
with:
|
||||
go-version: 1.17.x
|
||||
- name: Prepare
|
||||
id: prep
|
||||
run: |
|
||||
echo ::set-output name=CLUSTER::arm64-${GITHUB_SHA:0:7}-$(date +%s)
|
||||
echo ::set-output name=CONTEXT::kind-arm64-${GITHUB_SHA:0:7}-$(date +%s)
|
||||
- name: Build
|
||||
run: |
|
||||
make build
|
||||
- name: Setup Kubernetes Kind
|
||||
run: |
|
||||
kind create cluster --name ${{ steps.prep.outputs.CLUSTER }} --kubeconfig=/tmp/${{ steps.prep.outputs.CLUSTER }}
|
||||
- name: Run e2e tests
|
||||
run: TEST_KUBECONFIG=/tmp/${{ steps.prep.outputs.CLUSTER }} make e2e
|
||||
- name: Cleanup
|
||||
if: always()
|
||||
run: |
|
||||
kind delete cluster --name ${{ steps.prep.outputs.CLUSTER }}
|
||||
rm /tmp/${{ steps.prep.outputs.CLUSTER }}
|
||||
@ -1,104 +0,0 @@
|
||||
name: e2e-gcp
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
schedule:
|
||||
- cron: '0 6 * * *'
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
paths:
|
||||
- 'tests/**'
|
||||
- '.github/workflows/e2e-gcp.yaml'
|
||||
pull_request:
|
||||
branches:
|
||||
- main
|
||||
paths:
|
||||
- 'tests/**'
|
||||
- '.github/workflows/e2e-gcp.yaml'
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
e2e-gcp:
|
||||
runs-on: ubuntu-22.04
|
||||
defaults:
|
||||
run:
|
||||
working-directory: ./tests/integration
|
||||
if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- name: Setup Go
|
||||
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
|
||||
with:
|
||||
go-version: 1.23.x
|
||||
cache-dependency-path: tests/integration/go.sum
|
||||
- name: Setup Terraform
|
||||
uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
|
||||
- name: Setup Flux CLI
|
||||
run: make build
|
||||
working-directory: ./
|
||||
- name: Setup SOPS
|
||||
run: |
|
||||
mkdir -p $HOME/.local/bin
|
||||
wget -O $HOME/.local/bin/sops https://github.com/mozilla/sops/releases/download/v$SOPS_VER/sops-v$SOPS_VER.linux
|
||||
chmod +x $HOME/.local/bin/sops
|
||||
env:
|
||||
SOPS_VER: 3.7.1
|
||||
- name: Authenticate to Google Cloud
|
||||
uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
|
||||
id: 'auth'
|
||||
with:
|
||||
credentials_json: '${{ secrets.FLUX2_E2E_GOOGLE_CREDENTIALS }}'
|
||||
token_format: 'access_token'
|
||||
- name: Setup gcloud
|
||||
uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
|
||||
- name: Setup QEMU
|
||||
uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
|
||||
- name: Setup Docker Buildx
|
||||
uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
|
||||
- name: Log into us-central1-docker.pkg.dev
|
||||
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
|
||||
with:
|
||||
registry: us-central1-docker.pkg.dev
|
||||
username: oauth2accesstoken
|
||||
password: ${{ steps.auth.outputs.access_token }}
|
||||
- name: Set dynamic variables in .env
|
||||
run: |
|
||||
cat > .env <<EOF
|
||||
export TF_VAR_tags='{ "environment"="github", "ci"="true", "repo"="flux2", "createdat"="$(date -u +x%Y-%m-%d_%Hh%Mm%Ss)" }'
|
||||
EOF
|
||||
- name: Print .env for dynamic tag value reference
|
||||
run: cat .env
|
||||
- name: Run GCP e2e tests
|
||||
env:
|
||||
TF_VAR_gcp_project_id: ${{ vars.TF_VAR_gcp_project_id }}
|
||||
TF_VAR_gcp_region: ${{ vars.TF_VAR_gcp_region }}
|
||||
TF_VAR_gcp_zone: ${{ vars.TF_VAR_gcp_zone }}
|
||||
TF_VAR_gcp_email: ${{ secrets.TF_VAR_gcp_email }}
|
||||
TF_VAR_gcp_keyring: ${{ secrets.TF_VAR_gcp_keyring }}
|
||||
TF_VAR_gcp_crypto_key: ${{ secrets.TF_VAR_gcp_crypto_key }}
|
||||
GITREPO_SSH_CONTENTS: ${{ secrets.GCP_GITREPO_SSH_CONTENTS }}
|
||||
GITREPO_SSH_PUB_CONTENTS: ${{ secrets.GCP_GITREPO_SSH_PUB_CONTENTS }}
|
||||
run: |
|
||||
source .env
|
||||
mkdir -p ./build/ssh
|
||||
touch ./build/ssh/key
|
||||
echo $GITREPO_SSH_CONTENTS | base64 -d > build/ssh/key
|
||||
export GITREPO_SSH_PATH=build/ssh/key
|
||||
touch ./build/ssh/key.pub
|
||||
echo $GITREPO_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub
|
||||
export GITREPO_SSH_PUB_PATH=build/ssh/key.pub
|
||||
make test-gcp
|
||||
- name: Ensure resource cleanup
|
||||
if: ${{ always() }}
|
||||
env:
|
||||
TF_VAR_gcp_project_id: ${{ vars.TF_VAR_gcp_project_id }}
|
||||
TF_VAR_gcp_region: ${{ vars.TF_VAR_gcp_region }}
|
||||
TF_VAR_gcp_zone: ${{ vars.TF_VAR_gcp_zone }}
|
||||
TF_VAR_gcp_email: ${{ secrets.TF_VAR_gcp_email }}
|
||||
TF_VAR_gcp_keyring: ${{ secrets.TF_VAR_gcp_keyring }}
|
||||
TF_VAR_gcp_crypto_key: ${{ secrets.TF_VAR_gcp_crypto_key }}
|
||||
run: source .env && make destroy-gcp
|
||||
@ -1,39 +0,0 @@
|
||||
name: ossf
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
schedule:
|
||||
# Weekly on Saturdays.
|
||||
- cron: '30 1 * * 6'
|
||||
|
||||
permissions: read-all
|
||||
|
||||
jobs:
|
||||
scorecard:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
security-events: write
|
||||
id-token: write
|
||||
actions: read
|
||||
contents: read
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- name: Run analysis
|
||||
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
|
||||
with:
|
||||
results_file: results.sarif
|
||||
results_format: sarif
|
||||
repo_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
publish_results: true
|
||||
- name: Upload artifact
|
||||
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
|
||||
with:
|
||||
name: SARIF file
|
||||
path: results.sarif
|
||||
retention-days: 5
|
||||
- name: Upload SARIF results
|
||||
uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
@ -0,0 +1,21 @@
|
||||
name: rebase
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
types: [ opened ]
|
||||
issue_comment:
|
||||
types: [ created ]
|
||||
|
||||
jobs:
|
||||
rebase:
|
||||
if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase') && (github.event.comment.author_association == 'CONTRIBUTOR' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'OWNER')
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout the latest code
|
||||
uses: actions/checkout@v2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- name: Automatic Rebase
|
||||
uses: cirrus-actions/rebase@1.3.1
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
|
||||
@ -1,86 +1,60 @@
|
||||
name: scan
|
||||
name: Scan
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches: [ 'main', 'release/**' ]
|
||||
branches: [ main ]
|
||||
pull_request:
|
||||
branches: [ 'main', 'release/**' ]
|
||||
branches: [ main ]
|
||||
schedule:
|
||||
- cron: '18 10 * * 3'
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
scan-fossa:
|
||||
fossa:
|
||||
name: FOSSA
|
||||
runs-on: ubuntu-latest
|
||||
if: github.actor != 'dependabot[bot]'
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@v2
|
||||
- name: Run FOSSA scan and upload build data
|
||||
uses: fossa-contrib/fossa-action@cdc5065bcdee31a32e47d4585df72d66e8e941c2 # v3.0.0
|
||||
uses: fossa-contrib/fossa-action@v1
|
||||
with:
|
||||
# FOSSA Push-Only API Token
|
||||
fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
|
||||
github-token: ${{ github.token }}
|
||||
|
||||
scan-snyk:
|
||||
snyk:
|
||||
name: Snyk
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
security-events: write
|
||||
if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
|
||||
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@v2
|
||||
- name: Setup Kustomize
|
||||
uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
|
||||
- name: Setup Go
|
||||
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
|
||||
with:
|
||||
go-version-file: 'go.mod'
|
||||
cache-dependency-path: |
|
||||
**/go.sum
|
||||
**/go.mod
|
||||
- name: Download modules and build manifests
|
||||
uses: fluxcd/pkg//actions/kustomize@main
|
||||
- name: Build manifests
|
||||
run: |
|
||||
make tidy
|
||||
make cmd/flux/.manifests.done
|
||||
- uses: snyk/actions/setup@b98d498629f1c368650224d6d212bf7dfa89e4bf
|
||||
- name: Run Snyk to check for vulnerabilities
|
||||
uses: snyk/actions/golang@master
|
||||
continue-on-error: true
|
||||
run: |
|
||||
snyk test --all-projects --sarif-file-output=snyk.sarif
|
||||
env:
|
||||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
|
||||
with:
|
||||
args: --sarif-file-output=snyk.sarif
|
||||
- name: Upload result to GitHub Code Scanning
|
||||
continue-on-error: true
|
||||
uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: snyk.sarif
|
||||
|
||||
scan-codeql:
|
||||
codeql:
|
||||
name: CodeQL
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
security-events: write
|
||||
if: github.actor != 'dependabot[bot]'
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- name: Setup Go
|
||||
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
|
||||
with:
|
||||
go-version-file: 'go.mod'
|
||||
cache-dependency-path: |
|
||||
**/go.sum
|
||||
**/go.mod
|
||||
uses: actions/checkout@v2
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
|
||||
uses: github/codeql-action/init@v1
|
||||
with:
|
||||
languages: go
|
||||
# xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
|
||||
# xref: https://codeql.github.com/codeql-query-help/go/
|
||||
queries: security-and-quality
|
||||
- name: Autobuild
|
||||
uses: github/codeql-action/autobuild@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
|
||||
uses: github/codeql-action/autobuild@v1
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
|
||||
uses: github/codeql-action/analyze@v1
|
||||
|
||||
@ -1,28 +0,0 @@
|
||||
name: sync-labels
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
paths:
|
||||
- .github/labels.yaml
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
labels:
|
||||
name: Run sync
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
issues: write
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2.3.3
|
||||
with:
|
||||
# Configuration file
|
||||
config-file: |
|
||||
https://raw.githubusercontent.com/fluxcd/community/main/.github/standard-labels.yaml
|
||||
.github/labels.yaml
|
||||
# Strictly declarative
|
||||
delete-other-labels: true
|
||||
@ -1,5 +0,0 @@
|
||||
annotations:
|
||||
- checks:
|
||||
- dangerous-workflow
|
||||
reasons:
|
||||
- reason: not-applicable # This workflow does not run untrusted code, the bot will only backport a code if the a PR was approved and merged into main.
|
||||
@ -1,22 +1,104 @@
|
||||
# Flux GitHub Action
|
||||
|
||||
To install the latest Flux CLI on Linux, macOS or Windows GitHub runners:
|
||||
Usage:
|
||||
|
||||
```yaml
|
||||
steps:
|
||||
steps:
|
||||
- name: Setup Flux CLI
|
||||
uses: fluxcd/flux2/action@main
|
||||
- name: Run Flux commands
|
||||
run: flux -v
|
||||
```
|
||||
|
||||
The latest stable version of the `flux` binary is downloaded from
|
||||
GitHub [releases](https://github.com/fluxcd/flux2/releases)
|
||||
and placed at `/usr/local/bin/flux`.
|
||||
|
||||
Note that this action can only be used on GitHub **Linux** runners.
|
||||
You can change the arch (defaults to `amd64`) with:
|
||||
|
||||
```yaml
|
||||
steps:
|
||||
- name: Setup Flux CLI
|
||||
uses: fluxcd/flux2/action@main
|
||||
with:
|
||||
arch: arm64 # can be amd64, arm64 or arm
|
||||
```
|
||||
|
||||
You can download a specific version with:
|
||||
|
||||
```yaml
|
||||
steps:
|
||||
- name: Setup Flux CLI
|
||||
uses: fluxcd/flux2/action@main
|
||||
with:
|
||||
version: 'latest'
|
||||
- name: Run Flux CLI
|
||||
run: flux version --client
|
||||
version: 0.8.0
|
||||
```
|
||||
|
||||
The Flux GitHub Action can be used to automate various tasks in CI, such as:
|
||||
### Automate Flux updates
|
||||
|
||||
- [Automate Flux upgrades on clusters via Pull Requests](https://fluxcd.io/flux/flux-gh-action/#automate-flux-updates)
|
||||
- [Push Kubernetes manifests to container registries](https://fluxcd.io/flux/flux-gh-action/#push-kubernetes-manifests-to-container-registries)
|
||||
- [Run end-to-end testing with Flux and Kubernetes Kind](https://fluxcd.io/flux/flux-gh-action/#end-to-end-testing)
|
||||
Example workflow for updating Flux's components generated with `flux bootstrap --path=clusters/production`:
|
||||
|
||||
```yaml
|
||||
name: update-flux
|
||||
|
||||
For more information, please see the [Flux GitHub Action documentation](https://fluxcd.io/flux/flux-gh-action/).
|
||||
on:
|
||||
workflow_dispatch:
|
||||
schedule:
|
||||
- cron: "0 * * * *"
|
||||
|
||||
jobs:
|
||||
components:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Check out code
|
||||
uses: actions/checkout@v2
|
||||
- name: Setup Flux CLI
|
||||
uses: fluxcd/flux2/action@main
|
||||
- name: Check for updates
|
||||
id: update
|
||||
run: |
|
||||
flux install \
|
||||
--export > ./clusters/production/flux-system/gotk-components.yaml
|
||||
|
||||
VERSION="$(flux -v)"
|
||||
echo "::set-output name=flux_version::$VERSION"
|
||||
- name: Create Pull Request
|
||||
uses: peter-evans/create-pull-request@v3
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
branch: update-flux
|
||||
commit-message: Update to ${{ steps.update.outputs.flux_version }}
|
||||
title: Update to ${{ steps.update.outputs.flux_version }}
|
||||
body: |
|
||||
${{ steps.update.outputs.flux_version }}
|
||||
```
|
||||
|
||||
### End-to-end testing
|
||||
|
||||
Example workflow for running Flux in Kubernetes Kind:
|
||||
|
||||
```yaml
|
||||
name: e2e
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- '*'
|
||||
|
||||
jobs:
|
||||
kubernetes:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v2
|
||||
- name: Setup Flux CLI
|
||||
uses: fluxcd/flux2/action@main
|
||||
- name: Setup Kubernetes Kind
|
||||
uses: engineerd/setup-kind@v0.5.0
|
||||
- name: Install Flux in Kubernetes Kind
|
||||
run: flux install
|
||||
```
|
||||
|
||||
A complete e2e testing workflow is available here
|
||||
[flux2-kustomize-helm-example](https://github.com/fluxcd/flux2-kustomize-helm-example/blob/main/.github/workflows/e2e.yaml)
|
||||
|
||||
@ -1,120 +1,52 @@
|
||||
name: Setup Flux CLI
|
||||
description: A GitHub Action for installing the Flux CLI
|
||||
author: Flux project
|
||||
description: A GitHub Action for running Flux commands
|
||||
author: Stefan Prodan
|
||||
branding:
|
||||
color: blue
|
||||
icon: command
|
||||
inputs:
|
||||
version:
|
||||
description: "Flux version e.g. 2.0.0 (defaults to latest stable release)"
|
||||
description: "Flux version e.g. 0.8.0 (defaults to latest stable release)"
|
||||
required: false
|
||||
arch:
|
||||
description: "arch can be amd64, arm64 or arm"
|
||||
required: false
|
||||
deprecationMessage: "No longer required, action will now detect runner arch."
|
||||
required: true
|
||||
default: "amd64"
|
||||
bindir:
|
||||
description: "Alternative location for the Flux binary, defaults to path relative to $RUNNER_TOOL_CACHE."
|
||||
required: false
|
||||
token:
|
||||
description: "Token used to authentication against the GitHub.com API. Defaults to the token from the GitHub context of the workflow."
|
||||
description: "Optional location of the Flux binary. Will not use sudo if set. Updates System Path."
|
||||
required: false
|
||||
runs:
|
||||
using: composite
|
||||
steps:
|
||||
- name: "Download the binary to the runner's cache dir"
|
||||
- name: "Download flux binary to tmp"
|
||||
shell: bash
|
||||
run: |
|
||||
ARCH=${{ inputs.arch }}
|
||||
VERSION=${{ inputs.version }}
|
||||
|
||||
TOKEN=${{ inputs.token }}
|
||||
if [[ -z "$TOKEN" ]]; then
|
||||
TOKEN=${{ github.token }}
|
||||
fi
|
||||
|
||||
if [[ -z "$VERSION" ]] || [[ "$VERSION" = "latest" ]]; then
|
||||
VERSION=$(curl -fsSL -H "Authorization: token ${TOKEN}" https://api.github.com/repos/fluxcd/flux2/releases/latest | grep tag_name | cut -d '"' -f 4)
|
||||
fi
|
||||
if [[ -z "$VERSION" ]]; then
|
||||
echo "Unable to determine Flux CLI version"
|
||||
exit 1
|
||||
fi
|
||||
if [[ $VERSION = v* ]]; then
|
||||
VERSION="${VERSION:1}"
|
||||
fi
|
||||
|
||||
OS=$(echo "${RUNNER_OS}" | tr '[:upper:]' '[:lower:]')
|
||||
if [[ "$OS" == "macos" ]]; then
|
||||
OS="darwin"
|
||||
fi
|
||||
|
||||
ARCH=$(echo "${RUNNER_ARCH}" | tr '[:upper:]' '[:lower:]')
|
||||
if [[ "$ARCH" == "x64" ]]; then
|
||||
ARCH="amd64"
|
||||
elif [[ "$ARCH" == "x86" ]]; then
|
||||
ARCH="386"
|
||||
fi
|
||||
|
||||
FLUX_EXEC_FILE="flux"
|
||||
if [[ "$OS" == "windows" ]]; then
|
||||
FLUX_EXEC_FILE="${FLUX_EXEC_FILE}.exe"
|
||||
fi
|
||||
|
||||
FLUX_TOOL_DIR=${{ inputs.bindir }}
|
||||
if [[ -z "$FLUX_TOOL_DIR" ]]; then
|
||||
FLUX_TOOL_DIR="${RUNNER_TOOL_CACHE}/flux2/${VERSION}/${OS}/${ARCH}"
|
||||
fi
|
||||
if [[ ! -x "$FLUX_TOOL_DIR/FLUX_EXEC_FILE" ]]; then
|
||||
DL_DIR="$(mktemp -dt flux2-XXXXXX)"
|
||||
trap 'rm -rf $DL_DIR' EXIT
|
||||
|
||||
echo "Downloading flux ${VERSION} for ${OS}/${ARCH}"
|
||||
FLUX_TARGET_FILE="flux_${VERSION}_${OS}_${ARCH}.tar.gz"
|
||||
if [[ "$OS" == "windows" ]]; then
|
||||
FLUX_TARGET_FILE="flux_${VERSION}_${OS}_${ARCH}.zip"
|
||||
fi
|
||||
|
||||
FLUX_CHECKSUMS_FILE="flux_${VERSION}_checksums.txt"
|
||||
|
||||
FLUX_DOWNLOAD_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/"
|
||||
|
||||
curl -fsSL -o "$DL_DIR/$FLUX_TARGET_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_TARGET_FILE"
|
||||
curl -fsSL -o "$DL_DIR/$FLUX_CHECKSUMS_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_CHECKSUMS_FILE"
|
||||
|
||||
echo "Verifying checksum"
|
||||
sum=""
|
||||
if command -v openssl > /dev/null; then
|
||||
sum=$(openssl sha256 "$DL_DIR/$FLUX_TARGET_FILE" | awk '{print $2}')
|
||||
elif command -v sha256sum > /dev/null; then
|
||||
sum=$(sha256sum "$DL_DIR/$FLUX_TARGET_FILE" | awk '{print $1}')
|
||||
if [ -z $VERSION ]; then
|
||||
VERSION=$(curl https://api.github.com/repos/fluxcd/flux2/releases/latest -sL | grep tag_name | sed -E 's/.*"([^"]+)".*/\1/' | cut -c 2-)
|
||||
fi
|
||||
|
||||
if [[ -z "$sum" ]]; then
|
||||
echo "Neither openssl nor sha256sum found. Cannot calculate checksum."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
expected_sum=$(grep " $FLUX_TARGET_FILE\$" "$DL_DIR/$FLUX_CHECKSUMS_FILE" | awk '{print $1}')
|
||||
if [ "$sum" != "$expected_sum" ]; then
|
||||
echo "SHA sum of ${FLUX_TARGET_FILE} does not match. Aborting."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Installing flux to ${FLUX_TOOL_DIR}"
|
||||
mkdir -p "$FLUX_TOOL_DIR"
|
||||
|
||||
if [[ "$OS" == "windows" ]]; then
|
||||
unzip "$DL_DIR/$FLUX_TARGET_FILE" "$FLUX_EXEC_FILE" -d "$FLUX_TOOL_DIR"
|
||||
BIN_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_${ARCH}.tar.gz"
|
||||
curl -sL ${BIN_URL} -o /tmp/flux.tar.gz
|
||||
mkdir -p /tmp/flux
|
||||
tar -C /tmp/flux/ -zxvf /tmp/flux.tar.gz
|
||||
- name: "Copy Flux binary to execute location"
|
||||
shell: bash
|
||||
run: |
|
||||
BINDIR=${{ inputs.bindir }}
|
||||
if [ -z $BINDIR ]; then
|
||||
sudo cp /tmp/flux/flux /usr/local/bin
|
||||
else
|
||||
tar xzf "$DL_DIR/$FLUX_TARGET_FILE" -C "$FLUX_TOOL_DIR" $FLUX_EXEC_FILE
|
||||
fi
|
||||
|
||||
chmod +x "$FLUX_TOOL_DIR/$FLUX_EXEC_FILE"
|
||||
cp /tmp/flux/flux "${BINDIR}"
|
||||
echo "${BINDIR}" >> $GITHUB_PATH
|
||||
fi
|
||||
|
||||
echo "Adding flux to path"
|
||||
echo "$FLUX_TOOL_DIR" >> "$GITHUB_PATH"
|
||||
|
||||
- name: "Print installed flux version"
|
||||
- name: "Cleanup tmp"
|
||||
shell: bash
|
||||
run: |
|
||||
rm -rf /tmp/flux/ /tmp/flux.tar.gz
|
||||
- name: "Verify correct installation of binary"
|
||||
shell: bash
|
||||
run: |
|
||||
flux -v
|
||||
|
||||
@ -1,276 +0,0 @@
|
||||
/*
|
||||
Copyright 2023 The Flux authors
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"os"
|
||||
"time"
|
||||
|
||||
"github.com/fluxcd/pkg/git"
|
||||
"github.com/fluxcd/pkg/git/gogit"
|
||||
"github.com/spf13/cobra"
|
||||
|
||||
"github.com/fluxcd/flux2/v2/internal/flags"
|
||||
"github.com/fluxcd/flux2/v2/internal/utils"
|
||||
"github.com/fluxcd/flux2/v2/pkg/bootstrap"
|
||||
"github.com/fluxcd/flux2/v2/pkg/bootstrap/provider"
|
||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen"
|
||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
|
||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
|
||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
|
||||
)
|
||||
|
||||
var bootstrapGiteaCmd = &cobra.Command{
|
||||
Use: "gitea",
|
||||
Short: "Deploy Flux on a cluster connected to a Gitea repository",
|
||||
Long: `The bootstrap gitea command creates the Gitea repository if it doesn't exists and
|
||||
commits the Flux manifests to the specified branch.
|
||||
Then it configures the target cluster to synchronize with that repository.
|
||||
If the Flux components are present on the cluster,
|
||||
the bootstrap command will perform an upgrade if needed.`,
|
||||
Example: ` # Create a Gitea personal access token and export it as an env var
|
||||
export GITEA_TOKEN=<my-token>
|
||||
|
||||
# Run bootstrap for a private repository owned by a Gitea organization
|
||||
flux bootstrap gitea --owner=<organization> --repository=<repository name> --path=clusters/my-cluster
|
||||
|
||||
# Run bootstrap for a private repository and assign organization teams to it
|
||||
flux bootstrap gitea --owner=<organization> --repository=<repository name> --team=<team1 slug> --team=<team2 slug> --path=clusters/my-cluster
|
||||
|
||||
# Run bootstrap for a private repository and assign organization teams with their access level(e.g maintain, admin) to it
|
||||
flux bootstrap gitea --owner=<organization> --repository=<repository name> --team=<team1 slug>:<access-level> --path=clusters/my-cluster
|
||||
|
||||
# Run bootstrap for a public repository on a personal account
|
||||
flux bootstrap gitea --owner=<user> --repository=<repository name> --private=false --personal=true --path=clusters/my-cluster
|
||||
|
||||
# Run bootstrap for a private repository hosted on Gitea Enterprise using SSH auth
|
||||
flux bootstrap gitea --owner=<organization> --repository=<repository name> --hostname=<domain> --ssh-hostname=<domain> --path=clusters/my-cluster
|
||||
|
||||
# Run bootstrap for a private repository hosted on Gitea Enterprise using HTTPS auth
|
||||
flux bootstrap gitea --owner=<organization> --repository=<repository name> --hostname=<domain> --token-auth --path=clusters/my-cluster
|
||||
|
||||
# Run bootstrap for an existing repository with a branch named main
|
||||
flux bootstrap gitea --owner=<organization> --repository=<repository name> --branch=main --path=clusters/my-cluster`,
|
||||
RunE: bootstrapGiteaCmdRun,
|
||||
}
|
||||
|
||||
type giteaFlags struct {
|
||||
owner string
|
||||
repository string
|
||||
interval time.Duration
|
||||
personal bool
|
||||
private bool
|
||||
hostname string
|
||||
path flags.SafeRelativePath
|
||||
teams []string
|
||||
readWriteKey bool
|
||||
reconcile bool
|
||||
}
|
||||
|
||||
const (
|
||||
gtDefaultPermission = "maintain"
|
||||
gtDefaultDomain = "gitea.com"
|
||||
gtTokenEnvVar = "GITEA_TOKEN"
|
||||
)
|
||||
|
||||
var giteaArgs giteaFlags
|
||||
|
||||
func init() {
|
||||
bootstrapGiteaCmd.Flags().StringVar(&giteaArgs.owner, "owner", "", "Gitea user or organization name")
|
||||
bootstrapGiteaCmd.Flags().StringVar(&giteaArgs.repository, "repository", "", "Gitea repository name")
|
||||
bootstrapGiteaCmd.Flags().StringSliceVar(&giteaArgs.teams, "team", []string{}, "Gitea team and the access to be given to it(team:maintain). Defaults to maintainer access if no access level is specified (also accepts comma-separated values)")
|
||||
bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.personal, "personal", false, "if true, the owner is assumed to be a Gitea user; otherwise an org")
|
||||
bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.private, "private", true, "if true, the repository is setup or configured as private")
|
||||
bootstrapGiteaCmd.Flags().DurationVar(&giteaArgs.interval, "interval", time.Minute, "sync interval")
|
||||
bootstrapGiteaCmd.Flags().StringVar(&giteaArgs.hostname, "hostname", gtDefaultDomain, "Gitea hostname")
|
||||
bootstrapGiteaCmd.Flags().Var(&giteaArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
|
||||
bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
|
||||
bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")
|
||||
|
||||
bootstrapCmd.AddCommand(bootstrapGiteaCmd)
|
||||
}
|
||||
|
||||
func bootstrapGiteaCmdRun(cmd *cobra.Command, args []string) error {
|
||||
gtToken := os.Getenv(gtTokenEnvVar)
|
||||
if gtToken == "" {
|
||||
var err error
|
||||
gtToken, err = readPasswordFromStdin("Please enter your Gitea personal access token (PAT): ")
|
||||
if err != nil {
|
||||
return fmt.Errorf("could not read token: %w", err)
|
||||
}
|
||||
}
|
||||
|
||||
if err := bootstrapValidate(); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
|
||||
defer cancel()
|
||||
|
||||
kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Manifest base
|
||||
if ver, err := getVersion(bootstrapArgs.version); err != nil {
|
||||
return err
|
||||
} else {
|
||||
bootstrapArgs.version = ver
|
||||
}
|
||||
manifestsBase, err := buildEmbeddedManifestBase()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer os.RemoveAll(manifestsBase)
|
||||
|
||||
var caBundle []byte
|
||||
if bootstrapArgs.caFile != "" {
|
||||
var err error
|
||||
caBundle, err = os.ReadFile(bootstrapArgs.caFile)
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to read TLS CA file: %w", err)
|
||||
}
|
||||
}
|
||||
// Build Gitea provider
|
||||
providerCfg := provider.Config{
|
||||
Provider: provider.GitProviderGitea,
|
||||
Hostname: giteaArgs.hostname,
|
||||
Token: gtToken,
|
||||
CaBundle: caBundle,
|
||||
}
|
||||
providerClient, err := provider.BuildGitProvider(providerCfg)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to create temporary working dir: %w", err)
|
||||
}
|
||||
defer os.RemoveAll(tmpDir)
|
||||
|
||||
clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()}
|
||||
gitClient, err := gogit.NewClient(tmpDir, &git.AuthOptions{
|
||||
Transport: git.HTTPS,
|
||||
Username: giteaArgs.owner,
|
||||
Password: gtToken,
|
||||
CAFile: caBundle,
|
||||
}, clientOpts...)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to create a Git client: %w", err)
|
||||
}
|
||||
|
||||
// Install manifest config
|
||||
installOptions := install.Options{
|
||||
BaseURL: rootArgs.defaults.BaseURL,
|
||||
Version: bootstrapArgs.version,
|
||||
Namespace: *kubeconfigArgs.Namespace,
|
||||
Components: bootstrapComponents(),
|
||||
Registry: bootstrapArgs.registry,
|
||||
RegistryCredential: bootstrapArgs.registryCredential,
|
||||
ImagePullSecret: bootstrapArgs.imagePullSecret,
|
||||
WatchAllNamespaces: bootstrapArgs.watchAllNamespaces,
|
||||
NetworkPolicy: bootstrapArgs.networkPolicy,
|
||||
LogLevel: bootstrapArgs.logLevel.String(),
|
||||
NotificationController: rootArgs.defaults.NotificationController,
|
||||
ManifestFile: rootArgs.defaults.ManifestFile,
|
||||
Timeout: rootArgs.timeout,
|
||||
TargetPath: giteaArgs.path.ToSlash(),
|
||||
ClusterDomain: bootstrapArgs.clusterDomain,
|
||||
TolerationKeys: bootstrapArgs.tolerationKeys,
|
||||
}
|
||||
if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
|
||||
installOptions.BaseURL = customBaseURL
|
||||
}
|
||||
|
||||
// Source generation and secret config
|
||||
secretOpts := sourcesecret.Options{
|
||||
Name: bootstrapArgs.secretName,
|
||||
Namespace: *kubeconfigArgs.Namespace,
|
||||
TargetPath: giteaArgs.path.ToSlash(),
|
||||
ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
|
||||
}
|
||||
if bootstrapArgs.tokenAuth {
|
||||
secretOpts.Username = "git"
|
||||
secretOpts.Password = gtToken
|
||||
secretOpts.CACrt = caBundle
|
||||
} else {
|
||||
secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
|
||||
secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
|
||||
secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
|
||||
|
||||
secretOpts.SSHHostname = giteaArgs.hostname
|
||||
if bootstrapArgs.sshHostname != "" {
|
||||
secretOpts.SSHHostname = bootstrapArgs.sshHostname
|
||||
}
|
||||
}
|
||||
|
||||
// Sync manifest config
|
||||
syncOpts := sync.Options{
|
||||
Interval: giteaArgs.interval,
|
||||
Name: *kubeconfigArgs.Namespace,
|
||||
Namespace: *kubeconfigArgs.Namespace,
|
||||
Branch: bootstrapArgs.branch,
|
||||
Secret: bootstrapArgs.secretName,
|
||||
TargetPath: giteaArgs.path.ToSlash(),
|
||||
ManifestFile: sync.MakeDefaultOptions().ManifestFile,
|
||||
RecurseSubmodules: bootstrapArgs.recurseSubmodules,
|
||||
}
|
||||
|
||||
entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Bootstrap config
|
||||
bootstrapOpts := []bootstrap.GitProviderOption{
|
||||
bootstrap.WithProviderRepository(giteaArgs.owner, giteaArgs.repository, giteaArgs.personal),
|
||||
bootstrap.WithBranch(bootstrapArgs.branch),
|
||||
bootstrap.WithBootstrapTransportType("https"),
|
||||
bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
|
||||
bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
|
||||
bootstrap.WithProviderTeamPermissions(mapTeamSlice(giteaArgs.teams, gtDefaultPermission)),
|
||||
bootstrap.WithReadWriteKeyPermissions(giteaArgs.readWriteKey),
|
||||
bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
|
||||
bootstrap.WithLogger(logger),
|
||||
bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
|
||||
}
|
||||
if bootstrapArgs.sshHostname != "" {
|
||||
bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
|
||||
}
|
||||
if bootstrapArgs.tokenAuth {
|
||||
bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
|
||||
}
|
||||
if !giteaArgs.private {
|
||||
bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
|
||||
}
|
||||
if giteaArgs.reconcile {
|
||||
bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile())
|
||||
}
|
||||
|
||||
// Setup bootstrapper with constructed configs
|
||||
b, err := bootstrap.NewGitProviderBootstrapper(gitClient, providerClient, kubeClient, bootstrapOpts...)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Run
|
||||
return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
|
||||
}
|
||||
@ -1,117 +0,0 @@
|
||||
/*
|
||||
Copyright 2022 The Flux authors
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"bytes"
|
||||
"fmt"
|
||||
"io"
|
||||
"os"
|
||||
"strings"
|
||||
|
||||
"github.com/spf13/cobra"
|
||||
|
||||
oci "github.com/fluxcd/pkg/oci/client"
|
||||
"github.com/fluxcd/pkg/sourceignore"
|
||||
)
|
||||
|
||||
var buildArtifactCmd = &cobra.Command{
|
||||
Use: "artifact",
|
||||
Short: "Build artifact",
|
||||
Long: withPreviewNote(`The build artifact command creates a tgz file with the manifests
|
||||
from the given directory or a single manifest file.`),
|
||||
Example: ` # Build the given manifests directory into an artifact
|
||||
flux build artifact --path ./path/to/local/manifests --output ./path/to/artifact.tgz
|
||||
|
||||
# Build the given single manifest file into an artifact
|
||||
flux build artifact --path ./path/to/local/manifest.yaml --output ./path/to/artifact.tgz
|
||||
|
||||
# List the files bundled in the artifact
|
||||
tar -ztvf ./path/to/artifact.tgz
|
||||
`,
|
||||
RunE: buildArtifactCmdRun,
|
||||
}
|
||||
|
||||
type buildArtifactFlags struct {
|
||||
output string
|
||||
path string
|
||||
ignorePaths []string
|
||||
}
|
||||
|
||||
var excludeOCI = append(strings.Split(sourceignore.ExcludeVCS, ","), strings.Split(sourceignore.ExcludeExt, ",")...)
|
||||
|
||||
var buildArtifactArgs buildArtifactFlags
|
||||
|
||||
func init() {
|
||||
buildArtifactCmd.Flags().StringVarP(&buildArtifactArgs.path, "path", "p", "", "Path to the directory where the Kubernetes manifests are located.")
|
||||
buildArtifactCmd.Flags().StringVarP(&buildArtifactArgs.output, "output", "o", "artifact.tgz", "Path to where the artifact tgz file should be written.")
|
||||
buildArtifactCmd.Flags().StringSliceVar(&buildArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")
|
||||
|
||||
buildCmd.AddCommand(buildArtifactCmd)
|
||||
}
|
||||
|
||||
func buildArtifactCmdRun(cmd *cobra.Command, args []string) error {
|
||||
if buildArtifactArgs.path == "" {
|
||||
return fmt.Errorf("invalid path %q", buildArtifactArgs.path)
|
||||
}
|
||||
|
||||
path := buildArtifactArgs.path
|
||||
var err error
|
||||
if buildArtifactArgs.path == "-" {
|
||||
path, err = saveReaderToFile(os.Stdin)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
defer os.Remove(path)
|
||||
}
|
||||
|
||||
if _, err := os.Stat(path); err != nil {
|
||||
return fmt.Errorf("invalid path '%s', must point to an existing directory or file", path)
|
||||
}
|
||||
|
||||
logger.Actionf("building artifact from %s", path)
|
||||
|
||||
ociClient := oci.NewClient(oci.DefaultOptions())
|
||||
if err := ociClient.Build(buildArtifactArgs.output, path, buildArtifactArgs.ignorePaths); err != nil {
|
||||
return fmt.Errorf("building artifact failed, error: %w", err)
|
||||
}
|
||||
|
||||
logger.Successf("artifact created at %s", buildArtifactArgs.output)
|
||||
return nil
|
||||
}
|
||||
|
||||
func saveReaderToFile(reader io.Reader) (string, error) {
|
||||
b, err := io.ReadAll(bufio.NewReader(reader))
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
b = bytes.TrimRight(b, "\r\n")
|
||||
f, err := os.CreateTemp("", "*.yaml")
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("unable to create temp dir for stdin")
|
||||
}
|
||||
|
||||
defer f.Close()
|
||||
|
||||
if _, err := f.Write(b); err != nil {
|
||||
return "", fmt.Errorf("error writing stdin to file: %w", err)
|
||||
}
|
||||
|
||||
return f.Name(), nil
|
||||
}
|
||||
@ -1,70 +0,0 @@
|
||||
/*
|
||||
Copyright 2022 The Flux authors
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"os"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
. "github.com/onsi/gomega"
|
||||
)
|
||||
|
||||
func Test_saveReaderToFile(t *testing.T) {
|
||||
g := NewWithT(t)
|
||||
|
||||
testString := `apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: myapp
|
||||
data:
|
||||
foo: bar`
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
string string
|
||||
expectErr bool
|
||||
}{
|
||||
{
|
||||
name: "yaml",
|
||||
string: testString,
|
||||
},
|
||||
{
|
||||
name: "yaml with carriage return",
|
||||
string: testString + "\r\n",
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
tmpFile, err := saveReaderToFile(strings.NewReader(tt.string))
|
||||
g.Expect(err).To(BeNil())
|
||||
|
||||
t.Cleanup(func() { _ = os.Remove(tmpFile) })
|
||||
|
||||
b, err := os.ReadFile(tmpFile)
|
||||
if tt.expectErr {
|
||||
g.Expect(err).To(Not(BeNil()))
|
||||
return
|
||||
}
|
||||
|
||||
g.Expect(err).To(BeNil())
|
||||
g.Expect(string(b)).To(BeEquivalentTo(testString))
|
||||
})
|
||||
|
||||
}
|
||||
}
|
||||
@ -1,126 +0,0 @@
|
||||
/*
|
||||
Copyright 2023 The Flux authors
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/manifoldco/promptui"
|
||||
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"sigs.k8s.io/controller-runtime/pkg/client"
|
||||
|
||||
kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
|
||||
sourcev1 "github.com/fluxcd/source-controller/api/v1"
|
||||
|
||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen"
|
||||
)
|
||||
|
||||
// bootstrapLabels are labels put on a resource by kustomize-controller. These labels on the CRD indicates
|
||||
// that flux has been bootstrapped.
|
||||
var bootstrapLabels = []string{
|
||||
fmt.Sprintf("%s/name", kustomizev1.GroupVersion.Group),
|
||||
fmt.Sprintf("%s/namespace", kustomizev1.GroupVersion.Group),
|
||||
}
|
||||
|
||||
// fluxClusterInfo contains information about an existing flux installation on a cluster.
|
||||
type fluxClusterInfo struct {
|
||||
// bootstrapped indicates that Flux was installed using the `flux bootstrap` command.
|
||||
bootstrapped bool
|
||||
// managedBy is the name of the tool being used to manage the installation of Flux.
|
||||
managedBy string
|
||||
// partOf indicates which distribution the instance is a part of.
|
||||
partOf string
|
||||
// version is the Flux version number in semver format.
|
||||
version string
|
||||
}
|
||||
|
||||
// getFluxClusterInfo returns information on the Flux installation running on the cluster.
|
||||
// If an error occurred, the returned error will be non-nil.
|
||||
//
|
||||
// This function retrieves the GitRepository CRD from the cluster and checks it
|
||||
// for a set of labels used to determine the Flux version and how Flux was installed.
|
||||
// It returns the NotFound error from the underlying library if it was unable to find
|
||||
// the GitRepository CRD and this can be used to check if Flux is installed.
|
||||
func getFluxClusterInfo(ctx context.Context, c client.Client) (fluxClusterInfo, error) {
|
||||
var info fluxClusterInfo
|
||||
crdMetadata := &metav1.PartialObjectMetadata{
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
APIVersion: apiextensionsv1.SchemeGroupVersion.String(),
|
||||
Kind: "CustomResourceDefinition",
|
||||
},
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: fmt.Sprintf("gitrepositories.%s", sourcev1.GroupVersion.Group),
|
||||
},
|
||||
}
|
||||
if err := c.Get(ctx, client.ObjectKeyFromObject(crdMetadata), crdMetadata); err != nil {
|
||||
return info, err
|
||||
}
|
||||
|
||||
info.version = crdMetadata.Labels[manifestgen.VersionLabelKey]
|
||||
|
||||
var present bool
|
||||
for _, l := range bootstrapLabels {
|
||||
_, present = crdMetadata.Labels[l]
|
||||
}
|
||||
if present {
|
||||
info.bootstrapped = true
|
||||
}
|
||||
|
||||
// the `app.kubernetes.io/managed-by` label is not set by flux but might be set by other
|
||||
// tools used to install Flux e.g Helm.
|
||||
if manager, ok := crdMetadata.Labels["app.kubernetes.io/managed-by"]; ok {
|
||||
info.managedBy = manager
|
||||
}
|
||||
|
||||
if partOf, ok := crdMetadata.Labels[manifestgen.PartOfLabelKey]; ok {
|
||||
info.partOf = partOf
|
||||
}
|
||||
return info, nil
|
||||
}
|
||||
|
||||
// confirmFluxInstallOverride displays a prompt to the user so that they can confirm before overriding
|
||||
// a Flux installation. It returns nil if the installation should continue,
|
||||
// promptui.ErrAbort if the user doesn't confirm, or an error encountered.
|
||||
func confirmFluxInstallOverride(info fluxClusterInfo) error {
|
||||
// no need to display prompt if installation is managed by Flux
|
||||
if installManagedByFlux(info.managedBy) {
|
||||
return nil
|
||||
}
|
||||
|
||||
display := fmt.Sprintf("Flux %s has been installed on this cluster with %s!", info.version, info.managedBy)
|
||||
fmt.Fprintln(rootCmd.ErrOrStderr(), display)
|
||||
prompt := promptui.Prompt{
|
||||
Label: fmt.Sprintf("Are you sure you want to override the %s installation? Y/N", info.managedBy),
|
||||
IsConfirm: true,
|
||||
}
|
||||
_, err := prompt.Run()
|
||||
return err
|
||||
}
|
||||
|
||||
func (info fluxClusterInfo) distribution() string {
|
||||
distribution := info.version
|
||||
if info.partOf != "" {
|
||||
distribution = fmt.Sprintf("%s-%s", info.partOf, info.version)
|
||||
}
|
||||
return distribution
|
||||
}
|
||||
|
||||
func installManagedByFlux(manager string) bool {
|
||||
return manager == "" || manager == "flux"
|
||||
}
|
||||
@ -1,141 +0,0 @@
|
||||
/*
|
||||
Copyright 2023 The Flux authors
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"os"
|
||||
"testing"
|
||||
|
||||
. "github.com/onsi/gomega"
|
||||
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"sigs.k8s.io/controller-runtime/pkg/client/fake"
|
||||
|
||||
kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
|
||||
ssautil "github.com/fluxcd/pkg/ssa/utils"
|
||||
)
|
||||
|
||||
func Test_getFluxClusterInfo(t *testing.T) {
|
||||
g := NewWithT(t)
|
||||
f, err := os.Open("./testdata/cluster_info/gitrepositories.yaml")
|
||||
g.Expect(err).To(BeNil())
|
||||
|
||||
objs, err := ssautil.ReadObjects(f)
|
||||
g.Expect(err).To(Not(HaveOccurred()))
|
||||
gitrepo := objs[0]
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
labels map[string]string
|
||||
wantErr bool
|
||||
wantInfo fluxClusterInfo
|
||||
}{
|
||||
{
|
||||
name: "no git repository CRD present",
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "CRD with kustomize-controller labels",
|
||||
labels: map[string]string{
|
||||
fmt.Sprintf("%s/name", kustomizev1.GroupVersion.Group): "flux-system",
|
||||
fmt.Sprintf("%s/namespace", kustomizev1.GroupVersion.Group): "flux-system",
|
||||
"app.kubernetes.io/version": "v2.1.0",
|
||||
},
|
||||
wantInfo: fluxClusterInfo{
|
||||
version: "v2.1.0",
|
||||
bootstrapped: true,
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "CRD with kustomize-controller labels and managed-by label",
|
||||
labels: map[string]string{
|
||||
fmt.Sprintf("%s/name", kustomizev1.GroupVersion.Group): "flux-system",
|
||||
fmt.Sprintf("%s/namespace", kustomizev1.GroupVersion.Group): "flux-system",
|
||||
"app.kubernetes.io/version": "v2.1.0",
|
||||
"app.kubernetes.io/managed-by": "flux",
|
||||
},
|
||||
wantInfo: fluxClusterInfo{
|
||||
version: "v2.1.0",
|
||||
bootstrapped: true,
|
||||
managedBy: "flux",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "CRD with only managed-by label",
|
||||
labels: map[string]string{
|
||||
"app.kubernetes.io/version": "v2.1.0",
|
||||
"app.kubernetes.io/managed-by": "helm",
|
||||
},
|
||||
wantInfo: fluxClusterInfo{
|
||||
version: "v2.1.0",
|
||||
managedBy: "helm",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "CRD with no labels",
|
||||
labels: map[string]string{},
|
||||
wantInfo: fluxClusterInfo{},
|
||||
},
|
||||
{
|
||||
name: "CRD with only version label",
|
||||
labels: map[string]string{
|
||||
"app.kubernetes.io/version": "v2.1.0",
|
||||
},
|
||||
wantInfo: fluxClusterInfo{
|
||||
version: "v2.1.0",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "CRD with version and part-of labels",
|
||||
labels: map[string]string{
|
||||
"app.kubernetes.io/version": "v2.1.0",
|
||||
"app.kubernetes.io/part-of": "flux",
|
||||
},
|
||||
wantInfo: fluxClusterInfo{
|
||||
version: "v2.1.0",
|
||||
partOf: "flux",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
g := NewWithT(t)
|
||||
newscheme := runtime.NewScheme()
|
||||
apiextensionsv1.AddToScheme(newscheme)
|
||||
builder := fake.NewClientBuilder().WithScheme(newscheme)
|
||||
if tt.labels != nil {
|
||||
gitrepo.SetLabels(tt.labels)
|
||||
builder = builder.WithRuntimeObjects(gitrepo)
|
||||
}
|
||||
|
||||
client := builder.Build()
|
||||
info, err := getFluxClusterInfo(context.Background(), client)
|
||||
if tt.wantErr {
|
||||
g.Expect(err).To(HaveOccurred())
|
||||
g.Expect(errors.IsNotFound(err)).To(BeTrue())
|
||||
} else {
|
||||
g.Expect(err).To(Not(HaveOccurred()))
|
||||
}
|
||||
|
||||
g.Expect(info).To(BeEquivalentTo(tt.wantInfo))
|
||||
})
|
||||
}
|
||||
}
|
||||
@ -1,86 +0,0 @@
|
||||
//go:build unit
|
||||
// +build unit
|
||||
|
||||
/*
|
||||
Copyright 2024 The Flux authors
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import "testing"
|
||||
|
||||
func TestCreateHelmRelease(t *testing.T) {
|
||||
tmpl := map[string]string{
|
||||
"fluxns": allocateNamespace("flux-system"),
|
||||
}
|
||||
setupHRSource(t, tmpl)
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
args string
|
||||
assert assertFunc
|
||||
}{
|
||||
{
|
||||
name: "missing name",
|
||||
args: "create helmrelease --export",
|
||||
assert: assertError("name is required"),
|
||||
},
|
||||
{
|
||||
name: "missing chart template and chartRef",
|
||||
args: "create helmrelease podinfo --export",
|
||||
assert: assertError("chart or chart-ref is required"),
|
||||
},
|
||||
{
|
||||
name: "unknown source kind",
|
||||
args: "create helmrelease podinfo --source foobar/podinfo --chart podinfo --export",
|
||||
assert: assertError(`invalid argument "foobar/podinfo" for "--source" flag: source kind 'foobar' is not supported, must be one of: HelmRepository, GitRepository, Bucket`),
|
||||
},
|
||||
{
|
||||
name: "unknown chart reference kind",
|
||||
args: "create helmrelease podinfo --chart-ref foobar/podinfo --export",
|
||||
assert: assertError(`chart reference kind 'foobar' is not supported, must be one of: OCIRepository, HelmChart`),
|
||||
},
|
||||
{
|
||||
name: "basic helmrelease",
|
||||
args: "create helmrelease podinfo --source Helmrepository/podinfo --chart podinfo --interval=1m0s --export",
|
||||
assert: assertGoldenTemplateFile("testdata/create_hr/basic.yaml", tmpl),
|
||||
},
|
||||
{
|
||||
name: "chart with OCIRepository source",
|
||||
args: "create helmrelease podinfo --chart-ref OCIRepository/podinfo --interval=1m0s --export",
|
||||
assert: assertGoldenTemplateFile("testdata/create_hr/or_basic.yaml", tmpl),
|
||||
},
|
||||
{
|
||||
name: "chart with HelmChart source",
|
||||
args: "create helmrelease podinfo --chart-ref HelmChart/podinfo --interval=1m0s --export",
|
||||
assert: assertGoldenTemplateFile("testdata/create_hr/hc_basic.yaml", tmpl),
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
cmd := cmdTestCase{
|
||||
args: tt.args + " -n " + tmpl["fluxns"],
|
||||
assert: tt.assert,
|
||||
}
|
||||
cmd.runTestCmd(t)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func setupHRSource(t *testing.T, tmpl map[string]string) {
|
||||
t.Helper()
|
||||
testEnv.CreateObjectFile("./testdata/create_hr/setup-source.yaml", tmpl, t)
|
||||
}
|
||||
@ -1,128 +0,0 @@
|
||||
/*
|
||||
Copyright 2024 The Flux authors
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"os"
|
||||
|
||||
"github.com/fluxcd/flux2/v2/internal/utils"
|
||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
|
||||
"github.com/spf13/cobra"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
"sigs.k8s.io/yaml"
|
||||
)
|
||||
|
||||
var createSecretGitHubAppCmd = &cobra.Command{
|
||||
Use: "githubapp [name]",
|
||||
Short: "Create or update a github app secret",
|
||||
Long: withPreviewNote(`The create secret githubapp command generates a Kubernetes secret that can be used for GitRepository authentication with github app`),
|
||||
Example: ` # Create a githubapp authentication secret on disk and encrypt it with Mozilla SOPS
|
||||
flux create secret githubapp podinfo-auth \
|
||||
--app-id="1" \
|
||||
--app-installation-id="2" \
|
||||
--app-private-key=./private-key-file.pem \
|
||||
--export > githubapp-auth.yaml
|
||||
|
||||
sops --encrypt --encrypted-regex '^(data|stringData)$' \
|
||||
--in-place githubapp-auth.yaml
|
||||
`,
|
||||
RunE: createSecretGitHubAppCmdRun,
|
||||
}
|
||||
|
||||
type secretGitHubAppFlags struct {
|
||||
appID string
|
||||
appInstallationID string
|
||||
privateKeyFile string
|
||||
baseURL string
|
||||
}
|
||||
|
||||
var secretGitHubAppArgs = secretGitHubAppFlags{}
|
||||
|
||||
func init() {
|
||||
createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.appID, "app-id", "", "github app ID")
|
||||
createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.appInstallationID, "app-installation-id", "", "github app installation ID")
|
||||
createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.privateKeyFile, "app-private-key", "", "github app private key file path")
|
||||
createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.baseURL, "app-base-url", "", "github app base URL")
|
||||
|
||||
createSecretCmd.AddCommand(createSecretGitHubAppCmd)
|
||||
}
|
||||
|
||||
func createSecretGitHubAppCmdRun(cmd *cobra.Command, args []string) error {
|
||||
if len(args) < 1 {
|
||||
return fmt.Errorf("name is required")
|
||||
}
|
||||
|
||||
secretName := args[0]
|
||||
|
||||
if secretGitHubAppArgs.appID == "" {
|
||||
return fmt.Errorf("--app-id is required")
|
||||
}
|
||||
|
||||
if secretGitHubAppArgs.appInstallationID == "" {
|
||||
return fmt.Errorf("--app-installation-id is required")
|
||||
}
|
||||
|
||||
if secretGitHubAppArgs.privateKeyFile == "" {
|
||||
return fmt.Errorf("--app-private-key is required")
|
||||
}
|
||||
|
||||
privateKey, err := os.ReadFile(secretGitHubAppArgs.privateKeyFile)
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to read private key file: %w", err)
|
||||
}
|
||||
|
||||
opts := sourcesecret.Options{
|
||||
Name: secretName,
|
||||
Namespace: *kubeconfigArgs.Namespace,
|
||||
GitHubAppID: secretGitHubAppArgs.appID,
|
||||
GitHubAppInstallationID: secretGitHubAppArgs.appInstallationID,
|
||||
GitHubAppPrivateKey: string(privateKey),
|
||||
}
|
||||
|
||||
if secretGitHubAppArgs.baseURL != "" {
|
||||
opts.GitHubAppBaseURL = secretGitHubAppArgs.baseURL
|
||||
}
|
||||
|
||||
secret, err := sourcesecret.Generate(opts)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if createArgs.export {
|
||||
rootCmd.Println(secret.Content)
|
||||
return nil
|
||||
}
|
||||
|
||||
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
|
||||
defer cancel()
|
||||
kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
var s corev1.Secret
|
||||
if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := upsertSecret(ctx, kubeClient, s); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
logger.Actionf("githubapp secret '%s' created in '%s' namespace", secretName, *kubeconfigArgs.Namespace)
|
||||
return nil
|
||||
}
|
||||
@ -1,74 +0,0 @@
|
||||
/*
|
||||
Copyright 2022 The Flux authors
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestCreateSecretGitHubApp(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
args string
|
||||
assert assertFunc
|
||||
}{
|
||||
{
|
||||
name: "create githubapp secret with missing name",
|
||||
args: "create secret githubapp",
|
||||
assert: assertError("name is required"),
|
||||
},
|
||||
{
|
||||
name: "create githubapp secret with missing app-id",
|
||||
args: "create secret githubapp appinfo",
|
||||
assert: assertError("--app-id is required"),
|
||||
},
|
||||
{
|
||||
name: "create githubapp secret with missing appInstallationID",
|
||||
args: "create secret githubapp appinfo --app-id 1",
|
||||
assert: assertError("--app-installation-id is required"),
|
||||
},
|
||||
{
|
||||
name: "create githubapp secret with missing private key file",
|
||||
args: "create secret githubapp appinfo --app-id 1 --app-installation-id 2",
|
||||
assert: assertError("--app-private-key is required"),
|
||||
},
|
||||
{
|
||||
name: "create githubapp secret with private key file that does not exist",
|
||||
args: "create secret githubapp appinfo --app-id 1 --app-installation-id 2 --app-private-key pk.pem",
|
||||
assert: assertError("unable to read private key file: open pk.pem: no such file or directory"),
|
||||
},
|
||||
{
|
||||
name: "create githubapp secret with app info",
|
||||
args: "create secret githubapp appinfo --namespace my-namespace --app-id 1 --app-installation-id 2 --app-private-key ./testdata/create_secret/githubapp/test-private-key.pem --export",
|
||||
assert: assertGoldenFile("testdata/create_secret/githubapp/secret.yaml"),
|
||||
},
|
||||
{
|
||||
name: "create githubapp secret with appinfo and base url",
|
||||
args: "create secret githubapp appinfo --namespace my-namespace --app-id 1 --app-installation-id 2 --app-private-key ./testdata/create_secret/githubapp/test-private-key.pem --app-base-url www.example.com/api/v3 --export",
|
||||
assert: assertGoldenFile("testdata/create_secret/githubapp/secret-with-baseurl.yaml"),
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
cmd := cmdTestCase{
|
||||
args: tt.args,
|
||||
assert: tt.assert,
|
||||
}
|
||||
cmd.runTestCmd(t)
|
||||
})
|
||||
}
|
||||
}
|
||||
@ -1,161 +0,0 @@
|
||||
/*
|
||||
Copyright 2024 The Flux authors
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
|
||||
"github.com/fluxcd/flux2/v2/internal/utils"
|
||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
|
||||
"github.com/notaryproject/notation-go/verifier/trustpolicy"
|
||||
"github.com/spf13/cobra"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
"sigs.k8s.io/yaml"
|
||||
)
|
||||
|
||||
var createSecretNotationCmd = &cobra.Command{
|
||||
Use: "notation [name]",
|
||||
Short: "Create or update a Kubernetes secret for verifications of artifacts signed by Notation",
|
||||
Long: withPreviewNote(`The create secret notation command generates a Kubernetes secret with root ca certificates and trust policy.`),
|
||||
Example: ` # Create a Notation configuration secret on disk and encrypt it with Mozilla SOPS
|
||||
flux create secret notation my-notation-cert \
|
||||
--namespace=my-namespace \
|
||||
--trust-policy-file=./my-trust-policy.json \
|
||||
--ca-cert-file=./my-cert.crt \
|
||||
--export > my-notation-cert.yaml
|
||||
|
||||
sops --encrypt --encrypted-regex '^(data|stringData)$' \
|
||||
--in-place my-notation-cert.yaml`,
|
||||
|
||||
RunE: createSecretNotationCmdRun,
|
||||
}
|
||||
|
||||
type secretNotationFlags struct {
|
||||
trustPolicyFile string
|
||||
caCrtFile []string
|
||||
}
|
||||
|
||||
var secretNotationArgs secretNotationFlags
|
||||
|
||||
func init() {
|
||||
createSecretNotationCmd.Flags().StringVar(&secretNotationArgs.trustPolicyFile, "trust-policy-file", "", "notation trust policy file path")
|
||||
createSecretNotationCmd.Flags().StringSliceVar(&secretNotationArgs.caCrtFile, "ca-cert-file", []string{}, "root ca cert file path")
|
||||
|
||||
createSecretCmd.AddCommand(createSecretNotationCmd)
|
||||
}
|
||||
|
||||
func createSecretNotationCmdRun(cmd *cobra.Command, args []string) error {
|
||||
if len(args) < 1 {
|
||||
return fmt.Errorf("name is required")
|
||||
}
|
||||
|
||||
if secretNotationArgs.caCrtFile == nil || len(secretNotationArgs.caCrtFile) == 0 {
|
||||
return fmt.Errorf("--ca-cert-file is required")
|
||||
}
|
||||
|
||||
if secretNotationArgs.trustPolicyFile == "" {
|
||||
return fmt.Errorf("--trust-policy-file is required")
|
||||
}
|
||||
|
||||
name := args[0]
|
||||
|
||||
labels, err := parseLabels()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
policy, err := os.ReadFile(secretNotationArgs.trustPolicyFile)
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to read trust policy file: %w", err)
|
||||
}
|
||||
|
||||
var doc trustpolicy.Document
|
||||
|
||||
if err := json.Unmarshal(policy, &doc); err != nil {
|
||||
return fmt.Errorf("failed to unmarshal trust policy %s: %w", secretNotationArgs.trustPolicyFile, err)
|
||||
}
|
||||
|
||||
if err := doc.Validate(); err != nil {
|
||||
return fmt.Errorf("invalid trust policy: %w", err)
|
||||
}
|
||||
|
||||
var (
|
||||
caCerts []sourcesecret.VerificationCrt
|
||||
fileErr error
|
||||
)
|
||||
for _, caCrtFile := range secretNotationArgs.caCrtFile {
|
||||
fileName := filepath.Base(caCrtFile)
|
||||
if !strings.HasSuffix(fileName, ".crt") && !strings.HasSuffix(fileName, ".pem") {
|
||||
fileErr = errors.Join(fileErr, fmt.Errorf("%s must end with either .crt or .pem", fileName))
|
||||
continue
|
||||
}
|
||||
caBundle, err := os.ReadFile(caCrtFile)
|
||||
if err != nil {
|
||||
fileErr = errors.Join(fileErr, fmt.Errorf("unable to read TLS CA file: %w", err))
|
||||
continue
|
||||
}
|
||||
caCerts = append(caCerts, sourcesecret.VerificationCrt{Name: fileName, CACrt: caBundle})
|
||||
}
|
||||
|
||||
if fileErr != nil {
|
||||
return fileErr
|
||||
}
|
||||
|
||||
if len(caCerts) == 0 {
|
||||
return fmt.Errorf("no CA certs found")
|
||||
}
|
||||
|
||||
opts := sourcesecret.Options{
|
||||
Name: name,
|
||||
Namespace: *kubeconfigArgs.Namespace,
|
||||
Labels: labels,
|
||||
VerificationCrts: caCerts,
|
||||
TrustPolicy: policy,
|
||||
}
|
||||
secret, err := sourcesecret.Generate(opts)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if createArgs.export {
|
||||
rootCmd.Println(secret.Content)
|
||||
return nil
|
||||
}
|
||||
|
||||
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
|
||||
defer cancel()
|
||||
kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
var s corev1.Secret
|
||||
if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := upsertSecret(ctx, kubeClient, s); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
logger.Actionf("notation configuration secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
|
||||
return nil
|
||||
}
|
||||
@ -1,124 +0,0 @@
|
||||
/*
|
||||
Copyright 2024 The Flux authors
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"testing"
|
||||
)
|
||||
|
||||
const (
|
||||
trustPolicy = "./testdata/create_secret/notation/test-trust-policy.json"
|
||||
invalidTrustPolicy = "./testdata/create_secret/notation/invalid-trust-policy.json"
|
||||
invalidJson = "./testdata/create_secret/notation/invalid.json"
|
||||
testCertFolder = "./testdata/create_secret/notation"
|
||||
)
|
||||
|
||||
func TestCreateNotationSecret(t *testing.T) {
|
||||
crt, err := os.Create(filepath.Join(t.TempDir(), "ca.crt"))
|
||||
if err != nil {
|
||||
t.Fatal("could not create ca.crt file")
|
||||
}
|
||||
|
||||
pem, err := os.Create(filepath.Join(t.TempDir(), "ca.pem"))
|
||||
if err != nil {
|
||||
t.Fatal("could not create ca.pem file")
|
||||
}
|
||||
|
||||
invalidCert, err := os.Create(filepath.Join(t.TempDir(), "ca.p12"))
|
||||
if err != nil {
|
||||
t.Fatal("could not create ca.p12 file")
|
||||
}
|
||||
|
||||
_, err = crt.Write([]byte("ca-data-crt"))
|
||||
if err != nil {
|
||||
t.Fatal("could not write to crt certificate file")
|
||||
}
|
||||
|
||||
_, err = pem.Write([]byte("ca-data-pem"))
|
||||
if err != nil {
|
||||
t.Fatal("could not write to pem certificate file")
|
||||
}
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
args string
|
||||
assert assertFunc
|
||||
}{
|
||||
{
|
||||
name: "no args",
|
||||
args: "create secret notation",
|
||||
assert: assertError("name is required"),
|
||||
},
|
||||
{
|
||||
name: "no trust policy",
|
||||
args: fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s", testCertFolder),
|
||||
assert: assertError("--trust-policy-file is required"),
|
||||
},
|
||||
{
|
||||
name: "no cert",
|
||||
args: fmt.Sprintf("create secret notation notation-config --trust-policy-file=%s", trustPolicy),
|
||||
assert: assertError("--ca-cert-file is required"),
|
||||
},
|
||||
{
|
||||
name: "non pem and crt cert",
|
||||
args: fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", invalidCert.Name(), trustPolicy),
|
||||
assert: assertError("ca.p12 must end with either .crt or .pem"),
|
||||
},
|
||||
{
|
||||
name: "invalid trust policy",
|
||||
args: fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", t.TempDir(), invalidTrustPolicy),
|
||||
assert: assertError("invalid trust policy: trust policy: a trust policy statement is missing a name, every statement requires a name"),
|
||||
},
|
||||
{
|
||||
name: "invalid trust policy json",
|
||||
args: fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", t.TempDir(), invalidJson),
|
||||
assert: assertError(fmt.Sprintf("failed to unmarshal trust policy %s: json: cannot unmarshal string into Go value of type trustpolicy.Document", invalidJson)),
|
||||
},
|
||||
{
|
||||
name: "crt secret",
|
||||
args: fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s --namespace=my-namespace --export", crt.Name(), trustPolicy),
|
||||
assert: assertGoldenFile("./testdata/create_secret/notation/secret-ca-crt.yaml"),
|
||||
},
|
||||
{
|
||||
name: "pem secret",
|
||||
args: fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s --namespace=my-namespace --export", pem.Name(), trustPolicy),
|
||||
assert: assertGoldenFile("./testdata/create_secret/notation/secret-ca-pem.yaml"),
|
||||
},
|
||||
{
|
||||
name: "multi secret",
|
||||
args: fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --ca-cert-file=%s --trust-policy-file=%s --namespace=my-namespace --export", crt.Name(), pem.Name(), trustPolicy),
|
||||
assert: assertGoldenFile("./testdata/create_secret/notation/secret-ca-multi.yaml"),
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
defer func() {
|
||||
secretNotationArgs = secretNotationFlags{}
|
||||
}()
|
||||
|
||||
cmd := cmdTestCase{
|
||||
args: tt.args,
|
||||
assert: tt.assert,
|
||||
}
|
||||
cmd.runTestCmd(t)
|
||||
})
|
||||
}
|
||||
}
|
||||
@ -1,121 +0,0 @@
|
||||
/*
|
||||
Copyright 2022 The Flux authors
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/fluxcd/flux2/v2/internal/utils"
|
||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
|
||||
"github.com/google/go-containerregistry/pkg/name"
|
||||
"github.com/spf13/cobra"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
"sigs.k8s.io/yaml"
|
||||
)
|
||||
|
||||
var createSecretOCICmd = &cobra.Command{
|
||||
Use: "oci [name]",
|
||||
Short: "Create or update a Kubernetes image pull secret",
|
||||
Long: withPreviewNote(`The create secret oci command generates a Kubernetes secret that can be used for OCIRepository authentication`),
|
||||
Example: ` # Create an OCI authentication secret on disk and encrypt it with Mozilla SOPS
|
||||
flux create secret oci podinfo-auth \
|
||||
--url=ghcr.io \
|
||||
--username=username \
|
||||
--password=password \
|
||||
--export > repo-auth.yaml
|
||||
|
||||
sops --encrypt --encrypted-regex '^(data|stringData)$' \
|
||||
--in-place repo-auth.yaml
|
||||
`,
|
||||
RunE: createSecretOCICmdRun,
|
||||
}
|
||||
|
||||
type secretOCIFlags struct {
|
||||
url string
|
||||
password string
|
||||
username string
|
||||
}
|
||||
|
||||
var secretOCIArgs = secretOCIFlags{}
|
||||
|
||||
func init() {
|
||||
createSecretOCICmd.Flags().StringVar(&secretOCIArgs.url, "url", "", "oci repository address e.g ghcr.io/stefanprodan/charts")
|
||||
createSecretOCICmd.Flags().StringVarP(&secretOCIArgs.username, "username", "u", "", "basic authentication username")
|
||||
createSecretOCICmd.Flags().StringVarP(&secretOCIArgs.password, "password", "p", "", "basic authentication password")
|
||||
|
||||
createSecretCmd.AddCommand(createSecretOCICmd)
|
||||
}
|
||||
|
||||
func createSecretOCICmdRun(cmd *cobra.Command, args []string) error {
|
||||
if len(args) < 1 {
|
||||
return fmt.Errorf("name is required")
|
||||
}
|
||||
|
||||
secretName := args[0]
|
||||
|
||||
if secretOCIArgs.url == "" {
|
||||
return fmt.Errorf("--url is required")
|
||||
}
|
||||
|
||||
if secretOCIArgs.username == "" {
|
||||
return fmt.Errorf("--username is required")
|
||||
}
|
||||
|
||||
if secretOCIArgs.password == "" {
|
||||
return fmt.Errorf("--password is required")
|
||||
}
|
||||
|
||||
if _, err := name.ParseReference(secretOCIArgs.url); err != nil {
|
||||
return fmt.Errorf("error parsing url: '%s'", err)
|
||||
}
|
||||
|
||||
opts := sourcesecret.Options{
|
||||
Name: secretName,
|
||||
Namespace: *kubeconfigArgs.Namespace,
|
||||
Registry: secretOCIArgs.url,
|
||||
Password: secretOCIArgs.password,
|
||||
Username: secretOCIArgs.username,
|
||||
}
|
||||
|
||||
secret, err := sourcesecret.Generate(opts)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if createArgs.export {
|
||||
rootCmd.Println(secret.Content)
|
||||
return nil
|
||||
}
|
||||
|
||||
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
|
||||
defer cancel()
|
||||
kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
var s corev1.Secret
|
||||
if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := upsertSecret(ctx, kubeClient, s); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
logger.Actionf("oci secret '%s' created in '%s' namespace", secretName, *kubeconfigArgs.Namespace)
|
||||
return nil
|
||||
}
|
||||
@ -1,51 +0,0 @@
|
||||
/*
|
||||
Copyright 2022 The Flux authors
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestCreateSecretOCI(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
args string
|
||||
assert assertFunc
|
||||
}{
|
||||
{
|
||||
args: "create secret oci",
|
||||
assert: assertError("name is required"),
|
||||
},
|
||||
{
|
||||
args: "create secret oci ghcr",
|
||||
assert: assertError("--url is required"),
|
||||
},
|
||||
{
|
||||
args: "create secret oci ghcr --namespace=my-namespace --url ghcr.io --username stefanprodan --password=password --export",
|
||||
assert: assertGoldenFile("testdata/create_secret/oci/create-secret.yaml"),
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
cmd := cmdTestCase{
|
||||
args: tt.args,
|
||||
assert: tt.assert,
|
||||
}
|
||||
cmd.runTestCmd(t)
|
||||
})
|
||||
}
|
||||
}
|
||||
@ -1,112 +0,0 @@
|
||||
/*
|
||||
Copyright 2024 The Flux authors
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
|
||||
"github.com/spf13/cobra"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
"sigs.k8s.io/yaml"
|
||||
|
||||
"github.com/fluxcd/flux2/v2/internal/utils"
|
||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
|
||||
)
|
||||
|
||||
var createSecretProxyCmd = &cobra.Command{
|
||||
Use: "proxy [name]",
|
||||
Short: "Create or update a Kubernetes secret for proxy authentication",
|
||||
Long: `The create secret proxy command generates a Kubernetes secret with the
|
||||
proxy address and the basic authentication credentials.`,
|
||||
Example: ` # Create a proxy secret on disk and encrypt it with SOPS
|
||||
flux create secret proxy my-proxy \
|
||||
--namespace=my-namespace \
|
||||
--address=https://my-proxy.com \
|
||||
--username=my-username \
|
||||
--password=my-password \
|
||||
--export > proxy.yaml
|
||||
|
||||
sops --encrypt --encrypted-regex '^(data|stringData)$' \
|
||||
--in-place proxy.yaml`,
|
||||
|
||||
RunE: createSecretProxyCmdRun,
|
||||
}
|
||||
|
||||
type secretProxyFlags struct {
|
||||
address string
|
||||
username string
|
||||
password string
|
||||
}
|
||||
|
||||
var secretProxyArgs secretProxyFlags
|
||||
|
||||
func init() {
|
||||
createSecretProxyCmd.Flags().StringVar(&secretProxyArgs.address, "address", "", "proxy address")
|
||||
createSecretProxyCmd.Flags().StringVarP(&secretProxyArgs.username, "username", "u", "", "basic authentication username")
|
||||
createSecretProxyCmd.Flags().StringVarP(&secretProxyArgs.password, "password", "p", "", "basic authentication password")
|
||||
|
||||
createSecretCmd.AddCommand(createSecretProxyCmd)
|
||||
}
|
||||
|
||||
func createSecretProxyCmdRun(cmd *cobra.Command, args []string) error {
|
||||
name := args[0]
|
||||
|
||||
labels, err := parseLabels()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if secretProxyArgs.address == "" {
|
||||
return errors.New("address is required")
|
||||
}
|
||||
|
||||
opts := sourcesecret.Options{
|
||||
Name: name,
|
||||
Namespace: *kubeconfigArgs.Namespace,
|
||||
Labels: labels,
|
||||
Address: secretProxyArgs.address,
|
||||
Username: secretProxyArgs.username,
|
||||
Password: secretProxyArgs.password,
|
||||
}
|
||||
secret, err := sourcesecret.Generate(opts)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if createArgs.export {
|
||||
rootCmd.Println(secret.Content)
|
||||
return nil
|
||||
}
|
||||
|
||||
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
|
||||
defer cancel()
|
||||
kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
var s corev1.Secret
|
||||
if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := upsertSecret(ctx, kubeClient, s); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
logger.Actionf("proxy secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
|
||||
return nil
|
||||
}
|
||||
@ -1,47 +0,0 @@
|
||||
/*
|
||||
Copyright 2024 The Flux authors
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestCreateProxySecret(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
args string
|
||||
assert assertFunc
|
||||
}{
|
||||
{
|
||||
args: "create secret proxy proxy-secret",
|
||||
assert: assertError("address is required"),
|
||||
},
|
||||
{
|
||||
args: "create secret proxy proxy-secret --address=https://my-proxy.com --username=my-username --password=my-password --namespace=my-namespace --export",
|
||||
assert: assertGoldenFile("testdata/create_secret/proxy/secret-proxy.yaml"),
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
cmd := cmdTestCase{
|
||||
args: tt.args,
|
||||
assert: tt.assert,
|
||||
}
|
||||
cmd.runTestCmd(t)
|
||||
})
|
||||
}
|
||||
}
|
||||
@ -1,217 +0,0 @@
|
||||
/*
|
||||
Copyright 2024 The Flux authors
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/spf13/cobra"
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/wait"
|
||||
"sigs.k8s.io/controller-runtime/pkg/client"
|
||||
|
||||
"github.com/fluxcd/pkg/apis/meta"
|
||||
sourcev1 "github.com/fluxcd/source-controller/api/v1"
|
||||
|
||||
"github.com/fluxcd/flux2/v2/internal/flags"
|
||||
"github.com/fluxcd/flux2/v2/internal/utils"
|
||||
)
|
||||
|
||||
var createSourceChartCmd = &cobra.Command{
|
||||
Use: "chart [name]",
|
||||
Short: "Create or update a HelmChart source",
|
||||
Long: `The create source chart command generates a HelmChart resource and waits for the chart to be available.`,
|
||||
Example: ` # Create a source for a chart residing in a HelmRepository
|
||||
flux create source chart podinfo \
|
||||
--source=HelmRepository/podinfo \
|
||||
--chart=podinfo \
|
||||
--chart-version=6.x
|
||||
|
||||
# Create a source for a chart residing in a Git repository
|
||||
flux create source chart podinfo \
|
||||
--source=GitRepository/podinfo \
|
||||
--chart=./charts/podinfo
|
||||
|
||||
# Create a source for a chart residing in a S3 Bucket
|
||||
flux create source chart podinfo \
|
||||
--source=Bucket/podinfo \
|
||||
--chart=./charts/podinfo
|
||||
|
||||
# Create a source for a chart from OCI and verify its signature
|
||||
flux create source chart podinfo \
|
||||
--source HelmRepository/podinfo \
|
||||
--chart podinfo \
|
||||
--chart-version=6.6.2 \
|
||||
--verify-provider=cosign \
|
||||
--verify-issuer=https://token.actions.githubusercontent.com \
|
||||
--verify-subject=https://github.com/stefanprodan/podinfo/.github/workflows/release.yml@refs/tags/6.6.2`,
|
||||
RunE: createSourceChartCmdRun,
|
||||
}
|
||||
|
||||
type sourceChartFlags struct {
|
||||
chart string
|
||||
chartVersion string
|
||||
source flags.LocalHelmChartSource
|
||||
reconcileStrategy string
|
||||
verifyProvider flags.SourceOCIVerifyProvider
|
||||
verifySecretRef string
|
||||
verifyOIDCIssuer string
|
||||
verifySubject string
|
||||
}
|
||||
|
||||
var sourceChartArgs sourceChartFlags
|
||||
|
||||
func init() {
|
||||
createSourceChartCmd.Flags().StringVar(&sourceChartArgs.chart, "chart", "", "Helm chart name or path")
|
||||
createSourceChartCmd.Flags().StringVar(&sourceChartArgs.chartVersion, "chart-version", "", "Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)")
|
||||
createSourceChartCmd.Flags().Var(&sourceChartArgs.source, "source", sourceChartArgs.source.Description())
|
||||
createSourceChartCmd.Flags().StringVar(&sourceChartArgs.reconcileStrategy, "reconcile-strategy", "ChartVersion", "the reconcile strategy for helm chart (accepted values: Revision and ChartRevision)")
|
||||
createSourceChartCmd.Flags().Var(&sourceChartArgs.verifyProvider, "verify-provider", sourceOCIRepositoryArgs.verifyProvider.Description())
|
||||
createSourceChartCmd.Flags().StringVar(&sourceChartArgs.verifySecretRef, "verify-secret-ref", "", "the name of a secret to use for signature verification")
|
||||
createSourceChartCmd.Flags().StringVar(&sourceChartArgs.verifySubject, "verify-subject", "", "regular expression to use for the OIDC subject during signature verification")
|
||||
createSourceChartCmd.Flags().StringVar(&sourceChartArgs.verifyOIDCIssuer, "verify-issuer", "", "regular expression to use for the OIDC issuer during signature verification")
|
||||
|
||||
createSourceCmd.AddCommand(createSourceChartCmd)
|
||||
}
|
||||
|
||||
func createSourceChartCmdRun(cmd *cobra.Command, args []string) error {
|
||||
name := args[0]
|
||||
|
||||
if sourceChartArgs.source.Kind == "" || sourceChartArgs.source.Name == "" {
|
||||
return fmt.Errorf("chart source is required")
|
||||
}
|
||||
|
||||
if sourceChartArgs.chart == "" {
|
||||
return fmt.Errorf("chart name or path is required")
|
||||
}
|
||||
|
||||
logger.Generatef("generating HelmChart source")
|
||||
|
||||
sourceLabels, err := parseLabels()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
helmChart := &sourcev1.HelmChart{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: name,
|
||||
Namespace: *kubeconfigArgs.Namespace,
|
||||
Labels: sourceLabels,
|
||||
},
|
||||
Spec: sourcev1.HelmChartSpec{
|
||||
Chart: sourceChartArgs.chart,
|
||||
Version: sourceChartArgs.chartVersion,
|
||||
Interval: metav1.Duration{
|
||||
Duration: createArgs.interval,
|
||||
},
|
||||
ReconcileStrategy: sourceChartArgs.reconcileStrategy,
|
||||
SourceRef: sourcev1.LocalHelmChartSourceReference{
|
||||
Kind: sourceChartArgs.source.Kind,
|
||||
Name: sourceChartArgs.source.Name,
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
if provider := sourceChartArgs.verifyProvider.String(); provider != "" {
|
||||
helmChart.Spec.Verify = &sourcev1.OCIRepositoryVerification{
|
||||
Provider: provider,
|
||||
}
|
||||
if secretName := sourceChartArgs.verifySecretRef; secretName != "" {
|
||||
helmChart.Spec.Verify.SecretRef = &meta.LocalObjectReference{
|
||||
Name: secretName,
|
||||
}
|
||||
}
|
||||
verifyIssuer := sourceChartArgs.verifyOIDCIssuer
|
||||
verifySubject := sourceChartArgs.verifySubject
|
||||
if verifyIssuer != "" || verifySubject != "" {
|
||||
helmChart.Spec.Verify.MatchOIDCIdentity = []sourcev1.OIDCIdentityMatch{{
|
||||
Issuer: verifyIssuer,
|
||||
Subject: verifySubject,
|
||||
}}
|
||||
}
|
||||
} else if sourceChartArgs.verifySecretRef != "" {
|
||||
return fmt.Errorf("a verification provider must be specified when a secret is specified")
|
||||
} else if sourceChartArgs.verifyOIDCIssuer != "" || sourceOCIRepositoryArgs.verifySubject != "" {
|
||||
return fmt.Errorf("a verification provider must be specified when OIDC issuer/subject is specified")
|
||||
}
|
||||
|
||||
if createArgs.export {
|
||||
return printExport(exportHelmChart(helmChart))
|
||||
}
|
||||
|
||||
logger.Actionf("applying HelmChart source")
|
||||
|
||||
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
|
||||
defer cancel()
|
||||
|
||||
kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
namespacedName, err := upsertHelmChart(ctx, kubeClient, helmChart)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
logger.Waitingf("waiting for HelmChart source reconciliation")
|
||||
readyConditionFunc := isObjectReadyConditionFunc(kubeClient, namespacedName, helmChart)
|
||||
if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true, readyConditionFunc); err != nil {
|
||||
return err
|
||||
}
|
||||
logger.Successf("HelmChart source reconciliation completed")
|
||||
|
||||
if helmChart.Status.Artifact == nil {
|
||||
return fmt.Errorf("HelmChart source reconciliation completed but no artifact was found")
|
||||
}
|
||||
logger.Successf("fetched revision: %s", helmChart.Status.Artifact.Revision)
|
||||
return nil
|
||||
}
|
||||
|
||||
func upsertHelmChart(ctx context.Context, kubeClient client.Client,
|
||||
helmChart *sourcev1.HelmChart) (types.NamespacedName, error) {
|
||||
namespacedName := types.NamespacedName{
|
||||
Namespace: helmChart.GetNamespace(),
|
||||
Name: helmChart.GetName(),
|
||||
}
|
||||
|
||||
var existing sourcev1.HelmChart
|
||||
err := kubeClient.Get(ctx, namespacedName, &existing)
|
||||
if err != nil {
|
||||
if errors.IsNotFound(err) {
|
||||
if err := kubeClient.Create(ctx, helmChart); err != nil {
|
||||
return namespacedName, err
|
||||
} else {
|
||||
logger.Successf("source created")
|
||||
return namespacedName, nil
|
||||
}
|
||||
}
|
||||
return namespacedName, err
|
||||
}
|
||||
|
||||
existing.Labels = helmChart.Labels
|
||||
existing.Spec = helmChart.Spec
|
||||
if err := kubeClient.Update(ctx, &existing); err != nil {
|
||||
return namespacedName, err
|
||||
}
|
||||
helmChart = &existing
|
||||
logger.Successf("source updated")
|
||||
return namespacedName, nil
|
||||
}
|
||||
@ -1,91 +0,0 @@
|
||||
//go:build unit
|
||||
// +build unit
|
||||
|
||||
/*
|
||||
Copyright 2024 The Flux authors
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import "testing"
|
||||
|
||||
func TestCreateSourceChart(t *testing.T) {
|
||||
tmpl := map[string]string{
|
||||
"fluxns": allocateNamespace("flux-system"),
|
||||
}
|
||||
setupSourceChart(t, tmpl)
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
args string
|
||||
assert assertFunc
|
||||
}{
|
||||
{
|
||||
name: "missing name",
|
||||
args: "create source chart --export",
|
||||
assert: assertError("name is required"),
|
||||
},
|
||||
{
|
||||
name: "missing source reference",
|
||||
args: "create source chart podinfo --export ",
|
||||
assert: assertError("chart source is required"),
|
||||
},
|
||||
{
|
||||
name: "missing chart name",
|
||||
args: "create source chart podinfo --source helmrepository/podinfo --export",
|
||||
assert: assertError("chart name or path is required"),
|
||||
},
|
||||
{
|
||||
name: "unknown source kind",
|
||||
args: "create source chart podinfo --source foobar/podinfo --export",
|
||||
assert: assertError(`invalid argument "foobar/podinfo" for "--source" flag: source kind 'foobar' is not supported, must be one of: HelmRepository, GitRepository, Bucket`),
|
||||
},
|
||||
{
|
||||
name: "basic chart",
|
||||
args: "create source chart podinfo --source helmrepository/podinfo --chart podinfo --export",
|
||||
assert: assertGoldenTemplateFile("testdata/create_source_chart/basic.yaml", tmpl),
|
||||
},
|
||||
{
|
||||
name: "chart with basic signature verification",
|
||||
args: "create source chart podinfo --source helmrepository/podinfo --chart podinfo --verify-provider cosign --export",
|
||||
assert: assertGoldenTemplateFile("testdata/create_source_chart/verify_basic.yaml", tmpl),
|
||||
},
|
||||
{
|
||||
name: "unknown signature verification provider",
|
||||
args: "create source chart podinfo --source helmrepository/podinfo --chart podinfo --verify-provider foobar --export",
|
||||
assert: assertError(`invalid argument "foobar" for "--verify-provider" flag: source OCI verify provider 'foobar' is not supported, must be one of: cosign`),
|
||||
},
|
||||
{
|
||||
name: "chart with complete signature verification",
|
||||
args: "create source chart podinfo --source helmrepository/podinfo --chart podinfo --verify-provider cosign --verify-issuer foo --verify-subject bar --export",
|
||||
assert: assertGoldenTemplateFile("testdata/create_source_chart/verify_complete.yaml", tmpl),
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
cmd := cmdTestCase{
|
||||
args: tt.args + " -n " + tmpl["fluxns"],
|
||||
assert: tt.assert,
|
||||
}
|
||||
cmd.runTestCmd(t)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func setupSourceChart(t *testing.T, tmpl map[string]string) {
|
||||
t.Helper()
|
||||
testEnv.CreateObjectFile("./testdata/create_source_chart/setup-source.yaml", tmpl, t)
|
||||
}
|
||||
@ -1,81 +0,0 @@
|
||||
//go:build unit
|
||||
// +build unit
|
||||
|
||||
/*
|
||||
Copyright 2022 The Flux authors
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestCreateSourceHelm(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
args string
|
||||
resultFile string
|
||||
assertFunc string
|
||||
}{
|
||||
{
|
||||
name: "no args",
|
||||
args: "create source helm",
|
||||
resultFile: "name is required",
|
||||
assertFunc: "assertError",
|
||||
},
|
||||
{
|
||||
name: "OCI repo",
|
||||
args: "create source helm podinfo --url=oci://ghcr.io/stefanprodan/charts/podinfo --interval 5m --export",
|
||||
resultFile: "./testdata/create_source_helm/oci.golden",
|
||||
assertFunc: "assertGoldenTemplateFile",
|
||||
},
|
||||
{
|
||||
name: "OCI repo with Secret ref",
|
||||
args: "create source helm podinfo --url=oci://ghcr.io/stefanprodan/charts/podinfo --interval 5m --secret-ref=creds --export",
|
||||
resultFile: "./testdata/create_source_helm/oci-with-secret.golden",
|
||||
assertFunc: "assertGoldenTemplateFile",
|
||||
},
|
||||
{
|
||||
name: "HTTPS repo",
|
||||
args: "create source helm podinfo --url=https://stefanprodan.github.io/charts/podinfo --interval 5m --export",
|
||||
resultFile: "./testdata/create_source_helm/https.golden",
|
||||
assertFunc: "assertGoldenTemplateFile",
|
||||
},
|
||||
}
|
||||
|
||||
tmpl := map[string]string{
|
||||
"fluxns": allocateNamespace("flux-system"),
|
||||
}
|
||||
setup(t, tmpl)
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
var assert assertFunc
|
||||
switch tt.assertFunc {
|
||||
case "assertGoldenTemplateFile":
|
||||
assert = assertGoldenTemplateFile(tt.resultFile, tmpl)
|
||||
case "assertError":
|
||||
assert = assertError(tt.resultFile)
|
||||
}
|
||||
|
||||
cmd := cmdTestCase{
|
||||
args: tt.args + " -n " + tmpl["fluxns"],
|
||||
assert: assert,
|
||||
}
|
||||
cmd.runTestCmd(t)
|
||||
})
|
||||
}
|
||||
}
|
||||
@ -1,268 +0,0 @@
|
||||
/*
|
||||
Copyright 2022 The Flux authors
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"github.com/spf13/cobra"
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/wait"
|
||||
"sigs.k8s.io/controller-runtime/pkg/client"
|
||||
|
||||
"github.com/fluxcd/pkg/apis/meta"
|
||||
|
||||
sourcev1 "github.com/fluxcd/source-controller/api/v1"
|
||||
sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
|
||||
|
||||
"github.com/fluxcd/flux2/v2/internal/flags"
|
||||
"github.com/fluxcd/flux2/v2/internal/utils"
|
||||
)
|
||||
|
||||
var createSourceOCIRepositoryCmd = &cobra.Command{
|
||||
Use: "oci [name]",
|
||||
Short: "Create or update an OCIRepository",
|
||||
Long: withPreviewNote(`The create source oci command generates an OCIRepository resource and waits for it to be ready.`),
|
||||
Example: ` # Create an OCIRepository for a public container image
|
||||
flux create source oci podinfo \
|
||||
--url=oci://ghcr.io/stefanprodan/manifests/podinfo \
|
||||
--tag=6.6.2 \
|
||||
--interval=10m
|
||||
|
||||
# Create an OCIRepository with OIDC signature verification
|
||||
flux create source oci podinfo \
|
||||
--url=oci://ghcr.io/stefanprodan/manifests/podinfo \
|
||||
--tag=6.6.2 \
|
||||
--interval=10m \
|
||||
--verify-provider=cosign \
|
||||
--verify-subject="^https://github.com/stefanprodan/podinfo/.github/workflows/release.yml@refs/tags/6.6.2$" \
|
||||
--verify-issuer="^https://token.actions.githubusercontent.com$"
|
||||
`,
|
||||
RunE: createSourceOCIRepositoryCmdRun,
|
||||
}
|
||||
|
||||
type sourceOCIRepositoryFlags struct {
|
||||
url string
|
||||
tag string
|
||||
semver string
|
||||
digest string
|
||||
secretRef string
|
||||
proxySecretRef string
|
||||
serviceAccount string
|
||||
certSecretRef string
|
||||
verifyProvider flags.SourceOCIVerifyProvider
|
||||
verifySecretRef string
|
||||
verifyOIDCIssuer string
|
||||
verifySubject string
|
||||
ignorePaths []string
|
||||
provider flags.SourceOCIProvider
|
||||
insecure bool
|
||||
}
|
||||
|
||||
var sourceOCIRepositoryArgs = newSourceOCIFlags()
|
||||
|
||||
func newSourceOCIFlags() sourceOCIRepositoryFlags {
|
||||
return sourceOCIRepositoryFlags{
|
||||
provider: flags.SourceOCIProvider(sourcev1b2.GenericOCIProvider),
|
||||
}
|
||||
}
|
||||
|
||||
func init() {
|
||||
createSourceOCIRepositoryCmd.Flags().Var(&sourceOCIRepositoryArgs.provider, "provider", sourceOCIRepositoryArgs.provider.Description())
|
||||
createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.url, "url", "", "the OCI repository URL")
|
||||
createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.tag, "tag", "", "the OCI artifact tag")
|
||||
createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.semver, "tag-semver", "", "the OCI artifact tag semver range")
|
||||
createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.digest, "digest", "", "the OCI artifact digest")
|
||||
createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.secretRef, "secret-ref", "", "the name of the Kubernetes image pull secret (type 'kubernetes.io/dockerconfigjson')")
|
||||
createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.proxySecretRef, "proxy-secret-ref", "", "the name of an existing secret containing the proxy address and credentials")
|
||||
createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.serviceAccount, "service-account", "", "the name of the Kubernetes service account that refers to an image pull secret")
|
||||
createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.certSecretRef, "cert-ref", "", "the name of a secret to use for TLS certificates")
|
||||
createSourceOCIRepositoryCmd.Flags().Var(&sourceOCIRepositoryArgs.verifyProvider, "verify-provider", sourceOCIRepositoryArgs.verifyProvider.Description())
|
||||
createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.verifySecretRef, "verify-secret-ref", "", "the name of a secret to use for signature verification")
|
||||
createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.verifySubject, "verify-subject", "", "regular expression to use for the OIDC subject during signature verification")
|
||||
createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.verifyOIDCIssuer, "verify-issuer", "", "regular expression to use for the OIDC issuer during signature verification")
|
||||
createSourceOCIRepositoryCmd.Flags().StringSliceVar(&sourceOCIRepositoryArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore resources (can specify multiple paths with commas: path1,path2)")
|
||||
createSourceOCIRepositoryCmd.Flags().BoolVar(&sourceOCIRepositoryArgs.insecure, "insecure", false, "for when connecting to a non-TLS registries over plain HTTP")
|
||||
|
||||
createSourceCmd.AddCommand(createSourceOCIRepositoryCmd)
|
||||
}
|
||||
|
||||
func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
|
||||
name := args[0]
|
||||
|
||||
if sourceOCIRepositoryArgs.url == "" {
|
||||
return fmt.Errorf("url is required")
|
||||
}
|
||||
|
||||
if sourceOCIRepositoryArgs.semver == "" && sourceOCIRepositoryArgs.tag == "" && sourceOCIRepositoryArgs.digest == "" {
|
||||
return fmt.Errorf("--tag, --tag-semver or --digest is required")
|
||||
}
|
||||
|
||||
sourceLabels, err := parseLabels()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
var ignorePaths *string
|
||||
if len(sourceOCIRepositoryArgs.ignorePaths) > 0 {
|
||||
ignorePathsStr := strings.Join(sourceOCIRepositoryArgs.ignorePaths, "\n")
|
||||
ignorePaths = &ignorePathsStr
|
||||
}
|
||||
|
||||
repository := &sourcev1b2.OCIRepository{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: name,
|
||||
Namespace: *kubeconfigArgs.Namespace,
|
||||
Labels: sourceLabels,
|
||||
},
|
||||
Spec: sourcev1b2.OCIRepositorySpec{
|
||||
Provider: sourceOCIRepositoryArgs.provider.String(),
|
||||
URL: sourceOCIRepositoryArgs.url,
|
||||
Insecure: sourceOCIRepositoryArgs.insecure,
|
||||
Interval: metav1.Duration{
|
||||
Duration: createArgs.interval,
|
||||
},
|
||||
Reference: &sourcev1b2.OCIRepositoryRef{},
|
||||
Ignore: ignorePaths,
|
||||
},
|
||||
}
|
||||
|
||||
if digest := sourceOCIRepositoryArgs.digest; digest != "" {
|
||||
repository.Spec.Reference.Digest = digest
|
||||
}
|
||||
if semver := sourceOCIRepositoryArgs.semver; semver != "" {
|
||||
repository.Spec.Reference.SemVer = semver
|
||||
}
|
||||
if tag := sourceOCIRepositoryArgs.tag; tag != "" {
|
||||
repository.Spec.Reference.Tag = tag
|
||||
}
|
||||
|
||||
if createSourceArgs.fetchTimeout > 0 {
|
||||
repository.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
|
||||
}
|
||||
|
||||
if saName := sourceOCIRepositoryArgs.serviceAccount; saName != "" {
|
||||
repository.Spec.ServiceAccountName = saName
|
||||
}
|
||||
|
||||
if secretName := sourceOCIRepositoryArgs.secretRef; secretName != "" {
|
||||
repository.Spec.SecretRef = &meta.LocalObjectReference{
|
||||
Name: secretName,
|
||||
}
|
||||
}
|
||||
|
||||
if secretName := sourceOCIRepositoryArgs.proxySecretRef; secretName != "" {
|
||||
repository.Spec.ProxySecretRef = &meta.LocalObjectReference{
|
||||
Name: secretName,
|
||||
}
|
||||
}
|
||||
|
||||
if secretName := sourceOCIRepositoryArgs.certSecretRef; secretName != "" {
|
||||
repository.Spec.CertSecretRef = &meta.LocalObjectReference{
|
||||
Name: secretName,
|
||||
}
|
||||
}
|
||||
|
||||
if provider := sourceOCIRepositoryArgs.verifyProvider.String(); provider != "" {
|
||||
repository.Spec.Verify = &sourcev1.OCIRepositoryVerification{
|
||||
Provider: provider,
|
||||
}
|
||||
if secretName := sourceOCIRepositoryArgs.verifySecretRef; secretName != "" {
|
||||
repository.Spec.Verify.SecretRef = &meta.LocalObjectReference{
|
||||
Name: secretName,
|
||||
}
|
||||
}
|
||||
verifyIssuer := sourceOCIRepositoryArgs.verifyOIDCIssuer
|
||||
verifySubject := sourceOCIRepositoryArgs.verifySubject
|
||||
if verifyIssuer != "" || verifySubject != "" {
|
||||
repository.Spec.Verify.MatchOIDCIdentity = []sourcev1.OIDCIdentityMatch{{
|
||||
Issuer: verifyIssuer,
|
||||
Subject: verifySubject,
|
||||
}}
|
||||
}
|
||||
} else if sourceOCIRepositoryArgs.verifySecretRef != "" {
|
||||
return fmt.Errorf("a verification provider must be specified when a secret is specified")
|
||||
} else if sourceOCIRepositoryArgs.verifyOIDCIssuer != "" || sourceOCIRepositoryArgs.verifySubject != "" {
|
||||
return fmt.Errorf("a verification provider must be specified when OIDC issuer/subject is specified")
|
||||
}
|
||||
|
||||
if createArgs.export {
|
||||
return printExport(exportOCIRepository(repository))
|
||||
}
|
||||
|
||||
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
|
||||
defer cancel()
|
||||
|
||||
kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
logger.Actionf("applying OCIRepository")
|
||||
namespacedName, err := upsertOCIRepository(ctx, kubeClient, repository)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
logger.Waitingf("waiting for OCIRepository reconciliation")
|
||||
if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
|
||||
isObjectReadyConditionFunc(kubeClient, namespacedName, repository)); err != nil {
|
||||
return err
|
||||
}
|
||||
logger.Successf("OCIRepository reconciliation completed")
|
||||
|
||||
if repository.Status.Artifact == nil {
|
||||
return fmt.Errorf("no artifact was found")
|
||||
}
|
||||
logger.Successf("fetched revision: %s", repository.Status.Artifact.Revision)
|
||||
return nil
|
||||
}
|
||||
|
||||
func upsertOCIRepository(ctx context.Context, kubeClient client.Client,
|
||||
ociRepository *sourcev1b2.OCIRepository) (types.NamespacedName, error) {
|
||||
namespacedName := types.NamespacedName{
|
||||
Namespace: ociRepository.GetNamespace(),
|
||||
Name: ociRepository.GetName(),
|
||||
}
|
||||
|
||||
var existing sourcev1b2.OCIRepository
|
||||
err := kubeClient.Get(ctx, namespacedName, &existing)
|
||||
if err != nil {
|
||||
if errors.IsNotFound(err) {
|
||||
if err := kubeClient.Create(ctx, ociRepository); err != nil {
|
||||
return namespacedName, err
|
||||
} else {
|
||||
logger.Successf("OCIRepository created")
|
||||
return namespacedName, nil
|
||||
}
|
||||
}
|
||||
return namespacedName, err
|
||||
}
|
||||
|
||||
existing.Labels = ociRepository.Labels
|
||||
existing.Spec = ociRepository.Spec
|
||||
if err := kubeClient.Update(ctx, &existing); err != nil {
|
||||
return namespacedName, err
|
||||
}
|
||||
ociRepository = &existing
|
||||
logger.Successf("OCIRepository updated")
|
||||
return namespacedName, nil
|
||||
}
|
||||
@ -1,96 +0,0 @@
|
||||
/*
|
||||
Copyright 2022 The Flux authors
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestCreateSourceOCI(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
args string
|
||||
assertFunc assertFunc
|
||||
}{
|
||||
{
|
||||
name: "NoArgs",
|
||||
args: "create source oci",
|
||||
assertFunc: assertError("name is required"),
|
||||
},
|
||||
{
|
||||
name: "NoURL",
|
||||
args: "create source oci podinfo",
|
||||
assertFunc: assertError("url is required"),
|
||||
},
|
||||
{
|
||||
name: "verify secret specified but provider missing",
|
||||
args: "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-secret-ref=cosign-pub",
|
||||
assertFunc: assertError("a verification provider must be specified when a secret is specified"),
|
||||
},
|
||||
{
|
||||
name: "verify issuer specified but provider missing",
|
||||
args: "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-issuer=github.com",
|
||||
assertFunc: assertError("a verification provider must be specified when OIDC issuer/subject is specified"),
|
||||
},
|
||||
{
|
||||
name: "verify identity specified but provider missing",
|
||||
args: "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-subject=developer",
|
||||
assertFunc: assertError("a verification provider must be specified when OIDC issuer/subject is specified"),
|
||||
},
|
||||
{
|
||||
name: "verify issuer specified but subject missing",
|
||||
args: "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-issuer=github --verify-provider=cosign --export",
|
||||
assertFunc: assertGoldenFile("./testdata/oci/export_with_issuer.golden"),
|
||||
},
|
||||
{
|
||||
name: "all verify fields set",
|
||||
args: "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-issuer=github verify-subject=stefanprodan --verify-provider=cosign --export",
|
||||
assertFunc: assertGoldenFile("./testdata/oci/export_with_issuer.golden"),
|
||||
},
|
||||
{
|
||||
name: "verify subject specified but issuer missing",
|
||||
args: "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-subject=stefanprodan --verify-provider=cosign --export",
|
||||
assertFunc: assertGoldenFile("./testdata/oci/export_with_subject.golden"),
|
||||
},
|
||||
{
|
||||
name: "export manifest",
|
||||
args: "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --interval 10m --export",
|
||||
assertFunc: assertGoldenFile("./testdata/oci/export.golden"),
|
||||
},
|
||||
{
|
||||
name: "export manifest with secret",
|
||||
args: "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --interval 10m --secret-ref=creds --export",
|
||||
assertFunc: assertGoldenFile("./testdata/oci/export_with_secret.golden"),
|
||||
},
|
||||
{
|
||||
name: "export manifest with verify secret",
|
||||
args: "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --interval 10m --verify-provider=cosign --verify-secret-ref=cosign-pub --export",
|
||||
assertFunc: assertGoldenFile("./testdata/oci/export_with_verify_secret.golden"),
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
cmd := cmdTestCase{
|
||||
args: tt.args,
|
||||
assert: tt.assertFunc,
|
||||
}
|
||||
|
||||
cmd.runTestCmd(t)
|
||||
})
|
||||
}
|
||||
}
|
||||
@ -1,31 +0,0 @@
|
||||
/*
|
||||
Copyright 2024 The Flux authors
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"github.com/spf13/cobra"
|
||||
)
|
||||
|
||||
var debugCmd = &cobra.Command{
|
||||
Use: "debug",
|
||||
Short: "Debug a flux resource",
|
||||
Long: `The debug command can be used to troubleshoot failing resource reconciliations.`,
|
||||
}
|
||||
|
||||
func init() {
|
||||
rootCmd.AddCommand(debugCmd)
|
||||
}
|
||||
@ -1,113 +0,0 @@
|
||||
/*
|
||||
Copyright 2024 The Flux authors
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
helmv2 "github.com/fluxcd/helm-controller/api/v2"
|
||||
"github.com/fluxcd/pkg/chartutil"
|
||||
"github.com/go-logr/logr"
|
||||
"github.com/spf13/cobra"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"sigs.k8s.io/yaml"
|
||||
|
||||
"github.com/fluxcd/flux2/v2/internal/utils"
|
||||
)
|
||||
|
||||
var debugHelmReleaseCmd = &cobra.Command{
|
||||
Use: "helmrelease [name]",
|
||||
Aliases: []string{"hr"},
|
||||
Short: "Debug a HelmRelease resource",
|
||||
Long: withPreviewNote(`The debug helmrelease command can be used to troubleshoot failing Helm release reconciliations.
|
||||
WARNING: This command will print sensitive information if Kubernetes Secrets are referenced in the HelmRelease .spec.valuesFrom field.`),
|
||||
Example: ` # Print the status of a Helm release
|
||||
flux debug hr podinfo --show-status
|
||||
|
||||
# Export the final values of a Helm release composed from referred ConfigMaps and Secrets
|
||||
flux debug hr podinfo --show-values > values.yaml`,
|
||||
RunE: debugHelmReleaseCmdRun,
|
||||
Args: cobra.ExactArgs(1),
|
||||
ValidArgsFunction: resourceNamesCompletionFunc(helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind)),
|
||||
}
|
||||
|
||||
type debugHelmReleaseFlags struct {
|
||||
showStatus bool
|
||||
showValues bool
|
||||
}
|
||||
|
||||
var debugHelmReleaseArgs debugHelmReleaseFlags
|
||||
|
||||
func init() {
|
||||
debugHelmReleaseCmd.Flags().BoolVar(&debugHelmReleaseArgs.showStatus, "show-status", false, "print the status of the Helm release")
|
||||
debugHelmReleaseCmd.Flags().BoolVar(&debugHelmReleaseArgs.showValues, "show-values", false, "print the final values of the Helm release")
|
||||
debugCmd.AddCommand(debugHelmReleaseCmd)
|
||||
}
|
||||
|
||||
func debugHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
|
||||
name := args[0]
|
||||
|
||||
if (!debugHelmReleaseArgs.showStatus && !debugHelmReleaseArgs.showValues) ||
|
||||
(debugHelmReleaseArgs.showStatus && debugHelmReleaseArgs.showValues) {
|
||||
return fmt.Errorf("either --show-status or --show-values must be set")
|
||||
}
|
||||
|
||||
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
|
||||
defer cancel()
|
||||
|
||||
kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
hr := &helmv2.HelmRelease{}
|
||||
hrName := types.NamespacedName{Namespace: *kubeconfigArgs.Namespace, Name: name}
|
||||
if err := kubeClient.Get(ctx, hrName, hr); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if debugHelmReleaseArgs.showStatus {
|
||||
status, err := yaml.Marshal(hr.Status)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
rootCmd.Println("# Status documentation: https://fluxcd.io/flux/components/helm/helmreleases/#helmrelease-status")
|
||||
rootCmd.Print(string(status))
|
||||
return nil
|
||||
}
|
||||
|
||||
if debugHelmReleaseArgs.showValues {
|
||||
finalValues, err := chartutil.ChartValuesFromReferences(ctx,
|
||||
logr.Discard(),
|
||||
kubeClient,
|
||||
hr.GetNamespace(),
|
||||
hr.GetValues(),
|
||||
hr.Spec.ValuesFrom...)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
values, err := yaml.Marshal(finalValues)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
rootCmd.Print(string(values))
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue