mirror of https://github.com/fluxcd/flux2.git
Compare commits
No commits in common. 'main' and 'v0.6.1' have entirely different histories.
@ -1,84 +0,0 @@
|
|||||||
---
|
|
||||||
name: Bug report
|
|
||||||
description: Create a report to help us improve Flux
|
|
||||||
body:
|
|
||||||
- type: markdown
|
|
||||||
attributes:
|
|
||||||
value: |
|
|
||||||
## Support
|
|
||||||
Find out more about your support options and getting help at: https://fluxcd.io/support/
|
|
||||||
- type: textarea
|
|
||||||
validations:
|
|
||||||
required: true
|
|
||||||
attributes:
|
|
||||||
label: Describe the bug
|
|
||||||
description: A clear description of what the bug is.
|
|
||||||
- type: textarea
|
|
||||||
validations:
|
|
||||||
required: true
|
|
||||||
attributes:
|
|
||||||
label: Steps to reproduce
|
|
||||||
description: |
|
|
||||||
Steps to reproduce the problem.
|
|
||||||
placeholder: |
|
|
||||||
For example:
|
|
||||||
1. Install Flux with the additional image automation controllers
|
|
||||||
2. Run command '...'
|
|
||||||
3. See error
|
|
||||||
- type: textarea
|
|
||||||
validations:
|
|
||||||
required: true
|
|
||||||
attributes:
|
|
||||||
label: Expected behavior
|
|
||||||
description: A brief description of what you expected to happen.
|
|
||||||
- type: textarea
|
|
||||||
attributes:
|
|
||||||
label: Screenshots and recordings
|
|
||||||
description: |
|
|
||||||
If applicable, add screenshots to help explain your problem. You can also record an asciinema session: https://asciinema.org/
|
|
||||||
- type: input
|
|
||||||
validations:
|
|
||||||
required: true
|
|
||||||
attributes:
|
|
||||||
label: OS / Distro
|
|
||||||
description: The OS / distro you are executing `flux` on. If not applicable, write `N/A`.
|
|
||||||
placeholder: e.g. Windows 10, Ubuntu 20.04, Arch Linux, macOS 10.15...
|
|
||||||
- type: input
|
|
||||||
validations:
|
|
||||||
required: true
|
|
||||||
attributes:
|
|
||||||
label: Flux version
|
|
||||||
description: Run `flux version --client`. If not applicable, write `N/A`.
|
|
||||||
placeholder: e.g. v0.20.1
|
|
||||||
- type: textarea
|
|
||||||
validations:
|
|
||||||
required: true
|
|
||||||
attributes:
|
|
||||||
label: Flux check
|
|
||||||
description: Run `flux check`. If not applicable, write `N/A`.
|
|
||||||
placeholder: |
|
|
||||||
For example:
|
|
||||||
► checking prerequisites
|
|
||||||
✔ Kubernetes 1.21.1 >=1.19.0-0
|
|
||||||
► checking controllers
|
|
||||||
✔ all checks passed
|
|
||||||
- type: input
|
|
||||||
attributes:
|
|
||||||
label: Git provider
|
|
||||||
description: If applicable, add the Git provider you are having problems with, e.g. GitHub (Enterprise), GitLab, etc.
|
|
||||||
- type: input
|
|
||||||
attributes:
|
|
||||||
label: Container Registry provider
|
|
||||||
description: If applicable, add the Container Registry provider you are having problems with, e.g. DockerHub, GitHub Packages, Quay.io, etc.
|
|
||||||
- type: textarea
|
|
||||||
attributes:
|
|
||||||
label: Additional context
|
|
||||||
description: Add any other context about the problem here. This can be logs (e.g. output from `flux logs`), environment specific caveats, etc.
|
|
||||||
- type: checkboxes
|
|
||||||
id: terms
|
|
||||||
attributes:
|
|
||||||
label: Code of Conduct
|
|
||||||
description: By submitting this issue, you agree to follow our [Code of Conduct](https://github.com/fluxcd/.github/blob/main/CODE_OF_CONDUCT.md)
|
|
||||||
options:
|
|
||||||
- label: I agree to follow this project's Code of Conduct
|
|
||||||
required: true
|
|
||||||
@ -1,5 +0,0 @@
|
|||||||
blank_issues_enabled: true
|
|
||||||
contact_links:
|
|
||||||
- name: Ask a question
|
|
||||||
url: https://github.com/fluxcd/flux2/discussions
|
|
||||||
about: Please ask and answer questions here.
|
|
||||||
@ -1,16 +0,0 @@
|
|||||||
version: 2
|
|
||||||
|
|
||||||
updates:
|
|
||||||
- package-ecosystem: "github-actions"
|
|
||||||
directory: "/"
|
|
||||||
labels: ["area/ci", "dependencies"]
|
|
||||||
groups:
|
|
||||||
# Group all updates together, so that they are all applied in a single PR.
|
|
||||||
# Grouped updates are currently in beta and is subject to change.
|
|
||||||
# xref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
|
|
||||||
ci:
|
|
||||||
patterns:
|
|
||||||
- "*"
|
|
||||||
schedule:
|
|
||||||
# By default, this will be on a monday.
|
|
||||||
interval: "weekly"
|
|
||||||
@ -1,9 +0,0 @@
|
|||||||
kind: Cluster
|
|
||||||
apiVersion: kind.x-k8s.io/v1alpha4
|
|
||||||
nodes:
|
|
||||||
- role: control-plane
|
|
||||||
- role: worker
|
|
||||||
- role: worker
|
|
||||||
networking:
|
|
||||||
disableDefaultCNI: true # disable kindnet
|
|
||||||
podSubnet: 192.168.0.0/16 # set to Calico's default subnet
|
|
||||||
@ -1,55 +0,0 @@
|
|||||||
# Configuration file to declaratively configure labels
|
|
||||||
# Ref: https://github.com/EndBug/label-sync#Config-files
|
|
||||||
|
|
||||||
- name: area/bootstrap
|
|
||||||
description: Bootstrap related issues and pull requests
|
|
||||||
color: '#86efc9'
|
|
||||||
- name: area/install
|
|
||||||
description: Install and uninstall related issues and pull requests
|
|
||||||
color: '#86efc9'
|
|
||||||
- name: area/diff
|
|
||||||
description: Diff related issues and pull requests
|
|
||||||
color: '#BA4192'
|
|
||||||
- name: area/bucket
|
|
||||||
description: Bucket related issues and pull requests
|
|
||||||
color: '#00b140'
|
|
||||||
- name: area/git
|
|
||||||
description: Git related issues and pull requests
|
|
||||||
color: '#863faf'
|
|
||||||
- name: area/oci
|
|
||||||
description: OCI related issues and pull requests
|
|
||||||
color: '#c739ff'
|
|
||||||
- name: area/kustomization
|
|
||||||
description: Kustomization related issues and pull requests
|
|
||||||
color: '#00e54d'
|
|
||||||
- name: area/helm
|
|
||||||
description: Helm related issues and pull requests
|
|
||||||
color: '#1673b6'
|
|
||||||
- name: area/image-automation
|
|
||||||
description: Automated image updates related issues and pull requests
|
|
||||||
color: '#c5def5'
|
|
||||||
- name: area/monitoring
|
|
||||||
description: Monitoring related issues and pull requests
|
|
||||||
color: '#dd75ae'
|
|
||||||
- name: area/multi-tenancy
|
|
||||||
description: Multi-tenancy related issues and pull requests
|
|
||||||
color: '#72CDBD'
|
|
||||||
- name: area/notification
|
|
||||||
description: Notification API related issues and pull requests
|
|
||||||
color: '#434ec1'
|
|
||||||
- name: area/source
|
|
||||||
description: Source API related issues and pull requests
|
|
||||||
color: '#863faf'
|
|
||||||
- name: area/rfc
|
|
||||||
description: Feature request proposals in the RFC format
|
|
||||||
color: '#D621C3'
|
|
||||||
aliases: ['area/RFC']
|
|
||||||
- name: backport:release/v2.3.x
|
|
||||||
description: To be backported to release/v2.3.x
|
|
||||||
color: '#ffd700'
|
|
||||||
- name: backport:release/v2.4.x
|
|
||||||
description: To be backported to release/v2.4.x
|
|
||||||
color: '#ffd700'
|
|
||||||
- name: backport:release/v2.5.x
|
|
||||||
description: To be backported to release/v2.5.x
|
|
||||||
color: '#ffd700'
|
|
||||||
@ -1,82 +0,0 @@
|
|||||||
# Flux ARM64 GitHub runners
|
|
||||||
|
|
||||||
The Flux ARM64 end-to-end tests run on Equinix Metal instances provisioned with Docker and GitHub self-hosted runners.
|
|
||||||
|
|
||||||
## Current instances
|
|
||||||
|
|
||||||
| Repository | Runner | Instance | Location |
|
|
||||||
|-----------------------------|------------------|----------------|---------------|
|
|
||||||
| flux2 | equinix-arm-dc-1 | flux-arm-dc-01 | Washington DC |
|
|
||||||
| flux2 | equinix-arm-dc-2 | flux-arm-dc-01 | Washington DC |
|
|
||||||
| flux2 | equinix-arm-da-1 | flux-arm-da-01 | Dallas |
|
|
||||||
| flux2 | equinix-arm-da-2 | flux-arm-da-01 | Dallas |
|
|
||||||
| flux-benchmark | equinix-arm-dc-1 | flux-arm-dc-01 | Washington DC |
|
|
||||||
| flux-benchmark | equinix-arm-da-1 | flux-arm-da-01 | Dallas |
|
|
||||||
| source-controller | equinix-arm-dc-1 | flux-arm-dc-01 | Washington DC |
|
|
||||||
| source-controller | equinix-arm-da-1 | flux-arm-da-01 | Dallas |
|
|
||||||
| image-automation-controller | equinix-arm-dc-1 | flux-arm-dc-01 | Washington DC |
|
|
||||||
| image-automation-controller | equinix-arm-da-1 | flux-arm-da-01 | Dallas |
|
|
||||||
|
|
||||||
Instance spec:
|
|
||||||
- Ampere Altra Q80-30 80-core processor @ 2.8GHz
|
|
||||||
- 2 x 960GB NVME
|
|
||||||
- 256GB RAM
|
|
||||||
- 2 x 25Gbps
|
|
||||||
|
|
||||||
## Instance setup
|
|
||||||
|
|
||||||
In order to add a new runner to the GitHub Actions pool,
|
|
||||||
first create a server on Equinix with the following configuration:
|
|
||||||
- Type: `c3.large.arm64`
|
|
||||||
- OS: `Ubuntu 22.04 LTS`
|
|
||||||
|
|
||||||
### Install prerequisites
|
|
||||||
|
|
||||||
- SSH into a newly created instance
|
|
||||||
```shell
|
|
||||||
ssh root@<instance-public-IP>
|
|
||||||
```
|
|
||||||
|
|
||||||
- Create the ubuntu user
|
|
||||||
```shell
|
|
||||||
adduser ubuntu
|
|
||||||
usermod -aG sudo ubuntu
|
|
||||||
su - ubuntu
|
|
||||||
```
|
|
||||||
|
|
||||||
- Create the prerequisites dir
|
|
||||||
```shell
|
|
||||||
mkdir -p prereq && cd prereq
|
|
||||||
```
|
|
||||||
|
|
||||||
- Download the prerequisites script
|
|
||||||
```shell
|
|
||||||
curl -sL https://raw.githubusercontent.com/fluxcd/flux2/main/.github/runners/prereq.sh > prereq.sh \
|
|
||||||
&& chmod +x ./prereq.sh
|
|
||||||
```
|
|
||||||
|
|
||||||
- Install the prerequisites
|
|
||||||
```shell
|
|
||||||
sudo ./prereq.sh
|
|
||||||
```
|
|
||||||
|
|
||||||
### Install runners
|
|
||||||
|
|
||||||
- Retrieve the GitHub runner token from the repository [settings page](https://github.com/fluxcd/flux2/settings/actions/runners/new?arch=arm64&os=linux)
|
|
||||||
|
|
||||||
- Create two directories `flux2-01`, `flux2-02`
|
|
||||||
|
|
||||||
- In each dir run:
|
|
||||||
```shell
|
|
||||||
curl -sL https://raw.githubusercontent.com/fluxcd/flux2/main/.github/runners/runner-setup.sh > runner-setup.sh \
|
|
||||||
&& chmod +x ./runner-setup.sh
|
|
||||||
|
|
||||||
./runner-setup.sh equinix-arm-<NUMBER> <TOKEN> <REPO>
|
|
||||||
```
|
|
||||||
|
|
||||||
- Reboot the instance
|
|
||||||
```shell
|
|
||||||
sudo reboot
|
|
||||||
```
|
|
||||||
|
|
||||||
- Navigate to the GitHub repository [runners page](https://github.com/fluxcd/flux2/settings/actions/runners) and check the runner status
|
|
||||||
@ -1,72 +0,0 @@
|
|||||||
#!/usr/bin/env bash
|
|
||||||
|
|
||||||
# Copyright 2021 The Flux authors. All rights reserved.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
# This script installs the prerequisites for running Flux end-to-end tests with Docker and GitHub self-hosted runners.
|
|
||||||
|
|
||||||
set -eu
|
|
||||||
|
|
||||||
KIND_VERSION=0.22.0
|
|
||||||
KUBECTL_VERSION=1.29.0
|
|
||||||
KUSTOMIZE_VERSION=5.3.0
|
|
||||||
HELM_VERSION=3.14.1
|
|
||||||
GITHUB_RUNNER_VERSION=2.313.0
|
|
||||||
PACKAGES="apt-transport-https ca-certificates software-properties-common build-essential libssl-dev gnupg lsb-release jq pkg-config"
|
|
||||||
|
|
||||||
# install prerequisites
|
|
||||||
apt-get update \
|
|
||||||
&& apt-get install -y -q ${PACKAGES} \
|
|
||||||
&& apt-get clean \
|
|
||||||
&& rm -rf /var/lib/apt/lists/*
|
|
||||||
|
|
||||||
# fix Kubernetes DNS resolution
|
|
||||||
rm /etc/resolv.conf
|
|
||||||
cat "/run/systemd/resolve/stub-resolv.conf" | sed '/search/d' > /etc/resolv.conf
|
|
||||||
|
|
||||||
# install docker
|
|
||||||
curl -fsSL https://get.docker.com -o get-docker.sh \
|
|
||||||
&& chmod +x get-docker.sh
|
|
||||||
./get-docker.sh
|
|
||||||
systemctl enable docker.service
|
|
||||||
systemctl enable containerd.service
|
|
||||||
usermod -aG docker ubuntu
|
|
||||||
|
|
||||||
# install kind
|
|
||||||
curl -Lo ./kind https://kind.sigs.k8s.io/dl/v${KIND_VERSION}/kind-linux-arm64
|
|
||||||
install -o root -g root -m 0755 kind /usr/local/bin/kind
|
|
||||||
|
|
||||||
# install kubectl
|
|
||||||
curl -LO "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/arm64/kubectl"
|
|
||||||
install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
|
|
||||||
|
|
||||||
# install kustomize
|
|
||||||
curl -Lo ./kustomize.tar.gz https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${KUSTOMIZE_VERSION}/kustomize_v${KUSTOMIZE_VERSION}_linux_arm64.tar.gz \
|
|
||||||
&& tar -zxvf kustomize.tar.gz \
|
|
||||||
&& rm kustomize.tar.gz
|
|
||||||
install -o root -g root -m 0755 kustomize /usr/local/bin/kustomize
|
|
||||||
|
|
||||||
# install helm
|
|
||||||
curl -Lo ./helm.tar.gz https://get.helm.sh/helm-v${HELM_VERSION}-linux-arm64.tar.gz \
|
|
||||||
&& tar -zxvf helm.tar.gz \
|
|
||||||
&& rm helm.tar.gz
|
|
||||||
install -o root -g root -m 0755 linux-arm64/helm /usr/local/bin/helm
|
|
||||||
|
|
||||||
# download runner
|
|
||||||
curl -o actions-runner-linux-arm64.tar.gz -L https://github.com/actions/runner/releases/download/v${GITHUB_RUNNER_VERSION}/actions-runner-linux-arm64-${GITHUB_RUNNER_VERSION}.tar.gz \
|
|
||||||
&& tar xzf actions-runner-linux-arm64.tar.gz \
|
|
||||||
&& rm actions-runner-linux-arm64.tar.gz
|
|
||||||
|
|
||||||
# install runner dependencies
|
|
||||||
./bin/installdependencies.sh
|
|
||||||
@ -1,37 +0,0 @@
|
|||||||
#!/usr/bin/env bash
|
|
||||||
|
|
||||||
# Copyright 2021 The Flux authors. All rights reserved.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
# This script installs a GitHub self-hosted ARM64 runner for running Flux end-to-end tests.
|
|
||||||
|
|
||||||
set -eu
|
|
||||||
|
|
||||||
RUNNER_NAME=$1
|
|
||||||
REPOSITORY_TOKEN=$2
|
|
||||||
REPOSITORY_URL=${3:-https://github.com/fluxcd/flux2}
|
|
||||||
|
|
||||||
GITHUB_RUNNER_VERSION=2.313.0
|
|
||||||
|
|
||||||
# download runner
|
|
||||||
curl -o actions-runner-linux-arm64.tar.gz -L https://github.com/actions/runner/releases/download/v${GITHUB_RUNNER_VERSION}/actions-runner-linux-arm64-${GITHUB_RUNNER_VERSION}.tar.gz \
|
|
||||||
&& tar xzf actions-runner-linux-arm64.tar.gz \
|
|
||||||
&& rm actions-runner-linux-arm64.tar.gz
|
|
||||||
|
|
||||||
# register runner with GitHub
|
|
||||||
./config.sh --unattended --url ${REPOSITORY_URL} --token ${REPOSITORY_TOKEN} --name ${RUNNER_NAME}
|
|
||||||
|
|
||||||
# start runner
|
|
||||||
sudo ./svc.sh install
|
|
||||||
sudo ./svc.sh start
|
|
||||||
@ -1,50 +0,0 @@
|
|||||||
# Flux GitHub Workflows
|
|
||||||
|
|
||||||
## End-to-end Testing
|
|
||||||
|
|
||||||
The e2e workflows run a series of tests to ensure that the Flux CLI and
|
|
||||||
the GitOps Toolkit controllers work well all together.
|
|
||||||
The tests are written in Go, Bash, Make and Terraform.
|
|
||||||
|
|
||||||
| Workflow | Jobs | Runner | Role |
|
|
||||||
|--------------------|----------------------|----------------|-----------------------------------------------|
|
|
||||||
| e2e.yaml | e2e-amd64-kubernetes | GitHub Ubuntu | integration testing with Kubernetes Kind<br/> |
|
|
||||||
| e2e-arm64.yaml | e2e-arm64-kubernetes | Equinix Ubuntu | integration testing with Kubernetes Kind<br/> |
|
|
||||||
| e2e-bootstrap.yaml | e2e-boostrap-github | GitHub Ubuntu | integration testing with GitHub API<br/> |
|
|
||||||
| e2e-azure.yaml | e2e-amd64-aks | GitHub Ubuntu | integration testing with Azure API<br/> |
|
|
||||||
| scan.yaml | scan-fossa | GitHub Ubuntu | license scanning<br/> |
|
|
||||||
| scan.yaml | scan-snyk | GitHub Ubuntu | vulnerability scanning<br/> |
|
|
||||||
| scan.yaml | scan-codeql | GitHub Ubuntu | vulnerability scanning<br/> |
|
|
||||||
|
|
||||||
## Components Update
|
|
||||||
|
|
||||||
The components update workflow scans the GitOps Toolkit controller repositories for new releases,
|
|
||||||
amd when it finds a new controller version, the workflow performs the following steps:
|
|
||||||
- Updates the controller API package version in `go.mod`.
|
|
||||||
- Patches the controller CRDs version in the `manifests/crds` overlay.
|
|
||||||
- Patches the controller Deployment version in `manifests/bases` overlay.
|
|
||||||
- Opens a Pull Request against the `main` branch.
|
|
||||||
- Triggers the e2e test suite to run for the opened PR.
|
|
||||||
|
|
||||||
|
|
||||||
| Workflow | Jobs | Runner | Role |
|
|
||||||
|-------------|-------------------|---------------|-----------------------------------------------------|
|
|
||||||
| update.yaml | update-components | GitHub Ubuntu | update the GitOps Toolkit APIs and controllers<br/> |
|
|
||||||
|
|
||||||
## Release
|
|
||||||
|
|
||||||
The release workflow is triggered by a semver Git tag and performs the following steps:
|
|
||||||
- Generates the Flux install manifests (YAML).
|
|
||||||
- Generates the OpenAPI validation schemas for the GitOps Toolkit CRDs (JSON).
|
|
||||||
- Generates a Software Bill of Materials (SPDX JSON).
|
|
||||||
- Builds the Flux CLI binaries and the multi-arch container images.
|
|
||||||
- Pushes the container images to GitHub Container Registry and DockerHub.
|
|
||||||
- Signs the sbom, the binaries checksum and the container images with Cosign and GitHub OIDC.
|
|
||||||
- Uploads the sbom, binaries, checksums and install manifests to GitHub Releases.
|
|
||||||
- Pushes the install manifests as OCI artifacts to GitHub Container Registry and DockerHub.
|
|
||||||
- Signs the OCI artifacts with Cosign and GitHub OIDC.
|
|
||||||
|
|
||||||
| Workflow | Jobs | Runner | Role |
|
|
||||||
|--------------|------------------------|---------------|------------------------------------------------------|
|
|
||||||
| release.yaml | release-flux-cli | GitHub Ubuntu | build, push and sign the CLI release artifacts<br/> |
|
|
||||||
| release.yaml | release-flux-manifests | GitHub Ubuntu | build, push and sign the Flux install manifests<br/> |
|
|
||||||
@ -1,29 +0,0 @@
|
|||||||
name: test-gh-action
|
|
||||||
|
|
||||||
on:
|
|
||||||
pull_request:
|
|
||||||
paths:
|
|
||||||
- 'action/**'
|
|
||||||
push:
|
|
||||||
paths:
|
|
||||||
- 'action/**'
|
|
||||||
branches:
|
|
||||||
- 'main'
|
|
||||||
- 'release/**'
|
|
||||||
|
|
||||||
permissions: read-all
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
actions:
|
|
||||||
strategy:
|
|
||||||
fail-fast: false
|
|
||||||
matrix:
|
|
||||||
version: [ubuntu-latest, macos-latest, windows-latest]
|
|
||||||
|
|
||||||
runs-on: ${{ matrix.version }}
|
|
||||||
name: action on ${{ matrix.version }}
|
|
||||||
steps:
|
|
||||||
- name: Checkout
|
|
||||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
||||||
- name: Setup flux
|
|
||||||
uses: ./action
|
|
||||||
@ -1,34 +0,0 @@
|
|||||||
name: backport
|
|
||||||
|
|
||||||
on:
|
|
||||||
pull_request_target:
|
|
||||||
types: [closed, labeled]
|
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
pull-request:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
permissions:
|
|
||||||
contents: write
|
|
||||||
pull-requests: write
|
|
||||||
if: github.event.pull_request.state == 'closed' && github.event.pull_request.merged && (github.event_name != 'labeled' || startsWith('backport:', github.event.label.name))
|
|
||||||
steps:
|
|
||||||
- name: Checkout
|
|
||||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
||||||
with:
|
|
||||||
ref: ${{ github.event.pull_request.head.sha }}
|
|
||||||
- name: Create backport PRs
|
|
||||||
uses: korthout/backport-action@be567af183754f6a5d831ae90f648954763f17f5 # v3.1.0
|
|
||||||
# xref: https://github.com/korthout/backport-action#inputs
|
|
||||||
with:
|
|
||||||
# Use token to allow workflows to be triggered for the created PR
|
|
||||||
github_token: ${{ secrets.BOT_GITHUB_TOKEN }}
|
|
||||||
# Match labels with a pattern `backport:<target-branch>`
|
|
||||||
label_pattern: '^backport:([^ ]+)$'
|
|
||||||
# A bit shorter pull-request title than the default
|
|
||||||
pull_title: '[${target_branch}] ${pull_title}'
|
|
||||||
# Simpler PR description than default
|
|
||||||
pull_description: |-
|
|
||||||
Automated backport to `${target_branch}`, triggered by a label in #${pull_number}.
|
|
||||||
@ -0,0 +1,77 @@
|
|||||||
|
name: bootstrap
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
branches:
|
||||||
|
- '*'
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
github:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Checkout
|
||||||
|
uses: actions/checkout@v2
|
||||||
|
- name: Restore Go cache
|
||||||
|
uses: actions/cache@v1
|
||||||
|
with:
|
||||||
|
path: ~/go/pkg/mod
|
||||||
|
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
|
||||||
|
restore-keys: |
|
||||||
|
${{ runner.os }}-go-
|
||||||
|
- name: Setup Go
|
||||||
|
uses: actions/setup-go@v2
|
||||||
|
with:
|
||||||
|
go-version: 1.15.x
|
||||||
|
- name: Setup Kubernetes
|
||||||
|
uses: engineerd/setup-kind@v0.5.0
|
||||||
|
- name: Set outputs
|
||||||
|
id: vars
|
||||||
|
run: echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
|
||||||
|
- name: Build
|
||||||
|
run: sudo go build -o ./bin/flux ./cmd/flux
|
||||||
|
- name: bootstrap init
|
||||||
|
run: |
|
||||||
|
./bin/flux bootstrap github --manifests ./manifests/install/ \
|
||||||
|
--owner=fluxcd-testing \
|
||||||
|
--repository=flux-test-${{ steps.vars.outputs.sha_short }} \
|
||||||
|
--branch=main \
|
||||||
|
--path=test-cluster
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
|
||||||
|
- name: bootstrap no-op
|
||||||
|
run: |
|
||||||
|
./bin/flux bootstrap github --manifests ./manifests/install/ \
|
||||||
|
--owner=fluxcd-testing \
|
||||||
|
--repository=flux-test-${{ steps.vars.outputs.sha_short }} \
|
||||||
|
--branch=main \
|
||||||
|
--path=test-cluster
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
|
||||||
|
- name: uninstall
|
||||||
|
run: |
|
||||||
|
./bin/flux uninstall --resources --crds -s --timeout=10m
|
||||||
|
- name: bootstrap reinstall
|
||||||
|
run: |
|
||||||
|
./bin/flux bootstrap github --manifests ./manifests/install/ \
|
||||||
|
--owner=fluxcd-testing \
|
||||||
|
--repository=flux-test-${{ steps.vars.outputs.sha_short }} \
|
||||||
|
--branch=main \
|
||||||
|
--path=test-cluster
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
|
||||||
|
- name: delete repository
|
||||||
|
run: |
|
||||||
|
./bin/flux bootstrap github --manifests ./manifests/install/ \
|
||||||
|
--owner=fluxcd-testing \
|
||||||
|
--repository=flux-test-${{ steps.vars.outputs.sha_short }} \
|
||||||
|
--branch=main \
|
||||||
|
--path=test-cluster \
|
||||||
|
--delete
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
|
||||||
|
- name: Debug failure
|
||||||
|
if: failure()
|
||||||
|
run: |
|
||||||
|
kubectl -n flux-system get all
|
||||||
|
kubectl -n flux-system logs deploy/source-controller
|
||||||
|
kubectl -n flux-system logs deploy/kustomize-controller
|
||||||
@ -1,256 +0,0 @@
|
|||||||
name: conformance
|
|
||||||
|
|
||||||
on:
|
|
||||||
workflow_dispatch:
|
|
||||||
push:
|
|
||||||
branches: [ 'main', 'update-components', 'release/**', 'conform*' ]
|
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
env:
|
|
||||||
GO_VERSION: 1.23.x
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
conform-kubernetes:
|
|
||||||
runs-on:
|
|
||||||
group: "ARM64"
|
|
||||||
strategy:
|
|
||||||
matrix:
|
|
||||||
# Keep this list up-to-date with https://endoflife.date/kubernetes
|
|
||||||
# Build images with https://github.com/fluxcd/flux-benchmark/actions/workflows/build-kind.yaml
|
|
||||||
KUBERNETES_VERSION: [1.30.9, 1.31.5, 1.32.1 ]
|
|
||||||
fail-fast: false
|
|
||||||
steps:
|
|
||||||
- name: Checkout
|
|
||||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
||||||
- name: Setup Go
|
|
||||||
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
|
|
||||||
with:
|
|
||||||
go-version: ${{ env.GO_VERSION }}
|
|
||||||
cache-dependency-path: |
|
|
||||||
**/go.sum
|
|
||||||
**/go.mod
|
|
||||||
- name: Prepare
|
|
||||||
id: prep
|
|
||||||
run: |
|
|
||||||
ID=${GITHUB_SHA:0:7}-${{ matrix.KUBERNETES_VERSION }}-$(date +%s)
|
|
||||||
echo "CLUSTER=arm64-${ID}" >> $GITHUB_OUTPUT
|
|
||||||
- name: Build
|
|
||||||
run: |
|
|
||||||
make build
|
|
||||||
- name: Setup Kubernetes
|
|
||||||
uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
|
|
||||||
with:
|
|
||||||
version: v0.22.0
|
|
||||||
cluster_name: ${{ steps.prep.outputs.CLUSTER }}
|
|
||||||
node_image: ghcr.io/fluxcd/kindest/node:v${{ matrix.KUBERNETES_VERSION }}-arm64
|
|
||||||
- name: Run e2e tests
|
|
||||||
run: TEST_KUBECONFIG=$HOME/.kube/config make e2e
|
|
||||||
- name: Run multi-tenancy tests
|
|
||||||
run: |
|
|
||||||
./bin/flux install
|
|
||||||
./bin/flux create source git flux-system \
|
|
||||||
--interval=15m \
|
|
||||||
--url=https://github.com/fluxcd/flux2-multi-tenancy \
|
|
||||||
--branch=main \
|
|
||||||
--ignore-paths="./clusters/**/flux-system/"
|
|
||||||
./bin/flux create kustomization flux-system \
|
|
||||||
--interval=15m \
|
|
||||||
--source=flux-system \
|
|
||||||
--path=./clusters/staging
|
|
||||||
kubectl -n flux-system wait kustomization/tenants --for=condition=ready --timeout=5m
|
|
||||||
kubectl -n apps wait kustomization/dev-team --for=condition=ready --timeout=1m
|
|
||||||
kubectl -n apps wait helmrelease/podinfo --for=condition=ready --timeout=1m
|
|
||||||
- name: Debug failure
|
|
||||||
if: failure()
|
|
||||||
run: |
|
|
||||||
kubectl -n flux-system get all
|
|
||||||
kubectl -n flux-system describe po
|
|
||||||
kubectl -n flux-system logs deploy/source-controller
|
|
||||||
kubectl -n flux-system logs deploy/kustomize-controller
|
|
||||||
|
|
||||||
conform-k3s:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
strategy:
|
|
||||||
matrix:
|
|
||||||
# Keep this list up-to-date with https://endoflife.date/kubernetes
|
|
||||||
# Available versions can be found with "replicated cluster versions"
|
|
||||||
K3S_VERSION: [ 1.30.9, 1.31.5, 1.32.1 ]
|
|
||||||
fail-fast: false
|
|
||||||
steps:
|
|
||||||
- name: Checkout
|
|
||||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
||||||
- name: Setup Go
|
|
||||||
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
|
|
||||||
with:
|
|
||||||
go-version: ${{ env.GO_VERSION }}
|
|
||||||
cache-dependency-path: |
|
|
||||||
**/go.sum
|
|
||||||
**/go.mod
|
|
||||||
- name: Prepare
|
|
||||||
id: prep
|
|
||||||
run: |
|
|
||||||
ID=${GITHUB_SHA:0:7}-${{ matrix.K3S_VERSION }}-$(date +%s)
|
|
||||||
PSEUDO_RAND_SUFFIX=$(echo "${ID}" | shasum | awk '{print $1}')
|
|
||||||
echo "cluster=flux2-k3s-${PSEUDO_RAND_SUFFIX}" >> $GITHUB_OUTPUT
|
|
||||||
KUBECONFIG_PATH="$(git rev-parse --show-toplevel)/bin/kubeconfig.yaml"
|
|
||||||
echo "kubeconfig-path=${KUBECONFIG_PATH}" >> $GITHUB_OUTPUT
|
|
||||||
- name: Setup Kustomize
|
|
||||||
uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
|
|
||||||
- name: Build
|
|
||||||
run: make build-dev
|
|
||||||
- name: Create repository
|
|
||||||
run: |
|
|
||||||
gh repo create --private --add-readme fluxcd-testing/${{ steps.prep.outputs.cluster }}
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
|
|
||||||
- name: Create cluster
|
|
||||||
id: create-cluster
|
|
||||||
uses: replicatedhq/replicated-actions/create-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
|
|
||||||
with:
|
|
||||||
api-token: ${{ secrets.REPLICATED_API_TOKEN }}
|
|
||||||
kubernetes-distribution: "k3s"
|
|
||||||
kubernetes-version: ${{ matrix.K3S_VERSION }}
|
|
||||||
ttl: 20m
|
|
||||||
cluster-name: "${{ steps.prep.outputs.cluster }}"
|
|
||||||
kubeconfig-path: ${{ steps.prep.outputs.kubeconfig-path }}
|
|
||||||
export-kubeconfig: true
|
|
||||||
- name: Run e2e tests
|
|
||||||
run: TEST_KUBECONFIG=${{ steps.prep.outputs.kubeconfig-path }} make e2e
|
|
||||||
- name: Run flux bootstrap
|
|
||||||
run: |
|
|
||||||
./bin/flux bootstrap git --manifests ./manifests/install/ \
|
|
||||||
--components-extra=image-reflector-controller,image-automation-controller \
|
|
||||||
--url=https://github.com/fluxcd-testing/${{ steps.prep.outputs.cluster }} \
|
|
||||||
--branch=main \
|
|
||||||
--path=clusters/k3s \
|
|
||||||
--token-auth
|
|
||||||
env:
|
|
||||||
GIT_PASSWORD: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
|
|
||||||
- name: Run flux check
|
|
||||||
run: |
|
|
||||||
./bin/flux check
|
|
||||||
- name: Run flux reconcile
|
|
||||||
run: |
|
|
||||||
./bin/flux reconcile ks flux-system --with-source
|
|
||||||
./bin/flux get all
|
|
||||||
./bin/flux events
|
|
||||||
- name: Collect reconcile logs
|
|
||||||
if: ${{ always() }}
|
|
||||||
continue-on-error: true
|
|
||||||
run: |
|
|
||||||
kubectl -n flux-system get all
|
|
||||||
kubectl -n flux-system describe pods
|
|
||||||
kubectl -n flux-system logs deploy/source-controller
|
|
||||||
kubectl -n flux-system logs deploy/kustomize-controller
|
|
||||||
kubectl -n flux-system logs deploy/notification-controller
|
|
||||||
- name: Delete flux
|
|
||||||
run: |
|
|
||||||
./bin/flux uninstall -s --keep-namespace
|
|
||||||
kubectl delete ns flux-system --wait
|
|
||||||
- name: Delete cluster
|
|
||||||
if: ${{ always() }}
|
|
||||||
uses: replicatedhq/replicated-actions/remove-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
|
|
||||||
continue-on-error: true
|
|
||||||
with:
|
|
||||||
api-token: ${{ secrets.REPLICATED_API_TOKEN }}
|
|
||||||
cluster-id: ${{ steps.create-cluster.outputs.cluster-id }}
|
|
||||||
- name: Delete repository
|
|
||||||
if: ${{ always() }}
|
|
||||||
continue-on-error: true
|
|
||||||
run: |
|
|
||||||
gh repo delete fluxcd-testing/${{ steps.prep.outputs.cluster }} --yes
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
|
|
||||||
|
|
||||||
conform-openshift:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
strategy:
|
|
||||||
matrix:
|
|
||||||
# Keep this list up-to-date with https://endoflife.date/red-hat-openshift
|
|
||||||
OPENSHIFT_VERSION: [ 4.17.0-okd ]
|
|
||||||
fail-fast: false
|
|
||||||
steps:
|
|
||||||
- name: Checkout
|
|
||||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
||||||
- name: Setup Go
|
|
||||||
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
|
|
||||||
with:
|
|
||||||
go-version: ${{ env.GO_VERSION }}
|
|
||||||
cache-dependency-path: |
|
|
||||||
**/go.sum
|
|
||||||
**/go.mod
|
|
||||||
- name: Prepare
|
|
||||||
id: prep
|
|
||||||
run: |
|
|
||||||
ID=${GITHUB_SHA:0:7}-${{ matrix.OPENSHIFT_VERSION }}-$(date +%s)
|
|
||||||
PSEUDO_RAND_SUFFIX=$(echo "${ID}" | shasum | awk '{print $1}')
|
|
||||||
echo "cluster=flux2-openshift-${PSEUDO_RAND_SUFFIX}" >> $GITHUB_OUTPUT
|
|
||||||
KUBECONFIG_PATH="$(git rev-parse --show-toplevel)/bin/kubeconfig.yaml"
|
|
||||||
echo "kubeconfig-path=${KUBECONFIG_PATH}" >> $GITHUB_OUTPUT
|
|
||||||
- name: Setup Kustomize
|
|
||||||
uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
|
|
||||||
- name: Build
|
|
||||||
run: make build-dev
|
|
||||||
- name: Create repository
|
|
||||||
run: |
|
|
||||||
gh repo create --private --add-readme fluxcd-testing/${{ steps.prep.outputs.cluster }}
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
|
|
||||||
- name: Create cluster
|
|
||||||
id: create-cluster
|
|
||||||
uses: replicatedhq/replicated-actions/create-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
|
|
||||||
with:
|
|
||||||
api-token: ${{ secrets.REPLICATED_API_TOKEN }}
|
|
||||||
kubernetes-distribution: "openshift"
|
|
||||||
kubernetes-version: ${{ matrix.OPENSHIFT_VERSION }}
|
|
||||||
ttl: 20m
|
|
||||||
cluster-name: "${{ steps.prep.outputs.cluster }}"
|
|
||||||
kubeconfig-path: ${{ steps.prep.outputs.kubeconfig-path }}
|
|
||||||
export-kubeconfig: true
|
|
||||||
- name: Run flux bootstrap
|
|
||||||
run: |
|
|
||||||
./bin/flux bootstrap git --manifests ./manifests/openshift/ \
|
|
||||||
--components-extra=image-reflector-controller,image-automation-controller \
|
|
||||||
--url=https://github.com/fluxcd-testing/${{ steps.prep.outputs.cluster }} \
|
|
||||||
--branch=main \
|
|
||||||
--path=clusters/openshift \
|
|
||||||
--token-auth
|
|
||||||
env:
|
|
||||||
GIT_PASSWORD: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
|
|
||||||
- name: Run flux check
|
|
||||||
run: |
|
|
||||||
./bin/flux check
|
|
||||||
- name: Run flux reconcile
|
|
||||||
run: |
|
|
||||||
./bin/flux reconcile ks flux-system --with-source
|
|
||||||
./bin/flux get all
|
|
||||||
./bin/flux events
|
|
||||||
- name: Collect reconcile logs
|
|
||||||
if: ${{ always() }}
|
|
||||||
continue-on-error: true
|
|
||||||
run: |
|
|
||||||
kubectl -n flux-system get all
|
|
||||||
kubectl -n flux-system describe pods
|
|
||||||
kubectl -n flux-system logs deploy/source-controller
|
|
||||||
kubectl -n flux-system logs deploy/kustomize-controller
|
|
||||||
kubectl -n flux-system logs deploy/notification-controller
|
|
||||||
- name: Delete flux
|
|
||||||
run: |
|
|
||||||
./bin/flux uninstall -s --keep-namespace
|
|
||||||
kubectl delete ns flux-system --wait
|
|
||||||
- name: Delete cluster
|
|
||||||
if: ${{ always() }}
|
|
||||||
uses: replicatedhq/replicated-actions/remove-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
|
|
||||||
continue-on-error: true
|
|
||||||
with:
|
|
||||||
api-token: ${{ secrets.REPLICATED_API_TOKEN }}
|
|
||||||
cluster-id: ${{ steps.create-cluster.outputs.cluster-id }}
|
|
||||||
- name: Delete repository
|
|
||||||
if: ${{ always() }}
|
|
||||||
continue-on-error: true
|
|
||||||
run: |
|
|
||||||
gh repo delete fluxcd-testing/${{ steps.prep.outputs.cluster }} --yes
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
|
|
||||||
@ -0,0 +1,65 @@
|
|||||||
|
name: Publish docs via GitHub Pages
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
branches:
|
||||||
|
- docs*
|
||||||
|
- main
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
build:
|
||||||
|
name: Deploy docs
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Checkout master
|
||||||
|
uses: actions/checkout@v1
|
||||||
|
- name: Copy assets
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
run: |
|
||||||
|
controller_version() {
|
||||||
|
sed -n "s/.*$1\/archive\/\(.*\).zip.*/\1/p;n" manifests/bases/$1/kustomization.yaml
|
||||||
|
}
|
||||||
|
|
||||||
|
{
|
||||||
|
# source-controller CRDs
|
||||||
|
SOURCE_VER=$(controller_version source-controller)
|
||||||
|
curl -# -Lf "https://raw.githubusercontent.com/fluxcd/source-controller/$SOURCE_VER/docs/api/source.md" > docs/components/source/api.md
|
||||||
|
curl -# -Lf "https://raw.githubusercontent.com/fluxcd/source-controller/$SOURCE_VER/docs/spec/v1beta1/gitrepositories.md" > docs/components/source/gitrepositories.md
|
||||||
|
curl -# -Lf "https://raw.githubusercontent.com/fluxcd/source-controller/$SOURCE_VER/docs/spec/v1beta1/helmrepositories.md" > docs/components/source/helmrepositories.md
|
||||||
|
curl -# -Lf "https://raw.githubusercontent.com/fluxcd/source-controller/$SOURCE_VER/docs/spec/v1beta1/helmcharts.md" > docs/components/source/helmcharts.md
|
||||||
|
curl -# -Lf "https://raw.githubusercontent.com/fluxcd/source-controller/$SOURCE_VER/docs/spec/v1beta1/buckets.md" > docs/components/source/buckets.md
|
||||||
|
}
|
||||||
|
|
||||||
|
{
|
||||||
|
# kustomize-controller CRDs
|
||||||
|
KUSTOMIZE_VER=$(controller_version kustomize-controller)
|
||||||
|
curl -# -Lf "https://raw.githubusercontent.com/fluxcd/kustomize-controller/$KUSTOMIZE_VER/docs/api/kustomize.md" > docs/components/kustomize/api.md
|
||||||
|
curl -# -Lf "https://raw.githubusercontent.com/fluxcd/kustomize-controller/$KUSTOMIZE_VER/docs/spec/v1beta1/kustomization.md" > docs/components/kustomize/kustomization.md
|
||||||
|
}
|
||||||
|
|
||||||
|
{
|
||||||
|
# helm-controller CRDs
|
||||||
|
HELM_VER=$(controller_version helm-controller)
|
||||||
|
curl -# -Lf "https://raw.githubusercontent.com/fluxcd/helm-controller/$HELM_VER/docs/api/helmrelease.md" > docs/components/helm/api.md
|
||||||
|
curl -# -Lf "https://raw.githubusercontent.com/fluxcd/helm-controller/$HELM_VER/docs/spec/v2beta1/helmreleases.md" > docs/components/helm/helmreleases.md
|
||||||
|
}
|
||||||
|
|
||||||
|
{
|
||||||
|
# notification-controller CRDs
|
||||||
|
NOTIFICATION_VER=$(controller_version notification-controller)
|
||||||
|
curl -# -Lf "https://raw.githubusercontent.com/fluxcd/notification-controller/$NOTIFICATION_VER/docs/api/notification.md" > docs/components/notification/api.md
|
||||||
|
curl -# -Lf "https://raw.githubusercontent.com/fluxcd/notification-controller/$NOTIFICATION_VER/docs/spec/v1beta1/event.md" > docs/components/notification/event.md
|
||||||
|
curl -# -Lf "https://raw.githubusercontent.com/fluxcd/notification-controller/$NOTIFICATION_VER/docs/spec/v1beta1/alert.md" > docs/components/notification/alert.md
|
||||||
|
curl -# -Lf "https://raw.githubusercontent.com/fluxcd/notification-controller/$NOTIFICATION_VER/docs/spec/v1beta1/provider.md" > docs/components/notification/provider.md
|
||||||
|
curl -# -Lf "https://raw.githubusercontent.com/fluxcd/notification-controller/$NOTIFICATION_VER/docs/spec/v1beta1/receiver.md" > docs/components/notification/receiver.md
|
||||||
|
}
|
||||||
|
|
||||||
|
{
|
||||||
|
# install script
|
||||||
|
cp install/flux.sh docs/install.sh
|
||||||
|
}
|
||||||
|
- name: Deploy docs
|
||||||
|
uses: mhausenblas/mkdocs-deploy-gh-pages@master
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
CUSTOM_DOMAIN: toolkit.fluxcd.io
|
||||||
@ -1,93 +0,0 @@
|
|||||||
name: e2e-azure
|
|
||||||
|
|
||||||
on:
|
|
||||||
workflow_dispatch:
|
|
||||||
schedule:
|
|
||||||
- cron: '0 6 * * *'
|
|
||||||
push:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
paths:
|
|
||||||
- 'tests/**'
|
|
||||||
- '.github/workflows/e2e-azure.yaml'
|
|
||||||
pull_request:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
paths:
|
|
||||||
- 'tests/**'
|
|
||||||
- '.github/workflows/e2e-azure.yaml'
|
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
e2e-aks:
|
|
||||||
runs-on: ubuntu-22.04
|
|
||||||
defaults:
|
|
||||||
run:
|
|
||||||
working-directory: ./tests/integration
|
|
||||||
# This job is currently disabled. Remove the false check when Azure subscription is enabled.
|
|
||||||
if: false && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
|
|
||||||
steps:
|
|
||||||
- name: CheckoutD
|
|
||||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
||||||
- name: Setup Go
|
|
||||||
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
|
|
||||||
with:
|
|
||||||
go-version: 1.23.x
|
|
||||||
cache-dependency-path: tests/integration/go.sum
|
|
||||||
- name: Setup Terraform
|
|
||||||
uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
|
|
||||||
- name: Setup Flux CLI
|
|
||||||
run: make build
|
|
||||||
working-directory: ./
|
|
||||||
- name: Setup SOPS
|
|
||||||
run: |
|
|
||||||
mkdir -p $HOME/.local/bin
|
|
||||||
wget -O $HOME/.local/bin/sops https://github.com/mozilla/sops/releases/download/v$SOPS_VER/sops-v$SOPS_VER.linux
|
|
||||||
chmod +x $HOME/.local/bin/sops
|
|
||||||
env:
|
|
||||||
SOPS_VER: 3.7.1
|
|
||||||
- name: Authenticate to Azure
|
|
||||||
uses: Azure/login@a65d910e8af852a8061c627c456678983e180302 # v1.4.6
|
|
||||||
with:
|
|
||||||
creds: '{"clientId":"${{ secrets.AZ_ARM_CLIENT_ID }}","clientSecret":"${{ secrets.AZ_ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZ_ARM_TENANT_ID }}"}'
|
|
||||||
- name: Set dynamic variables in .env
|
|
||||||
run: |
|
|
||||||
cat > .env <<EOF
|
|
||||||
export TF_VAR_tags='{ "environment"="github", "ci"="true", "repo"="flux2", "createdat"="$(date -u +x%Y-%m-%d_%Hh%Mm%Ss)" }'
|
|
||||||
EOF
|
|
||||||
- name: Print .env for dynamic tag value reference
|
|
||||||
run: cat .env
|
|
||||||
- name: Run Azure e2e tests
|
|
||||||
env:
|
|
||||||
ARM_CLIENT_ID: ${{ secrets.AZ_ARM_CLIENT_ID }}
|
|
||||||
ARM_CLIENT_SECRET: ${{ secrets.AZ_ARM_CLIENT_SECRET }}
|
|
||||||
ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}
|
|
||||||
ARM_TENANT_ID: ${{ secrets.AZ_ARM_TENANT_ID }}
|
|
||||||
TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
|
|
||||||
TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
|
|
||||||
TF_VAR_location: ${{ vars.TF_VAR_azure_location }}
|
|
||||||
GITREPO_SSH_CONTENTS: ${{ secrets.AZURE_GITREPO_SSH_CONTENTS }}
|
|
||||||
GITREPO_SSH_PUB_CONTENTS: ${{ secrets.AZURE_GITREPO_SSH_PUB_CONTENTS }}
|
|
||||||
run: |
|
|
||||||
source .env
|
|
||||||
mkdir -p ./build/ssh
|
|
||||||
touch ./build/ssh/key
|
|
||||||
echo $GITREPO_SSH_CONTENTS | base64 -d > build/ssh/key
|
|
||||||
export GITREPO_SSH_PATH=build/ssh/key
|
|
||||||
touch ./build/ssh/key.pub
|
|
||||||
echo $GITREPO_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub
|
|
||||||
export GITREPO_SSH_PUB_PATH=build/ssh/key.pub
|
|
||||||
make test-azure
|
|
||||||
- name: Ensure resource cleanup
|
|
||||||
if: ${{ always() }}
|
|
||||||
env:
|
|
||||||
ARM_CLIENT_ID: ${{ secrets.AZ_ARM_CLIENT_ID }}
|
|
||||||
ARM_CLIENT_SECRET: ${{ secrets.AZ_ARM_CLIENT_SECRET }}
|
|
||||||
ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}
|
|
||||||
ARM_TENANT_ID: ${{ secrets.AZ_ARM_TENANT_ID }}
|
|
||||||
TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
|
|
||||||
TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
|
|
||||||
TF_VAR_location: ${{ vars.TF_VAR_azure_location }}
|
|
||||||
run: source .env && make destroy-azure
|
|
||||||
@ -1,128 +0,0 @@
|
|||||||
name: e2e-bootstrap
|
|
||||||
|
|
||||||
on:
|
|
||||||
workflow_dispatch:
|
|
||||||
push:
|
|
||||||
branches: [ 'main', 'release/**' ]
|
|
||||||
pull_request:
|
|
||||||
branches: [ 'main', 'release/**' ]
|
|
||||||
paths-ignore: [ 'docs/**', 'rfcs/**' ]
|
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
e2e-boostrap-github:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
|
|
||||||
steps:
|
|
||||||
- name: Checkout
|
|
||||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
||||||
- name: Setup Go
|
|
||||||
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
|
|
||||||
with:
|
|
||||||
go-version: 1.23.x
|
|
||||||
cache-dependency-path: |
|
|
||||||
**/go.sum
|
|
||||||
**/go.mod
|
|
||||||
- name: Setup Kubernetes
|
|
||||||
uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
|
|
||||||
with:
|
|
||||||
version: v0.24.0
|
|
||||||
cluster_name: kind
|
|
||||||
# The versions below should target the newest Kubernetes version
|
|
||||||
# Keep this up-to-date with https://endoflife.date/kubernetes
|
|
||||||
node_image: ghcr.io/fluxcd/kindest/node:v1.31.0-amd64
|
|
||||||
kubectl_version: v1.31.0
|
|
||||||
- name: Setup Kustomize
|
|
||||||
uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
|
|
||||||
- name: Setup yq
|
|
||||||
uses: fluxcd/pkg/actions/yq@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
|
|
||||||
- name: Build
|
|
||||||
run: make build-dev
|
|
||||||
- name: Set outputs
|
|
||||||
id: vars
|
|
||||||
run: |
|
|
||||||
REPOSITORY_NAME=${{ github.event.repository.name }}
|
|
||||||
BRANCH_NAME=${GITHUB_REF##*/}
|
|
||||||
COMMIT_SHA=$(git rev-parse HEAD)
|
|
||||||
PSEUDO_RAND_SUFFIX=$(echo "${BRANCH_NAME}-${COMMIT_SHA}" | shasum | awk '{print $1}')
|
|
||||||
TEST_REPO_NAME="${REPOSITORY_NAME}-${PSEUDO_RAND_SUFFIX}"
|
|
||||||
echo "test_repo_name=$TEST_REPO_NAME" >> $GITHUB_OUTPUT
|
|
||||||
- name: bootstrap init
|
|
||||||
run: |
|
|
||||||
./bin/flux bootstrap github --manifests ./manifests/install/ \
|
|
||||||
--owner=fluxcd-testing \
|
|
||||||
--image-pull-secret=ghcr-auth \
|
|
||||||
--registry-creds=fluxcd:$GITHUB_TOKEN \
|
|
||||||
--repository=${{ steps.vars.outputs.test_repo_name }} \
|
|
||||||
--branch=main \
|
|
||||||
--path=test-cluster \
|
|
||||||
--team=team-z
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
|
|
||||||
- name: verify image pull secret
|
|
||||||
run: |
|
|
||||||
kubectl -n flux-system get secret ghcr-auth | grep dockerconfigjson
|
|
||||||
- name: bootstrap no-op
|
|
||||||
run: |
|
|
||||||
./bin/flux bootstrap github --manifests ./manifests/install/ \
|
|
||||||
--owner=fluxcd-testing \
|
|
||||||
--image-pull-secret=ghcr-auth \
|
|
||||||
--repository=${{ steps.vars.outputs.test_repo_name }} \
|
|
||||||
--branch=main \
|
|
||||||
--path=test-cluster \
|
|
||||||
--team=team-z
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
|
|
||||||
- name: bootstrap customize
|
|
||||||
run: |
|
|
||||||
make setup-bootstrap-patch
|
|
||||||
./bin/flux bootstrap github --manifests ./manifests/install/ \
|
|
||||||
--owner=fluxcd-testing \
|
|
||||||
--repository=${{ steps.vars.outputs.test_repo_name }} \
|
|
||||||
--branch=main \
|
|
||||||
--path=test-cluster \
|
|
||||||
--team=team-z
|
|
||||||
if [ $(kubectl get deployments.apps source-controller -o jsonpath='{.spec.template.spec.securityContext.runAsUser}') != "10000" ]; then
|
|
||||||
echo "Bootstrap not customized as controller is not running as user 10000" && exit 1
|
|
||||||
fi
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
|
|
||||||
GITHUB_REPO_NAME: ${{ steps.vars.outputs.test_repo_name }}
|
|
||||||
GITHUB_ORG_NAME: fluxcd-testing
|
|
||||||
- name: uninstall
|
|
||||||
run: |
|
|
||||||
./bin/flux uninstall -s --keep-namespace
|
|
||||||
kubectl delete ns flux-system --timeout=10m --wait=true
|
|
||||||
- name: test image automation
|
|
||||||
run: |
|
|
||||||
make setup-image-automation
|
|
||||||
./bin/flux bootstrap github --manifests ./manifests/install/ \
|
|
||||||
--owner=fluxcd-testing \
|
|
||||||
--repository=${{ steps.vars.outputs.test_repo_name }} \
|
|
||||||
--branch=main \
|
|
||||||
--path=test-cluster \
|
|
||||||
--read-write-key
|
|
||||||
./bin/flux reconcile image repository podinfo
|
|
||||||
./bin/flux reconcile image update flux-system
|
|
||||||
./bin/flux get images all
|
|
||||||
kubectl -n flux-system get -o yaml ImageUpdateAutomation flux-system | \
|
|
||||||
yq '.status.lastPushCommit | length > 1' | grep 'true'
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
|
|
||||||
GITHUB_REPO_NAME: ${{ steps.vars.outputs.test_repo_name }}
|
|
||||||
GITHUB_ORG_NAME: fluxcd-testing
|
|
||||||
- name: delete repository
|
|
||||||
if: ${{ always() }}
|
|
||||||
continue-on-error: true
|
|
||||||
run: |
|
|
||||||
gh repo delete fluxcd-testing/${{ steps.vars.outputs.test_repo_name }} --yes
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
|
|
||||||
- name: Debug failure
|
|
||||||
if: failure()
|
|
||||||
run: |
|
|
||||||
kubectl -n flux-system get all
|
|
||||||
kubectl -n flux-system logs deploy/source-controller
|
|
||||||
kubectl -n flux-system logs deploy/kustomize-controller
|
|
||||||
@ -1,104 +0,0 @@
|
|||||||
name: e2e-gcp
|
|
||||||
|
|
||||||
on:
|
|
||||||
workflow_dispatch:
|
|
||||||
schedule:
|
|
||||||
- cron: '0 6 * * *'
|
|
||||||
push:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
paths:
|
|
||||||
- 'tests/**'
|
|
||||||
- '.github/workflows/e2e-gcp.yaml'
|
|
||||||
pull_request:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
paths:
|
|
||||||
- 'tests/**'
|
|
||||||
- '.github/workflows/e2e-gcp.yaml'
|
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
e2e-gcp:
|
|
||||||
runs-on: ubuntu-22.04
|
|
||||||
defaults:
|
|
||||||
run:
|
|
||||||
working-directory: ./tests/integration
|
|
||||||
if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
|
|
||||||
steps:
|
|
||||||
- name: Checkout
|
|
||||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
||||||
- name: Setup Go
|
|
||||||
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
|
|
||||||
with:
|
|
||||||
go-version: 1.23.x
|
|
||||||
cache-dependency-path: tests/integration/go.sum
|
|
||||||
- name: Setup Terraform
|
|
||||||
uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
|
|
||||||
- name: Setup Flux CLI
|
|
||||||
run: make build
|
|
||||||
working-directory: ./
|
|
||||||
- name: Setup SOPS
|
|
||||||
run: |
|
|
||||||
mkdir -p $HOME/.local/bin
|
|
||||||
wget -O $HOME/.local/bin/sops https://github.com/mozilla/sops/releases/download/v$SOPS_VER/sops-v$SOPS_VER.linux
|
|
||||||
chmod +x $HOME/.local/bin/sops
|
|
||||||
env:
|
|
||||||
SOPS_VER: 3.7.1
|
|
||||||
- name: Authenticate to Google Cloud
|
|
||||||
uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
|
|
||||||
id: 'auth'
|
|
||||||
with:
|
|
||||||
credentials_json: '${{ secrets.FLUX2_E2E_GOOGLE_CREDENTIALS }}'
|
|
||||||
token_format: 'access_token'
|
|
||||||
- name: Setup gcloud
|
|
||||||
uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
|
|
||||||
- name: Setup QEMU
|
|
||||||
uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
|
|
||||||
- name: Setup Docker Buildx
|
|
||||||
uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
|
|
||||||
- name: Log into us-central1-docker.pkg.dev
|
|
||||||
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
|
|
||||||
with:
|
|
||||||
registry: us-central1-docker.pkg.dev
|
|
||||||
username: oauth2accesstoken
|
|
||||||
password: ${{ steps.auth.outputs.access_token }}
|
|
||||||
- name: Set dynamic variables in .env
|
|
||||||
run: |
|
|
||||||
cat > .env <<EOF
|
|
||||||
export TF_VAR_tags='{ "environment"="github", "ci"="true", "repo"="flux2", "createdat"="$(date -u +x%Y-%m-%d_%Hh%Mm%Ss)" }'
|
|
||||||
EOF
|
|
||||||
- name: Print .env for dynamic tag value reference
|
|
||||||
run: cat .env
|
|
||||||
- name: Run GCP e2e tests
|
|
||||||
env:
|
|
||||||
TF_VAR_gcp_project_id: ${{ vars.TF_VAR_gcp_project_id }}
|
|
||||||
TF_VAR_gcp_region: ${{ vars.TF_VAR_gcp_region }}
|
|
||||||
TF_VAR_gcp_zone: ${{ vars.TF_VAR_gcp_zone }}
|
|
||||||
TF_VAR_gcp_email: ${{ secrets.TF_VAR_gcp_email }}
|
|
||||||
TF_VAR_gcp_keyring: ${{ secrets.TF_VAR_gcp_keyring }}
|
|
||||||
TF_VAR_gcp_crypto_key: ${{ secrets.TF_VAR_gcp_crypto_key }}
|
|
||||||
GITREPO_SSH_CONTENTS: ${{ secrets.GCP_GITREPO_SSH_CONTENTS }}
|
|
||||||
GITREPO_SSH_PUB_CONTENTS: ${{ secrets.GCP_GITREPO_SSH_PUB_CONTENTS }}
|
|
||||||
run: |
|
|
||||||
source .env
|
|
||||||
mkdir -p ./build/ssh
|
|
||||||
touch ./build/ssh/key
|
|
||||||
echo $GITREPO_SSH_CONTENTS | base64 -d > build/ssh/key
|
|
||||||
export GITREPO_SSH_PATH=build/ssh/key
|
|
||||||
touch ./build/ssh/key.pub
|
|
||||||
echo $GITREPO_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub
|
|
||||||
export GITREPO_SSH_PUB_PATH=build/ssh/key.pub
|
|
||||||
make test-gcp
|
|
||||||
- name: Ensure resource cleanup
|
|
||||||
if: ${{ always() }}
|
|
||||||
env:
|
|
||||||
TF_VAR_gcp_project_id: ${{ vars.TF_VAR_gcp_project_id }}
|
|
||||||
TF_VAR_gcp_region: ${{ vars.TF_VAR_gcp_region }}
|
|
||||||
TF_VAR_gcp_zone: ${{ vars.TF_VAR_gcp_zone }}
|
|
||||||
TF_VAR_gcp_email: ${{ secrets.TF_VAR_gcp_email }}
|
|
||||||
TF_VAR_gcp_keyring: ${{ secrets.TF_VAR_gcp_keyring }}
|
|
||||||
TF_VAR_gcp_crypto_key: ${{ secrets.TF_VAR_gcp_crypto_key }}
|
|
||||||
run: source .env && make destroy-gcp
|
|
||||||
@ -0,0 +1,25 @@
|
|||||||
|
name: FOSSA
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
branches: [main]
|
||||||
|
pull_request:
|
||||||
|
branches: [main]
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
build:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v2
|
||||||
|
- uses: actions/setup-go@v2
|
||||||
|
with:
|
||||||
|
go-version: "^1.14.x"
|
||||||
|
- name: Add GOPATH to GITHUB_ENV
|
||||||
|
run: echo "GOPATH=$(go env GOPATH)" >>"$GITHUB_ENV"
|
||||||
|
- name: Add GOPATH to GITHUB_PATH
|
||||||
|
run: echo "$GOPATH/bin" >>"$GITHUB_PATH"
|
||||||
|
- name: Run FOSSA scan and upload build data
|
||||||
|
uses: fossa-contrib/fossa-action@v1
|
||||||
|
with:
|
||||||
|
# FOSSA Push-Only API Token
|
||||||
|
fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
|
||||||
|
github-token: ${{ github.token }}
|
||||||
@ -1,39 +0,0 @@
|
|||||||
name: ossf
|
|
||||||
on:
|
|
||||||
workflow_dispatch:
|
|
||||||
push:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
schedule:
|
|
||||||
# Weekly on Saturdays.
|
|
||||||
- cron: '30 1 * * 6'
|
|
||||||
|
|
||||||
permissions: read-all
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
scorecard:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
permissions:
|
|
||||||
security-events: write
|
|
||||||
id-token: write
|
|
||||||
actions: read
|
|
||||||
contents: read
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
||||||
- name: Run analysis
|
|
||||||
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
|
|
||||||
with:
|
|
||||||
results_file: results.sarif
|
|
||||||
results_format: sarif
|
|
||||||
repo_token: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
publish_results: true
|
|
||||||
- name: Upload artifact
|
|
||||||
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
|
|
||||||
with:
|
|
||||||
name: SARIF file
|
|
||||||
path: results.sarif
|
|
||||||
retention-days: 5
|
|
||||||
- name: Upload SARIF results
|
|
||||||
uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
|
|
||||||
with:
|
|
||||||
sarif_file: results.sarif
|
|
||||||
@ -0,0 +1,21 @@
|
|||||||
|
name: rebase
|
||||||
|
|
||||||
|
on:
|
||||||
|
pull_request:
|
||||||
|
types: [opened]
|
||||||
|
issue_comment:
|
||||||
|
types: [created]
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
rebase:
|
||||||
|
if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase') && (github.event.comment.author_association == 'CONTRIBUTOR' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'OWNER')
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Checkout the latest code
|
||||||
|
uses: actions/checkout@v2
|
||||||
|
with:
|
||||||
|
fetch-depth: 0
|
||||||
|
- name: Automatic Rebase
|
||||||
|
uses: cirrus-actions/rebase@1.3.1
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
|
||||||
@ -1,86 +0,0 @@
|
|||||||
name: scan
|
|
||||||
|
|
||||||
on:
|
|
||||||
workflow_dispatch:
|
|
||||||
push:
|
|
||||||
branches: [ 'main', 'release/**' ]
|
|
||||||
pull_request:
|
|
||||||
branches: [ 'main', 'release/**' ]
|
|
||||||
schedule:
|
|
||||||
- cron: '18 10 * * 3'
|
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
scan-fossa:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
if: github.actor != 'dependabot[bot]'
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
||||||
- name: Run FOSSA scan and upload build data
|
|
||||||
uses: fossa-contrib/fossa-action@cdc5065bcdee31a32e47d4585df72d66e8e941c2 # v3.0.0
|
|
||||||
with:
|
|
||||||
# FOSSA Push-Only API Token
|
|
||||||
fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
|
|
||||||
github-token: ${{ github.token }}
|
|
||||||
|
|
||||||
scan-snyk:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
permissions:
|
|
||||||
security-events: write
|
|
||||||
if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
||||||
- name: Setup Kustomize
|
|
||||||
uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
|
|
||||||
- name: Setup Go
|
|
||||||
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
|
|
||||||
with:
|
|
||||||
go-version-file: 'go.mod'
|
|
||||||
cache-dependency-path: |
|
|
||||||
**/go.sum
|
|
||||||
**/go.mod
|
|
||||||
- name: Download modules and build manifests
|
|
||||||
run: |
|
|
||||||
make tidy
|
|
||||||
make cmd/flux/.manifests.done
|
|
||||||
- uses: snyk/actions/setup@b98d498629f1c368650224d6d212bf7dfa89e4bf
|
|
||||||
- name: Run Snyk to check for vulnerabilities
|
|
||||||
continue-on-error: true
|
|
||||||
run: |
|
|
||||||
snyk test --all-projects --sarif-file-output=snyk.sarif
|
|
||||||
env:
|
|
||||||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
|
|
||||||
- name: Upload result to GitHub Code Scanning
|
|
||||||
continue-on-error: true
|
|
||||||
uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
|
|
||||||
with:
|
|
||||||
sarif_file: snyk.sarif
|
|
||||||
|
|
||||||
scan-codeql:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
permissions:
|
|
||||||
security-events: write
|
|
||||||
if: github.actor != 'dependabot[bot]'
|
|
||||||
steps:
|
|
||||||
- name: Checkout repository
|
|
||||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
||||||
- name: Setup Go
|
|
||||||
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
|
|
||||||
with:
|
|
||||||
go-version-file: 'go.mod'
|
|
||||||
cache-dependency-path: |
|
|
||||||
**/go.sum
|
|
||||||
**/go.mod
|
|
||||||
- name: Initialize CodeQL
|
|
||||||
uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
|
|
||||||
with:
|
|
||||||
languages: go
|
|
||||||
# xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
|
|
||||||
# xref: https://codeql.github.com/codeql-query-help/go/
|
|
||||||
queries: security-and-quality
|
|
||||||
- name: Autobuild
|
|
||||||
uses: github/codeql-action/autobuild@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
|
|
||||||
- name: Perform CodeQL Analysis
|
|
||||||
uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
|
|
||||||
@ -1,28 +0,0 @@
|
|||||||
name: sync-labels
|
|
||||||
on:
|
|
||||||
workflow_dispatch:
|
|
||||||
push:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
paths:
|
|
||||||
- .github/labels.yaml
|
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
labels:
|
|
||||||
name: Run sync
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
permissions:
|
|
||||||
issues: write
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
||||||
- uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2.3.3
|
|
||||||
with:
|
|
||||||
# Configuration file
|
|
||||||
config-file: |
|
|
||||||
https://raw.githubusercontent.com/fluxcd/community/main/.github/standard-labels.yaml
|
|
||||||
.github/labels.yaml
|
|
||||||
# Strictly declarative
|
|
||||||
delete-other-labels: true
|
|
||||||
@ -1,108 +0,0 @@
|
|||||||
name: update
|
|
||||||
|
|
||||||
on:
|
|
||||||
workflow_dispatch:
|
|
||||||
schedule:
|
|
||||||
- cron: "0 * * * *"
|
|
||||||
push:
|
|
||||||
branches: [main]
|
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
update-components:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
permissions:
|
|
||||||
contents: write
|
|
||||||
pull-requests: write
|
|
||||||
steps:
|
|
||||||
- name: Check out code
|
|
||||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
||||||
- name: Setup Go
|
|
||||||
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
|
|
||||||
with:
|
|
||||||
go-version: 1.23.x
|
|
||||||
cache-dependency-path: |
|
|
||||||
**/go.sum
|
|
||||||
**/go.mod
|
|
||||||
- name: Update component versions
|
|
||||||
id: update
|
|
||||||
run: |
|
|
||||||
PR_BODY=$(mktemp)
|
|
||||||
|
|
||||||
bump_version() {
|
|
||||||
local LATEST_VERSION=$(curl -s https://api.github.com/repos/fluxcd/$1/releases | jq -r 'sort_by(.published_at) | .[-1] | .tag_name')
|
|
||||||
local CTRL_VERSION=$(sed -n "s/.*$1\/releases\/download\/\(.*\)\/.*/\1/p;n" manifests/bases/$1/kustomization.yaml)
|
|
||||||
local CRD_VERSION=$(sed -n "s/.*$1\/releases\/download\/\(.*\)\/.*/\1/p" manifests/crds/kustomization.yaml)
|
|
||||||
local MOD_VERSION=$(go list -m -f '{{ .Version }}' "github.com/fluxcd/$1/api")
|
|
||||||
|
|
||||||
local changed=false
|
|
||||||
|
|
||||||
if [[ "${CTRL_VERSION}" != "${LATEST_VERSION}" ]]; then
|
|
||||||
sed -i "s/\($1\/releases\/download\/\)v.*\(\/.*\)/\1${LATEST_VERSION}\2/g" "manifests/bases/$1/kustomization.yaml"
|
|
||||||
changed=true
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ "${CRD_VERSION}" != "${LATEST_VERSION}" ]]; then
|
|
||||||
sed -i "s/\($1\/releases\/download\/\)v.*\(\/.*\)/\1${LATEST_VERSION}\2/g" "manifests/crds/kustomization.yaml"
|
|
||||||
changed=true
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ "${MOD_VERSION}" != "${LATEST_VERSION}" ]]; then
|
|
||||||
go mod edit -require="github.com/fluxcd/$1/api@${LATEST_VERSION}"
|
|
||||||
make tidy
|
|
||||||
changed=true
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ "$changed" == true ]]; then
|
|
||||||
echo "- $1 to ${LATEST_VERSION}" >> $PR_BODY
|
|
||||||
echo " https://github.com/fluxcd/$1/blob/${LATEST_VERSION}/CHANGELOG.md" >> $PR_BODY
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
{
|
|
||||||
# bump controller versions
|
|
||||||
bump_version helm-controller
|
|
||||||
bump_version kustomize-controller
|
|
||||||
bump_version source-controller
|
|
||||||
bump_version notification-controller
|
|
||||||
bump_version image-reflector-controller
|
|
||||||
bump_version image-automation-controller
|
|
||||||
|
|
||||||
# diff change
|
|
||||||
git diff
|
|
||||||
|
|
||||||
# export PR_BODY for PR and commit
|
|
||||||
# NB: this may look strange but it is the way it should be done to
|
|
||||||
# maintain our precious newlines
|
|
||||||
# Ref: https://github.com/github/docs/issues/21529
|
|
||||||
echo 'pr_body<<EOF' >> $GITHUB_OUTPUT
|
|
||||||
cat $PR_BODY >> $GITHUB_OUTPUT
|
|
||||||
echo 'EOF' >> $GITHUB_OUTPUT
|
|
||||||
}
|
|
||||||
|
|
||||||
- name: Create Pull Request
|
|
||||||
id: cpr
|
|
||||||
uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
|
|
||||||
with:
|
|
||||||
token: ${{ secrets.BOT_GITHUB_TOKEN }}
|
|
||||||
commit-message: |
|
|
||||||
Update toolkit components
|
|
||||||
|
|
||||||
${{ steps.update.outputs.pr_body }}
|
|
||||||
committer: GitHub <noreply@github.com>
|
|
||||||
author: fluxcdbot <fluxcdbot@users.noreply.github.com>
|
|
||||||
signoff: true
|
|
||||||
branch: update-components
|
|
||||||
title: Update toolkit components
|
|
||||||
body: |
|
|
||||||
${{ steps.update.outputs.pr_body }}
|
|
||||||
labels: |
|
|
||||||
dependencies
|
|
||||||
reviewers: ${{ secrets.ASSIGNEES }}
|
|
||||||
|
|
||||||
- name: Check output
|
|
||||||
run: |
|
|
||||||
echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
|
|
||||||
echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
|
|
||||||
@ -0,0 +1,76 @@
|
|||||||
|
name: Update Components
|
||||||
|
|
||||||
|
on:
|
||||||
|
workflow_dispatch:
|
||||||
|
schedule:
|
||||||
|
- cron: "0 * * * *"
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
update-components:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Check out code
|
||||||
|
uses: actions/checkout@v2
|
||||||
|
|
||||||
|
- name: Update component versions
|
||||||
|
id: update
|
||||||
|
run: |
|
||||||
|
PR_BODY=""
|
||||||
|
|
||||||
|
bump_version() {
|
||||||
|
local RELEASE_VERSION=$(curl -s https://api.github.com/repos/fluxcd/$1/releases | jq -r 'sort_by(.published_at) | .[-1] | .tag_name')
|
||||||
|
local CURRENT_VERSION=$(sed -n "s/.*$1\/archive\/\(.*\).zip.*/\1/p;n" manifests/bases/$1/kustomization.yaml)
|
||||||
|
|
||||||
|
if [[ "${RELEASE_VERSION}" != "${CURRENT_VERSION}" ]]; then
|
||||||
|
# bump kustomize
|
||||||
|
sed -i "s/\($1\/archive\/\)v.*\(.zip\/\/$1-\).*\(\/config.*\)/\1${RELEASE_VERSION}\2${RELEASE_VERSION/v}\3/g" "manifests/bases/$1/kustomization.yaml"
|
||||||
|
|
||||||
|
if [[ ! -z $(go list -m all | grep "github.com/fluxcd/$1/api" | awk '{print $2}') ]]; then
|
||||||
|
# bump go mod
|
||||||
|
go mod edit -require="github.com/fluxcd/$1/api@${RELEASE_VERSION}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
PR_BODY="$PR_BODY- $1 to ${RELEASE_VERSION}%0A"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
{
|
||||||
|
# bump controller versions
|
||||||
|
bump_version helm-controller
|
||||||
|
bump_version kustomize-controller
|
||||||
|
bump_version source-controller
|
||||||
|
bump_version notification-controller
|
||||||
|
bump_version image-reflector-controller
|
||||||
|
bump_version image-automation-controller
|
||||||
|
|
||||||
|
# add missing and remove unused modules
|
||||||
|
go mod tidy
|
||||||
|
|
||||||
|
# diff change
|
||||||
|
git diff
|
||||||
|
|
||||||
|
# export PR_BODY for PR
|
||||||
|
echo "::set-output name=pr_body::$PR_BODY"
|
||||||
|
}
|
||||||
|
|
||||||
|
- name: Create Pull Request
|
||||||
|
id: cpr
|
||||||
|
uses: peter-evans/create-pull-request@v3
|
||||||
|
with:
|
||||||
|
token: ${{ secrets.BOT_GITHUB_TOKEN }}
|
||||||
|
commit-message: Update toolkit components
|
||||||
|
committer: GitHub <noreply@github.com>
|
||||||
|
author: fluxcdbot <fluxcdbot@users.noreply.github.com>
|
||||||
|
title: Update toolkit components
|
||||||
|
body: |
|
||||||
|
${{ steps.update.outputs.pr_body }}
|
||||||
|
|
||||||
|
Auto-generated by [create-pull-request][1]
|
||||||
|
|
||||||
|
[1]: https://github.com/peter-evans/create-pull-request
|
||||||
|
branch: update-components
|
||||||
|
reviewers: ${{ secrets.ASSIGNEES }}
|
||||||
|
|
||||||
|
- name: Check output
|
||||||
|
run: |
|
||||||
|
echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
|
||||||
@ -1,5 +0,0 @@
|
|||||||
annotations:
|
|
||||||
- checks:
|
|
||||||
- dangerous-workflow
|
|
||||||
reasons:
|
|
||||||
- reason: not-applicable # This workflow does not run untrusted code, the bot will only backport a code if the a PR was approved and merged into main.
|
|
||||||
@ -1,21 +0,0 @@
|
|||||||
FROM alpine:3.21 AS builder
|
|
||||||
|
|
||||||
RUN apk add --no-cache ca-certificates curl
|
|
||||||
|
|
||||||
ARG ARCH=linux/amd64
|
|
||||||
ARG KUBECTL_VER=1.32.2
|
|
||||||
|
|
||||||
RUN curl -sL https://dl.k8s.io/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
|
|
||||||
-o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl
|
|
||||||
|
|
||||||
RUN kubectl version --client=true
|
|
||||||
|
|
||||||
FROM alpine:3.21 AS flux-cli
|
|
||||||
|
|
||||||
RUN apk add --no-cache ca-certificates
|
|
||||||
|
|
||||||
COPY --from=builder /usr/local/bin/kubectl /usr/local/bin/
|
|
||||||
COPY --chmod=755 flux /usr/local/bin/
|
|
||||||
|
|
||||||
USER 65534:65534
|
|
||||||
ENTRYPOINT [ "flux" ]
|
|
||||||
@ -0,0 +1,6 @@
|
|||||||
|
FROM stefanprodan/alpine-base:latest
|
||||||
|
|
||||||
|
COPY entrypoint.sh /entrypoint.sh
|
||||||
|
RUN chmod +x /entrypoint.sh
|
||||||
|
|
||||||
|
ENTRYPOINT ["/entrypoint.sh"]
|
||||||
@ -1,22 +1,89 @@
|
|||||||
# Flux GitHub Action
|
# Flux GitHub Action
|
||||||
|
|
||||||
To install the latest Flux CLI on Linux, macOS or Windows GitHub runners:
|
Usage:
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
steps:
|
steps:
|
||||||
- name: Setup Flux CLI
|
- name: Setup Flux CLI
|
||||||
uses: fluxcd/flux2/action@main
|
uses: fluxcd/flux2/action@main
|
||||||
|
- name: Run Flux commands
|
||||||
|
run: flux -v
|
||||||
|
```
|
||||||
|
|
||||||
|
This action places the `flux` binary inside your repository root under `bin/flux`.
|
||||||
|
You should add `bin/flux` to your `.gitignore` file, as in the following example:
|
||||||
|
|
||||||
|
```gitignore
|
||||||
|
# ignore flux binary
|
||||||
|
bin/flux
|
||||||
|
```
|
||||||
|
|
||||||
|
Note that this action can only be used on GitHub **Linux AMD64** runners.
|
||||||
|
|
||||||
|
### Automate Flux updates
|
||||||
|
|
||||||
|
Example workflow for updating Flux's components generated with `flux bootstrap --arch=amd64 --path=clusters/production`:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
name: update-flux
|
||||||
|
|
||||||
|
on:
|
||||||
|
workflow_dispatch:
|
||||||
|
schedule:
|
||||||
|
- cron: "0 * * * *"
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
components:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Check out code
|
||||||
|
uses: actions/checkout@v2
|
||||||
|
- name: Setup Flux CLI
|
||||||
|
uses: fluxcd/flux2/action@main
|
||||||
|
- name: Check for updates
|
||||||
|
id: update
|
||||||
|
run: |
|
||||||
|
flux install --arch=amd64 \
|
||||||
|
--export > ./clusters/production/flux-system/gotk-components.yaml
|
||||||
|
|
||||||
|
VERSION="$(flux -v)"
|
||||||
|
echo "::set-output name=flux_version::$VERSION"
|
||||||
|
- name: Create Pull Request
|
||||||
|
uses: peter-evans/create-pull-request@v3
|
||||||
with:
|
with:
|
||||||
version: 'latest'
|
token: ${{ secrets.GITHUB_TOKEN }}
|
||||||
- name: Run Flux CLI
|
branch: update-flux
|
||||||
run: flux version --client
|
commit-message: Update to ${{ steps.update.outputs.flux_version }}
|
||||||
|
title: Update to ${{ steps.update.outputs.flux_version }}
|
||||||
|
body: |
|
||||||
|
${{ steps.update.outputs.flux_version }}
|
||||||
```
|
```
|
||||||
|
|
||||||
The Flux GitHub Action can be used to automate various tasks in CI, such as:
|
### End-to-end testing
|
||||||
|
|
||||||
|
Example workflow for running Flux in Kubernetes Kind:
|
||||||
|
|
||||||
- [Automate Flux upgrades on clusters via Pull Requests](https://fluxcd.io/flux/flux-gh-action/#automate-flux-updates)
|
```yaml
|
||||||
- [Push Kubernetes manifests to container registries](https://fluxcd.io/flux/flux-gh-action/#push-kubernetes-manifests-to-container-registries)
|
name: e2e
|
||||||
- [Run end-to-end testing with Flux and Kubernetes Kind](https://fluxcd.io/flux/flux-gh-action/#end-to-end-testing)
|
|
||||||
|
|
||||||
For more information, please see the [Flux GitHub Action documentation](https://fluxcd.io/flux/flux-gh-action/).
|
on:
|
||||||
|
push:
|
||||||
|
branches:
|
||||||
|
- '*'
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
kubernetes:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Checkout
|
||||||
|
uses: actions/checkout@v2
|
||||||
|
- name: Setup Flux CLI
|
||||||
|
uses: fluxcd/flux2/action@main
|
||||||
|
- name: Setup Kubernetes Kind
|
||||||
|
uses: engineerd/setup-kind@v0.5.0
|
||||||
|
- name: Install Flux in Kubernetes Kind
|
||||||
|
run: flux install
|
||||||
|
```
|
||||||
|
|
||||||
|
A complete e2e testing workflow is available here
|
||||||
|
[flux2-kustomize-helm-example](https://github.com/fluxcd/flux2-kustomize-helm-example/blob/main/.github/workflows/e2e.yaml)
|
||||||
|
|||||||
@ -1,120 +1,15 @@
|
|||||||
name: Setup Flux CLI
|
name: 'kustomize'
|
||||||
description: A GitHub Action for installing the Flux CLI
|
description: 'A GitHub Action for running Flux commands'
|
||||||
author: Flux project
|
author: 'Flux project'
|
||||||
branding:
|
branding:
|
||||||
color: blue
|
icon: 'command'
|
||||||
icon: command
|
color: 'blue'
|
||||||
inputs:
|
inputs:
|
||||||
version:
|
version:
|
||||||
description: "Flux version e.g. 2.0.0 (defaults to latest stable release)"
|
description: 'strict semver'
|
||||||
required: false
|
|
||||||
arch:
|
|
||||||
description: "arch can be amd64, arm64 or arm"
|
|
||||||
required: false
|
|
||||||
deprecationMessage: "No longer required, action will now detect runner arch."
|
|
||||||
bindir:
|
|
||||||
description: "Alternative location for the Flux binary, defaults to path relative to $RUNNER_TOOL_CACHE."
|
|
||||||
required: false
|
|
||||||
token:
|
|
||||||
description: "Token used to authentication against the GitHub.com API. Defaults to the token from the GitHub context of the workflow."
|
|
||||||
required: false
|
required: false
|
||||||
runs:
|
runs:
|
||||||
using: composite
|
using: 'docker'
|
||||||
steps:
|
image: 'Dockerfile'
|
||||||
- name: "Download the binary to the runner's cache dir"
|
args:
|
||||||
shell: bash
|
- ${{ inputs.version }}
|
||||||
run: |
|
|
||||||
VERSION=${{ inputs.version }}
|
|
||||||
|
|
||||||
TOKEN=${{ inputs.token }}
|
|
||||||
if [[ -z "$TOKEN" ]]; then
|
|
||||||
TOKEN=${{ github.token }}
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ -z "$VERSION" ]] || [[ "$VERSION" = "latest" ]]; then
|
|
||||||
VERSION=$(curl -fsSL -H "Authorization: token ${TOKEN}" https://api.github.com/repos/fluxcd/flux2/releases/latest | grep tag_name | cut -d '"' -f 4)
|
|
||||||
fi
|
|
||||||
if [[ -z "$VERSION" ]]; then
|
|
||||||
echo "Unable to determine Flux CLI version"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
if [[ $VERSION = v* ]]; then
|
|
||||||
VERSION="${VERSION:1}"
|
|
||||||
fi
|
|
||||||
|
|
||||||
OS=$(echo "${RUNNER_OS}" | tr '[:upper:]' '[:lower:]')
|
|
||||||
if [[ "$OS" == "macos" ]]; then
|
|
||||||
OS="darwin"
|
|
||||||
fi
|
|
||||||
|
|
||||||
ARCH=$(echo "${RUNNER_ARCH}" | tr '[:upper:]' '[:lower:]')
|
|
||||||
if [[ "$ARCH" == "x64" ]]; then
|
|
||||||
ARCH="amd64"
|
|
||||||
elif [[ "$ARCH" == "x86" ]]; then
|
|
||||||
ARCH="386"
|
|
||||||
fi
|
|
||||||
|
|
||||||
FLUX_EXEC_FILE="flux"
|
|
||||||
if [[ "$OS" == "windows" ]]; then
|
|
||||||
FLUX_EXEC_FILE="${FLUX_EXEC_FILE}.exe"
|
|
||||||
fi
|
|
||||||
|
|
||||||
FLUX_TOOL_DIR=${{ inputs.bindir }}
|
|
||||||
if [[ -z "$FLUX_TOOL_DIR" ]]; then
|
|
||||||
FLUX_TOOL_DIR="${RUNNER_TOOL_CACHE}/flux2/${VERSION}/${OS}/${ARCH}"
|
|
||||||
fi
|
|
||||||
if [[ ! -x "$FLUX_TOOL_DIR/FLUX_EXEC_FILE" ]]; then
|
|
||||||
DL_DIR="$(mktemp -dt flux2-XXXXXX)"
|
|
||||||
trap 'rm -rf $DL_DIR' EXIT
|
|
||||||
|
|
||||||
echo "Downloading flux ${VERSION} for ${OS}/${ARCH}"
|
|
||||||
FLUX_TARGET_FILE="flux_${VERSION}_${OS}_${ARCH}.tar.gz"
|
|
||||||
if [[ "$OS" == "windows" ]]; then
|
|
||||||
FLUX_TARGET_FILE="flux_${VERSION}_${OS}_${ARCH}.zip"
|
|
||||||
fi
|
|
||||||
|
|
||||||
FLUX_CHECKSUMS_FILE="flux_${VERSION}_checksums.txt"
|
|
||||||
|
|
||||||
FLUX_DOWNLOAD_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/"
|
|
||||||
|
|
||||||
curl -fsSL -o "$DL_DIR/$FLUX_TARGET_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_TARGET_FILE"
|
|
||||||
curl -fsSL -o "$DL_DIR/$FLUX_CHECKSUMS_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_CHECKSUMS_FILE"
|
|
||||||
|
|
||||||
echo "Verifying checksum"
|
|
||||||
sum=""
|
|
||||||
if command -v openssl > /dev/null; then
|
|
||||||
sum=$(openssl sha256 "$DL_DIR/$FLUX_TARGET_FILE" | awk '{print $2}')
|
|
||||||
elif command -v sha256sum > /dev/null; then
|
|
||||||
sum=$(sha256sum "$DL_DIR/$FLUX_TARGET_FILE" | awk '{print $1}')
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ -z "$sum" ]]; then
|
|
||||||
echo "Neither openssl nor sha256sum found. Cannot calculate checksum."
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
expected_sum=$(grep " $FLUX_TARGET_FILE\$" "$DL_DIR/$FLUX_CHECKSUMS_FILE" | awk '{print $1}')
|
|
||||||
if [ "$sum" != "$expected_sum" ]; then
|
|
||||||
echo "SHA sum of ${FLUX_TARGET_FILE} does not match. Aborting."
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Installing flux to ${FLUX_TOOL_DIR}"
|
|
||||||
mkdir -p "$FLUX_TOOL_DIR"
|
|
||||||
|
|
||||||
if [[ "$OS" == "windows" ]]; then
|
|
||||||
unzip "$DL_DIR/$FLUX_TARGET_FILE" "$FLUX_EXEC_FILE" -d "$FLUX_TOOL_DIR"
|
|
||||||
else
|
|
||||||
tar xzf "$DL_DIR/$FLUX_TARGET_FILE" -C "$FLUX_TOOL_DIR" $FLUX_EXEC_FILE
|
|
||||||
fi
|
|
||||||
|
|
||||||
chmod +x "$FLUX_TOOL_DIR/$FLUX_EXEC_FILE"
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Adding flux to path"
|
|
||||||
echo "$FLUX_TOOL_DIR" >> "$GITHUB_PATH"
|
|
||||||
|
|
||||||
- name: "Print installed flux version"
|
|
||||||
shell: bash
|
|
||||||
run: |
|
|
||||||
flux -v
|
|
||||||
|
|||||||
@ -0,0 +1,40 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Copyright 2020 The Flux authors
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
set -e
|
||||||
|
|
||||||
|
VERSION=$1
|
||||||
|
|
||||||
|
if [ -z $VERSION ]; then
|
||||||
|
# Find latest release if no version is specified
|
||||||
|
VERSION=$(curl https://api.github.com/repos/fluxcd/flux2/releases/latest -sL | grep tag_name | sed -E 's/.*"([^"]+)".*/\1/' | cut -c 2-)
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Download linux binary
|
||||||
|
BIN_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_amd64.tar.gz"
|
||||||
|
curl -sL $BIN_URL | tar xz
|
||||||
|
|
||||||
|
# Copy binary to GitHub runner
|
||||||
|
mkdir -p $GITHUB_WORKSPACE/bin
|
||||||
|
mv ./flux $GITHUB_WORKSPACE/bin
|
||||||
|
chmod +x $GITHUB_WORKSPACE/bin/flux
|
||||||
|
|
||||||
|
# Print version
|
||||||
|
$GITHUB_WORKSPACE/bin/flux -v
|
||||||
|
|
||||||
|
# Add binary to GitHub runner path
|
||||||
|
echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
|
||||||
|
echo "$RUNNER_WORKSPACE/$(basename $GITHUB_REPOSITORY)/bin" >> $GITHUB_PATH
|
||||||
@ -1,57 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2021 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"sigs.k8s.io/controller-runtime/pkg/client"
|
|
||||||
|
|
||||||
notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
|
|
||||||
)
|
|
||||||
|
|
||||||
// notificationv1.Alert
|
|
||||||
|
|
||||||
var alertType = apiType{
|
|
||||||
kind: notificationv1.AlertKind,
|
|
||||||
humanKind: "alert",
|
|
||||||
groupVersion: notificationv1.GroupVersion,
|
|
||||||
}
|
|
||||||
|
|
||||||
type alertAdapter struct {
|
|
||||||
*notificationv1.Alert
|
|
||||||
}
|
|
||||||
|
|
||||||
func (a alertAdapter) asClientObject() client.Object {
|
|
||||||
return a.Alert
|
|
||||||
}
|
|
||||||
|
|
||||||
func (a alertAdapter) deepCopyClientObject() client.Object {
|
|
||||||
return a.Alert.DeepCopy()
|
|
||||||
}
|
|
||||||
|
|
||||||
// notificationv1.Alert
|
|
||||||
|
|
||||||
type alertListAdapter struct {
|
|
||||||
*notificationv1.AlertList
|
|
||||||
}
|
|
||||||
|
|
||||||
func (a alertListAdapter) asClientList() client.ObjectList {
|
|
||||||
return a.AlertList
|
|
||||||
}
|
|
||||||
|
|
||||||
func (a alertListAdapter) len() int {
|
|
||||||
return len(a.AlertList.Items)
|
|
||||||
}
|
|
||||||
@ -1,57 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2021 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"sigs.k8s.io/controller-runtime/pkg/client"
|
|
||||||
|
|
||||||
notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
|
|
||||||
)
|
|
||||||
|
|
||||||
// notificationv1.Provider
|
|
||||||
|
|
||||||
var alertProviderType = apiType{
|
|
||||||
kind: notificationv1.ProviderKind,
|
|
||||||
humanKind: "alert provider",
|
|
||||||
groupVersion: notificationv1.GroupVersion,
|
|
||||||
}
|
|
||||||
|
|
||||||
type alertProviderAdapter struct {
|
|
||||||
*notificationv1.Provider
|
|
||||||
}
|
|
||||||
|
|
||||||
func (a alertProviderAdapter) asClientObject() client.Object {
|
|
||||||
return a.Provider
|
|
||||||
}
|
|
||||||
|
|
||||||
func (a alertProviderAdapter) deepCopyClientObject() client.Object {
|
|
||||||
return a.Provider.DeepCopy()
|
|
||||||
}
|
|
||||||
|
|
||||||
// notificationv1.Provider
|
|
||||||
|
|
||||||
type alertProviderListAdapter struct {
|
|
||||||
*notificationv1.ProviderList
|
|
||||||
}
|
|
||||||
|
|
||||||
func (a alertProviderListAdapter) asClientList() client.ObjectList {
|
|
||||||
return a.ProviderList
|
|
||||||
}
|
|
||||||
|
|
||||||
func (a alertProviderListAdapter) len() int {
|
|
||||||
return len(a.ProviderList.Items)
|
|
||||||
}
|
|
||||||
@ -1,298 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2021 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
"fmt"
|
|
||||||
"os"
|
|
||||||
"time"
|
|
||||||
|
|
||||||
"github.com/fluxcd/pkg/git"
|
|
||||||
"github.com/fluxcd/pkg/git/gogit"
|
|
||||||
"github.com/spf13/cobra"
|
|
||||||
|
|
||||||
"github.com/fluxcd/flux2/v2/internal/flags"
|
|
||||||
"github.com/fluxcd/flux2/v2/internal/utils"
|
|
||||||
"github.com/fluxcd/flux2/v2/pkg/bootstrap"
|
|
||||||
"github.com/fluxcd/flux2/v2/pkg/bootstrap/provider"
|
|
||||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen"
|
|
||||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
|
|
||||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
|
|
||||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
|
|
||||||
)
|
|
||||||
|
|
||||||
var bootstrapBServerCmd = &cobra.Command{
|
|
||||||
Use: "bitbucket-server",
|
|
||||||
Short: "Deploy Flux on a cluster connected to a Bitbucket Server repository",
|
|
||||||
Long: `The bootstrap bitbucket-server command creates the Bitbucket Server repository if it doesn't exists and
|
|
||||||
commits the Flux manifests to the master branch.
|
|
||||||
Then it configures the target cluster to synchronize with the repository.
|
|
||||||
If the Flux components are present on the cluster,
|
|
||||||
the bootstrap command will perform an upgrade if needed.`,
|
|
||||||
Example: ` # Create a Bitbucket Server API token and export it as an env var
|
|
||||||
export BITBUCKET_TOKEN=<my-token>
|
|
||||||
|
|
||||||
# Run bootstrap for a private repository using HTTPS token authentication
|
|
||||||
flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --hostname=<domain> --token-auth --path=clusters/my-cluster
|
|
||||||
|
|
||||||
# Run bootstrap for a private repository using SSH authentication
|
|
||||||
flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --hostname=<domain> --path=clusters/my-cluster
|
|
||||||
|
|
||||||
# Run bootstrap for a public repository on a personal account
|
|
||||||
flux bootstrap bitbucket-server --owner=<user> --repository=<repository name> --private=false --personal --hostname=<domain> --token-auth --path=clusters/my-cluster
|
|
||||||
|
|
||||||
# Run bootstrap for an existing repository with a branch named main
|
|
||||||
flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --branch=main --hostname=<domain> --token-auth --path=clusters/my-cluster`,
|
|
||||||
RunE: bootstrapBServerCmdRun,
|
|
||||||
}
|
|
||||||
|
|
||||||
const (
|
|
||||||
bServerDefaultPermission = "push"
|
|
||||||
bServerTokenEnvVar = "BITBUCKET_TOKEN"
|
|
||||||
)
|
|
||||||
|
|
||||||
type bServerFlags struct {
|
|
||||||
owner string
|
|
||||||
repository string
|
|
||||||
interval time.Duration
|
|
||||||
personal bool
|
|
||||||
username string
|
|
||||||
private bool
|
|
||||||
hostname string
|
|
||||||
path flags.SafeRelativePath
|
|
||||||
teams []string
|
|
||||||
readWriteKey bool
|
|
||||||
reconcile bool
|
|
||||||
}
|
|
||||||
|
|
||||||
var bServerArgs bServerFlags
|
|
||||||
|
|
||||||
func init() {
|
|
||||||
bootstrapBServerCmd.Flags().StringVar(&bServerArgs.owner, "owner", "", "Bitbucket Server user or project name")
|
|
||||||
bootstrapBServerCmd.Flags().StringVar(&bServerArgs.repository, "repository", "", "Bitbucket Server repository name")
|
|
||||||
bootstrapBServerCmd.Flags().StringSliceVar(&bServerArgs.teams, "group", []string{}, "Bitbucket Server groups to be given write access (also accepts comma-separated values)")
|
|
||||||
bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.personal, "personal", false, "if true, the owner is assumed to be a Bitbucket Server user; otherwise a group")
|
|
||||||
bootstrapBServerCmd.Flags().StringVarP(&bServerArgs.username, "username", "u", "git", "authentication username")
|
|
||||||
bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.private, "private", true, "if true, the repository is setup or configured as private")
|
|
||||||
bootstrapBServerCmd.Flags().DurationVar(&bServerArgs.interval, "interval", time.Minute, "sync interval")
|
|
||||||
bootstrapBServerCmd.Flags().StringVar(&bServerArgs.hostname, "hostname", "", "Bitbucket Server hostname")
|
|
||||||
bootstrapBServerCmd.Flags().Var(&bServerArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
|
|
||||||
bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
|
|
||||||
bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")
|
|
||||||
|
|
||||||
bootstrapCmd.AddCommand(bootstrapBServerCmd)
|
|
||||||
}
|
|
||||||
|
|
||||||
func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
|
|
||||||
bitbucketToken := os.Getenv(bServerTokenEnvVar)
|
|
||||||
if bitbucketToken == "" {
|
|
||||||
var err error
|
|
||||||
bitbucketToken, err = readPasswordFromStdin("Please enter your Bitbucket personal access token (PAT): ")
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("could not read token: %w", err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if bServerArgs.hostname == "" {
|
|
||||||
return fmt.Errorf("invalid hostname %q", bServerArgs.hostname)
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := bootstrapValidate(); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
|
|
||||||
defer cancel()
|
|
||||||
|
|
||||||
kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
if !bootstrapArgs.force {
|
|
||||||
err = confirmBootstrap(ctx, kubeClient)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Manifest base
|
|
||||||
if ver, err := getVersion(bootstrapArgs.version); err != nil {
|
|
||||||
return err
|
|
||||||
} else {
|
|
||||||
bootstrapArgs.version = ver
|
|
||||||
}
|
|
||||||
manifestsBase, err := buildEmbeddedManifestBase()
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
defer os.RemoveAll(manifestsBase)
|
|
||||||
|
|
||||||
user := bServerArgs.username
|
|
||||||
if bServerArgs.personal {
|
|
||||||
user = bServerArgs.owner
|
|
||||||
}
|
|
||||||
|
|
||||||
var caBundle []byte
|
|
||||||
if bootstrapArgs.caFile != "" {
|
|
||||||
var err error
|
|
||||||
caBundle, err = os.ReadFile(bootstrapArgs.caFile)
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("unable to read TLS CA file: %w", err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Build Bitbucket Server provider
|
|
||||||
providerCfg := provider.Config{
|
|
||||||
Provider: provider.GitProviderStash,
|
|
||||||
Hostname: bServerArgs.hostname,
|
|
||||||
Username: user,
|
|
||||||
Token: bitbucketToken,
|
|
||||||
CaBundle: caBundle,
|
|
||||||
}
|
|
||||||
|
|
||||||
providerClient, err := provider.BuildGitProvider(providerCfg)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
// Lazy go-git repository
|
|
||||||
tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("failed to create temporary working dir: %w", err)
|
|
||||||
}
|
|
||||||
defer os.RemoveAll(tmpDir)
|
|
||||||
|
|
||||||
clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()}
|
|
||||||
gitClient, err := gogit.NewClient(tmpDir, &git.AuthOptions{
|
|
||||||
Transport: git.HTTPS,
|
|
||||||
Username: user,
|
|
||||||
Password: bitbucketToken,
|
|
||||||
CAFile: caBundle,
|
|
||||||
}, clientOpts...)
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("failed to create a Git client: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
// Install manifest config
|
|
||||||
installOptions := install.Options{
|
|
||||||
BaseURL: rootArgs.defaults.BaseURL,
|
|
||||||
Version: bootstrapArgs.version,
|
|
||||||
Namespace: *kubeconfigArgs.Namespace,
|
|
||||||
Components: bootstrapComponents(),
|
|
||||||
Registry: bootstrapArgs.registry,
|
|
||||||
RegistryCredential: bootstrapArgs.registryCredential,
|
|
||||||
ImagePullSecret: bootstrapArgs.imagePullSecret,
|
|
||||||
WatchAllNamespaces: bootstrapArgs.watchAllNamespaces,
|
|
||||||
NetworkPolicy: bootstrapArgs.networkPolicy,
|
|
||||||
LogLevel: bootstrapArgs.logLevel.String(),
|
|
||||||
NotificationController: rootArgs.defaults.NotificationController,
|
|
||||||
ManifestFile: rootArgs.defaults.ManifestFile,
|
|
||||||
Timeout: rootArgs.timeout,
|
|
||||||
TargetPath: bServerArgs.path.ToSlash(),
|
|
||||||
ClusterDomain: bootstrapArgs.clusterDomain,
|
|
||||||
TolerationKeys: bootstrapArgs.tolerationKeys,
|
|
||||||
}
|
|
||||||
if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
|
|
||||||
installOptions.BaseURL = customBaseURL
|
|
||||||
}
|
|
||||||
|
|
||||||
// Source generation and secret config
|
|
||||||
secretOpts := sourcesecret.Options{
|
|
||||||
Name: bootstrapArgs.secretName,
|
|
||||||
Namespace: *kubeconfigArgs.Namespace,
|
|
||||||
TargetPath: bServerArgs.path.String(),
|
|
||||||
ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
|
|
||||||
}
|
|
||||||
if bootstrapArgs.tokenAuth {
|
|
||||||
if bServerArgs.personal {
|
|
||||||
secretOpts.Username = bServerArgs.owner
|
|
||||||
} else {
|
|
||||||
secretOpts.Username = bServerArgs.username
|
|
||||||
}
|
|
||||||
secretOpts.Password = bitbucketToken
|
|
||||||
secretOpts.CACrt = caBundle
|
|
||||||
} else {
|
|
||||||
keypair, err := sourcesecret.LoadKeyPairFromPath(bootstrapArgs.privateKeyFile, gitArgs.password)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
secretOpts.Keypair = keypair
|
|
||||||
secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
|
|
||||||
secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
|
|
||||||
secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
|
|
||||||
|
|
||||||
secretOpts.SSHHostname = bServerArgs.hostname
|
|
||||||
if bootstrapArgs.sshHostname != "" {
|
|
||||||
secretOpts.SSHHostname = bootstrapArgs.sshHostname
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Sync manifest config
|
|
||||||
syncOpts := sync.Options{
|
|
||||||
Interval: bServerArgs.interval,
|
|
||||||
Name: *kubeconfigArgs.Namespace,
|
|
||||||
Namespace: *kubeconfigArgs.Namespace,
|
|
||||||
Branch: bootstrapArgs.branch,
|
|
||||||
Secret: bootstrapArgs.secretName,
|
|
||||||
TargetPath: bServerArgs.path.ToSlash(),
|
|
||||||
ManifestFile: sync.MakeDefaultOptions().ManifestFile,
|
|
||||||
RecurseSubmodules: bootstrapArgs.recurseSubmodules,
|
|
||||||
}
|
|
||||||
|
|
||||||
entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
// Bootstrap config
|
|
||||||
|
|
||||||
bootstrapOpts := []bootstrap.GitProviderOption{
|
|
||||||
bootstrap.WithProviderRepository(bServerArgs.owner, bServerArgs.repository, bServerArgs.personal),
|
|
||||||
bootstrap.WithBranch(bootstrapArgs.branch),
|
|
||||||
bootstrap.WithBootstrapTransportType("https"),
|
|
||||||
bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
|
|
||||||
bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
|
|
||||||
bootstrap.WithProviderTeamPermissions(mapTeamSlice(bServerArgs.teams, bServerDefaultPermission)),
|
|
||||||
bootstrap.WithReadWriteKeyPermissions(bServerArgs.readWriteKey),
|
|
||||||
bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
|
|
||||||
bootstrap.WithLogger(logger),
|
|
||||||
bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
|
|
||||||
}
|
|
||||||
if bootstrapArgs.sshHostname != "" {
|
|
||||||
bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
|
|
||||||
}
|
|
||||||
if bootstrapArgs.tokenAuth {
|
|
||||||
bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
|
|
||||||
}
|
|
||||||
if !bServerArgs.private {
|
|
||||||
bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
|
|
||||||
}
|
|
||||||
if bServerArgs.reconcile {
|
|
||||||
bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile())
|
|
||||||
}
|
|
||||||
|
|
||||||
// Setup bootstrapper with constructed configs
|
|
||||||
b, err := bootstrap.NewGitProviderBootstrapper(gitClient, providerClient, kubeClient, bootstrapOpts...)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
// Run
|
|
||||||
return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
|
|
||||||
}
|
|
||||||
@ -1,403 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2021 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
"fmt"
|
|
||||||
"net/url"
|
|
||||||
"os"
|
|
||||||
"strings"
|
|
||||||
"time"
|
|
||||||
|
|
||||||
"github.com/manifoldco/promptui"
|
|
||||||
"github.com/spf13/cobra"
|
|
||||||
corev1 "k8s.io/api/core/v1"
|
|
||||||
|
|
||||||
"github.com/fluxcd/pkg/git"
|
|
||||||
"github.com/fluxcd/pkg/git/gogit"
|
|
||||||
|
|
||||||
"github.com/fluxcd/flux2/v2/internal/flags"
|
|
||||||
"github.com/fluxcd/flux2/v2/internal/utils"
|
|
||||||
"github.com/fluxcd/flux2/v2/pkg/bootstrap"
|
|
||||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen"
|
|
||||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
|
|
||||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
|
|
||||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
|
|
||||||
)
|
|
||||||
|
|
||||||
var bootstrapGitCmd = &cobra.Command{
|
|
||||||
Use: "git",
|
|
||||||
Short: "Deploy Flux on a cluster connected to a Git repository",
|
|
||||||
Long: `The bootstrap git command commits the Flux manifests to the
|
|
||||||
branch of a Git repository. And then it configures the target cluster to synchronize with
|
|
||||||
that repository. If the Flux components are present on the cluster, the bootstrap
|
|
||||||
command will perform an upgrade if needed.`,
|
|
||||||
Example: ` # Run bootstrap for a Git repository and authenticate with your SSH agent
|
|
||||||
flux bootstrap git --url=ssh://git@example.com/repository.git --path=clusters/my-cluster
|
|
||||||
|
|
||||||
# Run bootstrap for a Git repository and authenticate using a password
|
|
||||||
flux bootstrap git --url=https://example.com/repository.git --password=<password> --path=clusters/my-cluster
|
|
||||||
|
|
||||||
# Run bootstrap for a Git repository and authenticate using a password from environment variable
|
|
||||||
GIT_PASSWORD=<password> && flux bootstrap git --url=https://example.com/repository.git --path=clusters/my-cluster
|
|
||||||
|
|
||||||
# Run bootstrap for a Git repository with a passwordless private key
|
|
||||||
flux bootstrap git --url=ssh://git@example.com/repository.git --private-key-file=<path/to/private.key> --path=clusters/my-cluster
|
|
||||||
|
|
||||||
# Run bootstrap for a Git repository with a private key and password
|
|
||||||
flux bootstrap git --url=ssh://git@example.com/repository.git --private-key-file=<path/to/private.key> --password=<password> --path=clusters/my-cluster
|
|
||||||
|
|
||||||
# Run bootstrap for a Git repository on AWS CodeCommit
|
|
||||||
flux bootstrap git --url=ssh://<SSH-Key-ID>@git-codecommit.<region>.amazonaws.com/v1/repos/<repository> --private-key-file=<path/to/private.key> --password=<SSH-passphrase> --path=clusters/my-cluster
|
|
||||||
|
|
||||||
# Run bootstrap for a Git repository on Azure Devops
|
|
||||||
flux bootstrap git --url=ssh://git@ssh.dev.azure.com/v3/<org>/<project>/<repository> --private-key-file=<path/to/rsa-sha2-private.key> --ssh-hostkey-algos=rsa-sha2-512,rsa-sha2-256 --path=clusters/my-cluster
|
|
||||||
|
|
||||||
# Run bootstrap for a Git repository on Oracle VBS
|
|
||||||
flux bootstrap git --url=https://repository_url.git --with-bearer-token=true --password=<PAT> --path=clusters/my-cluster
|
|
||||||
`,
|
|
||||||
RunE: bootstrapGitCmdRun,
|
|
||||||
}
|
|
||||||
|
|
||||||
type gitFlags struct {
|
|
||||||
url string
|
|
||||||
interval time.Duration
|
|
||||||
path flags.SafeRelativePath
|
|
||||||
username string
|
|
||||||
password string
|
|
||||||
silent bool
|
|
||||||
insecureHttpAllowed bool
|
|
||||||
withBearerToken bool
|
|
||||||
}
|
|
||||||
|
|
||||||
const (
|
|
||||||
gitPasswordEnvVar = "GIT_PASSWORD"
|
|
||||||
)
|
|
||||||
|
|
||||||
var gitArgs gitFlags
|
|
||||||
|
|
||||||
func init() {
|
|
||||||
bootstrapGitCmd.Flags().StringVar(&gitArgs.url, "url", "", "Git repository URL")
|
|
||||||
bootstrapGitCmd.Flags().DurationVar(&gitArgs.interval, "interval", time.Minute, "sync interval")
|
|
||||||
bootstrapGitCmd.Flags().Var(&gitArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
|
|
||||||
bootstrapGitCmd.Flags().StringVarP(&gitArgs.username, "username", "u", "git", "basic authentication username")
|
|
||||||
bootstrapGitCmd.Flags().StringVarP(&gitArgs.password, "password", "p", "", "basic authentication password")
|
|
||||||
bootstrapGitCmd.Flags().BoolVarP(&gitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
|
|
||||||
bootstrapGitCmd.Flags().BoolVar(&gitArgs.insecureHttpAllowed, "allow-insecure-http", false, "allows insecure HTTP connections")
|
|
||||||
bootstrapGitCmd.Flags().BoolVar(&gitArgs.withBearerToken, "with-bearer-token", false, "use password as bearer token for Authorization header")
|
|
||||||
|
|
||||||
bootstrapCmd.AddCommand(bootstrapGitCmd)
|
|
||||||
}
|
|
||||||
|
|
||||||
func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
|
|
||||||
if gitArgs.withBearerToken {
|
|
||||||
bootstrapArgs.tokenAuth = true
|
|
||||||
}
|
|
||||||
|
|
||||||
gitPassword := os.Getenv(gitPasswordEnvVar)
|
|
||||||
if gitPassword != "" && gitArgs.password == "" {
|
|
||||||
gitArgs.password = gitPassword
|
|
||||||
}
|
|
||||||
if bootstrapArgs.tokenAuth && gitArgs.password == "" {
|
|
||||||
var err error
|
|
||||||
gitPassword, err = readPasswordFromStdin("Please enter your Git repository password: ")
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("could not read token: %w", err)
|
|
||||||
}
|
|
||||||
gitArgs.password = gitPassword
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := bootstrapValidate(); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
repositoryURL, err := url.Parse(gitArgs.url)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
if strings.Contains(repositoryURL.Hostname(), "git-codecommit") && strings.Contains(repositoryURL.Hostname(), "amazonaws.com") {
|
|
||||||
if repositoryURL.Scheme == string(git.SSH) {
|
|
||||||
if repositoryURL.User == nil {
|
|
||||||
return fmt.Errorf("invalid AWS CodeCommit url: ssh username should be specified in the url")
|
|
||||||
}
|
|
||||||
if repositoryURL.User.Username() == git.DefaultPublicKeyAuthUser {
|
|
||||||
return fmt.Errorf("invalid AWS CodeCommit url: ssh username should be the SSH key ID for the provided private key")
|
|
||||||
}
|
|
||||||
if bootstrapArgs.privateKeyFile == "" {
|
|
||||||
return fmt.Errorf("private key file is required for bootstrapping against AWS CodeCommit using ssh")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if repositoryURL.Scheme == string(git.HTTPS) && !bootstrapArgs.tokenAuth {
|
|
||||||
return fmt.Errorf("--token-auth=true must be specified for using an HTTPS AWS CodeCommit url")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
|
|
||||||
defer cancel()
|
|
||||||
|
|
||||||
kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
if !bootstrapArgs.force {
|
|
||||||
err = confirmBootstrap(ctx, kubeClient)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Manifest base
|
|
||||||
if ver, err := getVersion(bootstrapArgs.version); err != nil {
|
|
||||||
return err
|
|
||||||
} else {
|
|
||||||
bootstrapArgs.version = ver
|
|
||||||
}
|
|
||||||
manifestsBase, err := buildEmbeddedManifestBase()
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
defer os.RemoveAll(manifestsBase)
|
|
||||||
|
|
||||||
// Lazy go-git repository
|
|
||||||
tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("failed to create temporary working dir: %w", err)
|
|
||||||
}
|
|
||||||
defer os.RemoveAll(tmpDir)
|
|
||||||
|
|
||||||
var caBundle []byte
|
|
||||||
if bootstrapArgs.caFile != "" {
|
|
||||||
var err error
|
|
||||||
caBundle, err = os.ReadFile(bootstrapArgs.caFile)
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("unable to read TLS CA file: %w", err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
authOpts, err := getAuthOpts(repositoryURL, caBundle)
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("failed to create authentication options for %s: %w", repositoryURL.String(), err)
|
|
||||||
}
|
|
||||||
|
|
||||||
clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()}
|
|
||||||
if gitArgs.insecureHttpAllowed {
|
|
||||||
clientOpts = append(clientOpts, gogit.WithInsecureCredentialsOverHTTP())
|
|
||||||
}
|
|
||||||
gitClient, err := gogit.NewClient(tmpDir, authOpts, clientOpts...)
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("failed to create a Git client: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
// Install manifest config
|
|
||||||
installOptions := install.Options{
|
|
||||||
BaseURL: rootArgs.defaults.BaseURL,
|
|
||||||
Version: bootstrapArgs.version,
|
|
||||||
Namespace: *kubeconfigArgs.Namespace,
|
|
||||||
Components: bootstrapComponents(),
|
|
||||||
Registry: bootstrapArgs.registry,
|
|
||||||
RegistryCredential: bootstrapArgs.registryCredential,
|
|
||||||
ImagePullSecret: bootstrapArgs.imagePullSecret,
|
|
||||||
WatchAllNamespaces: bootstrapArgs.watchAllNamespaces,
|
|
||||||
NetworkPolicy: bootstrapArgs.networkPolicy,
|
|
||||||
LogLevel: bootstrapArgs.logLevel.String(),
|
|
||||||
NotificationController: rootArgs.defaults.NotificationController,
|
|
||||||
ManifestFile: rootArgs.defaults.ManifestFile,
|
|
||||||
Timeout: rootArgs.timeout,
|
|
||||||
TargetPath: gitArgs.path.ToSlash(),
|
|
||||||
ClusterDomain: bootstrapArgs.clusterDomain,
|
|
||||||
TolerationKeys: bootstrapArgs.tolerationKeys,
|
|
||||||
}
|
|
||||||
if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
|
|
||||||
installOptions.BaseURL = customBaseURL
|
|
||||||
}
|
|
||||||
|
|
||||||
// Source generation and secret config
|
|
||||||
secretOpts := sourcesecret.Options{
|
|
||||||
Name: bootstrapArgs.secretName,
|
|
||||||
Namespace: *kubeconfigArgs.Namespace,
|
|
||||||
TargetPath: gitArgs.path.String(),
|
|
||||||
ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
|
|
||||||
}
|
|
||||||
|
|
||||||
if bootstrapArgs.tokenAuth {
|
|
||||||
if gitArgs.withBearerToken {
|
|
||||||
secretOpts.BearerToken = gitArgs.password
|
|
||||||
} else {
|
|
||||||
secretOpts.Username = gitArgs.username
|
|
||||||
secretOpts.Password = gitArgs.password
|
|
||||||
}
|
|
||||||
|
|
||||||
secretOpts.CACrt = caBundle
|
|
||||||
|
|
||||||
// Remove port of the given host when not syncing over HTTP/S to not assume port for protocol
|
|
||||||
// This _might_ be overwritten later on by e.g. --ssh-hostname
|
|
||||||
if repositoryURL.Scheme != "https" && repositoryURL.Scheme != "http" {
|
|
||||||
repositoryURL.Host = repositoryURL.Hostname()
|
|
||||||
}
|
|
||||||
|
|
||||||
// Configure repository URL to match auth config for sync.
|
|
||||||
repositoryURL.User = nil
|
|
||||||
if !gitArgs.insecureHttpAllowed {
|
|
||||||
repositoryURL.Scheme = "https"
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
|
|
||||||
secretOpts.Password = gitArgs.password
|
|
||||||
secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
|
|
||||||
secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
|
|
||||||
|
|
||||||
// Configure repository URL to match auth config for sync
|
|
||||||
|
|
||||||
// Override existing user when user is not already set
|
|
||||||
// or when a username was passed in
|
|
||||||
if repositoryURL.User == nil || gitArgs.username != "git" {
|
|
||||||
repositoryURL.User = url.User(gitArgs.username)
|
|
||||||
}
|
|
||||||
|
|
||||||
repositoryURL.Scheme = "ssh"
|
|
||||||
if bootstrapArgs.sshHostname != "" {
|
|
||||||
repositoryURL.Host = bootstrapArgs.sshHostname
|
|
||||||
}
|
|
||||||
|
|
||||||
keypair, err := sourcesecret.LoadKeyPairFromPath(bootstrapArgs.privateKeyFile, gitArgs.password)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
secretOpts.Keypair = keypair
|
|
||||||
|
|
||||||
// Configure last as it depends on the config above.
|
|
||||||
secretOpts.SSHHostname = repositoryURL.Host
|
|
||||||
}
|
|
||||||
|
|
||||||
// Sync manifest config
|
|
||||||
syncOpts := sync.Options{
|
|
||||||
Interval: gitArgs.interval,
|
|
||||||
Name: *kubeconfigArgs.Namespace,
|
|
||||||
Namespace: *kubeconfigArgs.Namespace,
|
|
||||||
URL: repositoryURL.String(),
|
|
||||||
Branch: bootstrapArgs.branch,
|
|
||||||
Secret: bootstrapArgs.secretName,
|
|
||||||
TargetPath: gitArgs.path.ToSlash(),
|
|
||||||
ManifestFile: sync.MakeDefaultOptions().ManifestFile,
|
|
||||||
RecurseSubmodules: bootstrapArgs.recurseSubmodules,
|
|
||||||
}
|
|
||||||
|
|
||||||
entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
// Bootstrap config
|
|
||||||
bootstrapOpts := []bootstrap.GitOption{
|
|
||||||
bootstrap.WithRepositoryURL(gitArgs.url),
|
|
||||||
bootstrap.WithBranch(bootstrapArgs.branch),
|
|
||||||
bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
|
|
||||||
bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
|
|
||||||
bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
|
|
||||||
bootstrap.WithPostGenerateSecretFunc(promptPublicKey),
|
|
||||||
bootstrap.WithLogger(logger),
|
|
||||||
bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
|
|
||||||
}
|
|
||||||
|
|
||||||
// Setup bootstrapper with constructed configs
|
|
||||||
b, err := bootstrap.NewPlainGitProvider(gitClient, kubeClient, bootstrapOpts...)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
// Run
|
|
||||||
return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
|
|
||||||
}
|
|
||||||
|
|
||||||
// getAuthOpts retruns a AuthOptions based on the scheme
|
|
||||||
// of the given URL and the configured flags. If the protocol equals
|
|
||||||
// "ssh" but no private key is configured, authentication using the local
|
|
||||||
// SSH-agent is attempted.
|
|
||||||
func getAuthOpts(u *url.URL, caBundle []byte) (*git.AuthOptions, error) {
|
|
||||||
switch u.Scheme {
|
|
||||||
case "http":
|
|
||||||
if !gitArgs.insecureHttpAllowed {
|
|
||||||
return nil, fmt.Errorf("scheme http is insecure, pass --allow-insecure-http=true to allow it")
|
|
||||||
}
|
|
||||||
httpAuth := git.AuthOptions{
|
|
||||||
Transport: git.HTTP,
|
|
||||||
}
|
|
||||||
if gitArgs.withBearerToken {
|
|
||||||
httpAuth.BearerToken = gitArgs.password
|
|
||||||
} else {
|
|
||||||
httpAuth.Username = gitArgs.username
|
|
||||||
httpAuth.Password = gitArgs.password
|
|
||||||
}
|
|
||||||
return &httpAuth, nil
|
|
||||||
case "https":
|
|
||||||
httpsAuth := git.AuthOptions{
|
|
||||||
Transport: git.HTTPS,
|
|
||||||
CAFile: caBundle,
|
|
||||||
}
|
|
||||||
if gitArgs.withBearerToken {
|
|
||||||
httpsAuth.BearerToken = gitArgs.password
|
|
||||||
} else {
|
|
||||||
httpsAuth.Username = gitArgs.username
|
|
||||||
httpsAuth.Password = gitArgs.password
|
|
||||||
}
|
|
||||||
return &httpsAuth, nil
|
|
||||||
case "ssh":
|
|
||||||
authOpts := &git.AuthOptions{
|
|
||||||
Transport: git.SSH,
|
|
||||||
Username: u.User.Username(),
|
|
||||||
Password: gitArgs.password,
|
|
||||||
}
|
|
||||||
if bootstrapArgs.privateKeyFile != "" {
|
|
||||||
pk, err := os.ReadFile(bootstrapArgs.privateKeyFile)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
kh, err := sourcesecret.ScanHostKey(u.Host)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
authOpts.Identity = pk
|
|
||||||
authOpts.KnownHosts = kh
|
|
||||||
}
|
|
||||||
return authOpts, nil
|
|
||||||
default:
|
|
||||||
return nil, fmt.Errorf("scheme %q is not supported", u.Scheme)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func promptPublicKey(ctx context.Context, secret corev1.Secret, _ sourcesecret.Options) error {
|
|
||||||
ppk, ok := secret.StringData[sourcesecret.PublicKeySecretKey]
|
|
||||||
if !ok {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
logger.Successf("public key: %s", strings.TrimSpace(ppk))
|
|
||||||
|
|
||||||
if !gitArgs.silent {
|
|
||||||
prompt := promptui.Prompt{
|
|
||||||
Label: "Please give the key access to your repository",
|
|
||||||
IsConfirm: true,
|
|
||||||
}
|
|
||||||
_, err := prompt.Run()
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("aborting")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
@ -1,276 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2023 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
"fmt"
|
|
||||||
"os"
|
|
||||||
"time"
|
|
||||||
|
|
||||||
"github.com/fluxcd/pkg/git"
|
|
||||||
"github.com/fluxcd/pkg/git/gogit"
|
|
||||||
"github.com/spf13/cobra"
|
|
||||||
|
|
||||||
"github.com/fluxcd/flux2/v2/internal/flags"
|
|
||||||
"github.com/fluxcd/flux2/v2/internal/utils"
|
|
||||||
"github.com/fluxcd/flux2/v2/pkg/bootstrap"
|
|
||||||
"github.com/fluxcd/flux2/v2/pkg/bootstrap/provider"
|
|
||||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen"
|
|
||||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
|
|
||||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
|
|
||||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
|
|
||||||
)
|
|
||||||
|
|
||||||
var bootstrapGiteaCmd = &cobra.Command{
|
|
||||||
Use: "gitea",
|
|
||||||
Short: "Deploy Flux on a cluster connected to a Gitea repository",
|
|
||||||
Long: `The bootstrap gitea command creates the Gitea repository if it doesn't exists and
|
|
||||||
commits the Flux manifests to the specified branch.
|
|
||||||
Then it configures the target cluster to synchronize with that repository.
|
|
||||||
If the Flux components are present on the cluster,
|
|
||||||
the bootstrap command will perform an upgrade if needed.`,
|
|
||||||
Example: ` # Create a Gitea personal access token and export it as an env var
|
|
||||||
export GITEA_TOKEN=<my-token>
|
|
||||||
|
|
||||||
# Run bootstrap for a private repository owned by a Gitea organization
|
|
||||||
flux bootstrap gitea --owner=<organization> --repository=<repository name> --path=clusters/my-cluster
|
|
||||||
|
|
||||||
# Run bootstrap for a private repository and assign organization teams to it
|
|
||||||
flux bootstrap gitea --owner=<organization> --repository=<repository name> --team=<team1 slug> --team=<team2 slug> --path=clusters/my-cluster
|
|
||||||
|
|
||||||
# Run bootstrap for a private repository and assign organization teams with their access level(e.g maintain, admin) to it
|
|
||||||
flux bootstrap gitea --owner=<organization> --repository=<repository name> --team=<team1 slug>:<access-level> --path=clusters/my-cluster
|
|
||||||
|
|
||||||
# Run bootstrap for a public repository on a personal account
|
|
||||||
flux bootstrap gitea --owner=<user> --repository=<repository name> --private=false --personal=true --path=clusters/my-cluster
|
|
||||||
|
|
||||||
# Run bootstrap for a private repository hosted on Gitea Enterprise using SSH auth
|
|
||||||
flux bootstrap gitea --owner=<organization> --repository=<repository name> --hostname=<domain> --ssh-hostname=<domain> --path=clusters/my-cluster
|
|
||||||
|
|
||||||
# Run bootstrap for a private repository hosted on Gitea Enterprise using HTTPS auth
|
|
||||||
flux bootstrap gitea --owner=<organization> --repository=<repository name> --hostname=<domain> --token-auth --path=clusters/my-cluster
|
|
||||||
|
|
||||||
# Run bootstrap for an existing repository with a branch named main
|
|
||||||
flux bootstrap gitea --owner=<organization> --repository=<repository name> --branch=main --path=clusters/my-cluster`,
|
|
||||||
RunE: bootstrapGiteaCmdRun,
|
|
||||||
}
|
|
||||||
|
|
||||||
type giteaFlags struct {
|
|
||||||
owner string
|
|
||||||
repository string
|
|
||||||
interval time.Duration
|
|
||||||
personal bool
|
|
||||||
private bool
|
|
||||||
hostname string
|
|
||||||
path flags.SafeRelativePath
|
|
||||||
teams []string
|
|
||||||
readWriteKey bool
|
|
||||||
reconcile bool
|
|
||||||
}
|
|
||||||
|
|
||||||
const (
|
|
||||||
gtDefaultPermission = "maintain"
|
|
||||||
gtDefaultDomain = "gitea.com"
|
|
||||||
gtTokenEnvVar = "GITEA_TOKEN"
|
|
||||||
)
|
|
||||||
|
|
||||||
var giteaArgs giteaFlags
|
|
||||||
|
|
||||||
func init() {
|
|
||||||
bootstrapGiteaCmd.Flags().StringVar(&giteaArgs.owner, "owner", "", "Gitea user or organization name")
|
|
||||||
bootstrapGiteaCmd.Flags().StringVar(&giteaArgs.repository, "repository", "", "Gitea repository name")
|
|
||||||
bootstrapGiteaCmd.Flags().StringSliceVar(&giteaArgs.teams, "team", []string{}, "Gitea team and the access to be given to it(team:maintain). Defaults to maintainer access if no access level is specified (also accepts comma-separated values)")
|
|
||||||
bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.personal, "personal", false, "if true, the owner is assumed to be a Gitea user; otherwise an org")
|
|
||||||
bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.private, "private", true, "if true, the repository is setup or configured as private")
|
|
||||||
bootstrapGiteaCmd.Flags().DurationVar(&giteaArgs.interval, "interval", time.Minute, "sync interval")
|
|
||||||
bootstrapGiteaCmd.Flags().StringVar(&giteaArgs.hostname, "hostname", gtDefaultDomain, "Gitea hostname")
|
|
||||||
bootstrapGiteaCmd.Flags().Var(&giteaArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
|
|
||||||
bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
|
|
||||||
bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")
|
|
||||||
|
|
||||||
bootstrapCmd.AddCommand(bootstrapGiteaCmd)
|
|
||||||
}
|
|
||||||
|
|
||||||
func bootstrapGiteaCmdRun(cmd *cobra.Command, args []string) error {
|
|
||||||
gtToken := os.Getenv(gtTokenEnvVar)
|
|
||||||
if gtToken == "" {
|
|
||||||
var err error
|
|
||||||
gtToken, err = readPasswordFromStdin("Please enter your Gitea personal access token (PAT): ")
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("could not read token: %w", err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := bootstrapValidate(); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
|
|
||||||
defer cancel()
|
|
||||||
|
|
||||||
kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
// Manifest base
|
|
||||||
if ver, err := getVersion(bootstrapArgs.version); err != nil {
|
|
||||||
return err
|
|
||||||
} else {
|
|
||||||
bootstrapArgs.version = ver
|
|
||||||
}
|
|
||||||
manifestsBase, err := buildEmbeddedManifestBase()
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
defer os.RemoveAll(manifestsBase)
|
|
||||||
|
|
||||||
var caBundle []byte
|
|
||||||
if bootstrapArgs.caFile != "" {
|
|
||||||
var err error
|
|
||||||
caBundle, err = os.ReadFile(bootstrapArgs.caFile)
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("unable to read TLS CA file: %w", err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
// Build Gitea provider
|
|
||||||
providerCfg := provider.Config{
|
|
||||||
Provider: provider.GitProviderGitea,
|
|
||||||
Hostname: giteaArgs.hostname,
|
|
||||||
Token: gtToken,
|
|
||||||
CaBundle: caBundle,
|
|
||||||
}
|
|
||||||
providerClient, err := provider.BuildGitProvider(providerCfg)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("failed to create temporary working dir: %w", err)
|
|
||||||
}
|
|
||||||
defer os.RemoveAll(tmpDir)
|
|
||||||
|
|
||||||
clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()}
|
|
||||||
gitClient, err := gogit.NewClient(tmpDir, &git.AuthOptions{
|
|
||||||
Transport: git.HTTPS,
|
|
||||||
Username: giteaArgs.owner,
|
|
||||||
Password: gtToken,
|
|
||||||
CAFile: caBundle,
|
|
||||||
}, clientOpts...)
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("failed to create a Git client: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
// Install manifest config
|
|
||||||
installOptions := install.Options{
|
|
||||||
BaseURL: rootArgs.defaults.BaseURL,
|
|
||||||
Version: bootstrapArgs.version,
|
|
||||||
Namespace: *kubeconfigArgs.Namespace,
|
|
||||||
Components: bootstrapComponents(),
|
|
||||||
Registry: bootstrapArgs.registry,
|
|
||||||
RegistryCredential: bootstrapArgs.registryCredential,
|
|
||||||
ImagePullSecret: bootstrapArgs.imagePullSecret,
|
|
||||||
WatchAllNamespaces: bootstrapArgs.watchAllNamespaces,
|
|
||||||
NetworkPolicy: bootstrapArgs.networkPolicy,
|
|
||||||
LogLevel: bootstrapArgs.logLevel.String(),
|
|
||||||
NotificationController: rootArgs.defaults.NotificationController,
|
|
||||||
ManifestFile: rootArgs.defaults.ManifestFile,
|
|
||||||
Timeout: rootArgs.timeout,
|
|
||||||
TargetPath: giteaArgs.path.ToSlash(),
|
|
||||||
ClusterDomain: bootstrapArgs.clusterDomain,
|
|
||||||
TolerationKeys: bootstrapArgs.tolerationKeys,
|
|
||||||
}
|
|
||||||
if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
|
|
||||||
installOptions.BaseURL = customBaseURL
|
|
||||||
}
|
|
||||||
|
|
||||||
// Source generation and secret config
|
|
||||||
secretOpts := sourcesecret.Options{
|
|
||||||
Name: bootstrapArgs.secretName,
|
|
||||||
Namespace: *kubeconfigArgs.Namespace,
|
|
||||||
TargetPath: giteaArgs.path.ToSlash(),
|
|
||||||
ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
|
|
||||||
}
|
|
||||||
if bootstrapArgs.tokenAuth {
|
|
||||||
secretOpts.Username = "git"
|
|
||||||
secretOpts.Password = gtToken
|
|
||||||
secretOpts.CACrt = caBundle
|
|
||||||
} else {
|
|
||||||
secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
|
|
||||||
secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
|
|
||||||
secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
|
|
||||||
|
|
||||||
secretOpts.SSHHostname = giteaArgs.hostname
|
|
||||||
if bootstrapArgs.sshHostname != "" {
|
|
||||||
secretOpts.SSHHostname = bootstrapArgs.sshHostname
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Sync manifest config
|
|
||||||
syncOpts := sync.Options{
|
|
||||||
Interval: giteaArgs.interval,
|
|
||||||
Name: *kubeconfigArgs.Namespace,
|
|
||||||
Namespace: *kubeconfigArgs.Namespace,
|
|
||||||
Branch: bootstrapArgs.branch,
|
|
||||||
Secret: bootstrapArgs.secretName,
|
|
||||||
TargetPath: giteaArgs.path.ToSlash(),
|
|
||||||
ManifestFile: sync.MakeDefaultOptions().ManifestFile,
|
|
||||||
RecurseSubmodules: bootstrapArgs.recurseSubmodules,
|
|
||||||
}
|
|
||||||
|
|
||||||
entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
// Bootstrap config
|
|
||||||
bootstrapOpts := []bootstrap.GitProviderOption{
|
|
||||||
bootstrap.WithProviderRepository(giteaArgs.owner, giteaArgs.repository, giteaArgs.personal),
|
|
||||||
bootstrap.WithBranch(bootstrapArgs.branch),
|
|
||||||
bootstrap.WithBootstrapTransportType("https"),
|
|
||||||
bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
|
|
||||||
bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
|
|
||||||
bootstrap.WithProviderTeamPermissions(mapTeamSlice(giteaArgs.teams, gtDefaultPermission)),
|
|
||||||
bootstrap.WithReadWriteKeyPermissions(giteaArgs.readWriteKey),
|
|
||||||
bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
|
|
||||||
bootstrap.WithLogger(logger),
|
|
||||||
bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
|
|
||||||
}
|
|
||||||
if bootstrapArgs.sshHostname != "" {
|
|
||||||
bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
|
|
||||||
}
|
|
||||||
if bootstrapArgs.tokenAuth {
|
|
||||||
bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
|
|
||||||
}
|
|
||||||
if !giteaArgs.private {
|
|
||||||
bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
|
|
||||||
}
|
|
||||||
if giteaArgs.reconcile {
|
|
||||||
bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile())
|
|
||||||
}
|
|
||||||
|
|
||||||
// Setup bootstrapper with constructed configs
|
|
||||||
b, err := bootstrap.NewGitProviderBootstrapper(gitClient, providerClient, kubeClient, bootstrapOpts...)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
// Run
|
|
||||||
return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
|
|
||||||
}
|
|
||||||
@ -1,31 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2021 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"github.com/spf13/cobra"
|
|
||||||
)
|
|
||||||
|
|
||||||
var buildCmd = &cobra.Command{
|
|
||||||
Use: "build",
|
|
||||||
Short: "Build a flux resource",
|
|
||||||
Long: `The build command is used to build flux resources.`,
|
|
||||||
}
|
|
||||||
|
|
||||||
func init() {
|
|
||||||
rootCmd.AddCommand(buildCmd)
|
|
||||||
}
|
|
||||||
@ -1,117 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2022 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"bufio"
|
|
||||||
"bytes"
|
|
||||||
"fmt"
|
|
||||||
"io"
|
|
||||||
"os"
|
|
||||||
"strings"
|
|
||||||
|
|
||||||
"github.com/spf13/cobra"
|
|
||||||
|
|
||||||
oci "github.com/fluxcd/pkg/oci/client"
|
|
||||||
"github.com/fluxcd/pkg/sourceignore"
|
|
||||||
)
|
|
||||||
|
|
||||||
var buildArtifactCmd = &cobra.Command{
|
|
||||||
Use: "artifact",
|
|
||||||
Short: "Build artifact",
|
|
||||||
Long: withPreviewNote(`The build artifact command creates a tgz file with the manifests
|
|
||||||
from the given directory or a single manifest file.`),
|
|
||||||
Example: ` # Build the given manifests directory into an artifact
|
|
||||||
flux build artifact --path ./path/to/local/manifests --output ./path/to/artifact.tgz
|
|
||||||
|
|
||||||
# Build the given single manifest file into an artifact
|
|
||||||
flux build artifact --path ./path/to/local/manifest.yaml --output ./path/to/artifact.tgz
|
|
||||||
|
|
||||||
# List the files bundled in the artifact
|
|
||||||
tar -ztvf ./path/to/artifact.tgz
|
|
||||||
`,
|
|
||||||
RunE: buildArtifactCmdRun,
|
|
||||||
}
|
|
||||||
|
|
||||||
type buildArtifactFlags struct {
|
|
||||||
output string
|
|
||||||
path string
|
|
||||||
ignorePaths []string
|
|
||||||
}
|
|
||||||
|
|
||||||
var excludeOCI = append(strings.Split(sourceignore.ExcludeVCS, ","), strings.Split(sourceignore.ExcludeExt, ",")...)
|
|
||||||
|
|
||||||
var buildArtifactArgs buildArtifactFlags
|
|
||||||
|
|
||||||
func init() {
|
|
||||||
buildArtifactCmd.Flags().StringVarP(&buildArtifactArgs.path, "path", "p", "", "Path to the directory where the Kubernetes manifests are located.")
|
|
||||||
buildArtifactCmd.Flags().StringVarP(&buildArtifactArgs.output, "output", "o", "artifact.tgz", "Path to where the artifact tgz file should be written.")
|
|
||||||
buildArtifactCmd.Flags().StringSliceVar(&buildArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")
|
|
||||||
|
|
||||||
buildCmd.AddCommand(buildArtifactCmd)
|
|
||||||
}
|
|
||||||
|
|
||||||
func buildArtifactCmdRun(cmd *cobra.Command, args []string) error {
|
|
||||||
if buildArtifactArgs.path == "" {
|
|
||||||
return fmt.Errorf("invalid path %q", buildArtifactArgs.path)
|
|
||||||
}
|
|
||||||
|
|
||||||
path := buildArtifactArgs.path
|
|
||||||
var err error
|
|
||||||
if buildArtifactArgs.path == "-" {
|
|
||||||
path, err = saveReaderToFile(os.Stdin)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
defer os.Remove(path)
|
|
||||||
}
|
|
||||||
|
|
||||||
if _, err := os.Stat(path); err != nil {
|
|
||||||
return fmt.Errorf("invalid path '%s', must point to an existing directory or file", path)
|
|
||||||
}
|
|
||||||
|
|
||||||
logger.Actionf("building artifact from %s", path)
|
|
||||||
|
|
||||||
ociClient := oci.NewClient(oci.DefaultOptions())
|
|
||||||
if err := ociClient.Build(buildArtifactArgs.output, path, buildArtifactArgs.ignorePaths); err != nil {
|
|
||||||
return fmt.Errorf("building artifact failed, error: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
logger.Successf("artifact created at %s", buildArtifactArgs.output)
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func saveReaderToFile(reader io.Reader) (string, error) {
|
|
||||||
b, err := io.ReadAll(bufio.NewReader(reader))
|
|
||||||
if err != nil {
|
|
||||||
return "", err
|
|
||||||
}
|
|
||||||
b = bytes.TrimRight(b, "\r\n")
|
|
||||||
f, err := os.CreateTemp("", "*.yaml")
|
|
||||||
if err != nil {
|
|
||||||
return "", fmt.Errorf("unable to create temp dir for stdin")
|
|
||||||
}
|
|
||||||
|
|
||||||
defer f.Close()
|
|
||||||
|
|
||||||
if _, err := f.Write(b); err != nil {
|
|
||||||
return "", fmt.Errorf("error writing stdin to file: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
return f.Name(), nil
|
|
||||||
}
|
|
||||||
@ -1,70 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2022 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"os"
|
|
||||||
"strings"
|
|
||||||
"testing"
|
|
||||||
|
|
||||||
. "github.com/onsi/gomega"
|
|
||||||
)
|
|
||||||
|
|
||||||
func Test_saveReaderToFile(t *testing.T) {
|
|
||||||
g := NewWithT(t)
|
|
||||||
|
|
||||||
testString := `apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: myapp
|
|
||||||
data:
|
|
||||||
foo: bar`
|
|
||||||
|
|
||||||
tests := []struct {
|
|
||||||
name string
|
|
||||||
string string
|
|
||||||
expectErr bool
|
|
||||||
}{
|
|
||||||
{
|
|
||||||
name: "yaml",
|
|
||||||
string: testString,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "yaml with carriage return",
|
|
||||||
string: testString + "\r\n",
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, tt := range tests {
|
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
|
||||||
tmpFile, err := saveReaderToFile(strings.NewReader(tt.string))
|
|
||||||
g.Expect(err).To(BeNil())
|
|
||||||
|
|
||||||
t.Cleanup(func() { _ = os.Remove(tmpFile) })
|
|
||||||
|
|
||||||
b, err := os.ReadFile(tmpFile)
|
|
||||||
if tt.expectErr {
|
|
||||||
g.Expect(err).To(Not(BeNil()))
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
g.Expect(err).To(BeNil())
|
|
||||||
g.Expect(string(b)).To(BeEquivalentTo(testString))
|
|
||||||
})
|
|
||||||
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@ -1,174 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2021 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"fmt"
|
|
||||||
"os"
|
|
||||||
"os/signal"
|
|
||||||
|
|
||||||
"github.com/spf13/cobra"
|
|
||||||
|
|
||||||
kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
|
|
||||||
ssautil "github.com/fluxcd/pkg/ssa/utils"
|
|
||||||
|
|
||||||
"github.com/fluxcd/flux2/v2/internal/build"
|
|
||||||
)
|
|
||||||
|
|
||||||
var buildKsCmd = &cobra.Command{
|
|
||||||
Use: "kustomization",
|
|
||||||
Aliases: []string{"ks"},
|
|
||||||
Short: "Build Kustomization",
|
|
||||||
Long: `The build command queries the Kubernetes API and fetches the specified Flux Kustomization.
|
|
||||||
It then uses the fetched in cluster flux kustomization to perform needed transformation on the local kustomization.yaml
|
|
||||||
pointed at by --path. The local kustomization.yaml is generated if it does not exist. Finally it builds the overlays using the local kustomization.yaml, and write the resulting multi-doc YAML to stdout.
|
|
||||||
|
|
||||||
It is possible to specify a Flux kustomization file using --kustomization-file.`,
|
|
||||||
Example: `# Build the local manifests as they were built on the cluster
|
|
||||||
flux build kustomization my-app --path ./path/to/local/manifests
|
|
||||||
|
|
||||||
# Build using a local flux kustomization file
|
|
||||||
flux build kustomization my-app --path ./path/to/local/manifests --kustomization-file ./path/to/local/my-app.yaml
|
|
||||||
|
|
||||||
# Build in dry-run mode without connecting to the cluster.
|
|
||||||
# Note that variable substitutions from Secrets and ConfigMaps are skipped in dry-run mode.
|
|
||||||
flux build kustomization my-app --path ./path/to/local/manifests \
|
|
||||||
--kustomization-file ./path/to/local/my-app.yaml \
|
|
||||||
--dry-run
|
|
||||||
|
|
||||||
# Exclude files by providing a comma separated list of entries that follow the .gitignore pattern fromat.
|
|
||||||
flux build kustomization my-app --path ./path/to/local/manifests \
|
|
||||||
--kustomization-file ./path/to/local/my-app.yaml \
|
|
||||||
--ignore-paths "/to_ignore/**/*.yaml,ignore.yaml"
|
|
||||||
|
|
||||||
# Run recursively on all encountered Kustomizations
|
|
||||||
flux build kustomization my-app --path ./path/to/local/manifests \
|
|
||||||
--recursive \
|
|
||||||
--local-sources GitRepository/flux-system/my-repo=./path/to/local/git`,
|
|
||||||
ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
|
|
||||||
RunE: buildKsCmdRun,
|
|
||||||
}
|
|
||||||
|
|
||||||
type buildKsFlags struct {
|
|
||||||
kustomizationFile string
|
|
||||||
path string
|
|
||||||
ignorePaths []string
|
|
||||||
dryRun bool
|
|
||||||
strictSubst bool
|
|
||||||
recursive bool
|
|
||||||
localSources map[string]string
|
|
||||||
}
|
|
||||||
|
|
||||||
var buildKsArgs buildKsFlags
|
|
||||||
|
|
||||||
func init() {
|
|
||||||
buildKsCmd.Flags().StringVar(&buildKsArgs.path, "path", "", "Path to the manifests location.")
|
|
||||||
buildKsCmd.Flags().StringVar(&buildKsArgs.kustomizationFile, "kustomization-file", "", "Path to the Flux Kustomization YAML file.")
|
|
||||||
buildKsCmd.Flags().StringSliceVar(&buildKsArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in .gitignore format")
|
|
||||||
buildKsCmd.Flags().BoolVar(&buildKsArgs.dryRun, "dry-run", false, "Dry run mode.")
|
|
||||||
buildKsCmd.Flags().BoolVar(&buildKsArgs.strictSubst, "strict-substitute", false,
|
|
||||||
"When enabled, the post build substitutions will fail if a var without a default value is declared in files but is missing from the input vars.")
|
|
||||||
buildKsCmd.Flags().BoolVarP(&buildKsArgs.recursive, "recursive", "r", false, "Recursively build Kustomizations")
|
|
||||||
buildKsCmd.Flags().StringToStringVar(&buildKsArgs.localSources, "local-sources", nil, "Comma-separated list of repositories in format: Kind/namespace/name=path")
|
|
||||||
buildCmd.AddCommand(buildKsCmd)
|
|
||||||
}
|
|
||||||
|
|
||||||
func buildKsCmdRun(cmd *cobra.Command, args []string) (err error) {
|
|
||||||
if len(args) < 1 {
|
|
||||||
return fmt.Errorf("%s name is required", kustomizationType.humanKind)
|
|
||||||
}
|
|
||||||
name := args[0]
|
|
||||||
|
|
||||||
if buildKsArgs.path == "" {
|
|
||||||
return fmt.Errorf("invalid resource path %q", buildKsArgs.path)
|
|
||||||
}
|
|
||||||
|
|
||||||
if fs, err := os.Stat(buildKsArgs.path); err != nil || !fs.IsDir() {
|
|
||||||
return fmt.Errorf("invalid resource path %q", buildKsArgs.path)
|
|
||||||
}
|
|
||||||
|
|
||||||
if buildKsArgs.dryRun && buildKsArgs.kustomizationFile == "" {
|
|
||||||
return fmt.Errorf("dry-run mode requires a kustomization file")
|
|
||||||
}
|
|
||||||
|
|
||||||
if buildKsArgs.kustomizationFile != "" {
|
|
||||||
if fs, err := os.Stat(buildKsArgs.kustomizationFile); os.IsNotExist(err) || fs.IsDir() {
|
|
||||||
return fmt.Errorf("invalid kustomization file %q", buildKsArgs.kustomizationFile)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
var builder *build.Builder
|
|
||||||
if buildKsArgs.dryRun {
|
|
||||||
builder, err = build.NewBuilder(name, buildKsArgs.path,
|
|
||||||
build.WithTimeout(rootArgs.timeout),
|
|
||||||
build.WithKustomizationFile(buildKsArgs.kustomizationFile),
|
|
||||||
build.WithDryRun(buildKsArgs.dryRun),
|
|
||||||
build.WithNamespace(*kubeconfigArgs.Namespace),
|
|
||||||
build.WithIgnore(buildKsArgs.ignorePaths),
|
|
||||||
build.WithStrictSubstitute(buildKsArgs.strictSubst),
|
|
||||||
build.WithRecursive(buildKsArgs.recursive),
|
|
||||||
build.WithLocalSources(buildKsArgs.localSources),
|
|
||||||
)
|
|
||||||
} else {
|
|
||||||
builder, err = build.NewBuilder(name, buildKsArgs.path,
|
|
||||||
build.WithClientConfig(kubeconfigArgs, kubeclientOptions),
|
|
||||||
build.WithTimeout(rootArgs.timeout),
|
|
||||||
build.WithKustomizationFile(buildKsArgs.kustomizationFile),
|
|
||||||
build.WithIgnore(buildKsArgs.ignorePaths),
|
|
||||||
build.WithStrictSubstitute(buildKsArgs.strictSubst),
|
|
||||||
build.WithRecursive(buildKsArgs.recursive),
|
|
||||||
build.WithLocalSources(buildKsArgs.localSources),
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
// create a signal channel
|
|
||||||
sigc := make(chan os.Signal, 1)
|
|
||||||
signal.Notify(sigc, os.Interrupt)
|
|
||||||
|
|
||||||
errChan := make(chan error)
|
|
||||||
go func() {
|
|
||||||
objects, err := builder.Build()
|
|
||||||
if err != nil {
|
|
||||||
errChan <- err
|
|
||||||
}
|
|
||||||
|
|
||||||
manifests, err := ssautil.ObjectsToYAML(objects)
|
|
||||||
if err != nil {
|
|
||||||
errChan <- err
|
|
||||||
}
|
|
||||||
|
|
||||||
cmd.Print(manifests)
|
|
||||||
errChan <- nil
|
|
||||||
}()
|
|
||||||
|
|
||||||
select {
|
|
||||||
case <-sigc:
|
|
||||||
fmt.Println("Build cancelled... exiting.")
|
|
||||||
return builder.Cancel()
|
|
||||||
case err := <-errChan:
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
|
|
||||||
}
|
|
||||||
@ -1,220 +0,0 @@
|
|||||||
//go:build unit
|
|
||||||
// +build unit
|
|
||||||
|
|
||||||
/*
|
|
||||||
Copyright 2021 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"bytes"
|
|
||||||
"os"
|
|
||||||
"path/filepath"
|
|
||||||
"testing"
|
|
||||||
"text/template"
|
|
||||||
)
|
|
||||||
|
|
||||||
func setup(t *testing.T, tmpl map[string]string) {
|
|
||||||
t.Helper()
|
|
||||||
testEnv.CreateObjectFile("./testdata/build-kustomization/podinfo-source.yaml", tmpl, t)
|
|
||||||
testEnv.CreateObjectFile("./testdata/build-kustomization/podinfo-kustomization.yaml", tmpl, t)
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestBuildKustomization(t *testing.T) {
|
|
||||||
tests := []struct {
|
|
||||||
name string
|
|
||||||
args string
|
|
||||||
resultFile string
|
|
||||||
assertFunc string
|
|
||||||
}{
|
|
||||||
{
|
|
||||||
name: "no args",
|
|
||||||
args: "build kustomization podinfo",
|
|
||||||
resultFile: "invalid resource path \"\"",
|
|
||||||
assertFunc: "assertError",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "build podinfo",
|
|
||||||
args: "build kustomization podinfo --path ./testdata/build-kustomization/podinfo",
|
|
||||||
resultFile: "./testdata/build-kustomization/podinfo-result.yaml",
|
|
||||||
assertFunc: "assertGoldenTemplateFile",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "build podinfo without service",
|
|
||||||
args: "build kustomization podinfo --path ./testdata/build-kustomization/delete-service",
|
|
||||||
resultFile: "./testdata/build-kustomization/podinfo-without-service-result.yaml",
|
|
||||||
assertFunc: "assertGoldenTemplateFile",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "build deployment and configmap with var substitution",
|
|
||||||
args: "build kustomization podinfo --path ./testdata/build-kustomization/var-substitution",
|
|
||||||
resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
|
|
||||||
assertFunc: "assertGoldenTemplateFile",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "build ignore",
|
|
||||||
args: "build kustomization podinfo --path ./testdata/build-kustomization/ignore --ignore-paths \"!configmap.yaml,!secret.yaml\"",
|
|
||||||
resultFile: "./testdata/build-kustomization/podinfo-with-ignore-result.yaml",
|
|
||||||
assertFunc: "assertGoldenTemplateFile",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "build with recursive",
|
|
||||||
args: "build kustomization podinfo --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization",
|
|
||||||
resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
|
|
||||||
assertFunc: "assertGoldenTemplateFile",
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
tmpl := map[string]string{
|
|
||||||
"fluxns": allocateNamespace("flux-system"),
|
|
||||||
}
|
|
||||||
setup(t, tmpl)
|
|
||||||
|
|
||||||
for _, tt := range tests {
|
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
|
||||||
var assert assertFunc
|
|
||||||
|
|
||||||
switch tt.assertFunc {
|
|
||||||
case "assertGoldenTemplateFile":
|
|
||||||
assert = assertGoldenTemplateFile(tt.resultFile, tmpl)
|
|
||||||
case "assertError":
|
|
||||||
assert = assertError(tt.resultFile)
|
|
||||||
}
|
|
||||||
|
|
||||||
cmd := cmdTestCase{
|
|
||||||
args: tt.args + " -n " + tmpl["fluxns"],
|
|
||||||
assert: assert,
|
|
||||||
}
|
|
||||||
|
|
||||||
cmd.runTestCmd(t)
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestBuildLocalKustomization(t *testing.T) {
|
|
||||||
podinfo := `apiVersion: kustomize.toolkit.fluxcd.io/v1
|
|
||||||
kind: Kustomization
|
|
||||||
metadata:
|
|
||||||
name: podinfo
|
|
||||||
namespace: {{ .fluxns }}
|
|
||||||
spec:
|
|
||||||
interval: 5m0s
|
|
||||||
path: ./kustomize
|
|
||||||
force: true
|
|
||||||
prune: true
|
|
||||||
sourceRef:
|
|
||||||
kind: GitRepository
|
|
||||||
name: podinfo
|
|
||||||
targetNamespace: default
|
|
||||||
postBuild:
|
|
||||||
substitute:
|
|
||||||
cluster_env: "prod"
|
|
||||||
cluster_region: "eu-central-1"
|
|
||||||
`
|
|
||||||
|
|
||||||
tmpFile := filepath.Join(t.TempDir(), "podinfo.yaml")
|
|
||||||
|
|
||||||
tests := []struct {
|
|
||||||
name string
|
|
||||||
args string
|
|
||||||
resultFile string
|
|
||||||
assertFunc string
|
|
||||||
}{
|
|
||||||
{
|
|
||||||
name: "no args",
|
|
||||||
args: "build kustomization podinfo --kustomization-file ./wrongfile/ --path ./testdata/build-kustomization/podinfo",
|
|
||||||
resultFile: "invalid kustomization file \"./wrongfile/\"",
|
|
||||||
assertFunc: "assertError",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "build podinfo",
|
|
||||||
args: "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/podinfo",
|
|
||||||
resultFile: "./testdata/build-kustomization/podinfo-result.yaml",
|
|
||||||
assertFunc: "assertGoldenTemplateFile",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "build podinfo without service",
|
|
||||||
args: "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/delete-service",
|
|
||||||
resultFile: "./testdata/build-kustomization/podinfo-without-service-result.yaml",
|
|
||||||
assertFunc: "assertGoldenTemplateFile",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "build deployment and configmap with var substitution",
|
|
||||||
args: "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/var-substitution",
|
|
||||||
resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
|
|
||||||
assertFunc: "assertGoldenTemplateFile",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "build deployment and configmap with var substitution in dry-run mode",
|
|
||||||
args: "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/var-substitution --dry-run",
|
|
||||||
resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
|
|
||||||
assertFunc: "assertGoldenTemplateFile",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "build with recursive",
|
|
||||||
args: "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization",
|
|
||||||
resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
|
|
||||||
assertFunc: "assertGoldenTemplateFile",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "build with recursive in dry-run mode",
|
|
||||||
args: "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization --dry-run",
|
|
||||||
resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
|
|
||||||
assertFunc: "assertGoldenTemplateFile",
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
tmpl := map[string]string{
|
|
||||||
"fluxns": allocateNamespace("flux-system"),
|
|
||||||
}
|
|
||||||
setup(t, tmpl)
|
|
||||||
|
|
||||||
temp, err := template.New("podinfo").Parse(podinfo)
|
|
||||||
if err != nil {
|
|
||||||
t.Fatal(err)
|
|
||||||
}
|
|
||||||
|
|
||||||
var b bytes.Buffer
|
|
||||||
err = temp.Execute(&b, tmpl)
|
|
||||||
if err != nil {
|
|
||||||
t.Fatal(err)
|
|
||||||
}
|
|
||||||
|
|
||||||
err = os.WriteFile(tmpFile, b.Bytes(), 0666)
|
|
||||||
if err != nil {
|
|
||||||
t.Fatal(err)
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, tt := range tests {
|
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
|
||||||
var assert assertFunc
|
|
||||||
|
|
||||||
switch tt.assertFunc {
|
|
||||||
case "assertGoldenTemplateFile":
|
|
||||||
assert = assertGoldenTemplateFile(tt.resultFile, tmpl)
|
|
||||||
case "assertError":
|
|
||||||
assert = assertError(tt.resultFile)
|
|
||||||
}
|
|
||||||
|
|
||||||
cmd := cmdTestCase{
|
|
||||||
args: tt.args + " -n " + tmpl["fluxns"],
|
|
||||||
assert: assert,
|
|
||||||
}
|
|
||||||
|
|
||||||
cmd.runTestCmd(t)
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@ -1,53 +0,0 @@
|
|||||||
//go:build e2e
|
|
||||||
// +build e2e
|
|
||||||
|
|
||||||
/*
|
|
||||||
Copyright 2021 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
"encoding/json"
|
|
||||||
"strings"
|
|
||||||
"testing"
|
|
||||||
|
|
||||||
"github.com/fluxcd/flux2/v2/internal/utils"
|
|
||||||
)
|
|
||||||
|
|
||||||
func TestCheckPre(t *testing.T) {
|
|
||||||
jsonOutput, err := utils.ExecKubectlCommand(context.TODO(), utils.ModeCapture, *kubeconfigArgs.KubeConfig, *kubeconfigArgs.Context, "version", "--output", "json")
|
|
||||||
if err != nil {
|
|
||||||
t.Fatalf("Error running utils.ExecKubectlCommand: %v", err.Error())
|
|
||||||
}
|
|
||||||
|
|
||||||
var versions map[string]interface{}
|
|
||||||
if err := json.Unmarshal([]byte(jsonOutput), &versions); err != nil {
|
|
||||||
t.Fatalf("Error unmarshalling '%s': %v", jsonOutput, err.Error())
|
|
||||||
}
|
|
||||||
|
|
||||||
serverGitVersion := strings.TrimPrefix(
|
|
||||||
versions["serverVersion"].(map[string]interface{})["gitVersion"].(string),
|
|
||||||
"v")
|
|
||||||
|
|
||||||
cmd := cmdTestCase{
|
|
||||||
args: "check --pre",
|
|
||||||
assert: assertGoldenTemplateFile("testdata/check/check_pre.golden", map[string]string{
|
|
||||||
"serverVersion": serverGitVersion,
|
|
||||||
}),
|
|
||||||
}
|
|
||||||
cmd.runTestCmd(t)
|
|
||||||
}
|
|
||||||
@ -1,126 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2023 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
"fmt"
|
|
||||||
|
|
||||||
"github.com/manifoldco/promptui"
|
|
||||||
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
|
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
||||||
"sigs.k8s.io/controller-runtime/pkg/client"
|
|
||||||
|
|
||||||
kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
|
|
||||||
sourcev1 "github.com/fluxcd/source-controller/api/v1"
|
|
||||||
|
|
||||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen"
|
|
||||||
)
|
|
||||||
|
|
||||||
// bootstrapLabels are labels put on a resource by kustomize-controller. These labels on the CRD indicates
|
|
||||||
// that flux has been bootstrapped.
|
|
||||||
var bootstrapLabels = []string{
|
|
||||||
fmt.Sprintf("%s/name", kustomizev1.GroupVersion.Group),
|
|
||||||
fmt.Sprintf("%s/namespace", kustomizev1.GroupVersion.Group),
|
|
||||||
}
|
|
||||||
|
|
||||||
// fluxClusterInfo contains information about an existing flux installation on a cluster.
|
|
||||||
type fluxClusterInfo struct {
|
|
||||||
// bootstrapped indicates that Flux was installed using the `flux bootstrap` command.
|
|
||||||
bootstrapped bool
|
|
||||||
// managedBy is the name of the tool being used to manage the installation of Flux.
|
|
||||||
managedBy string
|
|
||||||
// partOf indicates which distribution the instance is a part of.
|
|
||||||
partOf string
|
|
||||||
// version is the Flux version number in semver format.
|
|
||||||
version string
|
|
||||||
}
|
|
||||||
|
|
||||||
// getFluxClusterInfo returns information on the Flux installation running on the cluster.
|
|
||||||
// If an error occurred, the returned error will be non-nil.
|
|
||||||
//
|
|
||||||
// This function retrieves the GitRepository CRD from the cluster and checks it
|
|
||||||
// for a set of labels used to determine the Flux version and how Flux was installed.
|
|
||||||
// It returns the NotFound error from the underlying library if it was unable to find
|
|
||||||
// the GitRepository CRD and this can be used to check if Flux is installed.
|
|
||||||
func getFluxClusterInfo(ctx context.Context, c client.Client) (fluxClusterInfo, error) {
|
|
||||||
var info fluxClusterInfo
|
|
||||||
crdMetadata := &metav1.PartialObjectMetadata{
|
|
||||||
TypeMeta: metav1.TypeMeta{
|
|
||||||
APIVersion: apiextensionsv1.SchemeGroupVersion.String(),
|
|
||||||
Kind: "CustomResourceDefinition",
|
|
||||||
},
|
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
|
||||||
Name: fmt.Sprintf("gitrepositories.%s", sourcev1.GroupVersion.Group),
|
|
||||||
},
|
|
||||||
}
|
|
||||||
if err := c.Get(ctx, client.ObjectKeyFromObject(crdMetadata), crdMetadata); err != nil {
|
|
||||||
return info, err
|
|
||||||
}
|
|
||||||
|
|
||||||
info.version = crdMetadata.Labels[manifestgen.VersionLabelKey]
|
|
||||||
|
|
||||||
var present bool
|
|
||||||
for _, l := range bootstrapLabels {
|
|
||||||
_, present = crdMetadata.Labels[l]
|
|
||||||
}
|
|
||||||
if present {
|
|
||||||
info.bootstrapped = true
|
|
||||||
}
|
|
||||||
|
|
||||||
// the `app.kubernetes.io/managed-by` label is not set by flux but might be set by other
|
|
||||||
// tools used to install Flux e.g Helm.
|
|
||||||
if manager, ok := crdMetadata.Labels["app.kubernetes.io/managed-by"]; ok {
|
|
||||||
info.managedBy = manager
|
|
||||||
}
|
|
||||||
|
|
||||||
if partOf, ok := crdMetadata.Labels[manifestgen.PartOfLabelKey]; ok {
|
|
||||||
info.partOf = partOf
|
|
||||||
}
|
|
||||||
return info, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// confirmFluxInstallOverride displays a prompt to the user so that they can confirm before overriding
|
|
||||||
// a Flux installation. It returns nil if the installation should continue,
|
|
||||||
// promptui.ErrAbort if the user doesn't confirm, or an error encountered.
|
|
||||||
func confirmFluxInstallOverride(info fluxClusterInfo) error {
|
|
||||||
// no need to display prompt if installation is managed by Flux
|
|
||||||
if installManagedByFlux(info.managedBy) {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
display := fmt.Sprintf("Flux %s has been installed on this cluster with %s!", info.version, info.managedBy)
|
|
||||||
fmt.Fprintln(rootCmd.ErrOrStderr(), display)
|
|
||||||
prompt := promptui.Prompt{
|
|
||||||
Label: fmt.Sprintf("Are you sure you want to override the %s installation? Y/N", info.managedBy),
|
|
||||||
IsConfirm: true,
|
|
||||||
}
|
|
||||||
_, err := prompt.Run()
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
func (info fluxClusterInfo) distribution() string {
|
|
||||||
distribution := info.version
|
|
||||||
if info.partOf != "" {
|
|
||||||
distribution = fmt.Sprintf("%s-%s", info.partOf, info.version)
|
|
||||||
}
|
|
||||||
return distribution
|
|
||||||
}
|
|
||||||
|
|
||||||
func installManagedByFlux(manager string) bool {
|
|
||||||
return manager == "" || manager == "flux"
|
|
||||||
}
|
|
||||||
@ -1,141 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2023 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
"fmt"
|
|
||||||
"os"
|
|
||||||
"testing"
|
|
||||||
|
|
||||||
. "github.com/onsi/gomega"
|
|
||||||
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
|
|
||||||
"k8s.io/apimachinery/pkg/api/errors"
|
|
||||||
"k8s.io/apimachinery/pkg/runtime"
|
|
||||||
"sigs.k8s.io/controller-runtime/pkg/client/fake"
|
|
||||||
|
|
||||||
kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
|
|
||||||
ssautil "github.com/fluxcd/pkg/ssa/utils"
|
|
||||||
)
|
|
||||||
|
|
||||||
func Test_getFluxClusterInfo(t *testing.T) {
|
|
||||||
g := NewWithT(t)
|
|
||||||
f, err := os.Open("./testdata/cluster_info/gitrepositories.yaml")
|
|
||||||
g.Expect(err).To(BeNil())
|
|
||||||
|
|
||||||
objs, err := ssautil.ReadObjects(f)
|
|
||||||
g.Expect(err).To(Not(HaveOccurred()))
|
|
||||||
gitrepo := objs[0]
|
|
||||||
|
|
||||||
tests := []struct {
|
|
||||||
name string
|
|
||||||
labels map[string]string
|
|
||||||
wantErr bool
|
|
||||||
wantInfo fluxClusterInfo
|
|
||||||
}{
|
|
||||||
{
|
|
||||||
name: "no git repository CRD present",
|
|
||||||
wantErr: true,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "CRD with kustomize-controller labels",
|
|
||||||
labels: map[string]string{
|
|
||||||
fmt.Sprintf("%s/name", kustomizev1.GroupVersion.Group): "flux-system",
|
|
||||||
fmt.Sprintf("%s/namespace", kustomizev1.GroupVersion.Group): "flux-system",
|
|
||||||
"app.kubernetes.io/version": "v2.1.0",
|
|
||||||
},
|
|
||||||
wantInfo: fluxClusterInfo{
|
|
||||||
version: "v2.1.0",
|
|
||||||
bootstrapped: true,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "CRD with kustomize-controller labels and managed-by label",
|
|
||||||
labels: map[string]string{
|
|
||||||
fmt.Sprintf("%s/name", kustomizev1.GroupVersion.Group): "flux-system",
|
|
||||||
fmt.Sprintf("%s/namespace", kustomizev1.GroupVersion.Group): "flux-system",
|
|
||||||
"app.kubernetes.io/version": "v2.1.0",
|
|
||||||
"app.kubernetes.io/managed-by": "flux",
|
|
||||||
},
|
|
||||||
wantInfo: fluxClusterInfo{
|
|
||||||
version: "v2.1.0",
|
|
||||||
bootstrapped: true,
|
|
||||||
managedBy: "flux",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "CRD with only managed-by label",
|
|
||||||
labels: map[string]string{
|
|
||||||
"app.kubernetes.io/version": "v2.1.0",
|
|
||||||
"app.kubernetes.io/managed-by": "helm",
|
|
||||||
},
|
|
||||||
wantInfo: fluxClusterInfo{
|
|
||||||
version: "v2.1.0",
|
|
||||||
managedBy: "helm",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "CRD with no labels",
|
|
||||||
labels: map[string]string{},
|
|
||||||
wantInfo: fluxClusterInfo{},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "CRD with only version label",
|
|
||||||
labels: map[string]string{
|
|
||||||
"app.kubernetes.io/version": "v2.1.0",
|
|
||||||
},
|
|
||||||
wantInfo: fluxClusterInfo{
|
|
||||||
version: "v2.1.0",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "CRD with version and part-of labels",
|
|
||||||
labels: map[string]string{
|
|
||||||
"app.kubernetes.io/version": "v2.1.0",
|
|
||||||
"app.kubernetes.io/part-of": "flux",
|
|
||||||
},
|
|
||||||
wantInfo: fluxClusterInfo{
|
|
||||||
version: "v2.1.0",
|
|
||||||
partOf: "flux",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, tt := range tests {
|
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
|
||||||
g := NewWithT(t)
|
|
||||||
newscheme := runtime.NewScheme()
|
|
||||||
apiextensionsv1.AddToScheme(newscheme)
|
|
||||||
builder := fake.NewClientBuilder().WithScheme(newscheme)
|
|
||||||
if tt.labels != nil {
|
|
||||||
gitrepo.SetLabels(tt.labels)
|
|
||||||
builder = builder.WithRuntimeObjects(gitrepo)
|
|
||||||
}
|
|
||||||
|
|
||||||
client := builder.Build()
|
|
||||||
info, err := getFluxClusterInfo(context.Background(), client)
|
|
||||||
if tt.wantErr {
|
|
||||||
g.Expect(err).To(HaveOccurred())
|
|
||||||
g.Expect(errors.IsNotFound(err)).To(BeTrue())
|
|
||||||
} else {
|
|
||||||
g.Expect(err).To(Not(HaveOccurred()))
|
|
||||||
}
|
|
||||||
|
|
||||||
g.Expect(info).To(BeEquivalentTo(tt.wantInfo))
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@ -1,86 +0,0 @@
|
|||||||
//go:build unit
|
|
||||||
// +build unit
|
|
||||||
|
|
||||||
/*
|
|
||||||
Copyright 2024 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import "testing"
|
|
||||||
|
|
||||||
func TestCreateHelmRelease(t *testing.T) {
|
|
||||||
tmpl := map[string]string{
|
|
||||||
"fluxns": allocateNamespace("flux-system"),
|
|
||||||
}
|
|
||||||
setupHRSource(t, tmpl)
|
|
||||||
|
|
||||||
tests := []struct {
|
|
||||||
name string
|
|
||||||
args string
|
|
||||||
assert assertFunc
|
|
||||||
}{
|
|
||||||
{
|
|
||||||
name: "missing name",
|
|
||||||
args: "create helmrelease --export",
|
|
||||||
assert: assertError("name is required"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "missing chart template and chartRef",
|
|
||||||
args: "create helmrelease podinfo --export",
|
|
||||||
assert: assertError("chart or chart-ref is required"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "unknown source kind",
|
|
||||||
args: "create helmrelease podinfo --source foobar/podinfo --chart podinfo --export",
|
|
||||||
assert: assertError(`invalid argument "foobar/podinfo" for "--source" flag: source kind 'foobar' is not supported, must be one of: HelmRepository, GitRepository, Bucket`),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "unknown chart reference kind",
|
|
||||||
args: "create helmrelease podinfo --chart-ref foobar/podinfo --export",
|
|
||||||
assert: assertError(`chart reference kind 'foobar' is not supported, must be one of: OCIRepository, HelmChart`),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "basic helmrelease",
|
|
||||||
args: "create helmrelease podinfo --source Helmrepository/podinfo --chart podinfo --interval=1m0s --export",
|
|
||||||
assert: assertGoldenTemplateFile("testdata/create_hr/basic.yaml", tmpl),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "chart with OCIRepository source",
|
|
||||||
args: "create helmrelease podinfo --chart-ref OCIRepository/podinfo --interval=1m0s --export",
|
|
||||||
assert: assertGoldenTemplateFile("testdata/create_hr/or_basic.yaml", tmpl),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "chart with HelmChart source",
|
|
||||||
args: "create helmrelease podinfo --chart-ref HelmChart/podinfo --interval=1m0s --export",
|
|
||||||
assert: assertGoldenTemplateFile("testdata/create_hr/hc_basic.yaml", tmpl),
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, tt := range tests {
|
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
|
||||||
cmd := cmdTestCase{
|
|
||||||
args: tt.args + " -n " + tmpl["fluxns"],
|
|
||||||
assert: tt.assert,
|
|
||||||
}
|
|
||||||
cmd.runTestCmd(t)
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func setupHRSource(t *testing.T, tmpl map[string]string) {
|
|
||||||
t.Helper()
|
|
||||||
testEnv.CreateObjectFile("./testdata/create_hr/setup-source.yaml", tmpl, t)
|
|
||||||
}
|
|
||||||
@ -1,178 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2020 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"fmt"
|
|
||||||
|
|
||||||
"github.com/spf13/cobra"
|
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
||||||
|
|
||||||
autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
|
|
||||||
sourcev1 "github.com/fluxcd/source-controller/api/v1"
|
|
||||||
)
|
|
||||||
|
|
||||||
var createImageUpdateCmd = &cobra.Command{
|
|
||||||
Use: "update [name]",
|
|
||||||
Short: "Create or update an ImageUpdateAutomation object",
|
|
||||||
Long: withPreviewNote(`The create image update command generates an ImageUpdateAutomation resource.
|
|
||||||
An ImageUpdateAutomation object specifies an automated update to images
|
|
||||||
mentioned in YAMLs in a git repository.`),
|
|
||||||
Example: ` # Configure image updates for the main repository created by flux bootstrap
|
|
||||||
flux create image update flux-system \
|
|
||||||
--git-repo-ref=flux-system \
|
|
||||||
--git-repo-path="./clusters/my-cluster" \
|
|
||||||
--checkout-branch=main \
|
|
||||||
--author-name=flux \
|
|
||||||
--author-email=flux@example.com \
|
|
||||||
--commit-template="{{range .Updated.Images}}{{println .}}{{end}}"
|
|
||||||
|
|
||||||
# Configure image updates to push changes to a different branch, if the branch doesn't exists it will be created
|
|
||||||
flux create image update flux-system \
|
|
||||||
--git-repo-ref=flux-system \
|
|
||||||
--git-repo-path="./clusters/my-cluster" \
|
|
||||||
--checkout-branch=main \
|
|
||||||
--push-branch=image-updates \
|
|
||||||
--author-name=flux \
|
|
||||||
--author-email=flux@example.com \
|
|
||||||
--commit-template="{{range .Updated.Images}}{{println .}}{{end}}"
|
|
||||||
|
|
||||||
# Configure image updates for a Git repository in a different namespace
|
|
||||||
flux create image update apps \
|
|
||||||
--namespace=apps \
|
|
||||||
--git-repo-ref=flux-system \
|
|
||||||
--git-repo-namespace=flux-system \
|
|
||||||
--git-repo-path="./clusters/my-cluster" \
|
|
||||||
--checkout-branch=main \
|
|
||||||
--push-branch=image-updates \
|
|
||||||
--author-name=flux \
|
|
||||||
--author-email=flux@example.com \
|
|
||||||
--commit-template="{{range .Updated.Images}}{{println .}}{{end}}"
|
|
||||||
`,
|
|
||||||
RunE: createImageUpdateRun,
|
|
||||||
}
|
|
||||||
|
|
||||||
type imageUpdateFlags struct {
|
|
||||||
gitRepoName string
|
|
||||||
gitRepoNamespace string
|
|
||||||
gitRepoPath string
|
|
||||||
checkoutBranch string
|
|
||||||
pushBranch string
|
|
||||||
commitTemplate string
|
|
||||||
authorName string
|
|
||||||
authorEmail string
|
|
||||||
}
|
|
||||||
|
|
||||||
var imageUpdateArgs = imageUpdateFlags{}
|
|
||||||
|
|
||||||
func init() {
|
|
||||||
flags := createImageUpdateCmd.Flags()
|
|
||||||
flags.StringVar(&imageUpdateArgs.gitRepoName, "git-repo-ref", "", "the name of a GitRepository resource with details of the upstream Git repository")
|
|
||||||
flags.StringVar(&imageUpdateArgs.gitRepoNamespace, "git-repo-namespace", "", "the namespace of the GitRepository resource, defaults to the ImageUpdateAutomation namespace")
|
|
||||||
flags.StringVar(&imageUpdateArgs.gitRepoPath, "git-repo-path", "", "path to the directory containing the manifests to be updated, defaults to the repository root")
|
|
||||||
flags.StringVar(&imageUpdateArgs.checkoutBranch, "checkout-branch", "", "the branch to checkout")
|
|
||||||
flags.StringVar(&imageUpdateArgs.pushBranch, "push-branch", "", "the branch to push commits to, defaults to the checkout branch if not specified")
|
|
||||||
flags.StringVar(&imageUpdateArgs.commitTemplate, "commit-template", "", "a template for commit messages")
|
|
||||||
flags.StringVar(&imageUpdateArgs.authorName, "author-name", "", "the name to use for commit author")
|
|
||||||
flags.StringVar(&imageUpdateArgs.authorEmail, "author-email", "", "the email to use for commit author")
|
|
||||||
|
|
||||||
createImageCmd.AddCommand(createImageUpdateCmd)
|
|
||||||
}
|
|
||||||
|
|
||||||
func createImageUpdateRun(cmd *cobra.Command, args []string) error {
|
|
||||||
objectName := args[0]
|
|
||||||
|
|
||||||
if imageUpdateArgs.gitRepoName == "" {
|
|
||||||
return fmt.Errorf("a reference to a GitRepository is required (--git-repo-ref)")
|
|
||||||
}
|
|
||||||
|
|
||||||
if imageUpdateArgs.checkoutBranch == "" {
|
|
||||||
return fmt.Errorf("the Git repository branch is required (--checkout-branch)")
|
|
||||||
}
|
|
||||||
|
|
||||||
if imageUpdateArgs.authorName == "" {
|
|
||||||
return fmt.Errorf("the author name is required (--author-name)")
|
|
||||||
}
|
|
||||||
|
|
||||||
if imageUpdateArgs.authorEmail == "" {
|
|
||||||
return fmt.Errorf("the author email is required (--author-email)")
|
|
||||||
}
|
|
||||||
|
|
||||||
labels, err := parseLabels()
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
var update = autov1.ImageUpdateAutomation{
|
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
|
||||||
Name: objectName,
|
|
||||||
Namespace: *kubeconfigArgs.Namespace,
|
|
||||||
Labels: labels,
|
|
||||||
},
|
|
||||||
Spec: autov1.ImageUpdateAutomationSpec{
|
|
||||||
SourceRef: autov1.CrossNamespaceSourceReference{
|
|
||||||
Kind: sourcev1.GitRepositoryKind,
|
|
||||||
Name: imageUpdateArgs.gitRepoName,
|
|
||||||
Namespace: imageUpdateArgs.gitRepoNamespace,
|
|
||||||
},
|
|
||||||
|
|
||||||
GitSpec: &autov1.GitSpec{
|
|
||||||
Checkout: &autov1.GitCheckoutSpec{
|
|
||||||
Reference: sourcev1.GitRepositoryRef{
|
|
||||||
Branch: imageUpdateArgs.checkoutBranch,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
Commit: autov1.CommitSpec{
|
|
||||||
Author: autov1.CommitUser{
|
|
||||||
Name: imageUpdateArgs.authorName,
|
|
||||||
Email: imageUpdateArgs.authorEmail,
|
|
||||||
},
|
|
||||||
MessageTemplate: imageUpdateArgs.commitTemplate,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
Interval: metav1.Duration{
|
|
||||||
Duration: createArgs.interval,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
if imageUpdateArgs.pushBranch != "" {
|
|
||||||
update.Spec.GitSpec.Push = &autov1.PushSpec{
|
|
||||||
Branch: imageUpdateArgs.pushBranch,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if imageUpdateArgs.gitRepoPath != "" {
|
|
||||||
update.Spec.Update = &autov1.UpdateStrategy{
|
|
||||||
Path: imageUpdateArgs.gitRepoPath,
|
|
||||||
Strategy: autov1.UpdateStrategySetters,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if createArgs.export {
|
|
||||||
return printExport(exportImageUpdate(&update))
|
|
||||||
}
|
|
||||||
|
|
||||||
var existing autov1.ImageUpdateAutomation
|
|
||||||
copyName(&existing, &update)
|
|
||||||
err = imageUpdateAutomationType.upsertAndWait(imageUpdateAutomationAdapter{&existing}, func() error {
|
|
||||||
existing.Spec = update.Spec
|
|
||||||
existing.Labels = update.Labels
|
|
||||||
return nil
|
|
||||||
})
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
@ -0,0 +1,117 @@
|
|||||||
|
/*
|
||||||
|
Copyright 2020 The Flux authors
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
|
||||||
|
"github.com/spf13/cobra"
|
||||||
|
corev1 "k8s.io/api/core/v1"
|
||||||
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
|
||||||
|
autov1 "github.com/fluxcd/image-automation-controller/api/v1alpha1"
|
||||||
|
)
|
||||||
|
|
||||||
|
var createImageUpdateCmd = &cobra.Command{
|
||||||
|
Use: "update <name>",
|
||||||
|
Short: "Create or update an ImageUpdateAutomation object",
|
||||||
|
Long: `The create image update command generates an ImageUpdateAutomation resource.
|
||||||
|
An ImageUpdateAutomation object specifies an automated update to images
|
||||||
|
mentioned in YAMLs in a git repository.`,
|
||||||
|
RunE: createImageUpdateRun,
|
||||||
|
}
|
||||||
|
|
||||||
|
type imageUpdateFlags struct {
|
||||||
|
// git checkout spec
|
||||||
|
gitRepoRef string
|
||||||
|
branch string
|
||||||
|
// commit spec
|
||||||
|
commitTemplate string
|
||||||
|
authorName string
|
||||||
|
authorEmail string
|
||||||
|
}
|
||||||
|
|
||||||
|
var imageUpdateArgs = imageUpdateFlags{}
|
||||||
|
|
||||||
|
func init() {
|
||||||
|
flags := createImageUpdateCmd.Flags()
|
||||||
|
flags.StringVar(&imageUpdateArgs.gitRepoRef, "git-repo-ref", "", "the name of a GitRepository resource with details of the upstream git repository")
|
||||||
|
flags.StringVar(&imageUpdateArgs.branch, "branch", "", "the branch to checkout and push commits to")
|
||||||
|
flags.StringVar(&imageUpdateArgs.commitTemplate, "commit-template", "", "a template for commit messages")
|
||||||
|
flags.StringVar(&imageUpdateArgs.authorName, "author-name", "", "the name to use for commit author")
|
||||||
|
flags.StringVar(&imageUpdateArgs.authorEmail, "author-email", "", "the email to use for commit author")
|
||||||
|
|
||||||
|
createImageCmd.AddCommand(createImageUpdateCmd)
|
||||||
|
}
|
||||||
|
|
||||||
|
func createImageUpdateRun(cmd *cobra.Command, args []string) error {
|
||||||
|
if len(args) < 1 {
|
||||||
|
return fmt.Errorf("ImageUpdateAutomation name is required")
|
||||||
|
}
|
||||||
|
objectName := args[0]
|
||||||
|
|
||||||
|
if imageUpdateArgs.gitRepoRef == "" {
|
||||||
|
return fmt.Errorf("a reference to a GitRepository is required (--git-repo-ref)")
|
||||||
|
}
|
||||||
|
|
||||||
|
if imageUpdateArgs.branch == "" {
|
||||||
|
return fmt.Errorf("the Git repoistory branch is required (--branch)")
|
||||||
|
}
|
||||||
|
|
||||||
|
labels, err := parseLabels()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
var update = autov1.ImageUpdateAutomation{
|
||||||
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
|
Name: objectName,
|
||||||
|
Namespace: namespace,
|
||||||
|
Labels: labels,
|
||||||
|
},
|
||||||
|
Spec: autov1.ImageUpdateAutomationSpec{
|
||||||
|
Checkout: autov1.GitCheckoutSpec{
|
||||||
|
GitRepositoryRef: corev1.LocalObjectReference{
|
||||||
|
Name: imageUpdateArgs.gitRepoRef,
|
||||||
|
},
|
||||||
|
Branch: imageUpdateArgs.branch,
|
||||||
|
},
|
||||||
|
Interval: metav1.Duration{Duration: interval},
|
||||||
|
Update: autov1.UpdateStrategy{
|
||||||
|
Setters: &autov1.SettersStrategy{},
|
||||||
|
},
|
||||||
|
Commit: autov1.CommitSpec{
|
||||||
|
AuthorName: imageUpdateArgs.authorName,
|
||||||
|
AuthorEmail: imageUpdateArgs.authorEmail,
|
||||||
|
MessageTemplate: imageUpdateArgs.commitTemplate,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
if export {
|
||||||
|
return printExport(exportImageUpdate(&update))
|
||||||
|
}
|
||||||
|
|
||||||
|
var existing autov1.ImageUpdateAutomation
|
||||||
|
copyName(&existing, &update)
|
||||||
|
err = imageUpdateAutomationType.upsertAndWait(imageUpdateAutomationAdapter{&existing}, func() error {
|
||||||
|
existing.Spec = update.Spec
|
||||||
|
existing.Labels = update.Labels
|
||||||
|
return nil
|
||||||
|
})
|
||||||
|
return err
|
||||||
|
}
|
||||||
@ -1,70 +0,0 @@
|
|||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"fmt"
|
|
||||||
"os"
|
|
||||||
"testing"
|
|
||||||
)
|
|
||||||
|
|
||||||
func TestCreateGitSecret(t *testing.T) {
|
|
||||||
file, err := os.CreateTemp(t.TempDir(), "ca-crt")
|
|
||||||
if err != nil {
|
|
||||||
t.Fatal("could not create CA certificate file")
|
|
||||||
}
|
|
||||||
_, err = file.Write([]byte("ca-data"))
|
|
||||||
if err != nil {
|
|
||||||
t.Fatal("could not write to CA certificate file")
|
|
||||||
}
|
|
||||||
|
|
||||||
tests := []struct {
|
|
||||||
name string
|
|
||||||
args string
|
|
||||||
assert assertFunc
|
|
||||||
}{
|
|
||||||
{
|
|
||||||
name: "no args",
|
|
||||||
args: "create secret git",
|
|
||||||
assert: assertError("name is required"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "basic secret",
|
|
||||||
args: "create secret git podinfo-auth --url=https://github.com/stefanprodan/podinfo --username=my-username --password=my-password --namespace=my-namespace --export",
|
|
||||||
assert: assertGoldenFile("./testdata/create_secret/git/secret-git-basic.yaml"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "ssh key",
|
|
||||||
args: "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/ecdsa.private --namespace=my-namespace --export",
|
|
||||||
assert: assertGoldenFile("testdata/create_secret/git/git-ssh-secret.yaml"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "ssh key with password",
|
|
||||||
args: "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/ecdsa-password.private --password=password --namespace=my-namespace --export",
|
|
||||||
assert: assertGoldenFile("testdata/create_secret/git/git-ssh-secret-password.yaml"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "git authentication with bearer token",
|
|
||||||
args: "create secret git bearer-token-auth --url=https://github.com/stefanprodan/podinfo --bearer-token=ghp_baR2qnFF0O41WlucePL3udt2N9vVZS4R0hAS --namespace=my-namespace --export",
|
|
||||||
assert: assertGoldenFile("testdata/create_secret/git/git-bearer-token.yaml"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "git authentication with CA certificate",
|
|
||||||
args: fmt.Sprintf("create secret git ca-crt --url=https://github.com/stefanprodan/podinfo --password=my-password --username=my-username --ca-crt-file=%s --namespace=my-namespace --export", file.Name()),
|
|
||||||
assert: assertGoldenFile("testdata/create_secret/git/secret-ca-crt.yaml"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "git authentication with basic auth and bearer token",
|
|
||||||
args: "create secret git podinfo-auth --url=https://github.com/stefanprodan/podinfo --username=aaa --password=zzzz --bearer-token=aaaa --namespace=my-namespace --export",
|
|
||||||
assert: assertError("user credentials and bearer token cannot be used together"),
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, tt := range tests {
|
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
|
||||||
cmd := cmdTestCase{
|
|
||||||
args: tt.args,
|
|
||||||
assert: tt.assert,
|
|
||||||
}
|
|
||||||
cmd.runTestCmd(t)
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@ -1,128 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2024 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
"fmt"
|
|
||||||
"os"
|
|
||||||
|
|
||||||
"github.com/fluxcd/flux2/v2/internal/utils"
|
|
||||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
|
|
||||||
"github.com/spf13/cobra"
|
|
||||||
corev1 "k8s.io/api/core/v1"
|
|
||||||
"sigs.k8s.io/yaml"
|
|
||||||
)
|
|
||||||
|
|
||||||
var createSecretGitHubAppCmd = &cobra.Command{
|
|
||||||
Use: "githubapp [name]",
|
|
||||||
Short: "Create or update a github app secret",
|
|
||||||
Long: withPreviewNote(`The create secret githubapp command generates a Kubernetes secret that can be used for GitRepository authentication with github app`),
|
|
||||||
Example: ` # Create a githubapp authentication secret on disk and encrypt it with Mozilla SOPS
|
|
||||||
flux create secret githubapp podinfo-auth \
|
|
||||||
--app-id="1" \
|
|
||||||
--app-installation-id="2" \
|
|
||||||
--app-private-key=./private-key-file.pem \
|
|
||||||
--export > githubapp-auth.yaml
|
|
||||||
|
|
||||||
sops --encrypt --encrypted-regex '^(data|stringData)$' \
|
|
||||||
--in-place githubapp-auth.yaml
|
|
||||||
`,
|
|
||||||
RunE: createSecretGitHubAppCmdRun,
|
|
||||||
}
|
|
||||||
|
|
||||||
type secretGitHubAppFlags struct {
|
|
||||||
appID string
|
|
||||||
appInstallationID string
|
|
||||||
privateKeyFile string
|
|
||||||
baseURL string
|
|
||||||
}
|
|
||||||
|
|
||||||
var secretGitHubAppArgs = secretGitHubAppFlags{}
|
|
||||||
|
|
||||||
func init() {
|
|
||||||
createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.appID, "app-id", "", "github app ID")
|
|
||||||
createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.appInstallationID, "app-installation-id", "", "github app installation ID")
|
|
||||||
createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.privateKeyFile, "app-private-key", "", "github app private key file path")
|
|
||||||
createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.baseURL, "app-base-url", "", "github app base URL")
|
|
||||||
|
|
||||||
createSecretCmd.AddCommand(createSecretGitHubAppCmd)
|
|
||||||
}
|
|
||||||
|
|
||||||
func createSecretGitHubAppCmdRun(cmd *cobra.Command, args []string) error {
|
|
||||||
if len(args) < 1 {
|
|
||||||
return fmt.Errorf("name is required")
|
|
||||||
}
|
|
||||||
|
|
||||||
secretName := args[0]
|
|
||||||
|
|
||||||
if secretGitHubAppArgs.appID == "" {
|
|
||||||
return fmt.Errorf("--app-id is required")
|
|
||||||
}
|
|
||||||
|
|
||||||
if secretGitHubAppArgs.appInstallationID == "" {
|
|
||||||
return fmt.Errorf("--app-installation-id is required")
|
|
||||||
}
|
|
||||||
|
|
||||||
if secretGitHubAppArgs.privateKeyFile == "" {
|
|
||||||
return fmt.Errorf("--app-private-key is required")
|
|
||||||
}
|
|
||||||
|
|
||||||
privateKey, err := os.ReadFile(secretGitHubAppArgs.privateKeyFile)
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("unable to read private key file: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
opts := sourcesecret.Options{
|
|
||||||
Name: secretName,
|
|
||||||
Namespace: *kubeconfigArgs.Namespace,
|
|
||||||
GitHubAppID: secretGitHubAppArgs.appID,
|
|
||||||
GitHubAppInstallationID: secretGitHubAppArgs.appInstallationID,
|
|
||||||
GitHubAppPrivateKey: string(privateKey),
|
|
||||||
}
|
|
||||||
|
|
||||||
if secretGitHubAppArgs.baseURL != "" {
|
|
||||||
opts.GitHubAppBaseURL = secretGitHubAppArgs.baseURL
|
|
||||||
}
|
|
||||||
|
|
||||||
secret, err := sourcesecret.Generate(opts)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
if createArgs.export {
|
|
||||||
rootCmd.Println(secret.Content)
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
|
|
||||||
defer cancel()
|
|
||||||
kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
var s corev1.Secret
|
|
||||||
if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
if err := upsertSecret(ctx, kubeClient, s); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
logger.Actionf("githubapp secret '%s' created in '%s' namespace", secretName, *kubeconfigArgs.Namespace)
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
@ -1,74 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2022 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"testing"
|
|
||||||
)
|
|
||||||
|
|
||||||
func TestCreateSecretGitHubApp(t *testing.T) {
|
|
||||||
tests := []struct {
|
|
||||||
name string
|
|
||||||
args string
|
|
||||||
assert assertFunc
|
|
||||||
}{
|
|
||||||
{
|
|
||||||
name: "create githubapp secret with missing name",
|
|
||||||
args: "create secret githubapp",
|
|
||||||
assert: assertError("name is required"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "create githubapp secret with missing app-id",
|
|
||||||
args: "create secret githubapp appinfo",
|
|
||||||
assert: assertError("--app-id is required"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "create githubapp secret with missing appInstallationID",
|
|
||||||
args: "create secret githubapp appinfo --app-id 1",
|
|
||||||
assert: assertError("--app-installation-id is required"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "create githubapp secret with missing private key file",
|
|
||||||
args: "create secret githubapp appinfo --app-id 1 --app-installation-id 2",
|
|
||||||
assert: assertError("--app-private-key is required"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "create githubapp secret with private key file that does not exist",
|
|
||||||
args: "create secret githubapp appinfo --app-id 1 --app-installation-id 2 --app-private-key pk.pem",
|
|
||||||
assert: assertError("unable to read private key file: open pk.pem: no such file or directory"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "create githubapp secret with app info",
|
|
||||||
args: "create secret githubapp appinfo --namespace my-namespace --app-id 1 --app-installation-id 2 --app-private-key ./testdata/create_secret/githubapp/test-private-key.pem --export",
|
|
||||||
assert: assertGoldenFile("testdata/create_secret/githubapp/secret.yaml"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "create githubapp secret with appinfo and base url",
|
|
||||||
args: "create secret githubapp appinfo --namespace my-namespace --app-id 1 --app-installation-id 2 --app-private-key ./testdata/create_secret/githubapp/test-private-key.pem --app-base-url www.example.com/api/v3 --export",
|
|
||||||
assert: assertGoldenFile("testdata/create_secret/githubapp/secret-with-baseurl.yaml"),
|
|
||||||
},
|
|
||||||
}
|
|
||||||
for _, tt := range tests {
|
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
|
||||||
cmd := cmdTestCase{
|
|
||||||
args: tt.args,
|
|
||||||
assert: tt.assert,
|
|
||||||
}
|
|
||||||
cmd.runTestCmd(t)
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@ -1,47 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2022 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"testing"
|
|
||||||
)
|
|
||||||
|
|
||||||
func TestCreateHelmSecret(t *testing.T) {
|
|
||||||
tests := []struct {
|
|
||||||
name string
|
|
||||||
args string
|
|
||||||
assert assertFunc
|
|
||||||
}{
|
|
||||||
{
|
|
||||||
args: "create secret helm",
|
|
||||||
assert: assertError("name is required"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
args: "create secret helm helm-secret --username=my-username --password=my-password --namespace=my-namespace --export",
|
|
||||||
assert: assertGoldenFile("testdata/create_secret/helm/secret-helm.yaml"),
|
|
||||||
},
|
|
||||||
}
|
|
||||||
for _, tt := range tests {
|
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
|
||||||
cmd := cmdTestCase{
|
|
||||||
args: tt.args,
|
|
||||||
assert: tt.assert,
|
|
||||||
}
|
|
||||||
cmd.runTestCmd(t)
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@ -1,161 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2024 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
"encoding/json"
|
|
||||||
"errors"
|
|
||||||
"fmt"
|
|
||||||
"os"
|
|
||||||
"path/filepath"
|
|
||||||
"strings"
|
|
||||||
|
|
||||||
"github.com/fluxcd/flux2/v2/internal/utils"
|
|
||||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
|
|
||||||
"github.com/notaryproject/notation-go/verifier/trustpolicy"
|
|
||||||
"github.com/spf13/cobra"
|
|
||||||
corev1 "k8s.io/api/core/v1"
|
|
||||||
"sigs.k8s.io/yaml"
|
|
||||||
)
|
|
||||||
|
|
||||||
var createSecretNotationCmd = &cobra.Command{
|
|
||||||
Use: "notation [name]",
|
|
||||||
Short: "Create or update a Kubernetes secret for verifications of artifacts signed by Notation",
|
|
||||||
Long: withPreviewNote(`The create secret notation command generates a Kubernetes secret with root ca certificates and trust policy.`),
|
|
||||||
Example: ` # Create a Notation configuration secret on disk and encrypt it with Mozilla SOPS
|
|
||||||
flux create secret notation my-notation-cert \
|
|
||||||
--namespace=my-namespace \
|
|
||||||
--trust-policy-file=./my-trust-policy.json \
|
|
||||||
--ca-cert-file=./my-cert.crt \
|
|
||||||
--export > my-notation-cert.yaml
|
|
||||||
|
|
||||||
sops --encrypt --encrypted-regex '^(data|stringData)$' \
|
|
||||||
--in-place my-notation-cert.yaml`,
|
|
||||||
|
|
||||||
RunE: createSecretNotationCmdRun,
|
|
||||||
}
|
|
||||||
|
|
||||||
type secretNotationFlags struct {
|
|
||||||
trustPolicyFile string
|
|
||||||
caCrtFile []string
|
|
||||||
}
|
|
||||||
|
|
||||||
var secretNotationArgs secretNotationFlags
|
|
||||||
|
|
||||||
func init() {
|
|
||||||
createSecretNotationCmd.Flags().StringVar(&secretNotationArgs.trustPolicyFile, "trust-policy-file", "", "notation trust policy file path")
|
|
||||||
createSecretNotationCmd.Flags().StringSliceVar(&secretNotationArgs.caCrtFile, "ca-cert-file", []string{}, "root ca cert file path")
|
|
||||||
|
|
||||||
createSecretCmd.AddCommand(createSecretNotationCmd)
|
|
||||||
}
|
|
||||||
|
|
||||||
func createSecretNotationCmdRun(cmd *cobra.Command, args []string) error {
|
|
||||||
if len(args) < 1 {
|
|
||||||
return fmt.Errorf("name is required")
|
|
||||||
}
|
|
||||||
|
|
||||||
if secretNotationArgs.caCrtFile == nil || len(secretNotationArgs.caCrtFile) == 0 {
|
|
||||||
return fmt.Errorf("--ca-cert-file is required")
|
|
||||||
}
|
|
||||||
|
|
||||||
if secretNotationArgs.trustPolicyFile == "" {
|
|
||||||
return fmt.Errorf("--trust-policy-file is required")
|
|
||||||
}
|
|
||||||
|
|
||||||
name := args[0]
|
|
||||||
|
|
||||||
labels, err := parseLabels()
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
policy, err := os.ReadFile(secretNotationArgs.trustPolicyFile)
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("unable to read trust policy file: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
var doc trustpolicy.Document
|
|
||||||
|
|
||||||
if err := json.Unmarshal(policy, &doc); err != nil {
|
|
||||||
return fmt.Errorf("failed to unmarshal trust policy %s: %w", secretNotationArgs.trustPolicyFile, err)
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := doc.Validate(); err != nil {
|
|
||||||
return fmt.Errorf("invalid trust policy: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
var (
|
|
||||||
caCerts []sourcesecret.VerificationCrt
|
|
||||||
fileErr error
|
|
||||||
)
|
|
||||||
for _, caCrtFile := range secretNotationArgs.caCrtFile {
|
|
||||||
fileName := filepath.Base(caCrtFile)
|
|
||||||
if !strings.HasSuffix(fileName, ".crt") && !strings.HasSuffix(fileName, ".pem") {
|
|
||||||
fileErr = errors.Join(fileErr, fmt.Errorf("%s must end with either .crt or .pem", fileName))
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
caBundle, err := os.ReadFile(caCrtFile)
|
|
||||||
if err != nil {
|
|
||||||
fileErr = errors.Join(fileErr, fmt.Errorf("unable to read TLS CA file: %w", err))
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
caCerts = append(caCerts, sourcesecret.VerificationCrt{Name: fileName, CACrt: caBundle})
|
|
||||||
}
|
|
||||||
|
|
||||||
if fileErr != nil {
|
|
||||||
return fileErr
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(caCerts) == 0 {
|
|
||||||
return fmt.Errorf("no CA certs found")
|
|
||||||
}
|
|
||||||
|
|
||||||
opts := sourcesecret.Options{
|
|
||||||
Name: name,
|
|
||||||
Namespace: *kubeconfigArgs.Namespace,
|
|
||||||
Labels: labels,
|
|
||||||
VerificationCrts: caCerts,
|
|
||||||
TrustPolicy: policy,
|
|
||||||
}
|
|
||||||
secret, err := sourcesecret.Generate(opts)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
if createArgs.export {
|
|
||||||
rootCmd.Println(secret.Content)
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
|
|
||||||
defer cancel()
|
|
||||||
kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
var s corev1.Secret
|
|
||||||
if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
if err := upsertSecret(ctx, kubeClient, s); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
logger.Actionf("notation configuration secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
@ -1,124 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2024 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"fmt"
|
|
||||||
"os"
|
|
||||||
"path/filepath"
|
|
||||||
"testing"
|
|
||||||
)
|
|
||||||
|
|
||||||
const (
|
|
||||||
trustPolicy = "./testdata/create_secret/notation/test-trust-policy.json"
|
|
||||||
invalidTrustPolicy = "./testdata/create_secret/notation/invalid-trust-policy.json"
|
|
||||||
invalidJson = "./testdata/create_secret/notation/invalid.json"
|
|
||||||
testCertFolder = "./testdata/create_secret/notation"
|
|
||||||
)
|
|
||||||
|
|
||||||
func TestCreateNotationSecret(t *testing.T) {
|
|
||||||
crt, err := os.Create(filepath.Join(t.TempDir(), "ca.crt"))
|
|
||||||
if err != nil {
|
|
||||||
t.Fatal("could not create ca.crt file")
|
|
||||||
}
|
|
||||||
|
|
||||||
pem, err := os.Create(filepath.Join(t.TempDir(), "ca.pem"))
|
|
||||||
if err != nil {
|
|
||||||
t.Fatal("could not create ca.pem file")
|
|
||||||
}
|
|
||||||
|
|
||||||
invalidCert, err := os.Create(filepath.Join(t.TempDir(), "ca.p12"))
|
|
||||||
if err != nil {
|
|
||||||
t.Fatal("could not create ca.p12 file")
|
|
||||||
}
|
|
||||||
|
|
||||||
_, err = crt.Write([]byte("ca-data-crt"))
|
|
||||||
if err != nil {
|
|
||||||
t.Fatal("could not write to crt certificate file")
|
|
||||||
}
|
|
||||||
|
|
||||||
_, err = pem.Write([]byte("ca-data-pem"))
|
|
||||||
if err != nil {
|
|
||||||
t.Fatal("could not write to pem certificate file")
|
|
||||||
}
|
|
||||||
|
|
||||||
tests := []struct {
|
|
||||||
name string
|
|
||||||
args string
|
|
||||||
assert assertFunc
|
|
||||||
}{
|
|
||||||
{
|
|
||||||
name: "no args",
|
|
||||||
args: "create secret notation",
|
|
||||||
assert: assertError("name is required"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "no trust policy",
|
|
||||||
args: fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s", testCertFolder),
|
|
||||||
assert: assertError("--trust-policy-file is required"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "no cert",
|
|
||||||
args: fmt.Sprintf("create secret notation notation-config --trust-policy-file=%s", trustPolicy),
|
|
||||||
assert: assertError("--ca-cert-file is required"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "non pem and crt cert",
|
|
||||||
args: fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", invalidCert.Name(), trustPolicy),
|
|
||||||
assert: assertError("ca.p12 must end with either .crt or .pem"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "invalid trust policy",
|
|
||||||
args: fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", t.TempDir(), invalidTrustPolicy),
|
|
||||||
assert: assertError("invalid trust policy: trust policy: a trust policy statement is missing a name, every statement requires a name"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "invalid trust policy json",
|
|
||||||
args: fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", t.TempDir(), invalidJson),
|
|
||||||
assert: assertError(fmt.Sprintf("failed to unmarshal trust policy %s: json: cannot unmarshal string into Go value of type trustpolicy.Document", invalidJson)),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "crt secret",
|
|
||||||
args: fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s --namespace=my-namespace --export", crt.Name(), trustPolicy),
|
|
||||||
assert: assertGoldenFile("./testdata/create_secret/notation/secret-ca-crt.yaml"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "pem secret",
|
|
||||||
args: fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s --namespace=my-namespace --export", pem.Name(), trustPolicy),
|
|
||||||
assert: assertGoldenFile("./testdata/create_secret/notation/secret-ca-pem.yaml"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "multi secret",
|
|
||||||
args: fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --ca-cert-file=%s --trust-policy-file=%s --namespace=my-namespace --export", crt.Name(), pem.Name(), trustPolicy),
|
|
||||||
assert: assertGoldenFile("./testdata/create_secret/notation/secret-ca-multi.yaml"),
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, tt := range tests {
|
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
|
||||||
defer func() {
|
|
||||||
secretNotationArgs = secretNotationFlags{}
|
|
||||||
}()
|
|
||||||
|
|
||||||
cmd := cmdTestCase{
|
|
||||||
args: tt.args,
|
|
||||||
assert: tt.assert,
|
|
||||||
}
|
|
||||||
cmd.runTestCmd(t)
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@ -1,121 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2022 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
"fmt"
|
|
||||||
|
|
||||||
"github.com/fluxcd/flux2/v2/internal/utils"
|
|
||||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
|
|
||||||
"github.com/google/go-containerregistry/pkg/name"
|
|
||||||
"github.com/spf13/cobra"
|
|
||||||
corev1 "k8s.io/api/core/v1"
|
|
||||||
"sigs.k8s.io/yaml"
|
|
||||||
)
|
|
||||||
|
|
||||||
var createSecretOCICmd = &cobra.Command{
|
|
||||||
Use: "oci [name]",
|
|
||||||
Short: "Create or update a Kubernetes image pull secret",
|
|
||||||
Long: withPreviewNote(`The create secret oci command generates a Kubernetes secret that can be used for OCIRepository authentication`),
|
|
||||||
Example: ` # Create an OCI authentication secret on disk and encrypt it with Mozilla SOPS
|
|
||||||
flux create secret oci podinfo-auth \
|
|
||||||
--url=ghcr.io \
|
|
||||||
--username=username \
|
|
||||||
--password=password \
|
|
||||||
--export > repo-auth.yaml
|
|
||||||
|
|
||||||
sops --encrypt --encrypted-regex '^(data|stringData)$' \
|
|
||||||
--in-place repo-auth.yaml
|
|
||||||
`,
|
|
||||||
RunE: createSecretOCICmdRun,
|
|
||||||
}
|
|
||||||
|
|
||||||
type secretOCIFlags struct {
|
|
||||||
url string
|
|
||||||
password string
|
|
||||||
username string
|
|
||||||
}
|
|
||||||
|
|
||||||
var secretOCIArgs = secretOCIFlags{}
|
|
||||||
|
|
||||||
func init() {
|
|
||||||
createSecretOCICmd.Flags().StringVar(&secretOCIArgs.url, "url", "", "oci repository address e.g ghcr.io/stefanprodan/charts")
|
|
||||||
createSecretOCICmd.Flags().StringVarP(&secretOCIArgs.username, "username", "u", "", "basic authentication username")
|
|
||||||
createSecretOCICmd.Flags().StringVarP(&secretOCIArgs.password, "password", "p", "", "basic authentication password")
|
|
||||||
|
|
||||||
createSecretCmd.AddCommand(createSecretOCICmd)
|
|
||||||
}
|
|
||||||
|
|
||||||
func createSecretOCICmdRun(cmd *cobra.Command, args []string) error {
|
|
||||||
if len(args) < 1 {
|
|
||||||
return fmt.Errorf("name is required")
|
|
||||||
}
|
|
||||||
|
|
||||||
secretName := args[0]
|
|
||||||
|
|
||||||
if secretOCIArgs.url == "" {
|
|
||||||
return fmt.Errorf("--url is required")
|
|
||||||
}
|
|
||||||
|
|
||||||
if secretOCIArgs.username == "" {
|
|
||||||
return fmt.Errorf("--username is required")
|
|
||||||
}
|
|
||||||
|
|
||||||
if secretOCIArgs.password == "" {
|
|
||||||
return fmt.Errorf("--password is required")
|
|
||||||
}
|
|
||||||
|
|
||||||
if _, err := name.ParseReference(secretOCIArgs.url); err != nil {
|
|
||||||
return fmt.Errorf("error parsing url: '%s'", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
opts := sourcesecret.Options{
|
|
||||||
Name: secretName,
|
|
||||||
Namespace: *kubeconfigArgs.Namespace,
|
|
||||||
Registry: secretOCIArgs.url,
|
|
||||||
Password: secretOCIArgs.password,
|
|
||||||
Username: secretOCIArgs.username,
|
|
||||||
}
|
|
||||||
|
|
||||||
secret, err := sourcesecret.Generate(opts)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
if createArgs.export {
|
|
||||||
rootCmd.Println(secret.Content)
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
|
|
||||||
defer cancel()
|
|
||||||
kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
var s corev1.Secret
|
|
||||||
if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
if err := upsertSecret(ctx, kubeClient, s); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
logger.Actionf("oci secret '%s' created in '%s' namespace", secretName, *kubeconfigArgs.Namespace)
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
@ -1,51 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2022 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"testing"
|
|
||||||
)
|
|
||||||
|
|
||||||
func TestCreateSecretOCI(t *testing.T) {
|
|
||||||
tests := []struct {
|
|
||||||
name string
|
|
||||||
args string
|
|
||||||
assert assertFunc
|
|
||||||
}{
|
|
||||||
{
|
|
||||||
args: "create secret oci",
|
|
||||||
assert: assertError("name is required"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
args: "create secret oci ghcr",
|
|
||||||
assert: assertError("--url is required"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
args: "create secret oci ghcr --namespace=my-namespace --url ghcr.io --username stefanprodan --password=password --export",
|
|
||||||
assert: assertGoldenFile("testdata/create_secret/oci/create-secret.yaml"),
|
|
||||||
},
|
|
||||||
}
|
|
||||||
for _, tt := range tests {
|
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
|
||||||
cmd := cmdTestCase{
|
|
||||||
args: tt.args,
|
|
||||||
assert: tt.assert,
|
|
||||||
}
|
|
||||||
cmd.runTestCmd(t)
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@ -1,112 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2024 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
"errors"
|
|
||||||
|
|
||||||
"github.com/spf13/cobra"
|
|
||||||
corev1 "k8s.io/api/core/v1"
|
|
||||||
"sigs.k8s.io/yaml"
|
|
||||||
|
|
||||||
"github.com/fluxcd/flux2/v2/internal/utils"
|
|
||||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
|
|
||||||
)
|
|
||||||
|
|
||||||
var createSecretProxyCmd = &cobra.Command{
|
|
||||||
Use: "proxy [name]",
|
|
||||||
Short: "Create or update a Kubernetes secret for proxy authentication",
|
|
||||||
Long: `The create secret proxy command generates a Kubernetes secret with the
|
|
||||||
proxy address and the basic authentication credentials.`,
|
|
||||||
Example: ` # Create a proxy secret on disk and encrypt it with SOPS
|
|
||||||
flux create secret proxy my-proxy \
|
|
||||||
--namespace=my-namespace \
|
|
||||||
--address=https://my-proxy.com \
|
|
||||||
--username=my-username \
|
|
||||||
--password=my-password \
|
|
||||||
--export > proxy.yaml
|
|
||||||
|
|
||||||
sops --encrypt --encrypted-regex '^(data|stringData)$' \
|
|
||||||
--in-place proxy.yaml`,
|
|
||||||
|
|
||||||
RunE: createSecretProxyCmdRun,
|
|
||||||
}
|
|
||||||
|
|
||||||
type secretProxyFlags struct {
|
|
||||||
address string
|
|
||||||
username string
|
|
||||||
password string
|
|
||||||
}
|
|
||||||
|
|
||||||
var secretProxyArgs secretProxyFlags
|
|
||||||
|
|
||||||
func init() {
|
|
||||||
createSecretProxyCmd.Flags().StringVar(&secretProxyArgs.address, "address", "", "proxy address")
|
|
||||||
createSecretProxyCmd.Flags().StringVarP(&secretProxyArgs.username, "username", "u", "", "basic authentication username")
|
|
||||||
createSecretProxyCmd.Flags().StringVarP(&secretProxyArgs.password, "password", "p", "", "basic authentication password")
|
|
||||||
|
|
||||||
createSecretCmd.AddCommand(createSecretProxyCmd)
|
|
||||||
}
|
|
||||||
|
|
||||||
func createSecretProxyCmdRun(cmd *cobra.Command, args []string) error {
|
|
||||||
name := args[0]
|
|
||||||
|
|
||||||
labels, err := parseLabels()
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
if secretProxyArgs.address == "" {
|
|
||||||
return errors.New("address is required")
|
|
||||||
}
|
|
||||||
|
|
||||||
opts := sourcesecret.Options{
|
|
||||||
Name: name,
|
|
||||||
Namespace: *kubeconfigArgs.Namespace,
|
|
||||||
Labels: labels,
|
|
||||||
Address: secretProxyArgs.address,
|
|
||||||
Username: secretProxyArgs.username,
|
|
||||||
Password: secretProxyArgs.password,
|
|
||||||
}
|
|
||||||
secret, err := sourcesecret.Generate(opts)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
if createArgs.export {
|
|
||||||
rootCmd.Println(secret.Content)
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
|
|
||||||
defer cancel()
|
|
||||||
kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
var s corev1.Secret
|
|
||||||
if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
if err := upsertSecret(ctx, kubeClient, s); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
logger.Actionf("proxy secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
@ -1,47 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2024 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"testing"
|
|
||||||
)
|
|
||||||
|
|
||||||
func TestCreateProxySecret(t *testing.T) {
|
|
||||||
tests := []struct {
|
|
||||||
name string
|
|
||||||
args string
|
|
||||||
assert assertFunc
|
|
||||||
}{
|
|
||||||
{
|
|
||||||
args: "create secret proxy proxy-secret",
|
|
||||||
assert: assertError("address is required"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
args: "create secret proxy proxy-secret --address=https://my-proxy.com --username=my-username --password=my-password --namespace=my-namespace --export",
|
|
||||||
assert: assertGoldenFile("testdata/create_secret/proxy/secret-proxy.yaml"),
|
|
||||||
},
|
|
||||||
}
|
|
||||||
for _, tt := range tests {
|
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
|
||||||
cmd := cmdTestCase{
|
|
||||||
args: tt.args,
|
|
||||||
assert: tt.assert,
|
|
||||||
}
|
|
||||||
cmd.runTestCmd(t)
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@ -1,122 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2020, 2021 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
"fmt"
|
|
||||||
"os"
|
|
||||||
|
|
||||||
"github.com/spf13/cobra"
|
|
||||||
corev1 "k8s.io/api/core/v1"
|
|
||||||
"sigs.k8s.io/yaml"
|
|
||||||
|
|
||||||
"github.com/fluxcd/flux2/v2/internal/utils"
|
|
||||||
"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
|
|
||||||
)
|
|
||||||
|
|
||||||
var createSecretTLSCmd = &cobra.Command{
|
|
||||||
Use: "tls [name]",
|
|
||||||
Short: "Create or update a Kubernetes secret with TLS certificates",
|
|
||||||
Long: `The create secret tls command generates a Kubernetes secret with certificates for use with TLS.`,
|
|
||||||
Example: ` # Create a TLS secret on disk and encrypt it with SOPS.
|
|
||||||
# Files are expected to be PEM-encoded.
|
|
||||||
flux create secret tls certs \
|
|
||||||
--namespace=my-namespace \
|
|
||||||
--tls-crt-file=./client.crt \
|
|
||||||
--tls-key-file=./client.key \
|
|
||||||
--ca-crt-file=./ca.crt \
|
|
||||||
--export > certs.yaml
|
|
||||||
|
|
||||||
sops --encrypt --encrypted-regex '^(data|stringData)$' \
|
|
||||||
--in-place certs.yaml`,
|
|
||||||
RunE: createSecretTLSCmdRun,
|
|
||||||
}
|
|
||||||
|
|
||||||
type secretTLSFlags struct {
|
|
||||||
caCrtFile string
|
|
||||||
tlsKeyFile string
|
|
||||||
tlsCrtFile string
|
|
||||||
}
|
|
||||||
|
|
||||||
var secretTLSArgs secretTLSFlags
|
|
||||||
|
|
||||||
func init() {
|
|
||||||
createSecretTLSCmd.Flags().StringVar(&secretTLSArgs.tlsCrtFile, "tls-crt-file", "", "TLS authentication cert file path")
|
|
||||||
createSecretTLSCmd.Flags().StringVar(&secretTLSArgs.tlsKeyFile, "tls-key-file", "", "TLS authentication key file path")
|
|
||||||
createSecretTLSCmd.Flags().StringVar(&secretTLSArgs.caCrtFile, "ca-crt-file", "", "TLS authentication CA file path")
|
|
||||||
|
|
||||||
createSecretCmd.AddCommand(createSecretTLSCmd)
|
|
||||||
}
|
|
||||||
|
|
||||||
func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
|
|
||||||
name := args[0]
|
|
||||||
|
|
||||||
labels, err := parseLabels()
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
opts := sourcesecret.Options{
|
|
||||||
Name: name,
|
|
||||||
Namespace: *kubeconfigArgs.Namespace,
|
|
||||||
Labels: labels,
|
|
||||||
}
|
|
||||||
|
|
||||||
if secretTLSArgs.caCrtFile != "" {
|
|
||||||
opts.CACrt, err = os.ReadFile(secretTLSArgs.caCrtFile)
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("unable to read TLS CA file: %w", err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if secretTLSArgs.tlsCrtFile != "" && secretTLSArgs.tlsKeyFile != "" {
|
|
||||||
if opts.TLSCrt, err = os.ReadFile(secretTLSArgs.tlsCrtFile); err != nil {
|
|
||||||
return fmt.Errorf("failed to read cert file: %w", err)
|
|
||||||
}
|
|
||||||
if opts.TLSKey, err = os.ReadFile(secretTLSArgs.tlsKeyFile); err != nil {
|
|
||||||
return fmt.Errorf("failed to read key file: %w", err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
secret, err := sourcesecret.Generate(opts)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
if createArgs.export {
|
|
||||||
rootCmd.Print(secret.Content)
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
|
|
||||||
defer cancel()
|
|
||||||
kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
var s corev1.Secret
|
|
||||||
if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
if err := upsertSecret(ctx, kubeClient, s); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
logger.Actionf("tls secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
@ -1,31 +0,0 @@
|
|||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"testing"
|
|
||||||
)
|
|
||||||
|
|
||||||
func TestCreateTlsSecret(t *testing.T) {
|
|
||||||
tests := []struct {
|
|
||||||
name string
|
|
||||||
args string
|
|
||||||
assert assertFunc
|
|
||||||
}{
|
|
||||||
{
|
|
||||||
args: "create secret tls",
|
|
||||||
assert: assertError("name is required"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
args: "create secret tls certs --namespace=my-namespace --tls-crt-file=./testdata/create_secret/tls/test-cert.pem --tls-key-file=./testdata/create_secret/tls/test-key.pem --ca-crt-file=./testdata/create_secret/tls/test-ca.pem --export",
|
|
||||||
assert: assertGoldenFile("testdata/create_secret/tls/secret-tls.yaml"),
|
|
||||||
},
|
|
||||||
}
|
|
||||||
for _, tt := range tests {
|
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
|
||||||
cmd := cmdTestCase{
|
|
||||||
args: tt.args,
|
|
||||||
assert: tt.assert,
|
|
||||||
}
|
|
||||||
cmd.runTestCmd(t)
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@ -1,217 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2024 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
"fmt"
|
|
||||||
|
|
||||||
"github.com/spf13/cobra"
|
|
||||||
"k8s.io/apimachinery/pkg/api/errors"
|
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
||||||
"k8s.io/apimachinery/pkg/types"
|
|
||||||
"k8s.io/apimachinery/pkg/util/wait"
|
|
||||||
"sigs.k8s.io/controller-runtime/pkg/client"
|
|
||||||
|
|
||||||
"github.com/fluxcd/pkg/apis/meta"
|
|
||||||
sourcev1 "github.com/fluxcd/source-controller/api/v1"
|
|
||||||
|
|
||||||
"github.com/fluxcd/flux2/v2/internal/flags"
|
|
||||||
"github.com/fluxcd/flux2/v2/internal/utils"
|
|
||||||
)
|
|
||||||
|
|
||||||
var createSourceChartCmd = &cobra.Command{
|
|
||||||
Use: "chart [name]",
|
|
||||||
Short: "Create or update a HelmChart source",
|
|
||||||
Long: `The create source chart command generates a HelmChart resource and waits for the chart to be available.`,
|
|
||||||
Example: ` # Create a source for a chart residing in a HelmRepository
|
|
||||||
flux create source chart podinfo \
|
|
||||||
--source=HelmRepository/podinfo \
|
|
||||||
--chart=podinfo \
|
|
||||||
--chart-version=6.x
|
|
||||||
|
|
||||||
# Create a source for a chart residing in a Git repository
|
|
||||||
flux create source chart podinfo \
|
|
||||||
--source=GitRepository/podinfo \
|
|
||||||
--chart=./charts/podinfo
|
|
||||||
|
|
||||||
# Create a source for a chart residing in a S3 Bucket
|
|
||||||
flux create source chart podinfo \
|
|
||||||
--source=Bucket/podinfo \
|
|
||||||
--chart=./charts/podinfo
|
|
||||||
|
|
||||||
# Create a source for a chart from OCI and verify its signature
|
|
||||||
flux create source chart podinfo \
|
|
||||||
--source HelmRepository/podinfo \
|
|
||||||
--chart podinfo \
|
|
||||||
--chart-version=6.6.2 \
|
|
||||||
--verify-provider=cosign \
|
|
||||||
--verify-issuer=https://token.actions.githubusercontent.com \
|
|
||||||
--verify-subject=https://github.com/stefanprodan/podinfo/.github/workflows/release.yml@refs/tags/6.6.2`,
|
|
||||||
RunE: createSourceChartCmdRun,
|
|
||||||
}
|
|
||||||
|
|
||||||
type sourceChartFlags struct {
|
|
||||||
chart string
|
|
||||||
chartVersion string
|
|
||||||
source flags.LocalHelmChartSource
|
|
||||||
reconcileStrategy string
|
|
||||||
verifyProvider flags.SourceOCIVerifyProvider
|
|
||||||
verifySecretRef string
|
|
||||||
verifyOIDCIssuer string
|
|
||||||
verifySubject string
|
|
||||||
}
|
|
||||||
|
|
||||||
var sourceChartArgs sourceChartFlags
|
|
||||||
|
|
||||||
func init() {
|
|
||||||
createSourceChartCmd.Flags().StringVar(&sourceChartArgs.chart, "chart", "", "Helm chart name or path")
|
|
||||||
createSourceChartCmd.Flags().StringVar(&sourceChartArgs.chartVersion, "chart-version", "", "Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)")
|
|
||||||
createSourceChartCmd.Flags().Var(&sourceChartArgs.source, "source", sourceChartArgs.source.Description())
|
|
||||||
createSourceChartCmd.Flags().StringVar(&sourceChartArgs.reconcileStrategy, "reconcile-strategy", "ChartVersion", "the reconcile strategy for helm chart (accepted values: Revision and ChartRevision)")
|
|
||||||
createSourceChartCmd.Flags().Var(&sourceChartArgs.verifyProvider, "verify-provider", sourceOCIRepositoryArgs.verifyProvider.Description())
|
|
||||||
createSourceChartCmd.Flags().StringVar(&sourceChartArgs.verifySecretRef, "verify-secret-ref", "", "the name of a secret to use for signature verification")
|
|
||||||
createSourceChartCmd.Flags().StringVar(&sourceChartArgs.verifySubject, "verify-subject", "", "regular expression to use for the OIDC subject during signature verification")
|
|
||||||
createSourceChartCmd.Flags().StringVar(&sourceChartArgs.verifyOIDCIssuer, "verify-issuer", "", "regular expression to use for the OIDC issuer during signature verification")
|
|
||||||
|
|
||||||
createSourceCmd.AddCommand(createSourceChartCmd)
|
|
||||||
}
|
|
||||||
|
|
||||||
func createSourceChartCmdRun(cmd *cobra.Command, args []string) error {
|
|
||||||
name := args[0]
|
|
||||||
|
|
||||||
if sourceChartArgs.source.Kind == "" || sourceChartArgs.source.Name == "" {
|
|
||||||
return fmt.Errorf("chart source is required")
|
|
||||||
}
|
|
||||||
|
|
||||||
if sourceChartArgs.chart == "" {
|
|
||||||
return fmt.Errorf("chart name or path is required")
|
|
||||||
}
|
|
||||||
|
|
||||||
logger.Generatef("generating HelmChart source")
|
|
||||||
|
|
||||||
sourceLabels, err := parseLabels()
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
helmChart := &sourcev1.HelmChart{
|
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
|
||||||
Name: name,
|
|
||||||
Namespace: *kubeconfigArgs.Namespace,
|
|
||||||
Labels: sourceLabels,
|
|
||||||
},
|
|
||||||
Spec: sourcev1.HelmChartSpec{
|
|
||||||
Chart: sourceChartArgs.chart,
|
|
||||||
Version: sourceChartArgs.chartVersion,
|
|
||||||
Interval: metav1.Duration{
|
|
||||||
Duration: createArgs.interval,
|
|
||||||
},
|
|
||||||
ReconcileStrategy: sourceChartArgs.reconcileStrategy,
|
|
||||||
SourceRef: sourcev1.LocalHelmChartSourceReference{
|
|
||||||
Kind: sourceChartArgs.source.Kind,
|
|
||||||
Name: sourceChartArgs.source.Name,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
if provider := sourceChartArgs.verifyProvider.String(); provider != "" {
|
|
||||||
helmChart.Spec.Verify = &sourcev1.OCIRepositoryVerification{
|
|
||||||
Provider: provider,
|
|
||||||
}
|
|
||||||
if secretName := sourceChartArgs.verifySecretRef; secretName != "" {
|
|
||||||
helmChart.Spec.Verify.SecretRef = &meta.LocalObjectReference{
|
|
||||||
Name: secretName,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
verifyIssuer := sourceChartArgs.verifyOIDCIssuer
|
|
||||||
verifySubject := sourceChartArgs.verifySubject
|
|
||||||
if verifyIssuer != "" || verifySubject != "" {
|
|
||||||
helmChart.Spec.Verify.MatchOIDCIdentity = []sourcev1.OIDCIdentityMatch{{
|
|
||||||
Issuer: verifyIssuer,
|
|
||||||
Subject: verifySubject,
|
|
||||||
}}
|
|
||||||
}
|
|
||||||
} else if sourceChartArgs.verifySecretRef != "" {
|
|
||||||
return fmt.Errorf("a verification provider must be specified when a secret is specified")
|
|
||||||
} else if sourceChartArgs.verifyOIDCIssuer != "" || sourceOCIRepositoryArgs.verifySubject != "" {
|
|
||||||
return fmt.Errorf("a verification provider must be specified when OIDC issuer/subject is specified")
|
|
||||||
}
|
|
||||||
|
|
||||||
if createArgs.export {
|
|
||||||
return printExport(exportHelmChart(helmChart))
|
|
||||||
}
|
|
||||||
|
|
||||||
logger.Actionf("applying HelmChart source")
|
|
||||||
|
|
||||||
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
|
|
||||||
defer cancel()
|
|
||||||
|
|
||||||
kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
namespacedName, err := upsertHelmChart(ctx, kubeClient, helmChart)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
logger.Waitingf("waiting for HelmChart source reconciliation")
|
|
||||||
readyConditionFunc := isObjectReadyConditionFunc(kubeClient, namespacedName, helmChart)
|
|
||||||
if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true, readyConditionFunc); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
logger.Successf("HelmChart source reconciliation completed")
|
|
||||||
|
|
||||||
if helmChart.Status.Artifact == nil {
|
|
||||||
return fmt.Errorf("HelmChart source reconciliation completed but no artifact was found")
|
|
||||||
}
|
|
||||||
logger.Successf("fetched revision: %s", helmChart.Status.Artifact.Revision)
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func upsertHelmChart(ctx context.Context, kubeClient client.Client,
|
|
||||||
helmChart *sourcev1.HelmChart) (types.NamespacedName, error) {
|
|
||||||
namespacedName := types.NamespacedName{
|
|
||||||
Namespace: helmChart.GetNamespace(),
|
|
||||||
Name: helmChart.GetName(),
|
|
||||||
}
|
|
||||||
|
|
||||||
var existing sourcev1.HelmChart
|
|
||||||
err := kubeClient.Get(ctx, namespacedName, &existing)
|
|
||||||
if err != nil {
|
|
||||||
if errors.IsNotFound(err) {
|
|
||||||
if err := kubeClient.Create(ctx, helmChart); err != nil {
|
|
||||||
return namespacedName, err
|
|
||||||
} else {
|
|
||||||
logger.Successf("source created")
|
|
||||||
return namespacedName, nil
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return namespacedName, err
|
|
||||||
}
|
|
||||||
|
|
||||||
existing.Labels = helmChart.Labels
|
|
||||||
existing.Spec = helmChart.Spec
|
|
||||||
if err := kubeClient.Update(ctx, &existing); err != nil {
|
|
||||||
return namespacedName, err
|
|
||||||
}
|
|
||||||
helmChart = &existing
|
|
||||||
logger.Successf("source updated")
|
|
||||||
return namespacedName, nil
|
|
||||||
}
|
|
||||||
@ -1,91 +0,0 @@
|
|||||||
//go:build unit
|
|
||||||
// +build unit
|
|
||||||
|
|
||||||
/*
|
|
||||||
Copyright 2024 The Flux authors
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import "testing"
|
|
||||||
|
|
||||||
func TestCreateSourceChart(t *testing.T) {
|
|
||||||
tmpl := map[string]string{
|
|
||||||
"fluxns": allocateNamespace("flux-system"),
|
|
||||||
}
|
|
||||||
setupSourceChart(t, tmpl)
|
|
||||||
|
|
||||||
tests := []struct {
|
|
||||||
name string
|
|
||||||
args string
|
|
||||||
assert assertFunc
|
|
||||||
}{
|
|
||||||
{
|
|
||||||
name: "missing name",
|
|
||||||
args: "create source chart --export",
|
|
||||||
assert: assertError("name is required"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "missing source reference",
|
|
||||||
args: "create source chart podinfo --export ",
|
|
||||||
assert: assertError("chart source is required"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "missing chart name",
|
|
||||||
args: "create source chart podinfo --source helmrepository/podinfo --export",
|
|
||||||
assert: assertError("chart name or path is required"),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "unknown source kind",
|
|
||||||
args: "create source chart podinfo --source foobar/podinfo --export",
|
|
||||||
assert: assertError(`invalid argument "foobar/podinfo" for "--source" flag: source kind 'foobar' is not supported, must be one of: HelmRepository, GitRepository, Bucket`),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "basic chart",
|
|
||||||
args: "create source chart podinfo --source helmrepository/podinfo --chart podinfo --export",
|
|
||||||
assert: assertGoldenTemplateFile("testdata/create_source_chart/basic.yaml", tmpl),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "chart with basic signature verification",
|
|
||||||
args: "create source chart podinfo --source helmrepository/podinfo --chart podinfo --verify-provider cosign --export",
|
|
||||||
assert: assertGoldenTemplateFile("testdata/create_source_chart/verify_basic.yaml", tmpl),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "unknown signature verification provider",
|
|
||||||
args: "create source chart podinfo --source helmrepository/podinfo --chart podinfo --verify-provider foobar --export",
|
|
||||||
assert: assertError(`invalid argument "foobar" for "--verify-provider" flag: source OCI verify provider 'foobar' is not supported, must be one of: cosign`),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "chart with complete signature verification",
|
|
||||||
args: "create source chart podinfo --source helmrepository/podinfo --chart podinfo --verify-provider cosign --verify-issuer foo --verify-subject bar --export",
|
|
||||||
assert: assertGoldenTemplateFile("testdata/create_source_chart/verify_complete.yaml", tmpl),
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, tt := range tests {
|
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
|
||||||
cmd := cmdTestCase{
|
|
||||||
args: tt.args + " -n " + tmpl["fluxns"],
|
|
||||||
assert: tt.assert,
|
|
||||||
}
|
|
||||||
cmd.runTestCmd(t)
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func setupSourceChart(t *testing.T, tmpl map[string]string) {
|
|
||||||
t.Helper()
|
|
||||||
testEnv.CreateObjectFile("./testdata/create_source_chart/setup-source.yaml", tmpl, t)
|
|
||||||
}
|
|
||||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue