1
0
mirror of synced 2026-07-10 18:50:48 +00:00

Compare commits

..

52 Commits

Author SHA1 Message Date
Hidde Beydals 4c0987a9a6 Concept: encrypt init command for SOPS bootstrap
Signed-off-by: Hidde Beydals <hello@hidde.co>
2021-07-13 00:38:46 +02:00
Hidde Beydals fd364828a1 Merge pull request #1544 from fluxcd/create-target-namespace
Add create target namespace arg to helmrelease cmd
2021-06-18 17:00:05 +02:00
Hidde Beydals afa58d8c08 Merge pull request #1541 from fluxcd/update-components
Update toolkit components
2021-06-18 16:58:35 +02:00
Stefan Prodan 179062876e Add create target namespace arg to helmrelease cmd
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-06-18 17:39:31 +03:00
fluxcdbot a796f3609f Update toolkit components
- helm-controller to v0.11.1
  https://github.com/fluxcd/helm-controller/blob/v0.11.1/CHANGELOG.md
- source-controller to v0.15.1
  https://github.com/fluxcd/source-controller/blob/v0.15.1/CHANGELOG.md

Signed-off-by: GitHub <noreply@github.com>
2021-06-18 13:44:52 +00:00
Hidde Beydals b7c6db74d2 Merge pull request #1542 from fluxcd/update-deps
Update source-controller to v0.15.1
2021-06-18 15:21:57 +02:00
Hidde Beydals 4f7b040405 Update source-controller to v0.15.1
This includes an introduction of a `--pass-credentials` flag for the
`flux create source helm` command to allow configuring the new
option introduced.

Signed-off-by: Hidde Beydals <hello@hidde.co>
2021-06-18 15:04:48 +02:00
Stefan Prodan 34ca29830e Merge pull request #1540 from fluxcd/e2e-arm64
Run conformance tests on ARM64 Kubernetes clusters
2021-06-18 14:14:39 +03:00
Stefan Prodan 78f1b634fa Run end-to-end tests on Ampere ARM64
GitHub self-hosted runner info:
- Owner: Stefan Prodan
- VM: Oracle Cloud VM.Standard.A1.Flex 4CPU 24GB RAM
- OS: Linux 5.4.0-1045-oracle #49-Ubuntu SMP aarch64
- Packages: docker, kind, kubectl, kustomize

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-06-18 13:07:58 +03:00
Stefan Prodan 044bc64ad9 Merge pull request #1528 from NissesSenap/bug/arc-sync
Remove resourceNames in integration secrets
2021-06-18 10:25:22 +03:00
Edvin N 091f439498 Merge branch 'main' into bug/arc-sync 2021-06-18 08:47:58 +02:00
Stefan Prodan a17b0a1ce0 Merge pull request #1535 from fluxcd/update-components
Update source-controller to v0.15.0
2021-06-17 20:29:52 +03:00
fluxcdbot 354cd5e177 Update toolkit components
- source-controller to v0.15.0
  https://github.com/fluxcd/source-controller/blob/v0.15.0/CHANGELOG.md

Signed-off-by: GitHub <noreply@github.com>
2021-06-17 17:05:08 +00:00
Stefan Prodan 4e8f1221f7 Merge pull request #1534 from fluxcd/skip-deploy-key-prompt
Allow disabling the deploy key prompt for bootstrap git
2021-06-17 16:49:00 +03:00
Stefan Prodan 6b179aa7d9 Allow disabling the deploy key prompt for bootstrap git
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-06-17 15:20:49 +03:00
Edvin Norling f748114dfa Remove resourceNames in integration secrets
* Solves #1524
* We remove resourceName due to the following:
  Note: You cannot restrict create or deletecollection requests by resourceName.
  For create, this limitation is because the object name is not known at authorization time.
* Fix typo in azure-registry cronjob
Signed-off-by: Edvin Norling <edvin.norling@xenit.se>
2021-06-16 14:45:30 +02:00
Stefan Prodan 5de83f015a Merge pull request #1519 from fluxcd/kustomize-v4
Update to Kustomize v4
2021-06-15 11:40:49 +03:00
Stefan Prodan a6620e478a Update to Kustomize v4
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-06-15 11:25:57 +03:00
Stefan Prodan c7fcffdd8e Merge pull request #1490 from fluxcd/update-components
Update toolkit components
2021-06-14 18:22:15 +03:00
fluxcdbot 160f59a984 Update toolkit components
- helm-controller to v0.11.0
  https://github.com/fluxcd/helm-controller/blob/v0.11.0/CHANGELOG.md
- kustomize-controller to v0.13.0
  https://github.com/fluxcd/kustomize-controller/blob/v0.13.0/CHANGELOG.md
- source-controller to v0.14.0
  https://github.com/fluxcd/source-controller/blob/v0.14.0/CHANGELOG.md
- notification-controller to v0.15.0
  https://github.com/fluxcd/notification-controller/blob/v0.15.0/CHANGELOG.md
- image-reflector-controller to v0.10.0
  https://github.com/fluxcd/image-reflector-controller/blob/v0.10.0/CHANGELOG.md
- image-automation-controller to v0.12.0
  https://github.com/fluxcd/image-automation-controller/blob/v0.12.0/CHANGELOG.md

Signed-off-by: GitHub <noreply@github.com>
2021-06-14 15:02:31 +00:00
Stefan Prodan d38d487c2a Merge pull request #1505 from fluxcd/fix-yq-example
Fix yq example for create secret git
2021-06-11 14:00:44 +03:00
Stefan Prodan db28907543 Fix yq example for create secret git
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-06-11 12:58:46 +03:00
Stefan Prodan c4261399b5 Merge pull request #1472 from fluxcd/go-git-v5.4.2
Update go-git to v5.4.2
2021-06-02 20:58:39 +03:00
Stefan Prodan b4edb46269 Update go-git to v5.4.2
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-06-02 20:20:02 +03:00
Stefan Prodan a20ed0e630 Merge pull request #1471 from fluxcd/update-components
Update toolkit components
2021-06-02 20:17:46 +03:00
fluxcdbot cea869e285 Update toolkit components
- kustomize-controller to v0.12.2
  https://github.com/fluxcd/kustomize-controller/blob/v0.12.2/CHANGELOG.md
- source-controller to v0.13.2
  https://github.com/fluxcd/source-controller/blob/v0.13.2/CHANGELOG.md
- image-automation-controller to v0.11.0
  https://github.com/fluxcd/image-automation-controller/blob/v0.11.0/CHANGELOG.md

Signed-off-by: GitHub <noreply@github.com>
2021-06-02 16:46:24 +00:00
Stefan Prodan e12db14d1e Merge pull request #1469 from stealthybox/integrations-fixes
Fix and Refactor integrations
2021-06-02 18:38:47 +03:00
leigh capili 296bf3cc6c Fix eventhub integration config patches
Signed-off-by: leigh capili <leigh@null.net>
2021-06-01 14:42:02 -06:00
leigh capili 1789aa180d Remove unused kustomizeconfigs from integrations
Signed-off-by: leigh capili <leigh@null.net>
2021-06-01 14:42:02 -06:00
leigh capili bd255800db Template AzureIdentityBinding using $(AZ_IDENTITY_NAME) for integrations
Signed-off-by: leigh capili <leigh@null.net>
2021-06-01 14:42:02 -06:00
leigh capili 1355962b3c Fix GCP integration container image
Signed-off-by: leigh capili <leigh@null.net>
2021-06-01 14:42:01 -06:00
leigh capili bb0114e379 Remove per-cloud /kbin/kubectl patches
Signed-off-by: leigh capili <leigh@null.net>
2021-06-01 14:42:01 -06:00
leigh capili f9622a5b9e Add /kbin/kubectl to _base integrations
Signed-off-by: leigh capili <leigh@null.net>
2021-06-01 14:42:01 -06:00
leigh capili 3a74fcd75c Add Makefile to test integrations
Signed-off-by: leigh capili <leigh@null.net>
2021-06-01 14:42:00 -06:00
Stefan Prodan 7265276cc2 Merge pull request #1454 from fluxcd/gofish
Add GoFish as an install option for Flux CLI
2021-05-28 13:08:47 +03:00
Stefan Prodan b98027b528 Add GoFish as an install option for Flux CLI
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-05-28 12:57:02 +03:00
Stefan Prodan b6ae7d2cdd Merge pull request #1453 from fluxcd/update-components
Update source-controller to v0.13.1
2021-05-28 12:49:09 +03:00
fluxcdbot aa887c61c3 Update toolkit components
- source-controller to v0.13.1
  https://github.com/fluxcd/source-controller/blob/v0.13.1/CHANGELOG.md

Signed-off-by: GitHub <noreply@github.com>
2021-05-28 09:30:21 +00:00
Hidde Beydals 700cef0989 Merge pull request #1349 from fluxcd/fix-throttling
Avoid throttling when some Flux CRDs are not registered
2021-05-26 17:42:22 +02:00
Stefan Prodan 3ed3e553e7 Avoid throttling when some Flux CRDs are not registered
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-05-26 18:29:04 +03:00
Hidde Beydals d68158ddc9 Merge pull request #1408 from fluxcd/update-components
Update toolkit components
2021-05-26 17:06:31 +02:00
fluxcdbot 9f83a69242 Update toolkit components
- kustomize-controller to v0.12.1
  https://github.com/fluxcd/kustomize-controller/blob/v0.12.1/CHANGELOG.md
- source-controller to v0.13.0
  https://github.com/fluxcd/source-controller/blob/v0.13.0/CHANGELOG.md
- notification-controller to v0.14.1
  https://github.com/fluxcd/notification-controller/blob/v0.14.1/CHANGELOG.md
- image-automation-controller to v0.10.0
  https://github.com/fluxcd/image-automation-controller/blob/v0.10.0/CHANGELOG.md

Signed-off-by: GitHub <noreply@github.com>
2021-05-26 14:53:26 +00:00
Hidde Beydals bf69dbd43d Merge pull request #1449 from fluxcd/update-go-git
Update go-git to v5.4.1
2021-05-26 16:15:36 +02:00
Hidde Beydals 465ea5ccfd Update go-git to v5.4.1
Signed-off-by: Hidde Beydals <hello@hidde.co>
2021-05-26 15:56:50 +02:00
Stefan Prodan 92ef39e2ad Merge pull request #1411 from NissesSenap/feature/azure-eventhub
Add example manifests for Azure eventhub credentials renewal
2021-05-25 16:35:12 +03:00
Edvin Norling 0404790df9 How to automatically renew Azure eventhub
To use JWT to communicate with Azure eventhub we need to renew the JWT credentials
from time to time. This example yaml helps out with that
* Supports both deployment and cronjob based renewal
  * static service principal
  * aad-pod-identity in azure

Signed-off-by: Edvin Norling <edvin.norling@xenit.se>
2021-05-25 13:43:18 +02:00
Stefan Prodan f880e93df4 Merge pull request #1415 from allymparker/main
Fix service account name in registry-credentials-sync deployment kustomization
2021-05-14 20:06:59 +03:00
Ally Parker 4697b1101d Fix service account
Signed-off-by: Ally Parker <ally.parker@red-gate.com>
2021-05-14 16:40:30 +01:00
Stefan Prodan 50ff2accd2 Merge pull request #1412 from fluxcd/enable-crd-upgrades
Enable CRDs upgrade for kube-prometheus-stack
2021-05-12 19:06:49 +03:00
Stefan Prodan c7d876eb8f Enable CRDs upgrade for kube-prometheus-stack
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-05-12 18:40:00 +03:00
Stefan Prodan eda392dfcd Merge pull request #1399 from SomtochiAma/kube-prometheus
Replace monitoring stack with kube-prometheus-stack
2021-05-12 09:21:34 +03:00
Somtochi Onyekwere 3b91e14f6d Use kube-prometheus-stack for monitoring
Signed-off-by: Somtochi Onyekwere <somtochionyekwere@gmail.com>
2021-05-12 06:53:21 +01:00
72 changed files with 1570 additions and 433 deletions
+109
View File
@@ -0,0 +1,109 @@
name: e2e-arm64
on:
workflow_dispatch:
push:
branches: [ main, update-components ]
jobs:
ampere:
# Runner info
# Owner: Stefan Prodan
# VM: Oracle Cloud VM.Standard.A1.Flex 4CPU 24GB RAM
# OS: Linux 5.4.0-1045-oracle #49-Ubuntu SMP aarch64
# Packages: docker, kind, kubectl, kustomize
runs-on: [self-hosted, Linux, ARM64]
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Setup Go
uses: actions/setup-go@v2
with:
go-version: 1.16.x
- name: Prepare
id: prep
run: |
echo ::set-output name=CLUSTER::arm64-${GITHUB_SHA:0:7}-$(date +%s)
echo ::set-output name=CONTEXT::kind-arm64-${GITHUB_SHA:0:7}-$(date +%s)
- name: Run unit tests
run: make test
- name: Check if working tree is dirty
run: |
if [[ $(git diff --stat) != '' ]]; then
git diff
echo 'run make test and commit changes'
exit 1
fi
- name: Build
run: |
go build -o /tmp/flux ./cmd/flux
- name: Setup Kubernetes Kind
run: |
kind create cluster --name ${{ steps.prep.outputs.CLUSTER }}
- name: flux check --pre
run: |
/tmp/flux check --pre \
--context ${{ steps.prep.outputs.CONTEXT }}
- name: flux install
run: |
/tmp/flux install \
--components-extra=image-reflector-controller,image-automation-controller \
--context ${{ steps.prep.outputs.CONTEXT }}
- name: flux create source git
run: |
/tmp/flux create source git podinfo-gogit \
--git-implementation=go-git \
--url https://github.com/stefanprodan/podinfo \
--tag-semver=">1.0.0" \
--context ${{ steps.prep.outputs.CONTEXT }}
/tmp/flux create source git podinfo-libgit2 \
--git-implementation=libgit2 \
--url https://github.com/stefanprodan/podinfo \
--branch="master" \
--context ${{ steps.prep.outputs.CONTEXT }}
- name: flux create kustomization
run: |
/tmp/flux create kustomization podinfo \
--source=podinfo-gogit \
--path="./deploy/overlays/dev" \
--prune=true \
--interval=5m \
--validation=client \
--health-check="Deployment/frontend.dev" \
--health-check="Deployment/backend.dev" \
--health-check-timeout=3m \
--context ${{ steps.prep.outputs.CONTEXT }}
- name: flux create tenant
run: |
/tmp/flux create tenant dev-team \
--with-namespace=apps \
--context ${{ steps.prep.outputs.CONTEXT }}
- name: flux create helmrelease
run: |
/tmp/flux -n apps create source helm podinfo \
--url https://stefanprodan.github.io/podinfo \
--context ${{ steps.prep.outputs.CONTEXT }}
/tmp/flux -n apps create hr podinfo-helm \
--source=HelmRepository/podinfo \
--chart=podinfo \
--chart-version="6.0.x" \
--service-account=dev-team \
--context ${{ steps.prep.outputs.CONTEXT }}
- name: flux get all
run: |
/tmp/flux get all --all-namespaces \
--context ${{ steps.prep.outputs.CONTEXT }}
- name: flux uninstall
run: |
/tmp/flux uninstall -s \
--context ${{ steps.prep.outputs.CONTEXT }}
- name: Debug failure
if: failure()
run: |
kubectl --context ${{ steps.prep.outputs.CONTEXT }} -n flux-system get all
/tmp/flux logs --all-namespaces
- name: Cleanup
if: always()
run: |
kind delete cluster --name ${{ steps.prep.outputs.CLUSTER }}
+11 -5
View File
@@ -22,13 +22,19 @@ Delivery on top of Kubernetes.
## Flux installation
With Homebrew:
With [Homebrew](https://brew.sh) for macOS and Linux:
```sh
brew install fluxcd/tap/flux
```
With Bash:
With [GoFish](https://gofi.sh) for Windows, macOS and Linux:
```sh
gofish install flux
```
With Bash for macOS and Linux:
```sh
curl -s https://fluxcd.io/install.sh | sudo bash
@@ -46,10 +52,10 @@ Arch Linux (AUR) packages:
- [flux-scm](https://aur.archlinux.org/packages/flux-scm): build the latest
(unstable) version from source code from our git `main` branch
Binaries for macOS, Windows and Linux AMD64/ARM are available to download on the
[release page](https://github.com/fluxcd/flux2/releases).
Binaries for macOS AMD64/ARM64, Linux AMD64/ARM/ARM64 and Windows are available to
download on the [release page](https://github.com/fluxcd/flux2/releases).
A container image with `kubectl` and `flux` is available on Docker Hub and GitHub:
A multi-arch container image with `kubectl` and `flux` is available on Docker Hub and GitHub:
* `docker.io/fluxcd/flux-cli:<version>`
* `ghcr.io/fluxcd/flux-cli:<version>`
+13 -22
View File
@@ -30,7 +30,6 @@ import (
"github.com/go-git/go-git/v5/plumbing/transport/ssh"
"github.com/manifoldco/promptui"
"github.com/spf13/cobra"
cryptossh "golang.org/x/crypto/ssh"
corev1 "k8s.io/api/core/v1"
"github.com/fluxcd/flux2/internal/bootstrap"
@@ -70,6 +69,7 @@ type gitFlags struct {
path flags.SafeRelativePath
username string
password string
silent bool
}
var gitArgs gitFlags
@@ -80,6 +80,7 @@ func init() {
bootstrapGitCmd.Flags().Var(&gitArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
bootstrapGitCmd.Flags().StringVarP(&gitArgs.username, "username", "u", "git", "basic authentication username")
bootstrapGitCmd.Flags().StringVarP(&gitArgs.password, "password", "p", "", "basic authentication password")
bootstrapGitCmd.Flags().BoolVarP(&gitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
bootstrapCmd.AddCommand(bootstrapGitCmd)
}
@@ -233,20 +234,7 @@ func transportForURL(u *url.URL) (transport.AuthMethod, error) {
}, nil
case "ssh":
if bootstrapArgs.privateKeyFile != "" {
// TODO(hidde): replace custom logic with https://github.com/go-git/go-git/pull/298
// once made available in go-git release.
bytes, err := ioutil.ReadFile(bootstrapArgs.privateKeyFile)
if err != nil {
return nil, err
}
signer, err := cryptossh.ParsePrivateKey(bytes)
if _, ok := err.(*cryptossh.PassphraseMissingError); ok {
signer, err = cryptossh.ParsePrivateKeyWithPassphrase(bytes, []byte(gitArgs.password))
}
if err != nil {
return nil, err
}
return &ssh.PublicKeys{Signer: signer, User: u.User.Username()}, nil
return ssh.NewPublicKeysFromFile(u.User.Username(), bootstrapArgs.privateKeyFile, gitArgs.password)
}
return nil, nil
default:
@@ -261,13 +249,16 @@ func promptPublicKey(ctx context.Context, secret corev1.Secret, _ sourcesecret.O
}
logger.Successf("public key: %s", strings.TrimSpace(ppk))
prompt := promptui.Prompt{
Label: "Please give the key access to your repository",
IsConfirm: true,
}
_, err := prompt.Run()
if err != nil {
return fmt.Errorf("aborting")
if !gitArgs.silent {
prompt := promptui.Prompt{
Label: "Please give the key access to your repository",
IsConfirm: true,
}
_, err := prompt.Run()
if err != nil {
return fmt.Errorf("aborting")
}
}
return nil
}
+9 -2
View File
@@ -87,7 +87,8 @@ var createHelmReleaseCmd = &cobra.Command{
# Create a HelmRelease targeting another namespace than the resource
flux create hr podinfo \
--target-namespace=default \
--target-namespace=test \
--create-target-namespace=true \
--source=HelmRepository/podinfo \
--chart=podinfo
@@ -113,6 +114,7 @@ type helmReleaseFlags struct {
chart string
chartVersion string
targetNamespace string
createNamespace bool
valuesFiles []string
valuesFrom flags.HelmReleaseValuesFrom
saName string
@@ -128,6 +130,7 @@ func init() {
createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.chartVersion, "chart-version", "", "Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)")
createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.dependsOn, "depends-on", nil, "HelmReleases that must be ready before this release can be installed, supported formats '<name>' and '<namespace>/<name>'")
createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.targetNamespace, "target-namespace", "", "namespace to install this release, defaults to the HelmRelease namespace")
createHelmReleaseCmd.Flags().BoolVar(&helmReleaseArgs.createNamespace, "create-target-namespace", false, "create the target namespace if it does not exist")
createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.saName, "service-account", "", "the name of the service account to impersonate when reconciling this HelmRelease")
createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.valuesFiles, "values", nil, "local path to values.yaml files, also accepts comma-separated values")
createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.valuesFrom, "values-from", helmReleaseArgs.valuesFrom.Description())
@@ -167,6 +170,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
Duration: createArgs.interval,
},
TargetNamespace: helmReleaseArgs.targetNamespace,
Chart: helmv2.HelmChartTemplate{
Spec: helmv2.HelmChartTemplateSpec{
Chart: helmReleaseArgs.chart,
@@ -178,6 +182,9 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
},
},
},
Install: &helmv2.Install{
CreateNamespace: helmReleaseArgs.createNamespace,
},
Suspend: false,
},
}
@@ -187,7 +194,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
}
if helmReleaseArgs.crds != "" {
helmRelease.Spec.Install = &helmv2.Install{CRDs: helmv2.Create}
helmRelease.Spec.Install.CRDs = helmv2.Create
helmRelease.Spec.Upgrade = &helmv2.Upgrade{CRDs: helmv2.CRDsPolicy(helmReleaseArgs.crds.String())}
}
+4 -8
View File
@@ -63,19 +63,15 @@ For Git over HTTP/S, the provided basic authentication credentials are stored in
--username=username \
--password=password
# Create a Git SSH secret on disk and print the deploy key
# Create a Git SSH secret on disk
flux create secret git podinfo-auth \
--url=ssh://git@github.com/stefanprodan/podinfo \
--export > podinfo-auth.yaml
yq read podinfo-auth.yaml 'data."identity.pub"' | base64 --decode
# Create a Git SSH secret on disk and encrypt it with Mozilla SOPS
flux create secret git podinfo-auth \
--namespace=apps \
--url=ssh://git@github.com/stefanprodan/podinfo \
--export > podinfo-auth.yaml
# Print the deploy key
yq eval '.stringData."identity.pub"' podinfo-auth.yaml
# Encrypt the secret on disk with Mozilla SOPS
sops --encrypt --encrypted-regex '^(data|stringData)$' \
--in-place podinfo-auth.yaml`,
RunE: createSecretGitCmdRun,
+11 -7
View File
@@ -66,13 +66,14 @@ For private Helm repositories, the basic authentication credentials are stored i
}
type sourceHelmFlags struct {
url string
username string
password string
certFile string
keyFile string
caFile string
secretRef string
url string
username string
password string
certFile string
keyFile string
caFile string
secretRef string
passCredentials bool
}
var sourceHelmArgs sourceHelmFlags
@@ -85,6 +86,7 @@ func init() {
createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.keyFile, "key-file", "", "TLS authentication key file path")
createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.caFile, "ca-file", "", "TLS authentication CA file path")
createSourceHelmCmd.Flags().StringVarP(&sourceHelmArgs.secretRef, "secret-ref", "", "", "the name of an existing secret containing TLS or basic auth credentials")
createSourceHelmCmd.Flags().BoolVarP(&sourceHelmArgs.passCredentials, "pass-credentials", "", false, "pass credentials to all domains")
createSourceCmd.AddCommand(createSourceHelmCmd)
}
@@ -132,6 +134,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
helmRepository.Spec.SecretRef = &meta.LocalObjectReference{
Name: sourceHelmArgs.secretRef,
}
helmRepository.Spec.PassCredentials = sourceHelmArgs.passCredentials
}
if createArgs.export {
@@ -175,6 +178,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
helmRepository.Spec.SecretRef = &meta.LocalObjectReference{
Name: secretName,
}
helmRepository.Spec.PassCredentials = sourceHelmArgs.passCredentials
logger.Successf("authentication configured")
}
}
+39
View File
@@ -0,0 +1,39 @@
/*
Copyright 2021 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"github.com/spf13/cobra"
)
var encryptCmd = &cobra.Command{
Use: "encrypt",
Short: "Encrypt secrets using SOPS",
Long: "The encrypt sub-commands initialise and manage Secret encryption using SOPS.",
}
type encryptFlags struct {
export bool
}
var encryptArgs encryptFlags
func init() {
encryptCmd.PersistentFlags().BoolVar(&encryptArgs.export, "export", false, "export in YAML format to stdout")
rootCmd.AddCommand(encryptCmd)
}
+113
View File
@@ -0,0 +1,113 @@
/*
Copyright 2021 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"context"
"fmt"
"io/ioutil"
"os"
"path/filepath"
"filippo.io/age"
"github.com/fluxcd/flux2/internal/utils"
"github.com/go-git/go-git/v5"
"github.com/spf13/cobra"
corev1 "k8s.io/api/core/v1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
var encryptInitCmd = &cobra.Command{
Use: "init",
Short: "Init SOPS encryption with age identity",
Long: "The encryption init command creates a new age identity and writes a .sops.yaml file to the current working directory.",
Example: ` # Init SOPS encryption with a new age identity
flux encryption init`,
RunE: encryptInitCmdRun,
}
func init() {
encryptCmd.AddCommand(encryptInitCmd)
}
func encryptInitCmdRun(cmd *cobra.Command, args []string) error {
// Confirm our current path is in a Git repository
path, err := os.Getwd()
if err != nil {
return err
}
if _, err := git.PlainOpen(path); err != nil {
if err == git.ErrRepositoryNotExists {
err = fmt.Errorf("'%s' is not in a Git repository", path)
}
return err
}
// Abort early if .sops.yaml already exists
sopsCfgPath := filepath.Join(path, ".sops.yaml")
if _, err := os.Stat(sopsCfgPath); err == nil || os.IsExist(err) {
return fmt.Errorf("'%s' already contains a .sops.yaml config", path)
}
// Generate a new identity
i, err := age.GenerateX25519Identity()
if err != nil {
return err
}
logger.Successf("Generated identity %s", i.Recipient().String())
// Attempt to configure identity in .sops.yaml
const sopsCfg = `creation_rules:
- path_regex: .*.yaml
encrypted_regex: ^(data|stringData)$
age: %s
`
if err := ioutil.WriteFile(sopsCfgPath, []byte(fmt.Sprintf(sopsCfg, i.Recipient().String())), 0644); err != nil {
logger.Failuref("Failed to write recipient to .sops.yaml file")
return err
}
logger.Successf("Configured recipient in .sops.yaml file")
// Init client
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
defer cancel()
kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
if err != nil {
return err
}
// Create a secret
secret := &corev1.Secret{
ObjectMeta: v1.ObjectMeta{
Name: "sops-age",
Namespace: rootArgs.namespace,
},
StringData: map[string]string{
"flux-auto.age": i.String(),
},
}
if err := kubeClient.Create(ctx, secret); err != nil {
return err
}
logger.Successf(`Secret '%s' with private key created`, secret.Name)
// TODO(hidde): lookup kustomize based on path ref? Do direct cluster mutation? (Preferably not!)
// Feels something is missing in general to provide a user experience improving bridge between "die hard"
// `--export` and "please do not do this" direct-apply-to-cluster.
return nil
}
+19 -19
View File
@@ -3,34 +3,34 @@ module github.com/fluxcd/flux2
go 1.16
require (
filippo.io/age v1.0.0-rc.3
github.com/Masterminds/semver/v3 v3.1.0
github.com/cyphar/filepath-securejoin v0.2.2
github.com/fluxcd/go-git-providers v0.1.1
github.com/fluxcd/helm-controller/api v0.10.1
github.com/fluxcd/image-automation-controller/api v0.9.1
github.com/fluxcd/image-reflector-controller/api v0.9.1
github.com/fluxcd/kustomize-controller/api v0.12.0
github.com/fluxcd/notification-controller/api v0.13.0
github.com/fluxcd/pkg/apis/meta v0.9.0
github.com/fluxcd/pkg/runtime v0.11.0
github.com/fluxcd/helm-controller/api v0.11.1
github.com/fluxcd/image-automation-controller/api v0.12.0
github.com/fluxcd/image-reflector-controller/api v0.10.0
github.com/fluxcd/kustomize-controller/api v0.13.0
github.com/fluxcd/notification-controller/api v0.15.0
github.com/fluxcd/pkg/apis/meta v0.10.0
github.com/fluxcd/pkg/runtime v0.12.0
github.com/fluxcd/pkg/ssh v0.0.5
github.com/fluxcd/pkg/untar v0.0.5
github.com/fluxcd/pkg/version v0.0.1
github.com/fluxcd/source-controller/api v0.12.2
github.com/go-git/go-git/v5 v5.1.0
github.com/fluxcd/source-controller/api v0.15.1
github.com/go-git/go-git/v5 v5.4.2
github.com/google/go-containerregistry v0.2.0
github.com/manifoldco/promptui v0.7.0
github.com/olekukonko/tablewriter v0.0.4
github.com/spf13/cobra v1.1.1
github.com/spf13/cobra v1.1.3
github.com/spf13/pflag v1.0.5
golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0
k8s.io/api v0.20.4
k8s.io/apiextensions-apiserver v0.20.4
k8s.io/apimachinery v0.20.4
k8s.io/cli-runtime v0.20.2 // indirect
k8s.io/client-go v0.20.4
sigs.k8s.io/cli-utils v0.22.2
sigs.k8s.io/controller-runtime v0.8.3
sigs.k8s.io/kustomize/api v0.7.4
golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b
k8s.io/api v0.21.1
k8s.io/apiextensions-apiserver v0.21.1
k8s.io/apimachinery v0.21.1
k8s.io/client-go v0.21.1
sigs.k8s.io/cli-utils v0.25.1-0.20210608181808-f3974341173a
sigs.k8s.io/controller-runtime v0.9.0
sigs.k8s.io/kustomize/api v0.8.10
sigs.k8s.io/yaml v1.2.0
)
+306 -296
View File
File diff suppressed because it is too large Load Diff
+4
View File
@@ -156,6 +156,10 @@ func KubeConfig(kubeConfigPath string, kubeContext string) (*rest.Config, error)
return nil, fmt.Errorf("kubernetes configuration load failed: %w", err)
}
// avoid throttling request when some Flux CRDs are not registered
cfg.QPS = 50
cfg.Burst = 100
return cfg, nil
}
@@ -1,8 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://github.com/fluxcd/helm-controller/releases/download/v0.10.1/helm-controller.crds.yaml
- https://github.com/fluxcd/helm-controller/releases/download/v0.10.1/helm-controller.deployment.yaml
- https://github.com/fluxcd/helm-controller/releases/download/v0.11.1/helm-controller.crds.yaml
- https://github.com/fluxcd/helm-controller/releases/download/v0.11.1/helm-controller.deployment.yaml
- account.yaml
patchesJson6902:
- target:
@@ -1,8 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://github.com/fluxcd/image-automation-controller/releases/download/v0.9.1/image-automation-controller.crds.yaml
- https://github.com/fluxcd/image-automation-controller/releases/download/v0.9.1/image-automation-controller.deployment.yaml
- https://github.com/fluxcd/image-automation-controller/releases/download/v0.12.0/image-automation-controller.crds.yaml
- https://github.com/fluxcd/image-automation-controller/releases/download/v0.12.0/image-automation-controller.deployment.yaml
- account.yaml
patchesJson6902:
- target:
@@ -1,8 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.9.1/image-reflector-controller.crds.yaml
- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.9.1/image-reflector-controller.deployment.yaml
- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.10.0/image-reflector-controller.crds.yaml
- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.10.0/image-reflector-controller.deployment.yaml
- account.yaml
patchesJson6902:
- target:
@@ -1,8 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://github.com/fluxcd/kustomize-controller/releases/download/v0.12.0/kustomize-controller.crds.yaml
- https://github.com/fluxcd/kustomize-controller/releases/download/v0.12.0/kustomize-controller.deployment.yaml
- https://github.com/fluxcd/kustomize-controller/releases/download/v0.13.0/kustomize-controller.crds.yaml
- https://github.com/fluxcd/kustomize-controller/releases/download/v0.13.0/kustomize-controller.deployment.yaml
- account.yaml
patchesJson6902:
- target:
@@ -1,8 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://github.com/fluxcd/notification-controller/releases/download/v0.13.0/notification-controller.crds.yaml
- https://github.com/fluxcd/notification-controller/releases/download/v0.13.0/notification-controller.deployment.yaml
- https://github.com/fluxcd/notification-controller/releases/download/v0.15.0/notification-controller.crds.yaml
- https://github.com/fluxcd/notification-controller/releases/download/v0.15.0/notification-controller.deployment.yaml
- account.yaml
patchesJson6902:
- target:
@@ -1,8 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://github.com/fluxcd/source-controller/releases/download/v0.12.2/source-controller.crds.yaml
- https://github.com/fluxcd/source-controller/releases/download/v0.12.2/source-controller.deployment.yaml
- https://github.com/fluxcd/source-controller/releases/download/v0.15.1/source-controller.crds.yaml
- https://github.com/fluxcd/source-controller/releases/download/v0.15.1/source-controller.deployment.yaml
- account.yaml
patchesJson6902:
- target:
+6 -6
View File
@@ -1,9 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://github.com/fluxcd/source-controller/releases/download/v0.12.2/source-controller.crds.yaml
- https://github.com/fluxcd/kustomize-controller/releases/download/v0.12.0/kustomize-controller.crds.yaml
- https://github.com/fluxcd/helm-controller/releases/download/v0.10.1/helm-controller.crds.yaml
- https://github.com/fluxcd/notification-controller/releases/download/v0.13.0/notification-controller.crds.yaml
- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.9.1/image-reflector-controller.crds.yaml
- https://github.com/fluxcd/image-automation-controller/releases/download/v0.9.1/image-automation-controller.crds.yaml
- https://github.com/fluxcd/source-controller/releases/download/v0.15.1/source-controller.crds.yaml
- https://github.com/fluxcd/kustomize-controller/releases/download/v0.13.0/kustomize-controller.crds.yaml
- https://github.com/fluxcd/helm-controller/releases/download/v0.11.1/helm-controller.crds.yaml
- https://github.com/fluxcd/notification-controller/releases/download/v0.15.0/notification-controller.crds.yaml
- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.10.0/image-reflector-controller.crds.yaml
- https://github.com/fluxcd/image-automation-controller/releases/download/v0.12.0/image-automation-controller.crds.yaml
+14
View File
@@ -0,0 +1,14 @@
bases := $(shell dirname $(shell find | grep kustomization.yaml | sort))
all: $(bases)
permutations := $(bases) $(addsuffix /,$(bases))
.PHONY: $(permutations)
$(permutations):
@echo $@
@warnings=$$(kustomize build $@ -o /dev/null 2>&1); \
if [ "$$warnings" ]; then \
echo "$$warnings"; \
false; \
fi
@@ -0,0 +1,32 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: credentials-sync-eventhub
namespace: flux-system
spec:
template:
spec:
initContainers:
- image: bitnami/kubectl
securityContext:
privileged: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
name: copy-kubectl
# it's okay to do this because kubectl is a statically linked binary
command:
- sh
- -ceu
- cp $(which kubectl) /kbin/
resources: {}
volumeMounts:
- name: kbin
mountPath: /kbin
containers:
- name: sync
volumeMounts:
- name: kbin
mountPath: /kbin
volumes:
- name: kbin
emptyDir: {}
@@ -0,0 +1,23 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
app: credentials-sync-eventhub
resources:
- sync.yaml
patchesStrategicMerge:
- kubectl-patch.yaml
vars:
- name: KUBE_SECRET
objref:
kind: ConfigMap
name: credentials-sync-eventhub
apiVersion: v1
fieldref:
fieldpath: data.KUBE_SECRET
configurations:
- kustomizeconfig.yaml
@@ -0,0 +1,3 @@
varReference:
- path: rules/resourceNames
kind: Role
@@ -0,0 +1,133 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: credentials-sync-eventhub
data:
# Patch this ConfigMap with additional values needed for your cloud
KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
ADDRESS: "fluxv2" # the Azure Event Hub name
SYNC_PERIOD: "3600" # tokens expire; refresh faster than that
---
# This Deployment frequently fetches registry tokens and applies them as an imagePullSecret.
# It's done as a 1-replica Deployment rather than a CronJob, because CronJob scheduling can
# block cluster bootstraps and cold-reboots from obtaining registry tokens for a considerable time.
# This deployment will immediately fetch a token, which reduces latency for working image updates.
apiVersion: apps/v1
kind: Deployment
metadata:
name: credentials-sync-eventhub
namespace: flux-system
spec:
replicas: 1
strategy:
type: Recreate
template:
spec:
serviceAccountName: credentials-sync-eventhub
securityContext:
runAsNonRoot: true
runAsUser: 1001
containers:
- image: busybox # override this with a cloud-specific image
name: sync
envFrom:
- configMapRef:
name: credentials-sync-eventhub
env:
- name: RECONCILE_SH # override this env var with a shell function in a kustomize patch
value: |-
reconcile() {
echo reconciling...
}
command:
- bash
- -ceu
- |-
# template reconcile() into the script
# env var is expanded by k8s before the pod starts
$(RECONCILE_SH)
apply-secret() {
/kbin/kubectl create secret generic "${1}" \
--from-literal=token="${2}" \
--from-literal=address="${3}" \
--dry-run=client -o=yaml \
| grep -v "creationTimestamp:" \
| /kbin/kubectl apply -f -
}
pause_loop() {
sleep "${SYNC_PERIOD:-3600}" || true
}
graceful_exit() {
echo "Trapped signal -- $(date)"
job_ids="$(
jobs \
| grep "pause_loop" \
| cut -d] -f1 \
| tr [ %
)"
# shellcheck disable=SC2086
if [ "${job_ids}" ]; then
kill ${job_ids}
fi
wait
echo "Graceful exit -- $(date)"
}
trap graceful_exit INT TERM
echo "Loop started (period: ${SYNC_PERIOD} s) -- $(date)"
while true; do
reconcile & wait $!
pause_loop & wait $!
done
resources: {}
volumeMounts:
- mountPath: /.azure
name: cache-volume
volumes:
- emptyDir: {}
name: cache-volume
# RBAC necessary for our Deployment to apply our secret that will store the JWT token
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: credentials-sync-eventhub
namespace: flux-system
rules:
- apiGroups: [""]
resources:
- secrets
verbs:
- get
- create
- update
- patch
# Lock this down to the specific Secret name (Optional)
#resourceNames:
# - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: credentials-sync-eventhub
namespace: flux-system
subjects:
- kind: ServiceAccount
name: credentials-sync-eventhub
roleRef:
kind: Role
name: credentials-sync-eventhub
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: credentials-sync-eventhub
namespace: flux-system
@@ -1,7 +1,7 @@
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: credentials-sync
name: credentials-sync-eventhub
namespace: flux-system
spec:
jobTemplate:
@@ -0,0 +1,23 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
app: credentials-sync-eventhub
resources:
- sync.yaml
patchesStrategicMerge:
- kubectl-patch.yaml
vars:
- name: KUBE_SECRET
objref:
kind: ConfigMap
name: credentials-sync-eventhub
apiVersion: v1
fieldref:
fieldpath: data.KUBE_SECRET
configurations:
- kustomizeconfig.yaml
@@ -0,0 +1,3 @@
varReference:
- path: rules/resourceNames
kind: Role
@@ -0,0 +1,109 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: credentials-sync-eventhub
data:
# Patch this ConfigMap with additional values needed for your cloud
KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
ADDRESS: "fluxv2" # the Azure Event Hub name
---
# This CronJob frequently fetches registry tokens and applies them as an imagePullSecret.
# note: CronJob scheduling can block cluster bootstraps and cold-reboots from obtaining registry tokens for a considerable time.
# To run the job immediately, do `kubectl create job --from=cronjob/credentials-sync-eventhub -n flux-system credentials-sync-eventhub-init`
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: credentials-sync-eventhub
namespace: flux-system
spec:
suspend: false
schedule: 0 */6 * * *
failedJobsHistoryLimit: 1
successfulJobsHistoryLimit: 1
jobTemplate:
spec:
template:
spec:
serviceAccountName: credentials-sync-eventhub
securityContext:
runAsNonRoot: true
runAsUser: 1001
restartPolicy: Never
containers:
- image: busybox # override this with a cloud-specific image
name: sync
envFrom:
- configMapRef:
name: credentials-sync-eventhub
env:
- name: RECONCILE_SH # override this env var with a shell function in a kustomize patch
value: |-
reconcile() {
echo reconciling...
}
command:
- bash
- -ceu
- |-
# template reconcile() into the script
# env var is expanded by k8s before the pod starts
$(RECONCILE_SH)
apply-secret() {
/kbin/kubectl create secret generic "${1}" \
--from-literal=token="${2}" \
--from-literal=address="${3}" \
--dry-run=client -o=yaml \
| grep -v "creationTimestamp:" \
| /kbin/kubectl apply -f -
}
reconcile
resources: {}
volumeMounts:
- mountPath: /.azure
name: cache-volume
volumes:
- emptyDir: {}
name: cache-volume
# RBAC necessary for our Deployment to apply our secret that will store the JWT token
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: credentials-sync-eventhub
namespace: flux-system
rules:
- apiGroups: [""]
resources:
- secrets
verbs:
- get
- create
- update
- patch
# Lock this down to the specific Secret name (Optional)
resourceNames:
- $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: credentials-sync-eventhub
namespace: flux-system
subjects:
- kind: ServiceAccount
name: credentials-sync-eventhub
roleRef:
kind: Role
name: credentials-sync-eventhub
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: credentials-sync-eventhub
namespace: flux-system
@@ -0,0 +1,16 @@
# This is a stub resource patched by config-patches.yaml, so that all config is visible in one file
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
name: lab # if this is changed, also change in config-patches.yaml
namespace: flux-system
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
name: lab
namespace: flux-system
spec:
azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
@@ -0,0 +1,41 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: credentials-sync-eventhub
data:
KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
ADDRESS: "fluxv2" # the Azure Event Hub name
# Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub):
# az identity create -n eventhub-write
# az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)"
# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
# az identity show -n eventhub-write -otsv --query clientId
# az identity show -n eventhub-write -otsv --query resourceId
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
name: lab
namespace: flux-system
spec:
clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write
type: 0
# Set the reconcile period + specify the pod-identity via the aadpodidbinding label
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: credentials-sync-eventhub
namespace: flux-system
spec:
schedule: 0 * * * * # JWT tokens expire every 24 hours; refresh faster than that
jobTemplate:
spec:
template:
metadata:
labels:
aadpodidbinding: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
@@ -0,0 +1,27 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namePrefix: jwt-
commonLabels:
app: jwt-eventhub-credentials-sync
namespace: flux-system
bases:
- ../_base
resources:
- az-identity.yaml
patchesStrategicMerge:
- config-patches.yaml
- reconcile-patch.yaml
vars:
- name: AZ_IDENTITY_NAME
objref:
kind: AzureIdentity
name: lab
apiVersion: aadpodidentity.k8s.io/v1
configurations:
- kustomizeconfig.yaml
@@ -0,0 +1,7 @@
varReference:
- path: spec/jobTemplate/spec/template/metadata/labels
kind: CronJob
- path: spec/azureIdentity
kind: AzureIdentityBinding
- path: spec/selector
kind: AzureIdentityBinding
@@ -0,0 +1,27 @@
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: credentials-sync-eventhub
namespace: flux-system
spec:
jobTemplate:
spec:
template:
spec:
containers:
- name: sync
image: mcr.microsoft.com/azure-cli
env:
- name: RECONCILE_SH
value: |-
reconcile() {
echo "Starting JWT token sync -- $(date)"
echo "Logging into Azure"
az login --identity
echo "Getting JWT token"
token=$(az account get-access-token --resource https://eventhubs.azure.net |jq -r .accessToken)
echo "Creating secret: ${KUBE_SECRET}"
apply-secret "${KUBE_SECRET}" ${token} "${ADDRESS}"
echo "Finished JWT token sync -- $(date)"
echo
}
@@ -0,0 +1,15 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: credentials-sync-eventhub
data:
KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
ADDRESS: "fluxv2" # the Azure Event Hub name
# Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub):
# az identity create -n eventhub-write
# az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)"
# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
# az identity show -n eventhub-write -otsv --query clientId
# az identity show -n eventhub-write -otsv --query resourceId
@@ -0,0 +1,17 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namePrefix: jwt-
commonLabels:
app: jwt-eventhub-credentials-sync
namespace: flux-system
bases:
- ../_base
resources:
- secret-azure-credentials.yaml
patchesStrategicMerge:
- config-patches.yaml
- reconcile-patch.yaml
@@ -0,0 +1,42 @@
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: credentials-sync-eventhub
namespace: flux-system
spec:
jobTemplate:
spec:
template:
spec:
containers:
- name: sync
image: mcr.microsoft.com/azure-cli
env:
- name: RECONCILE_SH
value: |-
reconcile() {
echo "Starting JWT token sync -- $(date)"
echo "Logging into Azure"
az login --service-principal -u ${AZURE_CLIENT_ID} -p ${AZURE_CLIENT_SECRET} --tenant ${AZURE_TENANT_ID}
echo "Getting JWT token"
token=$(az account get-access-token --resource https://eventhubs.azure.net |jq -r .accessToken)
echo "Creating secret: ${KUBE_SECRET}"
apply-secret "${KUBE_SECRET}" ${token} "${ADDRESS}"
echo "Finished JWT token sync -- $(date)"
echo
}
- name: AZURE_CLIENT_ID
valueFrom:
secretKeyRef:
name: azure-credentials
key: AZURE_CLIENT_ID
- name: AZURE_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: azure-credentials
key: AZURE_CLIENT_SECRET
- name: AZURE_TENANT_ID
valueFrom:
secretKeyRef:
name: azure-credentials
key: AZURE_TENANT_ID
@@ -0,0 +1,14 @@
apiVersion: v1
data:
AZURE_CLIENT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA==
AZURE_CLIENT_SECRET: c28tbXVjaC1zZWNyZXQ=
AZURE_TENANT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA==
kind: Secret
metadata:
name: azure-credentials
namespace: flux-system
type: Opaque
# This is just a example secret, you should never store secrets in git.
# One way forward can be to use sealed-secrets or SOPS
# https://fluxcd.io/docs/guides/sealed-secrets/
# https://fluxcd.io/docs/guides/mozilla-sops/
@@ -0,0 +1,16 @@
# This is a stub resource patched by config-patches.yaml, so that all config is visible in one file
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
name: lab # if this is changed, also change in config-patches.yaml
namespace: flux-system
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
name: lab # this can have a different name, but it's nice to keep them the same
namespace: flux-system
spec:
azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
@@ -0,0 +1,39 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: credentials-sync-eventhub
data:
KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
ADDRESS: "fluxv2" # the Azure Event Hub name
SYNC_PERIOD: "3600" # tokens expire; refresh faster than that
# Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub):
# az identity create -n eventhub-write
# az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)"
# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
# az identity show -n eventhub-write -otsv --query clientId
# az identity show -n eventhub-write -otsv --query resourceId
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
name: lab
namespace: flux-system
spec:
clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write
type: 0
# Specify the pod-identity via the aadpodidbinding label
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: credentials-sync-eventhub
namespace: flux-system
spec:
template:
metadata:
labels:
aadpodidbinding: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
@@ -0,0 +1,27 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namePrefix: jwt-
commonLabels:
app: jwt-eventhub-credentials-sync
namespace: flux-system
bases:
- ../_base
resources:
- az-identity.yaml
patchesStrategicMerge:
- config-patches.yaml
- reconcile-patch.yaml
vars:
- name: AZ_IDENTITY_NAME
objref:
kind: AzureIdentity
name: lab
apiVersion: aadpodidentity.k8s.io/v1
configurations:
- kustomizeconfig.yaml
@@ -0,0 +1,7 @@
varReference:
- path: spec/template/metadata/labels
kind: Deployment
- path: spec/azureIdentity
kind: AzureIdentityBinding
- path: spec/selector
kind: AzureIdentityBinding
@@ -0,0 +1,26 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: credentials-sync-eventhub
namespace: flux-system
spec:
template:
spec:
containers:
- name: sync
image: mcr.microsoft.com/azure-cli
env:
- name: RECONCILE_SH
value: |-
reconcile() {
echo "Starting JWT token sync -- $(date)"
echo "Logging into Azure"
az login --identity
echo "Getting JWT token"
token=$(az account get-access-token --resource https://eventhubs.azure.net |jq -r .accessToken)
echo "Creating secret: ${KUBE_SECRET}"
apply-secret "${KUBE_SECRET}" ${token} "${ADDRESS}"
echo "Finished JWT token sync -- $(date)"
echo
}
@@ -0,0 +1,17 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: credentials-sync-eventhub
data:
KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
ADDRESS: "fluxv2" # the Azure Event Hub name
SYNC_PERIOD: "3600" # tokens expire; refresh faster than that
# Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub):
# az identity create -n eventhub-write
# az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)"
# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
# az identity show -n eventhub-write -otsv --query clientId
# az identity show -n eventhub-write -otsv --query resourceId
# Specify the pod-identity via the aadpodidbinding label
@@ -0,0 +1,17 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namePrefix: jwt-
commonLabels:
app: jwt-eventhub-credentials-sync
namespace: flux-system
bases:
- ../_base
resources:
- secret-azure-credentials.yaml
patchesStrategicMerge:
- config-patches.yaml
- reconcile-patch.yaml
@@ -0,0 +1,41 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: credentials-sync-eventhub
namespace: flux-system
spec:
template:
spec:
containers:
- name: sync
image: mcr.microsoft.com/azure-cli
env:
- name: RECONCILE_SH
value: |-
reconcile() {
echo "Starting JWT token sync -- $(date)"
echo "Logging into Azure"
az login --service-principal -u ${AZURE_CLIENT_ID} -p ${AZURE_CLIENT_SECRET} --tenant ${AZURE_TENANT_ID}
echo "Getting JWT token"
token=$(az account get-access-token --resource https://eventhubs.azure.net |jq -r .accessToken)
echo "Creating secret: ${KUBE_SECRET}"
apply-secret "${KUBE_SECRET}" ${token} "${ADDRESS}"
echo "Finished JWT token sync -- $(date)"
echo
}
- name: AZURE_CLIENT_ID
valueFrom:
secretKeyRef:
name: azure-credentials
key: AZURE_CLIENT_ID
- name: AZURE_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: azure-credentials
key: AZURE_CLIENT_SECRET
- name: AZURE_TENANT_ID
valueFrom:
secretKeyRef:
name: azure-credentials
key: AZURE_TENANT_ID
@@ -0,0 +1,14 @@
apiVersion: v1
data:
AZURE_CLIENT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA==
AZURE_CLIENT_SECRET: c28tbXVjaC1zZWNyZXQ=
AZURE_TENANT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA==
kind: Secret
metadata:
name: azure-credentials
namespace: flux-system
type: Opaque
# This is just a example secret, you should never store secrets in git.
# One way forward can be to use sealed-secrets or SOPS
# https://fluxcd.io/docs/guides/sealed-secrets/
# https://fluxcd.io/docs/guides/mozilla-sops/
@@ -7,6 +7,9 @@ commonLabels:
resources:
- sync.yaml
patchesStrategicMerge:
- kubectl-patch.yaml
vars:
- name: KUBE_SECRET
objref:
@@ -24,7 +24,7 @@ spec:
type: Recreate
template:
spec:
serviceAccount: credentials-sync
serviceAccountName: credentials-sync
containers:
- image: busybox # override this with a cloud-specific image
name: sync
@@ -102,8 +102,8 @@ rules:
- update
- patch
# # Lock this down to the specific Secret name (Optional)
resourceNames:
- $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
#resourceNames:
#- $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -7,6 +7,9 @@ commonLabels:
resources:
- sync.yaml
patchesStrategicMerge:
- kubectl-patch.yaml
vars:
- name: KUBE_SECRET
objref:
@@ -49,7 +49,7 @@ spec:
apply-secret() {
/kbin/kubectl create secret docker-registry "${1}" \
--docker-passwrod="${2}" \
--docker-password="${2}" \
--docker-username="${3}" \
--docker-server="${4}" \
--dry-run=client -o=yaml \
@@ -14,7 +14,6 @@ bases:
patchesStrategicMerge:
- config-patches.yaml
- kubectl-patch.yaml
- reconcile-patch.yaml
## uncomment if using encrypted-secret.yaml
@@ -5,3 +5,12 @@ kind: AzureIdentity
metadata:
name: credentials-sync # if this is changed, also change in config-patches.yaml
namespace: flux-system
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
name: credentials-sync # this can have a different name, but it's nice to keep them the same
namespace: flux-system
spec:
azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
@@ -14,7 +14,6 @@ resources:
patchesStrategicMerge:
- config-patches.yaml
- kubectl-patch.yaml
- reconcile-patch.yaml
vars:
@@ -1,3 +1,7 @@
varReference:
- path: spec/jobTemplate/spec/template/metadata/labels
kind: Deployment
kind: CronJob
- path: spec/azureIdentity
kind: AzureIdentityBinding
- path: spec/selector
kind: AzureIdentityBinding
@@ -10,7 +10,7 @@ spec:
spec:
containers:
- name: sync
image: aws/aws-cli
image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine
env:
- name: RECONCILE_SH
value: |-
@@ -14,7 +14,6 @@ bases:
patchesStrategicMerge:
- config-patches.yaml
- kubectl-patch.yaml
- reconcile-patch.yaml
## uncomment if using encrypted-secret.yaml
@@ -5,3 +5,12 @@ kind: AzureIdentity
metadata:
name: credentials-sync # if this is changed, also change in config-patches.yaml
namespace: flux-system
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
name: credentials-sync # this can have a different name, but it's nice to keep them the same
namespace: flux-system
spec:
azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
@@ -1,28 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: credentials-sync
namespace: flux-system
spec:
template:
spec:
initContainers:
- image: bitnami/kubectl
name: copy-kubectl
# it's okay to do this because kubectl is a statically linked binary
command:
- sh
- -ceu
- cp $(which kubectl) /kbin/
resources: {}
volumeMounts:
- name: kbin
mountPath: /kbin
containers:
- name: sync
volumeMounts:
- name: kbin
mountPath: /kbin
volumes:
- name: kbin
emptyDir: {}
@@ -14,7 +14,6 @@ resources:
patchesStrategicMerge:
- config-patches.yaml
- kubectl-patch.yaml
- reconcile-patch.yaml
vars:
@@ -1,3 +1,7 @@
varReference:
- path: spec/template/metadata/labels
kind: Deployment
- path: spec/azureIdentity
kind: AzureIdentityBinding
- path: spec/selector
kind: AzureIdentityBinding
@@ -9,7 +9,7 @@ spec:
spec:
containers:
- name: sync
image: aws/aws-cli
image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine
env:
- name: RECONCILE_SH
value: |-
@@ -482,16 +482,20 @@
"job": true,
"kubernetes_namespace": true,
"kubernetes_pod_name": true,
"namespace": true,
"pod_template_hash": true,
"status": true,
"type": true
"type": true,
"pod": true,
"container": true,
"endpoint": true,
"exported_namespace": true
},
"indexByName": {},
"renameByName": {
"Value": "Status",
"kind": "Kind",
"name": "Name"
"name": "Name",
"namespace": "Namespace"
}
}
}
@@ -594,15 +598,19 @@
"job": true,
"kubernetes_namespace": true,
"kubernetes_pod_name": true,
"namespace": true,
"pod_template_hash": true,
"pod": true,
"status": true,
"type": true
"type": true,
"container": true,
"endpoint": true,
"exported_namespace": true
},
"indexByName": {},
"renameByName": {
"Value": "Status",
"kind": "Kind",
"namespace": "Namespace",
"name": "Name"
}
}
@@ -831,7 +839,7 @@
"schemaVersion": 26,
"style": "light",
"tags": [
"gitops-toolkit"
"flux"
],
"templating": {
"list": [
@@ -1356,7 +1356,7 @@
"schemaVersion": 26,
"style": "light",
"tags": [
"gitops-toolkit"
"flux"
],
"templating": {
"list": [
@@ -1424,7 +1424,7 @@
]
},
"timezone": "",
"title": "GitOps Toolkit Control Plane",
"uid": "gitops-toolkit-control-plane",
"title": "Flux Control Plane",
"uid": "flux-control-plane",
"version": 1
}
@@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: monitoring
resources:
- namespace.yaml
- repository.yaml
- release.yaml
@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: monitoring
@@ -0,0 +1,29 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: kube-prometheus-stack
spec:
interval: 5m
chart:
spec:
chart: kube-prometheus-stack
sourceRef:
kind: HelmRepository
name: prometheus-community
interval: 1m
install:
crds: Create
upgrade:
crds: CreateReplace
values:
alertmanager:
enabled: false
grafana:
sidecar:
dashboards:
searchNamespace: ALL
prometheus:
prometheusSpec:
podMonitorSelector:
matchLabels:
app.kubernetes.io/part-of: flux
@@ -0,0 +1,7 @@
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: HelmRepository
metadata:
name: prometheus-community
spec:
interval: 1m
url: https://prometheus-community.github.io/helm-charts
@@ -0,0 +1,13 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: flux-system
resources:
- podmonitor.yaml
configMapGenerator:
- name: flux-grafana-dashboards
files:
- ../grafana/dashboards/control-plane.json
- ../grafana/dashboards/cluster.json
options:
labels:
grafana_dashboard: flux-system
@@ -0,0 +1,24 @@
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: flux-system
namespace: flux-system
labels:
app.kubernetes.io/part-of: flux
spec:
namespaceSelector:
matchNames:
- flux-system
selector:
matchExpressions:
- key: app
operator: In
values:
- helm-controller
- source-controller
- kustomize-controller
- notification-controller
- image-automation-controller
- image-reflector-controller
podMetricsEndpoints:
- targetPort: http-prom
+19 -4
View File
@@ -26,9 +26,11 @@ import (
"path"
"path/filepath"
"strings"
"sync"
"sigs.k8s.io/kustomize/api/filesys"
"sigs.k8s.io/kustomize/api/krusty"
kustypes "sigs.k8s.io/kustomize/api/types"
"github.com/fluxcd/pkg/untar"
)
@@ -113,7 +115,14 @@ func generate(base string, options Options) error {
return nil
}
var kustomizeBuildMutex sync.Mutex
func build(base, output string) error {
// TODO(stefan): temporary workaround for concurrent map read and map write bug
// https://github.com/kubernetes-sigs/kustomize/issues/3659
kustomizeBuildMutex.Lock()
defer kustomizeBuildMutex.Unlock()
kfile := filepath.Join(base, "kustomization.yaml")
fs := filesys.MakeFsOnDisk()
@@ -137,10 +146,16 @@ func build(base, output string) error {
}
}
opt := krusty.MakeDefaultOptions()
opt.DoLegacyResourceSort = true
k := krusty.MakeKustomizer(fs, opt)
m, err := k.Run(base)
buildOptions := &krusty.Options{
DoLegacyResourceSort: true,
LoadRestrictions: kustypes.LoadRestrictionsNone,
AddManagedbyLabel: false,
DoPrune: false,
PluginConfig: kustypes.DisabledPluginConfig(),
}
k := krusty.MakeKustomizer(buildOptions)
m, err := k.Run(fs, base)
if err != nil {
return err
}
@@ -21,8 +21,8 @@ import (
"os"
"path/filepath"
"sigs.k8s.io/kustomize/api/k8sdeps/kunstruct"
"sigs.k8s.io/kustomize/api/konfig"
"sigs.k8s.io/kustomize/api/provider"
kustypes "sigs.k8s.io/kustomize/api/types"
"sigs.k8s.io/yaml"
@@ -35,7 +35,8 @@ func Generate(options Options) (*manifestgen.Manifest, error) {
scan := func(base string) ([]string, error) {
var paths []string
uf := kunstruct.NewKunstructuredFactoryImpl()
pvd := provider.NewDefaultDepProvider()
rf := pvd.GetResourceFactory()
err := options.FileSystem.Walk(base, func(path string, info os.FileInfo, err error) error {
if err != nil {
return err
@@ -58,7 +59,7 @@ func Generate(options Options) (*manifestgen.Manifest, error) {
if err != nil {
return err
}
if _, err := uf.SliceFromBytes(fContents); err != nil {
if _, err := rf.SliceFromBytes(fContents); err != nil {
return nil
}
paths = append(paths, path)