Merge pull request #1544 from fluxcd/create-target-namespace

Add create target namespace arg to helmrelease cmd

.github/workflows/e2e-arm64.yaml

@@ -0,0 +1,109 @@
+name: e2e-arm64
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ main, update-components ]
+
+jobs:
+  ampere:
+    # Runner info
+    # Owner: Stefan Prodan
+    # VM: Oracle Cloud VM.Standard.A1.Flex 4CPU 24GB RAM
+    # OS: Linux 5.4.0-1045-oracle #49-Ubuntu SMP aarch64
+    # Packages: docker, kind, kubectl, kustomize
+    runs-on: [self-hosted, Linux, ARM64]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Setup Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.16.x
+      - name: Prepare
+        id: prep
+        run: |
+          echo ::set-output name=CLUSTER::arm64-${GITHUB_SHA:0:7}-$(date +%s)
+          echo ::set-output name=CONTEXT::kind-arm64-${GITHUB_SHA:0:7}-$(date +%s)
+      - name: Run unit tests
+        run: make test
+      - name: Check if working tree is dirty
+        run: |
+          if [[ $(git diff --stat) != '' ]]; then
+            git diff
+            echo 'run make test and commit changes'
+            exit 1
+          fi
+      - name: Build
+        run: |
+          go build -o /tmp/flux ./cmd/flux
+      - name: Setup Kubernetes Kind
+        run: |
+          kind create cluster --name ${{ steps.prep.outputs.CLUSTER }}
+      - name: flux check --pre
+        run: |
+          /tmp/flux check --pre \
+          --context ${{ steps.prep.outputs.CONTEXT }}
+      - name: flux install
+        run: |
+          /tmp/flux install \
+          --components-extra=image-reflector-controller,image-automation-controller \
+          --context ${{ steps.prep.outputs.CONTEXT }}
+      - name: flux create source git
+        run: |
+          /tmp/flux create source git podinfo-gogit \
+            --git-implementation=go-git \
+            --url https://github.com/stefanprodan/podinfo  \
+            --tag-semver=">1.0.0" \
+            --context ${{ steps.prep.outputs.CONTEXT }}
+          /tmp/flux create source git podinfo-libgit2 \
+            --git-implementation=libgit2 \
+            --url https://github.com/stefanprodan/podinfo  \
+            --branch="master" \
+            --context ${{ steps.prep.outputs.CONTEXT }}
+      - name: flux create kustomization
+        run: |
+          /tmp/flux create kustomization podinfo \
+            --source=podinfo-gogit \
+            --path="./deploy/overlays/dev" \
+            --prune=true \
+            --interval=5m \
+            --validation=client \
+            --health-check="Deployment/frontend.dev" \
+            --health-check="Deployment/backend.dev" \
+            --health-check-timeout=3m \
+            --context ${{ steps.prep.outputs.CONTEXT }}
+      - name: flux create tenant
+        run: |
+          /tmp/flux create tenant dev-team \
+            --with-namespace=apps \
+            --context ${{ steps.prep.outputs.CONTEXT }}
+      - name: flux create helmrelease
+        run: |
+          /tmp/flux -n apps create source helm podinfo \
+            --url https://stefanprodan.github.io/podinfo \
+            --context ${{ steps.prep.outputs.CONTEXT }}
+
+          /tmp/flux -n apps create hr podinfo-helm \
+            --source=HelmRepository/podinfo \
+            --chart=podinfo \
+            --chart-version="6.0.x" \
+            --service-account=dev-team \
+            --context ${{ steps.prep.outputs.CONTEXT }}
+      - name: flux get all
+        run: |
+          /tmp/flux get all --all-namespaces \
+            --context ${{ steps.prep.outputs.CONTEXT }}
+      - name: flux uninstall
+        run: |
+          /tmp/flux uninstall -s \
+            --context ${{ steps.prep.outputs.CONTEXT }}
+      - name: Debug failure
+        if: failure()
+        run: |
+          kubectl --context ${{ steps.prep.outputs.CONTEXT }} -n flux-system get all
+          /tmp/flux logs --all-namespaces
+      - name: Cleanup
+        if: always()
+        run: |
+          kind delete cluster --name ${{ steps.prep.outputs.CLUSTER }}

README.md

@@ -22,13 +22,19 @@ Delivery on top of Kubernetes.
 
 ## Flux installation
 
-With Homebrew:
+With [Homebrew](https://brew.sh) for macOS and Linux:
 
 ```sh
 brew install fluxcd/tap/flux
 ```
 
-With Bash:
+With [GoFish](https://gofi.sh) for Windows, macOS and Linux:
+
+```sh
+gofish install flux
+```
+
+With Bash for macOS and Linux:
 
 ```sh
 curl -s https://fluxcd.io/install.sh | sudo bash
@@ -46,10 +52,10 @@ Arch Linux (AUR) packages:
 - [flux-scm](https://aur.archlinux.org/packages/flux-scm): build the latest
   (unstable) version from source code from our git `main` branch
 
-Binaries for macOS, Windows and Linux AMD64/ARM are available to download on the
-[release page](https://github.com/fluxcd/flux2/releases).
+Binaries for macOS AMD64/ARM64, Linux AMD64/ARM/ARM64 and Windows are available to
+download on the [release page](https://github.com/fluxcd/flux2/releases).
 
-A container image with `kubectl` and `flux` is available on Docker Hub and GitHub:
+A multi-arch container image with `kubectl` and `flux` is available on Docker Hub and GitHub:
 
 * `docker.io/fluxcd/flux-cli:<version>`
 * `ghcr.io/fluxcd/flux-cli:<version>`

cmd/flux/bootstrap_git.go

@@ -69,6 +69,7 @@ type gitFlags struct {
 	path     flags.SafeRelativePath
 	username string
 	password string
+	silent   bool
 }
 
 var gitArgs gitFlags
@@ -79,6 +80,7 @@ func init() {
 	bootstrapGitCmd.Flags().Var(&gitArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
 	bootstrapGitCmd.Flags().StringVarP(&gitArgs.username, "username", "u", "git", "basic authentication username")
 	bootstrapGitCmd.Flags().StringVarP(&gitArgs.password, "password", "p", "", "basic authentication password")
+	bootstrapGitCmd.Flags().BoolVarP(&gitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
 
 	bootstrapCmd.AddCommand(bootstrapGitCmd)
 }
@@ -247,13 +249,16 @@ func promptPublicKey(ctx context.Context, secret corev1.Secret, _ sourcesecret.O
 	}
 
 	logger.Successf("public key: %s", strings.TrimSpace(ppk))
-	prompt := promptui.Prompt{
-		Label:     "Please give the key access to your repository",
-		IsConfirm: true,
-	}
-	_, err := prompt.Run()
-	if err != nil {
-		return fmt.Errorf("aborting")
+
+	if !gitArgs.silent {
+		prompt := promptui.Prompt{
+			Label:     "Please give the key access to your repository",
+			IsConfirm: true,
+		}
+		_, err := prompt.Run()
+		if err != nil {
+			return fmt.Errorf("aborting")
+		}
 	}
 	return nil
 }

cmd/flux/create_helmrelease.go

@@ -87,7 +87,8 @@ var createHelmReleaseCmd = &cobra.Command{
 
   # Create a HelmRelease targeting another namespace than the resource
   flux create hr podinfo \
-    --target-namespace=default \
+    --target-namespace=test \
+    --create-target-namespace=true \
     --source=HelmRepository/podinfo \
     --chart=podinfo
 
@@ -113,6 +114,7 @@ type helmReleaseFlags struct {
 	chart           string
 	chartVersion    string
 	targetNamespace string
+	createNamespace bool
 	valuesFiles     []string
 	valuesFrom      flags.HelmReleaseValuesFrom
 	saName          string
@@ -128,6 +130,7 @@ func init() {
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.chartVersion, "chart-version", "", "Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)")
 	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.dependsOn, "depends-on", nil, "HelmReleases that must be ready before this release can be installed, supported formats '<name>' and '<namespace>/<name>'")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.targetNamespace, "target-namespace", "", "namespace to install this release, defaults to the HelmRelease namespace")
+	createHelmReleaseCmd.Flags().BoolVar(&helmReleaseArgs.createNamespace, "create-target-namespace", false, "create the target namespace if it does not exist")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.saName, "service-account", "", "the name of the service account to impersonate when reconciling this HelmRelease")
 	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.valuesFiles, "values", nil, "local path to values.yaml files, also accepts comma-separated values")
 	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.valuesFrom, "values-from", helmReleaseArgs.valuesFrom.Description())
@@ -167,6 +170,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 				Duration: createArgs.interval,
 			},
 			TargetNamespace: helmReleaseArgs.targetNamespace,
+
 			Chart: helmv2.HelmChartTemplate{
 				Spec: helmv2.HelmChartTemplateSpec{
 					Chart:   helmReleaseArgs.chart,
@@ -178,6 +182,9 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 					},
 				},
 			},
+			Install: &helmv2.Install{
+				CreateNamespace: helmReleaseArgs.createNamespace,
+			},
 			Suspend: false,
 		},
 	}
@@ -187,7 +194,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	if helmReleaseArgs.crds != "" {
-		helmRelease.Spec.Install = &helmv2.Install{CRDs: helmv2.Create}
+		helmRelease.Spec.Install.CRDs = helmv2.Create
 		helmRelease.Spec.Upgrade = &helmv2.Upgrade{CRDs: helmv2.CRDsPolicy(helmReleaseArgs.crds.String())}
 	}
 

cmd/flux/create_secret_git.go

@@ -63,19 +63,15 @@ For Git over HTTP/S, the provided basic authentication credentials are stored in
     --username=username \
     --password=password
 
-  # Create a Git SSH secret on disk and print the deploy key
+  # Create a Git SSH secret on disk
   flux create secret git podinfo-auth \
     --url=ssh://git@github.com/stefanprodan/podinfo \
     --export > podinfo-auth.yaml
 
-  yq read podinfo-auth.yaml 'data."identity.pub"' | base64 --decode
-
-  # Create a Git SSH secret on disk and encrypt it with Mozilla SOPS
-  flux create secret git podinfo-auth \
-    --namespace=apps \
-    --url=ssh://git@github.com/stefanprodan/podinfo \
-    --export > podinfo-auth.yaml
+  # Print the deploy key
+  yq eval '.stringData."identity.pub"' podinfo-auth.yaml
 
+  # Encrypt the secret on disk with Mozilla SOPS
   sops --encrypt --encrypted-regex '^(data|stringData)$' \
     --in-place podinfo-auth.yaml`,
 	RunE: createSecretGitCmdRun,

cmd/flux/create_source_helm.go

@@ -66,13 +66,14 @@ For private Helm repositories, the basic authentication credentials are stored i
 }
 
 type sourceHelmFlags struct {
-	url       string
-	username  string
-	password  string
-	certFile  string
-	keyFile   string
-	caFile    string
-	secretRef string
+	url             string
+	username        string
+	password        string
+	certFile        string
+	keyFile         string
+	caFile          string
+	secretRef       string
+	passCredentials bool
 }
 
 var sourceHelmArgs sourceHelmFlags
@@ -85,6 +86,7 @@ func init() {
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.keyFile, "key-file", "", "TLS authentication key file path")
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.caFile, "ca-file", "", "TLS authentication CA file path")
 	createSourceHelmCmd.Flags().StringVarP(&sourceHelmArgs.secretRef, "secret-ref", "", "", "the name of an existing secret containing TLS or basic auth credentials")
+	createSourceHelmCmd.Flags().BoolVarP(&sourceHelmArgs.passCredentials, "pass-credentials", "", false, "pass credentials to all domains")
 
 	createSourceCmd.AddCommand(createSourceHelmCmd)
 }
@@ -132,6 +134,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		helmRepository.Spec.SecretRef = &meta.LocalObjectReference{
 			Name: sourceHelmArgs.secretRef,
 		}
+		helmRepository.Spec.PassCredentials = sourceHelmArgs.passCredentials
 	}
 
 	if createArgs.export {
@@ -175,6 +178,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 			helmRepository.Spec.SecretRef = &meta.LocalObjectReference{
 				Name: secretName,
 			}
+			helmRepository.Spec.PassCredentials = sourceHelmArgs.passCredentials
 			logger.Successf("authentication configured")
 		}
 	}

go.mod

@@ -6,31 +6,30 @@ require (
 	github.com/Masterminds/semver/v3 v3.1.0
 	github.com/cyphar/filepath-securejoin v0.2.2
 	github.com/fluxcd/go-git-providers v0.1.1
-	github.com/fluxcd/helm-controller/api v0.10.1
-	github.com/fluxcd/image-automation-controller/api v0.10.0
-	github.com/fluxcd/image-reflector-controller/api v0.9.1
-	github.com/fluxcd/kustomize-controller/api v0.12.1
-	github.com/fluxcd/notification-controller/api v0.14.1
-	github.com/fluxcd/pkg/apis/meta v0.9.0
-	github.com/fluxcd/pkg/runtime v0.11.0
+	github.com/fluxcd/helm-controller/api v0.11.1
+	github.com/fluxcd/image-automation-controller/api v0.12.0
+	github.com/fluxcd/image-reflector-controller/api v0.10.0
+	github.com/fluxcd/kustomize-controller/api v0.13.0
+	github.com/fluxcd/notification-controller/api v0.15.0
+	github.com/fluxcd/pkg/apis/meta v0.10.0
+	github.com/fluxcd/pkg/runtime v0.12.0
 	github.com/fluxcd/pkg/ssh v0.0.5
 	github.com/fluxcd/pkg/untar v0.0.5
 	github.com/fluxcd/pkg/version v0.0.1
-	github.com/fluxcd/source-controller/api v0.13.0
-	github.com/go-git/go-git/v5 v5.4.1
+	github.com/fluxcd/source-controller/api v0.15.1
+	github.com/go-git/go-git/v5 v5.4.2
 	github.com/google/go-containerregistry v0.2.0
 	github.com/manifoldco/promptui v0.7.0
 	github.com/olekukonko/tablewriter v0.0.4
-	github.com/spf13/cobra v1.1.1
+	github.com/spf13/cobra v1.1.3
 	github.com/spf13/pflag v1.0.5
 	golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b
-	k8s.io/api v0.20.4
-	k8s.io/apiextensions-apiserver v0.20.4
-	k8s.io/apimachinery v0.20.4
-	k8s.io/cli-runtime v0.20.2 // indirect
-	k8s.io/client-go v0.20.4
-	sigs.k8s.io/cli-utils v0.22.2
-	sigs.k8s.io/controller-runtime v0.8.3
-	sigs.k8s.io/kustomize/api v0.7.4
+	k8s.io/api v0.21.1
+	k8s.io/apiextensions-apiserver v0.21.1
+	k8s.io/apimachinery v0.21.1
+	k8s.io/client-go v0.21.1
+	sigs.k8s.io/cli-utils v0.25.1-0.20210608181808-f3974341173a
+	sigs.k8s.io/controller-runtime v0.9.0
+	sigs.k8s.io/kustomize/api v0.8.10
 	sigs.k8s.io/yaml v1.2.0
 )

manifests/bases/helm-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/helm-controller/releases/download/v0.10.1/helm-controller.crds.yaml
-- https://github.com/fluxcd/helm-controller/releases/download/v0.10.1/helm-controller.deployment.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v0.11.1/helm-controller.crds.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v0.11.1/helm-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/bases/image-automation-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/image-automation-controller/releases/download/v0.10.0/image-automation-controller.crds.yaml
-- https://github.com/fluxcd/image-automation-controller/releases/download/v0.10.0/image-automation-controller.deployment.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v0.12.0/image-automation-controller.crds.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v0.12.0/image-automation-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/bases/image-reflector-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.9.1/image-reflector-controller.crds.yaml
-- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.9.1/image-reflector-controller.deployment.yaml
+- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.10.0/image-reflector-controller.crds.yaml
+- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.10.0/image-reflector-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/bases/kustomize-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/kustomize-controller/releases/download/v0.12.1/kustomize-controller.crds.yaml
-- https://github.com/fluxcd/kustomize-controller/releases/download/v0.12.1/kustomize-controller.deployment.yaml
+- https://github.com/fluxcd/kustomize-controller/releases/download/v0.13.0/kustomize-controller.crds.yaml
+- https://github.com/fluxcd/kustomize-controller/releases/download/v0.13.0/kustomize-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/bases/notification-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/notification-controller/releases/download/v0.14.1/notification-controller.crds.yaml
-- https://github.com/fluxcd/notification-controller/releases/download/v0.14.1/notification-controller.deployment.yaml
+- https://github.com/fluxcd/notification-controller/releases/download/v0.15.0/notification-controller.crds.yaml
+- https://github.com/fluxcd/notification-controller/releases/download/v0.15.0/notification-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
   - target:

manifests/bases/source-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v0.13.0/source-controller.crds.yaml
-- https://github.com/fluxcd/source-controller/releases/download/v0.13.0/source-controller.deployment.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.15.1/source-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.15.1/source-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/crds/kustomization.yaml

@@ -1,9 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v0.13.0/source-controller.crds.yaml
-- https://github.com/fluxcd/kustomize-controller/releases/download/v0.12.1/kustomize-controller.crds.yaml
-- https://github.com/fluxcd/helm-controller/releases/download/v0.10.1/helm-controller.crds.yaml
-- https://github.com/fluxcd/notification-controller/releases/download/v0.14.1/notification-controller.crds.yaml
-- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.9.1/image-reflector-controller.crds.yaml
-- https://github.com/fluxcd/image-automation-controller/releases/download/v0.10.0/image-automation-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.15.1/source-controller.crds.yaml
+- https://github.com/fluxcd/kustomize-controller/releases/download/v0.13.0/kustomize-controller.crds.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v0.11.1/helm-controller.crds.yaml
+- https://github.com/fluxcd/notification-controller/releases/download/v0.15.0/notification-controller.crds.yaml
+- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.10.0/image-reflector-controller.crds.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v0.12.0/image-automation-controller.crds.yaml

manifests/integrations/Makefile

@@ -0,0 +1,14 @@
+
+bases := $(shell dirname $(shell find | grep kustomization.yaml | sort))
+
+all: $(bases)
+
+permutations := $(bases) $(addsuffix /,$(bases))
+.PHONY: $(permutations)
+$(permutations):
+	@echo $@
+	@warnings=$$(kustomize build $@ -o /dev/null 2>&1); \
+		if [ "$$warnings" ]; then \
+			echo "$$warnings"; \
+			false; \
+		fi

manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml

@@ -7,6 +7,9 @@ commonLabels:
 resources:
   - sync.yaml
 
+patchesStrategicMerge:
+  - kubectl-patch.yaml
+
 vars:
   - name: KUBE_SECRET
     objref:
@@ -15,13 +18,6 @@ vars:
       apiVersion: v1
     fieldref:
       fieldpath: data.KUBE_SECRET
-  - name: ADDRESS
-    objref:
-      kind: ConfigMap
-      name: credentials-sync-eventhub
-      apiVersion: v1
-    fieldref:
-      fieldpath: data.ADDRESS
 
 configurations:
   - kustomizeconfig.yaml

manifests/integrations/eventhub-credentials-sync/_base/sync.yaml

@@ -109,9 +109,9 @@ rules:
       - create
       - update
       - patch
-    # # Lock this down to the specific Secret name  (Optional)
+    # Lock this down to the specific Secret name  (Optional)
     #resourceNames:
-    #  - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
+    # - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kubectl-patch.yaml

@@ -1,7 +1,7 @@
 apiVersion: batch/v1beta1
 kind: CronJob
 metadata:
-  name: credentials-sync
+  name: credentials-sync-eventhub
   namespace: flux-system
 spec:
   jobTemplate:

manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml

@@ -7,6 +7,9 @@ commonLabels:
 resources:
   - sync.yaml
 
+patchesStrategicMerge:
+  - kubectl-patch.yaml
+
 vars:
   - name: KUBE_SECRET
     objref:
@@ -15,13 +18,6 @@ vars:
       apiVersion: v1
     fieldref:
       fieldpath: data.KUBE_SECRET
-  - name: ADDRESS
-    objref:
-      kind: ConfigMap
-      name: credentials-sync-eventhub
-      apiVersion: v1
-    fieldref:
-      fieldpath: data.ADDRESS
 
 configurations:
   - kustomizeconfig.yaml

manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/sync.yaml

@@ -85,9 +85,9 @@ rules:
       - create
       - update
       - patch
-    # # Lock this down to the specific Secret name  (Optional)
-    #resourceNames:
-    #  - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
+    # Lock this down to the specific Secret name  (Optional)
+    resourceNames:
+     - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/az-identity.yaml

@@ -12,5 +12,5 @@ metadata:
   name: lab
   namespace: flux-system
 spec:
-  azureIdentity: lab
-  selector: lab
+  azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
+  selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name

manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/config-patches.yaml

@@ -23,15 +23,6 @@ spec:
   clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
   resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write
   type: 0
----
-apiVersion: aadpodidentity.k8s.io/v1
-kind: AzureIdentityBinding
-metadata:
-  name: lab
-  namespace: flux-system
-spec:
-  azureIdentity: jwt-lab
-  selector: jwt-lab
 
 # Set the reconcile period + specify the pod-identity via the aadpodidbinding label
 ---

manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kubectl-patch.yaml

@@ -1,34 +0,0 @@
-apiVersion: batch/v1beta1
-kind: CronJob
-metadata:
-  name: credentials-sync-eventhub
-  namespace: flux-system
-spec:
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          initContainers:
-            - image: bitnami/kubectl
-              securityContext:
-                privileged: false
-                readOnlyRootFilesystem: true
-                allowPrivilegeEscalation: false
-              name: copy-kubectl
-              # it's okay to do this because kubectl is a statically linked binary
-              command:
-                - sh
-                - -ceu
-                - cp $(which kubectl) /kbin/
-              resources: {}
-              volumeMounts:
-                - name: kbin
-                  mountPath: /kbin
-          containers:
-            - name: sync
-              volumeMounts:
-                - name: kbin
-                  mountPath: /kbin
-          volumes:
-            - name: kbin
-              emptyDir: {}

manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomization.yaml

@@ -14,7 +14,6 @@ resources:
 
 patchesStrategicMerge:
   - config-patches.yaml
-  - kubectl-patch.yaml
   - reconcile-patch.yaml
 
 vars:

manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml

@@ -1,3 +1,7 @@
 varReference:
-  - path: spec/jobTemplate/spec/template/metadata/labels
-    kind: CronJob
+- path: spec/jobTemplate/spec/template/metadata/labels
+  kind: CronJob
+- path: spec/azureIdentity
+  kind: AzureIdentityBinding
+- path: spec/selector
+  kind: AzureIdentityBinding

manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/config-patches.yaml

@@ -3,7 +3,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: credentials-sync-eventhub
-  namespace: flux-system
 data:
   KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
   ADDRESS: "fluxv2" # the Azure Event Hub name

manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kubectl-patch.yaml

@@ -1,34 +0,0 @@
-apiVersion: batch/v1beta1
-kind: CronJob
-metadata:
-  name: credentials-sync-eventhub
-  namespace: flux-system
-spec:
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          initContainers:
-            - image: bitnami/kubectl
-              securityContext:
-                privileged: false
-                readOnlyRootFilesystem: true
-                allowPrivilegeEscalation: false
-              name: copy-kubectl
-              # it's okay to do this because kubectl is a statically linked binary
-              command:
-                - sh
-                - -ceu
-                - cp $(which kubectl) /kbin/
-              resources: {}
-              volumeMounts:
-                - name: kbin
-                  mountPath: /kbin
-          containers:
-            - name: sync
-              volumeMounts:
-                - name: kbin
-                  mountPath: /kbin
-          volumes:
-            - name: kbin
-              emptyDir: {}

manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomization.yaml

@@ -14,8 +14,4 @@ resources:
 
 patchesStrategicMerge:
   - config-patches.yaml
-  - kubectl-patch.yaml
   - reconcile-patch.yaml
-
-configurations:
-  - kustomizeconfig.yaml

manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomizeconfig.yaml

@@ -1,3 +0,0 @@
-varReference:
-  - path: spec/jobTemplate/spec/template/metadata/labels
-    kind: CronJob

manifests/integrations/eventhub-credentials-sync/azure/az-identity.yaml

@@ -9,8 +9,8 @@ metadata:
 apiVersion: aadpodidentity.k8s.io/v1
 kind: AzureIdentityBinding
 metadata:
-  name: lab
+  name: lab # this can have a different name, but it's nice to keep them the same
   namespace: flux-system
 spec:
-  azureIdentity: lab
-  selector: lab
+  azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
+  selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name

manifests/integrations/eventhub-credentials-sync/azure/config-patches.yaml

@@ -24,15 +24,6 @@ spec:
   clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
   resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write
   type: 0
----
-apiVersion: aadpodidentity.k8s.io/v1
-kind: AzureIdentityBinding
-metadata:
-  name: lab
-  namespace: flux-system
-spec:
-  azureIdentity: jwt-lab
-  selector: jwt-lab
 
 # Specify the pod-identity via the aadpodidbinding label
 ---

manifests/integrations/eventhub-credentials-sync/azure/kustomization.yaml

@@ -14,7 +14,6 @@ resources:
 
 patchesStrategicMerge:
   - config-patches.yaml
-  - kubectl-patch.yaml
   - reconcile-patch.yaml
 
 vars:

manifests/integrations/eventhub-credentials-sync/azure/kustomizeconfig.yaml

@@ -1,3 +1,7 @@
 varReference:
 - path: spec/template/metadata/labels
   kind: Deployment
+- path: spec/azureIdentity
+  kind: AzureIdentityBinding
+- path: spec/selector
+  kind: AzureIdentityBinding

manifests/integrations/eventhub-credentials-sync/generic/kubectl-patch.yaml

@@ -1,32 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: credentials-sync-eventhub
-  namespace: flux-system
-spec:
-  template:
-    spec:
-      initContainers:
-        - image: bitnami/kubectl
-          securityContext:
-            privileged: false
-            readOnlyRootFilesystem: true
-            allowPrivilegeEscalation: false
-          name: copy-kubectl
-          # it's okay to do this because kubectl is a statically linked binary
-          command:
-            - sh
-            - -ceu
-            - cp $(which kubectl) /kbin/
-          resources: {}
-          volumeMounts:
-            - name: kbin
-              mountPath: /kbin
-      containers:
-        - name: sync
-          volumeMounts:
-            - name: kbin
-              mountPath: /kbin
-      volumes:
-        - name: kbin
-          emptyDir: {}

manifests/integrations/eventhub-credentials-sync/generic/kustomization.yaml

@@ -14,8 +14,4 @@ resources:
 
 patchesStrategicMerge:
   - config-patches.yaml
-  - kubectl-patch.yaml
   - reconcile-patch.yaml
-
-configurations:
-  - kustomizeconfig.yaml

manifests/integrations/eventhub-credentials-sync/generic/kustomizeconfig.yaml

@@ -1,3 +0,0 @@
-varReference:
-- path: spec/template/metadata/labels
-  kind: Deployment

manifests/integrations/registry-credentials-sync/_base/kustomization.yaml

@@ -7,6 +7,9 @@ commonLabels:
 resources:
 - sync.yaml
 
+patchesStrategicMerge:
+  - kubectl-patch.yaml
+
 vars:
 - name: KUBE_SECRET
   objref:

manifests/integrations/registry-credentials-sync/_base/sync.yaml

@@ -102,8 +102,8 @@ rules:
   - update
   - patch
   # # Lock this down to the specific Secret name  (Optional)
-  resourceNames:
-  - $(KUBE_SECRET)  # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
+  #resourceNames:
+  #- $(KUBE_SECRET)  # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml

@@ -7,6 +7,9 @@ commonLabels:
 resources:
 - sync.yaml
 
+patchesStrategicMerge:
+  - kubectl-patch.yaml
+
 vars:
 - name: KUBE_SECRET
   objref:

manifests/integrations/registry-credentials-sync/_cronjobs/_base/sync.yaml

@@ -49,7 +49,7 @@ spec:
 
               apply-secret() {
                 /kbin/kubectl create secret docker-registry "${1}" \
-                  --docker-passwrod="${2}" \
+                  --docker-password="${2}" \
                   --docker-username="${3}" \
                   --docker-server="${4}" \
                   --dry-run=client -o=yaml \

manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml

@@ -14,7 +14,6 @@ bases:
 
 patchesStrategicMerge:
 - config-patches.yaml
-- kubectl-patch.yaml
 - reconcile-patch.yaml
 
 ## uncomment if using encrypted-secret.yaml

manifests/integrations/registry-credentials-sync/_cronjobs/azure/az-identity.yaml

@@ -5,3 +5,12 @@ kind: AzureIdentity
 metadata:
   name: credentials-sync  # if this is changed, also change in config-patches.yaml
   namespace: flux-system
+---
+apiVersion: aadpodidentity.k8s.io/v1
+kind: AzureIdentityBinding
+metadata:
+  name: credentials-sync  # this can have a different name, but it's nice to keep them the same
+  namespace: flux-system
+spec:
+  azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
+  selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name

manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml

@@ -14,7 +14,6 @@ resources:
 
 patchesStrategicMerge:
 - config-patches.yaml
-- kubectl-patch.yaml
 - reconcile-patch.yaml
 
 vars:

manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml

@@ -1,3 +1,7 @@
 varReference:
 - path: spec/jobTemplate/spec/template/metadata/labels
-  kind: Deployment
+  kind: CronJob
+- path: spec/azureIdentity
+  kind: AzureIdentityBinding
+- path: spec/selector
+  kind: AzureIdentityBinding

manifests/integrations/registry-credentials-sync/_cronjobs/gcp/reconcile-patch.yaml

@@ -10,7 +10,7 @@ spec:
         spec:
           containers:
           - name: sync
-            image: aws/aws-cli
+            image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine
             env:
             - name: RECONCILE_SH
               value: |-

manifests/integrations/registry-credentials-sync/aws/kustomization.yaml

@@ -14,7 +14,6 @@ bases:
 
 patchesStrategicMerge:
 - config-patches.yaml
-- kubectl-patch.yaml
 - reconcile-patch.yaml
 
 ## uncomment if using encrypted-secret.yaml

manifests/integrations/registry-credentials-sync/azure/az-identity.yaml

@@ -5,3 +5,12 @@ kind: AzureIdentity
 metadata:
   name: credentials-sync  # if this is changed, also change in config-patches.yaml
   namespace: flux-system
+---
+apiVersion: aadpodidentity.k8s.io/v1
+kind: AzureIdentityBinding
+metadata:
+  name: credentials-sync  # this can have a different name, but it's nice to keep them the same
+  namespace: flux-system
+spec:
+  azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
+  selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name

manifests/integrations/registry-credentials-sync/azure/kubectl-patch.yaml

@@ -1,28 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: credentials-sync
-  namespace: flux-system
-spec:
-  template:
-    spec:
-      initContainers:
-      - image: bitnami/kubectl
-        name: copy-kubectl
-        # it's okay to do this because kubectl is a statically linked binary
-        command:
-        - sh
-        - -ceu
-        - cp $(which kubectl) /kbin/
-        resources: {}
-        volumeMounts:
-        - name: kbin
-          mountPath: /kbin
-      containers:
-      - name: sync
-        volumeMounts:
-        - name: kbin
-          mountPath: /kbin
-      volumes:
-      - name: kbin
-        emptyDir: {}

manifests/integrations/registry-credentials-sync/azure/kustomization.yaml

@@ -14,7 +14,6 @@ resources:
 
 patchesStrategicMerge:
 - config-patches.yaml
-- kubectl-patch.yaml
 - reconcile-patch.yaml
 
 vars:

manifests/integrations/registry-credentials-sync/azure/kustomizeconfig.yaml

@@ -1,3 +1,7 @@
 varReference:
 - path: spec/template/metadata/labels
   kind: Deployment
+- path: spec/azureIdentity
+  kind: AzureIdentityBinding
+- path: spec/selector
+  kind: AzureIdentityBinding

manifests/integrations/registry-credentials-sync/gcp/reconcile-patch.yaml

@@ -9,7 +9,7 @@ spec:
     spec:
       containers:
       - name: sync
-        image: aws/aws-cli
+        image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine
         env:
         - name: RECONCILE_SH
           value: |-

pkg/manifestgen/install/manifests.go

@@ -26,9 +26,11 @@ import (
 	"path"
 	"path/filepath"
 	"strings"
+	"sync"
 
 	"sigs.k8s.io/kustomize/api/filesys"
 	"sigs.k8s.io/kustomize/api/krusty"
+	kustypes "sigs.k8s.io/kustomize/api/types"
 
 	"github.com/fluxcd/pkg/untar"
 )
@@ -113,7 +115,14 @@ func generate(base string, options Options) error {
 	return nil
 }
 
+var kustomizeBuildMutex sync.Mutex
+
 func build(base, output string) error {
+	// TODO(stefan): temporary workaround for concurrent map read and map write bug
+	// https://github.com/kubernetes-sigs/kustomize/issues/3659
+	kustomizeBuildMutex.Lock()
+	defer kustomizeBuildMutex.Unlock()
+
 	kfile := filepath.Join(base, "kustomization.yaml")
 
 	fs := filesys.MakeFsOnDisk()
@@ -137,10 +146,16 @@ func build(base, output string) error {
 		}
 	}
 
-	opt := krusty.MakeDefaultOptions()
-	opt.DoLegacyResourceSort = true
-	k := krusty.MakeKustomizer(fs, opt)
-	m, err := k.Run(base)
+	buildOptions := &krusty.Options{
+		DoLegacyResourceSort: true,
+		LoadRestrictions:     kustypes.LoadRestrictionsNone,
+		AddManagedbyLabel:    false,
+		DoPrune:              false,
+		PluginConfig:         kustypes.DisabledPluginConfig(),
+	}
+
+	k := krusty.MakeKustomizer(buildOptions)
+	m, err := k.Run(fs, base)
 	if err != nil {
 		return err
 	}

pkg/manifestgen/kustomization/kustomization.go

@@ -21,8 +21,8 @@ import (
 	"os"
 	"path/filepath"
 
-	"sigs.k8s.io/kustomize/api/k8sdeps/kunstruct"
 	"sigs.k8s.io/kustomize/api/konfig"
+	"sigs.k8s.io/kustomize/api/provider"
 	kustypes "sigs.k8s.io/kustomize/api/types"
 	"sigs.k8s.io/yaml"
 
@@ -35,7 +35,8 @@ func Generate(options Options) (*manifestgen.Manifest, error) {
 
 	scan := func(base string) ([]string, error) {
 		var paths []string
-		uf := kunstruct.NewKunstructuredFactoryImpl()
+		pvd := provider.NewDefaultDepProvider()
+		rf := pvd.GetResourceFactory()
 		err := options.FileSystem.Walk(base, func(path string, info os.FileInfo, err error) error {
 			if err != nil {
 				return err
@@ -58,7 +59,7 @@ func Generate(options Options) (*manifestgen.Manifest, error) {
 			if err != nil {
 				return err
 			}
-			if _, err := uf.SliceFromBytes(fContents); err != nil {
+			if _, err := rf.SliceFromBytes(fContents); err != nil {
 				return nil
 			}
 			paths = append(paths, path)