Compare commits
22 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
a17b0a1ce0 | ||
|
|
354cd5e177 | ||
|
|
4e8f1221f7 | ||
|
|
6b179aa7d9 | ||
|
|
5de83f015a | ||
|
|
a6620e478a | ||
|
|
c7fcffdd8e | ||
|
|
160f59a984 | ||
|
|
d38d487c2a | ||
|
|
db28907543 | ||
|
|
c4261399b5 | ||
|
|
b4edb46269 | ||
|
|
a20ed0e630 | ||
|
|
cea869e285 | ||
|
|
e12db14d1e | ||
|
|
296bf3cc6c | ||
|
|
1789aa180d | ||
|
|
bd255800db | ||
|
|
1355962b3c | ||
|
|
bb0114e379 | ||
|
|
f9622a5b9e | ||
|
|
3a74fcd75c |
@@ -69,6 +69,7 @@ type gitFlags struct {
|
||||
path flags.SafeRelativePath
|
||||
username string
|
||||
password string
|
||||
silent bool
|
||||
}
|
||||
|
||||
var gitArgs gitFlags
|
||||
@@ -79,6 +80,7 @@ func init() {
|
||||
bootstrapGitCmd.Flags().Var(&gitArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
|
||||
bootstrapGitCmd.Flags().StringVarP(&gitArgs.username, "username", "u", "git", "basic authentication username")
|
||||
bootstrapGitCmd.Flags().StringVarP(&gitArgs.password, "password", "p", "", "basic authentication password")
|
||||
bootstrapGitCmd.Flags().BoolVarP(&gitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
|
||||
|
||||
bootstrapCmd.AddCommand(bootstrapGitCmd)
|
||||
}
|
||||
@@ -247,13 +249,16 @@ func promptPublicKey(ctx context.Context, secret corev1.Secret, _ sourcesecret.O
|
||||
}
|
||||
|
||||
logger.Successf("public key: %s", strings.TrimSpace(ppk))
|
||||
prompt := promptui.Prompt{
|
||||
Label: "Please give the key access to your repository",
|
||||
IsConfirm: true,
|
||||
}
|
||||
_, err := prompt.Run()
|
||||
if err != nil {
|
||||
return fmt.Errorf("aborting")
|
||||
|
||||
if !gitArgs.silent {
|
||||
prompt := promptui.Prompt{
|
||||
Label: "Please give the key access to your repository",
|
||||
IsConfirm: true,
|
||||
}
|
||||
_, err := prompt.Run()
|
||||
if err != nil {
|
||||
return fmt.Errorf("aborting")
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -63,19 +63,15 @@ For Git over HTTP/S, the provided basic authentication credentials are stored in
|
||||
--username=username \
|
||||
--password=password
|
||||
|
||||
# Create a Git SSH secret on disk and print the deploy key
|
||||
# Create a Git SSH secret on disk
|
||||
flux create secret git podinfo-auth \
|
||||
--url=ssh://git@github.com/stefanprodan/podinfo \
|
||||
--export > podinfo-auth.yaml
|
||||
|
||||
yq read podinfo-auth.yaml 'data."identity.pub"' | base64 --decode
|
||||
|
||||
# Create a Git SSH secret on disk and encrypt it with Mozilla SOPS
|
||||
flux create secret git podinfo-auth \
|
||||
--namespace=apps \
|
||||
--url=ssh://git@github.com/stefanprodan/podinfo \
|
||||
--export > podinfo-auth.yaml
|
||||
# Print the deploy key
|
||||
yq eval '.stringData."identity.pub"' podinfo-auth.yaml
|
||||
|
||||
# Encrypt the secret on disk with Mozilla SOPS
|
||||
sops --encrypt --encrypted-regex '^(data|stringData)$' \
|
||||
--in-place podinfo-auth.yaml`,
|
||||
RunE: createSecretGitCmdRun,
|
||||
|
||||
35
go.mod
35
go.mod
@@ -6,31 +6,30 @@ require (
|
||||
github.com/Masterminds/semver/v3 v3.1.0
|
||||
github.com/cyphar/filepath-securejoin v0.2.2
|
||||
github.com/fluxcd/go-git-providers v0.1.1
|
||||
github.com/fluxcd/helm-controller/api v0.10.1
|
||||
github.com/fluxcd/image-automation-controller/api v0.10.0
|
||||
github.com/fluxcd/image-reflector-controller/api v0.9.1
|
||||
github.com/fluxcd/kustomize-controller/api v0.12.1
|
||||
github.com/fluxcd/notification-controller/api v0.14.1
|
||||
github.com/fluxcd/pkg/apis/meta v0.9.0
|
||||
github.com/fluxcd/pkg/runtime v0.11.0
|
||||
github.com/fluxcd/helm-controller/api v0.11.0
|
||||
github.com/fluxcd/image-automation-controller/api v0.12.0
|
||||
github.com/fluxcd/image-reflector-controller/api v0.10.0
|
||||
github.com/fluxcd/kustomize-controller/api v0.13.0
|
||||
github.com/fluxcd/notification-controller/api v0.15.0
|
||||
github.com/fluxcd/pkg/apis/meta v0.10.0
|
||||
github.com/fluxcd/pkg/runtime v0.12.0
|
||||
github.com/fluxcd/pkg/ssh v0.0.5
|
||||
github.com/fluxcd/pkg/untar v0.0.5
|
||||
github.com/fluxcd/pkg/version v0.0.1
|
||||
github.com/fluxcd/source-controller/api v0.13.1
|
||||
github.com/go-git/go-git/v5 v5.4.1
|
||||
github.com/fluxcd/source-controller/api v0.15.0
|
||||
github.com/go-git/go-git/v5 v5.4.2
|
||||
github.com/google/go-containerregistry v0.2.0
|
||||
github.com/manifoldco/promptui v0.7.0
|
||||
github.com/olekukonko/tablewriter v0.0.4
|
||||
github.com/spf13/cobra v1.1.1
|
||||
github.com/spf13/cobra v1.1.3
|
||||
github.com/spf13/pflag v1.0.5
|
||||
golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b
|
||||
k8s.io/api v0.20.4
|
||||
k8s.io/apiextensions-apiserver v0.20.4
|
||||
k8s.io/apimachinery v0.20.4
|
||||
k8s.io/cli-runtime v0.20.2 // indirect
|
||||
k8s.io/client-go v0.20.4
|
||||
sigs.k8s.io/cli-utils v0.22.2
|
||||
sigs.k8s.io/controller-runtime v0.8.3
|
||||
sigs.k8s.io/kustomize/api v0.7.4
|
||||
k8s.io/api v0.21.1
|
||||
k8s.io/apiextensions-apiserver v0.21.1
|
||||
k8s.io/apimachinery v0.21.1
|
||||
k8s.io/client-go v0.21.1
|
||||
sigs.k8s.io/cli-utils v0.25.1-0.20210608181808-f3974341173a
|
||||
sigs.k8s.io/controller-runtime v0.9.0
|
||||
sigs.k8s.io/kustomize/api v0.8.10
|
||||
sigs.k8s.io/yaml v1.2.0
|
||||
)
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- https://github.com/fluxcd/helm-controller/releases/download/v0.10.1/helm-controller.crds.yaml
|
||||
- https://github.com/fluxcd/helm-controller/releases/download/v0.10.1/helm-controller.deployment.yaml
|
||||
- https://github.com/fluxcd/helm-controller/releases/download/v0.11.0/helm-controller.crds.yaml
|
||||
- https://github.com/fluxcd/helm-controller/releases/download/v0.11.0/helm-controller.deployment.yaml
|
||||
- account.yaml
|
||||
patchesJson6902:
|
||||
- target:
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- https://github.com/fluxcd/image-automation-controller/releases/download/v0.10.0/image-automation-controller.crds.yaml
|
||||
- https://github.com/fluxcd/image-automation-controller/releases/download/v0.10.0/image-automation-controller.deployment.yaml
|
||||
- https://github.com/fluxcd/image-automation-controller/releases/download/v0.12.0/image-automation-controller.crds.yaml
|
||||
- https://github.com/fluxcd/image-automation-controller/releases/download/v0.12.0/image-automation-controller.deployment.yaml
|
||||
- account.yaml
|
||||
patchesJson6902:
|
||||
- target:
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.9.1/image-reflector-controller.crds.yaml
|
||||
- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.9.1/image-reflector-controller.deployment.yaml
|
||||
- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.10.0/image-reflector-controller.crds.yaml
|
||||
- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.10.0/image-reflector-controller.deployment.yaml
|
||||
- account.yaml
|
||||
patchesJson6902:
|
||||
- target:
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- https://github.com/fluxcd/kustomize-controller/releases/download/v0.12.1/kustomize-controller.crds.yaml
|
||||
- https://github.com/fluxcd/kustomize-controller/releases/download/v0.12.1/kustomize-controller.deployment.yaml
|
||||
- https://github.com/fluxcd/kustomize-controller/releases/download/v0.13.0/kustomize-controller.crds.yaml
|
||||
- https://github.com/fluxcd/kustomize-controller/releases/download/v0.13.0/kustomize-controller.deployment.yaml
|
||||
- account.yaml
|
||||
patchesJson6902:
|
||||
- target:
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- https://github.com/fluxcd/notification-controller/releases/download/v0.14.1/notification-controller.crds.yaml
|
||||
- https://github.com/fluxcd/notification-controller/releases/download/v0.14.1/notification-controller.deployment.yaml
|
||||
- https://github.com/fluxcd/notification-controller/releases/download/v0.15.0/notification-controller.crds.yaml
|
||||
- https://github.com/fluxcd/notification-controller/releases/download/v0.15.0/notification-controller.deployment.yaml
|
||||
- account.yaml
|
||||
patchesJson6902:
|
||||
- target:
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- https://github.com/fluxcd/source-controller/releases/download/v0.13.1/source-controller.crds.yaml
|
||||
- https://github.com/fluxcd/source-controller/releases/download/v0.13.1/source-controller.deployment.yaml
|
||||
- https://github.com/fluxcd/source-controller/releases/download/v0.15.0/source-controller.crds.yaml
|
||||
- https://github.com/fluxcd/source-controller/releases/download/v0.15.0/source-controller.deployment.yaml
|
||||
- account.yaml
|
||||
patchesJson6902:
|
||||
- target:
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- https://github.com/fluxcd/source-controller/releases/download/v0.13.1/source-controller.crds.yaml
|
||||
- https://github.com/fluxcd/kustomize-controller/releases/download/v0.12.1/kustomize-controller.crds.yaml
|
||||
- https://github.com/fluxcd/helm-controller/releases/download/v0.10.1/helm-controller.crds.yaml
|
||||
- https://github.com/fluxcd/notification-controller/releases/download/v0.14.1/notification-controller.crds.yaml
|
||||
- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.9.1/image-reflector-controller.crds.yaml
|
||||
- https://github.com/fluxcd/image-automation-controller/releases/download/v0.10.0/image-automation-controller.crds.yaml
|
||||
- https://github.com/fluxcd/source-controller/releases/download/v0.15.0/source-controller.crds.yaml
|
||||
- https://github.com/fluxcd/kustomize-controller/releases/download/v0.13.0/kustomize-controller.crds.yaml
|
||||
- https://github.com/fluxcd/helm-controller/releases/download/v0.11.0/helm-controller.crds.yaml
|
||||
- https://github.com/fluxcd/notification-controller/releases/download/v0.15.0/notification-controller.crds.yaml
|
||||
- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.10.0/image-reflector-controller.crds.yaml
|
||||
- https://github.com/fluxcd/image-automation-controller/releases/download/v0.12.0/image-automation-controller.crds.yaml
|
||||
|
||||
14
manifests/integrations/Makefile
Normal file
14
manifests/integrations/Makefile
Normal file
@@ -0,0 +1,14 @@
|
||||
|
||||
bases := $(shell dirname $(shell find | grep kustomization.yaml | sort))
|
||||
|
||||
all: $(bases)
|
||||
|
||||
permutations := $(bases) $(addsuffix /,$(bases))
|
||||
.PHONY: $(permutations)
|
||||
$(permutations):
|
||||
@echo $@
|
||||
@warnings=$$(kustomize build $@ -o /dev/null 2>&1); \
|
||||
if [ "$$warnings" ]; then \
|
||||
echo "$$warnings"; \
|
||||
false; \
|
||||
fi
|
||||
@@ -7,6 +7,9 @@ commonLabels:
|
||||
resources:
|
||||
- sync.yaml
|
||||
|
||||
patchesStrategicMerge:
|
||||
- kubectl-patch.yaml
|
||||
|
||||
vars:
|
||||
- name: KUBE_SECRET
|
||||
objref:
|
||||
@@ -15,13 +18,6 @@ vars:
|
||||
apiVersion: v1
|
||||
fieldref:
|
||||
fieldpath: data.KUBE_SECRET
|
||||
- name: ADDRESS
|
||||
objref:
|
||||
kind: ConfigMap
|
||||
name: credentials-sync-eventhub
|
||||
apiVersion: v1
|
||||
fieldref:
|
||||
fieldpath: data.ADDRESS
|
||||
|
||||
configurations:
|
||||
- kustomizeconfig.yaml
|
||||
|
||||
@@ -109,9 +109,9 @@ rules:
|
||||
- create
|
||||
- update
|
||||
- patch
|
||||
# # Lock this down to the specific Secret name (Optional)
|
||||
#resourceNames:
|
||||
# - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
|
||||
# Lock this down to the specific Secret name (Optional)
|
||||
resourceNames:
|
||||
- $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
|
||||
---
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
apiVersion: batch/v1beta1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
spec:
|
||||
jobTemplate:
|
||||
@@ -7,6 +7,9 @@ commonLabels:
|
||||
resources:
|
||||
- sync.yaml
|
||||
|
||||
patchesStrategicMerge:
|
||||
- kubectl-patch.yaml
|
||||
|
||||
vars:
|
||||
- name: KUBE_SECRET
|
||||
objref:
|
||||
@@ -15,13 +18,6 @@ vars:
|
||||
apiVersion: v1
|
||||
fieldref:
|
||||
fieldpath: data.KUBE_SECRET
|
||||
- name: ADDRESS
|
||||
objref:
|
||||
kind: ConfigMap
|
||||
name: credentials-sync-eventhub
|
||||
apiVersion: v1
|
||||
fieldref:
|
||||
fieldpath: data.ADDRESS
|
||||
|
||||
configurations:
|
||||
- kustomizeconfig.yaml
|
||||
|
||||
@@ -85,9 +85,9 @@ rules:
|
||||
- create
|
||||
- update
|
||||
- patch
|
||||
# # Lock this down to the specific Secret name (Optional)
|
||||
#resourceNames:
|
||||
# - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
|
||||
# Lock this down to the specific Secret name (Optional)
|
||||
resourceNames:
|
||||
- $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
|
||||
---
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
|
||||
@@ -12,5 +12,5 @@ metadata:
|
||||
name: lab
|
||||
namespace: flux-system
|
||||
spec:
|
||||
azureIdentity: lab
|
||||
selector: lab
|
||||
azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
|
||||
@@ -23,15 +23,6 @@ spec:
|
||||
clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
|
||||
resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write
|
||||
type: 0
|
||||
---
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
kind: AzureIdentityBinding
|
||||
metadata:
|
||||
name: lab
|
||||
namespace: flux-system
|
||||
spec:
|
||||
azureIdentity: jwt-lab
|
||||
selector: jwt-lab
|
||||
|
||||
# Set the reconcile period + specify the pod-identity via the aadpodidbinding label
|
||||
---
|
||||
|
||||
@@ -1,34 +0,0 @@
|
||||
apiVersion: batch/v1beta1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
spec:
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
initContainers:
|
||||
- image: bitnami/kubectl
|
||||
securityContext:
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
name: copy-kubectl
|
||||
# it's okay to do this because kubectl is a statically linked binary
|
||||
command:
|
||||
- sh
|
||||
- -ceu
|
||||
- cp $(which kubectl) /kbin/
|
||||
resources: {}
|
||||
volumeMounts:
|
||||
- name: kbin
|
||||
mountPath: /kbin
|
||||
containers:
|
||||
- name: sync
|
||||
volumeMounts:
|
||||
- name: kbin
|
||||
mountPath: /kbin
|
||||
volumes:
|
||||
- name: kbin
|
||||
emptyDir: {}
|
||||
@@ -14,7 +14,6 @@ resources:
|
||||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- kubectl-patch.yaml
|
||||
- reconcile-patch.yaml
|
||||
|
||||
vars:
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
varReference:
|
||||
- path: spec/jobTemplate/spec/template/metadata/labels
|
||||
kind: CronJob
|
||||
- path: spec/jobTemplate/spec/template/metadata/labels
|
||||
kind: CronJob
|
||||
- path: spec/azureIdentity
|
||||
kind: AzureIdentityBinding
|
||||
- path: spec/selector
|
||||
kind: AzureIdentityBinding
|
||||
|
||||
@@ -3,7 +3,6 @@ apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
data:
|
||||
KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
|
||||
ADDRESS: "fluxv2" # the Azure Event Hub name
|
||||
|
||||
@@ -1,34 +0,0 @@
|
||||
apiVersion: batch/v1beta1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
spec:
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
initContainers:
|
||||
- image: bitnami/kubectl
|
||||
securityContext:
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
name: copy-kubectl
|
||||
# it's okay to do this because kubectl is a statically linked binary
|
||||
command:
|
||||
- sh
|
||||
- -ceu
|
||||
- cp $(which kubectl) /kbin/
|
||||
resources: {}
|
||||
volumeMounts:
|
||||
- name: kbin
|
||||
mountPath: /kbin
|
||||
containers:
|
||||
- name: sync
|
||||
volumeMounts:
|
||||
- name: kbin
|
||||
mountPath: /kbin
|
||||
volumes:
|
||||
- name: kbin
|
||||
emptyDir: {}
|
||||
@@ -14,8 +14,4 @@ resources:
|
||||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- kubectl-patch.yaml
|
||||
- reconcile-patch.yaml
|
||||
|
||||
configurations:
|
||||
- kustomizeconfig.yaml
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
varReference:
|
||||
- path: spec/jobTemplate/spec/template/metadata/labels
|
||||
kind: CronJob
|
||||
@@ -9,8 +9,8 @@ metadata:
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
kind: AzureIdentityBinding
|
||||
metadata:
|
||||
name: lab
|
||||
name: lab # this can have a different name, but it's nice to keep them the same
|
||||
namespace: flux-system
|
||||
spec:
|
||||
azureIdentity: lab
|
||||
selector: lab
|
||||
azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
|
||||
@@ -24,15 +24,6 @@ spec:
|
||||
clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
|
||||
resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write
|
||||
type: 0
|
||||
---
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
kind: AzureIdentityBinding
|
||||
metadata:
|
||||
name: lab
|
||||
namespace: flux-system
|
||||
spec:
|
||||
azureIdentity: jwt-lab
|
||||
selector: jwt-lab
|
||||
|
||||
# Specify the pod-identity via the aadpodidbinding label
|
||||
---
|
||||
|
||||
@@ -14,7 +14,6 @@ resources:
|
||||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- kubectl-patch.yaml
|
||||
- reconcile-patch.yaml
|
||||
|
||||
vars:
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
varReference:
|
||||
- path: spec/template/metadata/labels
|
||||
kind: Deployment
|
||||
- path: spec/azureIdentity
|
||||
kind: AzureIdentityBinding
|
||||
- path: spec/selector
|
||||
kind: AzureIdentityBinding
|
||||
|
||||
@@ -1,32 +0,0 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
initContainers:
|
||||
- image: bitnami/kubectl
|
||||
securityContext:
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
name: copy-kubectl
|
||||
# it's okay to do this because kubectl is a statically linked binary
|
||||
command:
|
||||
- sh
|
||||
- -ceu
|
||||
- cp $(which kubectl) /kbin/
|
||||
resources: {}
|
||||
volumeMounts:
|
||||
- name: kbin
|
||||
mountPath: /kbin
|
||||
containers:
|
||||
- name: sync
|
||||
volumeMounts:
|
||||
- name: kbin
|
||||
mountPath: /kbin
|
||||
volumes:
|
||||
- name: kbin
|
||||
emptyDir: {}
|
||||
@@ -14,8 +14,4 @@ resources:
|
||||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- kubectl-patch.yaml
|
||||
- reconcile-patch.yaml
|
||||
|
||||
configurations:
|
||||
- kustomizeconfig.yaml
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
varReference:
|
||||
- path: spec/template/metadata/labels
|
||||
kind: Deployment
|
||||
@@ -7,6 +7,9 @@ commonLabels:
|
||||
resources:
|
||||
- sync.yaml
|
||||
|
||||
patchesStrategicMerge:
|
||||
- kubectl-patch.yaml
|
||||
|
||||
vars:
|
||||
- name: KUBE_SECRET
|
||||
objref:
|
||||
|
||||
@@ -7,6 +7,9 @@ commonLabels:
|
||||
resources:
|
||||
- sync.yaml
|
||||
|
||||
patchesStrategicMerge:
|
||||
- kubectl-patch.yaml
|
||||
|
||||
vars:
|
||||
- name: KUBE_SECRET
|
||||
objref:
|
||||
|
||||
@@ -14,7 +14,6 @@ bases:
|
||||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- kubectl-patch.yaml
|
||||
- reconcile-patch.yaml
|
||||
|
||||
## uncomment if using encrypted-secret.yaml
|
||||
|
||||
@@ -5,3 +5,12 @@ kind: AzureIdentity
|
||||
metadata:
|
||||
name: credentials-sync # if this is changed, also change in config-patches.yaml
|
||||
namespace: flux-system
|
||||
---
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
kind: AzureIdentityBinding
|
||||
metadata:
|
||||
name: credentials-sync # this can have a different name, but it's nice to keep them the same
|
||||
namespace: flux-system
|
||||
spec:
|
||||
azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
|
||||
@@ -14,7 +14,6 @@ resources:
|
||||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- kubectl-patch.yaml
|
||||
- reconcile-patch.yaml
|
||||
|
||||
vars:
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
varReference:
|
||||
- path: spec/jobTemplate/spec/template/metadata/labels
|
||||
kind: Deployment
|
||||
kind: CronJob
|
||||
- path: spec/azureIdentity
|
||||
kind: AzureIdentityBinding
|
||||
- path: spec/selector
|
||||
kind: AzureIdentityBinding
|
||||
|
||||
@@ -10,7 +10,7 @@ spec:
|
||||
spec:
|
||||
containers:
|
||||
- name: sync
|
||||
image: aws/aws-cli
|
||||
image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine
|
||||
env:
|
||||
- name: RECONCILE_SH
|
||||
value: |-
|
||||
|
||||
@@ -14,7 +14,6 @@ bases:
|
||||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- kubectl-patch.yaml
|
||||
- reconcile-patch.yaml
|
||||
|
||||
## uncomment if using encrypted-secret.yaml
|
||||
|
||||
@@ -5,3 +5,12 @@ kind: AzureIdentity
|
||||
metadata:
|
||||
name: credentials-sync # if this is changed, also change in config-patches.yaml
|
||||
namespace: flux-system
|
||||
---
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
kind: AzureIdentityBinding
|
||||
metadata:
|
||||
name: credentials-sync # this can have a different name, but it's nice to keep them the same
|
||||
namespace: flux-system
|
||||
spec:
|
||||
azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
|
||||
@@ -1,28 +0,0 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
initContainers:
|
||||
- image: bitnami/kubectl
|
||||
name: copy-kubectl
|
||||
# it's okay to do this because kubectl is a statically linked binary
|
||||
command:
|
||||
- sh
|
||||
- -ceu
|
||||
- cp $(which kubectl) /kbin/
|
||||
resources: {}
|
||||
volumeMounts:
|
||||
- name: kbin
|
||||
mountPath: /kbin
|
||||
containers:
|
||||
- name: sync
|
||||
volumeMounts:
|
||||
- name: kbin
|
||||
mountPath: /kbin
|
||||
volumes:
|
||||
- name: kbin
|
||||
emptyDir: {}
|
||||
@@ -14,7 +14,6 @@ resources:
|
||||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- kubectl-patch.yaml
|
||||
- reconcile-patch.yaml
|
||||
|
||||
vars:
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
varReference:
|
||||
- path: spec/template/metadata/labels
|
||||
kind: Deployment
|
||||
- path: spec/azureIdentity
|
||||
kind: AzureIdentityBinding
|
||||
- path: spec/selector
|
||||
kind: AzureIdentityBinding
|
||||
|
||||
@@ -9,7 +9,7 @@ spec:
|
||||
spec:
|
||||
containers:
|
||||
- name: sync
|
||||
image: aws/aws-cli
|
||||
image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine
|
||||
env:
|
||||
- name: RECONCILE_SH
|
||||
value: |-
|
||||
|
||||
@@ -26,9 +26,11 @@ import (
|
||||
"path"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"sync"
|
||||
|
||||
"sigs.k8s.io/kustomize/api/filesys"
|
||||
"sigs.k8s.io/kustomize/api/krusty"
|
||||
kustypes "sigs.k8s.io/kustomize/api/types"
|
||||
|
||||
"github.com/fluxcd/pkg/untar"
|
||||
)
|
||||
@@ -113,7 +115,14 @@ func generate(base string, options Options) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
var kustomizeBuildMutex sync.Mutex
|
||||
|
||||
func build(base, output string) error {
|
||||
// TODO(stefan): temporary workaround for concurrent map read and map write bug
|
||||
// https://github.com/kubernetes-sigs/kustomize/issues/3659
|
||||
kustomizeBuildMutex.Lock()
|
||||
defer kustomizeBuildMutex.Unlock()
|
||||
|
||||
kfile := filepath.Join(base, "kustomization.yaml")
|
||||
|
||||
fs := filesys.MakeFsOnDisk()
|
||||
@@ -137,10 +146,16 @@ func build(base, output string) error {
|
||||
}
|
||||
}
|
||||
|
||||
opt := krusty.MakeDefaultOptions()
|
||||
opt.DoLegacyResourceSort = true
|
||||
k := krusty.MakeKustomizer(fs, opt)
|
||||
m, err := k.Run(base)
|
||||
buildOptions := &krusty.Options{
|
||||
DoLegacyResourceSort: true,
|
||||
LoadRestrictions: kustypes.LoadRestrictionsNone,
|
||||
AddManagedbyLabel: false,
|
||||
DoPrune: false,
|
||||
PluginConfig: kustypes.DisabledPluginConfig(),
|
||||
}
|
||||
|
||||
k := krusty.MakeKustomizer(buildOptions)
|
||||
m, err := k.Run(fs, base)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -21,8 +21,8 @@ import (
|
||||
"os"
|
||||
"path/filepath"
|
||||
|
||||
"sigs.k8s.io/kustomize/api/k8sdeps/kunstruct"
|
||||
"sigs.k8s.io/kustomize/api/konfig"
|
||||
"sigs.k8s.io/kustomize/api/provider"
|
||||
kustypes "sigs.k8s.io/kustomize/api/types"
|
||||
"sigs.k8s.io/yaml"
|
||||
|
||||
@@ -35,7 +35,8 @@ func Generate(options Options) (*manifestgen.Manifest, error) {
|
||||
|
||||
scan := func(base string) ([]string, error) {
|
||||
var paths []string
|
||||
uf := kunstruct.NewKunstructuredFactoryImpl()
|
||||
pvd := provider.NewDefaultDepProvider()
|
||||
rf := pvd.GetResourceFactory()
|
||||
err := options.FileSystem.Walk(base, func(path string, info os.FileInfo, err error) error {
|
||||
if err != nil {
|
||||
return err
|
||||
@@ -58,7 +59,7 @@ func Generate(options Options) (*manifestgen.Manifest, error) {
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if _, err := uf.SliceFromBytes(fContents); err != nil {
|
||||
if _, err := rf.SliceFromBytes(fContents); err != nil {
|
||||
return nil
|
||||
}
|
||||
paths = append(paths, path)
|
||||
|
||||
Reference in New Issue
Block a user