X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=blobdiff_plain;f=deploy%2Fcluster%2Ftemplates%2Fflux-addon.yaml;h=e3b1f59b2abfc14968e42023441a8566572d6625;hb=d63ac9f8de3b8fdfc2f0d122354e2f6f0ac5a063;hp=81322e228e11ca28f23890a49c9f76ef2bbdff6c;hpb=7f5b95aaf15bca22ac6506ac5e1b5db0d0437222;p=icn.git diff --git a/deploy/cluster/templates/flux-addon.yaml b/deploy/cluster/templates/flux-addon.yaml index 81322e2..e3b1f59 100644 --- a/deploy/cluster/templates/flux-addon.yaml +++ b/deploy/cluster/templates/flux-addon.yaml @@ -3,28 +3,27 @@ apiVersion: v1 data: flux-system.yaml: | - --- - # Flux version: v0.20.0 - # Components: source-controller,kustomize-controller,helm-controller,notification-controller apiVersion: v1 kind: Namespace metadata: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: latest name: flux-system --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.5.0 + controller-gen.kubebuilder.io/version: v0.7.0 creationTimestamp: null labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 name: alerts.notification.toolkit.fluxcd.io spec: group: notification.toolkit.fluxcd.io @@ -96,6 +95,15 @@ data: - ImagePolicy - ImageUpdateAutomation type: string + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object name: description: Name of the referent maxLength: 53 
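Review bot: The two `pod-security.kubernetes.io/warn*` labels added to the `flux-system` Namespace in the first hunk on this line only emit warnings; nothing in the namespace is rejected. The controller pod specs later in this same file already drop ALL capabilities, run as non-root and use the RuntimeDefault seccomp profile, so adding `pod-security.kubernetes.io/enforce: restricted` and `pod-security.kubernetes.io/enforce-version: latest` alongside the warn labels should not break them while blocking any other workload placed in flux-system. If this block is regenerated from upstream (`flux install --export` or similar), carry the extra labels as a patch rather than editing the generated text.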
@@ -231,12 +239,12 @@ data: kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.5.0 + controller-gen.kubebuilder.io/version: v0.7.0 creationTimestamp: null labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 name: buckets.source.toolkit.fluxcd.io spec: group: source.toolkit.fluxcd.io @@ -248,8 +256,8 @@ data: scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL + - jsonPath: .spec.endpoint + name: Endpoint type: string - jsonPath: .status.conditions[?(@.type=="Ready")].status name: Ready @@ -281,6 +289,33 @@ data: description: BucketSpec defines the desired state of an S3 compatible bucket properties: + accessFrom: + description: AccessFrom defines an Access Control List for allowing + cross-namespace references to this object. + properties: + namespaceSelectors: + description: NamespaceSelectors is the list of namespace selectors + to which this ACL applies. Items in this list are evaluated + using a logical OR operation. + items: + description: NamespaceSelector selects the namespaces to which + this ACL applies. An empty map of MatchLabels matches all + namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object bucketName: description: The bucket name. type: string 
@@ -325,8 +360,8 @@ data: of this source. type: boolean timeout: - default: 20s - description: The timeout for download operations, defaults to 20s. + default: 60s + description: The timeout for download operations, defaults to 60s. type: string required: - bucketName @@ -334,6 +369,8 @@ data: - interval type: object status: + default: + observedGeneration: -1 description: BucketStatus defines the observed state of a bucket properties: artifact: @@ -341,7 +378,7 @@ data: Bucket sync. properties: checksum: - description: Checksum is the SHA1 checksum of the artifact. + description: Checksum is the SHA256 checksum of the artifact. type: string lastUpdateTime: description: LastUpdateTime is the timestamp corresponding to @@ -462,12 +499,12 @@ data: kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.5.0 + controller-gen.kubebuilder.io/version: v0.7.0 creationTimestamp: null labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 name: gitrepositories.source.toolkit.fluxcd.io spec: group: source.toolkit.fluxcd.io 
@@ -513,6 +550,33 @@ data: spec: description: GitRepositorySpec defines the desired state of a Git repository. properties: + accessFrom: + description: AccessFrom defines an Access Control List for allowing + cross-namespace references to this object. + properties: + namespaceSelectors: + description: NamespaceSelectors is the list of namespace selectors + to which this ACL applies. Items in this list are evaluated + using a logical OR operation. + items: + description: NamespaceSelector selects the namespaces to which + this ACL applies. An empty map of MatchLabels matches all + namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object gitImplementation: default: go-git description: Determines which git client library to use. Defaults @@ -598,9 +662,9 @@ data: of this source. type: boolean timeout: - default: 20s + default: 60s description: The timeout for remote Git operations like cloning, defaults - to 20s. + to 60s. type: string url: description: The repository URL, can be a HTTP/S or SSH address. @@ -634,6 +698,8 @@ data: - url type: object status: + default: + observedGeneration: -1 description: GitRepositoryStatus defines the observed state of a Git repository. properties: artifact: @@ -641,7 +707,7 @@ data: repository sync. properties: checksum: - description: Checksum is the SHA1 checksum of the artifact. + description: Checksum is the SHA256 checksum of the artifact. type: string lastUpdateTime: description: LastUpdateTime is the timestamp corresponding to 
@@ -740,7 +806,7 @@ data: description: Artifact represents the output of a source synchronisation. properties: checksum: - description: Checksum is the SHA1 checksum of the artifact. + description: Checksum is the SHA256 checksum of the artifact. type: string lastUpdateTime: description: LastUpdateTime is the timestamp corresponding to @@ -792,12 +858,12 @@ data: kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.5.0 + controller-gen.kubebuilder.io/version: v0.7.0 creationTimestamp: null labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 name: helmcharts.source.toolkit.fluxcd.io spec: group: source.toolkit.fluxcd.io @@ -852,6 +918,33 @@ data: spec: description: HelmChartSpec defines the desired state of a Helm chart. properties: + accessFrom: + description: AccessFrom defines an Access Control List for allowing + cross-namespace references to this object. + properties: + namespaceSelectors: + description: NamespaceSelectors is the list of namespace selectors + to which this ACL applies. Items in this list are evaluated + using a logical OR operation. + items: + description: NamespaceSelector selects the namespaces to which + this ACL applies. An empty map of MatchLabels matches all + namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object chart: description: The name or path the Helm chart is available at in the SourceRef. 
@@ -920,6 +1013,8 @@ data: - sourceRef type: object status: + default: + observedGeneration: -1 description: HelmChartStatus defines the observed state of the HelmChart. properties: artifact: @@ -927,7 +1022,7 @@ data: chart sync. properties: checksum: - description: Checksum is the SHA1 checksum of the artifact. + description: Checksum is the SHA256 checksum of the artifact. type: string lastUpdateTime: description: LastUpdateTime is the timestamp corresponding to @@ -1047,12 +1142,12 @@ data: kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.5.0 + controller-gen.kubebuilder.io/version: v0.7.0 creationTimestamp: null labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 name: helmreleases.helm.toolkit.fluxcd.io spec: group: helm.toolkit.fluxcd.io @@ -1357,11 +1452,20 @@ data: with an array of operation objects. items: description: JSON6902 is a JSON6902 operation object. - https://tools.ietf.org/html/rfc6902#section-4 + https://datatracker.ietf.org/doc/html/rfc6902#section-4 properties: from: + description: From contains a JSON-pointer value + that references a location within the target + document where the operation is performed. + The meaning of the value depends on the value + of Op, and is NOT taken into account by all + operations. type: string op: + description: Op indicates the operation to perform. + Its value MUST be one of "add", "remove", + "replace", "move", "copy", or "test". https://datatracker.ietf.org/doc/html/rfc6902#section-4 enum: - test - remove 
@@ -1371,8 +1475,17 @@ data: - copy type: string path: + description: Path contains the JSON-pointer + value that references a location within the + target document where the operation is performed. + The meaning of the value depends on the value + of Op. type: string value: + description: Value contains a valid JSON structure. + The meaning of the value depends on the value + of Op, and is NOT taken into account by all + operations. x-kubernetes-preserve-unknown-fields: true required: - op @@ -1526,6 +1639,10 @@ data: description: DisableHooks prevents hooks from running during the Helm rollback action. type: boolean + disableWait: + description: DisableWait disables waiting for all the resources + to be deleted after a Helm uninstall is performed. + type: boolean keepHistory: description: KeepHistory tells Helm to remove all associated resources and mark the release as deleted, but retain the release history. @@ -1807,12 +1924,12 @@ data: kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.5.0 + controller-gen.kubebuilder.io/version: v0.7.0 creationTimestamp: null labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 name: helmrepositories.source.toolkit.fluxcd.io spec: group: source.toolkit.fluxcd.io 
@@ -1858,6 +1975,33 @@ data: spec: description: HelmRepositorySpec defines the reference to a Helm repository. properties: + accessFrom: + description: AccessFrom defines an Access Control List for allowing + cross-namespace references to this object. + properties: + namespaceSelectors: + description: NamespaceSelectors is the list of namespace selectors + to which this ACL applies. Items in this list are evaluated + using a logical OR operation. + items: + description: NamespaceSelector selects the namespaces to which + this ACL applies. An empty map of MatchLabels matches all + namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object interval: description: The interval at which to check the upstream for updates. type: string @@ -1898,6 +2042,8 @@ data: - url type: object status: + default: + observedGeneration: -1 description: HelmRepositoryStatus defines the observed state of the HelmRepository. properties: artifact: @@ -1905,7 +2051,7 @@ data: repository sync. properties: checksum: - description: Checksum is the SHA1 checksum of the artifact. + description: Checksum is the SHA256 checksum of the artifact. type: string lastUpdateTime: description: LastUpdateTime is the timestamp corresponding to 
@@ -2025,12 +2171,12 @@ data: kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.5.0 + controller-gen.kubebuilder.io/version: v0.7.0 creationTimestamp: null labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 name: kustomizations.kustomize.toolkit.fluxcd.io spec: group: kustomize.toolkit.fluxcd.io @@ -2200,13 +2346,12 @@ data: objects, capable of targeting objects based on kind, label and annotation selectors. items: - description: Patch contains either a StrategicMerge or a JSON6902 - patch, either a file or inline, and the target the patch should - be applied to. + description: Patch contains an inline StrategicMerge or JSON6902 + patch, and the target the patch should be applied to. properties: patch: - description: Patch contains the JSON6902 patch document with - an array of operation objects. + description: Patch contains an inline StrategicMerge patch or + an inline JSON6902 patch with an array of operation objects. type: string target: description: Target points to the resources that the patch document 
@@ -2257,11 +2402,18 @@ data: description: Patch contains the JSON6902 patch document with an array of operation objects. items: - description: JSON6902 is a JSON6902 operation object. https://tools.ietf.org/html/rfc6902#section-4 + description: JSON6902 is a JSON6902 operation object. https://datatracker.ietf.org/doc/html/rfc6902#section-4 properties: from: + description: From contains a JSON-pointer value that references + a location within the target document where the operation + is performed. The meaning of the value depends on the + value of Op, and is NOT taken into account by all operations. type: string op: + description: Op indicates the operation to perform. Its + value MUST be one of "add", "remove", "replace", "move", + "copy", or "test". https://datatracker.ietf.org/doc/html/rfc6902#section-4 enum: - test - remove @@ -2271,8 +2423,15 @@ data: - copy type: string path: + description: Path contains the JSON-pointer value that + references a location within the target document where + the operation is performed. The meaning of the value + depends on the value of Op. type: string value: + description: Value contains a valid JSON structure. The + meaning of the value depends on the value of Op, and + is NOT taken into account by all operations. x-kubernetes-preserve-unknown-fields: true required: - op 
@@ -2723,13 +2882,12 @@ data: objects, capable of targeting objects based on kind, label and annotation selectors. items: - description: Patch contains either a StrategicMerge or a JSON6902 - patch, either a file or inline, and the target the patch should - be applied to. + description: Patch contains an inline StrategicMerge or JSON6902 + patch, and the target the patch should be applied to. properties: patch: - description: Patch contains the JSON6902 patch document with - an array of operation objects. + description: Patch contains an inline StrategicMerge patch or + an inline JSON6902 patch with an array of operation objects. type: string target: description: Target points to the resources that the patch document @@ -2781,11 +2939,18 @@ data: description: Patch contains the JSON6902 patch document with an array of operation objects. items: - description: JSON6902 is a JSON6902 operation object. https://tools.ietf.org/html/rfc6902#section-4 + description: JSON6902 is a JSON6902 operation object. https://datatracker.ietf.org/doc/html/rfc6902#section-4 properties: from: + description: From contains a JSON-pointer value that references + a location within the target document where the operation + is performed. The meaning of the value depends on the + value of Op, and is NOT taken into account by all operations. type: string op: + description: Op indicates the operation to perform. Its + value MUST be one of "add", "remove", "replace", "move", + "copy", or "test". https://datatracker.ietf.org/doc/html/rfc6902#section-4 enum: - test - remove 
@@ -2795,8 +2960,15 @@ data: - copy type: string path: + description: Path contains the JSON-pointer value that + references a location within the target document where + the operation is performed. The meaning of the value + depends on the value of Op. type: string value: + description: Value contains a valid JSON structure. The + meaning of the value depends on the value of Op, and + is NOT taken into account by all operations. x-kubernetes-preserve-unknown-fields: true required: - op @@ -2893,6 +3065,14 @@ data: maxLength: 253 minLength: 1 type: string + optional: + default: false + description: Optional indicates whether the referenced resource + must exist, or whether to tolerate its absence. If true + and the referenced resource is absent, proceed as if the + resource was present but empty, without any variables + defined. + type: boolean required: - kind - name @@ -3100,12 +3280,12 @@ data: kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.5.0 + controller-gen.kubebuilder.io/version: v0.7.0 creationTimestamp: null labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 name: providers.notification.toolkit.fluxcd.io spec: group: notification.toolkit.fluxcd.io @@ -3177,6 +3357,10 @@ data: required: - name type: object + suspend: + description: This flag tells the controller to suspend subsequent + events handling. Defaults to false. + type: boolean type: description: Type of provider enum: @@ -3198,6 +3382,7 @@ data: - matrix - opsgenie - alertmanager + - grafana type: string username: description: Bot username for this provider 
@@ -3300,12 +3485,12 @@ data: kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.5.0 + controller-gen.kubebuilder.io/version: v0.7.0 creationTimestamp: null labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 name: receivers.notification.toolkit.fluxcd.io spec: group: notification.toolkit.fluxcd.io @@ -3374,6 +3559,15 @@ data: - ImagePolicy - ImageUpdateAutomation type: string + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object name: description: Name of the referent maxLength: 53 @@ -3522,7 +3716,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 name: helm-controller namespace: flux-system --- @@ -3532,7 +3726,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 name: kustomize-controller namespace: flux-system --- @@ -3542,7 +3736,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 name: notification-controller namespace: flux-system --- @@ -3552,7 +3746,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 name: source-controller namespace: flux-system --- 
@@ -3562,7 +3756,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 name: crd-controller-flux-system rules: - apiGroups: @@ -3643,7 +3837,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 name: cluster-reconciler-flux-system roleRef: apiGroup: rbac.authorization.k8s.io @@ -3663,7 +3857,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 name: crd-controller-flux-system roleRef: apiGroup: rbac.authorization.k8s.io @@ -3695,7 +3889,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 control-plane: controller name: notification-controller namespace: flux-system @@ -3715,7 +3909,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 control-plane: controller name: source-controller namespace: flux-system @@ -3735,7 +3929,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 control-plane: controller name: webhook-receiver namespace: flux-system @@ -3755,7 +3949,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 control-plane: controller name: helm-controller namespace: flux-system 
@@ -3774,7 +3968,7 @@ data: spec: containers: - args: - - --events-addr=http://notification-controller/ + - --events-addr=http://notification-controller.flux-system.svc.cluster.local/ - --watch-all-namespaces=true - --log-level=info - --log-encoding=json @@ -3784,7 +3978,7 @@ data: valueFrom: fieldRef: fieldPath: metadata.namespace - image: ghcr.io/fluxcd/helm-controller:v0.12.1 + image: ghcr.io/fluxcd/helm-controller:v0.17.0 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -3794,6 +3988,7 @@ data: ports: - containerPort: 8080 name: http-prom + protocol: TCP - containerPort: 9440 name: healthz protocol: TCP @@ -3810,7 +4005,14 @@ data: memory: 64Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /tmp name: temp @@ -3828,7 +4030,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 control-plane: controller name: kustomize-controller namespace: flux-system @@ -3847,7 +4049,7 @@ data: spec: containers: - args: - - --events-addr=http://notification-controller/ + - --events-addr=http://notification-controller.flux-system.svc.cluster.local/ - --watch-all-namespaces=true - --log-level=info - --log-encoding=json @@ -3857,7 +4059,7 @@ data: valueFrom: fieldRef: fieldPath: metadata.namespace - image: ghcr.io/fluxcd/kustomize-controller:v0.16.0 + image: ghcr.io/fluxcd/kustomize-controller:v0.21.0 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -3867,6 +4069,7 @@ data: ports: - containerPort: 8080 name: http-prom + protocol: TCP - containerPort: 9440 name: healthz protocol: TCP 
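Review bot: The controller images in this line's `image:` hunks (`ghcr.io/fluxcd/helm-controller:v0.17.0`, `ghcr.io/fluxcd/kustomize-controller:v0.21.0`) are pinned by mutable tag only, and with `imagePullPolicy: IfNotPresent` a node keeps whatever it first pulled for that tag. For components that reconcile arbitrary cluster resources, pinning by digest (`image: ghcr.io/fluxcd/helm-controller:v0.17.0@sha256:<digest from the upstream release>`) makes the supply-chain input immutable and verifiable; the same applies to the notification- and source-controller images further down the file. The added securityContext hardening (`drop: [ALL]`, `runAsNonRoot`, `runAsUser: 65534`, RuntimeDefault seccomp) is applied consistently to the controllers and looks correct.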
@@ -3883,7 +4086,14 @@ data: memory: 64Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /tmp name: temp @@ -3903,7 +4113,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 control-plane: controller name: notification-controller namespace: flux-system @@ -3931,7 +4141,7 @@ data: valueFrom: fieldRef: fieldPath: metadata.namespace - image: ghcr.io/fluxcd/notification-controller:v0.18.1 + image: ghcr.io/fluxcd/notification-controller:v0.22.0 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -3941,10 +4151,13 @@ data: ports: - containerPort: 9090 name: http + protocol: TCP - containerPort: 9292 name: http-webhook + protocol: TCP - containerPort: 8080 name: http-prom + protocol: TCP - containerPort: 9440 name: healthz protocol: TCP @@ -3961,7 +4174,14 @@ data: memory: 64Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /tmp name: temp @@ -3979,7 +4199,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 control-plane: controller name: source-controller namespace: flux-system @@ -4000,7 +4220,7 @@ data: spec: containers: - args: - - --events-addr=http://notification-controller/ + - --events-addr=http://notification-controller.flux-system.svc.cluster.local/ - --watch-all-namespaces=true - --log-level=info - --log-encoding=json 
@@ -4012,7 +4232,7 @@ data: valueFrom: fieldRef: fieldPath: metadata.namespace - image: ghcr.io/fluxcd/source-controller:v0.17.0 + image: ghcr.io/fluxcd/source-controller:v0.21.2 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -4022,10 +4242,13 @@ data: ports: - containerPort: 9090 name: http + protocol: TCP - containerPort: 8080 name: http-prom + protocol: TCP - containerPort: 9440 name: healthz + protocol: TCP readinessProbe: httpGet: path: / @@ -4039,7 +4262,14 @@ data: memory: 64Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /data name: data @@ -4063,7 +4293,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 name: allow-egress namespace: flux-system spec: @@ -4083,7 +4313,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 name: allow-scraping namespace: flux-system spec: @@ -4103,7 +4333,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.0 + app.kubernetes.io/version: v0.27.0 name: allow-webhooks namespace: flux-system spec: 
@@ -4116,7 +4346,31 @@ data: policyTypes: - Ingress --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: psp:privileged:flux-system + namespace: flux-system + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: psp:privileged + subjects: + - kind: Group + name: system:serviceaccounts:flux-system + apiGroup: rbac.authorization.k8s.io sync.yaml: | + {{- if .Values.flux.decryptionSecret }} + --- + apiVersion: v1 + type: Opaque + kind: Secret + metadata: + name: {{ .Values.flux.repositoryName }}-{{ .Values.flux.branch }}-sops-gpg + namespace: flux-system + data: + sops.asc: {{ .Values.flux.decryptionSecret | b64enc }} + {{- end }} --- apiVersion: source.toolkit.fluxcd.io/v1beta1 kind: GitRepository @@ -4143,6 +4397,12 @@ data: sourceRef: kind: GitRepository name: {{ .Values.flux.repositoryName }} + {{- if .Values.flux.decryptionSecret }} + decryption: + provider: sops + secretRef: + name: {{ .Values.flux.repositoryName }}-{{ .Values.flux.branch }}-sops-gpg + {{- end }} kind: ConfigMap metadata: creationTimestamp: null
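Review bot: The SOPS key templated into `sops.asc:` is a Secret manifest, but this whole file renders as a ConfigMap (`kind: ConfigMap` at the end of the file), so the base64 of `.Values.flux.decryptionSecret` — a GPG private key — ends up in ConfigMap data on the cluster that holds this chart, readable by anyone with ConfigMap get/list in that namespace and outside Secret-specific RBAC and encryption at rest. If this ConfigMap feeds a ClusterResourceSet, the key should be carried in a separate Secret-typed resource referenced by the set rather than inline here; at minimum the namespace holding this ConfigMap has to be treated as secret-bearing. Separately, the `psp:privileged:flux-system` RoleBinding grants the privileged PodSecurityPolicy to every service account in the namespace (`system:serviceaccounts:flux-system`), which is broader than needed: the controller pod specs in this file already satisfy the restricted profile, so a restricted PSP ClusterRole would suffice where one exists. The referenced `psp:privileged` ClusterRole is not defined in this file, and PodSecurityPolicy is removed in Kubernetes 1.25, so this binding should be conditional on the target cluster version or dropped.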
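Review bot: The `secretRef.name` built from `{{ .Values.flux.repositoryName }}-{{ .Values.flux.branch }}-sops-gpg` is only a valid Secret name when the branch value is a DNS-1123 subdomain; a branch such as `release/1.0` or one containing uppercase letters yields a name the API server rejects, and decryption on this Kustomization then never works. Consider normalising the value in both the Secret and this reference (`{{ .Values.flux.branch | lower | replace "/" "-" }}`), or keying the Secret on `repositoryName` alone as the `sourceRef` above already does. A one-line comment on the `decryption:` block stating that the Secret must carry the PGP key under `sops.asc` would also help, since the two halves are separated by the `{{- if }}` guards.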