X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=blobdiff_plain;f=deploy%2Fcluster%2Ftemplates%2Fflux-addon.yaml;h=e3b1f59b2abfc14968e42023441a8566572d6625;hb=d63ac9f8de3b8fdfc2f0d122354e2f6f0ac5a063;hp=c0402531a0b5ad26efd23a926357c71cd1bc3954;hpb=324241118a350eae37a7909306817f582d0db5b6;p=icn.git diff --git a/deploy/cluster/templates/flux-addon.yaml b/deploy/cluster/templates/flux-addon.yaml index c040253..e3b1f59 100644 --- a/deploy/cluster/templates/flux-addon.yaml +++ b/deploy/cluster/templates/flux-addon.yaml @@ -3,17 +3,15 @@ apiVersion: v1 data: flux-system.yaml: | - --- - # This manifest was generated by flux. DO NOT EDIT. - # Flux Version: v0.25.3 - # Components: source-controller,kustomize-controller,helm-controller,notification-controller apiVersion: v1 kind: Namespace metadata: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: latest name: flux-system --- apiVersion: apiextensions.k8s.io/v1 @@ -25,7 +23,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: alerts.notification.toolkit.fluxcd.io spec: group: notification.toolkit.fluxcd.io @@ -97,6 +95,15 @@ data: - ImagePolicy - ImageUpdateAutomation type: string + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object name: description: Name of the referent maxLength: 53 
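Review bot: In the first hunk the `flux-system` Namespace only gets `pod-security.kubernetes.io/warn: restricted`, which returns a warning to the client for a violating pod but neither rejects it nor records it. The controller Deployments later in this commit are given a securityContext that looks restricted-compliant, so adding `pod-security.kubernetes.io/audit: restricted` next to it would at least put violations in the API audit log, and `enforce` could follow once the warnings are clean. `warn-version: latest` also means the checks shift with each cluster upgrade; pinning a version is the predictable option. The same hunk deletes the `# Flux Version` / `# Components` header, so the file no longer records which Flux release and component set produced it; keeping that comment, updated to v0.27.0, would preserve the provenance.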
@@ -232,12 +239,12 @@ data: kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.5.0 + controller-gen.kubebuilder.io/version: v0.7.0 creationTimestamp: null labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: buckets.source.toolkit.fluxcd.io spec: group: source.toolkit.fluxcd.io @@ -353,8 +360,8 @@ data: of this source. type: boolean timeout: - default: 20s - description: The timeout for download operations, defaults to 20s. + default: 60s + description: The timeout for download operations, defaults to 60s. type: string required: - bucketName @@ -492,12 +499,12 @@ data: kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.5.0 + controller-gen.kubebuilder.io/version: v0.7.0 creationTimestamp: null labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: gitrepositories.source.toolkit.fluxcd.io spec: group: source.toolkit.fluxcd.io @@ -655,9 +662,9 @@ data: of this source. type: boolean timeout: - default: 20s + default: 60s description: The timeout for remote Git operations like cloning, defaults - to 20s. + to 60s. type: string url: description: The repository URL, can be a HTTP/S or SSH address. @@ -851,12 +858,12 @@ data: kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.5.0 + controller-gen.kubebuilder.io/version: v0.7.0 creationTimestamp: null labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: helmcharts.source.toolkit.fluxcd.io spec: group: source.toolkit.fluxcd.io 
@@ -1140,7 +1147,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: helmreleases.helm.toolkit.fluxcd.io spec: group: helm.toolkit.fluxcd.io @@ -1632,6 +1639,10 @@ data: description: DisableHooks prevents hooks from running during the Helm rollback action. type: boolean + disableWait: + description: DisableWait disables waiting for all the resources + to be deleted after a Helm uninstall is performed. + type: boolean keepHistory: description: KeepHistory tells Helm to remove all associated resources and mark the release as deleted, but retain the release history. @@ -1913,12 +1924,12 @@ data: kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.5.0 + controller-gen.kubebuilder.io/version: v0.7.0 creationTimestamp: null labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: helmrepositories.source.toolkit.fluxcd.io spec: group: source.toolkit.fluxcd.io @@ -2165,7 +2176,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: kustomizations.kustomize.toolkit.fluxcd.io spec: group: kustomize.toolkit.fluxcd.io @@ -3054,6 +3065,14 @@ data: maxLength: 253 minLength: 1 type: string + optional: + default: false + description: Optional indicates whether the referenced resource + must exist, or whether to tolerate its absence. If true + and the referenced resource is absent, proceed as if the + resource was present but empty, without any variables + defined. + type: boolean required: - kind - name 
@@ -3266,7 +3285,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: providers.notification.toolkit.fluxcd.io spec: group: notification.toolkit.fluxcd.io @@ -3363,6 +3382,7 @@ data: - matrix - opsgenie - alertmanager + - grafana type: string username: description: Bot username for this provider @@ -3470,7 +3490,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: receivers.notification.toolkit.fluxcd.io spec: group: notification.toolkit.fluxcd.io @@ -3539,6 +3559,15 @@ data: - ImagePolicy - ImageUpdateAutomation type: string + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object name: description: Name of the referent maxLength: 53 @@ -3687,7 +3716,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: helm-controller namespace: flux-system --- @@ -3697,7 +3726,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: kustomize-controller namespace: flux-system --- @@ -3707,7 +3736,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: notification-controller namespace: flux-system --- 
@@ -3717,7 +3746,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: source-controller namespace: flux-system --- @@ -3727,7 +3756,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: crd-controller-flux-system rules: - apiGroups: @@ -3808,7 +3837,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: cluster-reconciler-flux-system roleRef: apiGroup: rbac.authorization.k8s.io @@ -3828,7 +3857,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: crd-controller-flux-system roleRef: apiGroup: rbac.authorization.k8s.io @@ -3860,7 +3889,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 control-plane: controller name: notification-controller namespace: flux-system @@ -3880,7 +3909,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 control-plane: controller name: source-controller namespace: flux-system @@ -3900,7 +3929,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 control-plane: controller name: webhook-receiver namespace: flux-system 
@@ -3920,7 +3949,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 control-plane: controller name: helm-controller namespace: flux-system @@ -3949,7 +3978,7 @@ data: valueFrom: fieldRef: fieldPath: metadata.namespace - image: ghcr.io/fluxcd/helm-controller:v0.15.0 + image: ghcr.io/fluxcd/helm-controller:v0.17.0 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -3959,6 +3988,7 @@ data: ports: - containerPort: 8080 name: http-prom + protocol: TCP - containerPort: 9440 name: healthz protocol: TCP @@ -3975,7 +4005,14 @@ data: memory: 64Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /tmp name: temp @@ -3993,7 +4030,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 control-plane: controller name: kustomize-controller namespace: flux-system @@ -4022,7 +4059,7 @@ data: valueFrom: fieldRef: fieldPath: metadata.namespace - image: ghcr.io/fluxcd/kustomize-controller:v0.19.1 + image: ghcr.io/fluxcd/kustomize-controller:v0.21.0 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -4032,6 +4069,7 @@ data: ports: - containerPort: 8080 name: http-prom + protocol: TCP - containerPort: 9440 name: healthz protocol: TCP @@ -4048,7 +4086,14 @@ data: memory: 64Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /tmp name: temp 
@@ -4068,7 +4113,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 control-plane: controller name: notification-controller namespace: flux-system @@ -4096,7 +4141,7 @@ data: valueFrom: fieldRef: fieldPath: metadata.namespace - image: ghcr.io/fluxcd/notification-controller:v0.20.1 + image: ghcr.io/fluxcd/notification-controller:v0.22.0 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -4106,10 +4151,13 @@ data: ports: - containerPort: 9090 name: http + protocol: TCP - containerPort: 9292 name: http-webhook + protocol: TCP - containerPort: 8080 name: http-prom + protocol: TCP - containerPort: 9440 name: healthz protocol: TCP @@ -4126,7 +4174,14 @@ data: memory: 64Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /tmp name: temp @@ -4144,7 +4199,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 control-plane: controller name: source-controller namespace: flux-system @@ -4177,7 +4232,7 @@ data: valueFrom: fieldRef: fieldPath: metadata.namespace - image: ghcr.io/fluxcd/source-controller:v0.20.1 + image: ghcr.io/fluxcd/source-controller:v0.21.2 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -4187,10 +4242,13 @@ data: ports: - containerPort: 9090 name: http + protocol: TCP - containerPort: 8080 name: http-prom + protocol: TCP - containerPort: 9440 name: healthz + protocol: TCP readinessProbe: httpGet: path: / 
@@ -4204,7 +4262,14 @@ data: memory: 64Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /data name: data @@ -4228,7 +4293,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: allow-egress namespace: flux-system spec: @@ -4248,7 +4313,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: allow-scraping namespace: flux-system spec: @@ -4268,7 +4333,7 @@ data: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: allow-webhooks namespace: flux-system spec: @@ -4280,6 +4345,20 @@ data: app: notification-controller policyTypes: - Ingress + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: psp:privileged:flux-system + namespace: flux-system + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: psp:privileged + subjects: + - kind: Group + name: system:serviceaccounts:flux-system + apiGroup: rbac.authorization.k8s.io sync.yaml: | {{- if .Values.flux.decryptionSecret }} ---
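Review bot: The RoleBinding `psp:privileged:flux-system` added at the end of `flux-system.yaml` binds the whole group `system:serviceaccounts:flux-system` to the `psp:privileged` ClusterRole, while this same commit makes all four controllers run as non-root with all capabilities dropped and a read-only root filesystem. Assuming `psp:privileged` grants `use` on a privileged PodSecurityPolicy (its definition is not in this diff), the hardened controllers should no longer need it, and any pod later created in `flux-system` under any service account could be admitted under the privileged policy. Binding a more restrictive policy role, or naming only the controller service accounts as subjects instead of the group, would keep the grant in line with the new securityContext. The object also appears to be outside the generated Flux output and lacks the `app.kubernetes.io/*` labels the other resources carry, so a comment such as `# Added by hand, not flux output: PSP binding for clusters with PodSecurityPolicy admission` would keep it from being dropped on the next regeneration.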