From d63ac9f8de3b8fdfc2f0d122354e2f6f0ac5a063 Mon Sep 17 00:00:00 2001 From: Todd Malsbary Date: Wed, 9 Mar 2022 16:41:11 -0800 Subject: [PATCH] Use same Flux versions in chart and kustomization Signed-off-by: Todd Malsbary Change-Id: I8d55caadfec72998edb63083a0de1d5b5803e30a --- deploy/cluster/cluster.sh | 7 +- deploy/cluster/templates/flux-addon.yaml | 8 +- .../flux-system/gotk-components.yaml | 145 +++++++++++++++------ 3 files changed, 115 insertions(+), 45 deletions(-) diff --git a/deploy/cluster/cluster.sh b/deploy/cluster/cluster.sh index 397fc80..101e7bd 100755 --- a/deploy/cluster/cluster.sh +++ b/deploy/cluster/cluster.sh @@ -20,7 +20,12 @@ EOF } function build_source_flux { - flux install --export >${SCRIPTDIR}/addons/flux-system.yaml + # NOTE: This reaches outside this directory to + # deploy/site/cluster-addons/flux-system. This is to ensure that + # the day-0 config of a cluster using deploy/site/cluster-addons + # is in sync with the chart. + flux install --export >${SCRIPTDIR}/../site/cluster-addons/flux-system/gotk-components.yaml + kustomize build ${SCRIPTDIR}/../site/cluster-addons/flux-system >${SCRIPTDIR}/addons/flux-system.yaml cat <>${SCRIPTDIR}/addons/flux-system.yaml --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/deploy/cluster/templates/flux-addon.yaml b/deploy/cluster/templates/flux-addon.yaml index 83a420f..e3b1f59 100644 --- a/deploy/cluster/templates/flux-addon.yaml +++ b/deploy/cluster/templates/flux-addon.yaml @@ -3,10 +3,6 @@ apiVersion: v1 data: flux-system.yaml: | - --- - # This manifest was generated by flux. DO NOT EDIT. - # Flux Version: v0.27.0 - # Components: source-controller,kustomize-controller,helm-controller,notification-controller apiVersion: v1 kind: Namespace metadata: @@ -4014,6 +4010,7 @@ data: - ALL readOnlyRootFilesystem: true runAsNonRoot: true + runAsUser: 65534 seccompProfile: type: RuntimeDefault volumeMounts: 
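Review bot: `build_source_flux` now pins the Flux version in both the chart and the day-0 kustomization to whatever `flux` CLI happens to be on PATH, so the sync this commit establishes (v0.27.0, per the regenerated headers) silently drifts the next time someone runs the script with a different binary, and a controller-image bump lands without anyone choosing it. Pass the version explicitly, `flux install --version=v0.27.0 --export >${SCRIPTDIR}/../site/cluster-addons/flux-system/gotk-components.yaml`, or fail fast when `flux --version` does not report the expected value, so that changing the pinned controllers is always a deliberate, reviewable edit to this script. As far as I recall, `flux install` fetches the release manifests for that version at generation time unless `--manifests` points at a local copy, so pinning the version also makes that download deterministic; worth confirming against the CLI's documentation. Since `kustomize build` strips comments, the rendered `addons/flux-system.yaml` (and the chart template built from it) also loses the `# This manifest was generated by flux. DO NOT EDIT.` header the template previously carried; consider emitting an equivalent marker, e.g. `# Generated by deploy/cluster/cluster.sh (build_source_flux). DO NOT EDIT.`, ahead of the kustomize output. The rest of `build_source_flux` (the appended heredoc) continues outside the hunk.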
@@ -4094,6 +4091,7 @@ data: - ALL readOnlyRootFilesystem: true runAsNonRoot: true + runAsUser: 65534 seccompProfile: type: RuntimeDefault volumeMounts: @@ -4181,6 +4179,7 @@ data: - ALL readOnlyRootFilesystem: true runAsNonRoot: true + runAsUser: 65534 seccompProfile: type: RuntimeDefault volumeMounts: @@ -4268,6 +4267,7 @@ data: - ALL readOnlyRootFilesystem: true runAsNonRoot: true + runAsUser: 65534 seccompProfile: type: RuntimeDefault volumeMounts: diff --git a/deploy/site/cluster-addons/flux-system/gotk-components.yaml b/deploy/site/cluster-addons/flux-system/gotk-components.yaml index acb71ef..44a810a 100644 --- a/deploy/site/cluster-addons/flux-system/gotk-components.yaml +++ b/deploy/site/cluster-addons/flux-system/gotk-components.yaml @@ -1,6 +1,6 @@ --- # This manifest was generated by flux. DO NOT EDIT. -# Flux Version: v0.25.3 +# Flux Version: v0.27.0 # Components: source-controller,kustomize-controller,helm-controller,notification-controller apiVersion: v1 kind: Namespace @@ -8,7 +8,9 @@ metadata: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: latest name: flux-system --- apiVersion: apiextensions.k8s.io/v1 @@ -20,7 +22,7 @@ metadata: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: alerts.notification.toolkit.fluxcd.io spec: group: notification.toolkit.fluxcd.io 
@@ -92,6 +94,15 @@ spec: - ImagePolicy - ImageUpdateAutomation type: string + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object name: description: Name of the referent maxLength: 53 @@ -227,12 +238,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.5.0 + controller-gen.kubebuilder.io/version: v0.7.0 creationTimestamp: null labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: buckets.source.toolkit.fluxcd.io spec: group: source.toolkit.fluxcd.io @@ -348,8 +359,8 @@ spec: of this source. type: boolean timeout: - default: 20s - description: The timeout for download operations, defaults to 20s. + default: 60s + description: The timeout for download operations, defaults to 60s. type: string required: - bucketName @@ -487,12 +498,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.5.0 + controller-gen.kubebuilder.io/version: v0.7.0 creationTimestamp: null labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: gitrepositories.source.toolkit.fluxcd.io spec: group: source.toolkit.fluxcd.io @@ -650,9 +661,9 @@ spec: of this source. type: boolean timeout: - default: 20s + default: 60s description: The timeout for remote Git operations like cloning, defaults - to 20s. + to 60s. type: string url: description: The repository URL, can be a HTTP/S or SSH address. 
@@ -846,12 +857,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.5.0 + controller-gen.kubebuilder.io/version: v0.7.0 creationTimestamp: null labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: helmcharts.source.toolkit.fluxcd.io spec: group: source.toolkit.fluxcd.io @@ -1135,7 +1146,7 @@ metadata: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: helmreleases.helm.toolkit.fluxcd.io spec: group: helm.toolkit.fluxcd.io @@ -1627,6 +1638,10 @@ spec: description: DisableHooks prevents hooks from running during the Helm rollback action. type: boolean + disableWait: + description: DisableWait disables waiting for all the resources + to be deleted after a Helm uninstall is performed. + type: boolean keepHistory: description: KeepHistory tells Helm to remove all associated resources and mark the release as deleted, but retain the release history. @@ -1908,12 +1923,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.5.0 + controller-gen.kubebuilder.io/version: v0.7.0 creationTimestamp: null labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: helmrepositories.source.toolkit.fluxcd.io spec: group: source.toolkit.fluxcd.io @@ -2160,7 +2175,7 @@ metadata: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: kustomizations.kustomize.toolkit.fluxcd.io spec: group: kustomize.toolkit.fluxcd.io 
@@ -3049,6 +3064,14 @@ spec: maxLength: 253 minLength: 1 type: string + optional: + default: false + description: Optional indicates whether the referenced resource + must exist, or whether to tolerate its absence. If true + and the referenced resource is absent, proceed as if the + resource was present but empty, without any variables + defined. + type: boolean required: - kind - name @@ -3261,7 +3284,7 @@ metadata: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: providers.notification.toolkit.fluxcd.io spec: group: notification.toolkit.fluxcd.io @@ -3358,6 +3381,7 @@ spec: - matrix - opsgenie - alertmanager + - grafana type: string username: description: Bot username for this provider @@ -3465,7 +3489,7 @@ metadata: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: receivers.notification.toolkit.fluxcd.io spec: group: notification.toolkit.fluxcd.io @@ -3534,6 +3558,15 @@ spec: - ImagePolicy - ImageUpdateAutomation type: string + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object name: description: Name of the referent maxLength: 53 @@ -3682,7 +3715,7 @@ metadata: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: helm-controller namespace: flux-system --- 
@@ -3692,7 +3725,7 @@ metadata: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: kustomize-controller namespace: flux-system --- @@ -3702,7 +3735,7 @@ metadata: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: notification-controller namespace: flux-system --- @@ -3712,7 +3745,7 @@ metadata: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: source-controller namespace: flux-system --- @@ -3722,7 +3755,7 @@ metadata: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: crd-controller-flux-system rules: - apiGroups: @@ -3803,7 +3836,7 @@ metadata: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: cluster-reconciler-flux-system roleRef: apiGroup: rbac.authorization.k8s.io @@ -3823,7 +3856,7 @@ metadata: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: crd-controller-flux-system roleRef: apiGroup: rbac.authorization.k8s.io @@ -3855,7 +3888,7 @@ metadata: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 control-plane: controller name: notification-controller namespace: flux-system 
@@ -3875,7 +3908,7 @@ metadata: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 control-plane: controller name: source-controller namespace: flux-system @@ -3895,7 +3928,7 @@ metadata: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 control-plane: controller name: webhook-receiver namespace: flux-system @@ -3915,7 +3948,7 @@ metadata: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 control-plane: controller name: helm-controller namespace: flux-system @@ -3944,7 +3977,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: ghcr.io/fluxcd/helm-controller:v0.15.0 + image: ghcr.io/fluxcd/helm-controller:v0.17.0 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -3954,6 +3987,7 @@ spec: ports: - containerPort: 8080 name: http-prom + protocol: TCP - containerPort: 9440 name: healthz protocol: TCP @@ -3970,7 +4004,13 @@ spec: memory: 64Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /tmp name: temp @@ -3988,7 +4028,7 @@ metadata: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 control-plane: controller name: kustomize-controller namespace: flux-system @@ -4017,7 +4057,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: ghcr.io/fluxcd/kustomize-controller:v0.19.1 + image: ghcr.io/fluxcd/kustomize-controller:v0.21.0 imagePullPolicy: IfNotPresent livenessProbe: httpGet: 
@@ -4027,6 +4067,7 @@ spec: ports: - containerPort: 8080 name: http-prom + protocol: TCP - containerPort: 9440 name: healthz protocol: TCP @@ -4043,7 +4084,13 @@ spec: memory: 64Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /tmp name: temp @@ -4063,7 +4110,7 @@ metadata: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 control-plane: controller name: notification-controller namespace: flux-system @@ -4091,7 +4138,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: ghcr.io/fluxcd/notification-controller:v0.20.1 + image: ghcr.io/fluxcd/notification-controller:v0.22.0 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -4101,10 +4148,13 @@ spec: ports: - containerPort: 9090 name: http + protocol: TCP - containerPort: 9292 name: http-webhook + protocol: TCP - containerPort: 8080 name: http-prom + protocol: TCP - containerPort: 9440 name: healthz protocol: TCP @@ -4121,7 +4171,13 @@ spec: memory: 64Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /tmp name: temp @@ -4139,7 +4195,7 @@ metadata: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 control-plane: controller name: source-controller namespace: flux-system @@ -4172,7 +4228,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: ghcr.io/fluxcd/source-controller:v0.20.1 + image: ghcr.io/fluxcd/source-controller:v0.21.2 imagePullPolicy: IfNotPresent livenessProbe: httpGet: 
@@ -4182,10 +4238,13 @@ spec: ports: - containerPort: 9090 name: http + protocol: TCP - containerPort: 8080 name: http-prom + protocol: TCP - containerPort: 9440 name: healthz + protocol: TCP readinessProbe: httpGet: path: / @@ -4199,7 +4258,13 @@ spec: memory: 64Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /data name: data @@ -4223,7 +4288,7 @@ metadata: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: allow-egress namespace: flux-system spec: @@ -4243,7 +4308,7 @@ metadata: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: allow-scraping namespace: flux-system spec: @@ -4263,7 +4328,7 @@ metadata: labels: app.kubernetes.io/instance: flux-system app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.25.3 + app.kubernetes.io/version: v0.27.0 name: allow-webhooks namespace: flux-system spec: -- 2.16.6