From 795216d989390013d370ae9091f8474f6f986786 Mon Sep 17 00:00:00 2001 From: Tom Alexander Date: Sun, 3 May 2026 14:52:53 -0400 Subject: [PATCH] Update flux and install the image automation controller. --- .../files/manifests/flux.yaml | 188 ++++++++++++++---- .../files/manifests/flux_instance.yaml | 10 +- .../keys/package/bootstrap-script/package.nix | 4 + .../mrmanager-repo-secrets/package.nix | 27 +++ 4 files changed, 193 insertions(+), 36 deletions(-) diff --git a/nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux.yaml b/nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux.yaml index d521a2f0..e724debd 100644 --- a/nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux.yaml +++ b/nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux.yaml @@ -6,10 +6,10 @@ metadata: name: flux-operator-web namespace: flux-system labels: - helm.sh/chart: flux-operator-0.37.1 + helm.sh/chart: flux-operator-0.48.0 app.kubernetes.io/name: flux-operator app.kubernetes.io/instance: flux-operator - app.kubernetes.io/version: "v0.37.1" + app.kubernetes.io/version: "v0.48.0" app.kubernetes.io/managed-by: Helm spec: policyTypes: @@ -32,10 +32,10 @@ metadata: name: flux-operator namespace: flux-system labels: - helm.sh/chart: flux-operator-0.37.1 + helm.sh/chart: flux-operator-0.48.0 app.kubernetes.io/name: flux-operator app.kubernetes.io/instance: flux-operator - app.kubernetes.io/version: "v0.37.1" + app.kubernetes.io/version: "v0.48.0" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: true --- 
@@ -44,14 +44,14 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.19.0 + controller-gen.kubebuilder.io/version: v0.20.0 helm.sh/resource-policy: keep labels: app.kubernetes.io/instance: 'flux-operator' app.kubernetes.io/managed-by: 'Helm' app.kubernetes.io/name: 'flux-operator' - app.kubernetes.io/version: 'v0.37.1' - helm.sh/chart: 'flux-operator-0.37.1' + app.kubernetes.io/version: 'v0.48.0' + helm.sh/chart: 'flux-operator-0.48.0' name: fluxinstances.fluxcd.controlplane.io spec: group: fluxcd.controlplane.io @@ -205,7 +205,11 @@ spec: components: description: |- Components is the list of controllers to install. - Defaults to a commonly used subset. + Defaults to the core Flux controllers: + - source-controller + - kustomize-controller + - helm-controller + - notification-controller items: description: Component is the name of a controller to install. enum: @@ -661,14 +665,14 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.19.0 + controller-gen.kubebuilder.io/version: v0.20.0 helm.sh/resource-policy: keep labels: app.kubernetes.io/instance: 'flux-operator' app.kubernetes.io/managed-by: 'Helm' app.kubernetes.io/name: 'flux-operator' - app.kubernetes.io/version: 'v0.37.1' - helm.sh/chart: 'flux-operator-0.37.1' + app.kubernetes.io/version: 'v0.48.0' + helm.sh/chart: 'flux-operator-0.48.0' name: fluxreports.fluxcd.controlplane.io spec: group: fluxcd.controlplane.io @@ -828,7 +832,7 @@ spec: failing: description: |- Failing is the number of reconciled - resources in the Failing state. + resources in the Failing state and not Suspended. type: integer running: description: |- 
@@ -965,14 +969,14 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.19.0 + controller-gen.kubebuilder.io/version: v0.20.0 helm.sh/resource-policy: keep labels: app.kubernetes.io/instance: 'flux-operator' app.kubernetes.io/managed-by: 'Helm' app.kubernetes.io/name: 'flux-operator' - app.kubernetes.io/version: 'v0.37.1' - helm.sh/chart: 'flux-operator-0.37.1' + app.kubernetes.io/version: 'v0.48.0' + helm.sh/chart: 'flux-operator-0.48.0' name: resourcesetinputproviders.fluxcd.controlplane.io spec: group: fluxcd.controlplane.io @@ -1029,9 +1033,9 @@ spec: - a PEM-encoded CA certificate (`ca.crt`) - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`) - When connecting to a Git or OCI provider that uses self-signed certificates, the CA certificate - must be set in the Secret under the 'ca.crt' key to establish the trust relationship. - When connecting to an OCI provider that supports client certificates (mTLS), the client certificate + When connecting to a Git, OCI, or ExternalService provider that uses self-signed certificates, + the CA certificate must be set in the Secret under the 'ca.crt' key to establish the trust relationship. + When connecting to a provider that supports client certificates (mTLS), the client certificate and private key must be set in the Secret under the 'tls.crt' and 'tls.key' keys, respectively. properties: name: @@ -1102,6 +1106,11 @@ spec: Supported only for tags at the moment. type: string type: object + insecure: + description: |- + Insecure allows connecting to an ExternalService or OCIArtifactTag provider + over plain HTTP without TLS. When not set, the URL must use HTTPS. + type: boolean schedule: description: Schedule defines the schedules for the input provider to run. 
@@ -1129,13 +1138,16 @@ spec: type: array secretRef: description: |- - SecretRef specifies the Kubernetes Secret containing the basic-auth credentials + SecretRef specifies the Kubernetes Secret containing the credentials to access the input provider. When connecting to a Git provider, the secret must contain the keys 'username' and 'password', and the password should be a personal access token that grants read-only access to the repository. When connecting to an OCI provider, the secret must contain a Kubernetes Image Pull Secret, as if created by `kubectl create secret docker-registry`. + When connecting to an ExternalService provider, the secret must contain either + a 'token' key for bearer token authentication, or 'username' and 'password' + keys for basic authentication. properties: name: description: Name of the referent. @@ -1177,10 +1189,14 @@ spec: - AzureDevOpsBranch - AzureDevOpsTag - AzureDevOpsPullRequest + - GiteaBranch + - GiteaTag + - GiteaPullRequest - OCIArtifactTag - ACRArtifactTag - ECRArtifactTag - GARArtifactTag + - ExternalService type: string url: description: |- 
@@ -1206,6 +1222,16 @@ spec: - message: spec.url must start with 'oci://' when spec.type is an OCI provider rule: '!self.type.endsWith(''ArtifactTag'') || self.url.startsWith(''oci'')' + - message: spec.url must start with 'http://' or 'https://' when spec.type + is 'ExternalService' + rule: self.type != 'ExternalService' || self.url.startsWith('http') + - message: spec.insecure can only be set when spec.type is 'ExternalService' + or 'OCIArtifactTag' + rule: '!has(self.insecure) || !self.insecure || self.type == ''ExternalService'' + || self.type == ''OCIArtifactTag''' + - message: spec.url must use 'https://' unless spec.insecure is true + rule: self.type != 'ExternalService' || !self.url.startsWith('http://') + || (has(self.insecure) && self.insecure) - message: cannot specify spec.serviceAccountName when spec.type is not one of AzureDevOps* or *ArtifactTag rule: '!has(self.serviceAccountName) || self.type.startsWith(''AzureDevOps'') @@ -1345,14 +1371,14 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.19.0 + controller-gen.kubebuilder.io/version: v0.20.0 helm.sh/resource-policy: keep labels: app.kubernetes.io/instance: 'flux-operator' app.kubernetes.io/managed-by: 'Helm' app.kubernetes.io/name: 'flux-operator' - app.kubernetes.io/version: 'v0.37.1' - helm.sh/chart: 'flux-operator-0.37.1' + app.kubernetes.io/version: 'v0.48.0' + helm.sh/chart: 'flux-operator-0.48.0' name: resourcesets.fluxcd.controlplane.io spec: group: fluxcd.controlplane.io 
@@ -1459,6 +1485,15 @@ spec: input provider objects are used. Defaults to flattening all inputs from all providers into a single list of input sets. properties: + includeEmptyProviders: + description: |- + IncludeEmptyProviders controls how input providers that export no + inputs are treated. Only applies when Name is Permute. When true, if + any provider has zero inputs the resulting permutation set is empty + (mathematically correct Cartesian product behavior). When false or + unset (default), providers with zero inputs are silently skipped and + the remaining providers still permute among themselves. + type: boolean name: description: |- Name defines how the inputs are combined when multiple @@ -1481,6 +1516,9 @@ spec: required: - name type: object + x-kubernetes-validations: + - message: includeEmptyProviders only applies when name is Permute + rule: '!has(self.includeEmptyProviders) || self.name == ''Permute''' inputs: description: Inputs contains the list of ResourceSet inputs. items: @@ -1659,6 +1697,16 @@ spec: - type type: object type: array + externalChecksumRefs: + description: |- + ExternalChecksumRefs lists the ConfigMap and Secret references + discovered in checksumFrom annotations on the last reconciliation + that point to objects not rendered by this ResourceSet. Each entry + has the form "Kind/namespace/name". It is used to trigger a + reconciliation when one of the referenced objects changes. + items: + type: string + type: array history: description: |- History contains the reconciliation history of the ResourceSet @@ -1764,10 +1812,10 @@ metadata: labels: rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" - helm.sh/chart: flux-operator-0.37.1 + helm.sh/chart: flux-operator-0.48.0 app.kubernetes.io/name: flux-operator app.kubernetes.io/instance: flux-operator - app.kubernetes.io/version: "v0.37.1" + app.kubernetes.io/version: "v0.48.0" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -1791,10 +1839,10 @@ metadata: rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-view: "true" - helm.sh/chart: flux-operator-0.37.1 + helm.sh/chart: flux-operator-0.48.0 app.kubernetes.io/name: flux-operator app.kubernetes.io/instance: flux-operator - app.kubernetes.io/version: "v0.37.1" + app.kubernetes.io/version: "v0.48.0" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -1807,16 +1855,86 @@ rules: - list - watch --- +# Source: flux-operator/templates/web-standard-roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: flux-web-user + labels: + helm.sh/chart: flux-operator-0.48.0 + app.kubernetes.io/name: flux-operator + app.kubernetes.io/instance: flux-operator + app.kubernetes.io/version: "v0.48.0" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: ["*"] + resources: ["*"] + verbs: ["get", "list", "watch"] +--- +# Source: flux-operator/templates/web-standard-roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: flux-web-admin + labels: + helm.sh/chart: flux-operator-0.48.0 + app.kubernetes.io/name: flux-operator + app.kubernetes.io/instance: flux-operator + app.kubernetes.io/version: "v0.48.0" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: ["*"] + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: + - fluxcd.controlplane.io + - source.toolkit.fluxcd.io + - source.extensions.fluxcd.io + - kustomize.toolkit.fluxcd.io + - helm.toolkit.fluxcd.io + - image.toolkit.fluxcd.io + - notification.toolkit.fluxcd.io + resources: ["*"] + verbs: + - patch + - reconcile + - suspend + - resume + - download + - apiGroups: + - apps + resources: + - deployments + - statefulsets + - daemonsets + verbs: + - patch + - restart + - apiGroups: + - batch + resources: + - cronjobs + - jobs + verbs: + - create + - restart + - apiGroups: + - "" + resources: + - pods + verbs: + - delete +--- # Source: flux-operator/templates/admin-clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: flux-operator labels: - helm.sh/chart: flux-operator-0.37.1 + helm.sh/chart: flux-operator-0.48.0 app.kubernetes.io/name: flux-operator app.kubernetes.io/instance: flux-operator - app.kubernetes.io/version: "v0.37.1" + app.kubernetes.io/version: "v0.48.0" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: 
rbac.authorization.k8s.io @@ -1834,10 +1952,10 @@ metadata: name: flux-operator namespace: flux-system labels: - helm.sh/chart: flux-operator-0.37.1 + helm.sh/chart: flux-operator-0.48.0 app.kubernetes.io/name: flux-operator app.kubernetes.io/instance: flux-operator - app.kubernetes.io/version: "v0.37.1" + app.kubernetes.io/version: "v0.48.0" app.kubernetes.io/managed-by: Helm spec: ports: @@ -1860,10 +1978,10 @@ metadata: name: flux-operator namespace: flux-system labels: - helm.sh/chart: flux-operator-0.37.1 + helm.sh/chart: flux-operator-0.48.0 app.kubernetes.io/name: flux-operator app.kubernetes.io/instance: flux-operator - app.kubernetes.io/version: "v0.37.1" + app.kubernetes.io/version: "v0.48.0" app.kubernetes.io/managed-by: Helm spec: selector: @@ -1877,10 +1995,10 @@ spec: prometheus.io/port: "8080" prometheus.io/path: "/metrics" labels: - helm.sh/chart: flux-operator-0.37.1 + helm.sh/chart: flux-operator-0.48.0 app.kubernetes.io/name: flux-operator app.kubernetes.io/instance: flux-operator - app.kubernetes.io/version: "v0.37.1" + app.kubernetes.io/version: "v0.48.0" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: flux-operator @@ -1906,7 +2024,7 @@ spec: runAsNonRoot: true seccompProfile: type: RuntimeDefault - image: "ghcr.io/controlplaneio-fluxcd/flux-operator:v0.37.1" + image: "ghcr.io/controlplaneio-fluxcd/flux-operator:v0.48.0" imagePullPolicy: "IfNotPresent" ports: - name: http-metrics diff --git a/nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux_instance.yaml b/nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux_instance.yaml index e0c756a6..211fd7c0 100644 --- a/nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux_instance.yaml +++ b/nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux_instance.yaml 
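Review bot: The new `flux-web-user` ClusterRole grants get/list/watch on every resource in every API group cluster-wide, which includes Secrets in all namespaces, and `flux-web-admin` layers patch/reconcile/suspend/resume/download on the Flux API groups plus pod delete and job/cronjob create on top of that. No ClusterRoleBinding for either role is part of this patch, so they are inert until something binds them; presumably that is the flux-operator web UI, since the `flux-operator-web` NetworkPolicy at the top of the file is the only related object visible here. Because this manifest is rendered from the chart, the question for the commit is whether the web UI is actually used in this cluster: if not, render with the chart's web feature disabled so these roles are never installed, and if so, record in the bootstrap package comment that the roles ship unbound and who is expected to bind them. The ClusterRoleBinding at the end of the hunk is the pre-existing `flux-operator` binding whose roleRef continues outside the hunk, so it says nothing about these new roles.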
@@ -5,5 +5,13 @@ metadata: namespace: flux-system spec: distribution: - version: "2.7.x" + version: "2.8.x" registry: "ghcr.io/fluxcd" + components: + - source-controller + - kustomize-controller + - helm-controller + - notification-controller + - image-automation-controller + - image-reflector-controller + # - source-watcher diff --git a/nix/kubernetes/keys/package/bootstrap-script/package.nix b/nix/kubernetes/keys/package/bootstrap-script/package.nix index 28647b75..c8d4cd99 100644 --- a/nix/kubernetes/keys/package/bootstrap-script/package.nix +++ b/nix/kubernetes/keys/package/bootstrap-script/package.nix @@ -35,6 +35,10 @@ let "${k8s.cilium-manifest}/cilium.yaml" "${k8s.coredns-manifest}/coredns.yaml" ./files/manifests/flux_namespace.yaml + + # + # Generate with: helm template --dry-run=server flux-operator oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --namespace flux-system --create-namespace + # ./files/manifests/flux.yaml ./files/manifests/flux_instance.yaml ] diff --git a/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix b/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix index 3663bc49..d0743d86 100644 --- a/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix +++ b/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix @@ -58,6 +58,17 @@ let }; }; "flux-system" = { + "registry-credentials" = + (generate_docker_secret { + username = builtins.readFile "${./secrets/flux-system/registry-credentials/username}"; + password = builtins.readFile "${./secrets/flux-system/registry-credentials/password}"; + email = builtins.readFile "${./secrets/flux-system/registry-credentials/email}"; + }) + // { + # "__annotations" = { + # "tekton.dev/docker-0" = "https://harbor.fizz.buzz"; + # }; + }; "webhook-token" = { "token" = generate_key 64 "flux-system.webhook-token.token"; }; 
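Review bot: Enabling `image-automation-controller` means Flux will push commits to the Git repository it syncs from, so the Git credential that instance uses now needs write access where a read-only deploy key or token was sufficient before; that secret is outside this diff, so please confirm it is scoped to the one repository and branch the automation writes to rather than a broader account token. The explicit `components:` list matches the CRD text updated in this same commit (the default is the four core controllers), so listing the core four plus the two image controllers is consistent. The trailing `# - source-watcher` entry is disabled without explanation; either drop it or say why, e.g. `# - source-watcher  # disabled: <reason>`.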
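Review bot: The regeneration command in the new comment does not pin the chart version, so `helm template ... oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator` pulls whatever the latest chart is when it is run, and a future regeneration would silently drift from the `flux-operator-0.48.0` manifest this commit checks in. Add `--version 0.48.0` and bump it together with the manifest, i.e. `# Generate with: helm template --dry-run=server flux-operator oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --version 0.48.0 --namespace flux-system --create-namespace`. `--dry-run=server` also needs a live cluster connection, which is worth stating in the comment so nobody runs it against the wrong kube context.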
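Review bot: `builtins.readFile` returns the file verbatim, so if `username`, `password` or `email` under `./secrets/flux-system/registry-credentials/` end with a newline (as most editor-written files do), the `\n` lands inside the JSON values and inside the base64 `auth` string, and the registry login fails in a way that is hard to diagnose. `lib` is in scope in this file (it is passed to `callPackage` in the next hunk), so `lib.fileContents ./secrets/flux-system/registry-credentials/username`, which strips the trailing newline, is the safer reader for all three values. Interpolating the path into a string (`"${./secrets/...}"`) also copies each secret file into the Nix store as its own path before it is read; passing the path directly avoids that extra copy, though the rendered output presumably ends up in the store anyway. The `// { ... }` merge only contains a commented-out `__annotations` block and is currently a no-op; either remove it or add a one-line comment saying the `tekton.dev/docker-0` annotation is intentionally disabled.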
@@ -140,6 +151,7 @@ let ## Utilities inherit ((import ../../../functions/to_yaml.nix) { inherit pkgs; }) to_yaml; + inherit (pkgs.callPackage ../../contrib/base64/package.nix { inherit lib; }) toBase64; generate_key = len: name: builtins.readFile ( @@ -174,6 +186,21 @@ let "\\}" ] json; + generate_docker_secret = + { + username, + password, + email, + }: + let + in + { + "__type" = "kubernetes.io/dockerconfigjson"; + ".dockerconfigjson" = builtins.toJSON { + inherit username password email; + "auth" = toBase64 "${username}:${password}"; + }; + }; ## dex get_dex_config = client_id:
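Review bot: The `.dockerconfigjson` payload built here is a flat object `{username, password, email, auth}`, but a `kubernetes.io/dockerconfigjson` Secret must carry the Docker config layout `{"auths": {"<registry host>": {...}}}`; kubelet and the image-reflector-controller look credentials up by registry host under `auths`, so this secret will not authenticate anything as written. The function needs a `registry` argument naming the host the credentials are for (the commented-out annotation in the earlier hunk mentions `https://harbor.fizz.buzz`, which may be the intended host — confirm) and should nest the entry under it; the call site in `"flux-system"."registry-credentials"` then has to pass it, and the `let in` with no bindings can be dropped since the function is pure. A rewrite is below.
```nix
  generate_docker_secret =
    {
      registry,
      username,
      password,
      email,
    }:
    {
      "__type" = "kubernetes.io/dockerconfigjson";
      ".dockerconfigjson" = builtins.toJSON {
        auths = {
          "${registry}" = {
            inherit username password email;
            "auth" = toBase64 "${username}:${password}";
          };
        };
      };
    };
```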