Update flux and install the image automation controller.

Tom Alexander
2026-05-03 14:52:53 -04:00
parent 26cbb79960
commit 795216d989
4 changed files with 193 additions and 36 deletions


@@ -6,10 +6,10 @@ metadata:
name: flux-operator-web
namespace: flux-system
labels:
helm.sh/chart: flux-operator-0.37.1
helm.sh/chart: flux-operator-0.48.0
app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.37.1"
app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/managed-by: Helm
spec:
policyTypes:
@@ -32,10 +32,10 @@ metadata:
name: flux-operator
namespace: flux-system
labels:
helm.sh/chart: flux-operator-0.37.1
helm.sh/chart: flux-operator-0.48.0
app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.37.1"
app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/managed-by: Helm
automountServiceAccountToken: true
---
@@ -44,14 +44,14 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.19.0
controller-gen.kubebuilder.io/version: v0.20.0
helm.sh/resource-policy: keep
labels:
app.kubernetes.io/instance: 'flux-operator'
app.kubernetes.io/managed-by: 'Helm'
app.kubernetes.io/name: 'flux-operator'
app.kubernetes.io/version: 'v0.37.1'
helm.sh/chart: 'flux-operator-0.37.1'
app.kubernetes.io/version: 'v0.48.0'
helm.sh/chart: 'flux-operator-0.48.0'
name: fluxinstances.fluxcd.controlplane.io
spec:
group: fluxcd.controlplane.io
@@ -205,7 +205,11 @@ spec:
components:
description: |-
Components is the list of controllers to install.
Defaults to a commonly used subset.
Defaults to the core Flux controllers:
- source-controller
- kustomize-controller
- helm-controller
- notification-controller
items:
description: Component is the name of a controller to install.
enum:
@@ -661,14 +665,14 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.19.0
controller-gen.kubebuilder.io/version: v0.20.0
helm.sh/resource-policy: keep
labels:
app.kubernetes.io/instance: 'flux-operator'
app.kubernetes.io/managed-by: 'Helm'
app.kubernetes.io/name: 'flux-operator'
app.kubernetes.io/version: 'v0.37.1'
helm.sh/chart: 'flux-operator-0.37.1'
app.kubernetes.io/version: 'v0.48.0'
helm.sh/chart: 'flux-operator-0.48.0'
name: fluxreports.fluxcd.controlplane.io
spec:
group: fluxcd.controlplane.io
@@ -828,7 +832,7 @@ spec:
failing:
description: |-
Failing is the number of reconciled
resources in the Failing state.
resources in the Failing state and not Suspended.
type: integer
running:
description: |-
@@ -965,14 +969,14 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.19.0
controller-gen.kubebuilder.io/version: v0.20.0
helm.sh/resource-policy: keep
labels:
app.kubernetes.io/instance: 'flux-operator'
app.kubernetes.io/managed-by: 'Helm'
app.kubernetes.io/name: 'flux-operator'
app.kubernetes.io/version: 'v0.37.1'
helm.sh/chart: 'flux-operator-0.37.1'
app.kubernetes.io/version: 'v0.48.0'
helm.sh/chart: 'flux-operator-0.48.0'
name: resourcesetinputproviders.fluxcd.controlplane.io
spec:
group: fluxcd.controlplane.io
@@ -1029,9 +1033,9 @@ spec:
- a PEM-encoded CA certificate (`ca.crt`)
- a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`)
When connecting to a Git or OCI provider that uses self-signed certificates, the CA certificate
must be set in the Secret under the 'ca.crt' key to establish the trust relationship.
When connecting to an OCI provider that supports client certificates (mTLS), the client certificate
When connecting to a Git, OCI, or ExternalService provider that uses self-signed certificates,
the CA certificate must be set in the Secret under the 'ca.crt' key to establish the trust relationship.
When connecting to a provider that supports client certificates (mTLS), the client certificate
and private key must be set in the Secret under the 'tls.crt' and 'tls.key' keys, respectively.
properties:
name:
@@ -1102,6 +1106,11 @@ spec:
Supported only for tags at the moment.
type: string
type: object
insecure:
description: |-
Insecure allows connecting to an ExternalService or OCIArtifactTag provider
over plain HTTP without TLS. When not set, the URL must use HTTPS.
type: boolean
schedule:
description: Schedule defines the schedules for the input provider
to run.
@@ -1129,13 +1138,16 @@ spec:
type: array
secretRef:
description: |-
SecretRef specifies the Kubernetes Secret containing the basic-auth credentials
SecretRef specifies the Kubernetes Secret containing the credentials
to access the input provider.
When connecting to a Git provider, the secret must contain the keys
'username' and 'password', and the password should be a personal access token
that grants read-only access to the repository.
When connecting to an OCI provider, the secret must contain a Kubernetes
Image Pull Secret, as if created by `kubectl create secret docker-registry`.
When connecting to an ExternalService provider, the secret must contain either
a 'token' key for bearer token authentication, or 'username' and 'password'
keys for basic authentication.
properties:
name:
description: Name of the referent.
@@ -1177,10 +1189,14 @@ spec:
- AzureDevOpsBranch
- AzureDevOpsTag
- AzureDevOpsPullRequest
- GiteaBranch
- GiteaTag
- GiteaPullRequest
- OCIArtifactTag
- ACRArtifactTag
- ECRArtifactTag
- GARArtifactTag
- ExternalService
type: string
url:
description: |-
@@ -1206,6 +1222,16 @@ spec:
- message: spec.url must start with 'oci://' when spec.type is an OCI
provider
rule: '!self.type.endsWith(''ArtifactTag'') || self.url.startsWith(''oci'')'
- message: spec.url must start with 'http://' or 'https://' when spec.type
is 'ExternalService'
rule: self.type != 'ExternalService' || self.url.startsWith('http')
- message: spec.insecure can only be set when spec.type is 'ExternalService'
or 'OCIArtifactTag'
rule: '!has(self.insecure) || !self.insecure || self.type == ''ExternalService''
|| self.type == ''OCIArtifactTag'''
- message: spec.url must use 'https://' unless spec.insecure is true
rule: self.type != 'ExternalService' || !self.url.startsWith('http://')
|| (has(self.insecure) && self.insecure)
- message: cannot specify spec.serviceAccountName when spec.type is not
one of AzureDevOps* or *ArtifactTag
rule: '!has(self.serviceAccountName) || self.type.startsWith(''AzureDevOps'')
@@ -1345,14 +1371,14 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.19.0
controller-gen.kubebuilder.io/version: v0.20.0
helm.sh/resource-policy: keep
labels:
app.kubernetes.io/instance: 'flux-operator'
app.kubernetes.io/managed-by: 'Helm'
app.kubernetes.io/name: 'flux-operator'
app.kubernetes.io/version: 'v0.37.1'
helm.sh/chart: 'flux-operator-0.37.1'
app.kubernetes.io/version: 'v0.48.0'
helm.sh/chart: 'flux-operator-0.48.0'
name: resourcesets.fluxcd.controlplane.io
spec:
group: fluxcd.controlplane.io
@@ -1459,6 +1485,15 @@ spec:
input provider objects are used. Defaults to flattening all inputs
from all providers into a single list of input sets.
properties:
includeEmptyProviders:
description: |-
IncludeEmptyProviders controls how input providers that export no
inputs are treated. Only applies when Name is Permute. When true, if
any provider has zero inputs the resulting permutation set is empty
(mathematically correct Cartesian product behavior). When false or
unset (default), providers with zero inputs are silently skipped and
the remaining providers still permute among themselves.
type: boolean
name:
description: |-
Name defines how the inputs are combined when multiple
@@ -1481,6 +1516,9 @@ spec:
required:
- name
type: object
x-kubernetes-validations:
- message: includeEmptyProviders only applies when name is Permute
rule: '!has(self.includeEmptyProviders) || self.name == ''Permute'''
inputs:
description: Inputs contains the list of ResourceSet inputs.
items:
@@ -1659,6 +1697,16 @@ spec:
- type
type: object
type: array
externalChecksumRefs:
description: |-
ExternalChecksumRefs lists the ConfigMap and Secret references
discovered in checksumFrom annotations on the last reconciliation
that point to objects not rendered by this ResourceSet. Each entry
has the form "Kind/namespace/name". It is used to trigger a
reconciliation when one of the referenced objects changes.
items:
type: string
type: array
history:
description: |-
History contains the reconciliation history of the ResourceSet
@@ -1764,10 +1812,10 @@ metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
helm.sh/chart: flux-operator-0.37.1
helm.sh/chart: flux-operator-0.48.0
app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.37.1"
app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
@@ -1791,10 +1839,10 @@ metadata:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-view: "true"
helm.sh/chart: flux-operator-0.37.1
helm.sh/chart: flux-operator-0.48.0
app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.37.1"
app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
@@ -1807,16 +1855,86 @@ rules:
- list
- watch
---
# Source: flux-operator/templates/web-standard-roles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: flux-web-user
labels:
helm.sh/chart: flux-operator-0.48.0
app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["get", "list", "watch"]
---
# Source: flux-operator/templates/web-standard-roles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: flux-web-admin
labels:
helm.sh/chart: flux-operator-0.48.0
app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups:
- fluxcd.controlplane.io
- source.toolkit.fluxcd.io
- source.extensions.fluxcd.io
- kustomize.toolkit.fluxcd.io
- helm.toolkit.fluxcd.io
- image.toolkit.fluxcd.io
- notification.toolkit.fluxcd.io
resources: ["*"]
verbs:
- patch
- reconcile
- suspend
- resume
- download
- apiGroups:
- apps
resources:
- deployments
- statefulsets
- daemonsets
verbs:
- patch
- restart
- apiGroups:
- batch
resources:
- cronjobs
- jobs
verbs:
- create
- restart
- apiGroups:
- ""
resources:
- pods
verbs:
- delete
---
# Source: flux-operator/templates/admin-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: flux-operator
labels:
helm.sh/chart: flux-operator-0.37.1
helm.sh/chart: flux-operator-0.48.0
app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.37.1"
app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -1834,10 +1952,10 @@ metadata:
name: flux-operator
namespace: flux-system
labels:
helm.sh/chart: flux-operator-0.37.1
helm.sh/chart: flux-operator-0.48.0
app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.37.1"
app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/managed-by: Helm
spec:
ports:
@@ -1860,10 +1978,10 @@ metadata:
name: flux-operator
namespace: flux-system
labels:
helm.sh/chart: flux-operator-0.37.1
helm.sh/chart: flux-operator-0.48.0
app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.37.1"
app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/managed-by: Helm
spec:
selector:
@@ -1877,10 +1995,10 @@ spec:
prometheus.io/port: "8080"
prometheus.io/path: "/metrics"
labels:
helm.sh/chart: flux-operator-0.37.1
helm.sh/chart: flux-operator-0.48.0
app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.37.1"
app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/managed-by: Helm
spec:
serviceAccountName: flux-operator
@@ -1906,7 +2024,7 @@ spec:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
image: "ghcr.io/controlplaneio-fluxcd/flux-operator:v0.37.1"
image: "ghcr.io/controlplaneio-fluxcd/flux-operator:v0.48.0"
imagePullPolicy: "IfNotPresent"
ports:
- name: http-metrics
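Review bot: The two new ClusterRoles rendered from `web-standard-roles.yaml`, `flux-web-user` and `flux-web-admin`, both carry the rule `apiGroups: ["*"]`, `resources: ["*"]`, `verbs: ["get", "list", "watch"]`, which covers core Secrets in every namespace, so any subject bound to either role cluster-wide can read every credential stored in the cluster. None of the visible hunks bind these roles, so the real exposure depends on bindings defined elsewhere; I would grant them through namespaced `RoleBinding`s or to a narrowly scoped group rather than a `ClusterRoleBinding`. `flux-web-admin` additionally allows `delete` on pods and `patch` on deployments, statefulsets and daemonsets, so it should be handled as a write-capable operator role, not a dashboard role. Because this file is rendered from the Helm chart, any narrowing belongs in the chart values or a post-render patch; a hand edit here would be overwritten by the next upgrade.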


@@ -5,5 +5,13 @@ metadata:
namespace: flux-system
spec:
distribution:
version: "2.7.x"
version: "2.8.x"
registry: "ghcr.io/fluxcd"
components:
- source-controller
- kustomize-controller
- helm-controller
- notification-controller
- image-automation-controller
- image-reflector-controller
# - source-watcher
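Review bot: The trailing `# - source-watcher` entry in `spec.components` is left commented out with no reason given; a short comment such as `# source-watcher intentionally not installed: <reason>` would tell the next reader whether it is pending or rejected. Separately, adding `image-automation-controller` means the cluster will push commits back to Git, which presumably needs a write-capable credential that is not part of this hunk. That credential is worth scoping to the single repository and branch it updates, and keeping separate from the read-only credential used for syncing. The `spec` mapping starts above the hunk.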