From c9450ff9fae9b2fd86ed237b1f98aef55f7ea910 Mon Sep 17 00:00:00 2001 From: Tom Alexander Date: Sat, 20 Dec 2025 23:01:19 -0500 Subject: [PATCH] Set up flux. --- nix/kubernetes/README.org | 96 + .../roles/bootstrap/files/flux.yaml | 1954 +++++++++++++++++ .../roles/bootstrap/files/flux_namespace.yaml | 4 + 3 files changed, 2054 insertions(+) create mode 100644 nix/kubernetes/roles/bootstrap/files/flux.yaml create mode 100644 nix/kubernetes/roles/bootstrap/files/flux_namespace.yaml diff --git a/nix/kubernetes/README.org b/nix/kubernetes/README.org index 8ea141a6..1662ba45 100644 --- a/nix/kubernetes/README.org +++ b/nix/kubernetes/README.org @@ -13,6 +13,9 @@ * Bootstrap ** Install cilium #+begin_src bash + # nix shell nixpkgs#cilium-cli + nix shell 'nixpkgs#kubernetes-helm' + helm repo add cilium https://helm.cilium.io/ helm template --dry-run=server cilium cilium/cilium --version 1.18.4 --namespace kube-system \ --set kubeProxyReplacement=true \ 
@@ -26,3 +29,96 @@
 # --set hostFirewall.enabled=true
 # routingMode=native
 #+end_src
+** Install flux
+#+begin_src bash
+ nix shell 'nixpkgs#fluxcd'
+
+ flux bootstrap git \
+ --url=ssh://git@// \
+ --branch=main \
+ --private-key-file= \
+ --password= \
+ --path=clusters/my-cluster
+#+end_src
+
+#+begin_src bash
+ nix shell 'nixpkgs#kubernetes-helm'
+
+ helm template --dry-run=server flux-operator oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator \
+ --namespace flux-system \
+ --create-namespace
+#+end_src
+
+#+begin_src text
+ apiVersion: fluxcd.controlplane.io/v1
+ kind: FluxInstance
+ metadata:
+ name: flux
+ namespace: flux-system
+ annotations:
+ fluxcd.controlplane.io/reconcileEvery: "1h"
+ fluxcd.controlplane.io/reconcileTimeout: "5m"
+ spec:
+ distribution:
+ version: "2.x"
+ registry: "ghcr.io/fluxcd"
+ artifact: "oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests"
+ components:
+ - source-controller
+ - kustomize-controller
+ - helm-controller
+ - notification-controller
+ - image-reflector-controller
+ - image-automation-controller
+ cluster:
+ type: kubernetes
+ size: medium
+ multitenant: false
+ networkPolicy: true
+ domain: "cluster.local"
+ kustomize:
+ patches:
+ - target:
+ kind: Deployment
+ patch: |
+ - op: replace
+ path: /spec/template/spec/nodeSelector
+ value:
+ kubernetes.io/os: linux
+ - op: add
+ path: /spec/template/spec/tolerations
+ value:
+ - key: "CriticalAddonsOnly"
+ operator: "Exists"
+ sync:
+ kind: OCIRepository
+ url: "oci://ghcr.io/my-org/my-fleet-manifests"
+ ref: "latest"
+ path: "clusters/my-cluster"
+ pullSecret: "ghcr-auth"
+#+end_src
+
+#+begin_src text
+ apiVersion: fluxcd.controlplane.io/v1
+ kind: FluxInstance
+ metadata:
+ name: flux
+ namespace: flux-system
+ spec:
+ distribution:
+ version: "2.7.x"
+ registry: "ghcr.io/fluxcd"
+ sync:
+ kind: GitRepository
+ url: "https://gitlab.com/my-org/my-fleet.git"
+ ref: "refs/heads/main"
+ path: "clusters/my-cluster"
+ pullSecret: "flux-system"
+#+end_src
+
+#+begin_src bash
+ flux create secret git flux-system \
+ --url=https://gitlab.com/my-org/my-fleet.git \
+ --username=git \
+ --password=$GITLAB_TOKEN
+#+end_src
diff --git a/nix/kubernetes/roles/bootstrap/files/flux.yaml b/nix/kubernetes/roles/bootstrap/files/flux.yaml
new file mode 100644
index 00000000..d521a2f0
--- /dev/null
+++ b/nix/kubernetes/roles/bootstrap/files/flux.yaml
@@ -0,0 +1,1954 @@ +--- +# Source: flux-operator/templates/networkpolicy.yaml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: flux-operator-web + namespace: flux-system + labels: + helm.sh/chart: flux-operator-0.37.1 + app.kubernetes.io/name: flux-operator + app.kubernetes.io/instance: flux-operator + app.kubernetes.io/version: "v0.37.1" + app.kubernetes.io/managed-by: Helm +spec: + policyTypes: + - Ingress + podSelector: + matchLabels: + app.kubernetes.io/name: flux-operator + app.kubernetes.io/instance: flux-operator + ingress: + - from: + - namespaceSelector: {} + ports: + - protocol: TCP + port: 9080 +--- +# Source: flux-operator/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: flux-operator + namespace: flux-system + labels: + helm.sh/chart: flux-operator-0.37.1 + app.kubernetes.io/name: flux-operator + app.kubernetes.io/instance: flux-operator + app.kubernetes.io/version: "v0.37.1" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: true +--- +# Source: flux-operator/templates/crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.19.0 + helm.sh/resource-policy: keep + labels: + app.kubernetes.io/instance: 'flux-operator' + app.kubernetes.io/managed-by: 'Helm' + app.kubernetes.io/name: 'flux-operator' + app.kubernetes.io/version: 'v0.37.1' + helm.sh/chart: 'flux-operator-0.37.1' + name: fluxinstances.fluxcd.controlplane.io +spec: + group: fluxcd.controlplane.io + names: + kind: FluxInstance + listKind: FluxInstanceList + plural: fluxinstances + singular: fluxinstance + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: 
.status.lastAttemptedRevision + name: Revision + type: string + name: v1 + schema: + openAPIV3Schema: + description: FluxInstance is the Schema for the fluxinstances API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: FluxInstanceSpec defines the desired state of FluxInstance + properties: + cluster: + description: Cluster holds the specification of the Kubernetes cluster. + properties: + domain: + default: cluster.local + description: |- + Domain is the cluster domain used for generating the FQDN of services. + Defaults to 'cluster.local'. + type: string + multitenant: + default: false + description: Multitenant enables the multitenancy lockdown. Defaults + to false. + type: boolean + multitenantWorkloadIdentity: + default: false + description: |- + MultitenantWorkloadIdentity enables the multitenancy lockdown for + workload identity. Defaults to false. + type: boolean + networkPolicy: + default: true + description: |- + NetworkPolicy restricts network access to the current namespace. + Defaults to true. + type: boolean + objectLevelWorkloadIdentity: + description: |- + ObjectLevelWorkloadIdentity enables the feature gate + required for object-level workload identity. + This feature is only available in Flux v2.6.0 and later. 
+ type: boolean + size: + description: |- + Size defines the vertical scaling profile of the Flux controllers. + The size is used to determine the concurrency and CPU/Memory limits for the Flux controllers. + Accepted values are: 'small', 'medium' and 'large'. + enum: + - small + - medium + - large + type: string + tenantDefaultDecryptionServiceAccount: + description: |- + TenantDefaultDecryptionServiceAccount is the name of the service account + to use as default for kustomize-controller SOPS decryption when the + multitenant lockdown for workload identity is enabled. Defaults to the + 'default' service account from the tenant namespace. + type: string + tenantDefaultKubeConfigServiceAccount: + description: |- + TenantDefaultKubeConfigServiceAccount is the name of the service account + to use as default for kustomize-controller and helm-controller remote + cluster access via spec.kubeConfig.configMapRef when the multitenant + lockdown for workload identity is enabled. Defaults to the 'default' + service account from the tenant namespace. + type: string + tenantDefaultServiceAccount: + description: |- + TenantDefaultServiceAccount is the name of the service account + to use as default when the multitenant lockdown is enabled, for + kustomize-controller and helm-controller. + This field will also be used for multitenant workload identity + lockdown for source-controller, notification-controller, + image-reflector-controller and image-automation-controller. + Defaults to the 'default' service account from the tenant namespace. + type: string + type: + default: kubernetes + description: |- + Type specifies the distro of the Kubernetes cluster. + Defaults to 'kubernetes'. 
+ enum: + - kubernetes + - openshift + - aws + - azure + - gcp + type: string + type: object + x-kubernetes-validations: + - message: .objectLevelWorkloadIdentity must be set to true when .multitenantWorkloadIdentity + is set to true + rule: (has(self.objectLevelWorkloadIdentity) && self.objectLevelWorkloadIdentity) + || !has(self.multitenantWorkloadIdentity) || !self.multitenantWorkloadIdentity + commonMetadata: + description: |- + CommonMetadata specifies the common labels and annotations that are + applied to all resources. Any existing label or annotation will be + overridden if its key matches a common one. + properties: + annotations: + additionalProperties: + type: string + description: Annotations to be added to the object's metadata. + type: object + labels: + additionalProperties: + type: string + description: Labels to be added to the object's metadata. + type: object + type: object + components: + description: |- + Components is the list of controllers to install. + Defaults to a commonly used subset. + items: + description: Component is the name of a controller to install. + enum: + - source-controller + - kustomize-controller + - helm-controller + - notification-controller + - image-reflector-controller + - image-automation-controller + - source-watcher + type: string + type: array + distribution: + description: Distribution specifies the version and container registry + to pull images from. + properties: + artifact: + description: |- + Artifact is the URL to the OCI artifact containing + the latest Kubernetes manifests for the distribution, + e.g. 'oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests:latest'. + pattern: ^oci://.*$ + type: string + artifactPullSecret: + description: |- + ArtifactPullSecret is the name of the Kubernetes secret + to use for pulling the Kubernetes manifests for the distribution specified in the Artifact field. 
+ type: string + imagePullSecret: + description: |- + ImagePullSecret is the name of the Kubernetes secret + to use for pulling images. + type: string + registry: + description: |- + Registry address to pull the distribution images from + e.g. 'ghcr.io/fluxcd'. + type: string + variant: + description: |- + Variant specifies the Flux distribution flavor stored + in the registry. + enum: + - upstream-alpine + - enterprise-alpine + - enterprise-distroless + - enterprise-distroless-fips + type: string + version: + description: Version semver expression e.g. '2.x', '2.3.x'. + type: string + required: + - registry + - version + type: object + kustomize: + description: |- + Kustomize holds a set of patches that can be applied to the + Flux installation, to customize the way Flux operates. + properties: + patches: + description: |- + Strategic merge and JSON patches, defined as inline YAML objects, + capable of targeting objects based on kind, label and annotation selectors. + items: + description: |- + Patch contains an inline StrategicMerge or JSON6902 patch, and the target the patch should + be applied to. + properties: + patch: + description: |- + Patch contains an inline StrategicMerge patch or an inline JSON6902 patch with + an array of operation objects. + type: string + target: + description: Target points to the resources that the patch + document should be applied to. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. 
+ https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + type: object + type: array + type: object + migrateResources: + default: true + description: |- + MigrateResources instructs the controller to migrate the Flux custom resources + from the previous version to the latest API version specified in the CRD. + Defaults to true. + type: boolean + sharding: + description: Sharding holds the specification of the sharding configuration. + properties: + key: + default: sharding.fluxcd.io/key + description: Key is the label key used to shard the resources. + type: string + shards: + description: Shards is the list of shard names. + items: + type: string + minItems: 1 + type: array + storage: + description: |- + Storage defines if the source-controller shards + should use an emptyDir or a persistent volume claim for storage. 
+ Accepted values are 'ephemeral' or 'persistent', defaults to 'ephemeral'. + For 'persistent' to take effect, the '.spec.storage' field must be set. + enum: + - ephemeral + - persistent + type: string + required: + - shards + type: object + storage: + description: |- + Storage holds the specification of the source-controller + persistent volume claim. + properties: + class: + description: Class is the storage class to use for the PVC. + type: string + size: + description: Size is the size of the PVC. + type: string + required: + - class + - size + type: object + sync: + description: |- + Sync specifies the source for the cluster sync operation. + When set, a Flux source (GitRepository, OCIRepository or Bucket) + and Flux Kustomization are created to sync the cluster state + with the source repository. + properties: + interval: + default: 1m + description: Interval is the time between syncs. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + kind: + description: Kind is the kind of the source. + enum: + - OCIRepository + - GitRepository + - Bucket + type: string + name: + description: |- + Name is the name of the Flux source and kustomization resources. + When not specified, the name is set to the namespace name of the FluxInstance. + maxLength: 63 + type: string + x-kubernetes-validations: + - message: Sync name is immutable + rule: self == oldSelf + path: + description: |- + Path is the path to the source directory containing + the kustomize overlay or plain Kubernetes manifests. + type: string + provider: + description: |- + Provider specifies OIDC provider for source authentication. + For OCIRepository and Bucket the provider can be set to 'aws', 'azure' or 'gcp'. + for GitRepository the accepted value can be set to 'azure' or 'github'. + To disable OIDC authentication the provider can be set to 'generic' or left empty. 
+ enum: + - generic + - aws + - azure + - gcp + - github + type: string + pullSecret: + description: |- + PullSecret specifies the Kubernetes Secret containing the + authentication credentials for the source. + For Git over HTTP/S sources, the secret must contain username and password fields. + For Git over SSH sources, the secret must contain known_hosts and identity fields. + For OCI sources, the secret must be of type kubernetes.io/dockerconfigjson. + For Bucket sources, the secret must contain accesskey and secretkey fields. + type: string + ref: + description: |- + Ref is the source reference, can be a Git ref name e.g. 'refs/heads/main', + an OCI tag e.g. 'latest' or a bucket name e.g. 'flux'. + type: string + url: + description: |- + URL is the source URL, can be a Git repository HTTP/S or SSH address, + an OCI repository address or a Bucket endpoint. + type: string + required: + - kind + - path + - ref + - url + type: object + wait: + default: true + description: |- + Wait instructs the controller to check the health of all the reconciled + resources. Defaults to true. + type: boolean + required: + - distribution + type: object + status: + description: FluxInstanceStatus defines the observed state of FluxInstance + properties: + components: + description: Components contains the container images used by the + components. + items: + description: ComponentImage represents a container image used by + a component. + properties: + digest: + description: Digest of the container image. + type: string + name: + description: Name of the component. + type: string + repository: + description: Repository address of the container image. + type: string + tag: + description: Tag of the container image. + type: string + required: + - name + - repository + - tag + type: object + type: array + conditions: + description: Conditions contains the readiness conditions of the object. 
+ items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + history: + description: |- + History contains the reconciliation history of the FluxInstance + as a list of snapshots ordered by the last reconciled time. + items: + description: |- + Snapshot represents a point-in-time record of a group of resources reconciliation, + including timing information, status, and a unique digest identifier. + properties: + digest: + description: Digest is the checksum in the format `:` + of the resources in this snapshot. + type: string + firstReconciled: + description: FirstReconciled is the time when this revision + was first reconciled to the cluster. + format: date-time + type: string + lastReconciled: + description: LastReconciled is the time when this revision was + last reconciled to the cluster. + format: date-time + type: string + lastReconciledDuration: + description: LastReconciledDuration is time it took to reconcile + the resources in this revision. + type: string + lastReconciledStatus: + description: LastReconciledStatus is the status of the last + reconciliation. + type: string + metadata: + additionalProperties: + type: string + description: Metadata contains additional information about + the snapshot. + type: object + totalReconciliations: + description: TotalReconciliations is the total number of reconciliations + that have occurred for this snapshot. + format: int64 + type: integer + required: + - digest + - firstReconciled + - lastReconciled + - lastReconciledDuration + - lastReconciledStatus + - totalReconciliations + type: object + type: array + inventory: + description: |- + Inventory contains a list of Kubernetes resource object references + last applied on the cluster. 
+ properties: + entries: + description: Entries of Kubernetes resource object references. + items: + description: ResourceRef contains the information necessary + to locate a resource within a cluster. + properties: + id: + description: |- + ID is the string representation of the Kubernetes resource object's metadata, + in the format '___'. + type: string + v: + description: Version is the API version of the Kubernetes + resource object's kind. + type: string + required: + - id + - v + type: object + type: array + required: + - entries + type: object + lastAppliedRevision: + description: |- + LastAppliedRevision is the version and digest of the + distribution config that was last reconcile. + type: string + lastArtifactRevision: + description: |- + LastArtifactRevision is the digest of the last pulled + distribution artifact. + type: string + lastAttemptedRevision: + description: |- + LastAttemptedRevision is the version and digest of the + distribution config that was last attempted to reconcile. + type: string + lastHandledForceAt: + description: |- + LastHandledForceAt holds the value of the most recent + force request value, so a change of the annotation value + can be detected. + type: string + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. 
+ type: string + type: object + type: object + x-kubernetes-validations: + - message: the only accepted name for a FluxInstance is 'flux' + rule: self.metadata.name == 'flux' + served: true + storage: true + subresources: + status: {} +--- +# Source: flux-operator/templates/crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.19.0 + helm.sh/resource-policy: keep + labels: + app.kubernetes.io/instance: 'flux-operator' + app.kubernetes.io/managed-by: 'Helm' + app.kubernetes.io/name: 'flux-operator' + app.kubernetes.io/version: 'v0.37.1' + helm.sh/chart: 'flux-operator-0.37.1' + name: fluxreports.fluxcd.controlplane.io +spec: + group: fluxcd.controlplane.io + names: + kind: FluxReport + listKind: FluxReportList + plural: fluxreports + singular: fluxreport + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.distribution.entitlement + name: Entitlement + priority: 10 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].lastTransitionTime + name: LastUpdated + type: string + name: v1 + schema: + openAPIV3Schema: + description: FluxReport is the Schema for the fluxreports API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: FluxReportSpec defines the observed state of a Flux installation. + properties: + cluster: + description: Cluster is the version information of the Kubernetes + cluster. + properties: + nodes: + description: Nodes is the number of nodes in the Kubernetes cluster. + type: integer + platform: + description: Platform is the os/arch of the Kubernetes control + plane. + type: string + serverVersion: + description: ServerVersion is the version of the Kubernetes API + server. + type: string + required: + - platform + - serverVersion + type: object + components: + description: ComponentsStatus is the status of the Flux controller + deployments. + items: + description: FluxComponentStatus defines the observed state of a + Flux component. + properties: + image: + description: Image is the container image of the Flux component. + type: string + name: + description: Name is the name of the Flux component. + type: string + ready: + description: Ready is the readiness status of the Flux component. + type: boolean + status: + description: |- + Status is a human-readable message indicating details + about the Flux component observed state. + type: string + required: + - image + - name + - ready + - status + type: object + type: array + distribution: + description: Distribution is the version information of the Flux installation. + properties: + entitlement: + description: Entitlement is the entitlement verification status. + type: string + managedBy: + description: ManagedBy is the name of the operator managing the + Flux instance. + type: string + status: + description: |- + Status is a human-readable message indicating details + about the distribution observed state. 
+ type: string + version: + description: Version is the version of the Flux instance. + type: string + required: + - entitlement + - status + type: object + operator: + description: Operator is the version information of the Flux Operator. + properties: + apiVersion: + description: APIVersion is the API version of the Flux Operator. + type: string + platform: + description: Platform is the os/arch of Flux Operator. + type: string + version: + description: Version is the version number of Flux Operator. + type: string + required: + - apiVersion + - platform + - version + type: object + reconcilers: + description: |- + ReconcilersStatus is the list of Flux reconcilers and + their statistics grouped by API kind. + items: + description: FluxReconcilerStatus defines the observed state of + a Flux reconciler. + properties: + apiVersion: + description: APIVersion is the API version of the Flux resource. + type: string + kind: + description: Kind is the kind of the Flux resource. + type: string + stats: + description: Stats is the reconcile statics of the Flux resource + kind. + properties: + failing: + description: |- + Failing is the number of reconciled + resources in the Failing state. + type: integer + running: + description: |- + Running is the number of reconciled + resources in the Running state. + type: integer + suspended: + description: |- + Suspended is the number of reconciled + resources in the Suspended state. + type: integer + totalSize: + description: TotalSize is the total size of the artifacts + in storage. + type: string + required: + - failing + - running + - suspended + type: object + required: + - apiVersion + - kind + type: object + type: array + sync: + description: |- + SyncStatus is the status of the cluster sync + Source and Kustomization resources. + properties: + id: + description: ID is the identifier of the sync. + type: string + path: + description: Path is the kustomize path of the sync. 
+ type: string + ready: + description: Ready is the readiness status of the sync. + type: boolean + source: + description: Source is the URL of the source repository. + type: string + status: + description: |- + Status is a human-readable message indicating details + about the sync observed state. + type: string + required: + - id + - ready + - status + type: object + required: + - distribution + type: object + status: + description: FluxReportStatus defines the readiness of a FluxReport. + properties: + conditions: + description: Conditions contains the readiness conditions of the object. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + type: object + type: object + x-kubernetes-validations: + - message: the only accepted name for a FluxReport is 'flux' + rule: self.metadata.name == 'flux' + served: true + storage: true + subresources: + status: {} +--- +# Source: flux-operator/templates/crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.19.0 + helm.sh/resource-policy: keep + labels: + app.kubernetes.io/instance: 'flux-operator' + app.kubernetes.io/managed-by: 'Helm' + app.kubernetes.io/name: 'flux-operator' + app.kubernetes.io/version: 'v0.37.1' + helm.sh/chart: 'flux-operator-0.37.1' + name: resourcesetinputproviders.fluxcd.controlplane.io +spec: + group: fluxcd.controlplane.io + names: + kind: ResourceSetInputProvider + listKind: ResourceSetInputProviderList + plural: resourcesetinputproviders + shortNames: + - rsip + singular: resourcesetinputprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: 
.status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1 + schema: + openAPIV3Schema: + description: ResourceSetInputProvider is the Schema for the ResourceSetInputProviders + API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ResourceSetInputProviderSpec defines the desired state of + ResourceSetInputProvider + properties: + certSecretRef: + description: |- + CertSecretRef specifies the Kubernetes Secret containing either or both of + + - a PEM-encoded CA certificate (`ca.crt`) + - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`) + + When connecting to a Git or OCI provider that uses self-signed certificates, the CA certificate + must be set in the Secret under the 'ca.crt' key to establish the trust relationship. + When connecting to an OCI provider that supports client certificates (mTLS), the client certificate + and private key must be set in the Secret under the 'tls.crt' and 'tls.key' keys, respectively. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + defaultValues: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: |- + DefaultValues contains the default values for the inputs. 
+ These values are used to populate the inputs when the provider + response does not contain them. + type: object + filter: + description: Filter defines the filter to apply to the input provider + response. + properties: + excludeBranch: + description: |- + ExcludeBranch specifies the regular expression to filter the branches + that the input provider should exclude. + type: string + excludeEnvironment: + description: |- + ExcludeEnvironment specifies the regular expression to filter the environments + that the input provider should exclude. + type: string + excludeTag: + description: |- + ExcludeTag specifies the regular expression to filter the tags + that the input provider should exclude. + type: string + includeBranch: + description: |- + IncludeBranch specifies the regular expression to filter the branches + that the input provider should include. + type: string + includeEnvironment: + description: |- + IncludeEnvironment specifies the regular expression to filter the environments + that the input provider should include. + type: string + includeTag: + description: |- + IncludeTag specifies the regular expression to filter the tags + that the input provider should include. + type: string + labels: + description: Labels specifies the list of labels to filter the + input provider response. + items: + type: string + type: array + limit: + default: 100 + description: |- + Limit specifies the maximum number of input sets to return. + When not set, the default limit is 100. + type: integer + semver: + description: |- + Semver specifies a semantic version range to filter and sort the tags. + If this field is not specified, the tags will be sorted in reverse + alphabetical order. + Supported only for tags at the moment. + type: string + type: object + schedule: + description: Schedule defines the schedules for the input provider + to run. + items: + description: Schedule defines a schedule for something to run. 
+ properties: + cron: + description: Cron specifies the cron expression for the schedule. + type: string + timeZone: + default: UTC + description: TimeZone specifies the time zone for the cron schedule. + Defaults to UTC. + type: string + window: + default: 0s + description: |- + Window defines the time window during which the execution is allowed. + Defaults to 0s, meaning no window is applied. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + required: + - cron + type: object + type: array + secretRef: + description: |- + SecretRef specifies the Kubernetes Secret containing the basic-auth credentials + to access the input provider. + When connecting to a Git provider, the secret must contain the keys + 'username' and 'password', and the password should be a personal access token + that grants read-only access to the repository. + When connecting to an OCI provider, the secret must contain a Kubernetes + Image Pull Secret, as if created by `kubectl create secret docker-registry`. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + serviceAccountName: + description: |- + ServiceAccountName specifies the name of the Kubernetes ServiceAccount + used for authentication with AWS, Azure or GCP services through + workload identity federation features. If not specified, the + authentication for these cloud providers will use the ServiceAccount + of the operator (or any other environment authentication configuration). + type: string + skip: + description: Skip defines whether we need to skip input provider response + updates. + properties: + labels: + description: |- + Labels specifies list of labels to skip input provider response when any of the label conditions matched. + When prefixed with !, input provider response will be skipped if it does not have this label. + items: + type: string + type: array + type: object + type: + description: Type specifies the type of the input provider. 
+ enum: + - Static + - GitHubBranch + - GitHubTag + - GitHubPullRequest + - GitLabBranch + - GitLabTag + - GitLabMergeRequest + - GitLabEnvironment + - AzureDevOpsBranch + - AzureDevOpsTag + - AzureDevOpsPullRequest + - OCIArtifactTag + - ACRArtifactTag + - ECRArtifactTag + - GARArtifactTag + type: string + url: + description: |- + URL specifies the HTTP/S or OCI address of the input provider API. + When connecting to a Git provider, the URL should point to the repository address. + When connecting to an OCI provider, the URL should point to the OCI repository address. + pattern: ^((http|https|oci)://.*){0,1}$ + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: spec.url must be empty when spec.type is 'Static' + rule: self.type != 'Static' || !has(self.url) + - message: spec.url must not be empty when spec.type is not 'Static' + rule: self.type == 'Static' || has(self.url) + - message: spec.url must start with 'http://' or 'https://' when spec.type + is a Git provider + rule: '!self.type.startsWith(''Git'') || self.url.startsWith(''http'')' + - message: spec.url must start with 'http://' or 'https://' when spec.type + is a Git provider + rule: '!self.type.startsWith(''AzureDevOps'') || self.url.startsWith(''http'')' + - message: spec.url must start with 'oci://' when spec.type is an OCI + provider + rule: '!self.type.endsWith(''ArtifactTag'') || self.url.startsWith(''oci'')' + - message: cannot specify spec.serviceAccountName when spec.type is not + one of AzureDevOps* or *ArtifactTag + rule: '!has(self.serviceAccountName) || self.type.startsWith(''AzureDevOps'') + || self.type.endsWith(''ArtifactTag'')' + - message: cannot specify spec.certSecretRef when spec.type is one of + Static, AzureDevOps*, ACRArtifactTag, ECRArtifactTag or GARArtifactTag + rule: '!has(self.certSecretRef) || !(self.url == ''Static'' || self.type.startsWith(''AzureDevOps'') + || (self.type.endsWith(''ArtifactTag'') && self.type != ''OCIArtifactTag''))' 
+ - message: cannot specify spec.secretRef when spec.type is one of Static, + ACRArtifactTag, ECRArtifactTag or GARArtifactTag + rule: '!has(self.secretRef) || !(self.url == ''Static'' || (self.type.endsWith(''ArtifactTag'') + && self.type != ''OCIArtifactTag''))' + status: + description: ResourceSetInputProviderStatus defines the observed state + of ResourceSetInputProvider. + properties: + conditions: + description: Conditions contains the readiness conditions of the object. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + exportedInputs: + description: ExportedInputs contains the list of inputs exported by + the provider. + items: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: ResourceSetInput defines the key-value pairs of the + ResourceSet input. + type: object + type: array + lastExportedRevision: + description: |- + LastExportedRevision is the digest of the + inputs that were last reconcile. + type: string + lastHandledForceAt: + description: |- + LastHandledForceAt holds the value of the most recent + force request value, so a change of the annotation value + can be detected. + type: string + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + nextSchedule: + description: NextSchedule is the next schedule when the input provider + will run. + properties: + cron: + description: Cron specifies the cron expression for the schedule. + type: string + timeZone: + default: UTC + description: TimeZone specifies the time zone for the cron schedule. + Defaults to UTC. + type: string + when: + description: When is the next time the schedule will run. + format: date-time + type: string + window: + default: 0s + description: |- + Window defines the time window during which the execution is allowed. + Defaults to 0s, meaning no window is applied. 
+ pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + required: + - cron + - when + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +# Source: flux-operator/templates/crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.19.0 + helm.sh/resource-policy: keep + labels: + app.kubernetes.io/instance: 'flux-operator' + app.kubernetes.io/managed-by: 'Helm' + app.kubernetes.io/name: 'flux-operator' + app.kubernetes.io/version: 'v0.37.1' + helm.sh/chart: 'flux-operator-0.37.1' + name: resourcesets.fluxcd.controlplane.io +spec: + group: fluxcd.controlplane.io + names: + kind: ResourceSet + listKind: ResourceSetList + plural: resourcesets + shortNames: + - rset + singular: resourceset + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1 + schema: + openAPIV3Schema: + description: ResourceSet is the Schema for the ResourceSets API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ResourceSetSpec defines the desired state of ResourceSet + properties: + commonMetadata: + description: |- + CommonMetadata specifies the common labels and annotations that are + applied to all resources. Any existing label or annotation will be + overridden if its key matches a common one. + properties: + annotations: + additionalProperties: + type: string + description: Annotations to be added to the object's metadata. + type: object + labels: + additionalProperties: + type: string + description: Labels to be added to the object's metadata. + type: object + type: object + dependsOn: + description: |- + DependsOn specifies the list of Kubernetes resources that must + exist on the cluster before the reconciliation process starts. + items: + description: Dependency defines a ResourceSet dependency on a Kubernetes + resource. + properties: + apiVersion: + description: APIVersion of the resource to depend on. + type: string + kind: + description: Kind of the resource to depend on. + type: string + name: + description: Name of the resource to depend on. + type: string + namespace: + description: Namespace of the resource to depend on. + type: string + ready: + description: Ready checks if the resource Ready status condition + is true. + type: boolean + readyExpr: + description: |- + ReadyExpr checks if the resource satisfies the given CEL expression. + The expression replaces the default readiness check and + is only evaluated if Ready is set to 'true'. + type: string + required: + - apiVersion + - kind + - name + type: object + type: array + inputStrategy: + description: |- + InputStrategy defines how the inputs are combined when multiple + input provider objects are used. Defaults to flattening all inputs + from all providers into a single list of input sets. 
+ properties: + name: + description: |- + Name defines how the inputs are combined when multiple + input provider objects are used. Supported values are: + - Flatten: all inputs sets from all input provider objects are + flattened into a single list of input sets. + - Permute: all inputs sets from all input provider objects are + combined using a Cartesian product, resulting in a list of input sets + that contains every possible combination of input values. + For example, if provider A has inputs [{x: 1}, {x: 2}] and provider B has + inputs [{y: "a"}, {y: "b"}], the resulting input sets will be: + [{x: 1, y: "a"}, {x: 1, y: "b"}, {x: 2, y: "a"}, {x: 2, y: "b"}]. + This strategy can lead to a large number of input sets and should be + used with caution. Users should use filtering features from + ResourceSetInputProvider to limit the amount of exported inputs. + enum: + - Flatten + - Permute + type: string + required: + - name + type: object + inputs: + description: Inputs contains the list of ResourceSet inputs. + items: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: ResourceSetInput defines the key-value pairs of the + ResourceSet input. + type: object + type: array + inputsFrom: + description: |- + InputsFrom contains the list of references to input providers. + When set, the inputs are fetched from the providers and concatenated + with the in-line inputs defined in the ResourceSet. + items: + description: |- + InputProviderReference defines a reference to an input provider resource + in the same namespace as the ResourceSet. + properties: + apiVersion: + description: |- + APIVersion of the input provider resource. + When not set, the APIVersion of the ResourceSet is used. + enum: + - fluxcd.controlplane.io/v1 + type: string + kind: + description: Kind of the input provider resource. + enum: + - ResourceSetInputProvider + type: string + name: + description: |- + Name of the input provider resource. 
Cannot be set + when the Selector field is set. + type: string + selector: + description: |- + Selector is a label selector to filter the input provider resources + as an alternative to the Name field. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-validations: + - message: at least one of name or selector must be set for input + provider references + rule: has(self.name) || has(self.selector) + - message: cannot set both name and selector for input provider + references + rule: '!has(self.name) || !has(self.selector)' + type: array + resources: + description: Resources contains the list of Kubernetes resources to + reconcile. + items: + x-kubernetes-preserve-unknown-fields: true + type: array + resourcesTemplate: + description: |- + ResourcesTemplate is a Go template that generates the list of + Kubernetes resources to reconcile. The template is rendered + as multi-document YAML, the resources should be separated by '---'. + When both Resources and ResourcesTemplate are set, the resulting + objects are merged and deduplicated, with the ones from Resources taking precedence. + type: string + serviceAccountName: + description: |- + The name of the Kubernetes service account to impersonate + when reconciling the generated resources. + type: string + wait: + description: |- + Wait instructs the controller to check the health + of all the reconciled resources. + type: boolean + type: object + status: + description: ResourceSetStatus defines the observed state of ResourceSet. + properties: + conditions: + description: Conditions contains the readiness conditions of the object. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. 
+ This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + history: + description: |- + History contains the reconciliation history of the ResourceSet + as a list of snapshots ordered by the last reconciled time. + items: + description: |- + Snapshot represents a point-in-time record of a group of resources reconciliation, + including timing information, status, and a unique digest identifier. + properties: + digest: + description: Digest is the checksum in the format `:` + of the resources in this snapshot. + type: string + firstReconciled: + description: FirstReconciled is the time when this revision + was first reconciled to the cluster. 
+ format: date-time + type: string + lastReconciled: + description: LastReconciled is the time when this revision was + last reconciled to the cluster. + format: date-time + type: string + lastReconciledDuration: + description: LastReconciledDuration is time it took to reconcile + the resources in this revision. + type: string + lastReconciledStatus: + description: LastReconciledStatus is the status of the last + reconciliation. + type: string + metadata: + additionalProperties: + type: string + description: Metadata contains additional information about + the snapshot. + type: object + totalReconciliations: + description: TotalReconciliations is the total number of reconciliations + that have occurred for this snapshot. + format: int64 + type: integer + required: + - digest + - firstReconciled + - lastReconciled + - lastReconciledDuration + - lastReconciledStatus + - totalReconciliations + type: object + type: array + inventory: + description: |- + Inventory contains a list of Kubernetes resource object references + last applied on the cluster. + properties: + entries: + description: Entries of Kubernetes resource object references. + items: + description: ResourceRef contains the information necessary + to locate a resource within a cluster. + properties: + id: + description: |- + ID is the string representation of the Kubernetes resource object's metadata, + in the format '___'. + type: string + v: + description: Version is the API version of the Kubernetes + resource object's kind. + type: string + required: + - id + - v + type: object + type: array + required: + - entries + type: object + lastAppliedRevision: + description: |- + LastAppliedRevision is the digest of the + generated resources that were last reconcile. + type: string + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. 
+ type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +# Source: flux-operator/templates/aggregate-clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: flux-operator-edit + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" + helm.sh/chart: flux-operator-0.37.1 + app.kubernetes.io/name: flux-operator + app.kubernetes.io/instance: flux-operator + app.kubernetes.io/version: "v0.37.1" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: + - fluxcd.controlplane.io + resources: + - resourcesets + - resourcesetinputproviders + verbs: + - create + - delete + - deletecollection + - patch + - update +--- +# Source: flux-operator/templates/aggregate-clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: flux-operator-view + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-view: "true" + helm.sh/chart: flux-operator-0.37.1 + app.kubernetes.io/name: flux-operator + app.kubernetes.io/instance: flux-operator + app.kubernetes.io/version: "v0.37.1" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: + - fluxcd.controlplane.io + resources: + - resourcesets + - resourcesetinputproviders + verbs: + - get + - list + - watch +--- +# Source: flux-operator/templates/admin-clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: flux-operator + labels: + helm.sh/chart: flux-operator-0.37.1 + app.kubernetes.io/name: flux-operator + app.kubernetes.io/instance: flux-operator + app.kubernetes.io/version: "v0.37.1" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: ServiceAccount + name: flux-operator + namespace: flux-system 
+--- +# Source: flux-operator/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: flux-operator + namespace: flux-system + labels: + helm.sh/chart: flux-operator-0.37.1 + app.kubernetes.io/name: flux-operator + app.kubernetes.io/instance: flux-operator + app.kubernetes.io/version: "v0.37.1" + app.kubernetes.io/managed-by: Helm +spec: + ports: + - port: 8080 + targetPort: http-metrics + protocol: TCP + name: http + - port: 9080 + targetPort: http-web + protocol: TCP + name: http-web + selector: + app.kubernetes.io/name: flux-operator + app.kubernetes.io/instance: flux-operator +--- +# Source: flux-operator/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: flux-operator + namespace: flux-system + labels: + helm.sh/chart: flux-operator-0.37.1 + app.kubernetes.io/name: flux-operator + app.kubernetes.io/instance: flux-operator + app.kubernetes.io/version: "v0.37.1" + app.kubernetes.io/managed-by: Helm +spec: + selector: + matchLabels: + app.kubernetes.io/name: flux-operator + app.kubernetes.io/instance: flux-operator + template: + metadata: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8080" + prometheus.io/path: "/metrics" + labels: + helm.sh/chart: flux-operator-0.37.1 + app.kubernetes.io/name: flux-operator + app.kubernetes.io/instance: flux-operator + app.kubernetes.io/version: "v0.37.1" + app.kubernetes.io/managed-by: Helm + spec: + serviceAccountName: flux-operator + containers: + - name: manager + args: + - --log-level=info + env: + - name: RUNTIME_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: REPORTING_INTERVAL + value: 5m + - name: WEB_SERVER_PORT + value: "9080" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/controlplaneio-fluxcd/flux-operator:v0.37.1" + imagePullPolicy: "IfNotPresent" + ports: + - name: 
http-metrics + containerPort: 8080 + protocol: TCP + - name: http + containerPort: 8081 + protocol: TCP + - name: http-web + containerPort: 9080 + protocol: TCP + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 2000m + memory: 1Gi + requests: + cpu: 100m + memory: 64Mi + volumeMounts: + - name: temp + mountPath: /tmp + volumes: + - name: temp + emptyDir: {} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - linux
diff --git a/nix/kubernetes/roles/bootstrap/files/flux_namespace.yaml b/nix/kubernetes/roles/bootstrap/files/flux_namespace.yaml
new file mode 100644
index 00000000..c00a4321
--- /dev/null
+++ b/nix/kubernetes/roles/bootstrap/files/flux_namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: flux-system
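Review bot: The new `flux-system` Namespace carries no Pod Security Admission labels, so nothing at the namespace level constrains what the pods deployed into it may request. The operator Deployment in the preceding hunk already runs with a restricted-compatible securityContext (`allowPrivilegeEscalation: false`, all capabilities dropped, `readOnlyRootFilesystem`, `runAsNonRoot`, `seccompProfile: RuntimeDefault`), so enforcing that baseline on the namespace should cost nothing for the operator itself; whether every controller the FluxInstance later installs into this namespace also satisfies it is not visible here and should be confirmed before switching from `warn` to `enforce`. Adding `labels:` under `metadata:` with `pod-security.kubernetes.io/enforce: restricted` (or `pod-security.kubernetes.io/warn: restricted` while verifying) is a two-line change that makes the namespace's hardening intent explicit and auditable.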