Delete images after 24 hours of being unused.

1.5 came out recently, so no gateway providers support it.

nix/configuration/hosts/odo/default.nix

@@ -164,7 +164,7 @@
     me.zsh.enable = true;
 
     me.sm64ex.enable = true;
-    me.shipwright.enable = false;
+    me.shipwright.enable = true;
     me.ship2harkinian.enable = true;
   };
 }

nix/configuration/hosts/quark/default.nix

@@ -159,7 +159,7 @@
     me.zsh.enable = true;
 
     me.sm64ex.enable = true;
-    me.shipwright.enable = false;
+    me.shipwright.enable = true;
     me.ship2harkinian.enable = true;
   };
 }

nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux.yaml

@@ -6,10 +6,10 @@ metadata:
   name: flux-operator-web
   namespace: flux-system
   labels:
-    helm.sh/chart: flux-operator-0.48.0
+    helm.sh/chart: flux-operator-0.37.1
     app.kubernetes.io/name: flux-operator
     app.kubernetes.io/instance: flux-operator
-    app.kubernetes.io/version: "v0.48.0"
+    app.kubernetes.io/version: "v0.37.1"
     app.kubernetes.io/managed-by: Helm
 spec:
   policyTypes:
@@ -32,10 +32,10 @@ metadata:
   name: flux-operator
   namespace: flux-system
   labels:
-    helm.sh/chart: flux-operator-0.48.0
+    helm.sh/chart: flux-operator-0.37.1
     app.kubernetes.io/name: flux-operator
     app.kubernetes.io/instance: flux-operator
-    app.kubernetes.io/version: "v0.48.0"
+    app.kubernetes.io/version: "v0.37.1"
     app.kubernetes.io/managed-by: Helm
 automountServiceAccountToken: true
 ---
@@ -44,14 +44,14 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.20.0
+    controller-gen.kubebuilder.io/version: v0.19.0
     helm.sh/resource-policy: keep
   labels:
     app.kubernetes.io/instance: 'flux-operator'
     app.kubernetes.io/managed-by: 'Helm'
     app.kubernetes.io/name: 'flux-operator'
-    app.kubernetes.io/version: 'v0.48.0'
+    app.kubernetes.io/version: 'v0.37.1'
-    helm.sh/chart: 'flux-operator-0.48.0'
+    helm.sh/chart: 'flux-operator-0.37.1'
   name: fluxinstances.fluxcd.controlplane.io
 spec:
   group: fluxcd.controlplane.io
@@ -205,11 +205,7 @@ spec:
               components:
                 description: |-
                   Components is the list of controllers to install.
-                  Defaults to the core Flux controllers:
+                  Defaults to a commonly used subset.
-                    - source-controller
-                    - kustomize-controller
-                    - helm-controller
-                    - notification-controller
                 items:
                   description: Component is the name of a controller to install.
                   enum:
@@ -665,14 +661,14 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.20.0
+    controller-gen.kubebuilder.io/version: v0.19.0
     helm.sh/resource-policy: keep
   labels:
     app.kubernetes.io/instance: 'flux-operator'
     app.kubernetes.io/managed-by: 'Helm'
     app.kubernetes.io/name: 'flux-operator'
-    app.kubernetes.io/version: 'v0.48.0'
+    app.kubernetes.io/version: 'v0.37.1'
-    helm.sh/chart: 'flux-operator-0.48.0'
+    helm.sh/chart: 'flux-operator-0.37.1'
   name: fluxreports.fluxcd.controlplane.io
 spec:
   group: fluxcd.controlplane.io
@@ -832,7 +828,7 @@ spec:
                         failing:
                           description: |-
                             Failing is the number of reconciled
-                            resources in the Failing state and not Suspended.
+                            resources in the Failing state.
                           type: integer
                         running:
                           description: |-
@@ -969,14 +965,14 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.20.0
+    controller-gen.kubebuilder.io/version: v0.19.0
     helm.sh/resource-policy: keep
   labels:
     app.kubernetes.io/instance: 'flux-operator'
     app.kubernetes.io/managed-by: 'Helm'
     app.kubernetes.io/name: 'flux-operator'
-    app.kubernetes.io/version: 'v0.48.0'
+    app.kubernetes.io/version: 'v0.37.1'
-    helm.sh/chart: 'flux-operator-0.48.0'
+    helm.sh/chart: 'flux-operator-0.37.1'
   name: resourcesetinputproviders.fluxcd.controlplane.io
 spec:
   group: fluxcd.controlplane.io
@@ -1033,9 +1029,9 @@ spec:
                   - a PEM-encoded CA certificate (`ca.crt`)
                   - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`)
 
-                  When connecting to a Git, OCI, or ExternalService provider that uses self-signed certificates,
+                  When connecting to a Git or OCI provider that uses self-signed certificates, the CA certificate
-                  the CA certificate must be set in the Secret under the 'ca.crt' key to establish the trust relationship.
+                  must be set in the Secret under the 'ca.crt' key to establish the trust relationship.
-                  When connecting to a provider that supports client certificates (mTLS), the client certificate
+                  When connecting to an OCI provider that supports client certificates (mTLS), the client certificate
                   and private key must be set in the Secret under the 'tls.crt' and 'tls.key' keys, respectively.
                 properties:
                   name:
@@ -1106,11 +1102,6 @@ spec:
                       Supported only for tags at the moment.
                     type: string
                 type: object
-              insecure:
-                description: |-
-                  Insecure allows connecting to an ExternalService or OCIArtifactTag provider
-                  over plain HTTP without TLS. When not set, the URL must use HTTPS.
-                type: boolean
               schedule:
                 description: Schedule defines the schedules for the input provider
                   to run.
@@ -1138,16 +1129,13 @@ spec:
                 type: array
               secretRef:
                 description: |-
-                  SecretRef specifies the Kubernetes Secret containing the credentials
+                  SecretRef specifies the Kubernetes Secret containing the basic-auth credentials
                   to access the input provider.
                   When connecting to a Git provider, the secret must contain the keys
                   'username' and 'password', and the password should be a personal access token
                   that grants read-only access to the repository.
                   When connecting to an OCI provider, the secret must contain a Kubernetes
                   Image Pull Secret, as if created by `kubectl create secret docker-registry`.
-                  When connecting to an ExternalService provider, the secret must contain either
-                  a 'token' key for bearer token authentication, or 'username' and 'password'
-                  keys for basic authentication.
                 properties:
                   name:
                     description: Name of the referent.
@@ -1189,14 +1177,10 @@ spec:
                 - AzureDevOpsBranch
                 - AzureDevOpsTag
                 - AzureDevOpsPullRequest
-                - GiteaBranch
-                - GiteaTag
-                - GiteaPullRequest
                 - OCIArtifactTag
                 - ACRArtifactTag
                 - ECRArtifactTag
                 - GARArtifactTag
-                - ExternalService
                 type: string
               url:
                 description: |-
@@ -1222,16 +1206,6 @@ spec:
             - message: spec.url must start with 'oci://' when spec.type is an OCI
                 provider
               rule: '!self.type.endsWith(''ArtifactTag'') || self.url.startsWith(''oci'')'
-            - message: spec.url must start with 'http://' or 'https://' when spec.type
-                is 'ExternalService'
-              rule: self.type != 'ExternalService' || self.url.startsWith('http')
-            - message: spec.insecure can only be set when spec.type is 'ExternalService'
-                or 'OCIArtifactTag'
-              rule: '!has(self.insecure) || !self.insecure || self.type == ''ExternalService''
-                || self.type == ''OCIArtifactTag'''
-            - message: spec.url must use 'https://' unless spec.insecure is true
-              rule: self.type != 'ExternalService' || !self.url.startsWith('http://')
-                || (has(self.insecure) && self.insecure)
             - message: cannot specify spec.serviceAccountName when spec.type is not
                 one of AzureDevOps* or *ArtifactTag
               rule: '!has(self.serviceAccountName) || self.type.startsWith(''AzureDevOps'')
@@ -1371,14 +1345,14 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.20.0
+    controller-gen.kubebuilder.io/version: v0.19.0
     helm.sh/resource-policy: keep
   labels:
     app.kubernetes.io/instance: 'flux-operator'
     app.kubernetes.io/managed-by: 'Helm'
     app.kubernetes.io/name: 'flux-operator'
-    app.kubernetes.io/version: 'v0.48.0'
+    app.kubernetes.io/version: 'v0.37.1'
-    helm.sh/chart: 'flux-operator-0.48.0'
+    helm.sh/chart: 'flux-operator-0.37.1'
   name: resourcesets.fluxcd.controlplane.io
 spec:
   group: fluxcd.controlplane.io
@@ -1485,15 +1459,6 @@ spec:
                   input provider objects are used. Defaults to flattening all inputs
                   from all providers into a single list of input sets.
                 properties:
-                  includeEmptyProviders:
-                    description: |-
-                      IncludeEmptyProviders controls how input providers that export no
-                      inputs are treated. Only applies when Name is Permute. When true, if
-                      any provider has zero inputs the resulting permutation set is empty
-                      (mathematically correct Cartesian product behavior). When false or
-                      unset (default), providers with zero inputs are silently skipped and
-                      the remaining providers still permute among themselves.
-                    type: boolean
                   name:
                     description: |-
                       Name defines how the inputs are combined when multiple
@@ -1516,9 +1481,6 @@ spec:
                 required:
                 - name
                 type: object
-                x-kubernetes-validations:
-                - message: includeEmptyProviders only applies when name is Permute
-                  rule: '!has(self.includeEmptyProviders) || self.name == ''Permute'''
               inputs:
                 description: Inputs contains the list of ResourceSet inputs.
                 items:
@@ -1697,16 +1659,6 @@ spec:
                   - type
                   type: object
                 type: array
-              externalChecksumRefs:
-                description: |-
-                  ExternalChecksumRefs lists the ConfigMap and Secret references
-                  discovered in checksumFrom annotations on the last reconciliation
-                  that point to objects not rendered by this ResourceSet. Each entry
-                  has the form "Kind/namespace/name". It is used to trigger a
-                  reconciliation when one of the referenced objects changes.
-                items:
-                  type: string
-                type: array
               history:
                 description: |-
                   History contains the reconciliation history of the ResourceSet
@@ -1812,10 +1764,10 @@ metadata:
   labels:
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
-    helm.sh/chart: flux-operator-0.48.0
+    helm.sh/chart: flux-operator-0.37.1
     app.kubernetes.io/name: flux-operator
     app.kubernetes.io/instance: flux-operator
-    app.kubernetes.io/version: "v0.48.0"
+    app.kubernetes.io/version: "v0.37.1"
     app.kubernetes.io/managed-by: Helm
 rules:
   - apiGroups:
@@ -1839,10 +1791,10 @@ metadata:
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-view: "true"
-    helm.sh/chart: flux-operator-0.48.0
+    helm.sh/chart: flux-operator-0.37.1
     app.kubernetes.io/name: flux-operator
     app.kubernetes.io/instance: flux-operator
-    app.kubernetes.io/version: "v0.48.0"
+    app.kubernetes.io/version: "v0.37.1"
     app.kubernetes.io/managed-by: Helm
 rules:
   - apiGroups:
@@ -1855,86 +1807,16 @@ rules:
       - list
       - watch
 ---
-# Source: flux-operator/templates/web-standard-roles.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: flux-web-user
-  labels:
-    helm.sh/chart: flux-operator-0.48.0
-    app.kubernetes.io/name: flux-operator
-    app.kubernetes.io/instance: flux-operator
-    app.kubernetes.io/version: "v0.48.0"
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["get", "list", "watch"]
----
-# Source: flux-operator/templates/web-standard-roles.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: flux-web-admin
-  labels:
-    helm.sh/chart: flux-operator-0.48.0
-    app.kubernetes.io/name: flux-operator
-    app.kubernetes.io/instance: flux-operator
-    app.kubernetes.io/version: "v0.48.0"
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups:
-      - fluxcd.controlplane.io
-      - source.toolkit.fluxcd.io
-      - source.extensions.fluxcd.io
-      - kustomize.toolkit.fluxcd.io
-      - helm.toolkit.fluxcd.io
-      - image.toolkit.fluxcd.io
-      - notification.toolkit.fluxcd.io
-    resources: ["*"]
-    verbs:
-      - patch
-      - reconcile
-      - suspend
-      - resume
-      - download
-  - apiGroups:
-      - apps
-    resources:
-      - deployments
-      - statefulsets
-      - daemonsets
-    verbs:
-      - patch
-      - restart
-  - apiGroups:
-      - batch
-    resources:
-      - cronjobs
-      - jobs
-    verbs:
-      - create
-      - restart
-  - apiGroups:
-      - ""
-    resources:
-      - pods
-    verbs:
-      - delete
----
 # Source: flux-operator/templates/admin-clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: flux-operator
   labels:
-    helm.sh/chart: flux-operator-0.48.0
+    helm.sh/chart: flux-operator-0.37.1
     app.kubernetes.io/name: flux-operator
     app.kubernetes.io/instance: flux-operator
-    app.kubernetes.io/version: "v0.48.0"
+    app.kubernetes.io/version: "v0.37.1"
     app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -1952,10 +1834,10 @@ metadata:
   name: flux-operator
   namespace: flux-system
   labels:
-    helm.sh/chart: flux-operator-0.48.0
+    helm.sh/chart: flux-operator-0.37.1
     app.kubernetes.io/name: flux-operator
     app.kubernetes.io/instance: flux-operator
-    app.kubernetes.io/version: "v0.48.0"
+    app.kubernetes.io/version: "v0.37.1"
     app.kubernetes.io/managed-by: Helm
 spec:
   ports:
@@ -1978,10 +1860,10 @@ metadata:
   name: flux-operator
   namespace: flux-system
   labels:
-    helm.sh/chart: flux-operator-0.48.0
+    helm.sh/chart: flux-operator-0.37.1
     app.kubernetes.io/name: flux-operator
     app.kubernetes.io/instance: flux-operator
-    app.kubernetes.io/version: "v0.48.0"
+    app.kubernetes.io/version: "v0.37.1"
     app.kubernetes.io/managed-by: Helm
 spec:
   selector:
@@ -1995,10 +1877,10 @@ spec:
         prometheus.io/port: "8080"
         prometheus.io/path: "/metrics"
       labels:
-        helm.sh/chart: flux-operator-0.48.0
+        helm.sh/chart: flux-operator-0.37.1
         app.kubernetes.io/name: flux-operator
         app.kubernetes.io/instance: flux-operator
-        app.kubernetes.io/version: "v0.48.0"
+        app.kubernetes.io/version: "v0.37.1"
         app.kubernetes.io/managed-by: Helm
     spec:
       serviceAccountName: flux-operator
@@ -2024,7 +1906,7 @@ spec:
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
-          image: "ghcr.io/controlplaneio-fluxcd/flux-operator:v0.48.0"
+          image: "ghcr.io/controlplaneio-fluxcd/flux-operator:v0.37.1"
           imagePullPolicy: "IfNotPresent"
           ports:
             - name: http-metrics

nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux_instance.yaml

@@ -5,13 +5,5 @@ metadata:
   namespace: flux-system
 spec:
   distribution:
-    version: "2.8.x"
+    version: "2.7.x"
     registry: "ghcr.io/fluxcd"
-  components:
-    - source-controller
-    - kustomize-controller
-    - helm-controller
-    - notification-controller
-    - image-automation-controller
-    - image-reflector-controller
-    # - source-watcher

nix/kubernetes/keys/package/bootstrap-script/package.nix

@@ -35,10 +35,6 @@ let
         "${k8s.cilium-manifest}/cilium.yaml"
         "${k8s.coredns-manifest}/coredns.yaml"
         ./files/manifests/flux_namespace.yaml
-
-        #
-        # Generate with: helm template --dry-run=server flux-operator oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --namespace flux-system --create-namespace
-        #
         ./files/manifests/flux.yaml
         ./files/manifests/flux_instance.yaml
       ]

nix/kubernetes/keys/package/k8s-ca/files/client-ca.conf

@@ -120,7 +120,7 @@ extendedKeyUsage     = clientAuth, serverAuth
 keyUsage             = critical, digitalSignature, keyEncipherment
 nsCertType           = client
 nsComment            = "worker0 Certificate"
-subjectAltName       = DNS:worker0, IP:127.0.0.1, IP:10.215.1.224, IP:2620:11f:7001:7:ffff:ffff:ad7:1e0
+subjectAltName       = DNS:worker0, IP:127.0.0.1
 subjectKeyIdentifier = hash
 
 [worker0_distinguished_name]
@@ -141,7 +141,7 @@ extendedKeyUsage     = clientAuth, serverAuth
 keyUsage             = critical, digitalSignature, keyEncipherment
 nsCertType           = client
 nsComment            = "worker1 Certificate"
-subjectAltName       = DNS:worker1, IP:127.0.0.1, IP:10.215.1.225, IP:2620:11f:7001:7:ffff:ffff:ad7:1e1
+subjectAltName       = DNS:worker1, IP:127.0.0.1
 subjectKeyIdentifier = hash
 
 [worker1_distinguished_name]
@@ -162,7 +162,7 @@ extendedKeyUsage     = clientAuth, serverAuth
 keyUsage             = critical, digitalSignature, keyEncipherment
 nsCertType           = client
 nsComment            = "worker2 Certificate"
-subjectAltName       = DNS:worker2, IP:127.0.0.1, IP:10.215.1.226, IP:2620:11f:7001:7:ffff:ffff:ad7:1e2
+subjectAltName       = DNS:worker2, IP:127.0.0.1
 subjectKeyIdentifier = hash
 
 [worker2_distinguished_name]

nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix

@@ -58,25 +58,9 @@ let
           };
         };
         "flux-system" = {
-          "registry-credentials" =
-            (generate_docker_secret {
-              username = builtins.readFile "${./secrets/flux-system/registry-credentials/username}";
-              password = builtins.readFile "${./secrets/flux-system/registry-credentials/password}";
-              email = builtins.readFile "${./secrets/flux-system/registry-credentials/email}";
-            })
-            // {
-              # "__annotations" = {
-              #   "tekton.dev/docker-0" = "https://harbor.fizz.buzz";
-              # };
-            };
           "webhook-token" = {
-            # This token is used for gitea webhooks
             "token" = generate_key 64 "flux-system.webhook-token.token";
           };
-          "harbor-webhook-token" = {
-            # This token is used for harbor webhooks
-            "token" = generate_key 64 "flux-system.harbor-webhook-token.token";
-          };
         };
         "gitea" = {
           "gitea-env" = {
@@ -100,9 +84,6 @@ let
             );
           };
         };
-        "homepage-staging" = {
-          "oauth2-env" = oauth2_env { dex_id = "homepage-staging"; };
-        };
         "tekton-gateway" = {
           "oauth2-env" = oauth2_env { dex_id = "tekton"; };
         };
@@ -119,12 +100,6 @@ let
             "ssh-privatekey" = (builtins.readFile "${./secrets/webhook-bridge/deployer-key/ssh-privatekey}");
             "ssh-publickey" = (builtins.readFile "${./secrets/webhook-bridge/deployer-key/ssh-publickey}");
           };
-          "gitea" = {
-            "token" = (builtins.readFile "${./secrets/webhook-bridge/gitea/token}");
-          };
-          "harbor-plain" = {
-            "config.json" = (builtins.readFile "${./secrets/webhook-bridge/harbor-plain/config.json}");
-          };
         };
       };
   encrypted_secrets = (
@@ -159,7 +134,6 @@ let
 
   ## Utilities
   inherit ((import ../../../functions/to_yaml.nix) { inherit pkgs; }) to_yaml;
-  inherit (pkgs.callPackage ../../contrib/base64/package.nix { inherit lib; }) toBase64;
   generate_key =
     len: name:
     builtins.readFile (
@@ -194,21 +168,6 @@ let
         "\\}"
       ]
       json;
-  generate_docker_secret =
-    {
-      username,
-      password,
-      email,
-    }:
-    let
-    in
-    {
-      "__type" = "kubernetes.io/dockerconfigjson";
-      ".dockerconfigjson" = builtins.toJSON {
-        inherit username password email;
-        "auth" = toBase64 "${username}:${password}";
-      };
-    };
   ## dex
   get_dex_config =
     client_id: