Upgrade FluxCD Helm and Source Controllers.

This change updates FluxCD to release v2.0.1. The
release was obtained from the location referenced
below, and the file was modified to conform to
the current bootstrap process.  The install.yaml
file is split into four files: Custom Resource
Definitions (CRDs), Deployments, RBAC, and Service.

The Deployments file is modified to use an Ansible
parameter for the images, and the RBAC is modified
such that the ClusterRoleBindings use the default
service account on the system.  For all files,
only objects related to the Helm and Source
controllers are kept.  All others are discarded.

[1] Upgrade helm-controller from v0.27.0 to v0.35.0
[2] Upgrade source-controller from v0.32.1 to v1.0.1
[3] Update FluxCD Custom Resource Definitions, and other
    slight modifications to deployment files.

Reference:
- The YAML files that make up the release come from
  https://github.com/fluxcd/flux2/releases/tag/v2.0.1.
  On the webpage, find the assets list and the
  install.yaml file has everything inside.
- NOTE - Future upgrades would source the install.yaml
  from the same location.

Test Plan:
PASS: build-pkgs -a && build-image
PASS: AIO-SX full install with clean bootstrap
PASS: Upload & Apply every app in /usr/local/share/applications
PASS: Upgrade installation from stx-8 to current development
      state.

Story: 2010876
Task: 48587
Change-Id: I58a02d84164e653f25470edc05bb60275fc8334b
Signed-off-by: Joshua Reed <joshua.reed@windriver.com>
Joshua Reed
2023-08-09 14:42:09 -07:00
parent a669780456
commit 506c7c3999
8 changed files with 5853 additions and 1057 deletions


@@ -20,8 +20,8 @@ spec:
spec:
containers:
- name: manager
command: ["/sbin/tini"]
args: ["--", "/bin/sh", "-c", "helm-controller --watch-all-namespaces --log-level=debug --log-encoding=console --enable-leader-election 2>&1 | tee -a /var/log/helm-controller.log"]
command: ["/bin/sh"]
args: ["-c", "helm-controller --watch-all-namespaces --log-level=debug --log-encoding=console --enable-leader-election 2>&1 | tee -a /var/log/helm-controller.log"]
env:
- name: RUNTIME_NAMESPACE
valueFrom:
@@ -53,7 +53,13 @@ spec:
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /tmp
name: temp
@@ -141,7 +147,13 @@ spec:
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /data
name: data
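Review bot: In the first hunk the replacement `command: ["/bin/sh"]` (tini dropped) appears to leave the shell as PID 1, so the SIGTERM sent at pod shutdown is likely not forwarded to helm-controller, which would then be killed at the end of the grace period without releasing its leader-election lease. The pipeline also exits with tee's status, which hides a controller crash code. With `readOnlyRootFilesystem: true` and `runAsNonRoot: true` added in the later hunks, `tee -a /var/log/helm-controller.log` only works if /var/log is a writable mount that the non-root user can write to; the hunks show only the first volumeMounts entry (/tmp, /data), so this needs confirming. I would add above `command:` a comment such as `# sh is PID 1 (no init): signals are not forwarded; /var/log must be a writable volume`, or log to stdout only and let the node collect it.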


@@ -1,4 +1,3 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -36,7 +35,7 @@ rules:
verbs:
- '*'
- apiGroups:
- ""
- ''
resources:
- namespaces
- secrets
@@ -47,14 +46,14 @@ rules:
- list
- watch
- apiGroups:
- ""
- ''
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
- ''
resources:
- configmaps
verbs:
@@ -66,7 +65,7 @@ rules:
- patch
- delete
- apiGroups:
- ""
- ''
resources:
- configmaps/status
verbs:
@@ -87,6 +86,46 @@ rules:
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: flux-edit
namespace: flux-helm
rules:
- apiGroups:
- notification.toolkit.fluxcd.io
- source.toolkit.fluxcd.io
- helm.toolkit.fluxcd.io
- image.toolkit.fluxcd.io
- kustomize.toolkit.fluxcd.io
resources:
- '*'
verbs:
- create
- delete
- deletecollection
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: flux-view
namespace: flux-helm
rules:
- apiGroups:
- notification.toolkit.fluxcd.io
- source.toolkit.fluxcd.io
- helm.toolkit.fluxcd.io
- image.toolkit.fluxcd.io
- kustomize.toolkit.fluxcd.io
resources:
- '*'
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: crd-controller
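Review bot: The added `flux-edit` and `flux-view` ClusterRoles in the last hunk grant `resources: '*'` on the notification, image and kustomize API groups even though the commit description says only the Helm and Source controllers are kept, so the roles are wider than what is deployed. I would cut each `apiGroups` list to `- source.toolkit.fluxcd.io` and `- helm.toolkit.fluxcd.io`. `namespace: flux-helm` on a ClusterRole has no effect because the kind is cluster-scoped, and it can mislead a reader into thinking the grant is namespaced; drop that line from both objects. No binding or aggregation label for the two roles is visible in this hunk, so it is worth confirming which subjects are meant to receive them.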


@@ -2,8 +2,8 @@
fluxcd_namespace: flux-helm
fluxcd_secret_name: default-registry-key
fluxcd_resource_dir: /tmp/fluxcd
flux_helm_controller_img: docker.io/fluxcd/helm-controller:v0.27.0
flux_source_controller_img: docker.io/fluxcd/source-controller:v0.32.1
flux_helm_controller_img: docker.io/fluxcd/helm-controller:v0.35.0
flux_source_controller_img: docker.io/fluxcd/source-controller:v1.0.1
local_registry: registry.local:9001
async_timeout: 240
async_retries: 80


@@ -33,5 +33,5 @@ cert_manager_webhook_img_2112: quay.io/jetstack/cert-manager-webhook:v0.15.0
snapshot_controller_img: quay.io/k8scsi/snapshot-controller:v2.0.0-rc2
rvmc_img: docker.io/starlingx/rvmc:stx.8.0-v1.0.1
pause_img: k8s.gcr.io/pause:3.4.1
flux_helm_controller_img: docker.io/fluxcd/helm-controller:v0.27.0
flux_source_controller_img: docker.io/fluxcd/source-controller:v0.32.1
flux_helm_controller_img: docker.io/fluxcd/helm-controller:v0.35.0
flux_source_controller_img: docker.io/fluxcd/source-controller:v1.0.1


@@ -29,5 +29,5 @@ cert_manager_ctl_img: quay.io/jetstack/cert-manager-ctl:v1.7.1
snapshot_controller_img: quay.io/k8scsi/snapshot-controller:v2.0.0-rc2
rvmc_img: docker.io/starlingx/rvmc:stx.8.0-v1.0.1
pause_img: k8s.gcr.io/pause:3.4.1
flux_helm_controller_img: docker.io/fluxcd/helm-controller:v0.27.0
flux_source_controller_img: docker.io/fluxcd/source-controller:v0.32.1
flux_helm_controller_img: docker.io/fluxcd/helm-controller:v0.35.0
flux_source_controller_img: docker.io/fluxcd/source-controller:v1.0.1


@@ -29,5 +29,5 @@ cert_manager_ctl_img: quay.io/jetstack/cert-manager-ctl:v1.11.1
snapshot_controller_img: quay.io/k8scsi/snapshot-controller:v2.0.0-rc2
rvmc_img: docker.io/starlingx/rvmc:stx.8.0-v1.0.1
pause_img: k8s.gcr.io/pause:3.4.1
flux_helm_controller_img: docker.io/fluxcd/helm-controller:v0.27.0
flux_source_controller_img: docker.io/fluxcd/source-controller:v0.32.1
flux_helm_controller_img: docker.io/fluxcd/helm-controller:v0.35.0
flux_source_controller_img: docker.io/fluxcd/source-controller:v1.0.1


@@ -29,5 +29,5 @@ cert_manager_ctl_img: quay.io/jetstack/cert-manager-ctl:v1.7.1
snapshot_controller_img: quay.io/k8scsi/snapshot-controller:v2.0.0-rc2
rvmc_img: docker.io/starlingx/rvmc:stx.8.0-v1.0.1
pause_img: k8s.gcr.io/pause:3.4.1
flux_helm_controller_img: docker.io/fluxcd/helm-controller:v0.27.0
flux_source_controller_img: docker.io/fluxcd/source-controller:v0.32.1
flux_helm_controller_img: docker.io/fluxcd/helm-controller:v0.35.0
flux_source_controller_img: docker.io/fluxcd/source-controller:v1.0.1