Merge "Upgrade FluxCD Helm and Source Controllers."

2023-08-30 21:08:22 +00:00
parent 4625f05ede 506c7c3999
commit 8e52618cba
8 changed files with 5853 additions and 1057 deletions
--- a/playbookconfig/src/playbooks/roles/common/fluxcd-controllers/templates/fluxcd-crds.yaml.j2
+++ b/playbookconfig/src/playbooks/roles/common/fluxcd-controllers/templates/fluxcd-crds.yaml.j2
--- a/playbookconfig/src/playbooks/roles/common/fluxcd-controllers/templates/fluxcd-deployments.yaml.j2
+++ b/playbookconfig/src/playbooks/roles/common/fluxcd-controllers/templates/fluxcd-deployments.yaml.j2
@@ -20,8 +20,8 @@ spec:
    spec:
      containers:
      - name: manager
-        command: ["/sbin/tini"]
-        args: ["--", "/bin/sh", "-c", "helm-controller --watch-all-namespaces --log-level=debug --log-encoding=console --enable-leader-election 2>&1 | tee -a /var/log/helm-controller.log"]
+        command: ["/bin/sh"]
+        args: ["-c", "helm-controller --watch-all-namespaces --log-level=debug --log-encoding=console --enable-leader-election 2>&1 | tee -a /var/log/helm-controller.log"]
        env:
        - name: RUNTIME_NAMESPACE
          valueFrom:
@@ -53,7 +53,13 @@ spec:
            memory: 64Mi
        securityContext:
          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
        volumeMounts:
        - mountPath: /tmp
          name: temp
@@ -141,7 +147,13 @@ spec:
            memory: 64Mi
        securityContext:
          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
        volumeMounts:
        - mountPath: /data
          name: data
--- a/playbookconfig/src/playbooks/roles/common/fluxcd-controllers/templates/fluxcd-rbac.yaml.j2
+++ b/playbookconfig/src/playbooks/roles/common/fluxcd-controllers/templates/fluxcd-rbac.yaml.j2
@@ -1,4 +1,3 @@
---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -36,7 +35,7 @@ rules:
  verbs:
  - '*'
 - apiGroups:
-  - ""
+  - ''
  resources:
  - namespaces
  - secrets
@@ -47,14 +46,14 @@ rules:
  - list
  - watch
 - apiGroups:
-  - ""
+  - ''
  resources:
  - events
  verbs:
  - create
  - patch
 - apiGroups:
-  - ""
+  - ''
  resources:
  - configmaps
  verbs:
@@ -66,7 +65,7 @@ rules:
  - patch
  - delete
 - apiGroups:
-  - ""
+  - ''
  resources:
  - configmaps/status
  verbs:
@@ -87,6 +86,46 @@ rules:
  - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: flux-edit
+  namespace: flux-helm
+rules:
+- apiGroups:
+  - notification.toolkit.fluxcd.io
+  - source.toolkit.fluxcd.io
+  - helm.toolkit.fluxcd.io
+  - image.toolkit.fluxcd.io
+  - kustomize.toolkit.fluxcd.io
+  resources:
+  - '*'
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: flux-view
+  namespace: flux-helm
+rules:
+- apiGroups:
+  - notification.toolkit.fluxcd.io
+  - source.toolkit.fluxcd.io
+  - helm.toolkit.fluxcd.io
+  - image.toolkit.fluxcd.io
+  - kustomize.toolkit.fluxcd.io
+  resources:
+  - '*'
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: crd-controller
--- a/playbookconfig/src/playbooks/roles/common/fluxcd-controllers/vars/main.yml
+++ b/playbookconfig/src/playbooks/roles/common/fluxcd-controllers/vars/main.yml
@@ -2,8 +2,8 @@
 fluxcd_namespace: flux-helm
 fluxcd_secret_name: default-registry-key
 fluxcd_resource_dir: /tmp/fluxcd
-flux_helm_controller_img: docker.io/fluxcd/helm-controller:v0.27.0
-flux_source_controller_img: docker.io/fluxcd/source-controller:v0.32.1
+flux_helm_controller_img: docker.io/fluxcd/helm-controller:v0.35.0
+flux_source_controller_img: docker.io/fluxcd/source-controller:v1.0.1
 local_registry: registry.local:9001
 async_timeout: 240
 async_retries: 80
--- a/playbookconfig/src/playbooks/roles/common/load-images-information/vars/k8s-v1.21.8/system-images.yml
+++ b/playbookconfig/src/playbooks/roles/common/load-images-information/vars/k8s-v1.21.8/system-images.yml
@@ -30,5 +30,5 @@ cert_manager_ctl_img: quay.io/jetstack/cert-manager-ctl:v1.7.1
 snapshot_controller_img: quay.io/k8scsi/snapshot-controller:v2.0.0-rc2
 rvmc_img: docker.io/starlingx/rvmc:stx.8.0-v1.0.1
 pause_img: k8s.gcr.io/pause:3.4.1
-flux_helm_controller_img: docker.io/fluxcd/helm-controller:v0.27.0
-flux_source_controller_img: docker.io/fluxcd/source-controller:v0.32.1
+flux_helm_controller_img: docker.io/fluxcd/helm-controller:v0.35.0
+flux_source_controller_img: docker.io/fluxcd/source-controller:v1.0.1
--- a/playbookconfig/src/playbooks/roles/common/load-images-information/vars/k8s-v1.22.5/system-images.yml
+++ b/playbookconfig/src/playbooks/roles/common/load-images-information/vars/k8s-v1.22.5/system-images.yml
@@ -29,5 +29,5 @@ cert_manager_ctl_img: quay.io/jetstack/cert-manager-ctl:v1.7.1
 snapshot_controller_img: quay.io/k8scsi/snapshot-controller:v2.0.0-rc2
 rvmc_img: docker.io/starlingx/rvmc:stx.8.0-v1.0.1
 pause_img: k8s.gcr.io/pause:3.4.1
-flux_helm_controller_img: docker.io/fluxcd/helm-controller:v0.27.0
-flux_source_controller_img: docker.io/fluxcd/source-controller:v0.32.1
+flux_helm_controller_img: docker.io/fluxcd/helm-controller:v0.35.0
+flux_source_controller_img: docker.io/fluxcd/source-controller:v1.0.1
--- a/playbookconfig/src/playbooks/roles/common/load-images-information/vars/k8s-v1.24.4/system-images.yml
+++ b/playbookconfig/src/playbooks/roles/common/load-images-information/vars/k8s-v1.24.4/system-images.yml
@@ -34,5 +34,5 @@ cert_manager_webhook_img_171: quay.io/jetstack/cert-manager-webhook:v1.7.1
 snapshot_controller_img: quay.io/k8scsi/snapshot-controller:v2.0.0-rc2
 rvmc_img: docker.io/starlingx/rvmc:stx.8.0-v1.0.1
 pause_img: k8s.gcr.io/pause:3.4.1
-flux_helm_controller_img: docker.io/fluxcd/helm-controller:v0.27.0
-flux_source_controller_img: docker.io/fluxcd/source-controller:v0.32.1
+flux_helm_controller_img: docker.io/fluxcd/helm-controller:v0.35.0
+flux_source_controller_img: docker.io/fluxcd/source-controller:v1.0.1
--- a/playbookconfig/src/playbooks/roles/common/load-images-information/vars/k8s-v1.26.1/system-images.yml
+++ b/playbookconfig/src/playbooks/roles/common/load-images-information/vars/k8s-v1.26.1/system-images.yml
@@ -29,5 +29,5 @@ cert_manager_ctl_img: quay.io/jetstack/cert-manager-ctl:v1.7.1
 snapshot_controller_img: quay.io/k8scsi/snapshot-controller:v2.0.0-rc2
 rvmc_img: docker.io/starlingx/rvmc:stx.8.0-v1.0.1
 pause_img: k8s.gcr.io/pause:3.4.1
-flux_helm_controller_img: docker.io/fluxcd/helm-controller:v0.27.0
-flux_source_controller_img: docker.io/fluxcd/source-controller:v0.32.1
+flux_helm_controller_img: docker.io/fluxcd/helm-controller:v0.35.0
+flux_source_controller_img: docker.io/fluxcd/source-controller:v1.0.1