Introduce flux2-charts package

Add FluxCD charts package in replacement to the manifests available
under the ansible-playbooks repository.

The existing manifests will be removed by the following review:
https://review.opendev.org/c/starlingx/ansible-playbooks/+/940832

This is part of a larger effort to move the FluxCD installation method
from a pure Ansible approach to a Helm-based method. This will ensure
tighter control over StarlingX required customizations via overrides
and make FluxCD uprev tasks simpler.

Test plan:
PASS: SX fresh install
PASS: DX fresh install
PASS: SX platform upgrade from previous version
PASS: DX platform upgrade from previous version
PASS: SX backup and restore
PASS: DX backup and restore

Story: 2011354
Task: 51691

Change-Id: Ib2da283a071b9dfb1de11aaf06446e30acf815d6
Signed-off-by: Igor Soares <Igor.PiresSoares@windriver.com>

debian_iso_image.inc

@@ -101,6 +101,9 @@ etcd-server
 facter
 libfacter3.14.12
 
+#flux
+flux2-charts
+
 #gpu-operator
 #gpu-operator
 

debian_pkg_dirs

@@ -68,6 +68,7 @@ kubernetes/crictl
 kubernetes/docker-distribution
 kubernetes/etcd
 kubernetes/flux2
+kubernetes/flux2-charts
 kubernetes/helm
 kubernetes/k8s-cni-cache-cleanup
 kubernetes/k8s-pod-recovery

kubernetes/flux2-charts/debian/deb_folder/changelog

@@ -0,0 +1,5 @@
+flux2-charts (2.13.0-1) stable; urgency=medium
+
+  * Initial release
+
+ -- Igor Pires Soares <igor.piressoares@windriver.com>  Web, 12 Feb 2025 15:40:22 +0000

kubernetes/flux2-charts/debian/deb_folder/control

@@ -0,0 +1,15 @@
+Source: flux2-charts
+Section: admin
+Priority: optional
+Maintainer: StarlingX Developers <starlingx-discuss@lists.starlingx.io>
+Build-Depends: debhelper-compat (= 13), helm
+Standards-Version: 4.5.1
+Homepage: https://www.starlingx.io
+
+Package: flux2-charts
+Architecture: any
+Depends:  ${misc:Depends}
+Description: A Helm chart for flux2.
+ Flux is a tool for keeping Kubernetes clusters in sync with sources of
+ configuration (like Git repositories), and automating updates to
+ configuration. This package provides the Helm charts for deploying Flux.

kubernetes/flux2-charts/debian/deb_folder/copyright

@@ -0,0 +1,31 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+
+Upstream-Name: flux2
+Upstream-Contact: cncf-flux-dev@lists.cncf.io
+Source: https://github.com/fluxcd-community/helm-charts
+Files: *
+Copyright: (C) Copyright 2025 The FluxCD Community All Rights Reserved
+License: Apache-2
+
+Upstream-Name: flux2
+Upstream-Contact: StarlingX Developers <starlingx-discuss@lists.starlingx.io>
+Source: https://opendev.org/starlingx/integ/src/branch/master/kubernetes/flux2-charts
+Files: debian/*
+Copyright: (c) 2025 Wind River Systems, Inc.
+License: Apache-2
+
+License: Apache-2
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+    http://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ .
+ On Debian-based systems the full text of the Apache version 2.0 license
+ can be found in `/usr/share/common-licenses/Apache-2.0'.

kubernetes/flux2-charts/debian/deb_folder/flux2-charts.install

@@ -0,0 +1 @@
+usr/local/share/flux2-charts/*

kubernetes/flux2-charts/debian/deb_folder/flux2-charts.lintian-overrides

@@ -0,0 +1 @@
+description-starts-with-package-name

kubernetes/flux2-charts/debian/deb_folder/rules

@@ -0,0 +1,28 @@
+#!/usr/bin/make -f
+# export DH_VERBOSE = 1
+
+export ROOT = debian/tmp
+
+export FLUX_CHARTS_VERSION = 2.13.0
+export FLUX_CHARTS_PKG = flux2-$(FLUX_CHARTS_VERSION).tar.gz
+export TARGET_DIR = $(ROOT)/usr/local/share/flux2-charts
+
+%:
+	dh $@
+
+override_dh_auto_build:
+	mkdir -p build
+
+	# Copy flux2 charts
+	cp -r charts/flux2 build/
+
+	cp Makefile build
+
+	cd build && make
+
+override_dh_auto_install:
+	install -d -m 755 $(TARGET_DIR)
+	install -p -D -m 755 build/flux2-$(FLUX_CHARTS_VERSION).tgz $(TARGET_DIR)
+
+override_dh_usrlocal:
+	# Do Nothing

kubernetes/flux2-charts/debian/deb_folder/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

kubernetes/flux2-charts/debian/meta_data.yaml

@@ -0,0 +1,13 @@
+---
+debname: flux2-charts
+debver: 2.13.0-1
+src_path: files
+dl_path:
+  name: flux2-2.13.0.tar.gz
+  url: https://github.com/fluxcd-community/helm-charts/archive/refs/tags/flux2-2.13.0.tar.gz
+  sha256sum: d620d63c2730b6979c9e89e2a8b690e18fc569555f2a6b6ec2399611524b6e77
+src_files:
+  - files/Makefile
+revision:
+  dist: $STX_DIST
+  PKG_GITREVCOUNT: true

kubernetes/flux2-charts/debian/patches/0001-Include-more-template-options-for-helm-and-source-co.patch

@@ -0,0 +1,135 @@
+From 84b2ec2215807f522a6069fc12da519b2fe75ffd Mon Sep 17 00:00:00 2001
+From: Igor Soares <Igor.PiresSoares@windriver.com>
+Date: Wed, 19 Feb 2025 09:26:17 -0300
+Subject: [PATCH 1/2] Include more template options for helm and source
+ controllers
+
+Options added to the helm-controller deployment:
+
+* readinessProbe.timeoutSeconds
+* livenessProbe.timeoutSeconds
+* terminationGracePeriodSeconds
+
+Options added to the source-controller deployment:
+
+* readinessProbe.timeoutSeconds
+* livenessProbe.timeoutSeconds
+
+Added as a global option and included in both controllers:
+* logEncoding
+
+In addition, the container.additionalArgs option was modified
+to allow output redirection for both controllers.
+
+Signed-off-by: Igor Soares <Igor.PiresSoares@windriver.com>
+---
+ charts/flux2/templates/helm-controller.yaml   | 25 +++++++------------
+ charts/flux2/templates/source-controller.yaml | 21 ++++++----------
+ 2 files changed, 17 insertions(+), 29 deletions(-)
+
+diff --git a/charts/flux2/templates/helm-controller.yaml b/charts/flux2/templates/helm-controller.yaml
+index 0811c15..85c4c15 100644
+--- a/charts/flux2/templates/helm-controller.yaml
++++ b/charts/flux2/templates/helm-controller.yaml
+@@ -38,21 +38,8 @@ spec:
+         {{- toYaml .Values.helmController.initContainers | nindent 8}}
+     {{- end}}
+       containers:
+-      - args:
+-        {{- if .Values.multitenancy.enabled }}
+-        - --no-cross-namespace-refs=true
+-        - --default-service-account={{ .Values.multitenancy.defaultServiceAccount | default "default"  }}
+-        {{- end}}
+-        {{- if .Values.notificationController.create }}
+-        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
+-        {{- end}}
+-        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
+-        - --log-level={{ .Values.logLevel | default "info" }}
+-        - --log-encoding=json
+-        - --enable-leader-election
+-        {{- range .Values.helmController.container.additionalArgs }}
+-        - {{ . }}
+-        {{- end}}
++      - command: ["/bin/sh"]
++        args: ["-c", "helm-controller {{- if .Values.multitenancy.enabled }} --no-cross-namespace-refs=true --default-service-account={{ .Values.multitenancy.defaultServiceAccount | default "default"  }} {{- end}} {{- if .Values.notificationController.create }} --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}. {{- end}} --watch-all-namespaces={{ .Values.watchAllNamespaces }} --log-level={{ .Values.logLevel | default "info" }} --log-encoding={{ .Values.logEncoding | default "json" }} --enable-leader-election {{ .Values.helmController.container.additionalArgs }}"]
+         env:
+         - name: RUNTIME_NAMESPACE
+           valueFrom:
+@@ -71,6 +58,9 @@ spec:
+           httpGet:
+             path: /healthz
+             port: healthz
++          {{- if and .Values.helmController.livenessProbe .Values.helmController.livenessProbe.timeoutSeconds }}
++          timeoutSeconds: {{ .Values.helmController.livenessProbe.timeoutSeconds }}
++          {{- end }}
+         name: manager
+         ports:
+         - containerPort: 8080
+@@ -82,6 +72,9 @@ spec:
+           httpGet:
+             path: /readyz
+             port: healthz
++          {{- if and .Values.helmController.readinessProbe .Values.helmController.readinessProbe.timeoutSeconds }}
++          timeoutSeconds: {{ .Values.helmController.readinessProbe.timeoutSeconds }}
++          {{- end }}
+         {{- with .Values.helmController.resources }}
+         resources: {{ toYaml . | nindent 10 }}
+         {{- end }}
+@@ -114,7 +107,7 @@ spec:
+       {{- if .Values.imagePullSecrets }}
+       imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
+       {{- end }}
+-      terminationGracePeriodSeconds: 600
++      terminationGracePeriodSeconds: {{ .Values.helmController.terminationGracePeriodSeconds | default 600 }}
+       volumes:
+       - emptyDir: {}
+         name: temp
+diff --git a/charts/flux2/templates/source-controller.yaml b/charts/flux2/templates/source-controller.yaml
+index 46c7cfe..2bd2eea 100644
+--- a/charts/flux2/templates/source-controller.yaml
++++ b/charts/flux2/templates/source-controller.yaml
+@@ -36,19 +36,8 @@ spec:
+         {{- toYaml .Values.sourceController.initContainers | nindent 8}}
+       {{- end}}
+       containers:
+-      - args:
+-        {{- if .Values.notificationController.create }}
+-        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
+-        {{- end}}
+-        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
+-        - --log-level={{ .Values.logLevel | default "info" }}
+-        - --log-encoding=json
+-        - --enable-leader-election
+-        - --storage-path=/data
+-        - --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
+-        {{- range .Values.sourceController.container.additionalArgs }}
+-        - {{ . }}
+-        {{- end}}
++      - command: ["/bin/sh"]
++        args: ["-c", "source-controller {{- if .Values.notificationController.create }} --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}. {{- end}} --watch-all-namespaces={{ .Values.watchAllNamespaces }} --log-level={{ .Values.logLevel | default "info" }} --log-encoding={{ .Values.logEncoding | default "json" }} --enable-leader-election --storage-path=/data --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}. {{ .Values.sourceController.container.additionalArgs }}"]
+         env:
+         - name: RUNTIME_NAMESPACE
+           valueFrom:
+@@ -67,6 +56,9 @@ spec:
+           httpGet:
+             path: /healthz
+             port: healthz
++          {{- if and .Values.sourceController.livenessProbe .Values.sourceController.livenessProbe.timeoutSeconds }}
++          timeoutSeconds: {{ .Values.sourceController.livenessProbe.timeoutSeconds }}
++          {{- end }}
+         name: manager
+         ports:
+         - containerPort: 9090
+@@ -82,6 +74,9 @@ spec:
+           httpGet:
+             path: /
+             port: http
++          {{- if and .Values.sourceController.readinessProbe .Values.sourceController.readinessProbe.timeoutSeconds }}
++          timeoutSeconds: {{ .Values.sourceController.readinessProbe.timeoutSeconds }}
++          {{- end }}
+         {{- with .Values.sourceController.resources }}
+         resources: {{ toYaml . | nindent 10 }}
+         {{- end }}
+-- 
+2.34.1
+

kubernetes/flux2-charts/debian/patches/0002-Add-template-option-to-allow-enabling-disabling-the-.patch

@@ -0,0 +1,66 @@
+From 4d2eb3b9f265bcb4b80ff7d335a430560a29b234 Mon Sep 17 00:00:00 2001
+From: Igor Soares <Igor.PiresSoares@windriver.com>
+Date: Wed, 19 Feb 2025 10:19:02 -0300
+Subject: [PATCH 2/2] Add template option to allow enabling/disabling the
+ pre-install job
+
+Add the .Values.preInstallJob.create option to allow enabling/disabling
+the pre-install job.
+
+The service account related to the pre-install job will be
+enabled/disabled accordingly as well.
+
+This is required because in certain scenarios, such as platform
+upgrades, we need to skip the Kubernetes version check.
+
+Signed-off-by: Igor Soares <Igor.PiresSoares@windriver.com>
+---
+ charts/flux2/templates/pre-install-job-serviceaccount.yaml | 2 ++
+ charts/flux2/templates/pre-install-job.yaml                | 2 ++
+ charts/flux2/values.yaml                                   | 3 +++
+ 3 files changed, 7 insertions(+)
+
+diff --git a/charts/flux2/templates/pre-install-job-serviceaccount.yaml b/charts/flux2/templates/pre-install-job-serviceaccount.yaml
+index f634869..14b35fd 100644
+--- a/charts/flux2/templates/pre-install-job-serviceaccount.yaml
++++ b/charts/flux2/templates/pre-install-job-serviceaccount.yaml
+@@ -1,3 +1,4 @@
++{{- if and .Values.preInstallJob.create}}
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+@@ -12,3 +13,4 @@ metadata:
+     "helm.sh/hook": pre-install
+     "helm.sh/hook-weight": "-10"
+     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
++{{- end }}
+\ No newline at end of file
+diff --git a/charts/flux2/templates/pre-install-job.yaml b/charts/flux2/templates/pre-install-job.yaml
+index 2c2541f..59bfa32 100644
+--- a/charts/flux2/templates/pre-install-job.yaml
++++ b/charts/flux2/templates/pre-install-job.yaml
+@@ -1,3 +1,4 @@
++{{- if and .Values.preInstallJob.create}}
+ apiVersion: batch/v1
+ kind: Job
+ metadata:
+@@ -70,3 +71,4 @@ spec:
+       {{- with .Values.cli.tolerations }}
+       tolerations: {{ toYaml . | nindent 8 }}
+       {{- end }}
++{{- end }}
+\ No newline at end of file
+diff --git a/charts/flux2/values.yaml b/charts/flux2/values.yaml
+index 6a023c7..9277f13 100644
+--- a/charts/flux2/values.yaml
++++ b/charts/flux2/values.yaml
+@@ -325,3 +325,6 @@ prometheus:
+           - sourceLabels: [__meta_kubernetes_pod_phase]
+             action: keep
+             regex: Running
++
++preInstallJob:
++  create: true
+-- 
+2.34.1
+

kubernetes/flux2-charts/debian/patches/series

@@ -0,0 +1,2 @@
+0001-Include-more-template-options-for-helm-and-source-co.patch
+0002-Add-template-option-to-allow-enabling-disabling-the-.patch

kubernetes/flux2-charts/files/Makefile

@@ -0,0 +1,19 @@
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# It's necessary to set this because some environments don't link sh -> bash.
+SHELL := /bin/bash
+
+all: build clean
+
+lint:
+	helm lint flux2/
+
+build: lint
+	helm package flux2
+
+clean:
+	@echo "Clean all build artifacts"
+	rm -f flux2/templates/_partials.tpl flux2/templates/_globals.tpl
+	rm -rf flux2/charts