Introduce the flag `--default-service-account` for allowing cluster admins to enforce impersonation for resource reconciliation.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
When ExternalEventRecorder is nil, the helm release reference is not used
therefore the function can safely return early.
Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
Add `values.yaml` to the supported kubeconfig secret key names in order for SOPS to correctly detect the storage format based on the file extension.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Before:
{"level":"info","ts":"2021-03-03T12:45:41.305Z","logger":"controller.helmrelease","msg":"could not find optional %s '%s'","reconciler group":"helm.toolkit.fluxcd.io","reconciler kind":"HelmRelease","name":"cert-manager","namespace":"kommander","ConfigMap":{"namespace":"kommander","name":"cert-manager-overrides"}}
After:
{"level":"info","ts":"2021-03-03T13:56:46.365+0100","logger":"controller.helmrelease","msg":"could not find optional ConfigMap 'kommander/cert-manager-overrides'","reconciler group":"helm.toolkit.fluxcd.io","reconciler kind":"HelmRelease","name":"cert-manager","namespace":"kommander"}
Signed-off-by: Max Jonas Werner <mwerner@d2iq.com>
To include a bug fix to the `ReconcilateAtChangedPredicate`
and renaming to `ReconcileRequestedPredicate`.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This commit upgrades the `controller-runtime` dependency to `v0.7.0`,
including all changes required to make all wiring work again.
- Upgrade `runtime` to v0.6.0 to include `controller-runtime` changes.
- Loggers have been removed from the reconcilers and are now retrieved
from the `context.Context` passed to the `Reconcile` method and
downwards functions.
- Logger configuration flags are now bound to the flag set using
`BindFlags` from `runtime/logger`, ensuring the same contract across
GitOps Toolkit controllers, and the `--log-json` flag has been
deprecated in favour of the `--log-encoding=json` default.
- The `ChangePredicate` from `runtime` has changed to a
`ReconcilateAtChangedPredicate`, and is now chained with the
`GenerationChangedPredicate` from `controller-runtime` using
`predicate.Or`.
- Signatures that made use of `runtime.Object` have changed to
`client.Object`, removing the requirement to e.g. call
`runtime.Object#Object`.
- The `leader-election-role` was changed, as leader election now works
via the `coordination/v1` API.
Other notable changes:
- `util.ObjectKey` was added to easily construct a `client.ObjectKey` /
`types.NamespacedName` from a `metav1.Object`.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This prevents the resource hanging forever if the release does not exist
in the Helm storage because it was either never created, or because it
was already removed by e.g. Kubernetes due to a namespace deletion.
Signed-off-by: Hidde Beydals <hello@hidde.co>
If a resource is marked as suspended we should not perform any
reconciliation action for the resource at all.
This includes updating the status of the resource to a
`Ready==False` state, as this is not an accurate representation of
the resource's state: we have been told to no longer look at it
and with that our last observation freezes in time.
Resource deletions are the sole exception to actions (not) being
performed, as we are duty-bound to remove our finalizer from the
resource to make a deletion succeed.
To make the suspend state still visible to the user, a column has
been added to the Custom Resource Definition which prints the
`.spec.suspend` of every HelmRelease.
Signed-off-by: Hidde Beydals <hello@hidde.co>
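The ordering described in the commit message above, as an added Go example that is not the controller's own code: deletion is handled before the suspend check, and a suspended object gets no status write. The `Release` type, the `reconcile` function and the finalizer name are hypothetical stand-ins.

```go
package main

import "fmt"

// exampleFinalizer is a constructed name, not the controller's real finalizer.
const exampleFinalizer = "example.test/finalizer"

// Release is a hypothetical, pared-down stand-in for a HelmRelease.
type Release struct {
	Suspend    bool     // mirrors .spec.suspend
	Deleting   bool     // true once a deletion timestamp is set
	Finalizers []string // deletion blocks while this is non-empty
	Ready      string   // last recorded Ready condition status
}

// reconcile returns the action taken for r.
func reconcile(r *Release) string {
	// Deletion comes first: it is the one action still performed while
	// suspended, otherwise the object could never be removed.
	if r.Deleting {
		kept := r.Finalizers[:0]
		for _, f := range r.Finalizers {
			if f != exampleFinalizer {
				kept = append(kept, f)
			}
		}
		r.Finalizers = kept
		return "finalizer-removed"
	}
	// Suspended: return before any status write, so Ready keeps the
	// last observation instead of flipping to False.
	if r.Suspend {
		return "skipped"
	}
	r.Ready = "True" // stands in for a successful release action
	return "reconciled"
}

func main() {
	paused := &Release{Suspend: true, Ready: "True", Finalizers: []string{exampleFinalizer}}
	fmt.Println(reconcile(paused), paused.Ready) // suspended: status untouched
	paused.Deleting = true
	fmt.Println(reconcile(paused), len(paused.Finalizers)) // deletion still proceeds
}
```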
Changes the condition type to the one introduced in k8s 1.19, including
the newly introduced helpers in place of the old pkg/apis/meta types.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This is a regression bug fix due to the introduction of the default
values in the source-controller CRDs.
Signed-off-by: Hidde Beydals <hello@hidde.co>
The reason for this is the `EnqueueRequestsFromMapFunc` calling the
enqueuer for _both_ the old and the new object, and we only want to act
on the ones that contain a revision different from the one that we have
recorded in the status object of the `HelmRelease`.
Signed-off-by: Hidde Beydals <hello@hidde.co>
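The filter described in the commit message above, as an added Go example that is not the controller's own code: the map function runs for both the old and the new source object, and only a revision that differs from the recorded one produces a request. The `Chart` and `Release` types, the `RecordedRevision` field and the sample values are hypothetical.

```go
package main

import "fmt"

// Chart and Release are hypothetical stand-ins for the source object and
// the HelmRelease; RecordedRevision models the revision kept in status.
type Chart struct {
	Name     string
	Revision string
}

type Release struct {
	Name             string
	ChartName        string
	RecordedRevision string
}

// requestsFor plays the role of the map function: given one version of a
// chart, it returns the names of the releases that should be reconciled.
func requestsFor(c Chart, releases []Release) []string {
	var out []string
	for _, r := range releases {
		if r.ChartName != c.Name {
			continue // release does not use this chart
		}
		if r.RecordedRevision == c.Revision {
			continue // revision already recorded: nothing new to act on
		}
		out = append(out, r.Name)
	}
	return out
}

// onUpdate mimics an update event, where the map function is invoked for
// both the old and the new object.
func onUpdate(oldC, newC Chart, releases []Release) []string {
	return append(requestsFor(oldC, releases), requestsFor(newC, releases)...)
}

func main() {
	// Constructed sample data.
	releases := []Release{
		{Name: "cert-manager", ChartName: "cert-manager", RecordedRevision: "1.0.0"},
		{Name: "podinfo", ChartName: "podinfo", RecordedRevision: "6.0.0"},
	}
	oldC := Chart{Name: "cert-manager", Revision: "1.0.0"}
	newC := Chart{Name: "cert-manager", Revision: "1.1.0"}
	fmt.Println(onUpdate(oldC, newC, releases))
}
```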
This prevents the resources from getting annotated, and instead uses
the `handler.EnqueueRequestsFromMapFunc` to queue requests based on
changes to the source objects.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This is an initial implementation for cross-cluster Helm release
support that relies on a KubeConfig secret, and a reference to it in
the HelmRelease resource.

If set, all actions taken by the Helm runner are executed using the
KubeConfig from the secret. The Helm storage is stored on the remote
cluster in a namespace that equals the namespace of the HelmRelease
in the managing cluster; the release itself is made in either this
namespace, or the configured TargetNamespace. In any case, both are
expected to exist and/or be created beforehand.

Other references to Kubernetes resources in the HelmRelease, like
ValuesReference resources, are expected to exist on the managing
cluster.

By confirming the observed generation is up-to-date before checking
the `Ready` condition state after chart reconciliation, we guarantee
the chart we use for the release always is on par with the state of
the `HelmRelease`.

In addition, we requeue to prevent the `HelmRelease` getting stuck
in a "HelmChart is not ready" state. Previously triggered by a no-op
chart update without a revision change that caused the watcher to
not request a reconciliation for the `HelmRelease`.

As `ParseInto` expects the destination to be initialized, which led
to an `unable to parse key: assignment to entry in nil map` error in
configurations where the first `ValuesReference` had a `targetPath`
defined.

As the existing logic relied on other conditions that caused the
`released` to never be nil, but this may not be true for future
iterations, which makes this a case of better safe than sorry.

This makes it possible for e.g. the GOTK CLI to observe if the
controller has handled the resource since the manual reconciliation
request was made. It replaces the `LastObservedTime` status field,
as this was prone to time skew issues and does not offer much additional
value over the timestamps of the conditions.

We were logging the spec interval duration, which was incorrect:
1. On failures, which use exponential backoff
2. On dependency not ready, which uses a separately defined static interval.

This changes to log result.RequeueAfter directly when set.