This allows install and upgrade actions to use DNS lookups while
rendering Helm templates after it got disabled in Helm due to possible
security risks.
It is enabled (globally) on the controller by configuring
`--feature-gates=AllowDNSLookups=true`.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
As there are currently no other utilities to properly see what change
the controller detected, this allows people to gain insight into
the observed changes by configuring the controller with
`--log-level=debug`.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
This allows a specific object from a release manifest to be excluded
from drift detection by labeling or annotating it with:
`helm.toolkit.fluxcd.io/diff: disabled`.
Using a Kustomize post renderer definition in a HelmRelease, this can
be used to ignore any object from an arbitrary chart.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
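The exclusion described in the commit above, as an added example that is not part of the commit or the helm-controller repository: a HelmRelease whose Kustomize post-renderer patches one object from the chart with the `helm.toolkit.fluxcd.io/diff: disabled` annotation so drift detection skips it. The chart, release name and the patched Deployment name are constructed; the `postRenderers[].kustomize.patches` field layout is assumed to match the `v2beta1` API.

```yaml
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: podinfo            # constructed release name
  namespace: default
spec:
  interval: 10m
  chart:
    spec:
      chart: podinfo       # constructed chart name
      sourceRef:
        kind: HelmRepository
        name: podinfo
  postRenderers:
    - kustomize:
        patches:
          # Target a single rendered object from the chart; the patch only
          # adds the annotation, leaving the rest of the manifest untouched.
          - target:
              kind: Deployment
              name: podinfo
            patch: |
              apiVersion: apps/v1
              kind: Deployment
              metadata:
                name: podinfo
                annotations:
                  helm.toolkit.fluxcd.io/diff: disabled
```

Because the post-render output is what gets written to the Helm storage, the annotation also shows up in the stored manifest, which is where the drift detector reads it from; objects without the marker are still compared against cluster state.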
This enables experimental drift detection of cluster state compared to
the current manifest data from the Helm storage's manifest blob.
Drift detection works based on the already proven approach of the
kustomize-controller's SSA package, and utilizes the managed field
configured by the controller since `v0.12.2`.
This feature is planned to go out of experimental once the further
controller rewrite has been finished, and the state of the Helm storage
itself is more fault tolerant.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
This allows the applied CRDs to be traced using the same labels as
currently applied to resources using a Kustomize post-render.
Kustomize is not used here as the apply logic for CRDs is different
from the approach used during releasing, where we inject the labels
in such a way that they are written back to the Helm storage in the
rendered manifest. This is to match Helm's logic from which our present
code is already derived (but with support for policies).
This also moves the full responsibility of dealing with the install
of CRDs to ourselves, as we no longer fall back to Helm's logic when
`Create` is configured as a policy during a Helm install, as this
would not allow us to add the labels.
Signed-off-by: Hidde Beydals <hello@hidde.co>
You can re-enable caching of secrets by starting the
controller with the argument `--feature-gates=CacheSecretsAndConfigMaps=true`
Signed-off-by: Mac Chaffee <machaffe@renci.org>
Fixing a regression introduced in #480 which would always pick the
namespace of the release. In addition, historically the
configuration of the impersonation username while making use of a
KubeConfig has never worked correctly; this has been addressed as well.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This is a partial cherry-pick of commit ae4f499e87, including
changes around `kube`. This is to include some of the changes around the
construction of the ConfigFlags RESTClientGetter, as an attempt to
solve token refresh issues.
Signed-off-by: Hidde Beydals <hello@hidde.co>
Two new flags were added to allow users to enable the
use of user.Exec and InsecureTLS in the kubeconfigs
provided for remote apply reconciliations.
Breaking change: both functionalities are no longer
enabled by default.
Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
This commit changes the default behavior of the Helm uninstall action
to wait for all resources to be deleted, and introduces a
`.spec.uninstall.disableWait` flag to disable this behavior.
Signed-off-by: Samuel Torres <samuelpirestorres@gmail.com>
Introduce the flag `--default-service-account` for allowing cluster admins to enforce impersonation for resources reconciliation.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Controller-runtime has been updated to `v0.9.0`, K8s dependencies to
`v0.21.1`, and all `fluxcd/pkg` and other dependencies to the versions
that have matching dependencies and/or build constraints.
This includes an update of Helm to `v3.6.0`, and an update of the
Kustomize API to match `v4.1.x`.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This gives the CRD policy introduced in the previous MINOR release
precedence, avoiding `skipCRDs is set to false and crds is set to
Skip` errors when the `skipCRDs` field is omitted.
Signed-off-by: Hidde Beydals <hello@hidde.co>
Changed in a6cc150aa6 without a clear
reason, may be restored in the future but this depends on
a6cc150aa6 (r617706942)
Signed-off-by: Hidde Beydals <hello@hidde.co>
This provides richer debugging information for wait timeouts, e.g.
```
wait.go:225: [debug] Service does not have load balancer ingress IP
address: deis/deis-builder
wait.go:225: [debug] Service does not have load balancer ingress IP
address: deis/deis-builder
```
Signed-off-by: Hidde Beydals <hello@hidde.co>
This commit adds a new post renderer that labels all resources with
`helm.toolkit.fluxcd.io/name` and `helm.toolkit.fluxcd.io/namespace`
so their source of origin can be traced back by e.g. the Flux UI.
The post renderer makes use of the Kustomize API without running
a full Kustomize build, by directly making use of the builtin
`LabelTransformerPlugin` on a `ResMap` that has been constructed
from the bytes of the `bytes.Buffer` given by Helm.
Signed-off-by: Hidde Beydals <hello@hidde.co>
* Use constants for APIVersion and Kind in Kustomization config
* Remove redundant JSON marshal of strategic merge patches
* Factor out Kustomization build wrapper and add notes about settings
Signed-off-by: Hidde Beydals <hello@hidde.co>
This commit upgrades the `controller-runtime` dependency to `v0.7.0`,
including all changes required to make all wiring work again.
- Upgrade `runtime` to v0.6.0 to include `controller-runtime` changes.
- Loggers have been removed from the reconcilers and are now retrieved
from the `context.Context` passed to the `Reconcile` method and
downwards functions.
- Logger configuration flags are now bound to the flag set using
`BindFlags` from `runtime/logger`, ensuring the same contract across
GitOps Toolkit controllers, and the `--log-json` flag has been
deprecated in favour of the `--log-encoding=json` default.
- The `ChangePredicate` from `runtime` has changed to a
`ReconcilateAtChangedPredicate`, and is now chained with the
`GenerationChangedPredicate` from `controller-runtime` using
`predicate.Or`.
- Signatures that made use of `runtime.Object` have changed to
`client.Object`, removing the requirement to e.g. call
`runtime.Object#Object`.
- The `leader-election-role` was changed, as leader election now works
via the `coordination/v1` API.
Other notable changes:
- `util.ObjectKey` was added to easily construct a `client.ObjectKey` /
`types.NamespacedName` from a `metav1.Object`.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This adds support for creating the target release namespace if it is not
present, which can be useful in certain scenarios.
Note that when the release is uninstalled, the namespace is not removed
and remains on the cluster, and managing your namespace _outside_ of
the HelmRelease is advised.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This is an initial implementation for cross-cluster Helm release
support that relies on a KubeConfig secret, and a reference to it in
the HelmRelease resource.
If set, all actions taken by the Helm runner are executed using the
KubeConfig from the secret. The Helm storage is stored on the remote
cluster in a namespace equal to the namespace of the HelmRelease
in the managing cluster; the release itself is made in either this
namespace, or the configured TargetNamespace. In any case, both are
expected to exist and/or be created beforehand.
Other references to Kubernetes resources in the HelmRelease, like
ValuesReference resources, are expected to exist on the managing
cluster.
* Move `ReleaseRevision` function to util
* Rename `release` method to `reconcileRelease` to match
`reconcileChart`
* Refactor chart artifact download to make use of a temporary file,
which is removed as soon as the tarball has been loaded into memory
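The cross-cluster setup described in the commit above, as an added example that is not part of the commit or the helm-controller repository: a Secret in the managing cluster holding a kubeconfig, and a HelmRelease that references it through `spec.kubeConfig.secretRef` and installs into a `targetNamespace` on the remote cluster. The secret and release names are constructed, the kubeconfig contents are a placeholder, and the Secret key name `value` is assumed to be the one the controller reads.

```yaml
---
# Kubeconfig for the remote cluster, stored in the managing cluster in the
# same namespace as the HelmRelease that references it.
apiVersion: v1
kind: Secret
metadata:
  name: staging-kubeconfig   # constructed secret name
  namespace: default
type: Opaque
stringData:
  # Key name assumed; the contents below are a placeholder, not a real kubeconfig.
  value: |
    <PLACEHOLDER: kubeconfig for the remote cluster, scoped to the least
     privilege the release needs (no cluster-admin)>
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: podinfo              # constructed release name
  namespace: default         # Helm storage lands in this namespace on the remote cluster
spec:
  interval: 10m
  kubeConfig:
    secretRef:
      name: staging-kubeconfig
  # Release objects go here on the remote cluster; the namespace must already exist.
  targetNamespace: apps
  chart:
    spec:
      chart: podinfo         # constructed chart name
      sourceRef:
        kind: HelmRepository
        name: podinfo        # resolved on the managing cluster, not the remote one
  valuesFrom:
    - kind: ConfigMap
      name: podinfo-values   # also read from the managing cluster
```

Note the split the commit message describes: only the Helm actions run against the remote cluster, while the chart source and any `valuesFrom` references are resolved on the managing cluster, so the kubeconfig credential only needs rights in the two remote namespaces involved.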