From 7931c12aa2b8a4e5888d7442ffb7cbb1f0e04e02 Mon Sep 17 00:00:00 2001 From: Michael Bridgen Date: Mon, 27 Jul 2020 13:22:21 +0100 Subject: [PATCH 1/5] Use fluxcd/pkg definition for github action (they have all been collected in fluxcd/pkg) --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 4caf46a..59cb86a 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -25,7 +25,7 @@ jobs: go-version: 1.14.x - name: Set up kubebuilder # TODO replace with ../pkg/.. when that's merged - uses: fluxcd/kustomize-controller/.github/actions/kubebuilder@master + uses: fluxcd/pkg/actions/kubebuilder@master - name: Run tests run: make test env: From ddf988b9749b2bf097d7cf5f5c3fd79195e21002 Mon Sep 17 00:00:00 2001 From: Michael Bridgen Date: Mon, 27 Jul 2020 13:36:28 +0100 Subject: [PATCH 2/5] Line up default config - create the namespace that's part of the kustomization - get names right in the patches - don't use a name prefix, it just confuses things --- config/default/kustomization.yaml | 10 +++------- config/default/manager_auth_proxy_patch.yaml | 4 ++-- config/default/manager_webhook_patch.yaml | 4 ++-- config/default/namespace.yaml | 6 ++++++ 4 files changed, 13 insertions(+), 11 deletions(-) create mode 100644 config/default/namespace.yaml diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 0cb0101..e2d9bc3 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml 
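Review bot: The new `uses: fluxcd/pkg/actions/kubebuilder@master` line pins a third-party action to a moving branch, so anything later pushed to that branch runs inside this workflow with the job's token and checkout; pin it to an immutable commit and record the version beside it, e.g. `uses: fluxcd/pkg/actions/kubebuilder@<commit-sha>  # <tag-or-version>`, and let a dependency bot raise the bumps. The context line `# TODO replace with ../pkg/.. when that's merged` directly above is exactly what this change does, so it is now stale and should be dropped in the same commit. The enclosing job definition starts and ends outside the hunk.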
@@ -1,13 +1,6 @@ # Adds namespace to all resources. namespace: image-automation-system -# Value of this field is prepended to the -# names of all resources, e.g. a deployment named -# "wordpress" becomes "alices-wordpress". -# Note that it should also match with the prefix (text before '-') of the namespace -# field above. -namePrefix: image-automation- - # Labels to add to all resources and selectors. #commonLabels: # someName: someValue @@ -24,6 +17,9 @@ bases: # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus +resources: +- namespace.yaml + patchesStrategicMerge: # Protect the /metrics endpoint by putting it behind auth. # If you want your controller-manager to expose the /metrics diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml index 77e743d..545606d 100644 --- a/config/default/manager_auth_proxy_patch.yaml +++ b/config/default/manager_auth_proxy_patch.yaml @@ -3,8 +3,8 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: controller-manager - namespace: system + name: image-automation-controller + namespace: image-automation-system spec: template: spec: diff --git a/config/default/manager_webhook_patch.yaml b/config/default/manager_webhook_patch.yaml index 738de35..7757a6d 100644 --- a/config/default/manager_webhook_patch.yaml +++ b/config/default/manager_webhook_patch.yaml @@ -1,8 +1,8 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: controller-manager - namespace: system + name: image-automation-controller + namespace: image-automation-system spec: template: spec: diff --git a/config/default/namespace.yaml b/config/default/namespace.yaml new file mode 100644 index 0000000..dd8e75e --- /dev/null +++ b/config/default/namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: image-automation-system + labels: + control-plane: controller-manager From 8449e727026cd4e9fa24aa7dd1a7c8b4ecf1fef9 Mon Sep 17 00:00:00 2001 
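Review bot: With `namePrefix` removed, the `name: image-automation-controller` now written into manager_auth_proxy_patch.yaml and manager_webhook_patch.yaml only applies if the base Deployment under `../manager` (not in this patch) carries exactly that name; nothing in the kustomization records that coupling. A comment on the new `resources:` stanza, `# Patches in this directory target the Deployment name from ../manager; keep them in sync.`, would make the dependency visible to the next person who renames the base. The same applies to the hardcoded `namespace:` in both patch files, which presumably has to agree with the `namespace: image-automation-system` transformer at the top of kustomization.yaml.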
From: Michael Bridgen Date: Mon, 27 Jul 2020 16:06:00 +0100 Subject: [PATCH 3/5] Make patches work with kustomize build kustomize build ./config/default hiccoughs on the patches (due to a mismatch of namespace), while `kubectl apply -k` doesn't. I think this change will make both work. --- config/default/manager_auth_proxy_patch.yaml | 6 +++--- config/default/manager_webhook_patch.yaml | 1 - 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml index 545606d..6b11b8d 100644 --- a/config/default/manager_auth_proxy_patch.yaml +++ b/config/default/manager_auth_proxy_patch.yaml @@ -1,10 +1,10 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. +# This patch inject a sidecar container which is a HTTP proxy for the +# controller manager, it performs RBAC authorization against the +# Kubernetes API using SubjectAccessReviews. apiVersion: apps/v1 kind: Deployment metadata: name: image-automation-controller - namespace: image-automation-system spec: template: spec: diff --git a/config/default/manager_webhook_patch.yaml b/config/default/manager_webhook_patch.yaml index 7757a6d..9968311 100644 --- a/config/default/manager_webhook_patch.yaml +++ b/config/default/manager_webhook_patch.yaml @@ -2,7 +2,6 @@ apiVersion: apps/v1 kind: Deployment metadata: name: image-automation-controller - namespace: image-automation-system spec: template: spec: From 36e5d709ed2ebc13bc20058341d60725d25baee3 Mon Sep 17 00:00:00 2001 From: Michael Bridgen Date: Mon, 27 Jul 2020 16:12:41 +0100 Subject: [PATCH 4/5] Installation instructions --- README.md | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/README.md b/README.md index 20edec6..d563420 100644 --- a/README.md +++ b/README.md 
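Review bot: The reflowed header comment in manager_auth_proxy_patch.yaml is rewrapped but keeps its grammatical slip, `# This patch inject a sidecar container which is a HTTP proxy for the`; since the lines are being rewritten anyway, make it `# This patch injects a sidecar container which is an HTTP proxy for the`. The rest of the comment and the Deployment body it describes lie outside the hunk. The claim in the commit message that `kustomize build` and `kubectl apply -k` diverge on the namespace is plausible but not something the diff itself demonstrates, so a short note in the comment explaining why `namespace:` is deliberately left to the kustomization transformer would keep a future reader from re-adding it.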
@@ -10,3 +10,52 @@ Its sibling repository implements the image metadata reflection controller (scans container image repositories and reflects the metadata in Kubernetes resources); this repository implements the image update automation controller. + +## How to install it + +### Prerequisites + +At present this works with GitRepository custom resources as defined +in the [`source-controller`][source-controller] types; and, the +[`image-reflector-controller`][image-reflector]. GitRepository +resources are used to describe how to access the git repository to +update. The image reflector scans container image metadata, and +reflects it into the cluster as resources which this controller uses +as input to make updates; for example, by changing deployments so they +use the most recent version of an image. + +**To install the GitRepository CRD** + +This controller only needs the custom resource definition (CRD) for +the GitRepository kind, and doesn't need the source-controller itself. + +If you're not already using the [GitOps toolkit][gotk], you can just +install the custom resource definition for GitRepository: + + kubectl apply -f https://raw.githubusercontent.com/fluxcd/source-controller/master/config/crd/bases/source.fluxcd.io_gitrepositories.yaml + +**To install the image reflector controller** + +This controller relies on the image reflector controller. 
A working +configuration for the latter can be applied straight from the GitHub +repository (NB `-k`): + + kubectl apply -k github.com/squaremo/image-reflector-controller/config/default + +### Installing the automation controller + +You can apply a working configuration directly from GitHub: + + kubectl apply -k github.com/squaremo/image-automation-controller/config/default + +or, in a clone of this repository, + + make docker-build deploy + +## How to use it + + TODO + +[source-controller]: https://github.com/fluxcd/source-controller +[image-reflector]: https://github.com/squaremo/image-reflector-controller +[gotk]: https://toolkit.fluxcd.io From 292d457124b677029b8268efb66ba5b52ef79fe2 Mon Sep 17 00:00:00 2001 From: Michael Bridgen Date: Tue, 28 Jul 2020 07:54:00 +0100 Subject: [PATCH 5/5] Fill out run-through in README.md The README now gives a full run-through, starting with installing the controllers, and ending with the automation making a commit. --- README.md | 168 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 167 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index d563420..61af7ad 100644 --- a/README.md +++ b/README.md 
@@ -54,8 +54,174 @@ or, in a clone of this repository, ## How to use it - TODO +Here is a quick example of configuring an automation. I'm going to use +[cuttlefacts-app][cuttlefacts-app-repo] because it's minimal and +thereby, easy to follow. + +### Image policy + +[The deployment][cuttlefacts-app-deployment] in cuttlefacts-app uses +the image `cuttlefacts/cuttlefacts-app`. We'll automate that so it +gets updated when there's a semver-tagged image, e.g., +`cuttlefacts/cuttlefacts-app:v1.0.0`. + +Keeping track of the most recent image takes two resources: an +`ImageRepository`, to scan DockerHub for the image's tags, and an +`ImagePolicy`, to give the particular policy for selecting an image +(here, a semver range). + +The `ImageRepository`: + +```bash +$ cat > image.yaml < policy.yaml < known_hosts + ssh-keygen -l -f known_hosts + +Check that the fingerprint matches one [published by +GitHub][github-fingerprints]. + +Now you can make a secret with the deploy key and known_hosts file: + + kubectl create secret generic cuttlefacts-deploy --from-file=identity --from-file=known_hosts + +Those two filenames -- `identity` and `known_hosts` -- are what the +source controller library code expects, which makes it easier for the +automation controller to use the `GitRepository` type. + +You also need to install the deploy key in GitHub. Copy it from +`identity.pub` (that's the _public_ part of the key): + +```bash +$ cat identity.pub +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDKM2wTSz5VyL2UCLh3ke9XUO1WUmAf +[...]w2FFnV24AGhWdP5lPOS/Jv64+OfMSF5E/e4dwVs= mikeb@laptop.lan +``` + +... and add under `Settings / Deploy keys` for your fork on GitHub, +giving it write access. + +Now you can create a `GitRepository` which will provide access to the +git repository within the cluster. Remember to change the URL; it's +probably easiest, if you're copying & pasting, to run the following +then edit `repo.yaml` afterwards. + +```bash +$ cat > repo.yaml < update.yaml <