Commit Graph

179 Commits

Author SHA1 Message Date
Stefan Prodan 65aaa1d69a
Ensure objects are finalized under impersonation
If the service account used for impersonation has been deleted, skip pruning, log the error and continue with finalization to allow tenants removals from clusters.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-01-31 13:20:12 +02:00
Stefan Prodan f353ba44a7
Introduce a dedicated manager for status updates to avoid conflicts
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-01-31 11:29:54 +02:00
Stefan Prodan 38541078fa
Revoke kubectl managed fields ownership
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-01-31 11:25:11 +02:00
Stefan Prodan 4d7cba91b0
Allow setting a default service account for impersonation
Introduce the flag `--default-service-account` for allowing cluster admins to enforce impersonation for resource reconciliation.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-01-27 18:25:02 +02:00
Stefan Prodan 518c8a021b
Allow disabling cross-namespace references
Introduce the flag `--no-cross-namespace-refs` (defaults to false) for allowing cluster admins to disable cross-namespace references to sources.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-01-26 22:50:10 +02:00
Stefan Prodan 4ee01a2db0
Fix preflight validation
Validate that the resources built with kustomize conform to the Kubernetes API conventions before passing them to the server-side apply engine.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-01-21 13:05:40 +02:00
Stefan Prodan b18584a652
Merge pull request #535 from kingdonb/patch-finalizers
Use patch instead of update when adding finalizers
2022-01-14 08:24:26 +02:00
Kingdon Barrett 441b48aeef
Use patch instead of update when adding finalizers
Signed-off-by: Kingdon Barrett <kingdon@weave.works>
2022-01-13 19:44:10 -05:00
Florian Fl Bauer 8435a5ba41
If applied, this commit will solve a race condition when using two Kustomizations with the same SourceRef
Signed-off-by: Florian Fl Bauer <florian.fl.bauer@deutschebahn.com>
2022-01-07 14:17:40 +01:00
Stefan Prodan 00257e0cc9
Merge pull request #478 from fluxcd/go-v1.17
Update Go to v1.17 and controller-runtime to v0.11
2022-01-05 18:08:38 +02:00
Paulo Gomes facda8b422
Check EventRecorder is not nil
Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
2021-12-21 21:10:43 +00:00
Aurel Canciu ec9fdb1550
Update flux pkg components
Signed-off-by: Aurel Canciu <aurelcanciu@gmail.com>
2021-12-20 14:50:41 +01:00
Stefan Prodan 1badc828b4
Replace deprecated dependencies
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-11-23 14:21:21 +02:00
Stefan Prodan bedb53e0fa
Verify artifacts integrity
After downloading an artifact, compute its checksum and verify that it matches the original checksum advertised by source-controller.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-11-12 14:03:58 +02:00
Stefan Prodan 0ce7c1267e
Allow disabling the reconciliation of in-cluster resources
Introduce the `kustomize.toolkit.fluxcd.io/reconcile` annotation. When set to `disabled`, the controller will no longer apply changes from source, nor will it prune the annotated resource.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-11-09 10:50:52 +02:00
Stefan Prodan 4958b9c8ce
Warn when secrets are not decrypted before apply
If decryption is not enabled, SOPS encrypted secrets will fail to apply with a validation error that doesn't give any hints. It's better to exit early and throw an error that tells users to enable decryption.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-11-08 15:58:27 +02:00
Stefan Prodan f2715a74c8
Set delete propagation policy to background
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-11-08 15:02:12 +02:00
Rishabh Bohra b8cebd3838
chore: remove deprecated io/ioutil
Signed-off-by: Rishabh Bohra <rishabhbohra01@gmail.com>
2021-10-29 20:28:25 +05:30
Stefan Prodan 7a26305dc8
Fix cluster scope detection of applied objects
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-10-19 09:34:18 +03:00
Somtochi Onyekwere 84a88d5878
Decrypt dotenv files
Signed-off-by: Somtochi Onyekwere <somtochionyekwere@gmail.com>
2021-10-17 15:27:04 +01:00
Stefan Prodan a292f28699
Fix drift detection in Secrets and ConfigMaps
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-10-11 16:26:01 +03:00
Stefan Prodan 7282308883
Fix SSA upstream bugs for Kubernetes < 1.22
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-10-10 15:28:12 +03:00
Stefan Prodan cd5b6930b3
Fix inventory panic for v1beta1 objects
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-10-08 17:48:05 +03:00
Stefan Prodan 652da7f1e4
Guard against waiting deadlock
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-10-08 10:04:23 +03:00
Stefan Prodan 6346591f02
Use ssa package from fluxcd/pkg
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-10-01 10:21:15 +03:00
Stefan Prodan d0222867e6
Skip pruning for objects with a different owner
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-09-30 18:35:40 +03:00
Stefan Prodan 64084ea03b
Add test for reconciling an empty source
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-09-30 18:35:40 +03:00
Stefan Prodan 9c8f284b7f
Add `spec.wait` usage to the API docs
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-09-30 18:35:40 +03:00
Stefan Prodan 468f00e416
Implement health checking for all resources
- Add `.spec.wait` optional boolean field to API
- Wait for all applied resources to become ready when `.spec.wait` is set to `true`

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-09-30 18:35:39 +03:00
Stefan Prodan 8baead9b2e
Add e2e test for CRDs+CRs reconciliation using cert-manager
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-09-30 18:35:39 +03:00
Stefan Prodan 97bbc59eb6
Skip finalizer pruning when impersonation fails
When impersonation fails, emit an event with the stale objects and continue with the finalization as this is not a retryable error.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-09-30 18:35:39 +03:00
Stefan Prodan 69069c3ab3
Refactor reconciliation into actions
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-09-30 18:35:39 +03:00
Stefan Prodan b33e3b3449
Update the status when health checking starts
Set the healthiness status to progressing and specify the health check timeout in the condition message.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-09-30 18:35:39 +03:00
Stefan Prodan 1e01d800c5
Implement reconciliation using server-side apply
Reconciler behaviour:
- Creates an inventory of objects to be applied (persisted in-cluster under `.status.inventory`).
- Applies first custom resource definitions (CRDs) and namespaces, waits for them to register and only then applies the custom resources.
- Validates all resources with server-side dry-run apply (namespaced objects must contain `metadata.namespace`, defaulting to the `default` namespace is no longer supported).
- Reconciles only the resources that drifted.
- Prunes the objects that were previously applied but are missing from the current inventory.
- Emits events only for the resources that were created, configured or deleted.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-09-30 18:34:40 +03:00
Michal Schott 72bc54477a
Filter dry-run errors for sensitive data.
Signed-off-by: Michal Schott <michal.schott@onegini.com>
2021-09-08 16:32:18 +02:00
Michal Schott cb93667050
Redact secret data.
Signed-off-by: Michal Schott <michal.schott@onegini.com>
2021-09-03 21:52:22 +02:00
Jodok Batlogg d7c45de5ca
Fixed typo
Signed-off-by: Jodok Batlogg <jodok@batlogg.com>
2021-07-03 00:08:11 +02:00
Stefan Prodan f8cac4a35d
Add missing ConfigMap RBAC
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-06-14 13:41:14 +03:00
Hidehito Yabuuchi 871c2a14bf
Fix validation and application timeout handling
Signed-off-by: Hidehito Yabuuchi <hdht.ybuc@gmail.com>
2021-05-18 17:47:58 +09:00
Chanwit Kaewkasi 147df26298
Replace redundant indexers code with higher-order functions
Signed-off-by: Chanwit Kaewkasi <chanwit@gmail.com>
2021-04-14 22:51:35 +07:00
Allen Porter 63d6c8c802
Make log level info for 'Dependencies do not meet ready condition'
Reduce the log level from error to info to match the level of the event.

Signed-off-by: Allen Porter <allen.porter@gmail.com>
Signed-off-by: Allen Porter <allen@thebends.org>
2021-04-07 23:33:08 -07:00
Hidde Beydals 32363048f4
Detect and replace empty err output on apply
This should give users some guidance when `kubectl apply` itself does
not give any useful output back, to date only observed when
it times out waiting.

Signed-off-by: Hidde Beydals <hello@hidde.co>
2021-04-01 17:05:25 +02:00
Stefan Prodan 446545c71f
Expose suspended status as Prometheus metric
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-03-17 11:27:21 +02:00
Florian Richter 8312a2574c
Fixed small typos
Signed-off-by: Florian Richter <floririchte@gmail.com>
2021-03-05 21:35:00 +01:00
Stefan Prodan 8708205edc
Do not override the artifact fetch timeout
Use the timeout set by the HTTP client when retrying with exponential backoff.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-03-05 08:46:52 +02:00
Stefan Prodan 9d48b6299d
Retry with exponential backoff when fetching artifacts
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-02-26 12:29:14 +02:00
Aurel Canciu 729dc9770e
Support recreating objects on immutable field updates
Allow passing --force to kubectl apply. Useful when dealing with
immutable field changes in resources.

Signed-off-by: Aurel Canciu <aurelcanciu@gmail.com>
2021-02-22 16:59:01 +02:00
Laszlo Fogas 48ab6a0205
Extracting validation error from apply dry-run output
Signed-off-by: Laszlo Fogas <laszlo@laszlo.cloud>
2021-02-19 16:28:09 +01:00
Stefan Prodan 401fec6c8d
Allow disabling var substitution for certain resources
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-02-16 10:40:01 +02:00
Stefan Prodan 0ac1f9e631
Implement var substitution from ConfigMaps and Secrets
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-02-16 09:20:00 +02:00