If the service account used for impersonation has been deleted, skip pruning, log the error and continue with finalization to allow tenant removals from clusters.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Introduce the flag `--default-service-account` for allowing cluster admins to enforce impersonation for resource reconciliation.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Introduce the flag `--no-cross-namespace-refs` (defaults to false) for allowing cluster admins to disable cross-namespace references to sources.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Validate that the resources built with kustomize conform to the Kubernetes API conventions before passing them to the server-side apply engine.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
After downloading an artifact, compute its checksum and verify that it matches the original checksum advertised by source-controller.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Introduce `kustomize.toolkit.fluxcd.io/reconcile` annotation. When set to `disabled`, the controller will no longer apply changes from source, nor will it prune the annotated resource.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
If decryption is not enabled, SOPS encrypted secrets will fail to apply with a validation error that doesn't give any hints. It's better to exit early and throw an error that tells users to enable decryption.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
- Add `.spec.wait` optional boolean field to API
- Wait for all applied resources to become ready when `.spec.wait` is set to `true`
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
When impersonation fails, emit an event with the stale objects and continue with the finalization as this is not a retryable error.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Set the healthiness status to progressing and specify the health check timeout in the condition message.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Reconciler behaviour:
- Creates an inventory of objects to be applied (persisted in-cluster under `.status.inventory`).
- Applies first custom resource definitions (CRDs) and namespaces, waits for them to register and only then applies the custom resources.
- Validates all resources with server-side dry-run apply (namespaced objects must contain `metadata.namespace`; defaulting to the `default` namespace is no longer supported).
- Reconciles only the resources that drifted.
- Prunes the objects that were previously applied but are missing from the current inventory.
- Emits events for only the resources that were created, configured or deleted.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Reduce the log level from error to info to match the level of the event.
Signed-off-by: Allen Porter <allen.porter@gmail.com>
Signed-off-by: Allen Porter <allen@thebends.org>
This should give users some guidance when `kubectl apply` itself does
not give any useful output back, to date only observed when
it times out waiting.
Signed-off-by: Hidde Beydals <hello@hidde.co>
Allow passing --force to kubectl apply. Useful when dealing with
immutable field changes in resources.
Signed-off-by: Aurel Canciu <aurelcanciu@gmail.com>