diff --git a/flux/.flux.yaml b/flux/.flux.yaml new file mode 100644 index 00000000..49434d52 --- /dev/null +++ b/flux/.flux.yaml @@ -0,0 +1,5 @@ +version: 1 +patchUpdated: + generators: + - command: kustomize build . + patchFile: flux-patch.yaml \ No newline at end of file diff --git a/flux/flux-account.yaml b/flux/flux-account.yaml deleted file mode 100644 index 12c2fd66..00000000 --- a/flux/flux-account.yaml +++ /dev/null @@ -1,38 +0,0 @@ ---- -# The service account, cluster roles, and cluster role binding are -# only needed for Kubernetes with role-based access control (RBAC). -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - name: flux - name: flux - namespace: flux ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - labels: - name: flux - name: flux -rules: - - apiGroups: ['*'] - resources: ['*'] - verbs: ['*'] - - nonResourceURLs: ['*'] - verbs: ['*'] ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - labels: - name: flux - name: flux -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: flux -subjects: - - kind: ServiceAccount - name: flux - namespace: flux diff --git a/flux/flux-deployment.yaml b/flux/flux-deployment.yaml deleted file mode 100644 index 3806d1bd..00000000 --- a/flux/flux-deployment.yaml +++ /dev/null @@ -1,189 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: flux - namespace: flux -spec: - replicas: 1 - selector: - matchLabels: - name: flux - strategy: - type: Recreate - template: - metadata: - annotations: - prometheus.io/port: "3031" # tell prometheus to scrape /metrics endpoint's port. - labels: - name: flux - spec: - nodeSelector: - beta.kubernetes.io/os: linux - serviceAccountName: flux - volumes: - - name: git-key - secret: - secretName: flux-git-deploy - defaultMode: 0400 # when mounted read-only, we won't be able to chmod - - # This is a tmpfs used for generating SSH keys. In K8s >= 1.10, - # mounted secrets are read-only, so we need a separate volume we - # can write to. - - name: git-keygen - emptyDir: - medium: Memory - - # The following volume is for using a customised known_hosts - # file, which you will need to do if you host your own git - # repo rather than using github or the like. You'll also need to - # mount it into the container, below. See - # https://docs.fluxcd.io/en/latest/guides/use-private-git-host.html - # - name: ssh-config - # configMap: - # name: flux-ssh-config - - # The following volume is for using a customised .kube/config, - # which you will need to do if you wish to have a different - # default namespace. You will also need to provide the configmap - # with an entry for `config`, and uncomment the volumeMount and - # env entries below. - # - name: kubeconfig - # configMap: - # name: flux-kubeconfig - - # The following volume is used to import GPG keys (for signing - # and verification purposes). You will also need to provide the - # secret with the keys, and uncomment the volumeMount and args - # below. - # - name: gpg-keys - # secret: - # secretName: flux-gpg-keys - # defaultMode: 0400 - - containers: - - name: flux - # There are no ":latest" images for flux. Find the most recent - # release or image version at https://hub.docker.com/r/fluxcd/flux/tags - # and replace the tag here. - image: docker.io/fluxcd/flux:1.18.0 - imagePullPolicy: IfNotPresent - resources: - requests: - cpu: 50m - memory: 64Mi - ports: - - containerPort: 3030 # informational - livenessProbe: - httpGet: - port: 3030 - path: /api/flux/v6/identity.pub - initialDelaySeconds: 5 - timeoutSeconds: 5 - readinessProbe: - httpGet: - port: 3030 - path: /api/flux/v6/identity.pub - initialDelaySeconds: 5 - timeoutSeconds: 5 - volumeMounts: - - name: git-key - mountPath: /etc/fluxd/ssh # to match location given in image's /etc/ssh/config - readOnly: true # this will be the case perforce in K8s >=1.10 - - name: git-keygen - mountPath: /var/fluxd/keygen # to match location given in image's /etc/ssh/config - - # Include this if you need to mount a customised known_hosts - # file; you'll also need the volume declared above. - # - name: ssh-config - # mountPath: /root/.ssh - - # Include this and the volume "kubeconfig" above, and the - # environment entry "KUBECONFIG" below, to override the config - # used by kubectl. - # - name: kubeconfig - # mountPath: /etc/fluxd/kube - - # Include this to point kubectl at a different config; you - # will need to do this if you have mounted an alternate config - # from a configmap, as in commented blocks above. - # env: - # - name: KUBECONFIG - # value: /etc/fluxd/kube/config - - # Include this and the volume "gpg-keys" above, and the - # args below. - # - name: gpg-keys - # mountPath: /root/gpg-import - # readOnly: true - - # Include this if you want to supply HTTP basic auth credentials for git - # via the `GIT_AUTHUSER` and `GIT_AUTHKEY` environment variables using a - # secret. - # envFrom: - # - secretRef: - # name: flux-git-auth - - args: - - # If you deployed memcached in a different namespace to flux, - # or with a different service name, you can supply these - # following two arguments to tell fluxd how to connect to it. - # - --memcached-hostname=memcached.default.svc.cluster.local - - # Use the memcached ClusterIP service name by setting the - # memcached-service to string empty - - --memcached-service= - - # This must be supplied, and be in the tmpfs (emptyDir) - # mounted above, for K8s >= 1.10 - - --ssh-keygen-dir=/var/fluxd/keygen - - # Replace the following URL to change the Git repository used by Flux. - # HTTP basic auth credentials can be supplied using environment variables: - # https://$(GIT_AUTHUSER):$(GIT_AUTHKEY)@github.com/user/repository.git - - --git-url=git@github.com:HRZNStudio/playhrzn-k8s.git - - --git-branch=master - # Include this if you want to restrict the manifests considered by flux - # to those under the following relative paths in the git repository - # - --git-path=subdir1,subdir2 - - --git-label=flux - - --git-user=Flux - - --git-email=accounts@hrznstudio.com - - --git-poll-interval=30s - - # Include these two to enable git commit signing - # - --git-gpg-key-import=/root/gpg-import - # - --git-signing-key= - - # Include this to enable git signature verification - # - --git-verify-signatures - - # Tell flux it has readonly access to the repo (default `false`) - # - --git-readonly - - # Instruct flux where to put sync bookkeeping (default "git", meaning use a tag in the upstream git repo) - # - --sync-state=git - - # Include these next two to connect to an "upstream" service - # (e.g., Weave Cloud). The token is particular to the service. - # - --connect=wss://cloud.weave.works/api/flux - # - --token=abc123abc123abc123abc123 - - # Enable manifest generation (default `false`) - - --manifest-generation=true - - # Serve /metrics endpoint at different port; - # make sure to set prometheus' annotation to scrape the port value. - - --listen-metrics=:3031 - - # Additional arguments - - --sync-garbage-collection - - # Optional DNS settings, configuring the ndots option may resolve - # nslookup issues on some Kubernetes setups. - # dnsPolicy: "None" - # dnsConfig: - # options: - # - name: ndots - # value: "1" diff --git a/flux/flux-helm-operator-account.yaml b/flux/flux-helm-operator-account.yaml index 0b589654..a1a62acd 100644 --- a/flux/flux-helm-operator-account.yaml +++ b/flux/flux-helm-operator-account.yaml @@ -35,4 +35,4 @@ roleRef: subjects: - kind: ServiceAccount name: flux-helm-operator - namespace: flux + namespace: flux \ No newline at end of file diff --git a/flux/flux-helm-release-crd.yaml b/flux/flux-helm-release-crd.yaml index ac5509bb..1caaeacc 100644 --- a/flux/flux-helm-release-crd.yaml +++ b/flux/flux-helm-release-crd.yaml @@ -214,4 +214,4 @@ spec: properties: name: description: Helm repository basic auth (not implemented) - type: string + type: string \ No newline at end of file diff --git a/flux/flux-namespace.yaml b/flux/flux-namespace.yaml deleted file mode 100644 index 30c9c580..00000000 --- a/flux/flux-namespace.yaml +++ /dev/null @@ -1,4 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: {name: flux} \ No newline at end of file diff --git a/flux/flux-secret.yaml b/flux/flux-secret.yaml deleted file mode 100644 index dde0d9ce..00000000 --- a/flux/flux-secret.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: flux-git-deploy - namespace: flux -type: Opaque diff --git a/flux/helm-operator-deployment.yaml b/flux/helm-operator-deployment.yaml index db389016..f72b187a 100644 --- a/flux/helm-operator-deployment.yaml +++ b/flux/helm-operator-deployment.yaml @@ -20,57 +20,16 @@ spec: spec: serviceAccountName: flux-helm-operator volumes: - # - # You will need these two volumes if you want to establish validated TLS - # connections against Tiller - # - # - name: helm-tls-ca - # configMap: - # name: flux-helm-tls-ca-config - # defaultMode: 0600 - # Secret type kubernetes.io/tls - # - name: flux-helm-tls-cert - # secret: - # secretName: flux-helm-tls-cert - # defaultMode: 0400 - # - # The following volume is for using a customised known_hosts file, - # which you will need to do if you host your own git repo rather - # than using github or the like. You'll also need to mount it - # into the container, below. - # - # You may also wish to provide an ssh_config file, - # mentioning more than one `IdentityFile`; for instance, if you're - # using more than one GitHub repo. NB the entry key should be - # "config" rather than "ssh_config" if mounted in ~/.ssh/. - # - # - name: sshdir - # configMap: - # name: flux-ssh-config - # defaultMode: 0400 - - # SSH key to access the Git repository - name: git-key secret: secretName: flux-git-deploy - defaultMode: 0400 # when mounted read-only, we won't be able to chmod - - # These two volumes are for mounting a repositories.yaml file, - # and providing a cache directory. The latter is needed because - # mounting the former will make the cache/ directory read-only. - # - # - name: repositories-yaml - # secret: - # secretName: flux-helm-repositories - # - name: repositories-cache - # emptyDir: {} - + defaultMode: 0400 containers: - name: flux-helm-operator # There are no ":latest" images for helm-operator. Find the most recent - # release or image version at https://hub.docker.com/r/weaveworks/helm-operator/tags + # release or image version at https://hub.docker.com/r/fluxcd/helm-operator/tags # and replace the tag here. - image: docker.io/fluxcd/helm-operator:1.0.0-rc9 + image: docker.io/fluxcd/helm-operator:1.0.1 imagePullPolicy: IfNotPresent ports: - name: http @@ -92,36 +51,8 @@ spec: cpu: 50m memory: 64Mi volumeMounts: - # Include this if you need to mount a customised known_hosts or ssh_config - # file; you'll also need the volume declared above. - # - name: sshdir - # mountPath: /root/.ssh - # readOnly: true - - name: git-key mountPath: /etc/fluxd/ssh - - # - name: repositories-yaml - # mountPath: /var/fluxd/helm/repository - # - name: repositories-cache - # mountPath: /var/fluxd/helm/repository/cache - # - name: helm-tls-certs - # mountPath: /etc/fluxd/helm - # readOnly: true - # - name: helm-tls-ca - # mountPath: /etc/fluxd/helm-ca - # readOnly: true args: - # How to find Tiller - --tiller-namespace=kube-system - # Comment out to to establish validated TLS connections against Tiller - # - --tiller-tls-ca-cert-path=/etc/fluxd/helm-ca/ca.crt - # - --tiller-tls-enable=true - # - --tiller-tls-key-path=/etc/fluxd/helm/tls.key - # - --tiller-tls-cert-path=/etc/fluxd/helm/tls.crt - # - --tiller-tls-verify=true - # - --tiller-tls-ca-cert-path=/etc/fluxd/helm-ca/ca.crt - - - --enabled-helm-versions=v3 - - + - --enabled-helm-versions=v3 \ No newline at end of file diff --git a/flux/kustomization.yaml b/flux/kustomization.yaml new file mode 100644 index 00000000..2e5bd7d5 --- /dev/null +++ b/flux/kustomization.yaml @@ -0,0 +1,5 @@ +bases: +- github.com/fluxcd/flux/deploy?ref=1.19.0 +#- github.com/fluxcd/helm-operator/deploy?ref=v1.0.1 +patchesStrategicMerge: +- patch.yaml \ No newline at end of file diff --git a/flux/memcache-dep.yaml b/flux/memcache-dep.yaml deleted file mode 100644 index ef208c54..00000000 --- a/flux/memcache-dep.yaml +++ /dev/null @@ -1,32 +0,0 @@ ---- -# memcached deployment used by Flux to cache -# container image metadata. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: memcached - namespace: flux -spec: - replicas: 1 - selector: - matchLabels: - name: memcached - template: - metadata: - labels: - name: memcached - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - name: memcached - image: memcached:1.5.20 - imagePullPolicy: IfNotPresent - args: - - -m 512 # Maximum memory to use, in megabytes - - -I 5m # Maximum size for one item - - -p 11211 # Default port - # - -vv # Uncomment to get logs of each request and response. - ports: - - name: clients - containerPort: 11211 diff --git a/flux/memcache-svc.yaml b/flux/memcache-svc.yaml deleted file mode 100644 index 37da8566..00000000 --- a/flux/memcache-svc.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: memcached - namespace: flux -spec: - ports: - - name: memcached - port: 11211 - selector: - name: memcached diff --git a/flux/patch.yaml b/flux/patch.yaml new file mode 100644 index 00000000..0970ce77 --- /dev/null +++ b/flux/patch.yaml @@ -0,0 +1,20 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: flux + namespace: flux +spec: + template: + spec: + containers: + - name: flux + args: + - --ssh-keygen-dir=/var/fluxd/keygen + - --git-url=git@github.com:HRZNStudio/playhrzn-k8s.git + - --git-label=flux-sync + - --git-email=accounts@hrznstudio.com + - --git-poll-interval=30s + - --git-poll-interval=30s + - --sync-garbage-collection + - --manifest-generation=true + - --listen-metrics=:3031 \ No newline at end of file