mirror of
https://github.com/fluxcd/flux2.git
Merge pull request #1469 from stealthybox/integrations-fixes
Fix and Refactor integrations
commit
e12db14d1e
38 changed files with 77 additions and 198 deletions
14
manifests/integrations/Makefile
Normal file
14
manifests/integrations/Makefile
Normal file
|
|
@ -0,0 +1,14 @@
|
|||
|
||||
bases := $(shell dirname $(shell find | grep kustomization.yaml | sort))
|
||||
|
||||
all: $(bases)
|
||||
|
||||
permutations := $(bases) $(addsuffix /,$(bases))
|
||||
.PHONY: $(permutations)
|
||||
$(permutations):
|
||||
@echo $@
|
||||
@warnings=$$(kustomize build $@ -o /dev/null 2>&1); \
|
||||
if [ "$$warnings" ]; then \
|
||||
echo "$$warnings"; \
|
||||
false; \
|
||||
fi
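Review bot: The `bases` assignment selects directories with an unanchored `grep kustomization.yaml`, so any path that merely contains that text (a backup copy, for example) becomes a build target, and `find` with no start path plus multi-argument `dirname` both rely on GNU behaviour. Matching the file name exactly and letting Make strip the file part is tighter: `bases := $(sort $(patsubst %/,%,$(dir $(shell find . -type f -name kustomization.yaml))))`. In the recipe the gate fails only when `kustomize build` prints something, and its exit status is discarded by the `;` after the assignment, so a non-zero exit with empty output would pass. Quoting the target and checking the status closes that gap: `@warnings=$$(kustomize build "$@" -o /dev/null 2>&1) || { echo "$$warnings"; exit 1; }; \`.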
|
||||
|
|
@ -7,6 +7,9 @@ commonLabels:
|
|||
resources:
|
||||
- sync.yaml
|
||||
|
||||
patchesStrategicMerge:
|
||||
- kubectl-patch.yaml
|
||||
|
||||
vars:
|
||||
- name: KUBE_SECRET
|
||||
objref:
|
||||
|
|
@ -15,13 +18,6 @@ vars:
|
|||
apiVersion: v1
|
||||
fieldref:
|
||||
fieldpath: data.KUBE_SECRET
|
||||
- name: ADDRESS
|
||||
objref:
|
||||
kind: ConfigMap
|
||||
name: credentials-sync-eventhub
|
||||
apiVersion: v1
|
||||
fieldref:
|
||||
fieldpath: data.ADDRESS
|
||||
|
||||
configurations:
|
||||
- kustomizeconfig.yaml
|
||||
|
|
|
|||
|
|
@ -109,9 +109,9 @@ rules:
|
|||
- create
|
||||
- update
|
||||
- patch
|
||||
# # Lock this down to the specific Secret name (Optional)
|
||||
#resourceNames:
|
||||
# - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
|
||||
# Lock this down to the specific Secret name (Optional)
|
||||
resourceNames:
|
||||
- $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
|
||||
---
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
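Review bot: Enabling `resourceNames` on a rule that still lists `create` does not scope creation to that Secret: Kubernetes RBAC cannot match a create request by resource name, so this rule no longer grants `create` at all, and the first sync would be denied if the Secret named by `$(KUBE_SECRET)` does not exist yet. Keep `resourceNames` on `update` and `patch`, and either move `create` into its own rule without `resourceNames` (accepting that it covers any Secret name in the namespace) or pre-create the Secret. The restriction also depends on kustomize substituting `$(KUBE_SECRET)` in this field; the varReference entry for the Role's `rules/resourceNames` path is not visible here, and without it the literal string is applied and the rule matches nothing. The same change is made in the later `@ -85,9 +85,9 @@ rules:` hunk, and in both cases the rule starts outside the hunk.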
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
apiVersion: batch/v1beta1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
spec:
|
||||
jobTemplate:
|
||||
|
|
@ -7,6 +7,9 @@ commonLabels:
|
|||
resources:
|
||||
- sync.yaml
|
||||
|
||||
patchesStrategicMerge:
|
||||
- kubectl-patch.yaml
|
||||
|
||||
vars:
|
||||
- name: KUBE_SECRET
|
||||
objref:
|
||||
|
|
@ -15,13 +18,6 @@ vars:
|
|||
apiVersion: v1
|
||||
fieldref:
|
||||
fieldpath: data.KUBE_SECRET
|
||||
- name: ADDRESS
|
||||
objref:
|
||||
kind: ConfigMap
|
||||
name: credentials-sync-eventhub
|
||||
apiVersion: v1
|
||||
fieldref:
|
||||
fieldpath: data.ADDRESS
|
||||
|
||||
configurations:
|
||||
- kustomizeconfig.yaml
|
||||
|
|
|
|||
|
|
@ -85,9 +85,9 @@ rules:
|
|||
- create
|
||||
- update
|
||||
- patch
|
||||
# # Lock this down to the specific Secret name (Optional)
|
||||
#resourceNames:
|
||||
# - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
|
||||
# Lock this down to the specific Secret name (Optional)
|
||||
resourceNames:
|
||||
- $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
|
||||
---
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
|
|
|
|||
|
|
@ -12,5 +12,5 @@ metadata:
|
|||
name: lab
|
||||
namespace: flux-system
|
||||
spec:
|
||||
azureIdentity: lab
|
||||
selector: lab
|
||||
azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
|
|
|
|||
|
|
@ -23,15 +23,6 @@ spec:
|
|||
clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
|
||||
resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write
|
||||
type: 0
|
||||
---
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
kind: AzureIdentityBinding
|
||||
metadata:
|
||||
name: lab
|
||||
namespace: flux-system
|
||||
spec:
|
||||
azureIdentity: jwt-lab
|
||||
selector: jwt-lab
|
||||
|
||||
# Set the reconcile period + specify the pod-identity via the aadpodidbinding label
|
||||
---
|
||||
|
|
|
|||
|
|
@ -1,34 +0,0 @@
|
|||
apiVersion: batch/v1beta1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
spec:
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
initContainers:
|
||||
- image: bitnami/kubectl
|
||||
securityContext:
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
name: copy-kubectl
|
||||
# it's okay to do this because kubectl is a statically linked binary
|
||||
command:
|
||||
- sh
|
||||
- -ceu
|
||||
- cp $(which kubectl) /kbin/
|
||||
resources: {}
|
||||
volumeMounts:
|
||||
- name: kbin
|
||||
mountPath: /kbin
|
||||
containers:
|
||||
- name: sync
|
||||
volumeMounts:
|
||||
- name: kbin
|
||||
mountPath: /kbin
|
||||
volumes:
|
||||
- name: kbin
|
||||
emptyDir: {}
|
||||
|
|
@ -14,7 +14,6 @@ resources:
|
|||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- kubectl-patch.yaml
|
||||
- reconcile-patch.yaml
|
||||
|
||||
vars:
|
||||
|
|
|
|||
|
|
@ -1,3 +1,7 @@
|
|||
varReference:
|
||||
- path: spec/jobTemplate/spec/template/metadata/labels
|
||||
kind: CronJob
|
||||
- path: spec/jobTemplate/spec/template/metadata/labels
|
||||
kind: CronJob
|
||||
- path: spec/azureIdentity
|
||||
kind: AzureIdentityBinding
|
||||
- path: spec/selector
|
||||
kind: AzureIdentityBinding
|
||||
|
|
|
|||
|
|
@ -3,7 +3,6 @@ apiVersion: v1
|
|||
kind: ConfigMap
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
data:
|
||||
KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
|
||||
ADDRESS: "fluxv2" # the Azure Event Hub name
|
||||
|
|
|
|||
|
|
@ -1,34 +0,0 @@
|
|||
apiVersion: batch/v1beta1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
spec:
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
initContainers:
|
||||
- image: bitnami/kubectl
|
||||
securityContext:
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
name: copy-kubectl
|
||||
# it's okay to do this because kubectl is a statically linked binary
|
||||
command:
|
||||
- sh
|
||||
- -ceu
|
||||
- cp $(which kubectl) /kbin/
|
||||
resources: {}
|
||||
volumeMounts:
|
||||
- name: kbin
|
||||
mountPath: /kbin
|
||||
containers:
|
||||
- name: sync
|
||||
volumeMounts:
|
||||
- name: kbin
|
||||
mountPath: /kbin
|
||||
volumes:
|
||||
- name: kbin
|
||||
emptyDir: {}
|
||||
|
|
@ -14,8 +14,4 @@ resources:
|
|||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- kubectl-patch.yaml
|
||||
- reconcile-patch.yaml
|
||||
|
||||
configurations:
|
||||
- kustomizeconfig.yaml
|
||||
|
|
|
|||
|
|
@ -1,3 +0,0 @@
|
|||
varReference:
|
||||
- path: spec/jobTemplate/spec/template/metadata/labels
|
||||
kind: CronJob
|
||||
|
|
@ -9,8 +9,8 @@ metadata:
|
|||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
kind: AzureIdentityBinding
|
||||
metadata:
|
||||
name: lab
|
||||
name: lab # this can have a different name, but it's nice to keep them the same
|
||||
namespace: flux-system
|
||||
spec:
|
||||
azureIdentity: lab
|
||||
selector: lab
|
||||
azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
|
|
|
|||
|
|
@ -24,15 +24,6 @@ spec:
|
|||
clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
|
||||
resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write
|
||||
type: 0
|
||||
---
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
kind: AzureIdentityBinding
|
||||
metadata:
|
||||
name: lab
|
||||
namespace: flux-system
|
||||
spec:
|
||||
azureIdentity: jwt-lab
|
||||
selector: jwt-lab
|
||||
|
||||
# Specify the pod-identity via the aadpodidbinding label
|
||||
---
|
||||
|
|
|
|||
|
|
@ -14,7 +14,6 @@ resources:
|
|||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- kubectl-patch.yaml
|
||||
- reconcile-patch.yaml
|
||||
|
||||
vars:
|
||||
|
|
|
|||
|
|
@ -1,3 +1,7 @@
|
|||
varReference:
|
||||
- path: spec/template/metadata/labels
|
||||
kind: Deployment
|
||||
- path: spec/azureIdentity
|
||||
kind: AzureIdentityBinding
|
||||
- path: spec/selector
|
||||
kind: AzureIdentityBinding
|
||||
|
|
|
|||
|
|
@ -1,32 +0,0 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: credentials-sync-eventhub
|
||||
namespace: flux-system
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
initContainers:
|
||||
- image: bitnami/kubectl
|
||||
securityContext:
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
name: copy-kubectl
|
||||
# it's okay to do this because kubectl is a statically linked binary
|
||||
command:
|
||||
- sh
|
||||
- -ceu
|
||||
- cp $(which kubectl) /kbin/
|
||||
resources: {}
|
||||
volumeMounts:
|
||||
- name: kbin
|
||||
mountPath: /kbin
|
||||
containers:
|
||||
- name: sync
|
||||
volumeMounts:
|
||||
- name: kbin
|
||||
mountPath: /kbin
|
||||
volumes:
|
||||
- name: kbin
|
||||
emptyDir: {}
|
||||
|
|
@ -14,8 +14,4 @@ resources:
|
|||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- kubectl-patch.yaml
|
||||
- reconcile-patch.yaml
|
||||
|
||||
configurations:
|
||||
- kustomizeconfig.yaml
|
||||
|
|
|
|||
|
|
@ -1,3 +0,0 @@
|
|||
varReference:
|
||||
- path: spec/template/metadata/labels
|
||||
kind: Deployment
|
||||
|
|
@ -7,6 +7,9 @@ commonLabels:
|
|||
resources:
|
||||
- sync.yaml
|
||||
|
||||
patchesStrategicMerge:
|
||||
- kubectl-patch.yaml
|
||||
|
||||
vars:
|
||||
- name: KUBE_SECRET
|
||||
objref:
|
||||
|
|
|
|||
|
|
@ -7,6 +7,9 @@ commonLabels:
|
|||
resources:
|
||||
- sync.yaml
|
||||
|
||||
patchesStrategicMerge:
|
||||
- kubectl-patch.yaml
|
||||
|
||||
vars:
|
||||
- name: KUBE_SECRET
|
||||
objref:
|
||||
|
|
|
|||
|
|
@ -14,7 +14,6 @@ bases:
|
|||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- kubectl-patch.yaml
|
||||
- reconcile-patch.yaml
|
||||
|
||||
## uncomment if using encrypted-secret.yaml
|
||||
|
|
|
|||
|
|
@ -5,3 +5,12 @@ kind: AzureIdentity
|
|||
metadata:
|
||||
name: credentials-sync # if this is changed, also change in config-patches.yaml
|
||||
namespace: flux-system
|
||||
---
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
kind: AzureIdentityBinding
|
||||
metadata:
|
||||
name: credentials-sync # this can have a different name, but it's nice to keep them the same
|
||||
namespace: flux-system
|
||||
spec:
|
||||
azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
|
|
|
|||
|
|
@ -14,7 +14,6 @@ resources:
|
|||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- kubectl-patch.yaml
|
||||
- reconcile-patch.yaml
|
||||
|
||||
vars:
|
||||
|
|
|
|||
|
|
@ -1,3 +1,7 @@
|
|||
varReference:
|
||||
- path: spec/jobTemplate/spec/template/metadata/labels
|
||||
kind: Deployment
|
||||
kind: CronJob
|
||||
- path: spec/azureIdentity
|
||||
kind: AzureIdentityBinding
|
||||
- path: spec/selector
|
||||
kind: AzureIdentityBinding
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@ spec:
|
|||
spec:
|
||||
containers:
|
||||
- name: sync
|
||||
image: aws/aws-cli
|
||||
image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine
|
||||
env:
|
||||
- name: RECONCILE_SH
|
||||
value: |-
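Review bot: The new `image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine` line uses a floating tag, so the content of the `sync` container (which, going by the manifest names, presumably handles registry credentials) can change without any change in this repository. Pin it to a released version and digest, for example `image: gcr.io/google.com/cloudsdktool/cloud-sdk:<VERSION>-alpine@sha256:<DIGEST>`, where both placeholders are filled in from the registry. The same line appears in the later `@ -9,7 +9,7 @@ spec:` hunk, and the container spec continues outside both hunks.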
|
||||
|
|
|
|||
|
|
@ -14,7 +14,6 @@ bases:
|
|||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- kubectl-patch.yaml
|
||||
- reconcile-patch.yaml
|
||||
|
||||
## uncomment if using encrypted-secret.yaml
|
||||
|
|
|
|||
|
|
@ -5,3 +5,12 @@ kind: AzureIdentity
|
|||
metadata:
|
||||
name: credentials-sync # if this is changed, also change in config-patches.yaml
|
||||
namespace: flux-system
|
||||
---
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
kind: AzureIdentityBinding
|
||||
metadata:
|
||||
name: credentials-sync # this can have a different name, but it's nice to keep them the same
|
||||
namespace: flux-system
|
||||
spec:
|
||||
azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
|
||||
|
|
|
|||
|
|
@ -1,28 +0,0 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: credentials-sync
|
||||
namespace: flux-system
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
initContainers:
|
||||
- image: bitnami/kubectl
|
||||
name: copy-kubectl
|
||||
# it's okay to do this because kubectl is a statically linked binary
|
||||
command:
|
||||
- sh
|
||||
- -ceu
|
||||
- cp $(which kubectl) /kbin/
|
||||
resources: {}
|
||||
volumeMounts:
|
||||
- name: kbin
|
||||
mountPath: /kbin
|
||||
containers:
|
||||
- name: sync
|
||||
volumeMounts:
|
||||
- name: kbin
|
||||
mountPath: /kbin
|
||||
volumes:
|
||||
- name: kbin
|
||||
emptyDir: {}
|
||||
|
|
@ -14,7 +14,6 @@ resources:
|
|||
|
||||
patchesStrategicMerge:
|
||||
- config-patches.yaml
|
||||
- kubectl-patch.yaml
|
||||
- reconcile-patch.yaml
|
||||
|
||||
vars:
|
||||
|
|
|
|||
|
|
@ -1,3 +1,7 @@
|
|||
varReference:
|
||||
- path: spec/template/metadata/labels
|
||||
kind: Deployment
|
||||
- path: spec/azureIdentity
|
||||
kind: AzureIdentityBinding
|
||||
- path: spec/selector
|
||||
kind: AzureIdentityBinding
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ spec:
|
|||
spec:
|
||||
containers:
|
||||
- name: sync
|
||||
image: aws/aws-cli
|
||||
image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine
|
||||
env:
|
||||
- name: RECONCILE_SH
|
||||
value: |-
|
||||
|
|
|
|||