diff --git a/charts/flux2/Chart.yaml b/charts/flux2/Chart.yaml index 8f95ab3..dd49f81 100644 --- a/charts/flux2/Chart.yaml +++ b/charts/flux2/Chart.yaml @@ -1,6 +1,6 @@ annotations: artifacthub.io/changes: | - - "feat: add ingress resource for notificationController's receiver webhook service" + - "feat: adding CRD and RBAC annotation option" apiVersion: v2 appVersion: 2.1.2 description: A Helm chart for flux2 @@ -8,4 +8,4 @@ name: flux2 sources: - https://github.com/fluxcd-community/helm-charts type: application -version: 2.11.0 +version: 2.11.1 diff --git a/charts/flux2/README.md b/charts/flux2/README.md index 0828685..88b4d0e 100644 --- a/charts/flux2/README.md +++ b/charts/flux2/README.md @@ -22,6 +22,7 @@ This helm chart is maintained and released by the fluxcd-community on a best eff | cli.tag | string | `"v2.1.2"` | | | cli.tolerations | list | `[]` | | | clusterDomain | string | `"cluster.local"` | | +| crds.annotations | object | `{}` | Add annotations to all CRD resources, e.g. "helm.sh/resource-policy": keep | | extraObjects | list | `[]` | Array of extra K8s manifests to deploy | | helmController.affinity | object | `{}` | | | helmController.annotations."prometheus.io/port" | string | `"8080"` | | @@ -146,6 +147,7 @@ This helm chart is maintained and released by the fluxcd-community on a best eff | prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].action | string | `"keep"` | | | prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].regex | string | `"Running"` | | | prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].sourceLabels[0] | string | `"__meta_kubernetes_pod_phase"` | | +| rbac.annotations | object | `{}` | Add annotations to all RBAC resources, e.g. "helm.sh/resource-policy": keep | | rbac.create | bool | `true` | | | rbac.createAggregation | bool | `true` | Grant the Kubernetes view, edit and admin roles access to Flux custom resources | | sourceController.affinity | object | `{}` | | 
diff --git a/charts/flux2/templates/aggregate-clusterroles.yaml b/charts/flux2/templates/aggregate-clusterroles.yaml index cd381e8..432895b 100644 --- a/charts/flux2/templates/aggregate-clusterroles.yaml +++ b/charts/flux2/templates/aggregate-clusterroles.yaml @@ -2,6 +2,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + {{- with .Values.rbac.annotations }} + annotations: {{ toYaml . | nindent 4 }} + {{- end }} name: flux-edit labels: rbac.authorization.k8s.io/aggregate-to-edit: "true" diff --git a/charts/flux2/templates/cluster-reconciler-clusterrolebinding.yaml b/charts/flux2/templates/cluster-reconciler-clusterrolebinding.yaml index b0a9138..0228c1b 100644 --- a/charts/flux2/templates/cluster-reconciler-clusterrolebinding.yaml +++ b/charts/flux2/templates/cluster-reconciler-clusterrolebinding.yaml @@ -2,6 +2,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + {{- with .Values.rbac.annotations }} + annotations: {{ toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/instance: {{ .Release.Namespace | quote }} app.kubernetes.io/managed-by: {{ .Release.Service | quote }} diff --git a/charts/flux2/templates/cluster-reconciler-impersonator-clusterrole.yaml b/charts/flux2/templates/cluster-reconciler-impersonator-clusterrole.yaml index ef756cf..e77c13e 100644 --- a/charts/flux2/templates/cluster-reconciler-impersonator-clusterrole.yaml +++ b/charts/flux2/templates/cluster-reconciler-impersonator-clusterrole.yaml @@ -2,6 +2,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + {{- with .Values.rbac.annotations }} + annotations: {{ toYaml . | nindent 4 }} + {{- end }} name: cluster-reconciler-impersonator labels: app.kubernetes.io/instance: {{ .Release.Namespace | quote }} diff --git a/charts/flux2/templates/cluster-reconciler-impersonator-clusterrolebinding.yaml b/charts/flux2/templates/cluster-reconciler-impersonator-clusterrolebinding.yaml index 9b07043..588c7d4 100644 
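Review bot: Only the `flux-edit` ClusterRole at the top of `aggregate-clusterroles.yaml` receives the `rbac.annotations` block. The file has a single hunk, so any further ClusterRole defined below it would render without the annotations; the file name is plural, but the rest of the file is not visible here. The README row and the values comment both promise "all RBAC resources", so either repeat the same three lines (`{{- with .Values.rbac.annotations }}`, `annotations: {{ toYaml . | nindent 4 }}`, `{{- end }}`) under each further `metadata:` or narrow the wording.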
--- a/charts/flux2/templates/cluster-reconciler-impersonator-clusterrolebinding.yaml +++ b/charts/flux2/templates/cluster-reconciler-impersonator-clusterrolebinding.yaml @@ -2,6 +2,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + {{- with .Values.rbac.annotations }} + annotations: {{ toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/instance: {{ .Release.Namespace | quote }} app.kubernetes.io/managed-by: {{ .Release.Service | quote }} diff --git a/charts/flux2/templates/crd-controller-clusterrole.yaml b/charts/flux2/templates/crd-controller-clusterrole.yaml index 50171cb..cea0a1c 100644 --- a/charts/flux2/templates/crd-controller-clusterrole.yaml +++ b/charts/flux2/templates/crd-controller-clusterrole.yaml @@ -2,6 +2,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + {{- with .Values.rbac.annotations }} + annotations: {{ toYaml . | nindent 4 }} + {{- end }} name: crd-controller labels: app.kubernetes.io/instance: {{ .Release.Namespace | quote }} diff --git a/charts/flux2/templates/crd-controller-clusterrolebinding.yaml b/charts/flux2/templates/crd-controller-clusterrolebinding.yaml index a9c7cbc..51e716f 100644 --- a/charts/flux2/templates/crd-controller-clusterrolebinding.yaml +++ b/charts/flux2/templates/crd-controller-clusterrolebinding.yaml @@ -2,6 +2,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + {{- with .Values.rbac.annotations }} + annotations: {{ toYaml . | nindent 4 }} + {{- end }} name: crd-controller labels: app.kubernetes.io/instance: {{ .Release.Namespace | quote }} diff --git a/charts/flux2/templates/helm-controller.crds.yaml b/charts/flux2/templates/helm-controller.crds.yaml index 751745a..7dde6cc 100644 --- a/charts/flux2/templates/helm-controller.crds.yaml +++ b/charts/flux2/templates/helm-controller.crds.yaml 
@@ -4,6 +4,9 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.12.0 + {{- with .Values.crds.annotations }} + {{- . | toYaml | nindent 4 }} + {{- end }} labels: app.kubernetes.io/component: helm-controller app.kubernetes.io/instance: '{{ .Release.Namespace }}' diff --git a/charts/flux2/templates/image-automation-controller.crds.yaml b/charts/flux2/templates/image-automation-controller.crds.yaml index a8031f4..53b711e 100644 --- a/charts/flux2/templates/image-automation-controller.crds.yaml +++ b/charts/flux2/templates/image-automation-controller.crds.yaml @@ -4,6 +4,9 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.12.0 + {{- with .Values.crds.annotations }} + {{- . | toYaml | nindent 4 }} + {{- end }} labels: app.kubernetes.io/component: image-automation-controller app.kubernetes.io/instance: '{{ .Release.Namespace }}' diff --git a/charts/flux2/templates/image-reflector-controller.crds.yaml b/charts/flux2/templates/image-reflector-controller.crds.yaml index b87376c..fb30088 100644 --- a/charts/flux2/templates/image-reflector-controller.crds.yaml +++ b/charts/flux2/templates/image-reflector-controller.crds.yaml @@ -4,6 +4,9 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.12.0 + {{- with .Values.crds.annotations }} + {{- . | toYaml | nindent 4 }} + {{- end }} labels: app.kubernetes.io/component: image-reflector-controller app.kubernetes.io/instance: '{{ .Release.Namespace }}' @@ -413,6 +416,9 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.12.0 + {{- with .Values.crds.annotations }} + {{- . | toYaml | nindent 4 }} + {{- end }} labels: app.kubernetes.io/component: image-reflector-controller app.kubernetes.io/instance: '{{ .Release.Namespace }}' 
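Review bot: These CRD manifests carry `controller-gen.kubebuilder.io/version: v0.12.0`, which suggests they are generated, so the hand-inserted `{{- with .Values.crds.annotations }}` block may be dropped the next time they are regenerated; nothing in this diff touches a regeneration step. The same block is repeated in every CRD hunk of this commit (image-automation, image-reflector, kustomize, notification and source controllers), and no helm-unittest case sets `crds.annotations`, so a lost block would go unnoticed. I would add one case that sets `crds.annotations` to `"helm.sh/resource-policy": keep` and asserts that the key is rendered next to the controller-gen annotation. Separately, a user-supplied key equal to `controller-gen.kubebuilder.io/version` would appear twice under `annotations:`, which is worth a word in the values comment.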
diff --git a/charts/flux2/templates/kustomize-controller.crds.yaml b/charts/flux2/templates/kustomize-controller.crds.yaml index b3f2035..433cce6 100644 --- a/charts/flux2/templates/kustomize-controller.crds.yaml +++ b/charts/flux2/templates/kustomize-controller.crds.yaml @@ -4,6 +4,9 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.12.0 + {{- with .Values.crds.annotations }} + {{- . | toYaml | nindent 4 }} + {{- end }} labels: app.kubernetes.io/component: kustomize-controller app.kubernetes.io/instance: '{{ .Release.Namespace }}' diff --git a/charts/flux2/templates/notification-controller.crds.yaml b/charts/flux2/templates/notification-controller.crds.yaml index b2d7077..732422b 100644 --- a/charts/flux2/templates/notification-controller.crds.yaml +++ b/charts/flux2/templates/notification-controller.crds.yaml @@ -4,6 +4,9 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.12.0 + {{- with .Values.crds.annotations }} + {{- . | toYaml | nindent 4 }} + {{- end }} labels: app.kubernetes.io/instance: '{{ .Release.Namespace }}' app.kubernetes.io/managed-by: '{{ .Release.Service }}' @@ -442,6 +445,9 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.12.0 + {{- with .Values.crds.annotations }} + {{- . | toYaml | nindent 4 }} + {{- end }} labels: app.kubernetes.io/instance: '{{ .Release.Namespace }}' app.kubernetes.io/managed-by: '{{ .Release.Service }}' @@ -854,6 +860,9 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.12.0 + {{- with .Values.crds.annotations }} + {{- . | toYaml | nindent 4 }} + {{- end }} labels: app.kubernetes.io/instance: '{{ .Release.Namespace }}' app.kubernetes.io/managed-by: '{{ .Release.Service }}' diff --git a/charts/flux2/templates/source-controller.crds.yaml b/charts/flux2/templates/source-controller.crds.yaml index bb1fdda..40f0e7c 100644 
--- a/charts/flux2/templates/source-controller.crds.yaml +++ b/charts/flux2/templates/source-controller.crds.yaml @@ -4,6 +4,9 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.12.0 + {{- with .Values.crds.annotations }} + {{- . | toYaml | nindent 4 }} + {{- end }} labels: app.kubernetes.io/component: source-controller app.kubernetes.io/instance: '{{ .Release.Namespace }}' @@ -524,6 +527,9 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.12.0 + {{- with .Values.crds.annotations }} + {{- . | toYaml | nindent 4 }} + {{- end }} labels: app.kubernetes.io/component: source-controller app.kubernetes.io/instance: '{{ .Release.Namespace }}' @@ -1727,6 +1733,9 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.12.0 + {{- with .Values.crds.annotations }} + {{- . | toYaml | nindent 4 }} + {{- end }} labels: app.kubernetes.io/component: source-controller app.kubernetes.io/instance: '{{ .Release.Namespace }}' @@ -2325,6 +2334,9 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.12.0 + {{- with .Values.crds.annotations }} + {{- . | toYaml | nindent 4 }} + {{- end }} labels: app.kubernetes.io/component: source-controller app.kubernetes.io/instance: '{{ .Release.Namespace }}' @@ -2851,6 +2863,9 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.12.0 + {{- with .Values.crds.annotations }} + {{- . | toYaml | nindent 4 }} + {{- end }} labels: app.kubernetes.io/component: source-controller app.kubernetes.io/instance: '{{ .Release.Namespace }}' diff --git a/charts/flux2/tests/__snapshot__/helm-controller_test.yaml.snap b/charts/flux2/tests/__snapshot__/helm-controller_test.yaml.snap index cc574a3..5e003e4 100644 --- a/charts/flux2/tests/__snapshot__/helm-controller_test.yaml.snap +++ b/charts/flux2/tests/__snapshot__/helm-controller_test.yaml.snap 
@@ -10,7 +10,7 @@ should match snapshot of default values: app.kubernetes.io/part-of: flux app.kubernetes.io/version: 2.1.2 control-plane: controller - helm.sh/chart: flux2-2.11.0 + helm.sh/chart: flux2-2.11.1 labeltestkey: labeltestvalue labeltestkey2: labeltestvalue2 name: helm-controller diff --git a/charts/flux2/tests/__snapshot__/image-automation-controller_test.yaml.snap b/charts/flux2/tests/__snapshot__/image-automation-controller_test.yaml.snap index a1be71c..b1cde2a 100644 --- a/charts/flux2/tests/__snapshot__/image-automation-controller_test.yaml.snap +++ b/charts/flux2/tests/__snapshot__/image-automation-controller_test.yaml.snap @@ -10,7 +10,7 @@ should match snapshot of default values: app.kubernetes.io/part-of: flux app.kubernetes.io/version: 2.1.2 control-plane: controller - helm.sh/chart: flux2-2.11.0 + helm.sh/chart: flux2-2.11.1 name: image-automation-controller spec: replicas: 1 diff --git a/charts/flux2/tests/__snapshot__/image-reflector-controller_test.yaml.snap b/charts/flux2/tests/__snapshot__/image-reflector-controller_test.yaml.snap index 943c503..5bfc5de 100644 --- a/charts/flux2/tests/__snapshot__/image-reflector-controller_test.yaml.snap +++ b/charts/flux2/tests/__snapshot__/image-reflector-controller_test.yaml.snap @@ -10,7 +10,7 @@ should match snapshot of default values: app.kubernetes.io/part-of: flux app.kubernetes.io/version: 2.1.2 control-plane: controller - helm.sh/chart: flux2-2.11.0 + helm.sh/chart: flux2-2.11.1 name: image-reflector-controller spec: replicas: 1 diff --git a/charts/flux2/tests/__snapshot__/kustomize-controller-secret_test.yaml.snap b/charts/flux2/tests/__snapshot__/kustomize-controller-secret_test.yaml.snap index ab911ea..b991696 100644 --- a/charts/flux2/tests/__snapshot__/kustomize-controller-secret_test.yaml.snap +++ b/charts/flux2/tests/__snapshot__/kustomize-controller-secret_test.yaml.snap 
@@ -10,7 +10,7 @@ should match snapshot of default values: app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: flux app.kubernetes.io/version: 2.1.2 - helm.sh/chart: flux2-2.11.0 + helm.sh/chart: flux2-2.11.1 name: test1 namespace: NAMESPACE type: Opaque diff --git a/charts/flux2/tests/__snapshot__/kustomize-controller_test.yaml.snap b/charts/flux2/tests/__snapshot__/kustomize-controller_test.yaml.snap index 0395972..893b6b5 100644 --- a/charts/flux2/tests/__snapshot__/kustomize-controller_test.yaml.snap +++ b/charts/flux2/tests/__snapshot__/kustomize-controller_test.yaml.snap @@ -10,7 +10,7 @@ should match snapshot of default values: app.kubernetes.io/part-of: flux app.kubernetes.io/version: 2.1.2 control-plane: controller - helm.sh/chart: flux2-2.11.0 + helm.sh/chart: flux2-2.11.1 name: kustomize-controller spec: replicas: 1 diff --git a/charts/flux2/tests/__snapshot__/notification-controller_test.yaml.snap b/charts/flux2/tests/__snapshot__/notification-controller_test.yaml.snap index a332a24..7f6412e 100644 --- a/charts/flux2/tests/__snapshot__/notification-controller_test.yaml.snap +++ b/charts/flux2/tests/__snapshot__/notification-controller_test.yaml.snap @@ -10,7 +10,7 @@ should match snapshot of default values: app.kubernetes.io/part-of: flux app.kubernetes.io/version: 2.1.2 control-plane: controller - helm.sh/chart: flux2-2.11.0 + helm.sh/chart: flux2-2.11.1 name: notification-controller spec: replicas: 1 diff --git a/charts/flux2/tests/__snapshot__/pre-install-job_test.yaml.snap b/charts/flux2/tests/__snapshot__/pre-install-job_test.yaml.snap index e3cddba..7806cf8 100644 --- a/charts/flux2/tests/__snapshot__/pre-install-job_test.yaml.snap +++ b/charts/flux2/tests/__snapshot__/pre-install-job_test.yaml.snap 
@@ -12,7 +12,7 @@ should match snapshot of default values: app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: flux app.kubernetes.io/version: 2.1.2 - helm.sh/chart: flux2-2.11.0 + helm.sh/chart: flux2-2.11.1 name: RELEASE-NAME-flux-check spec: backoffLimit: 1 @@ -23,7 +23,7 @@ should match snapshot of default values: app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: flux app.kubernetes.io/version: 2.1.2 - helm.sh/chart: flux2-2.11.0 + helm.sh/chart: flux2-2.11.1 name: RELEASE-NAME spec: automountServiceAccountToken: true diff --git a/charts/flux2/tests/__snapshot__/source-controller_test.yaml.snap b/charts/flux2/tests/__snapshot__/source-controller_test.yaml.snap index 196457c..de3035c 100644 --- a/charts/flux2/tests/__snapshot__/source-controller_test.yaml.snap +++ b/charts/flux2/tests/__snapshot__/source-controller_test.yaml.snap @@ -10,7 +10,7 @@ should match snapshot of default values: app.kubernetes.io/part-of: flux app.kubernetes.io/version: 2.1.2 control-plane: controller - helm.sh/chart: flux2-2.11.0 + helm.sh/chart: flux2-2.11.1 name: source-controller spec: replicas: 1 diff --git a/charts/flux2/tests/cluster-reconciler-clusterrolebinding_test.yaml b/charts/flux2/tests/cluster-reconciler-clusterrolebinding_test.yaml index 41b1338..184b900 100644 --- a/charts/flux2/tests/cluster-reconciler-clusterrolebinding_test.yaml +++ b/charts/flux2/tests/cluster-reconciler-clusterrolebinding_test.yaml @@ -28,4 +28,13 @@ tests: multitenancy.privileged: false asserts: - hasDocuments: - count: 1 \ No newline at end of file + count: 1 + - it: should add annotations to the resource + set: + rbac.annotations: + "helm.sh/resource-policy": keep + asserts: + - equal: + path: metadata.annotations + value: + helm.sh/resource-policy: keep \ No newline at end of file diff --git a/charts/flux2/tests/cluster-reconciler-impersonator-clusterrole_test.yaml b/charts/flux2/tests/cluster-reconciler-impersonator-clusterrole_test.yaml index c75128a..d79d35e 100644 
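Review bot: The case added to `cluster-reconciler-clusterrolebinding_test.yaml` pins only the annotated render. Nothing asserts that `metadata.annotations` is absent when `rbac.annotations` stays at its default `{}`, which is the path every existing install takes through the new `with` guard. A second case without the `set:` override, using an `isNull` or `notExists` style assertion on `path: metadata.annotations` (whichever the helm-unittest version in use provides), would cover it. The same block is also added to `aggregate-clusterroles.yaml`, `crd-controller-clusterrole.yaml` and `crd-controller-clusterrolebinding.yaml`, yet no suite in this diff exercises them. The added lines also still end with `\ No newline at end of file`, while the two sibling suites gain their final newline in this commit.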
--- a/charts/flux2/tests/cluster-reconciler-impersonator-clusterrole_test.yaml +++ b/charts/flux2/tests/cluster-reconciler-impersonator-clusterrole_test.yaml @@ -28,4 +28,15 @@ tests: multitenancy.privileged: false asserts: - hasDocuments: - count: 1 \ No newline at end of file + count: 1 + - it: should add annotations to the resource + set: + multitenancy.enabled: true + multitenancy.privileged: false + rbac.annotations: + "helm.sh/resource-policy": keep + asserts: + - equal: + path: metadata.annotations + value: + helm.sh/resource-policy: keep diff --git a/charts/flux2/tests/cluster-reconciler-impersonator-clusterrolebinding.yaml b/charts/flux2/tests/cluster-reconciler-impersonator-clusterrolebinding.yaml index 7c62582..a7bb06c 100644 --- a/charts/flux2/tests/cluster-reconciler-impersonator-clusterrolebinding.yaml +++ b/charts/flux2/tests/cluster-reconciler-impersonator-clusterrolebinding.yaml @@ -28,4 +28,15 @@ tests: multitenancy.privileged: false asserts: - hasDocuments: - count: 1 \ No newline at end of file + count: 1 + - it: should add annotations to the resource + set: + multitenancy.enabled: true + multitenancy.privileged: false + rbac.annotations: + "helm.sh/resource-policy": keep + asserts: + - equal: + path: metadata.annotations + value: + helm.sh/resource-policy: keep diff --git a/charts/flux2/values.yaml b/charts/flux2/values.yaml index 1e02c24..3815b41 100644 --- a/charts/flux2/values.yaml +++ b/charts/flux2/values.yaml @@ -1,6 +1,9 @@ # global installCRDs: true +crds: + # -- Add annotations to all CRD resources, e.g. "helm.sh/resource-policy": keep + annotations: {} multitenancy: # -- Implement the patches for Multi-tenancy lockdown. @@ -273,6 +276,8 @@ rbac: create: true # -- Grant the Kubernetes view, edit and admin roles access to Flux custom resources createAggregation: true + # -- Add annotations to all RBAC resources, e.g. "helm.sh/resource-policy": keep + annotations: {} logLevel: info watchAllNamespaces: true
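Review bot: The case added to `tests/cluster-reconciler-impersonator-clusterrolebinding.yaml` may never run, because the file name lacks the `_test.yaml` suffix that the other suites carry and helm-unittest's default discovery pattern is `tests/*_test.yaml`. Unless the CI invocation passes its own file glob, which is not visible in this diff, the binding's annotation rendering is effectively untested. Renaming the file to `cluster-reconciler-impersonator-clusterrolebinding_test.yaml` in this commit would bring both the existing cases and the new one into the run.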
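Review bot: The `rbac.annotations` comment in the second `values.yaml` hunk offers `"helm.sh/resource-policy": keep` as its example without stating the consequence: ClusterRoles and ClusterRoleBindings annotated this way stay in the cluster after `helm uninstall`. This commit applies the value to the cluster-reconciler and impersonator bindings, so a retained binding keeps granting its role to the named subjects, including to any service account later recreated under the same name and namespace. I would extend the comment to `# -- Add annotations to all RBAC resources, e.g. "helm.sh/resource-policy": keep. Kept ClusterRoles/ClusterRoleBindings survive uninstall and must be deleted manually.` The README row looks generated from this comment, so it should be regenerated to match.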