Added support for Flux with self-managed CRDs (#1811)

elastisys · Oct 10, 2023 · de2875d · de2875d
1 parent 11d02fd
commit de2875d
Show file tree

Hide file tree

Showing 6 changed files with 103 additions and 0 deletions.
diff --git a/WIP-CHANGELOG.md b/WIP-CHANGELOG.md
@@ -4,6 +4,7 @@
 
 - Add support for self-managed CRDs (preview)
  - Add support for SealedSecrets and MongoDB
+ - Add support for Flux
 - Add application developer service account kube-config for devs
  - Enabled developers to easily create a kube-config to act as an application developer
 - Dashboard showing how spread out pods are across nodes or zones

diff --git a/config/config/wc-config.yaml b/config/config/wc-config.yaml
@@ -56,6 +56,10 @@ user:
  # Requires that gatekeeper.allowUserCRDs.enabled is enabled.
  mongodb:
  enabled: false
+ # Installs required cluster resources needed to install fluxv2
+ # Requires that gatekeeper.allowUserCRDs.enabled is enabled.
+ fluxv2:
+ enabled: false
 falco:
  ## Falco alerting configuration.
  alerts:

diff --git a/helmfile/50-applications.yaml b/helmfile/50-applications.yaml
@@ -684,6 +684,7 @@ releases:
  - values/userCRDs/common.yaml.gotmpl
  - values/userCRDs/bitnami/sealedsecrets.yaml.gotmpl
  - values/userCRDs/mongodbcommunity/mongodb.yaml.gotmpl
+ - values/userCRDs/flux/fluxv2.yaml.gotmpl
 
 # hierarchical namespace controller
 - name: hnc-controller

diff --git a/helmfile/values/user-rbac.yaml.gotmpl b/helmfile/values/user-rbac.yaml.gotmpl
@@ -27,6 +27,21 @@ userCRDs:
  {{- if .Values.user.mongodb.enabled }}
  - mongodbcommunity.mongodbcommunity.mongodb.com
  {{- end }}
+ {{- if .Values.user.fluxv2.enabled }}
+ - helmreleases.helm.toolkit.fluxcd.io
+ - imageupdateautomations.image.toolkit.fluxcd.io
+ - imagepolicies.image.toolkit.fluxcd.io
+ - imagerepositories.image.toolkit.fluxcd.io
+ - kustomizations.kustomize.toolkit.fluxcd.io
+ - alerts.notification.toolkit.fluxcd.io
+ - providers.notification.toolkit.fluxcd.io
+ - receivers.notification.toolkit.fluxcd.io
+ - buckets.source.toolkit.fluxcd.io
+ - gitrepositories.source.toolkit.fluxcd.io
+ - helmcharts.source.toolkit.fluxcd.io
+ - helmrepositories.source.toolkit.fluxcd.io
+ - ocirepositories.source.toolkit.fluxcd.io
+ {{- end }}
  {{- range .Values.gatekeeper.allowUserCRDs.extraCRDs }}
  {{- toYaml .names | nindent 4 }}
  {{- end }}
diff --git a/helmfile/values/userCRDs/flux/fluxv2.yaml.gotmpl b/helmfile/values/userCRDs/flux/fluxv2.yaml.gotmpl
@@ -0,0 +1,57 @@
+{{- if .Values.user.fluxv2.enabled }}
+clusterRoles:
+ crd-controller:
+ rules:
+ - apiGroups:
+ - source.toolkit.fluxcd.io
+ - kustomize.toolkit.fluxcd.io
+ - helm.toolkit.fluxcd.io
+ - notification.toolkit.fluxcd.io
+ - image.toolkit.fluxcd.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+clusterRoleBindings:
+ crd-controller:
+ roleRef:
+ name: crd-controller
+ subjects:
+ - kind: ServiceAccount
+ name: kustomize-controller
+ namespace: flux-system
+ - kind: ServiceAccount
+ name: helm-controller
+ namespace: flux-system
+ - kind: ServiceAccount
+ name: source-controller
+ namespace: flux-system
+ - kind: ServiceAccount
+ name: notification-controller
+ namespace: flux-system
+ - kind: ServiceAccount
+ name: image-reflector-controller
+ namespace: flux-system
+ - kind: ServiceAccount
+ name: image-automation-controller
+ namespace: flux-system
+ flux-admin:
+ roleRef:
+ name: crd-controller
+ subjects:
+ {{- range $user := .Values.user.adminUsers }}
+ - apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: {{ $user }}
+ {{- end }}
+ {{- range $group := $.Values.user.adminGroups }}
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: {{ $group }}
+ {{- end }}
+ {{- range $serviceAccount := .Values.user.serviceAccounts }}
+ - kind: ServiceAccount
+ name: {{ $serviceAccount }}
+ namespace: default
+ {{- end }}
+{{- end }}
diff --git a/helmfile/values/userCRDs/userCRDs.yaml.gotmpl b/helmfile/values/userCRDs/userCRDs.yaml.gotmpl
@@ -22,6 +22,31 @@ userCRDs:
  - mongodbcommunity.mongodbcommunity.mongodb.com
  group: mongodbcommunity.mongodb.com
  {{- end }}
+ {{- if .Values.user.fluxv2.enabled }}
+ - names:
+ - helmreleases.helm.toolkit.fluxcd.io
+ group: helm.toolkit.fluxcd.io
+ - names:
+ - imageupdateautomations.image.toolkit.fluxcd.io
+ - imagepolicies.image.toolkit.fluxcd.io
+ - imagerepositories.image.toolkit.fluxcd.io
+ group: image.toolkit.fluxcd.io
+ - names:
+ - kustomizations.kustomize.toolkit.fluxcd.io
+ group: kustomize.toolkit.fluxcd.io
+ - names:
+ - alerts.notification.toolkit.fluxcd.io
+ - providers.notification.toolkit.fluxcd.io
+ - receivers.notification.toolkit.fluxcd.io
+ group: notification.toolkit.fluxcd.io
+ - names:
+ - buckets.source.toolkit.fluxcd.io
+ - gitrepositories.source.toolkit.fluxcd.io
+ - helmcharts.source.toolkit.fluxcd.io
+ - helmrepositories.source.toolkit.fluxcd.io
+ - ocirepositories.source.toolkit.fluxcd.io
+ group: source.toolkit.fluxcd.io
+ {{- end }}
  {{- if .Values.gatekeeper.allowUserCRDs.extraCRDs }}
  {{- toYaml .Values.gatekeeper.allowUserCRDs.extraCRDs | nindent 4 }}
  {{- end }}