Merge pull request #124 from stefanprodan/flux-2.7

Update Flux to v2.7.3

Author: stefanprodan

.github/workflows/e2e.yaml

@@ -27,7 +27,7 @@ jobs:
           - 5000:5000
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
       - name: Set up Homebrew
         uses: Homebrew/actions/setup-homebrew@master
       - name: Install tools
@@ -74,6 +74,7 @@ jobs:
       - name: Debug failure
         if: failure()
         run: |
+          kubectl -n kube-system get pods
           kubectl -n flux-system get pods
           kubectl -n flux-system get gitrepository -oyaml
           kubectl -n flux-system get kustomization -oyaml

.github/workflows/push.yaml

@@ -15,15 +15,17 @@ jobs:
       packages: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
       - name: Setup Timoni
         uses: stefanprodan/timoni/actions/setup@main
       - name: Setup Flux CLI
         uses: fluxcd/flux2/action@main
       - name: Setup Cosign
         uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: v2.6.1
       - name: Login to GHCR
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/test.yaml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
       - name: Set up Homebrew
         uses: Homebrew/actions/setup-homebrew@master
       - name: Install tools

Makefile

@@ -96,14 +96,55 @@ import-crds: ## Update Flux API CUE definitions
 	@rm crds.yaml
 
 .PHONY: vendor-crds
-vendor-crds: ## Update Flux CRDs for Git sync
+vendor-crds: vendor-crds-git vendor-crds-oci vendor-crds-helm  ## Update CRDs for all modules
+
+.PHONY: vendor-crds-git
+vendor-crds-git: ## Update CRDs for flux-git-sync module
 	@cd modules/flux-git-sync
 	@timoni mod vendor crds -f https://github.com/fluxcd/flux2/releases/download/$(VERSION)/install.yaml
 	@cd cue.mod/gen
-	@rm -rf image.toolkit.fluxcd.io helm.toolkit.fluxcd.io notification.toolkit.fluxcd.io
-	@rm -rf kustomize.toolkit.fluxcd.io/kustomization/v1beta1 kustomize.toolkit.fluxcd.io/kustomization/v1beta2
-	@rm -rf source.toolkit.fluxcd.io/gitrepository/v1beta1 source.toolkit.fluxcd.io/gitrepository/v1beta2
-	@rm -rf source.toolkit.fluxcd.io/bucket source.toolkit.fluxcd.io/ocirepository source.toolkit.fluxcd.io/helmrepository source.toolkit.fluxcd.io/helmchart
+	@rm -rf image.toolkit.fluxcd.io \
+	helm.toolkit.fluxcd.io \
+	notification.toolkit.fluxcd.io \
+	kustomize.toolkit.fluxcd.io/kustomization/v1beta2 \
+	source.toolkit.fluxcd.io/gitrepository/v1beta2 \
+	source.toolkit.fluxcd.io/bucket \
+	source.toolkit.fluxcd.io/ocirepository \
+	source.toolkit.fluxcd.io/helmrepository \
+	source.toolkit.fluxcd.io/helmchart \
+	source.toolkit.fluxcd.io/externalartifact
+
+.PHONY: vendor-crds-oci
+vendor-crds-oci: ## Update CRDs for flux-oci-sync module
+	@cd modules/flux-oci-sync
+	@timoni mod vendor crds -f https://github.com/fluxcd/flux2/releases/download/$(VERSION)/install.yaml
+	@cd cue.mod/gen
+	@rm -rf image.toolkit.fluxcd.io \
+	helm.toolkit.fluxcd.io \
+	notification.toolkit.fluxcd.io \
+	kustomize.toolkit.fluxcd.io/kustomization/v1beta2 \
+	source.toolkit.fluxcd.io/ocirepository/v1beta2 \
+	source.toolkit.fluxcd.io/bucket \
+	source.toolkit.fluxcd.io/gitrepository \
+	source.toolkit.fluxcd.io/helmrepository \
+	source.toolkit.fluxcd.io/helmchart \
+	source.toolkit.fluxcd.io/externalartifact
+
+.PHONY: vendor-crds-helm
+vendor-crds-helm: ## Update CRDs for flux-helm-release module
+	@cd modules/flux-helm-release
+	@timoni mod vendor crds -f https://github.com/fluxcd/flux2/releases/download/$(VERSION)/install.yaml
+	@cd cue.mod/gen
+	@rm -rf image.toolkit.fluxcd.io \
+	kustomize.toolkit.fluxcd.io \
+	notification.toolkit.fluxcd.io \
+	helm.toolkit.fluxcd.io/helmrelease/v2beta2 \
+	source.toolkit.fluxcd.io/ocirepository/v1beta2 \
+	source.toolkit.fluxcd.io/helmrepository/v1beta2 \
+	source.toolkit.fluxcd.io/helmchart/v1beta2 \
+	source.toolkit.fluxcd.io/bucket \
+	source.toolkit.fluxcd.io/gitrepository \
+	source.toolkit.fluxcd.io/externalartifact
 
 .PHONY: list-images
 list-images:

README.md

@@ -1,6 +1,6 @@
 # flux-aio
 
-[![flux](https://img.shields.io/badge/flux-v2.6.4-9cf)](https://fluxcd.io)
+[![flux](https://img.shields.io/badge/flux-v2.7.3-9cf)](https://fluxcd.io)
 [![test](https://github.com/stefanprodan/flux-aio/workflows/test/badge.svg)](https://github.com/stefanprodan/flux-aio/actions)
 [![license](https://img.shields.io/github/license/stefanprodan/flux-aio.svg)](https://github.com/stefanprodan/flux-aio/blob/main/LICENSE)
 [![release](https://img.shields.io/github/release/stefanprodan/flux-aio/all.svg)](https://github.com/stefanprodan/flux-aio/releases)
@@ -18,7 +18,7 @@ This distribution is optimized for running [Flux](https://fluxcd.io) on:
 - Serverless clusters for cost optimisation (EKS Fargate)
 
 The versioning of this distribution follows semver with the following format:
-`<flux version>-<distribution release number>`, e.g. `2.6.4-0`.
+`<flux version>-<distribution release number>`, e.g. `2.7.3-0`.
 
 ## Documentation
 

modules/flux-aio/README.md

@@ -9,6 +9,14 @@ The communication between controllers happens on the loopback interface, hence
 Flux can function on clusters which don't have a CNI plugin installed.
 This allows Kubernetes operators to setup their clusters networking in a GitOps way.
 
+When running Flux AIO on the host network, the following ports must be available:
+
+- **Source Controller**: 9790-9792 (artifacts, metrics, health)
+- **Source Watcher**: 9691-9693 (artifacts, metrics, health)
+- **Kustomize Controller**: 9793-9794 (metrics, health)
+- **Helm Controller**: 9795-9796 (metrics, health)
+- **Notification Controller**: 9690, 9797-9799 (events, webhook, metrics, health)
+
 ### Prerequisites
 
 Install the Timoni CLI with:
@@ -100,15 +108,19 @@ flux -n flux-system uninstall
 | `controllers: helm: enabled`              | `bool`                         | `true`                                                 | Include the `helm-controller` component                                                                                                                         |
 | `controllers: helm: image:`               | `timoniv1.#Image`              | `repository: "ghcr.io/fluxcd/source-controller"`       | Container image, tag and digest                                                                                                                                 |
 | `controllers: helm: resources`            | `corev1.#ResourceRequirements` | `null`                                                 | Set resource requests and limits specific for the `helm-controller` container                                                                                   |
-| `controllers: helm: featureGates`         | `string`                       | `""`                                                   | Set controller [feature gates](https://fluxcd.io/flux/components/helm/options/#feature-gates) e.g. `DisableChartDigestTracking=true,OOMWatch=true`              |
+| `controllers: helm: featureGates`         | `string`                       | `"ExternalArtifact=true"`                              | Set controller [feature gates](https://fluxcd.io/flux/components/helm/options/#feature-gates) e.g. `DisableChartDigestTracking=true,OOMWatch=true`              |
 | `controllers: kustomize: enabled`         | `bool`                         | `true`                                                 | Include the `kustomize-controller` component                                                                                                                    |
 | `controllers: kustomize: image:`          | `timoniv1.#Image`              | `repository: "ghcr.io/fluxcd/kustomize-controller"`    | Container image, tag and digest                                                                                                                                 |
 | `controllers: kustomize: resources`       | `corev1.#ResourceRequirements` | `null`                                                 | Set resource requests and limits specific for the `kustomize-controller` container                                                                              |
-| `controllers: kustomize: featureGates`    | `string`                       | `""`                                                   | Set controller [feature gates](https://fluxcd.io/flux/components/kustomize/options/#feature-gates) e.g. `StrictPostBuildSubstitutions=true,GroupChangeLog=true` |
+| `controllers: kustomize: featureGates`    | `string`                       | `"ExternalArtifact=true"`                              | Set controller [feature gates](https://fluxcd.io/flux/components/kustomize/options/#feature-gates) e.g. `StrictPostBuildSubstitutions=true,GroupChangeLog=true` |
 | `controllers: notification: enabled`      | `bool`                         | `true`                                                 | Include the `notification-controller` component                                                                                                                 |
 | `controllers: notification: image:`       | `timoniv1.#Image`              | `repository: "ghcr.io/fluxcd/notification-controller"` | Container image, tag and digest                                                                                                                                 |
 | `controllers: notification: resources`    | `corev1.#ResourceRequirements` | `null`                                                 | Set resource requests and limits specific for the `notification-controller` container                                                                           |
 | `controllers: notification: featureGates` | `string`                       | `""`                                                   | Set controller [feature gates](https://fluxcd.io/flux/components/notification/options/#feature-gates) e.g. `ObjectLevelWorkloadIdentity=true`                   |
+| `controllers: watcher: enabled`           | `bool`                         | `true`                                                 | Include the `source-watcher` component                                                                                                                          |
+| `controllers: watcher: image:`            | `timoniv1.#Image`              | `repository: "ghcr.io/fluxcd/source-watcher"`          | Container image, tag and digest                                                                                                                                 |
+| `controllers: watcher: resources`         | `corev1.#ResourceRequirements` | `null`                                                 | Set resource requests and limits specific for the `source-watcher` container                                                                                    |
+| `controllers: watcher: featureGates`      | `string`                       | `""`                                                   | Set controller [feature gates](https://fluxcd.io/flux/components/source/options/)                                                                               |
 | `expose: webhookReceiver:`                | `bool`                         | `false`                                                | Create the `webhook-reciver` Kubernetes Service                                                                                                                 |
 | `expose: notificationServer:`             | `bool`                         | `false`                                                | Create the `notification-controller` Kubernetes Service                                                                                                         |
 | `expose: sourceServer:`                   | `bool`                         | `false`                                                | Create the `source-controller` Kubernetes Service                                                                                                               |

modules/flux-aio/cue.mod/pkg/timoni.sh/core/v1alpha1/image.cue

@@ -19,11 +19,11 @@ import (
 	// Tag identifies an image in the repository.
 	// A tag name may contain lowercase and uppercase characters, digits, underscores, periods and dashes.
 	// A tag name may not start with a period or a dash and may contain a maximum of 128 characters.
-	tag!: string & strings.MaxRunes(128)
+	tag: *"" | string & strings.MaxRunes(128)
 
 	// Digest uniquely and immutably identifies an image in the repository.
 	// Spec: https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests.
-	digest!: string
+	digest: *"" | string
 
 	// PullPolicy defines the pull policy for the image.
 	// By default, it is set to IfNotPresent.

modules/flux-aio/debug_values.cue

@@ -6,12 +6,12 @@ package main
 // Eval example:
 // cue -t debug -t name=flux -t namespace=flux-system -t mv=2.0.0 -t kv=1.28.0 eval -c -e timoni.instance.objects.deployment
 values: {
-	version: "v2.3.0"
+	version: "v2.7.3"
 	controllers: {
 		source: {
 			image: {
 				repository: "ghcr.io/fluxcd/source-controller"
-				tag:        "v1.3.0"
+				tag:        "v1.7.3"
 				digest:     ""
 			}
 			resources: {
@@ -29,7 +29,7 @@ values: {
 		kustomize: {
 			image: {
 				repository: "ghcr.io/fluxcd/kustomize-controller"
-				tag:        "v1.3.0"
+				tag:        "v1.7.2"
 				digest:     ""
 			}
 			resources: limits: {
@@ -40,7 +40,7 @@ values: {
 		notification: {
 			image: {
 				repository: "ghcr.io/fluxcd/notification-controller"
-				tag:        "v1.3.0"
+				tag:        "v1.7.4"
 				digest:     ""
 			}
 			resources: limits: {
@@ -52,14 +52,20 @@ values: {
 		helm: {
 			image: {
 				repository: "ghcr.io/fluxcd/helm-controller"
-				tag:        "v1.0.1"
+				tag:        "v1.4.3"
 				digest:     ""
 			}
 			resources: limits: {
 				cpu:    "2000m"
 				memory: "1Gi"
 			}
-			featureGates: "DisableChartDigestTracking=true,OOMWatch=true"
+			featureGates: "DisableChartDigestTracking=true,OOMWatch=true,ExternalArtifact=true"
+		}
+		watcher: {
+			image: {
+				repository: "ghcr.io/fluxcd/source-watcher"
+				tag:        "v2.0.2"
+			}
 		}
 	}
 	workload: {

modules/flux-aio/templates/config.cue

@@ -36,20 +36,26 @@ import (
 			enabled:      *true | bool
 			image:        timoniv1.#Image
 			resources?:   timoniv1.#ResourceRequirements
-			featureGates: *"" | string
+			featureGates: *"ExternalArtifact=true" | string
 		}
 		helm: {
 			enabled:      *true | bool
 			image:        timoniv1.#Image
 			resources?:   timoniv1.#ResourceRequirements
-			featureGates: *"" | string
+			featureGates: *"ExternalArtifact=true" | string
 		}
 		notification: {
 			enabled:      *true | bool
 			image:        timoniv1.#Image
 			resources?:   timoniv1.#ResourceRequirements
 			featureGates: *"" | string
 		}
+		watcher: {
+			enabled:      *true | bool
+			image:        timoniv1.#Image
+			resources?:   timoniv1.#ResourceRequirements
+			featureGates: *"" | string
+		}
 	}
 
 	expose: {
@@ -162,6 +168,9 @@ import (
 		if config.controllers.notification.enabled {
 			#NotificationController & {#config: config, _env: containerEnv}
 		},
+		if config.controllers.watcher.enabled {
+			#SourceWatcher & {#config: config, _env: containerEnv}
+		},
 	]
 
 	objects: [ID=_]: runtime.#Object