From 16d5f96c847f3d199669123426214e25c37e2836 Mon Sep 17 00:00:00 2001 From: serboctor Date: Sun, 30 Apr 2023 15:11:15 +0300 Subject: [PATCH 1/9] Upgrade Flux resources to work with Flux v2.0.0-rc.1 --- .../external-secrets/Bootstrapping-Guide.md | 24 +++++++++---------- .../secret-stores-kustomization.yaml | 5 ++-- .../templates/policy-library.yaml | 5 ++-- charts/weave-policy-agent/values.yaml | 10 ++++---- 4 files changed, 20 insertions(+), 24 deletions(-) diff --git a/charts/external-secrets/Bootstrapping-Guide.md b/charts/external-secrets/Bootstrapping-Guide.md index 6d941801..bc12d28d 100644 --- a/charts/external-secrets/Bootstrapping-Guide.md +++ b/charts/external-secrets/Bootstrapping-Guide.md @@ -10,9 +10,9 @@ In Flux, we can't have dependencies between Flux Kustomization and HelmRelease, Both controllers manage the resources independently, at different moments, with no possibility to wait for each other. This means that we have a wonderful race condition where sometimes the CRs (`SecretStore`,`ClusterSecretStore`...) tries to be deployed before than the CRDs needed to recognize them. -Reference: [https://external-secrets.io/v0.6.1/examples/gitops-using-fluxcd/](https://external-secrets.io/v0.6.1/examples/gitops-using-fluxcd/) +Reference: [https://external-secrets.io/v0.6.1/examples/gitops-using-fluxcd/](https://external-secrets.io/v0.6.1/examples/gitops-using-fluxcd/) + - ## The solution @@ -53,7 +53,7 @@ Let's see the conditions to start working on a solution: - ***cluster-secrets/cluster-secrets.yaml*** -This file will contain the main configurations and requirements to install secret management operator and all its dependencies +This file will contain the main configurations and requirements to install secret management operator and all its dependencies **Contents:** 
@@ -63,7 +63,7 @@ We will getting them from `external-secrets` repository ```yaml # GitRepository -apiVersion: source.toolkit.fluxcd.io/v1beta1 +apiVersion: source.toolkit.fluxcd.io/v1 kind: GitRepository metadata: name: external-secrets @@ -93,7 +93,7 @@ We will getting them from `external-secrets` repository as well ```yaml --- # external secrets crds -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: external-secrets-crds @@ -144,14 +144,14 @@ spec: --- ``` -4- External Secrets Secrets (CRs) +4- External Secrets Secrets (CRs) In this guide the secrets are in the same repository you can create as many CRs as you need, this is one secret for elaboration ```yaml --- # external secrets secrets -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: external-secrets-secrets @@ -166,7 +166,6 @@ spec: name: flux-system path: ./secrets prune: true - validation: client ``` - ***clusters/my-cluster/cluster-secrets*** @@ -176,7 +175,7 @@ This is the Kustomization file, the manifest of external secrets resources **Contents:** ```yaml -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: cluster-secrets @@ -188,7 +187,6 @@ spec: name: flux-system path: ../cluster-secrets prune: true - validation: client ``` - ***secrets/aws-secret-store.yaml*** @@ -330,7 +328,7 @@ kubectl create secret generic ssh-credentials --from-file=./identity --from-file **Goal**: To bootstrap the leaf cluster with flux installed & secret to authenticate ESO -**Structure** +**Structure** ```yaml ➜ wge-dev git:(main) tree 
@@ -364,7 +362,7 @@ kubectl create secret generic ssh-credentials --from-file=./identity --from-file
 └── prod
 ```
-**1- How to create the secret**
+**1- How to create the secret**
 - First when creating the management cluster we will need to create manually a secret for authenticating the SecretStore also we need to create`ClusterResourceSet` for the AWS secret to be able to bootstrap it to leaf cluster. This will be copied for bootstrap location as shown before.
@@ -433,7 +431,7 @@ For the cluster template we will need to add 2 labels
 i) `weave.works/flux: bootstrap` to match the booting clusters with the `**ClusterBootstrapConfig`** job
-ii) `secretmanager: aws` to match the the booting clusters with the `ClusterResourceSet` for the AWS secret
+ii) `secretmanager: aws` to match the the booting clusters with the `ClusterResourceSet` for the AWS secret
 Example for the template
diff --git a/charts/external-secrets/templates/secret-stores-kustomization.yaml b/charts/external-secrets/templates/secret-stores-kustomization.yaml
index 86afcb05..96ee9da1 100644
--- a/charts/external-secrets/templates/secret-stores-kustomization.yaml
+++ b/charts/external-secrets/templates/secret-stores-kustomization.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.secretStores.enabled }}
 {{- if not .Values.secretStores.sourceRef }}
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
 name: external-secrets
@@ -23,7 +23,7 @@ spec:
 {{- end }}
 {{- end }}
 ---
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
 name: external-secrets
@@ -41,5 +41,4 @@ spec:
 {{- end }}
 path: {{ .Values.secretStores.path }}
 prune: true
- validation: client
 {{- end }}
diff --git a/charts/weave-policy-agent/templates/policy-library.yaml b/charts/weave-policy-agent/templates/policy-library.yaml
index 116ca105..afd06893 100644
--- a/charts/weave-policy-agent/templates/policy-library.yaml
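Review bot: The two apiVersion lines now bind the rendered `GitRepository` and `Kustomization` to the Flux `v1` APIs (the subject names v2.0.0-rc.1), yet nothing in the chart records that requirement — the `Chart.yaml` hunks later in this series carry only `kubeVersion: ">=1.16.0-0"`. On a cluster running an older Flux the objects are rejected at apply time with an unknown-version error, so the minimum Flux version should be stated where operators look, e.g. an annotation beside `kubeVersion` or a sentence in the chart `description`, plus the chart README; the same applies to the matching hunks in `charts/weave-policy-agent/templates/policy-library.yaml`. The third hunk also shows a `Kustomization` with `prune: true` and no `serviceAccountName` in view; if the full template sets none, reconciliation runs under the kustomize-controller's own identity (cluster-admin in a default install), which is worth confirming against the rest of the template since the enclosing body lies outside the hunk. Dropping `validation: client` is right for `v1`, where the field no longer exists.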
+++ b/charts/weave-policy-agent/templates/policy-library.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.policySource.enabled }}
 {{- if not .Values.policySource.sourceRef }}
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
 name: policy-library
@@ -23,7 +23,7 @@ spec:
 {{- end }}
 {{- end }}
 ---
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
 name: policy-library
@@ -41,5 +41,4 @@ spec:
 {{- end }}
 path: {{ .Values.policySource.path }}
 prune: true
- validation: client
 {{- end }}
diff --git a/charts/weave-policy-agent/values.yaml b/charts/weave-policy-agent/values.yaml
index 8e9210b1..1c939a25 100644
--- a/charts/weave-policy-agent/values.yaml
+++ b/charts/weave-policy-agent/values.yaml
@@ -36,12 +36,12 @@ policy-agent:
 policySource:
- enabled: false
- # url: ssh://git@github.com/weaveworks/policy-library
- # tag: v1.0.0
+ enabled: true
+ url: ssh://git@github.com/weaveworks/policy-library
+ tag: v1.0.0
 # branch:
- # path: ./ # Could be a path to the policies dir or a kustomization.yaml file
- # secretRef: policy-library-auth # (Optional): Name of the K8s secret with private repo auth credentials
+ path: ./ # Could be a path to the policies dir or a kustomization.yaml file
+ secretRef: policy-library-auth # (Optional): Name of the K8s secret with private repo auth credentials
 # sourceRef: # Could specify a name for an existing GitSource reference instead of creating a new one
 # kind: GitRepository
 # name: policy-library
From fe35fc18c6065ee40d5005e162b33cee5403bc99 Mon Sep 17 00:00:00 2001
From: serboctor
Date: Sun, 30 Apr 2023 15:26:35 +0300
Subject: [PATCH 2/9] Undo wrong commit
---
 charts/weave-policy-agent/values.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/charts/weave-policy-agent/values.yaml b/charts/weave-policy-agent/values.yaml
index 1c939a25..8e9210b1 100644
--- a/charts/weave-policy-agent/values.yaml
+++ b/charts/weave-policy-agent/values.yaml
@@ -36,12 +36,12 @@ policy-agent:
 policySource:
- enabled: true
- url: ssh://git@github.com/weaveworks/policy-library
- tag: v1.0.0
+ enabled: false
+ # url: ssh://git@github.com/weaveworks/policy-library
+ # tag: v1.0.0
 # branch:
- path: ./ # Could be a path to the policies dir or a kustomization.yaml file
- secretRef: policy-library-auth # (Optional): Name of the K8s secret with private repo auth credentials
+ # path: ./ # Could be a path to the policies dir or a kustomization.yaml file
+ # secretRef: policy-library-auth # (Optional): Name of the K8s secret with private repo auth credentials
 # sourceRef: # Could specify a name for an existing GitSource reference instead of creating a new one
 # kind: GitRepository
 # name: policy-library
From 92481e6bd1184045c1d4d8b177547b5108504884 Mon Sep 17 00:00:00 2001
From: serboctor
Date: Sun, 14 May 2023 18:30:27 +0300
Subject: [PATCH 3/9] Upgrade agent and chart version
---
 charts/weave-policy-agent/Chart.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/weave-policy-agent/Chart.yaml b/charts/weave-policy-agent/Chart.yaml
index 650bdbbc..c2a3e69c 100644
--- a/charts/weave-policy-agent/Chart.yaml
+++ b/charts/weave-policy-agent/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
 description: A Weaveworks Helm chart for Kubernetes to configure the policy agent
 name: weave-policy-agent
-appVersion: "2.3.0"
-version: 0.6.7
+appVersion: "2.4.0"
+version: 0.6.8
 kubeVersion: ">=1.16.0-0"
 icon: https://www.magalix.com/hubfs/Imported%20images/logo-02.png%3Fwidth=560%26name=logo-02-Dec-18-2020-11-24-41-75-AM.png
 type: application
@@ -28,5 +28,5 @@ annotations:
 dependencies:
 - name: policy-agent
- version: "2.3.0"
+ version: "2.4.0"
 repository: "https://weaveworks.github.io/policy-agent"
From a061fd8a16f111e2e6b3d2071ffcff609af2b212 Mon Sep 17 00:00:00 2001
From: serboctor
Date: Sun, 14 May 2023 19:41:46 +0300
Subject: [PATCH 4/9] Upgrade external secrets chart version
---
 charts/external-secrets/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/external-secrets/Chart.yaml b/charts/external-secrets/Chart.yaml
index 04aac2e6..f55f6aaa 100644
--- a/charts/external-secrets/Chart.yaml
+++ b/charts/external-secrets/Chart.yaml
@@ -3,7 +3,7 @@ name: external-secrets
 icon: https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-round-logo.svg
 description: A Weaveworks Helm chart for the External Secrets Operator
 type: application
-version: 0.6.1
+version: 0.6.2
 dependencies:
 - name: external-secrets
 version: "0.6.1"
From 2795f7b6ab145fca76df5e2d5dfe61637c2deda8 Mon Sep 17 00:00:00 2001
From: serboctor
Date: Wed, 31 May 2023 13:39:04 +0300
Subject: [PATCH 5/9] Update chart.lock
---
 charts/weave-policy-agent/Chart.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/weave-policy-agent/Chart.lock b/charts/weave-policy-agent/Chart.lock
index 716d187c..4a7ea29d 100644
--- a/charts/weave-policy-agent/Chart.lock
+++ b/charts/weave-policy-agent/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: policy-agent
 repository: https://weaveworks.github.io/policy-agent
- version: 2.3.0
-digest: sha256:cd5b8802d4cd48cc47c6436a3248f912cabc9a79bf777c19400199000da16380
-generated: "2023-02-19T16:42:00.796036351+02:00"
+ version: 2.4.0
+digest: sha256:63bbeef8a270e044ed55e6a4655cfffbfa926f7ceb1875f8e4a0fec5a37930ab
+generated: "2023-05-31T13:38:48.782795865+03:00"
From dc99d5e8219b21f82cf6327a8c0f04b6e1909519 Mon Sep 17 00:00:00 2001
From: serboctor
Date: Tue, 6 Jun 2023 16:05:39 +0300
Subject: [PATCH 6/9] Increment major version to indicate breaking changes in agent and external secrets
---
 charts/external-secrets/Chart.yaml | 2 +-
 charts/weave-policy-agent/Chart.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/external-secrets/Chart.yaml b/charts/external-secrets/Chart.yaml
index f55f6aaa..1b76cbe0 100644
--- a/charts/external-secrets/Chart.yaml
+++ b/charts/external-secrets/Chart.yaml
@@ -3,7 +3,7 @@ name: external-secrets
 icon: https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-round-logo.svg
 description: A Weaveworks Helm chart for the External Secrets Operator
 type: application
-version: 0.6.2
+version: 1.0.0
 dependencies:
 - name: external-secrets
 version: "0.6.1"
diff --git a/charts/weave-policy-agent/Chart.yaml b/charts/weave-policy-agent/Chart.yaml
index c2a3e69c..a662f003 100644
--- a/charts/weave-policy-agent/Chart.yaml
+++ b/charts/weave-policy-agent/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 description: A Weaveworks Helm chart for Kubernetes to configure the policy agent
 name: weave-policy-agent
 appVersion: "2.4.0"
-version: 0.6.8
+version: 1.0.0
 kubeVersion: ">=1.16.0-0"
 icon: https://www.magalix.com/hubfs/Imported%20images/logo-02.png%3Fwidth=560%26name=logo-02-Dec-18-2020-11-24-41-75-AM.png
 type: application
From 02677a68ade52d248c0af7f90bca8aa1fce1357c Mon Sep 17 00:00:00 2001
From: serboctor
Date: Tue, 6 Jun 2023 16:31:33 +0300
Subject: [PATCH 7/9] Enable testing on kind for agent helm chart
---
 charts/weave-policy-agent/Chart.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/charts/weave-policy-agent/Chart.yaml b/charts/weave-policy-agent/Chart.yaml
index a662f003..a8d9bb16 100644
--- a/charts/weave-policy-agent/Chart.yaml
+++ b/charts/weave-policy-agent/Chart.yaml
@@ -19,6 +19,8 @@ maintainers:
 annotations:
 "weave.works/profile": weave-policy
+ "weave.works/profile-ci": |
+ - "kind"
 "weave.works/layer": layer-1
 "weave.works/category": Policy
 "weave.works/operator": "true"
From e12c54b23e4a131dc022eead97dc6e41c5e4d380 Mon Sep 17 00:00:00 2001
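Review bot: The new `"weave.works/profile-ci"` annotation in the PATCH 7/9 hunk is a `|` literal block, so the annotation string ends with a newline after `- "kind"`; if the consumer splits or compares that value rather than parsing it as YAML, the newline is part of the data, and `|-` would yield the same one-item list without it. Nothing on the page says which tool reads `weave.works/profile-ci` or which values besides `kind` it accepts, so a comment above the key naming the consumer and the expected shape (presumably a YAML list of cluster-provider names — to be confirmed) would help the next maintainer. The surrounding `annotations:` map continues outside the hunk.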
From: Waleed Hammam
Date: Sun, 18 Jun 2023 17:34:01 +0300
Subject: [PATCH 8/9] bump policy-agent version to v2.5.0
---
 charts/weave-policy-agent/Chart.lock | 6 +++---
 charts/weave-policy-agent/Chart.yaml | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/charts/weave-policy-agent/Chart.lock b/charts/weave-policy-agent/Chart.lock
index 4a7ea29d..91571480 100644
--- a/charts/weave-policy-agent/Chart.lock
+++ b/charts/weave-policy-agent/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: policy-agent
 repository: https://weaveworks.github.io/policy-agent
- version: 2.4.0
-digest: sha256:63bbeef8a270e044ed55e6a4655cfffbfa926f7ceb1875f8e4a0fec5a37930ab
-generated: "2023-05-31T13:38:48.782795865+03:00"
+ version: 2.5.0
+digest: sha256:2c8e91250a08f5d899643aeead53548322fba11b526628a581d95c322e7fb2c7
+generated: "2023-06-18T17:33:42.300971762+03:00"
diff --git a/charts/weave-policy-agent/Chart.yaml b/charts/weave-policy-agent/Chart.yaml
index a8d9bb16..b668c4b2 100644
--- a/charts/weave-policy-agent/Chart.yaml
+++ b/charts/weave-policy-agent/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: A Weaveworks Helm chart for Kubernetes to configure the policy agent
 name: weave-policy-agent
-appVersion: "2.4.0"
+appVersion: "2.5.0"
 version: 1.0.0
 kubeVersion: ">=1.16.0-0"
 icon: https://www.magalix.com/hubfs/Imported%20images/logo-02.png%3Fwidth=560%26name=logo-02-Dec-18-2020-11-24-41-75-AM.png
@@ -30,5 +30,5 @@ annotations:
 dependencies:
 - name: policy-agent
- version: "2.4.0"
+ version: "2.5.0"
 repository: "https://weaveworks.github.io/policy-agent"
From 86059112fa910454c3695d0abb0ef410f7af5732 Mon Sep 17 00:00:00 2001
From: serboctor
Date: Mon, 26 Jun 2023 14:48:08 +0300
Subject: [PATCH 9/9] Regernate chart.lock
---
 charts/weave-policy-agent/Chart.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/weave-policy-agent/Chart.lock b/charts/weave-policy-agent/Chart.lock
index 91571480..e5779eac 100644
--- a/charts/weave-policy-agent/Chart.lock
+++ b/charts/weave-policy-agent/Chart.lock
@@ -3,4 +3,4 @@ dependencies:
 repository: https://weaveworks.github.io/policy-agent
 version: 2.5.0
 digest: sha256:2c8e91250a08f5d899643aeead53548322fba11b526628a581d95c322e7fb2c7
-generated: "2023-06-18T17:33:42.300971762+03:00"
+generated: "2023-06-26T14:47:54.260827988+03:00"