Merge branch 'main' into renovate/kyak-democratic-csi-0.x

coolguy1771 · Dec 23, 2023 · 5e42c72 · 5e42c72
2 parents 3585874 + 055e5f6
commit 5e42c72
Show file tree

Hide file tree

Showing 58 changed files with 162 additions and 205 deletions.
diff --git a/.github/scripts/extract-images.mjs b/.github/scripts/extract-images.mjs
@@ -0,0 +1,96 @@
+#!/usr/bin/env zx
+$.verbose = false
+
+/**
+ * * extract-images.mjs
+ * * Extracts all container images from a HelmRelease and renders them as a JSON object
+ * @param --helmrelease    : The source Flux HelmRelease to compare against the target
+ * @param --kubernetes-dir : The directory containing your Flux manifests including the HelmRepository manifests
+ */
+const HelmRelease   = argv['helmrelease']
+const KubernetesDir = argv['kubernetes-dir']
+
+const helm      = await which('helm')
+const kustomize = await which('kustomize')
+
+function extractImageValues(data) {
+  const imageValues = [];
+  function extractValues(obj) {
+    for (const key in obj) {
+      if (typeof obj[key] === 'object') {
+        extractValues(obj[key]);
+      } else if (key === 'image') {
+        imageValues.push(obj[key]);
+      }
+    }
+  }
+  extractValues(data);
+  return imageValues;
+}
+
+async function parseHelmRelease(releaseFile) {
+  const helmRelease = await fs.readFile(releaseFile, 'utf8')
+  const doc = YAML.parseAllDocuments(helmRelease).map((item) => item.toJS())
+  const release = doc.filter((item) =>
+    item.apiVersion === 'helm.toolkit.fluxcd.io/v2beta2'
+      && item.kind === 'HelmRelease'
+  )
+  return release[0]
+}
+
+async function parseHelmRepository(kubernetesDir, releaseName) {
+  const files = await globby([`${kubernetesDir}/**/*.yaml`])
+  for await (const file of files) {
+    const contents = await fs.readFile(file, 'utf8')
+    const repository = YAML.parseAllDocuments(contents).map((item) => item.toJS())
+    if (repository[0] && 'apiVersion' in repository[0] && repository[0].apiVersion === 'source.toolkit.fluxcd.io/v1beta2'
+        && 'kind' in repository[0] && repository[0].kind === 'HelmRepository'
+        && 'metadata' in repository[0] && 'name' in repository[0].metadata && repository[0].metadata.name === releaseName)
+    {
+      return repository[0]
+    }
+  }
+}
+
+async function renderKustomize(releaseBaseDir, releaseName) {
+  const build = await $`${kustomize} build --load-restrictor=LoadRestrictionsNone ${releaseBaseDir}`
+  const docs = YAML.parseAllDocuments(build.stdout).map((item) => item.toJS())
+  const release = docs.filter((item) =>
+    item.apiVersion === 'helm.toolkit.fluxcd.io/v2beta2'
+      && item.kind === 'HelmRelease'
+        && item.metadata.name === releaseName
+  )
+  return release[0]
+}
+
+async function helmTemplate(release, repository) {
+  const values = new YAML.Document()
+  values.contents = release.spec.values
+  const valuesFile = await $`mktemp`
+  await fs.writeFile(valuesFile.stdout.trim(), values.toString())
+
+  // Template out helm values into Kubernetes manifests
+  let manifests
+  if ('type' in repository.spec && repository.spec.type == 'oci') {
+    manifests = await $`${helm} template --kube-version 1.28.0 --release-name ${release.metadata.name} --include-crds=false --skip-tests ${repository.spec.url}/${release.spec.chart.spec.chart} --version ${release.spec.chart.spec.version} --values ${valuesFile.stdout.trim()}`
+  } else {
+    await $`${helm} repo add ${release.spec.chart.spec.sourceRef.name} ${repository.spec.url}`
+    manifests = await $`${helm} template --kube-version 1.28.0 --release-name ${release.metadata.name} --include-crds=false --skip-tests ${release.spec.chart.spec.sourceRef.name}/${release.spec.chart.spec.chart} --version ${release.spec.chart.spec.version} --values ${valuesFile.stdout.trim()}`
+  }
+
+  let documents = YAML.parseAllDocuments(manifests.stdout.trim()).map((item) => item.toJS())
+
+  const images = [];
+  documents.forEach((doc) => {
+    const docImageValues = extractImageValues(doc);
+    images.push(...docImageValues);
+  });
+  return images;
+}
+
+const helmRelease    = await parseHelmRelease(HelmRelease)
+const kustomizeBuild = await renderKustomize(path.dirname(HelmRelease), helmRelease.metadata.name)
+const helmRepository = await parseHelmRepository(KubernetesDir, kustomizeBuild.spec.chart.spec.sourceRef.name)
+const images         = await helmTemplate(kustomizeBuild, helmRepository)
+
+echo(JSON.stringify(images))
diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml
@@ -33,7 +33,7 @@ jobs:
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@v40
+        uses: tj-actions/changed-files@v41
         with:
           files: kubernetes/**
           dir_names: true
@@ -83,7 +83,7 @@ jobs:
           path: pull
 
       - name: Diff Resources
-        uses: docker://ghcr.io/allenporter/flux-local:v4.2.0
+        uses: docker://ghcr.io/allenporter/flux-local:main
         with:
           args: >-
             --log-level DEBUG

diff --git a/.github/workflows/flux-hr-image-test.yaml b/.github/workflows/flux-hr-image-test.yaml
@@ -36,7 +36,7 @@ jobs:
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@v40
+        uses: tj-actions/changed-files@v41
         with:
           files: kubernetes/**/helmrelease.yaml
           json: true

diff --git a/.github/workflows/flux-hr-sync.yaml b/.github/workflows/flux-hr-sync.yaml
@@ -62,7 +62,7 @@ jobs:
       - if: ${{ github.event.inputs.clusterName == '' && github.event.inputs.helmRepoNamespace == '' && github.event.inputs.helmRepoName == '' }}
         name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@v40
+        uses: tj-actions/changed-files@v41
         with:
           files: kubernetes/**/helmrelease.yaml
 

diff --git a/.github/workflows/resources/nix/flake.nix b/.github/workflows/resources/nix/flake.nix
diff --git a/kubernetes/kyak/apps/external-secrets-system/external-secrets/app/helmrelease.yaml b/kubernetes/kyak/apps/external-secrets-system/external-secrets/app/helmrelease.yaml
@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
 apiVersion: helm.toolkit.fluxcd.io/v2beta2
 kind: HelmRelease
 metadata:

diff --git a/...ak/apps/external-secrets-system/external-secrets/app/onepassword-connect.secret.sops.yaml b/...ak/apps/external-secrets-system/external-secrets/app/onepassword-connect.secret.sops.yaml
@@ -21,8 +21,8 @@ sops:
             R0dyYWZkUDBnWnFvL3Jnc0pHc1hQRzAKWK87utiEoGUpygwAUZeHPJEl/kClJMef
             6QLVKHpVfCU60HHXn0QP+dSDvZirPg5LH4Kzr/mBrXRKDoaqXF9/6g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-12-17T16:19:28Z"
-    mac: ENC[AES256_GCM,data:JSVzvbpuLAZax8YW/u0Zg67YPAtuAYEOeytgl2KKB4SySzZqQ9Pu8Ck5MW8y7SZjHhOE5gWfa0u+VtsvmUzE+RkMVXzAu+sAa0Jaqw9FLTozAYGScwjapOMfVc/z7sBk1Q3Af4NDrmAvivltHRNxv026KkW3FwEuwuPzmnfAeXE=,iv:KJNQhMNKTyaJVihZ1NYIkK97QwwEk835hvVsQOYdTls=,tag:s1BIlFAWjfgI2UVkDC1FEw==,type:str]
+    lastmodified: "2023-12-23T01:40:07Z"
+    mac: ENC[AES256_GCM,data:1PA1ZWHZs0KePkUvFsFUOLvI83MXEGVTmHgyTpc/iYKNNyCOpd5Ht0EaP6yV8saaJJ+Y3lNhIieXcwLS97avArWoO5MwarDNiO2g7NAVbGWp0eQhA2M/XhQqSGW/9dfk3oRin6Ac7nD7GvVzixBQ/FV+rwkosKUX7rKU8YfVAdo=,iv:19VHCxJDa2Q0ctF725bsoLk3MjNoLKg9EBWU2+t8UIg=,tag:SylQ3Oz3EbH+qBBAxDAwFg==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData)$
     version: 3.8.1
diff --git a/kubernetes/kyak/apps/external-secrets-system/external-secrets/ks.yaml b/kubernetes/kyak/apps/external-secrets-system/external-secrets/ks.yaml
@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev//kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
@@ -20,7 +20,7 @@ spec:
   retryInterval: 1m
   timeout: 5m
 ---
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev//kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:

diff --git a/.../apps/external-secrets-system/external-secrets/stores/onepassword/clustersecretstore.yaml b/.../apps/external-secrets-system/external-secrets/stores/onepassword/clustersecretstore.yaml
@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/clustersecretstore_v1beta1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev//external-secrets.io/clustersecretstore_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ClusterSecretStore
 metadata:
@@ -16,4 +16,4 @@ spec:
           connectTokenSecretRef:
             name: onepassword-connect-secret
             key: token
-            namespace: external-secrets
+            namespace: external-secrets-system
diff --git a/...es/kyak/apps/external-secrets-system/external-secrets/stores/onepassword/helmrelease.yaml b/...es/kyak/apps/external-secrets-system/external-secrets/stores/onepassword/helmrelease.yaml
@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev//helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
 apiVersion: helm.toolkit.fluxcd.io/v2beta2
 kind: HelmRelease
 metadata:

diff --git a/kubernetes/kyak/apps/flux-system/addons/app/monitoring/podmonitor.yaml b/kubernetes/kyak/apps/flux-system/addons/app/monitoring/podmonitor.yaml
@@ -1,10 +1,9 @@
 ---
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/monitoring.coreos.com/podmonitor_v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev//monitoring.coreos.com/podmonitor_v1.json
 apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
 metadata:
   name: flux-system
-  namespace: flux-system
   labels:
     app.kubernetes.io/part-of: flux
     app.kubernetes.io/component: monitoring

diff --git a/kubernetes/kyak/apps/flux-system/addons/app/monitoring/prometheusrule.yaml b/kubernetes/kyak/apps/flux-system/addons/app/monitoring/prometheusrule.yaml
@@ -1,10 +1,9 @@
 ---
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/monitoring.coreos.com/prometheusrule_v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev//monitoring.coreos.com/prometheusrule_v1.json
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
   name: flux-rules
-  namespace: flux-system
 spec:
   groups:
     - name: flux.rules

diff --git a/kubernetes/kyak/apps/flux-system/addons/app/notifications/alert-manager/notification.yaml b/kubernetes/kyak/apps/flux-system/addons/app/notifications/alert-manager/notification.yaml
@@ -1,20 +1,18 @@
 ---
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/notification.toolkit.fluxcd.io/provider_v1beta3.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev//notification.toolkit.fluxcd.io/provider_v1beta3.json
 apiVersion: notification.toolkit.fluxcd.io/v1beta3
 kind: Provider
 metadata:
   name: alert-manager
-  namespace: flux-system
 spec:
   type: alertmanager
   address: http://alertmanager-operated.monitoring.svc.cluster.local:9093/api/v2/alerts/
 ---
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/notification.toolkit.fluxcd.io/alert_v1beta3.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev//notification.toolkit.fluxcd.io/alert_v1beta3.json
 apiVersion: notification.toolkit.fluxcd.io/v1beta3
 kind: Alert
 metadata:
   name: alert-manager
-  namespace: flux-system
 spec:
   providerRef:
     name: alert-manager
@@ -30,8 +28,6 @@ spec:
       name: "*"
     - kind: OCIRepository
       name: "*"
-    - kind: Terraform
-      name: "*"
   exclusionList:
     - "error.*lookup github\\.com"
     - "error.*lookup raw\\.githubusercontent\\.com"

diff --git a/kubernetes/kyak/apps/flux-system/addons/app/notifications/github/externalsecret.yaml b/kubernetes/kyak/apps/flux-system/addons/app/notifications/github/externalsecret.yaml
@@ -1,10 +1,9 @@
 ---
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev//external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
   name: github-token
-  namespace: flux-system
 spec:
   secretStoreRef:
     kind: ClusterSecretStore

diff --git a/kubernetes/kyak/apps/flux-system/addons/app/notifications/github/notification.yaml b/kubernetes/kyak/apps/flux-system/addons/app/notifications/github/notification.yaml
@@ -1,22 +1,20 @@
 ---
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/notification.toolkit.fluxcd.io/provider_v1beta3.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev//notification.toolkit.fluxcd.io/provider_v1beta3.json
 apiVersion: notification.toolkit.fluxcd.io/v1beta3
 kind: Provider
 metadata:
   name: github
-  namespace: flux-system
 spec:
   type: github
   address: https://github.com/coolguy1771/home-ops
   secretRef:
     name: github-token-secret
 ---
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/notification.toolkit.fluxcd.io/alert_v1beta3.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev//notification.toolkit.fluxcd.io/alert_v1beta3.json
 apiVersion: notification.toolkit.fluxcd.io/v1beta3
 kind: Alert
 metadata:
   name: github
-  namespace: flux-system
 spec:
   providerRef:
     name: github

diff --git a/kubernetes/kyak/apps/flux-system/addons/app/webhooks/github/externalsecret.yaml b/kubernetes/kyak/apps/flux-system/addons/app/webhooks/github/externalsecret.yaml
@@ -1,10 +1,9 @@
 ---
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev//external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
   name: github-webhook-token
-  namespace: flux-system
 spec:
   secretStoreRef:
     kind: ClusterSecretStore

diff --git a/kubernetes/kyak/apps/flux-system/addons/app/webhooks/github/ingress.yaml b/kubernetes/kyak/apps/flux-system/addons/app/webhooks/github/ingress.yaml
@@ -3,7 +3,6 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: webhook-receiver
-  namespace: flux-system
   annotations:
     external-dns.alpha.kubernetes.io/target: external.${SECRET_PUBLIC_DOMAIN}
     cert-manager.io/cluster-issuer: "letsencrypt-production"

diff --git a/kubernetes/kyak/apps/flux-system/addons/app/webhooks/github/receiver.yaml b/kubernetes/kyak/apps/flux-system/addons/app/webhooks/github/receiver.yaml
@@ -1,10 +1,9 @@
 ---
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/notification.toolkit.fluxcd.io/receiver_v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev//notification.toolkit.fluxcd.io/receiver_v1.json
 apiVersion: notification.toolkit.fluxcd.io/v1
 kind: Receiver
 metadata:
   name: home-ops
-  namespace: flux-system
 spec:
   type: github
   events:

diff --git a/kubernetes/kyak/apps/flux-system/addons/ks.yaml b/kubernetes/kyak/apps/flux-system/addons/ks.yaml
@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev//kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:

diff --git a/kubernetes/kyak/apps/gpu-system/intel-device-plugin/app/helmrelease.yaml b/kubernetes/kyak/apps/gpu-system/intel-device-plugin/app/helmrelease.yaml
@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev//helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
 apiVersion: helm.toolkit.fluxcd.io/v2beta2
 kind: HelmRelease
 metadata:
@@ -28,4 +28,4 @@ spec:
     keepHistory: false
   dependsOn:
     - name: node-feature-discovery
-      namespace: kube-system
+      namespace: tools
diff --git a/kubernetes/kyak/apps/gpu-system/intel-device-plugin/gpu/helmrelease.yaml b/kubernetes/kyak/apps/gpu-system/intel-device-plugin/gpu/helmrelease.yaml
@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev//helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
 apiVersion: helm.toolkit.fluxcd.io/v2beta2
 kind: HelmRelease
 metadata:

diff --git a/kubernetes/kyak/apps/gpu-system/intel-device-plugin/ks.yaml b/kubernetes/kyak/apps/gpu-system/intel-device-plugin/ks.yaml
@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev//kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
@@ -20,7 +20,7 @@ spec:
   retryInterval: 1m
   timeout: 5m
 ---
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev//kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:

diff --git a/kubernetes/kyak/apps/media/autobrr/app/externalsecret.yaml b/kubernetes/kyak/apps/media/autobrr/app/externalsecret.yaml
@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev//external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:

diff --git a/kubernetes/kyak/apps/media/autobrr/app/helmrelease.yaml b/kubernetes/kyak/apps/media/autobrr/app/helmrelease.yaml
@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev//helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
 apiVersion: helm.toolkit.fluxcd.io/v2beta2
 kind: HelmRelease
 metadata: