weaveworks / flux2-openshift
OperatorHub submission repo for Flux2
License: Apache License 2.0
Tasks:
Following the OperatorHub instructions literally results in the flux operator going in the operators namespace
https://operatorhub.io/operator/flux
The ClusterRoleBindings have hardcoded references to flux-system for the service accounts that should be used as the default SA for Flux reconcilers. The result is some ineffective ClusterRoleBindings that do not grant any permission to any extant service accounts.
I mentioned this in:
but wanted to open a separate issue to track it here, since it is definitely not a flux CLI problem.
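An added example (not code from this repository) of auditing for the condition reported above: it lists ClusterRoleBinding subjects of kind ServiceAccount that do not match any existing service account. The JSON samples are constructed; the binding name comes from the bundle log further down this page, while the subjects and roles are assumptions.

```python
import json

# Constructed sample, shaped like `kubectl get clusterrolebindings -o json`.
# Subjects and roleRefs are assumed for illustration.
CRBS_JSON = """
{"items": [
  {"metadata": {"name": "cluster-reconciler-flux-system"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [
     {"kind": "ServiceAccount", "name": "kustomize-controller", "namespace": "flux-system"},
     {"kind": "ServiceAccount", "name": "helm-controller", "namespace": "flux-system"}]},
  {"metadata": {"name": "example-viewer"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [
     {"kind": "ServiceAccount", "name": "kustomize-controller", "namespace": "operators"},
     {"kind": "Group", "name": "system:authenticated"}]},
  {"metadata": {"name": "example-no-subjects"},
   "roleRef": {"kind": "ClusterRole", "name": "view"}}
]}
"""

# Constructed sample, shaped like `kubectl get serviceaccounts -A -o json`:
# the operator landed in `operators`, so flux-system holds no accounts.
SAS_JSON = """
{"items": [
  {"metadata": {"name": "kustomize-controller", "namespace": "operators"}},
  {"metadata": {"name": "helm-controller", "namespace": "operators"}}
]}
"""

def dangling_subjects(crbs, sas):
    """Return (binding, role, namespace/name) for each subject with no matching SA."""
    existing = {(sa["metadata"]["namespace"], sa["metadata"]["name"])
                for sa in sas["items"]}
    findings = []
    for crb in crbs["items"]:
        for subj in crb.get("subjects") or []:  # a binding may carry no subjects
            if subj.get("kind") != "ServiceAccount":
                continue  # users and groups are not namespaced objects
            key = (subj.get("namespace", ""), subj["name"])
            if key not in existing:
                findings.append((crb["metadata"]["name"],
                                 crb["roleRef"]["name"], "/".join(key)))
    return findings

if __name__ == "__main__":
    for binding, role, sa in dangling_subjects(json.loads(CRBS_JSON), json.loads(SAS_JSON)):
        print(f"{binding}: {role} bound to missing ServiceAccount {sa}")
```

A dangling subject grants nothing today, but the binding takes effect as soon as a service account with that namespace and name exists, so it is worth flagging rather than ignoring.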
Enable multi-tenancy lockdown as described in the doc.
Trying to build a new Operator with the latest version, 0.34.0, I get the following error:
make release
./release.sh
Flux version: 0.34.0
Generating the manifests using the built CLI ...
Exporting gotk-components.yaml ...
make: *** [Makefile:2: release] Error 1
I also tried version 0.33.0 with no success. I went back to version 0.32 and this worked fine.
Looks like there were some changes after version 0.32.0 that are causing this issue.
Comparing the result of kubectl describe ns flux-system after flux bootstrap on a Kind cluster:
app.kubernetes.io/instance=flux-system
app.kubernetes.io/part-of=flux
app.kubernetes.io/version=v0.31.2
kubernetes.io/metadata.name=flux-system
kustomize.toolkit.fluxcd.io/name=flux-system
kustomize.toolkit.fluxcd.io/namespace=flux-system
pod-security.kubernetes.io/warn=restricted
pod-security.kubernetes.io/warn-version=latest
and install via the operator:
kubernetes.io/metadata.name=flux-system
This results in the Flux Runtime view in Weave GitOps failing to display any controllers, which can be resolved by manually adding the part-of label, i.e. kubectl label ns flux-system app.kubernetes.io/part-of='flux'
A few days ago, Flux started trying to update itself from 0.36 to 0.37. It then began failing. The 0.37 version is stuck in a Pending state due to a RequirementsNotMet: one or more requirements couldn't be found error. 0.36 was in a Failing state.
OLM Logs:
I1128 02:12:22.717658 1 event.go:282] Event(v1.ObjectReference{Kind:"Namespace", Namespace:"", Name:"flux-system", UID:"203c94e7-1df1-4a48-a2e2-d882dd13c68d", APIVersion:"v1", ResourceVersion:"539695358", FieldPath:""}): type: 'Warning' reason: 'ResolutionFailed' constraints not satisfiable: clusterserviceversion flux.v0.36.0 exists and is not referenced by a subscription, subscription flux exists, subscription flux requires @existing/flux-system//flux.v0.37.0, @existing/flux-system//flux.v0.37.0 and @existing/flux-system//flux.v0.36.0 provide HelmRelease (helm.toolkit.fluxcd.io/v2beta1)
time="2022-11-28T02:12:23Z" level=info msg=syncing event=update reconciling="*v1alpha1.Subscription" selflink=
I1128 02:12:23.716878 1 event.go:282] Event(v1.ObjectReference{Kind:"Namespace", Namespace:"", Name:"flux-system", UID:"203c94e7-1df1-4a48-a2e2-d882dd13c68d", APIVersion:"v1", ResourceVersion:"539695358", FieldPath:""}): type: 'Warning' reason: 'ResolutionFailed' constraints not satisfiable: @existing/flux-system//flux.v0.37.0 and @existing/flux-system//flux.v0.36.0 originate from package flux, clusterserviceversion flux.v0.36.0 exists and is not referenced by a subscription, subscription flux exists, subscription flux requires @existing/flux-system//flux.v0.37.0
time="2022-11-28T02:12:24Z" level=info msg=syncing event=update reconciling="*v1alpha1.Subscription" selflink=
I1128 02:12:24.717529 1 event.go:282] Event(v1.ObjectReference{Kind:"Namespace", Namespace:"", Name:"flux-system", UID:"203c94e7-1df1-4a48-a2e2-d882dd13c68d", APIVersion:"v1", ResourceVersion:"539695358", FieldPath:""}): type: 'Warning' reason: 'ResolutionFailed' constraints not satisfiable: subscription flux requires @existing/flux-system//flux.v0.37.0, @existing/flux-system//flux.v0.37.0 and @existing/flux-system//flux.v0.36.0 provide Kustomization (kustomize.toolkit.fluxcd.io/v1beta2), clusterserviceversion flux.v0.36.0 exists and is not referenced by a subscription, subscription flux exists
time="2022-11-28T02:12:25Z" level=info msg=syncing event=update reconciling="*v1alpha1.Subscription" selflink=
I1128 02:12:25.716471 1 event.go:282] Event(v1.ObjectReference{Kind:"Namespace", Namespace:"", Name:"flux-system", UID:"203c94e7-1df1-4a48-a2e2-d882dd13c68d", APIVersion:"v1", ResourceVersion:"539695358", FieldPath:""}): type: 'Warning' reason: 'ResolutionFailed' constraints not satisfiable: subscription flux exists, clusterserviceversion flux.v0.36.0 exists and is not referenced by a subscription, @existing/flux-system//flux.v0.37.0 and @existing/flux-system//flux.v0.36.0 provide Bucket (source.toolkit.fluxcd.io/v1beta1), subscription flux requires @existing/flux-system//flux.v0.37.0
time="2022-11-28T02:12:26Z" level=info msg=syncing event=update reconciling="*v1alpha1.Subscription" selflink=
I1128 02:12:26.717348 1 event.go:282] Event(v1.ObjectReference{Kind:"Namespace", Namespace:"", Name:"flux-system", UID:"203c94e7-1df1-4a48-a2e2-d882dd13c68d", APIVersion:"v1", ResourceVersion:"539695358", FieldPath:""}): type: 'Warning' reason: 'ResolutionFailed' constraints not satisfiable: @existing/flux-system//flux.v0.37.0 and @existing/flux-system//flux.v0.36.0 provide ImagePolicy (image.toolkit.fluxcd.io/v1beta1), clusterserviceversion flux.v0.36.0 exists and is not referenced by a subscription, subscription flux exists, subscription flux requires @existing/flux-system//flux.v0.37.0
time="2022-11-28T02:12:27Z" level=info msg=syncing event=update reconciling="*v1alpha1.Subscription" selflink=
I1128 02:12:27.718395 1 event.go:282] Event(v1.ObjectReference{Kind:"Namespace", Namespace:"", Name:"flux-system", UID:"203c94e7-1df1-4a48-a2e2-d882dd13c68d", APIVersion:"v1", ResourceVersion:"539695358", FieldPath:""}): type: 'Warning' reason: 'ResolutionFailed' constraints not satisfiable: subscription flux exists, @existing/flux-system//flux.v0.36.0 and @existing/flux-system//flux.v0.37.0 originate from package flux, clusterserviceversion flux.v0.36.0 exists and is not referenced by a subscription, subscription flux requires @existing/flux-system//flux.v0.37.0
time="2022-11-28T02:12:28Z" level=info msg=syncing event=update reconciling="*v1alpha1.Subscription" selflink=
I1128 02:12:28.718722 1 event.go:282] Event(v1.ObjectReference{Kind:"Namespace", Namespace:"", Name:"flux-system", UID:"203c94e7-1df1-4a48-a2e2-d882dd13c68d", APIVersion:"v1", ResourceVersion:"539695358", FieldPath:""}): type: 'Warning' reason: 'ResolutionFailed' constraints not satisfiable: subscription flux exists, clusterserviceversion flux.v0.36.0 exists and is not referenced by a subscription, @existing/flux-system//flux.v0.36.0 and @existing/flux-system//flux.v0.37.0 provide ImageRepository (image.toolkit.fluxcd.io/v1beta1), subscription flux requires @existing/flux-system//flux.v0.37.0
time="2022-11-28T02:12:29Z" level=info msg=syncing event=update reconciling="*v1alpha1.Subscription" selflink=
I1128 02:12:29.718087 1 event.go:282] Event(v1.ObjectReference{Kind:"Namespace", Namespace:"", Name:"flux-system", UID:"203c94e7-1df1-4a48-a2e2-d882dd13c68d", APIVersion:"v1", ResourceVersion:"539695358", FieldPath:""}): type: 'Warning' reason: 'ResolutionFailed' constraints not satisfiable: subscription flux exists, clusterserviceversion flux.v0.36.0 exists and is not referenced by a subscription, @existing/flux-system//flux.v0.36.0 and @existing/flux-system//flux.v0.37.0 provide Provider (notification.toolkit.fluxcd.io/v1beta1), subscription flux requires @existing/flux-system//flux.v0.37.0
time="2022-11-28T02:12:30Z" level=info msg=syncing event=update reconciling="*v1alpha1.Subscription" selflink=
I1128 02:12:30.717538 1 event.go:282] Event(v1.ObjectReference{Kind:"Namespace", Namespace:"", Name:"flux-system", UID:"203c94e7-1df1-4a48-a2e2-d882dd13c68d", APIVersion:"v1", ResourceVersion:"539695358", FieldPath:""}): type: 'Warning' reason: 'ResolutionFailed' constraints not satisfiable: subscription flux requires @existing/flux-system//flux.v0.37.0, subscription flux exists, @existing/flux-system//flux.v0.37.0 and @existing/flux-system//flux.v0.36.0 provide HelmChart (source.toolkit.fluxcd.io/v1beta2), clusterserviceversion flux.v0.36.0 exists and is not referenced by a subscription
time="2022-11-28T02:12:31Z" level=info msg=syncing event=update reconciling="*v1alpha1.Subscription" selflink=
I1128 02:12:31.717771 1 event.go:282] Event(v1.ObjectReference{Kind:"Namespace", Namespace:"", Name:"flux-system", UID:"203c94e7-1df1-4a48-a2e2-d882dd13c68d", APIVersion:"v1", ResourceVersion:"539695358", FieldPath:""}): type: 'Warning' reason: 'ResolutionFailed' constraints not satisfiable: subscription flux exists, subscription flux requires @existing/flux-system//flux.v0.37.0, clusterserviceversion flux.v0.36.0 exists and is not referenced by a subscription, @existing/flux-system//flux.v0.37.0 and @existing/flux-system//flux.v0.36.0 provide HelmChart (source.toolkit.fluxcd.io/v1beta1)
I attempted to perform the steps in this RedHat article, but they didn't work (Delete the Subscription and CSVs, re-install).
Logs post re-install
time="2022-11-28T02:24:22Z" level=info msg=syncing event=update reconciling="*v1alpha1.Subscription" selflink=
time="2022-11-28T02:24:22Z" level=info msg=syncing id=b/zWa ip=install-k8vlf namespace=flux-system phase=Installing
time="2022-11-28T02:24:23Z" level=info msg="added to bundle, Kind=CustomResourceDefinition" configmap=openshift-marketplace/117acbb8c3636cc0e69f7d4db4f352bb74df05c0154698c1603646f69a7a6d8 key=ocirepository.crd.yaml
time="2022-11-28T02:24:23Z" level=info msg="added to bundle, Kind=Service" configmap=openshift-marketplace/117acbb8c3636cc0e69f7d4db4f352bb74df05c0154698c1603646f69a7a6d8 key=webhook-receiver.service.yaml
time="2022-11-28T02:24:23Z" level=info msg="added to bundle, Kind=ClusterRole" configmap=openshift-marketplace/117acbb8c3636cc0e69f7d4db4f352bb74df05c0154698c1603646f69a7a6d8 key=crd-controller-flux-system.clusterrole.yaml
time="2022-11-28T02:24:23Z" level=info msg="added to bundle, Kind=CustomResourceDefinition" configmap=openshift-marketplace/117acbb8c3636cc0e69f7d4db4f352bb74df05c0154698c1603646f69a7a6d8 key=kustomization.crd.yaml
time="2022-11-28T02:24:23Z" level=info msg="added to bundle, Kind=ClusterRoleBinding" configmap=openshift-marketplace/117acbb8c3636cc0e69f7d4db4f352bb74df05c0154698c1603646f69a7a6d8 key=cluster-reconciler-flux-system.clusterrolebinding.yaml
time="2022-11-28T02:24:23Z" level=info msg="added to bundle, Kind=CustomResourceDefinition" configmap=openshift-marketplace/117acbb8c3636cc0e69f7d4db4f352bb74df05c0154698c1603646f69a7a6d8 key=receiver.crd.yaml
time="2022-11-28T02:24:23Z" level=info msg="added to bundle, Kind=CustomResourceDefinition" configmap=openshift-marketplace/117acbb8c3636cc0e69f7d4db4f352bb74df05c0154698c1603646f69a7a6d8 key=provider.crd.yaml
time="2022-11-28T02:24:23Z" level=info msg="added to bundle, Kind=Service" configmap=openshift-marketplace/117acbb8c3636cc0e69f7d4db4f352bb74df05c0154698c1603646f69a7a6d8 key=source-controller.service.yaml
time="2022-11-28T02:24:23Z" level=info msg="added to bundle, Kind=CustomResourceDefinition" configmap=openshift-marketplace/117acbb8c3636cc0e69f7d4db4f352bb74df05c0154698c1603646f69a7a6d8 key=helmrelease.crd.yaml
time="2022-11-28T02:24:23Z" level=info msg="added to bundle, Kind=CustomResourceDefinition" configmap=openshift-marketplace/117acbb8c3636cc0e69f7d4db4f352bb74df05c0154698c1603646f69a7a6d8 key=imageupdateautomation.crd.yaml
time="2022-11-28T02:24:23Z" level=info msg="added to bundle, Kind=CustomResourceDefinition" configmap=openshift-marketplace/117acbb8c3636cc0e69f7d4db4f352bb74df05c0154698c1603646f69a7a6d8 key=imagepolicy.crd.yaml
time="2022-11-28T02:24:23Z" level=info msg="added to bundle, Kind=CustomResourceDefinition" configmap=openshift-marketplace/117acbb8c3636cc0e69f7d4db4f352bb74df05c0154698c1603646f69a7a6d8 key=gitrepository.crd.yaml
time="2022-11-28T02:24:23Z" level=info msg="added to bundle, Kind=CustomResourceDefinition" configmap=openshift-marketplace/117acbb8c3636cc0e69f7d4db4f352bb74df05c0154698c1603646f69a7a6d8 key=helmrepository.crd.yaml
time="2022-11-28T02:24:23Z" level=info msg="added to bundle, Kind=CustomResourceDefinition" configmap=openshift-marketplace/117acbb8c3636cc0e69f7d4db4f352bb74df05c0154698c1603646f69a7a6d8 key=helmchart.crd.yaml
time="2022-11-28T02:24:23Z" level=info msg="added to bundle, Kind=CustomResourceDefinition" configmap=openshift-marketplace/117acbb8c3636cc0e69f7d4db4f352bb74df05c0154698c1603646f69a7a6d8 key=imagerepository.crd.yaml
time="2022-11-28T02:24:23Z" level=info msg="added to bundle, Kind=CustomResourceDefinition" configmap=openshift-marketplace/117acbb8c3636cc0e69f7d4db4f352bb74df05c0154698c1603646f69a7a6d8 key=bucket.crd.yaml
time="2022-11-28T02:24:23Z" level=info msg="added to bundle, Kind=ClusterServiceVersion" configmap=openshift-marketplace/117acbb8c3636cc0e69f7d4db4f352bb74df05c0154698c1603646f69a7a6d8 key=flux.v0.37.0.clusterserviceversion.yaml
time="2022-11-28T02:24:23Z" level=info msg="added to bundle, Kind=CustomResourceDefinition" configmap=openshift-marketplace/117acbb8c3636cc0e69f7d4db4f352bb74df05c0154698c1603646f69a7a6d8 key=alert.crd.yaml
time="2022-11-28T02:24:23Z" level=info msg="added to bundle, Kind=ClusterRoleBinding" configmap=openshift-marketplace/117acbb8c3636cc0e69f7d4db4f352bb74df05c0154698c1603646f69a7a6d8 key=crd-controller-flux-system.clusterrolebinding.yaml
time="2022-11-28T02:24:23Z" level=info msg="added to bundle, Kind=Service" configmap=openshift-marketplace/117acbb8c3636cc0e69f7d4db4f352bb74df05c0154698c1603646f69a7a6d8 key=notification-controller.service.yaml
time="2022-11-28T02:24:23Z" level=error msg="risk of data loss updating \"imagepolicies.image.toolkit.fluxcd.io\": new CRD removes version v1alpha1 that is listed as a stored version on the existing CRD"
Anyone seen this issue before? I must admit, I'm not all that familiar with how operators work, so any help or advice would be appreciated.
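An added example (not OLM's code and not part of the original post) of the comparison behind the "risk of data loss" error in the log above: an upgrade is refused when the incoming CRD drops a version still listed in the existing CRD's status.storedVersions. The CRD objects are constructed samples and their version lists are assumptions, apart from v1alpha1 being a stored version of imagepolicies.image.toolkit.fluxcd.io as the log states.

```python
# Constructed samples: EXISTING is shaped like CRDs from `kubectl get crd -o json`,
# INCOMING like the CRDs carried in the bundle being installed.
EXISTING = [
    {"metadata": {"name": "imagepolicies.image.toolkit.fluxcd.io"},
     "status": {"storedVersions": ["v1alpha1", "v1beta1"]}},
    {"metadata": {"name": "buckets.source.toolkit.fluxcd.io"},
     "status": {"storedVersions": ["v1beta2"]}},
]
INCOMING = [
    {"metadata": {"name": "imagepolicies.image.toolkit.fluxcd.io"},
     "spec": {"versions": [{"name": "v1beta1", "served": True, "storage": True}]}},
    {"metadata": {"name": "buckets.source.toolkit.fluxcd.io"},
     "spec": {"versions": [{"name": "v1beta1", "served": True, "storage": False},
                           {"name": "v1beta2", "served": True, "storage": True}]}},
    # Not yet on the cluster, so there is nothing stored that could be lost.
    {"metadata": {"name": "ocirepositories.source.toolkit.fluxcd.io"},
     "spec": {"versions": [{"name": "v1beta2", "served": True, "storage": True}]}},
]

def removed_stored_versions(existing, incoming):
    """Map CRD name -> stored versions that the incoming CRD no longer defines."""
    stored = {c["metadata"]["name"]: c.get("status", {}).get("storedVersions", [])
              for c in existing}
    blocked = {}
    for crd in incoming:
        name = crd["metadata"]["name"]
        offered = {v["name"] for v in crd["spec"]["versions"]}
        # Objects may still be persisted at any stored version, so each one
        # must remain defined in the new CRD.
        missing = [v for v in stored.get(name, []) if v not in offered]
        if missing:
            blocked[name] = missing
    return blocked

if __name__ == "__main__":
    for name, versions in removed_stored_versions(EXISTING, INCOMING).items():
        print(f"{name}: incoming CRD removes stored version(s) {', '.join(versions)}")
```

Kubernetes does not prune status.storedVersions on its own, so a version stays listed there until the stored objects are migrated and the status is updated.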
We are rolling out a few security-related changes in flux2 that may impact flux2-openshift.
Here's a summary of them:
securityContext.runAsNonRoot.
I will link the PRs here to keep track of progress.