Fixing Flux Logic
Package Merge Request
Package Changes
Changing the logic behind flux so it only changes the flux values for the specified package I.E .values.tempo.flux.timeout
will only change the timeout for flux and not the timeout for ALL packages
This is what occurred when starting out: the value of 5m would be specified in .values.packages.crossplane.flux.timeout,
but it would affect any package that did not have a timeout specified. This was not intended behavior.
After the changes. I set the values.packages.crossplane.flux.timeout
to 25m and it only affected crossplane and not the other packages.
K3d override values used tested it with both making sure 2 .values.packages.$pkg.flux.x
did not interfere with eachother as well as setting flux settings for twistlock
to use Serviceaccountname: Junge2
Kiali
to use serviceAccountName: Junge and timeout: 20m
# comments: |
#   This example values override file is provided FOR DEVELOPMENT/DEMO/TEST PURPOSES ONLY
# -- Base domain that packages derive their hostnames from (e.g. `*.{{ .Values.domain }}`).
domain: bigbang.dev
sso:
  # -- Name of the identity provider. This is used by some packages as the SSO login label.
  name: SSO
  # -- Base URL for the identity provider. For OIDC, this is the issuer. For SAML this is the entityID.
  url: https://keycloak.bigbang.dev/auth/realms/baby-yoda
# -- Cluster-wide Flux reconciliation defaults. Per-package `flux:` keys
# (e.g. `kiali.flux.timeout`) override these for that package only.
flux:
  # -- Reconciliation interval for the HelmReleases
  interval: 1m
  rollback:
    # -- Keep failed resources around on rollback (useful when debugging a dev cluster)
    cleanupOnFail: false
# -- Istio with an additional passthrough gateway. TLS is not terminated at the
# gateway (mode PASSTHROUGH), so the backing workload must present its own certificate.
istio:
  enabled: true
  ingressGateways:
    passthrough-ingressgateway:
      type: "LoadBalancer"
  gateways:
    passthrough:
      ingressGateway: "passthrough-ingressgateway"
      hosts:
        # wildcard host under the cluster domain; quoted because `*` is an alias sigil in YAML
        - "*.{{ .Values.domain }}"
      tls:
        mode: "PASSTHROUGH"
promtail:
  enabled: false
kyverno:
  # -- Toggle deployment of Kyverno.
  enabled: false
# NOTE(review): the flattened source does not show nesting; reconstructed as the
# top-level Big Bang `networkPolicies` key — confirm against the original file.
networkPolicies:
  enabled: true
  # -- CIDR of the control plane; egress to it is allowed by the generated policies
  controlPlaneCidr: 172.16.0.0/12
kyvernoPolicies:
  # -- Toggle deployment of Kyverno policies
  enabled: false
kyvernoReporter:
  # -- Toggle deployment of Kyverno Reporter
  enabled: false
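clusterAuditor:
  # -- Toggle deployment of Cluster Auditor.
  enabled: false
  git:
    # -- Tag takes precedence over branch in Flux, so it is blanked here to make `branch` effective
    tag: ""
    branch: "84-refactor-cluster-auditor-to-gluon-0-4-7"
  values:
    networkpolicies:
      enabled: true
    bbtests:
      enabled: true
      cypress:
        artifacts: true
        envs:
          # in-cluster alternative (comment spacing fixed for yamllint `comments`):
          # cypress_grafana_url: http://grafana.monitoring.svc.cluster.local
          cypress_grafana_url: 'https://grafana.bigbang.dev'
          cypress_prometheus_url: 'https://prometheus.bigbang.dev'
          cypress_url: 'https://grafana.bigbang.dev/d/YBgRZG6Mz/opa-violations?orgId=1'
          # quoted so the consumer receives strings, not integers
          cypress_table_bar_allownodata: '1'
          # violations over time graph
          cypress_graph_allownodata: '2'
          cypress_reporter_ns: cluster-auditor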
gatekeeper:
  enabled: false
loki:
  enabled: true
  values:
    bbtests:
      enabled: true
      cypress:
        envs:
          # string on purpose — the test harness reads it as text
          cypress_check_datasource: 'true'
          cypress_grafana_url: 'http://grafana.bigbang.dev'
      scripts:
        envs:
          LOKI_URL: 'http://logging-loki-write.logging.svc:3100'
monitoring:
  values:
    bbtests:
      enabled: true
  enabled: true
twistlock:
  enabled: true
  # -- Per-package Flux override; with this MR it applies to twistlock only
  flux:
    serviceAccountName: Junge2
  sso:
    enabled: false
    client_id: "platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-twistlock"
  values:
    bbtests:
      enabled: true
    imagePullSecrets:
      - name: private-registry
    console:
      # license value redacted in this listing
      license: "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"
      # dev/test-only credentials (see file header); not for real clusters
      credentials:
        password: "admin"
      additionalUsers:
        - username: foo
          authType: basic
          password: bar
          role: admin
    defender:
      enabled: true
      # path to the node's containerd socket in the k3s layout
      dockerSocket: "/run/k3s/containerd/containerd.sock"
      selinux: false
istioOperator:
  enabled: true
jaeger:
  enabled: false
kiali:
  enabled: true
  # -- Flux settings scoped to kiali only (timeout and SA used to verify the fix in this MR)
  flux:
    timeout: 20m
    serviceAccountName: Junge
fluentbit:
  enabled: false
neuvector:
  enabled: false
tempo:
  enabled: true
  values:
    networkPolicies:
      additionalPolicies:
        - name: egress-test-job
          spec:
            # empty podSelector selects every pod in the namespace, so this
            # egress allowance is namespace-wide, not limited to the test job
            podSelector: {}
            policyTypes:
              - Egress
            egress:
              - to:
                  - ipBlock:
                      cidr: 172.20.0.0/12
elasticsearchKibana:
  enabled: false
grafana:
  enabled: true
  values:
    bbtests:
      enabled: true
addons:
  sonarqube:
    enabled: false
  argocd:
    enabled: false
  gitlab:
    enabled: false
  minioOperator:
    enabled: false
    # alternative git source, kept for reference:
    # sourceType: "git"
    # git:
    #   repo: https://repo1.dso.mil/big-bang/product/packages/minio-operator.git
    #   path: "./chart"
    #   tag: null
    #   branch: "renovate/ironbank"
  minio:
    enabled: false
  metricsServer:
    enabled: false
  keycloak:
    enabled: false
    values:
      replicas: 1
      resources:
        requests:
          cpu: 250m
          memory: 250Mi
        limits: {}
      bbtests:
        enabled: true
        cypress:
          envs:
            cypress_url: "https://keycloak.bigbang.dev"
      command:
        - "/opt/keycloak/bin/kc.sh"
      args:
        - "start"
        - "--import-realm"
      # block scalar: rendered as text by Helm, then parsed as a YAML list by the chart
      extraEnv: |-
        - name: KC_HTTPS_CERTIFICATE_FILE
          value: /opt/keycloak/conf/tls.crt
        - name: KC_HTTPS_CERTIFICATE_KEY_FILE
          value: /opt/keycloak/conf/tls.key
        - name: KC_HTTP_ENABLED
          value: "true"
        - name: KC_HTTP_RELATIVE_PATH
          value: /auth
        - name: KC_HTTPS_CLIENT_AUTH
          value: request
        - name: KC_PROXY
          value: passthrough
        - name: KC_HTTPS_TRUST_STORE_FILE
          value: /opt/keycloak/conf/truststore.jks
        # dev-only truststore password (see file header)
        - name: KC_HTTPS_TRUST_STORE_PASSWORD
          value: password
        - name: KC_HOSTNAME
          value: keycloak.bigbang.dev
        - name: KC_HOSTNAME_STRICT
          value: "true"
        - name: KC_HOSTNAME_STRICT_HTTPS
          value: "true"
        - name: KC_LOG_LEVEL
          value: "org.keycloak.events:DEBUG,org.infinispan:INFO,org.jgroups:INFO"
        - name: KC_CACHE
          value: ispn
        - name: KC_CACHE_STACK
          value: kubernetes
      secrets:
        env:
          stringData:
            CUSTOM_REGISTRATION_CONFIG: /opt/keycloak/conf/customreg.yaml
        customreg:
          stringData:
            customreg.yaml: '{{ .Files.Get "resources/dev/baby-yoda.yaml" }}'
        realm:
          stringData:
            realm.json: '{{ .Files.Get "resources/dev/baby-yoda-bb-ci.json" }}'
        truststore:
          data:
            truststore.jks: |-
              {{ .Files.Get "resources/dev/truststore.jks" | b64enc }}
        quarkusproperties:
          stringData:
            quarkus.properties: '{{ .Files.Get "resources/dev/quarkus.properties" }}'
      extraInitContainers: |-
        - name: plugin
          image: registry1.dso.mil/ironbank/big-bang/p1-keycloak-plugin:3.2.0
          imagePullPolicy: Always
          command:
            - sh
            - -c
            - |
              cp /app/p1-keycloak-plugin.jar /init
              ls -l /init
          volumeMounts:
            - name: plugin
              mountPath: "/init"
      extraVolumes: |-
        - name: customreg
          secret:
            secretName: {{ include "keycloak.fullname" . }}-customreg
        - name: realm
          secret:
            secretName: {{ include "keycloak.fullname" . }}-realm
        - name: plugin
          emptyDir: {}
        - name: truststore
          secret:
            secretName: {{ include "keycloak.fullname" . }}-truststore
        - name: quarkusproperties
          secret:
            secretName: {{ include "keycloak.fullname" . }}-quarkusproperties
            # world-readable/writable mode on a secret mount; acceptable only in this dev override
            defaultMode: 0777
      extraVolumeMounts: |-
        - name: customreg
          mountPath: /opt/keycloak/conf/customreg.yaml
          subPath: customreg.yaml
          readOnly: true
        - name: realm
          mountPath: /opt/keycloak/data/import/realm.json
          subPath: realm.json
        - name: plugin
          mountPath: /opt/keycloak/providers/p1-keycloak-plugin.jar
          subPath: p1-keycloak-plugin.jar
        - name: truststore
          mountPath: /opt/keycloak/conf/truststore.jks
          subPath: truststore.jks
        - name: quarkusproperties
          mountPath: /opt/keycloak/conf/quarkus.properties
          subPath: quarkus.properties
# -- Wrapper chart for integrating Big Bang components alongside a package
wrapper:
  # -- Choose source type of "git" or "helmRepo"
  sourceType: "git"
  helmRepo:
    # -- Repository holding OCI chart, corresponding to `helmRepositories` name
    repoName: "registry1"
    # -- Name of the OCI chart in `repo`
    chartName: wrapper
    # -- Tag of the OCI chart in `repo`; quoted so it stays a string
    tag: "0.4.7"
  git:
    # -- Git repo holding the wrapper helm chart, example: https://repo1.dso.mil/big-bang/product/packages/wrapper
    repo: "https://repo1.dso.mil/big-bang/product/packages/wrapper.git"
    # -- Path inside of the git repo to find the helm chart, example: chart
    path: "chart"
    # -- Git tag to check out. Takes precedence over branch. [More info](https://fluxcd.io/flux/components/source/gitrepositories/#reference), example: 0.0.2
    tag: "0.4.7"
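# -- Packages to deploy with Big Bang
# @default - '{}'
packages:
  # Two entries of the same chart with different `flux:` settings, used to verify
  # that one package's Flux values no longer leak into the other's.
  crossplane:
    enabled: true
    wrapper:
      enabled: true
    # flux: {}
    flux:
      timeout: 15m
      serviceAccountName: Junge5
    namespace:
      name: crossplane-system
    # OCI alternative to the git source below:
    # helmRepo:
    #   repoName: registry1
    #   chartName: crossplane
    #   tag: 1.12.0-bb.0
    git:
      repo: "https://repo1.dso.mil/big-bang/product/community/crossplane.git"
      tag: "1.12.2-bb.0"
      path: "./chart"
    values:
      resourcesCrossplane:
        limits:
          # -- CPU resource limits for Crossplane.
          cpu: 1
          # -- Memory resource limits for Crossplane.
          memory: 1Gi
        requests:
          # -- CPU resource requests for Crossplane.
          cpu: 100m
          # -- Memory resource requests for Crossplane.
          memory: 256Mi
      provider:
        packages:
          - registry1.dso.mil/bigbang-ci/crossplane/provider-aws-iam:v0.37.0
          - registry1.dso.mil/bigbang-ci/crossplane/provider-aws-ec2:v0.37.0
          - registry1.dso.mil/bigbang-ci/crossplane/provider-aws-eks:v0.37.0
          - registry1.dso.mil/bigbang-ci/crossplane/provider-family-aws:v0.37.0
          - registry1.dso.mil/bigbang-ci/crossplane/provider-kubernetes:v0.9.0
  crossplane2:
    enabled: true
    wrapper:
      enabled: true
    # flux: {}
    flux:
      timeout: 40m
      serviceAccountName: Junge10
    # NOTE: deploys into the same namespace as `crossplane` above
    namespace:
      name: crossplane-system
    # helmRepo:
    #   repoName: registry1
    #   chartName: crossplane
    #   tag: 1.12.0-bb.0
    git:
      repo: "https://repo1.dso.mil/big-bang/product/community/crossplane.git"
      tag: "1.12.2-bb.0"
      path: "./chart"
    values:
      resourcesCrossplane:
        limits:
          # -- CPU resource limits for Crossplane.
          cpu: 1
          # -- Memory resource limits for Crossplane.
          memory: 1Gi
        requests:
          # -- CPU resource requests for Crossplane.
          cpu: 100m
          # -- Memory resource requests for Crossplane.
          memory: 256Mi
      provider:
        packages:
          - registry1.dso.mil/bigbang-ci/crossplane/provider-aws-iam:v0.37.0
          - registry1.dso.mil/bigbang-ci/crossplane/provider-aws-ec2:v0.37.0
          - registry1.dso.mil/bigbang-ci/crossplane/provider-aws-eks:v0.37.0
          - registry1.dso.mil/bigbang-ci/crossplane/provider-family-aws:v0.37.0
          - registry1.dso.mil/bigbang-ci/crossplane/provider-kubernetes:v0.9.0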
Package MR
(Link to Package MR here)
For Issue
Closes (big-bang/product/packages/wrapper#31 (closed))
Upgrade Notices
This will fundamentally change how people may have used Flux in the past as it currently stands if as much as 1 package deviates from the defaults of flux, it propagates that change to ALL packages. This was a bug not a feature. But people may have adapted to the buggy approach. There is potential for issues in consumers environments due to this.