Release 1.0.0-rc2 (#59)

Release 1.0.0-rc2

Author: hiddeco

.circleci/config.yml

@@ -77,7 +77,7 @@ jobs:
       - deploy:
           name: Maybe push release image
           command: |
-            if echo "${CIRCLE_TAG}" | grep -Eq "^[0-9]+(\.[0-9]+)*(-[a-z]+)?$"; then
+            if echo "${CIRCLE_TAG}" | grep -Eq "^[0-9]+(\.[0-9]+)*(-[a-z0-9]+)?$"; then
               echo "$DOCKER_FLUXCD_PASSWORD" | docker login --username "$DOCKER_FLUXCD_USER" --password-stdin
               docker push "docker.io/fluxcd/helm-operator:${CIRCLE_TAG}"
             fi

CHANGELOG.md

@@ -1,3 +1,59 @@
+## 1.0.0-rc2 (2019-10-02)
+
+> **Notice:** upgrading to this version from `<=0.10.x` by just
+> updating your Helm Operator image tag is not possible as the
+> CRD domain and version have changed. An upgrade guide can be
+> found [here](./docs/guides/upgrading-to-ga.md).
+
+This is the second release candidate.
+
+### Bug fixes
+
+ - Fix permissions on chart directory creation for non-root users
+   [fluxcd/helm-operator#31][#31]
+ - Filter out `nil` resources during parsing of released resources,
+   as it caused confusion due to a harmless `Object 'Kind' is missing
+   in 'null'` error being logged
+   [fluxcd/helm-operator#47][#47]
+ - Make `OwnedByHelmRelease` default to `true`, to work around some
+   edge case scenarios where no resources are present for the release,
+   or they are all skipped
+   [fluxcd/helm-operator#56][#56]
+
+### Improvements
+
+ - Add `--status-update-interval` flag, for configuring the interval
+   at which the operator consults Tiller for the status of a release
+   [fluxcd/helm-operator#44][#44]
+ - Expand the list of public Helm repositories in the default config
+   [fluxcd/helm-operator#53][#53]
+
+### Maintenance and documentation
+
+ - Build: avoid spurious diffs in generated files by fixing their
+   modtimes to Unix epoch [fluxcd/helm-operator#50][#50]
+ - Build: update Flux dependency to `v1.15.0`
+   [fluxcd/helm-operator#58][#58]
+ - Documentation: Kustomize installation tutorial and various fixes
+   [fluxcd/helm-operator#32][#32]
+ - Documentation: add Helm v3 (alpha) workshop to `README.md`
+   [fluxcd/helm-operator#52][#52]
+   
+### Thanks
+
+Many thanks to @knackaron, @stefanprodan, @hiddeco, @swade1987
+for contributions to this release.
+
+[#31]: https://github.com/fluxcd/helm-operator/pull/31
+[#32]: https://github.com/fluxcd/helm-operator/pull/32
+[#44]: https://github.com/fluxcd/helm-operator/pull/44
+[#47]: https://github.com/fluxcd/helm-operator/pull/47
+[#50]: https://github.com/fluxcd/helm-operator/pull/50
+[#52]: https://github.com/fluxcd/helm-operator/pull/52
+[#53]: https://github.com/fluxcd/helm-operator/pull/53
+[#56]: https://github.com/fluxcd/helm-operator/pull/56
+[#58]: https://github.com/fluxcd/helm-operator/pull/58
+
 ## 1.0.0-rc1 (2019-08-14)
 
 > **Notice:** upgrading to this version by just updating your Helm

README.md

@@ -2,7 +2,7 @@
 
 [![CircleCI](https://circleci.com/gh/fluxcd/helm-operator.svg?style=svg)](https://circleci.com/gh/fluxcd/helm-operator)
 [![GoDoc](https://godoc.org/github.com/fluxcd/helm-operator?status.svg)](https://godoc.org/github.com/fluxcd/helm-operator)
-[![Documentation](https://img.shields.io/badge/latest-documentation-informational)](https://docs.fluxcd.io/en/latest/)
+[![Documentation](https://img.shields.io/badge/latest-documentation-informational)](https://docs.fluxcd.io/projects/helm-operator/en/latest/)
 
 The Helm Operator provides an extension to [Flux](https://github.com/fluxcd/flux)
 that automates Helm Chart releases in a GitOps manner.
@@ -25,13 +25,14 @@ and the Helm Operator makes sure Helm charts are released as specified in the re
 ## Get started with the Helm Operator
 
 Get started [installing the Helm operator](/chart/helm-operator/README.md)
-or just [browse through the documentation](https://docs.fluxcd.io/en/latest/helm-operator/).
+or just [browse through the documentation](https://docs.fluxcd.io/projects/helm-operator/en/latest/).
 
 ### Integrations
 
 As Flux Helm Operator is Open Source, integrations are very straight-forward. Here are
 a few popular ones you might want to check out:
 
+- [Progressive Delivery workshop (Helm v3 alpha)](https://helm.workshop.flagger.dev/)
 - [Managing Helm releases the GitOps way](https://github.com/fluxcd/helm-operator-get-started)
 - [GitOps for Istio Canary deployments](https://github.com/stefanprodan/gitops-istio)
 

chart/helm-operator/CHANGELOG.md

@@ -0,0 +1,19 @@
+## 0.1.1 (2019-09-15)
+
+### Improvements
+
+ - Restart operator on helm repositories changes
+   [fluxcd/helm-operator#30](https://github.com/fluxcd/helm-operator/pull/30)
+ - Add liveness and readiness probes
+   [fluxcd/helm-operator#30](https://github.com/fluxcd/helm-operator/pull/30)
+ - Add `HelmRelease` example to chart notes
+   [fluxcd/helm-operator#30](https://github.com/fluxcd/helm-operator/pull/30)
+
+### Bug fixes
+
+ - Fix SSH key mapping
+   [fluxcd/helm-operator#30](https://github.com/fluxcd/helm-operator/pull/30)
+
+## 0.1.0 (2019-09-14)
+
+Initial chart release with Helm Operator [1.0.0-rc1](https://github.com/fluxcd/helm-operator/blob/master/CHANGELOG.md#100-rc1-2019-08-14)

chart/helm-operator/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "1.0.0-rc1"
-version: 1.0.0
+appVersion: "1.0.0-rc2"
+version: 0.1.1
 kubeVersion: ">=1.11.0-0"
 name: helm-operator
 description: Flux Helm Operator is a CRD controller for declarative helming

chart/helm-operator/README.md

@@ -39,7 +39,7 @@ helm upgrade -i helm-operator fluxcd/helm-operator \
 --namespace fluxcd \
 --set configureRepositories.enable=true \
 --set configureRepositories.repositories[0].name=stable \
---set configureRepositories.repositories[0].url=ttps://kubernetes-charts.storage.googleapis.com \
+--set configureRepositories.repositories[0].url=https://kubernetes-charts.storage.googleapis.com \
 --set configureRepositories.repositories[1].name=podinfo \
 --set configureRepositories.repositories[1].url=https://stefanprodan.github.io/podinfo
 ```
@@ -134,6 +134,28 @@ spec:
     replicaCount: 1
 ```
 
+## Use Flux's Git deploy key
+
+You can configure the Helm Operator to use the Git SSH key generated by Flux. 
+
+Assuming you've installed Flux with:
+
+```sh
+helm upgrade -i flux fluxcd/flux \
+--namespace fluxcd \
+--set [email protected]:org/repo
+```
+
+when installing Helm Operator, you can refer the Flux deploy key by its Kubernetes Secret name:
+
+```sh
+helm -i helm-operator fluxcd/helm-operator \
+--namespace fluxcd \
+--set git.ssh.secret=flux-git-deploy
+```
+
+The deploy key naming convention is `<Flux Release Name>-git-deploy`.
+
 ## Uninstall
 
 To uninstall/delete the `helm-operator` deployment:
@@ -142,7 +164,10 @@ To uninstall/delete the `helm-operator` deployment:
 helm delete --purge helm-operator
 ```
 
-The command removes all the Kubernetes components associated with the chart and deletes the release.
+The command removes all the Kubernetes components associated with the chart and deletes the release. 
+
+Note that `helm delete` will not remove the `HelmRelease` CRD.
+Deleting the CRD will trigger a cascade delete of all Helm release objects.
 
 ## Configuration
 
@@ -167,14 +192,17 @@ The following tables lists the configurable parameters of the Flux chart and the
 | `serviceAccount.create`                           | `true`                                               | If `true`, create a new service account
 | `serviceAccount.name`                             | `flux`                                               | Service account to be used
 | `clusterRole.create`                              | `true`                                               | If `false`, Helm Operator will be restricted to the namespace where is deployed
-| `createCRD`                                       | `true`                                               | Create the HelmRelease CRD
+| `createCRD`                                       | `false`                                              | Create the HelmRelease CRD
 | `updateChartDeps`                                 | `true`                                               | Update dependencies for charts
 | `git.pollInterval`                                | `git.pollInterval`                                   | Period on which to poll git chart sources for changes
 | `git.timeout`                                     | `git.timeout`                                        | Duration after which git operations time out
 | `git.ssh.secretName`                              | `None`                                               | The name of the kubernetes secret with the SSH private key, supercedes `git.secretName`
 | `git.ssh.known_hosts`                             | `None`                                               | The contents of an SSH `known_hosts` file, if you need to supply host key(s)
-| `chartsSyncInterval`                              | `3m`                                                 | Interval at which to check for changed charts
-| `workers`                                         | `None`                                               | (Experimental) amount of workers processing releases
+| `git.ssh.configMapName`                           | `None`                                               | The name of a kubernetes config map containing the ssh config
+| `git.ssh.configMapKey`                            | `config`                                             | The name of the key in the kubernetes config map specified above
+| `chartsSyncInterval`                              | `3m`                                                 | Period on which to reconcile the Helm releases with `HelmRelease` resources
+| `statusUpdateInterval`                            | `None`                                               | Period on which to update the Helm release status in `HelmRelease` resources
+| `workers`                                         | `None`                                               | Amount of workers processing releases
 | `logFormat`                                       | `fmt`                                                | Log format (fmt or json)
 | `logReleaseDiffs`                                 | `false`                                              | Helm operator should log the diff when a chart release diverges (possibly insecure)
 | `allowNamespace`                                  | `None`                                               | If set, this limits the scope to a single namespace. If not specified, all namespaces will be watched

chart/helm-operator/templates/NOTES.txt

@@ -1,2 +1,41 @@
 Flux Helm Operator docs https://docs.fluxcd.io
 
+Example:
+
+AUTH_VALUES=$(cat <<-END
+usePassword: true
+password: "redis_pass"
+usePasswordFile: true
+END
+)
+
+kubectl create secret generic redis-auth --from-literal=values.yaml="$AUTH_VALUES"
+
+cat <<EOF | kubectl apply -f -
+apiVersion: helm.fluxcd.io/v1
+kind: HelmRelease
+metadata:
+  name: redis
+  namespace: default
+spec:
+  releaseName: redis
+  chart:
+    repository: https://kubernetes-charts.storage.googleapis.com
+    name: redis
+    version: 9.0.2
+  valuesFrom:
+  - secretKeyRef:
+      name: redis-auth
+  values:
+    master:
+      persistence:
+        enabled: false
+    volumePermissions:
+      enabled: true
+    metrics:
+      enabled: true
+    cluster:
+      enabled: false
+EOF
+
+watch kubectl get hr

chart/helm-operator/templates/deployment.yaml

@@ -16,6 +16,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/repositories: {{ include (print $.Template.BasePath "/helm-repositories.yaml") . | sha256sum | quote }}
       {{- if .Values.prometheus.enabled }}
         prometheus.io/scrape: "true"
       {{- end }}
@@ -33,7 +34,7 @@ spec:
       {{- end }}
       volumes:
       {{- if .Values.git.ssh.known_hosts }}
-      - name: sshdir
+      - name: sshknownhosts
         configMap:
           name: {{ template "helm-operator.fullname" . }}-ssh-config
           defaultMode: 0600
@@ -44,10 +45,19 @@ spec:
           secretName: {{ include "git.config.secretName" . }}
           defaultMode: 0400
       {{- end }}
+      {{- if .Values.git.ssh.configMapName }}
+      - name: sshconfig
+        configMap:
+          name: {{ .Values.git.ssh.configMapName }}
+          items:
+            - key: {{ .Values.git.ssh.configMapKey | default "config" }}
+              path: config
+          defaultMode: 0400
+      {{- end }}
       - name: git-key
         secret:
-          {{- if .Values.git.secretName }}
-          secretName: {{ .Values.git.secretName }}
+          {{- if .Values.git.ssh.secretName }}
+          secretName: {{ .Values.git.ssh.secretName }}
           {{- else }}
           secretName: {{ template "helm-operator.fullname" . }}-git-deploy
           {{- end }}
@@ -78,13 +88,30 @@ spec:
         ports:
         - name: http
           containerPort: 3030
+        livenessProbe:
+          httpGet:
+            port: 3030
+            path: /healthz
+          initialDelaySeconds: 1
+          timeoutSeconds: 5
+        readinessProbe:
+          httpGet:
+            port: 3030
+            path: /healthz
+          initialDelaySeconds: 1
+          timeoutSeconds: 5
         volumeMounts:
         {{- if .Values.git.ssh.known_hosts }}
-        - name: sshdir
+        - name: sshknownhosts
           mountPath: /root/.ssh/known_hosts
           subPath: known_hosts
           readOnly: true
         {{- end }}
+        {{- if .Values.git.ssh.configMapName }}
+        - name: sshconfig
+          mountPath: /root/.ssh/
+          readOnly: true
+        {{- end }}
         {{- if .Values.git.config.enabled }}
         - name: git-config
           mountPath: /root/.gitconfig
@@ -115,10 +142,13 @@ spec:
         args:
         {{- if .Values.logFormat }}
         - --log-format={{ .Values.logFormat }}
-        {{end}}
+        {{- end }}
         - --git-timeout={{ .Values.git.timeout }}
         - --git-poll-interval={{ .Values.git.pollInterval }}
         - --charts-sync-interval={{ .Values.chartsSyncInterval }}
+        {{- if .Values.statusUpdateInterval }}
+        - --status-update-interval={{ .Values.statusUpdateInterval }}
+        {{- end }}
         - --update-chart-deps={{ .Values.updateChartDeps }}
         - --log-release-diffs={{ .Values.logReleaseDiffs }}
         {{- if .Values.workers }}

chart/helm-operator/templates/git-secret.yaml

@@ -1,4 +1,4 @@
-{{- if not .Values.git.secretName -}}
+{{- if not .Values.git.ssh.secretName -}}
 apiVersion: v1
 kind: Secret
 metadata:

chart/helm-operator/values.yaml

@@ -5,7 +5,7 @@ fullnameOverride: ""
 
 image:
   repository: docker.io/fluxcd/helm-operator
-  tag: 1.0.0-rc1
+  tag: 1.0.0-rc2
   pullPolicy: IfNotPresent
   pullSecret:
 
@@ -19,8 +19,10 @@ updateChartDeps: true
 logFormat: fmt
 # Log the diff when a chart release diverges
 logReleaseDiffs: false
-# Interval at which to check for changed charts
+# Period on which to reconcile the Helm releases with `HelmRelease` resources
 chartsSyncInterval: "3m"
+# Period on which to update the Helm release status in `HelmRelease` resources
+statusUpdateInterval:
 # Amount of workers processing releases
 workers: 2
 
@@ -55,6 +57,7 @@ configureRepositories:
 
 # For charts stored in Git repos set the SSH private key secret
 git:
+  # Period on which to poll git chart sources for changes
   pollInterval: "5m"
   timeout: "20s"
   # Overrides for git over SSH. If you use your own git server, you
@@ -67,6 +70,23 @@ git:
     # set the secret name (helm-ssh) below
     secretName: ""
     known_hosts: ""
+    # You may want to configure access to multiple repositories via multiple deploy keys
+    # flux-helm-operator is configured in /etc/ssh/ssh_config to use for all hosts the file /etc/fluxd/ssh/identity
+    # this file is mounted from the above secret
+    # all entries in the secret are mounted in the same place /etc/fluxd/ssh/
+    # so we can add more entries by providing this config map with a key of config that refer to other files in /etc/fluxd/ssh/
+    # e.g. in the above secret create another key for example myprivatehelmrepo
+    # in the below config map create a key config and input the following
+    #
+    # Host *
+    # StrictHostKeyChecking yes
+    # IdentityFile /etc/fluxd/ssh/identity
+    # IdentityFile /var/fluxd/keygen/identity
+    # IdentityFile /var/fluxd/keygen/myprivatehelmrepo
+    # LogLevel error
+    #
+    # add the public key to the other repository as a deploy key and enjoy
+    configMapName: ""
   # Global Git configuration See https://git-scm.com/docs/git-config for more details.
   config:
     enabled: false