From 1dfc35495a7feae5dffa39f1ce5b8674158998d1 Mon Sep 17 00:00:00 2001
From: Hidde Beydals
Date: Thu, 26 Sep 2019 18:39:42 +0200
Subject: [PATCH 1/3] De-experimental-ise garbage collection feature

---
 chart/flux/README.md | 4 ++--
 cmd/fluxd/main.go | 4 ++--
 docs/faq.md | 10 ++++------
 docs/references/daemon.md | 5 +++--
 4 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/chart/flux/README.md b/chart/flux/README.md
index 5e4d15faf..3af74de4d 100755
--- a/chart/flux/README.md
+++ b/chart/flux/README.md
@@ -330,8 +330,8 @@ The following tables lists the configurable parameters of the Flux chart and the
 | `helmOperator.affinity` | `{}` | Affinity properties for the helmOperator deployment
 | `kube.config` | [See values.yaml](/chart/flux/values.yaml#L151-L165) | Override for kubectl default config in the Flux pod(s).
 | `prometheus.enabled` | `false` | If enabled, adds prometheus annotations to Flux and helmOperator pod(s)
-| `syncGarbageCollection.enabled` | `false` | If enabled, fluxd will delete resources that it created, but are no longer present in git (experimental, see [garbage collection](/docs/references/garbagecollection.md))
-| `syncGarbageCollection.dry` | `false` | If enabled, fluxd won't delete any resources, but log the garbage collection output (experimental, see [garbage collection](/docs/references/garbagecollection.md))
+| `syncGarbageCollection.enabled` | `false` | If enabled, fluxd will delete resources that it created, but are no longer present in git (see [garbage collection](/docs/references/garbagecollection.md))
+| `syncGarbageCollection.dry` | `false` | If enabled, fluxd won't delete any resources, but log the garbage collection output (see [garbage collection](/docs/references/garbagecollection.md))
 | `manifestGeneration` | `false` | If enabled, fluxd will look for `.flux.yaml` and run Kustomize or other manifest generators
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example:
diff --git a/cmd/fluxd/main.go b/cmd/fluxd/main.go
index 9036ed882..45954d1c7 100644
--- a/cmd/fluxd/main.go
+++ b/cmd/fluxd/main.go
@@ -137,8 +137,8 @@ func main() {
 // syncing
 syncInterval = fs.Duration("sync-interval", 5*time.Minute, "apply config in git to cluster at least this often, even if there are no new commits")
 syncTimeout = fs.Duration("sync-timeout", 1*time.Minute, "duration after which sync operations time out")
- syncGC = fs.Bool("sync-garbage-collection", false, "experimental; delete resources that were created by fluxd, but are no longer in the git repo")
- dryGC = fs.Bool("sync-garbage-collection-dry", false, "experimental; only log what would be garbage collected, rather than deleting. Implies --sync-garbage-collection")
+ syncGC = fs.Bool("sync-garbage-collection", false, "delete resources that were created by fluxd, but are no longer in the git repo")
+ dryGC = fs.Bool("sync-garbage-collection-dry", false, "only log what would be garbage collected, rather than deleting. Implies --sync-garbage-collection")
 syncState = fs.String("sync-state", fluxsync.GitTagStateMode, fmt.Sprintf("method used by flux for storing state (one of {%s})", strings.Join([]string{fluxsync.GitTagStateMode, fluxsync.NativeStateMode}, ",")))
 
 // registry
diff --git a/docs/faq.md b/docs/faq.md
index 855f22329..d8ea7d856 100644
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -122,15 +122,13 @@ No. It applies changes to git only when a Flux command or API call makes them.
 
 ### Will Flux delete resources when I remove them from git?
 
-Flux has an experimental (for now) garbage collection feature,
-enabled by passing the command-line flag `--sync-garbage-collection`
-to `fluxd`.
+Flux has an garbage collection feature, enabled by passing the command-line
+flag `--sync-garbage-collection` to `fluxd`.
 
 The garbage collection is conservative: it is designed to not delete resources that were not created by `fluxd`. This means it will sometimes
-_not_ delete resources that _were_ created by `fluxd`, when
-reconfigured. Read more about garbage collection
-[here](references/garbagecollection.md).
+_not_ delete resources that _were_ created by `fluxd`, when reconfigured.
+Read more about garbage collection [here](references/garbagecollection.md).
 
 ### How do I give Flux access to an image registry?
 
diff --git a/docs/references/daemon.md b/docs/references/daemon.md
index a559ee612..e4a6b2fec 100644
--- a/docs/references/daemon.md
+++ b/docs/references/daemon.md
@@ -59,8 +59,9 @@ Version controlling of cluster manifests provides reproducibility and a historic
 | --git-timeout | `20s` | duration after which git operations time out
 | **syncing:** control over how config is applied to the cluster
 | --sync-interval | `5m` | apply the git config to the cluster at least this often. New commits may provoke more frequent syncs
-| --sync-timeout | `1m` | duration after which sync operations time out
-| --sync-garbage-collection | `false` | experimental: when set, fluxd will delete resources that it created, but are no longer present in git
+| --sync-timeout | `1m` | duration after which sync operations time out
+| --sync-garbage-collection | `false` | when set, fluxd will delete resources that it created, but are no longer present in git
+| --sync-garbage-collection-dry | `false` | only log what would be garbage collected, rather than deleting. Implies --sync-garbage-collection
 | **registry cache:** (none of these need overriding, usually)
 | --memcached-hostname | `memcached` | hostname for memcached service to use for caching image metadata
 | --memcached-timeout | `1s` | maximum time to wait before giving up on memcached requests
From f9aca7d0234d3bbfc52f962cfed62baae17e24b9 Mon Sep 17 00:00:00 2001
From: Hidde Beydals
Date: Thu, 26 Sep 2019 18:45:39 +0200
Subject: [PATCH 2/3] De-experimental-ise namespace scope feature

---
 cmd/fluxd/main.go | 7 +++++--
 docs/faq.md | 7 ++-----
 docs/references/daemon.md | 2 +-
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/cmd/fluxd/main.go b/cmd/fluxd/main.go
index 45954d1c7..81b030e9e 100644
--- a/cmd/fluxd/main.go
+++ b/cmd/fluxd/main.go
@@ -168,8 +168,11 @@ func main() {
 k8sSecretName = fs.String("k8s-secret-name", "flux-git-deploy", "name of the k8s secret used to store the private SSH key")
 k8sSecretVolumeMountPath = fs.String("k8s-secret-volume-mount-path", "/etc/fluxd/ssh", "mount location of the k8s secret storing the private SSH key")
 k8sSecretDataKey = fs.String("k8s-secret-data-key", "identity", "data key holding the private SSH key within the k8s secret")
- k8sNamespaceWhitelist = fs.StringSlice("k8s-namespace-whitelist", []string{}, "experimental, optional: restrict the view of the cluster to the namespaces listed. All namespaces are included if this is not set")
- k8sAllowNamespace = fs.StringSlice("k8s-allow-namespace", []string{}, "experimental: restrict all operations to the provided namespaces")
+
+ // k8s-scope settings
+ k8sNamespaceWhitelist = fs.StringSlice("k8s-namespace-whitelist", []string{}, "restrict the view of the cluster to the namespaces listed. All namespaces are included if this is not set")
+ k8sAllowNamespace = fs.StringSlice("k8s-allow-namespace", []string{}, "restrict all operations to the provided namespaces")
+ k8sVerbosity = fs.Int("k8s-verbosity", 0, "klog verbosity level")
 
 // SSH key generation
diff --git a/docs/faq.md b/docs/faq.md
index d8ea7d856..0c43d3335 100644
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -269,8 +269,6 @@ Here's the relevant docs for some common CI systems:
 
 ### Can I restrict the namespaces that Flux can see or operate on?
 
-Yes, though support for this is experimental at the minute.
-
 Flux will only operate on the namespaces that its service account has access to; so the most effective way to restrict it to certain namespaces is to use Kubernetes' role-based access control (RBAC) to
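Review bot: The new help text for `k8s-allow-namespace` reads as a hard restriction, while the FAQ hunk in this same commit says Flux only operates on the namespaces its service account can reach and that RBAC is the most effective way to restrict it, so the flag text should not present itself as the enforcement boundary. I would change it to `k8sAllowNamespace = fs.StringSlice("k8s-allow-namespace", []string{}, "restrict all operations to the provided namespaces (scoping only; enforce the restriction with RBAC on the service account)")`. The hunk keeps both `k8s-namespace-whitelist` and `k8s-allow-namespace` with overlapping descriptions and the daemon.md table in this commit lists only the latter, so if the whitelist flag is retained for compatibility its help should say which of the two takes effect when both are set. `k8sVerbosity` also appears on the `+` side here; if that is a new flag rather than a moved line, neither the commit message nor the daemon.md table mentions it. The enclosing `main` starts before and ends after this hunk.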
@@ -278,9 +276,8 @@ make a service account that has restricted access itself.
 You may need to experiment to find the most restrictive permissions that work for your case.
 
-You will need to use the (experimental) command-line flag
-`--k8s-allow-namespace` to enumerate the namespaces that Flux
-attempts to scan for workloads.
+You will need to use the command-line flag `--k8s-allow-namespace`
+to enumerate the namespaces that Flux attempts to scan for workloads.
 
 ### Can I change the namespace Flux puts things in by default?
 
diff --git a/docs/references/daemon.md b/docs/references/daemon.md
index e4a6b2fec..754124894 100644
--- a/docs/references/daemon.md
+++ b/docs/references/daemon.md
@@ -82,7 +82,7 @@ Version controlling of cluster manifests provides reproducibility and a historic
 | --k8s-secret-volume-mount-path | `/etc/fluxd/ssh` | mount location of the k8s secret storing the private SSH key
 | --k8s-secret-data-key | `identity` | data key holding the private SSH key within the k8s secret
 | **k8s configuration**
-| --k8s-allow-namespace | | experimental: restrict all operations to the provided namespaces
+| --k8s-allow-namespace | | restrict all operations to the provided namespaces
 | **upstream service**
 | --connect | | connect to an upstream service e.g., Weave Cloud, at this base address
 | --token | | authentication token for upstream service
From 516e27a9ddd3bc43a29aa6b2e95dd72e729628f0 Mon Sep 17 00:00:00 2001
From: Hidde Beydals
Date: Thu, 26 Sep 2019 18:48:20 +0200
Subject: [PATCH 3/3] De-experimental-ise manifest generation

---
 cmd/fluxd/main.go | 2 +-
 docs/faq.md | 6 +++---
 docs/references/daemon.md | 2 +-
 docs/references/fluxyaml-config-files.md | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/cmd/fluxd/main.go b/cmd/fluxd/main.go
index 81b030e9e..8e9885f12 100644
--- a/cmd/fluxd/main.go
+++ b/cmd/fluxd/main.go
@@ -181,7 +181,7 @@ func main() {
 sshKeygenDir = fs.String("ssh-keygen-dir", "", "directory, ideally on a tmpfs volume, in which to generate new SSH keys when necessary")
 
 // manifest generation
- manifestGeneration = fs.Bool("manifest-generation", false, "experimental; search for .flux.yaml files to generate manifests")
+ manifestGeneration = fs.Bool("manifest-generation", false, "search for .flux.yaml files to generate manifests")
 
 // upstream connection settings
 upstreamURL = fs.String("connect", "", "connect to an upstream service e.g., Weave Cloud, at this base address")
diff --git a/docs/faq.md b/docs/faq.md
index 0c43d3335..656983dc2 100644
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -384,9 +384,9 @@ Disable image scanning for all images:
 
 Yes!
 
-Flux experimentally supports technology-agnostic manifest factorization through
-`.flux.yaml` configuration files placed in the Git repository. To enable this
-feature please supply `fluxd` with flag `--manifest-generation=true`.
+Flux supports technology-agnostic manifest factorization through `.flux.yaml` configuration
+files placed in the Git repository. To enable it supply the command-line flag
+`--manifest-generation=true` to `fluxd`.
 
 See [`.flux.yaml` configuration files documentation](references/fluxyaml-config-files.md) for further details.
 
diff --git a/docs/references/daemon.md b/docs/references/daemon.md
index 754124894..a71670cee 100644
--- a/docs/references/daemon.md
+++ b/docs/references/daemon.md
@@ -90,7 +90,7 @@ Version controlling of cluster manifests provides reproducibility and a historic
 | --ssh-keygen-bits | | -b argument to ssh-keygen (default unspecified)
 | --ssh-keygen-type | | -t argument to ssh-keygen (default unspecified)
 | **manifest generation**
-| --manifest-generation | false | experimental; search for .flux.yaml files to generate manifests
+| --manifest-generation | false | search for .flux.yaml files to generate manifests
 
 ## More information
diff --git a/docs/references/fluxyaml-config-files.md b/docs/references/fluxyaml-config-files.md
index 690a9c4c5..c42849aae 100644
--- a/docs/references/fluxyaml-config-files.md
+++ b/docs/references/fluxyaml-config-files.md
@@ -2,7 +2,7 @@
 
 ## Enabling search of `.flux.yaml` files
 
-This feature is still experimental. To enable it please supply `fluxd` with flag `--manifest-generation=true`.
+To enable it supply the command-line flag `--manifest-generation=true` to `fluxd`.
 
 ## Goal