feature: add flux install for ocm controller

deploy/Chart.yaml

@@ -9,9 +9,3 @@ keywords:
   - ocm
   - open-component-model
   - kubernetes
-
-dependencies:
-  - name: cert-manager
-    version: v1.14.5
-    repository: https://charts.jetstack.io
-    condition: cert-manager.enabled

deploy/flux/cert-manager/cert-manager.yaml

@@ -0,0 +1,35 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+  labels:
+    toolkit.fluxcd.io/tenant: sre-team
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  interval: 24h
+  url: https://charts.jetstack.io
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: cert-manager
+      version: "1.x"
+      sourceRef:
+        kind: HelmRepository
+        name: cert-manager
+        namespace: cert-manager
+      interval: 12h
+  values:
+    installCRDs: true

deploy/flux/cert-manager/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cert-manager.yaml

deploy/flux/config/cluster_issuer.yaml

@@ -0,0 +1,42 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: ocm-bootstrap-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ocm-bootstrap-certificate
+  namespace: cert-manager
+spec:
+  # this is discouraged but required by ios
+  commonName: cert-manager-ocm-tls
+  isCA: true
+  secretName: ocm-registry-tls-certs
+  subject:
+    organizations:
+      - ocm.software
+  dnsNames:
+    - registry.ocm-system.svc.cluster.local
+    - localhost
+  ipAddresses:
+    - 127.0.0.1
+    - ::1
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS8
+    size: 2048
+  issuerRef:
+    name: ocm-bootstrap-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: ocm-certificate-issuer
+spec:
+  ca:
+    secretName: ocm-registry-tls-certs

deploy/flux/config/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cluster_issuer.yaml
+  - ocm-system_certificate.yaml

deploy/flux/config/ocm-system_certificate.yaml

@@ -0,0 +1,21 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ocm-registry-tls-certs
+  namespace: ocm-system
+spec:
+  secretName: ocm-registry-tls-certs
+  dnsNames:
+    - registry.ocm-system.svc.cluster.local
+    - localhost
+  ipAddresses:
+    - 127.0.0.1
+    - ::1
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS8
+    size: 2048
+  issuerRef:
+    name: ocm-certificate-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io

deploy/flux/controller_kustomization.yaml

@@ -0,0 +1,52 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: ocm-controllers
+  namespace: flux-system
+spec:
+  interval: 1h
+  retryInterval: 1m
+  timeout: 5m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./deploy/flux/ocm-controller
+  prune: true
+  wait: true
+  dependsOn:
+    - name: cert-manager
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cert-manager
+  namespace: flux-system
+spec:
+  dependsOn:
+    - name: cert-manager-config
+  interval: 1h
+  retryInterval: 1m
+  timeout: 5m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./deploy/flux/cert-manager
+  prune: true
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cert-manager-config
+  namespace: flux-system
+spec:
+  dependsOn:
+    - name: infra-controllers
+  interval: 1h
+  retryInterval: 1m
+  timeout: 5m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./deploy/flux/config
+  prune: true

deploy/flux/ocm-controller/controller.yaml

@@ -0,0 +1,31 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ocm-system
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: ocm-controller
+  namespace: ocm-system
+spec:
+  interval: 5m
+  url: oci://ghcr.io/open-component-model/helm/ocm-controller
+  ref:
+    semver: "v0.24.0"
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: ocm
+  namespace: ocm-system
+spec:
+  interval: 30m
+  chartRef:
+    kind: OCIRepository
+    name: ocm-controller
+  releaseName: ocm-controller
+  values:
+    cert-manager:
+      enabled: true

deploy/flux/ocm-controller/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - controller.yaml

deploy/flux/script.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+# setup flux cluster reconilication
+
+flux create source git flux-system \
+  --url=https://github.com/open-component-model/ocm-controller \
+  --branch=${BRANCH} \
+  --username=${GITHUB_USER} \
+  --password=${GITHUB_TOKEN} \
+  --ignore-paths="clusters/**/flux-system/"
+flux create kustomization flux-system \
+  --source=flux-system \
+  --path=./deploy/flux/

deploy/values.yaml

@@ -5,10 +5,6 @@ global:
 
 cert-manager:
   enabled: false
-  namespace: cert-manager
-  installCRDs: true
-  fullnameOverride: "cert-manager" # this is needed for the certificate issuer to not throw an unknown authority error
-  nameOverride: "cert-manager" # needed because otherwise it will call it `certManager`
 
 registry:
   address: registry.ocm-system.svc.cluster.local:5000