diff --git a/CHANGELOG-helmop.md b/CHANGELOG-helmop.md index 568b53850..7f33dffe6 100644 --- a/CHANGELOG-helmop.md +++ b/CHANGELOG-helmop.md @@ -1,3 +1,10 @@ +## 0.5.4 (TBA) + +### Improvements + + - Add option to limit the Helm operator to a single namespace + [weaveworks/flux#1664](https://github.com/weaveworks/flux/pull/1664) + ## 0.5.3 (2019-01-14) ### Improvements diff --git a/chart/flux/CHANGELOG.md b/chart/flux/CHANGELOG.md index a80080e34..1c579a7f7 100644 --- a/chart/flux/CHANGELOG.md +++ b/chart/flux/CHANGELOG.md @@ -1,3 +1,10 @@ +## 0.6.1 (TBA) + +### Improvements + + - Add option to limit the Helm operator to a single namespace + [weaveworks/flux#1664](https://github.com/weaveworks/flux/pull/1664) + ## 0.6.0 (2019-01-14) **Note** To fix the connectivity problems between Flux and memcached we've changed the diff --git a/chart/flux/README.md b/chart/flux/README.md index a62306418..69d9de830 100755 --- a/chart/flux/README.md +++ b/chart/flux/README.md @@ -238,6 +238,7 @@ The following tables lists the configurable parameters of the Weave Flux chart a | `helmOperator.chartsSyncInterval` | Interval at which to check for changed charts | `3m` | `helmOperator.extraEnvs` | Extra environment variables for the Helm operator pod | `[]` | `helmOperator.logReleaseDiffs` | Helm operator should log the diff when a chart release diverges (possibly insecure) | `false` +| `helmOperator.allowNamespace` | If set, this limits the scope to a single namespace. If not specified, all namespaces will be watched | `None` | `helmOperator.tillerNamespace` | Namespace in which the Tiller server can be found | `kube-system` | `helmOperator.tls.enable` | Enable TLS for communicating with Tiller | `false` | `helmOperator.tls.verify` | Verify the Tiller certificate, also enables TLS when set to true | `false` diff --git a/chart/flux/templates/helm-operator-deployment.yaml b/chart/flux/templates/helm-operator-deployment.yaml index 97ca69de9..8c14cc4d2 100644 --- a/chart/flux/templates/helm-operator-deployment.yaml +++ b/chart/flux/templates/helm-operator-deployment.yaml @@ -87,6 +87,9 @@ spec: - --charts-sync-interval={{ .Values.helmOperator.chartsSyncInterval }} - --update-chart-deps={{ .Values.helmOperator.updateChartDeps }} - --log-release-diffs={{ .Values.helmOperator.logReleaseDiffs }} + {{- if .Values.helmOperator.namespace }} + - --allow-namespace={{ .Values.helmOperator.allowNamespace }} + {{- end }} - --tiller-namespace={{ .Values.helmOperator.tillerNamespace }} {{- if .Values.helmOperator.tls.enable }} - --tiller-tls-enable={{ .Values.helmOperator.tls.enable }} diff --git a/chart/flux/values.yaml b/chart/flux/values.yaml index 7576256f3..4722c94ca 100644 --- a/chart/flux/values.yaml +++ b/chart/flux/values.yaml @@ -21,6 +21,8 @@ helmOperator: repository: quay.io/weaveworks/helm-operator tag: 0.5.3 pullPolicy: IfNotPresent + # Limit the operator scope to a single namespace + allowNamespace: # Update dependencies for charts updateChartDeps: true # Log the diff when a chart release diverges diff --git a/cmd/helm-operator/main.go b/cmd/helm-operator/main.go index 64bf052ba..79e863f17 100644 --- a/cmd/helm-operator/main.go +++ b/cmd/helm-operator/main.go @@ -33,6 +33,7 @@ var ( kubeconfig *string master *string + namespace *string tillerIP *string tillerPort *string @@ -76,6 +77,7 @@ func init() { kubeconfig = fs.String("kubeconfig", "", "path to a kubeconfig; required if out-of-cluster") master = fs.String("master", "", "address of the Kubernetes API server; overrides any value in kubeconfig; required if out-of-cluster") + namespace = fs.String("allow-namespace", "", "if set, this limits the scope to a single namespace; if not specified, all namespaces will be watched") listenAddr = fs.StringP("listen", "l", ":3030", "Listen address where /metrics and API will be served") @@ -92,7 +94,7 @@ func init() { chartsSyncInterval = fs.Duration("charts-sync-interval", 3*time.Minute, "period on which to reconcile the Helm releases with HelmRelease resources") logReleaseDiffs = fs.Bool("log-release-diffs", false, "log the diff when a chart release diverges; potentially insecure") - updateDependencies = fs.Bool("update-chart-deps", true, "Update chart dependencies before installing/upgrading a release") + updateDependencies = fs.Bool("update-chart-deps", true, "update chart dependencies before installing/upgrading a release") _ = fs.Duration("git-poll-interval", 0, "") gitTimeout = fs.Duration("git-timeout", 20*time.Second, "duration after which git operations time out") @@ -171,7 +173,7 @@ func main() { // The status updater, to keep track the release status for each // HelmRelease. It runs as a separate loop for now. - statusUpdater := status.New(ifClient, kubeClient, helmClient) + statusUpdater := status.New(ifClient, kubeClient, helmClient, *namespace) go statusUpdater.Loop(shutdown, log.With(logger, "component", "annotator")) // release instance is needed during the sync of Charts changes and during the sync of HelmRelease changes @@ -179,10 +181,11 @@ func main() { chartSync := chartsync.New(log.With(logger, "component", "chartsync"), chartsync.Polling{Interval: *chartsSyncInterval}, chartsync.Clients{KubeClient: *kubeClient, IfClient: *ifClient}, - rel, chartsync.Config{LogDiffs: *logReleaseDiffs, UpdateDeps: *updateDependencies, GitTimeout: *gitTimeout}) + rel, chartsync.Config{LogDiffs: *logReleaseDiffs, UpdateDeps: *updateDependencies, GitTimeout: *gitTimeout}, *namespace) chartSync.Run(shutdown, errc, shutdownWg) - ifInformerFactory := ifinformers.NewSharedInformerFactory(ifClient, 30*time.Second) + nsOpt := ifinformers.WithNamespace(*namespace) + ifInformerFactory := ifinformers.NewSharedInformerFactoryWithOptions(ifClient, 30*time.Second, nsOpt) fhrInformer := ifInformerFactory.Flux().V1beta1().HelmReleases() // start FluxRelease informer diff --git a/integrations/helm/chartsync/chartsync.go b/integrations/helm/chartsync/chartsync.go index ec8063747..590e6a0bc 100644 --- a/integrations/helm/chartsync/chartsync.go +++ b/integrations/helm/chartsync/chartsync.go @@ -106,8 +106,8 @@ type clone struct { } type ChartChangeSync struct { - logger log.Logger Polling + logger log.Logger kubeClient kubernetes.Clientset ifClient ifclientset.Clientset release *release.Release @@ -117,9 +117,11 @@ type ChartChangeSync struct { clonesMu sync.Mutex clones map[string]clone + + namespace string } -func New(logger log.Logger, polling Polling, clients Clients, release *release.Release, config Config) *ChartChangeSync { +func New(logger log.Logger, polling Polling, clients Clients, release *release.Release, config Config, namespace string) *ChartChangeSync { return &ChartChangeSync{ logger: logger, Polling: polling, @@ -129,6 +131,7 @@ func New(logger log.Logger, polling Polling, clients Clients, release *release.R config: config.WithDefaults(), mirrors: git.NewMirrors(), clones: make(map[string]clone), + namespace: namespace, } } @@ -399,28 +402,20 @@ func (chs *ChartChangeSync) DeleteRelease(fhr fluxv1beta1.HelmRelease) { } } -// --- - -// getNamespaces gets current kubernetes cluster namespaces -func (chs *ChartChangeSync) getNamespaces() ([]string, error) { - var ns []string - nso, err := chs.kubeClient.CoreV1().Namespaces().List(metav1.ListOptions{}) - if err != nil { - return nil, fmt.Errorf("Failure while retrieving kubernetes namespaces: %s", err) - } - - for _, n := range nso.Items { - ns = append(ns, n.GetName()) - } - - return ns, nil -} - // getCustomResources assembles all custom resources in all namespaces +// or in the allowed namespace if specified func (chs *ChartChangeSync) getCustomResources() ([]fluxv1beta1.HelmRelease, error) { - namespaces, err := chs.getNamespaces() - if err != nil { - return nil, err + var namespaces []string + if chs.namespace != "" { + namespaces = append(namespaces, chs.namespace) + } else { + nso, err := chs.kubeClient.CoreV1().Namespaces().List(metav1.ListOptions{}) + if err != nil { + return nil, fmt.Errorf("Failure while retrieving kubernetes namespaces: %s", err) + } + for _, n := range nso.Items { + namespaces = append(namespaces, n.GetName()) + } } var fhrs []fluxv1beta1.HelmRelease diff --git a/integrations/helm/status/status.go b/integrations/helm/status/status.go index f609385da..40abbc26a 100644 --- a/integrations/helm/status/status.go +++ b/integrations/helm/status/status.go @@ -35,13 +35,15 @@ type Updater struct { fluxhelm fluxclientset.Interface kube kube.Interface helmClient *helm.Client + namespace string } -func New(fhrClient fluxclientset.Interface, kubeClient kube.Interface, helmClient *helm.Client) *Updater { +func New(fhrClient fluxclientset.Interface, kubeClient kube.Interface, helmClient *helm.Client, namespace string) *Updater { return &Updater{ fluxhelm: fhrClient, kube: kubeClient, helmClient: helmClient, + namespace: namespace, } } @@ -56,14 +58,23 @@ bail: break bail case <-ticker.C: } - // Look up HelmReleases - namespaces, err := a.kube.CoreV1().Namespaces().List(metav1.ListOptions{}) - if err != nil { - logErr = err - break bail + var namespaces []string + if a.namespace != "" { + namespaces = append(namespaces, a.namespace) + } else { + all, err := a.kube.CoreV1().Namespaces().List(metav1.ListOptions{}) + if err != nil { + logErr = err + break bail + } + for _, ns := range all.Items { + namespaces = append(namespaces, ns.Name) + } } - for _, ns := range namespaces.Items { - fhrClient := a.fluxhelm.FluxV1beta1().HelmReleases(ns.Name) + + // Look up HelmReleases + for _, ns := range namespaces { + fhrClient := a.fluxhelm.FluxV1beta1().HelmReleases(ns) fhrs, err := fhrClient.List(metav1.ListOptions{}) if err != nil { logErr = err @@ -80,7 +91,7 @@ bail: if status.GetCode().String() != fhr.Status.ReleaseStatus { err := UpdateReleaseStatus(fhrClient, fhr, releaseName, status.GetCode().String()) if err != nil { - logger.Log("namespace", ns.Name, "resource", fhr.Name, "err", err) + logger.Log("namespace", ns, "resource", fhr.Name, "err", err) continue } } diff --git a/site/helm-operator.md b/site/helm-operator.md index d5ff2b587..cd0cfd4a1 100644 --- a/site/helm-operator.md +++ b/site/helm-operator.md @@ -12,6 +12,7 @@ helm-operator requires setup and offers customization though a multitude of flag |------------------------------|-------------------------------|---------| |--kubeconfig | | Path to a kubeconfig. Only required if out-of-cluster. | |--master | | The address of the Kubernetes API server. Overrides any value in kubeconfig. Only required if out-of-cluster. | +|--allow-namespace | | If set, this limits the scope to a single namespace. if not specified, all namespaces will be watched. | | | | **Tiller options** | |--tiller-ip | | Tiller IP address. Only required if out-of-cluster. | |--tiller-port | | Tiller port. |