From 70ddb80e4755658b98de64c6e0399a4e82f03446 Mon Sep 17 00:00:00 2001 From: stefanprodan Date: Tue, 15 Jan 2019 11:32:30 +0200 Subject: [PATCH 1/7] Add option to limit helm-op to a single namespace - add namespace restriction to Kubernetes informer and chart sync component --- cmd/helm-operator/main.go | 9 ++++++--- integrations/helm/chartsync/chartsync.go | 12 ++++++++++-- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/cmd/helm-operator/main.go b/cmd/helm-operator/main.go index 64bf052ba..b72f604ea 100644 --- a/cmd/helm-operator/main.go +++ b/cmd/helm-operator/main.go @@ -33,6 +33,7 @@ var ( kubeconfig *string master *string + namespace *string tillerIP *string tillerPort *string @@ -76,6 +77,7 @@ func init() { kubeconfig = fs.String("kubeconfig", "", "path to a kubeconfig; required if out-of-cluster") master = fs.String("master", "", "address of the Kubernetes API server; overrides any value in kubeconfig; required if out-of-cluster") + namespace = fs.String("namespace", "", "if set, this limits the scope to a single namespace; if not specified, all namespaces will be watched") listenAddr = fs.StringP("listen", "l", ":3030", "Listen address where /metrics and API will be served") @@ -92,7 +94,7 @@ func init() { chartsSyncInterval = fs.Duration("charts-sync-interval", 3*time.Minute, "period on which to reconcile the Helm releases with HelmRelease resources") logReleaseDiffs = fs.Bool("log-release-diffs", false, "log the diff when a chart release diverges; potentially insecure") - updateDependencies = fs.Bool("update-chart-deps", true, "Update chart dependencies before installing/upgrading a release") + updateDependencies = fs.Bool("update-chart-deps", true, "update chart dependencies before installing/upgrading a release") _ = fs.Duration("git-poll-interval", 0, "") gitTimeout = fs.Duration("git-timeout", 20*time.Second, "duration after which git operations time out") @@ -179,10 +181,11 @@ func main() { chartSync := chartsync.New(log.With(logger, "component", "chartsync"), chartsync.Polling{Interval: *chartsSyncInterval}, chartsync.Clients{KubeClient: *kubeClient, IfClient: *ifClient}, - rel, chartsync.Config{LogDiffs: *logReleaseDiffs, UpdateDeps: *updateDependencies, GitTimeout: *gitTimeout}) + rel, chartsync.Config{LogDiffs: *logReleaseDiffs, UpdateDeps: *updateDependencies, GitTimeout: *gitTimeout}, *namespace) chartSync.Run(shutdown, errc, shutdownWg) - ifInformerFactory := ifinformers.NewSharedInformerFactory(ifClient, 30*time.Second) + nsOpt := ifinformers.WithNamespace(*namespace) + ifInformerFactory := ifinformers.NewSharedInformerFactoryWithOptions(ifClient, 30*time.Second, nsOpt) fhrInformer := ifInformerFactory.Flux().V1beta1().HelmReleases() // start FluxRelease informer diff --git a/integrations/helm/chartsync/chartsync.go b/integrations/helm/chartsync/chartsync.go index ec8063747..e34074a22 100644 --- a/integrations/helm/chartsync/chartsync.go +++ b/integrations/helm/chartsync/chartsync.go @@ -106,8 +106,8 @@ type clone struct { } type ChartChangeSync struct { - logger log.Logger Polling + logger log.Logger kubeClient kubernetes.Clientset ifClient ifclientset.Clientset release *release.Release @@ -117,9 +117,11 @@ type ChartChangeSync struct { clonesMu sync.Mutex clones map[string]clone + + namespace string } -func New(logger log.Logger, polling Polling, clients Clients, release *release.Release, config Config) *ChartChangeSync { +func New(logger log.Logger, polling Polling, clients Clients, release *release.Release, config Config, namespace string) *ChartChangeSync { return &ChartChangeSync{ logger: logger, Polling: polling, @@ -129,6 +131,7 @@ func New(logger log.Logger, polling Polling, clients Clients, release *release.R config: config.WithDefaults(), mirrors: git.NewMirrors(), clones: make(map[string]clone), + namespace: namespace, } } @@ -403,6 +406,11 @@ func (chs *ChartChangeSync) DeleteRelease(fhr fluxv1beta1.HelmRelease) { // getNamespaces gets current kubernetes cluster namespaces func (chs *ChartChangeSync) getNamespaces() ([]string, error) { + if chs.namespace != "" { + return []string{chs.namespace}, nil + } + + // if no namespace scope is set then get all namespaces in the cluster var ns []string nso, err := chs.kubeClient.CoreV1().Namespaces().List(metav1.ListOptions{}) if err != nil { From 641891e7000d981671c6904f23eee89e8834cc9e Mon Sep 17 00:00:00 2001 From: stefanprodan Date: Tue, 15 Jan 2019 11:45:57 +0200 Subject: [PATCH 2/7] Add helm-op namespace flag to docs --- site/helm-operator.md | 1 + 1 file changed, 1 insertion(+) diff --git a/site/helm-operator.md b/site/helm-operator.md index d5ff2b587..f0ad701c3 100644 --- a/site/helm-operator.md +++ b/site/helm-operator.md @@ -12,6 +12,7 @@ helm-operator requires setup and offers customization though a multitude of flag |------------------------------|-------------------------------|---------| |--kubeconfig | | Path to a kubeconfig. Only required if out-of-cluster. | |--master | | The address of the Kubernetes API server. Overrides any value in kubeconfig. Only required if out-of-cluster. | +|--namespace | | If set, this limits the scope to a single namespace. if not specified, all namespaces will be watched. | | | | **Tiller options** | |--tiller-ip | | Tiller IP address. Only required if out-of-cluster. | |--tiller-port | | Tiller port. | From b7e545a8fa1c1ff25dc4cecbe41bccc8ff9c160b Mon Sep 17 00:00:00 2001 From: stefanprodan Date: Tue, 15 Jan 2019 11:50:11 +0200 Subject: [PATCH 3/7] Add helm-op namespace flag to Helm chart --- chart/flux/README.md | 1 + chart/flux/templates/helm-operator-deployment.yaml | 3 +++ chart/flux/values.yaml | 2 ++ 3 files changed, 6 insertions(+) diff --git a/chart/flux/README.md b/chart/flux/README.md index a62306418..98713b82e 100755 --- a/chart/flux/README.md +++ b/chart/flux/README.md @@ -238,6 +238,7 @@ The following tables lists the configurable parameters of the Weave Flux chart a | `helmOperator.chartsSyncInterval` | Interval at which to check for changed charts | `3m` | `helmOperator.extraEnvs` | Extra environment variables for the Helm operator pod | `[]` | `helmOperator.logReleaseDiffs` | Helm operator should log the diff when a chart release diverges (possibly insecure) | `false` +| `helmOperator.namespace` | If set, this limits the scope to a single namespace. If not specified, all namespaces will be watched | `None` | `helmOperator.tillerNamespace` | Namespace in which the Tiller server can be found | `kube-system` | `helmOperator.tls.enable` | Enable TLS for communicating with Tiller | `false` | `helmOperator.tls.verify` | Verify the Tiller certificate, also enables TLS when set to true | `false` diff --git a/chart/flux/templates/helm-operator-deployment.yaml b/chart/flux/templates/helm-operator-deployment.yaml index 97ca69de9..0fb605828 100644 --- a/chart/flux/templates/helm-operator-deployment.yaml +++ b/chart/flux/templates/helm-operator-deployment.yaml @@ -87,6 +87,9 @@ spec: - --charts-sync-interval={{ .Values.helmOperator.chartsSyncInterval }} - --update-chart-deps={{ .Values.helmOperator.updateChartDeps }} - --log-release-diffs={{ .Values.helmOperator.logReleaseDiffs }} + {{- if .Values.helmOperator.namespace }} + - --namespace={{ .Values.helmOperator.namespace }} + {{- end }} - --tiller-namespace={{ .Values.helmOperator.tillerNamespace }} {{- if .Values.helmOperator.tls.enable }} - --tiller-tls-enable={{ .Values.helmOperator.tls.enable }} diff --git a/chart/flux/values.yaml b/chart/flux/values.yaml index 7576256f3..2cbfb1152 100644 --- a/chart/flux/values.yaml +++ b/chart/flux/values.yaml @@ -21,6 +21,8 @@ helmOperator: repository: quay.io/weaveworks/helm-operator tag: 0.5.3 pullPolicy: IfNotPresent + # Limit the operator scope to a single namespace + namespace: # Update dependencies for charts updateChartDeps: true # Log the diff when a chart release diverges From 819dc45702603de7e8a0c410a96f2cea11e163d4 Mon Sep 17 00:00:00 2001 From: stefanprodan Date: Tue, 15 Jan 2019 11:53:07 +0200 Subject: [PATCH 4/7] Add helm-op namespace PR to change logs --- CHANGELOG-helmop.md | 7 +++++++ chart/flux/CHANGELOG.md | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/CHANGELOG-helmop.md b/CHANGELOG-helmop.md index 568b53850..7f33dffe6 100644 --- a/CHANGELOG-helmop.md +++ b/CHANGELOG-helmop.md @@ -1,3 +1,10 @@ +## 0.5.4 (TBA) + +### Improvements + + - Add option to limit the Helm operator to a single namespace + [weaveworks/flux#1664](https://github.com/weaveworks/flux/pull/1664) + ## 0.5.3 (2019-01-14) ### Improvements diff --git a/chart/flux/CHANGELOG.md b/chart/flux/CHANGELOG.md index a80080e34..1c579a7f7 100644 --- a/chart/flux/CHANGELOG.md +++ b/chart/flux/CHANGELOG.md @@ -1,3 +1,10 @@ +## 0.6.1 (TBA) + +### Improvements + + - Add option to limit the Helm operator to a single namespace + [weaveworks/flux#1664](https://github.com/weaveworks/flux/pull/1664) + ## 0.6.0 (2019-01-14) **Note** To fix the connectivity problems between Flux and memcached we've changed the From 2630f738e655ca2003a92c30d21945066604c03e Mon Sep 17 00:00:00 2001 From: stefanprodan Date: Tue, 15 Jan 2019 19:32:29 +0200 Subject: [PATCH 5/7] Add namespace restriction to status updater --- cmd/helm-operator/main.go | 2 +- integrations/helm/status/status.go | 29 ++++++++++++++++++++--------- 2 files changed, 21 insertions(+), 10 deletions(-) diff --git a/cmd/helm-operator/main.go b/cmd/helm-operator/main.go index b72f604ea..8b7bf7625 100644 --- a/cmd/helm-operator/main.go +++ b/cmd/helm-operator/main.go @@ -173,7 +173,7 @@ func main() { // The status updater, to keep track the release status for each // HelmRelease. It runs as a separate loop for now. - statusUpdater := status.New(ifClient, kubeClient, helmClient) + statusUpdater := status.New(ifClient, kubeClient, helmClient, *namespace) go statusUpdater.Loop(shutdown, log.With(logger, "component", "annotator")) // release instance is needed during the sync of Charts changes and during the sync of HelmRelease changes diff --git a/integrations/helm/status/status.go b/integrations/helm/status/status.go index f609385da..1a8fcce96 100644 --- a/integrations/helm/status/status.go +++ b/integrations/helm/status/status.go @@ -35,13 +35,15 @@ type Updater struct { fluxhelm fluxclientset.Interface kube kube.Interface helmClient *helm.Client + namespace string } -func New(fhrClient fluxclientset.Interface, kubeClient kube.Interface, helmClient *helm.Client) *Updater { +func New(fhrClient fluxclientset.Interface, kubeClient kube.Interface, helmClient *helm.Client, namespace string) *Updater { return &Updater{ fluxhelm: fhrClient, kube: kubeClient, helmClient: helmClient, + namespace: namespace, } } @@ -56,14 +58,23 @@ bail: break bail case <-ticker.C: } - // Look up HelmReleases - namespaces, err := a.kube.CoreV1().Namespaces().List(metav1.ListOptions{}) - if err != nil { - logErr = err - break bail + namespaces := []string{} + if a.namespace != "" { + namespaces = append(namespaces, a.namespace) + } else { + all, err := a.kube.CoreV1().Namespaces().List(metav1.ListOptions{}) + if err != nil { + logErr = err + break bail + } + for _, ns := range all.Items { + namespaces = append(namespaces, ns.Name) + } } - for _, ns := range namespaces.Items { - fhrClient := a.fluxhelm.FluxV1beta1().HelmReleases(ns.Name) + + // Look up HelmReleases + for _, ns := range namespaces { + fhrClient := a.fluxhelm.FluxV1beta1().HelmReleases(ns) fhrs, err := fhrClient.List(metav1.ListOptions{}) if err != nil { logErr = err @@ -80,7 +91,7 @@ bail: if status.GetCode().String() != fhr.Status.ReleaseStatus { err := UpdateReleaseStatus(fhrClient, fhr, releaseName, status.GetCode().String()) if err != nil { - logger.Log("namespace", ns.Name, "resource", fhr.Name, "err", err) + logger.Log("namespace", ns, "resource", fhr.Name, "err", err) continue } } From 3249d998047385e4f8754ae148e237b80520666d Mon Sep 17 00:00:00 2001 From: stefanprodan Date: Fri, 18 Jan 2019 14:29:38 +0200 Subject: [PATCH 6/7] Rename namespace restriction flag to allow-namespace --- chart/flux/README.md | 2 +- chart/flux/templates/helm-operator-deployment.yaml | 2 +- chart/flux/values.yaml | 2 +- cmd/helm-operator/main.go | 2 +- integrations/helm/status/status.go | 2 +- site/helm-operator.md | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/chart/flux/README.md b/chart/flux/README.md index 98713b82e..69d9de830 100755 --- a/chart/flux/README.md +++ b/chart/flux/README.md @@ -238,7 +238,7 @@ The following tables lists the configurable parameters of the Weave Flux chart a | `helmOperator.chartsSyncInterval` | Interval at which to check for changed charts | `3m` | `helmOperator.extraEnvs` | Extra environment variables for the Helm operator pod | `[]` | `helmOperator.logReleaseDiffs` | Helm operator should log the diff when a chart release diverges (possibly insecure) | `false` -| `helmOperator.namespace` | If set, this limits the scope to a single namespace. If not specified, all namespaces will be watched | `None` +| `helmOperator.allowNamespace` | If set, this limits the scope to a single namespace. If not specified, all namespaces will be watched | `None` | `helmOperator.tillerNamespace` | Namespace in which the Tiller server can be found | `kube-system` | `helmOperator.tls.enable` | Enable TLS for communicating with Tiller | `false` | `helmOperator.tls.verify` | Verify the Tiller certificate, also enables TLS when set to true | `false` diff --git a/chart/flux/templates/helm-operator-deployment.yaml b/chart/flux/templates/helm-operator-deployment.yaml index 0fb605828..8c14cc4d2 100644 --- a/chart/flux/templates/helm-operator-deployment.yaml +++ b/chart/flux/templates/helm-operator-deployment.yaml @@ -88,7 +88,7 @@ spec: - --update-chart-deps={{ .Values.helmOperator.updateChartDeps }} - --log-release-diffs={{ .Values.helmOperator.logReleaseDiffs }} {{- if .Values.helmOperator.namespace }} - - --namespace={{ .Values.helmOperator.namespace }} + - --allow-namespace={{ .Values.helmOperator.allowNamespace }} {{- end }} - --tiller-namespace={{ .Values.helmOperator.tillerNamespace }} {{- if .Values.helmOperator.tls.enable }} diff --git a/chart/flux/values.yaml b/chart/flux/values.yaml index 2cbfb1152..4722c94ca 100644 --- a/chart/flux/values.yaml +++ b/chart/flux/values.yaml @@ -22,7 +22,7 @@ helmOperator: tag: 0.5.3 pullPolicy: IfNotPresent # Limit the operator scope to a single namespace - namespace: + allowNamespace: # Update dependencies for charts updateChartDeps: true # Log the diff when a chart release diverges diff --git a/cmd/helm-operator/main.go b/cmd/helm-operator/main.go index 8b7bf7625..79e863f17 100644 --- a/cmd/helm-operator/main.go +++ b/cmd/helm-operator/main.go @@ -77,7 +77,7 @@ func init() { kubeconfig = fs.String("kubeconfig", "", "path to a kubeconfig; required if out-of-cluster") master = fs.String("master", "", "address of the Kubernetes API server; overrides any value in kubeconfig; required if out-of-cluster") - namespace = fs.String("namespace", "", "if set, this limits the scope to a single namespace; if not specified, all namespaces will be watched") + namespace = fs.String("allow-namespace", "", "if set, this limits the scope to a single namespace; if not specified, all namespaces will be watched") listenAddr = fs.StringP("listen", "l", ":3030", "Listen address where /metrics and API will be served") diff --git a/integrations/helm/status/status.go b/integrations/helm/status/status.go index 1a8fcce96..40abbc26a 100644 --- a/integrations/helm/status/status.go +++ b/integrations/helm/status/status.go @@ -58,7 +58,7 @@ bail: break bail case <-ticker.C: } - namespaces := []string{} + var namespaces []string if a.namespace != "" { namespaces = append(namespaces, a.namespace) } else { diff --git a/site/helm-operator.md b/site/helm-operator.md index f0ad701c3..cd0cfd4a1 100644 --- a/site/helm-operator.md +++ b/site/helm-operator.md @@ -12,7 +12,7 @@ helm-operator requires setup and offers customization though a multitude of flag |------------------------------|-------------------------------|---------| |--kubeconfig | | Path to a kubeconfig. Only required if out-of-cluster. | |--master | | The address of the Kubernetes API server. Overrides any value in kubeconfig. Only required if out-of-cluster. | -|--namespace | | If set, this limits the scope to a single namespace. if not specified, all namespaces will be watched. | +|--allow-namespace | | If set, this limits the scope to a single namespace. if not specified, all namespaces will be watched. | | | | **Tiller options** | |--tiller-ip | | Tiller IP address. Only required if out-of-cluster. | |--tiller-port | | Tiller port. | From 2dc8392a6fc471accbecac3b21744ea967a1e0b5 Mon Sep 17 00:00:00 2001 From: stefanprodan Date: Wed, 23 Jan 2019 10:50:18 +0200 Subject: [PATCH 7/7] Move namespace query to getCustomResources - delete getNamespaces func from chart sync --- integrations/helm/chartsync/chartsync.go | 37 ++++++++---------------- 1 file changed, 12 insertions(+), 25 deletions(-) diff --git a/integrations/helm/chartsync/chartsync.go b/integrations/helm/chartsync/chartsync.go index e34074a22..590e6a0bc 100644 --- a/integrations/helm/chartsync/chartsync.go +++ b/integrations/helm/chartsync/chartsync.go @@ -402,33 +402,20 @@ func (chs *ChartChangeSync) DeleteRelease(fhr fluxv1beta1.HelmRelease) { } } -// --- - -// getNamespaces gets current kubernetes cluster namespaces -func (chs *ChartChangeSync) getNamespaces() ([]string, error) { - if chs.namespace != "" { - return []string{chs.namespace}, nil - } - - // if no namespace scope is set then get all namespaces in the cluster - var ns []string - nso, err := chs.kubeClient.CoreV1().Namespaces().List(metav1.ListOptions{}) - if err != nil { - return nil, fmt.Errorf("Failure while retrieving kubernetes namespaces: %s", err) - } - - for _, n := range nso.Items { - ns = append(ns, n.GetName()) - } - - return ns, nil -} - // getCustomResources assembles all custom resources in all namespaces +// or in the allowed namespace if specified func (chs *ChartChangeSync) getCustomResources() ([]fluxv1beta1.HelmRelease, error) { - namespaces, err := chs.getNamespaces() - if err != nil { - return nil, err + var namespaces []string + if chs.namespace != "" { + namespaces = append(namespaces, chs.namespace) + } else { + nso, err := chs.kubeClient.CoreV1().Namespaces().List(metav1.ListOptions{}) + if err != nil { + return nil, fmt.Errorf("Failure while retrieving kubernetes namespaces: %s", err) + } + for _, n := range nso.Items { + namespaces = append(namespaces, n.GetName()) + } } var fhrs []fluxv1beta1.HelmRelease