diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml new file mode 100644 index 0000000..0a25dd0 --- /dev/null +++ b/.github/workflows/docs.yaml @@ -0,0 +1,26 @@ +name: docs + +on: + workflow_dispatch: + push: + branches: [ 'docs*' ] + tags: [ 'v*' ] + +permissions: + contents: read + +jobs: + publish: + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - name: Checkout + uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 + - name: Run mkdocs + uses: mhausenblas/mkdocs-deploy-gh-pages@e55ecab6718b449a90ebd4313f1320f9327f1386 # master + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + #CUSTOM_DOMAIN: timoni.sh + CONFIG_FILE: mkdocs.yml + REQUIREMENTS: docs/.mkdocs/requirements.txt diff --git a/docs/.mkdocs/requirements.txt b/docs/.mkdocs/requirements.txt new file mode 100644 index 0000000..0508010 --- /dev/null +++ b/docs/.mkdocs/requirements.txt @@ -0,0 +1,16 @@ +# Requirements for mkdocs +jinja2~=3.0 +markdown~=3.2 +mkdocs~=1.5,>=1.5.3 +mkdocs-material~=9.4 +mkdocs-material-extensions~=1.3 +pygments~=2.16 +pymdown-extensions~=10.2 + +# Requirements for mkdocs plugins +babel~=2.10 +colorama~=0.4 +mkdocs-redirects~=1.2 +paginate~=0.5 +regex>=2022.4 +requests~=2.26 diff --git a/docs/distribution/install.md b/docs/distribution/install.md new file mode 100644 index 0000000..2f005d5 --- /dev/null +++ b/docs/distribution/install.md 
@@ -0,0 +1,49 @@ +# Flux Distribution Installation + +ControlPlane offers a seamless transition from CNCF Flux to the enterprise distribution with no +impact to Flux availability. The hardened container images provided by ControlPlane are fully +compatible with the upstream Flux installation and bootstrap procedure. + +## Bootstrap + +Customers can bootstrap Flux with the enterprise distribution using the Flux CLI or the Flux Terraform provider. +To access the ControlPlane registry, customers need to provide their credentials using the +`--registry-creds` flag. + +Example of bootstrapping Flux with the FIPS-compliant distribution: + +```bash +flux bootstrap github \ + --owner=customer-org \ + --repository=customer-repo \ + --branch=main \ + --path=clusters/production \ + --image-pull-secret=flux-enterprise-auth \ + --registry-creds=flux:$ENTERPRISE_TOKEN \ + --registry=ghcr.io/controlplaneio-fluxcd/distroless +``` + +Running the bootstrap command for a cluster with an existing Flux installation will trigger +an in-place upgrade of the Flux controllers to the ControlPlane distribution. + +## Automated Updates to Bootstrap Repositories + +For keeping the Flux controllers images digests +and manifests up-to-date with the latest version of the Enterprise Distribution, ControlPlane +provides Kustomize images patches for the Flux manifests, which can be found in the +[distribution repository](https://github.com/controlplaneio-fluxcd/distribution/tree/main/images). + +Customers using GitHub can leverage the ControlPlane GitHub Actions to automate the +update of the Flux manifests in their bootstrap repositories. For more information, see the +[Update Flux GitHub Action](actions/update/README.md) documentation. + +For customers using other Git providers, ControlPlane provides support for configuring +automated updates for the Flux enterprise distribution. 
+ +## Flux Operator + +The ControlPlane distribution includes the [Flux Operator](https://github.com/controlplaneio-fluxcd/flux-operator), +which provides a declarative API for the installation and upgrade of the Flux controllers. The operator +automates the patching of hotfixes and CVEs affecting the Flux container images. + +For more information, see the Flux Operator [documentation](../operator/introduction.md). diff --git a/docs/distribution/introduction.md b/docs/distribution/introduction.md new file mode 100644 index 0000000..bd233a2 --- /dev/null +++ b/docs/distribution/introduction.md 
@@ -0,0 +1,45 @@ +# Flux Distribution Introduction + +The [ControlPlane](https://control-plane.io) distribution for [Flux CD](https://fluxcd.io) +comes with enterprise-hardened Flux controllers including: + +- Hardened container images and SBOMs in-sync with upstream Flux releases. +- Continuous scanning and CVE patching for Flux container base images. +- SLAs for remediation of critical vulnerabilities affecting Flux functionality. +- FIPS-compliant Flux builds based on FIPS 140-2 validated BoringSSL. +- Extended compatibility of Flux controllers for the latest six minor releases of Kubernetes. +- Assured compatibility with OpenShift and Kubernetes LTS versions provided by cloud vendors. + +The ControlPlane distribution is offered on a +[yearly subscription basis](https://control-plane.io/enterprise-for-flux-cd/) and includes +enterprise-grade support services for running Flux in production. + +## Distribution Channels + +ControlPlane offers two distribution channels for the Flux controllers: + +- [FIPS-compliant](#fips-compliant) images hosted at `ghcr.io/controlplaneio-fluxcd/distroless`. +- [Mainline](#mainline) images hosted at `ghcr.io/controlplaneio-fluxcd/alpine`. + +The ControlPlane container images are continuously scanned for vulnerabilities and patched accordingly. + +### FIPS-compliant + +The ControlPlane distribution offers hardened +[Google Distrosless](https://github.com/GoogleContainerTools/distroless)-based Flux images +to organizations that must comply with NIST FIPS-140-2 standards. + +The Flux controller binaries are statically linked against the +[Google BoringSSL](https://boringssl.googlesource.com/boringssl/) libraries, +and the Go runtime restricts all TLS configuration to FIPS-approved settings +by importing the `crypto/tls/fipsonly` package. + +### Mainline + +The mainline distribution channel offers +[Alpine Linux](https://www.alpinelinux.org/)-based +images fully compatible with the upstream Flux feature set. 
+ +The major difference between the Flux upstream images and mainline images is the +continuous scanning and CVE patching for the container base images, OS packages, +and Go dependencies. diff --git a/docs/distribution/security.md b/docs/distribution/security.md new file mode 100644 index 0000000..fb26846 --- /dev/null +++ b/docs/distribution/security.md 
@@ -0,0 +1,91 @@ +# Supply Chain Security + +The build, release and provenance portions of the ControlPlane distribution supply chain meet +[SLSA Build Level 3](https://slsa.dev/spec/v1.0/levels). + +## Software Bill of Materials + +The ControlPlane images come with SBOMs in SPDX format for each CPU architecture. + +Example of extracting the SBOM from the source-controller image: + +```shell +docker buildx imagetools inspect \ + /source-controller:v1.3.0 \ + --format "{{ json (index .SBOM \"linux/amd64\").SPDX}}" +``` + +## Signature Verification + +The ControlPlane images are signed using Sigstore Cosign and GitHub OIDC. + +Example of verifying the signature of the source-controller image: + +```shell +cosign verify /source-controller:v1.3.0 \ + --certificate-identity-regexp=^https://github\\.com/controlplaneio-fluxcd/.*$ \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com +``` + +## SLSA Provenance Verification + +The provenance attestations are generated at build time with Docker Buildkit and +include facts about the build process such as: + +- Build timestamps +- Build parameters and environment +- Version control metadata +- Source code details +- Materials (files, scripts) consumed during the build + +Example of extracting the SLSA provenance JSON for the source-controller image: + +```shell +docker buildx imagetools inspect \ + /source-controller:v1.3.0 \ + --format "{{ json (index .Provenance \"linux/amd64\").SLSA}}" +``` + +The provenance of the build artifacts is generated with the official +[SLSA GitHub Generator](https://github.com/slsa-framework/slsa-github-generator). 
+ +Example of verifying the provenance of the source-controller image: + +```shell +cosign verify-attestation --type slsaprovenance \ + --certificate-identity-regexp=^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml.*$ \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + /source-controller:v1.3.0 +``` + +## Vulnerability Exploitability eXchange + +The Flux controllers (source code, binaries and container images) are continuously +scanned for CVEs. Once a CVE is detected, the ControlPlane team assesses +the exploitability of the vulnerability. If the vulnerability is proven to be exploitable, +the ControlPlane team provides a patch within the agreed SLA and issues +a security bulletin to customers containing the CVE details and the container images +digests that include the fix. + +There are cases where the vulnerability is not exploitable in the context of the Flux +controllers, and in such cases, the ControlPlane team issues a CVE exception in the +[OpenVEX](https://github.com/openvex/spec/blob/v0.2.0/OPENVEX-SPEC.md) format. + +For each Flux minor release, the ControlPlane team maintains a VEX document with the +list of vulnerabilities that do not affect the Flux controllers. The VEX documents +are available in the enterprise distribution repository under the `vex` directory. 
+ +Example of scanning the source-controller image with [Trivy](https://github.com/aquasecurity/trivy) +using the VEX document: + +```console +$ trivy image /source-controller:v1.2.2 --vex ./vex/v2.2.json --show-suppressed + +Suppressed Vulnerabilities (Total: 1) + +┌─────────────────┬────────────────┬──────────┬──────────────┬─────────────────────────────┬─────────┐ +│ Library │ Vulnerability │ Severity │ Status │ Statement │ Source │ +├─────────────────┼────────────────┼──────────┼──────────────┼─────────────────────────────┼─────────┤ +│ helm.sh/helm/v3 │ CVE-2019-25210 │ MEDIUM │ not_affected │ vulnerable_code_not_present │ OpenVEX │ +└─────────────────┴────────────────┴──────────┴──────────────┴─────────────────────────────┴─────────┘ +``` diff --git a/docs/images/flux-ee-white.png b/docs/images/flux-ee-white.png new file mode 100644 index 0000000..9df58b5 Binary files /dev/null and b/docs/images/flux-ee-white.png differ diff --git a/docs/images/flux-logo.png b/docs/images/flux-logo.png new file mode 100644 index 0000000..1efd6f8 Binary files /dev/null and b/docs/images/flux-logo.png differ diff --git a/docs/index.md b/docs/index.md new file mode 100644 index 0000000..c1af09d --- /dev/null +++ b/docs/index.md @@ -0,0 +1,4 @@ +--- +template: home.html +title: Home +--- diff --git a/docs/operator/fluxinstance.md b/docs/operator/fluxinstance.md new file mode 100644 index 0000000..ba8c77a --- /dev/null +++ b/docs/operator/fluxinstance.md 
@@ -0,0 +1,466 @@ +# FluxInstance + +**FluxInstance** is a declarative API for the installation, configuration +and automatic upgrade of the Flux distribution. + +A single custom resource of this kind can exist in a Kubernetes cluster +with the name `flux` that must be created in the same namespace +where the flux-operator is deployed. + +## Example + +The following example shows a FluxInstance custom resource that +installs the upstream Flux distribution with all available components, +and configures the flux-operator to automatically upgrade Flux +to the latest stable version: + +```yaml +apiVersion: fluxcd.controlplane.io/v1 +kind: FluxInstance +metadata: + name: flux + namespace: flux-system + annotations: + fluxcd.controlplane.io/reconcile: "enabled" + fluxcd.controlplane.io/reconcileEvery: "1h" + fluxcd.controlplane.io/reconcileTimeout: "3m" +spec: + distribution: + version: "2.x" + registry: "ghcr.io/fluxcd" + components: + - source-controller + - kustomize-controller + - helm-controller + - notification-controller + - image-reflector-controller + - image-automation-controller + cluster: + type: kubernetes + multitenant: false + networkPolicy: true + domain: "cluster.local" + storage: + class: "standard" + size: "10Gi" + kustomize: + patches: + - target: + kind: Deployment + name: "(kustomize-controller|helm-controller)" + patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --concurrent=10 + - op: add + path: /spec/template/spec/containers/0/args/- + value: --requeue-dependency=5s +``` + +You can run this example by saving the manifest into `fluxinstance.yaml`. + +1. Apply the resource on the cluster: + + ```shell + kubectl apply -f fluxinstance.yaml + ``` + +2. 
Run `kubectl get fluxinstance` to see the status of the resource: + + ```console + $ kubectl -n flux-system get fluxinstance + NAME AGE READY STATUS REVISION + flux 59s True Reconciliation finished in 52s v2.3.0@sha256:4cc5babdb1279ad0177bf513292deadbfa3f7b7c3da0be7fa53b39ab434f7219 + ``` + +3. Run `kubectl describe fluxinstance` to see the reconciliation status components, conditions and events: + + ```console + $ kubectl -n flux-system describe fluxinstance flux + Status: + Components: + Digest: sha256:161da425b16b64dda4b3cec2ba0f8d7442973aba29bb446db3b340626181a0bc + Name: source-controller + Repository: ghcr.io/fluxcd/source-controller + Tag: v1.3.0 + Digest: sha256:48a032574dd45c39750ba0f1488e6f1ae36756a38f40976a6b7a588d83acefc1 + Name: kustomize-controller + Repository: ghcr.io/fluxcd/kustomize-controller + Tag: v1.3.0 + Digest: sha256:a67a037faa850220ff94d8090253732079589ad9ff10b6ddf294f3b7cd0f3424 + Name: helm-controller + Repository: ghcr.io/fluxcd/helm-controller + Tag: v1.0.1 + Digest: sha256:c0fab940c7e578ea519097d36c040238b0cc039ce366fdb753947428bbf0c3d6 + Name: notification-controller + Repository: ghcr.io/fluxcd/notification-controller + Tag: v1.3.0 + Digest: sha256:aed795c7a8b85bca93f6d199d5a14bbefaf925ad5aa5316b32a716cfa4070d0b + Name: image-reflector-controller + Repository: ghcr.io/fluxcd/image-reflector-controller + Tag: v0.32.0 + Digest: sha256:ab5097213194f3cd9f0e68d8a937d94c4fc7e821f6544453211e94815b282aa2 + Name: image-automation-controller + Repository: ghcr.io/fluxcd/image-automation-controller + Tag: v0.38.0 + Conditions: + Last Transition Time: 2024-06-03T12:20:57Z + Message: Reconciliation finished in 52s + Observed Generation: 1 + Reason: ReconciliationSucceeded + Status: True + Type: Ready + Last Applied Revision: v2.3.0@sha256:4cc5babdb1279ad0177bf513292deadbfa3f7b7c3da0be7fa53b39ab434f7219 + Last Attempted Revision: v2.3.0@sha256:4cc5babdb1279ad0177bf513292deadbfa3f7b7c3da0be7fa53b39ab434f7219 + Events: + Type Reason Age From 
Message + ---- ------ ---- ---- ------- + Normal Progressing 6m20s flux-controller Installing revision v2.3.0@sha256:4cc5babdb1279ad0177bf513292deadbfa3f7b7c3da0be7fa53b39ab434f7219 + Normal ReconciliationSucceeded 5m9s flux-controller Reconciliation finished in 52s + ``` + +4. Run `kubectl logs` on the flux-operator pod to see the reconciliation logs: + + ```shell + kubectl -n flux-system logs deployment/flux-operator + ``` + +5. Run `kubectl events` to see the events generated by the flux-operator: + + ```shell + kubectl -n flux-system events --for FluxInstance/flux + ``` + +6. Run `kubectl delete` to remove the FluxInstance resource and + to uninstall Flux without affecting any Flux-managed workloads: + + ```shell + kubectl -n flux-system delete FluxInstance/flux + ``` + +## Writing a FluxInstance spec + +As with all other Kubernetes config, a FluxInstance needs `apiVersion`, +`kind`, and `metadata` fields. The name of a FluxInstance object must be a +valid [DNS subdomain name](https://kubernetes.io/docs/concepts/overview/working-with-objects/names#dns-subdomain-names). + +A FluxInstance also needs a +[`.spec` section](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status). + +### Distribution configuration + +The `.spec.distribution` field is required and specifies the Flux distribution to install. + +Example using the upstream Flux distribution: + +```yaml +spec: + distribution: + version: "2.x" + registry: "ghcr.io/fluxcd" +``` + +### Distribution version + +The `.spec.distribution.version` field is required and specifies the version of the Flux distribution to install. +The version field value must be a valid [semver](https://semver.org/) range or an exact version. 
+ +Example using a semver range to configure the automatic upgrade +to the latest Flux minor version: + +```yaml +spec: + distribution: + version: "2.x" +``` + +Example using a semver range to configure the automatic upgrade +to the latest Flux patch version of the `2.3` series: + +```yaml +spec: + distribution: + version: "2.3.x" +``` + +Example using an exact version to install a specific Flux version: + +```yaml +spec: + distribution: + version: "2.3.0" +``` + +### Distribution registry + +The `.spec.distribution.registry` field is required and specifies the container registry +where the Flux distribution images are pulled from. + +Example using the upstream Flux distribution registry: + +```yaml +spec: + distribution: + version: "2.x" + registry: "ghcr.io/fluxcd" +``` + +### Distribution image pull secret + +The `.spec.distribution.imagePullSecret` field is optional and specifies the name of the Kubernetes secret +that contains the credentials to pull the Flux distribution images from a private registry. + +Example using the ControlPlane enterprise registry: + +```yaml +spec: + distribution: + version: "2.3.x" + registry: "ghcr.io/controlplaneio-fluxcd/distroless" + imagePullSecret: "flux-enterprise-auth" +``` + +The image pull secret must be created in the same namespace where the FluxInstance is deployed +and must be of type `kubernetes.io/dockerconfigjson`. + +Example generating a secret for the ControlPlane enterprise registry: + +```sh +kubectl create secret docker-registry flux-enterprise-auth \ + --namespace flux-system \ + --docker-server=ghcr.io \ + --docker-username=flux \ + --docker-password=$ENTERPRISE_TOKEN +``` + +### Components configuration + +The `.spec.components` field is optional and specifies the list of Flux components to install. 
+ +When not specified, the operator will install the default set of components for the Flux distribution: + +```yaml +spec: + components: + - source-controller + - kustomize-controller + - helm-controller + - notification-controller +``` + +### Cluster configuration + +The `.spec.cluster` field is optional and specifies the Kubernetes cluster configuration. + +Example using the OpenShift cluster configuration: + +```yaml +spec: + cluster: + type: openshift + multitenant: true + networkPolicy: true + domain: "cluster.local" +``` + +### Cluster type + +The `.spec.cluster.type` field is optional and specifies the type of the Kubernetes cluster. +This field is used to enable specific configuration for AKS, EKS, GKE and OpenShift clusters. + +The supported values are `kubernetes` (default), `openshift`, `aks`, `eks` and `gke`. + +### Cluster multitenant + +The `.spec.cluster.multitenant` field is optional and specifies whether to enable Flux +[multi-tenancy lockdown](https://fluxcd.io/flux/installation/configuration/multitenancy/). + +### Cluster network policy + +The `.spec.cluster.networkPolicy` field is optional and specifies whether to restrict network access +to the Flux namespace from other namespaces. By default, network policy is enabled. + +### Cluster domain + +The `.spec.cluster.domain` field is optional and specifies the cluster internal domain name. +By default, the domain is set to `cluster.local`. + +### Storage configuration + +The `.spec.storage` field is optional and specifies the persistent storage for Flux internal artifacts. +When specified, the operator will create a persistent volume claim named `source-controller` with +the specified storage class and size and mount it to the Flux source-controller `/data` volume. + +### Storage class + +The `.spec.storage.class` field is required and specifies the storage class to use for the persistent volume claim. 
+ +### Storage size + +The `.spec.storage.size` field is required and specifies the size of the persistent volume claim. + +### Kustomize patches + +The `.spec.kustomize.patches` field is optional and specifies the Kustomize patches to apply to the Flux controllers. + +Example: + +```yaml +spec: + kustomize: + patches: + - target: + kind: Deployment + name: "(kustomize-controller|helm-controller)" + patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --concurrent=10 + - op: add + path: /spec/template/spec/containers/0/args/- + value: --requeue-dependency=5s +``` + +### Reconciliation configuration + +The reconciliation behaviour can be configured using the following annotations: + +- `fluxcd.controlplane.io/reconcile`: Enable or disable the reconciliation loop. Default is `enabled`, set to `disabled` to pause the reconciliation. +- `fluxcd.controlplane.io/reconcileEvery`: Set the reconciliation interval. Default is `1h`. +- `fluxcd.controlplane.io/reconcileTimeout`: Set the reconciliation timeout. Default is `5m`. + +## FluxInstance Status + +### Conditions + +A FluxInstance enters various states during its lifecycle, reflected as Kubernetes Conditions. +It can be [reconciling](#reconciling-fluxinstance) while applying the +resources on the cluster, it can be [ready](#ready-fluxinstance), or it can [fail during +reconciliation](#failed-fluxinstance). + +The FluxInstance API is compatible with the **kstatus** specification, +and reports `Reconciling` and `Stalled` conditions where applicable to +provide better (timeout) support to solutions polling the Kustomization to +become `Ready`. + +#### Reconciling FluxInstance + +The flux-operator marks a FluxInstance as _reconciling_ when it starts +the reconciliation of the same. 
The Condition added to the FluxInstance's +`.status.conditions` has the following attributes: + +- `type: Reconciling` +- `status: "True"` +- `reason: Progressing` | `reason: ProgressingWithRetry` + +The Condition `message` is updated during the course of the reconciliation to +report the action being performed at any particular moment such as +building manifests, detecting drift, etc. + +The `Ready` Condition's `status` is also marked as `Unkown`. + +#### Ready FluxInstance + +The flux-operator marks a FluxInstance as _ready_ when the Flux configuration was +built and applied on the cluster and all health checks are observed to be passing. + +When the FluxInstance is "ready", the flux-operator sets a Condition with the +following attributes in the FluxInstance’s `.status.conditions`: + +- `type: Ready` +- `status: "True"` +- `reason: ReconciliationSucceeded` + +#### Failed FluxInstance + +The flux-operator may get stuck trying to reconcile and apply a +FluxInstance without completing. This can occur due to some of the following factors: + +- The specified distribution version is not available. +- The kustomization of the Flux components fails to build. +- Garbage collection fails. +- Running health checks fails. + +When this happens, the flux-operator sets the `Ready` Condition status to False +and adds a Condition with the following attributes to the FluxInstance’s +`.status.conditions`: + +- `type: Ready` +- `status: "False"` +- `reason: BuildFailed | HealthCheckFailed | ReconciliationFailed` + +The `message` field of the Condition will contain more information about why +the reconciliation failed. + +While the FluxInstance has one or more of these Conditions, the flux-operator +will continue to attempt a reconciliation with an +exponential backoff, until it succeeds and the FluxInstance is marked as [ready](#ready-fluxinstance). 
+ +### Components status + +In order to provide visibility into the Flux components that are installed, +the flux-operator records the status of each component in the `.status.components` field, +including the image repository, tag and digest. + +Example: + +```text +Status: + Components: + Digest: sha256:161da425b16b64dda4b3cec2ba0f8d7442973aba29bb446db3b340626181a0bc + Name: source-controller + Repository: ghcr.io/fluxcd/source-controller + Tag: v1.3.0 + Digest: sha256:48a032574dd45c39750ba0f1488e6f1ae36756a38f40976a6b7a588d83acefc1 + Name: kustomize-controller + Repository: ghcr.io/fluxcd/kustomize-controller + Tag: v1.3.0 +``` + +### Inventory status + +In order to perform operations such as drift detection, garbage collection, upgrades, etc., +the flux-operator needs to keep track of all Kubernetes objects that are +reconciled as part of a FluxInstance. To do this, it maintains an inventory +containing the list of Kubernetes resource object references that have been +successfully applied and records it in `.status.inventory`. The inventory +records are in the format `Id: ___, V: `. + +Example: + +```text +Status: + Inventory: + Entries: + Id: flux-system_source-controller__ServiceAccount + V: v1 + Id: flux-system_source-controller__Service + V: v1 + Id: flux-system_source-controller_apps_Deployment + V: v1 +``` + +### Last applied revision + +`.status.lastAppliedRevision` is the last revision of the Flux distribution +that was successfully applied to the cluster. + +The revision is in the format `@sha256:`. + +The version is the Flux distribution exact semver version that was applied to the cluster. + +The digest is the SHA256 hash of the Flux distribution manifests and customisations +that was applied to the cluster. + +### Last attempted revision + +`.status.lastAttemptedRevision` is the last revision of the Flux distribution +that was attempted to be applied to the cluster. 
+ +Example: + +```text +Status: + Last Applied Revision: v2.3.0@sha256:4cc5babdb1279ad0177bf513292deadbfa3f7b7c3da0be7fa53b39ab434f7219 + Last Attempted Revision: v2.3.0@sha256:4cc5babdb1279ad0177bf513292deadbfa3f7b7c3da0be7fa53b39ab434f7219 +``` diff --git a/docs/operator/install.md b/docs/operator/install.md new file mode 100644 index 0000000..8a527fb --- /dev/null +++ b/docs/operator/install.md 
@@ -0,0 +1,123 @@ +# Flux Operator Installation + +The Flux Operator can be installed using the +[Helm chart](https://github.com/controlplaneio-fluxcd/charts/tree/main/charts/flux-operator) +available in the ControlPlane registry: + +```shell +helm install flux-operator oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator \ + --namespace flux-system \ + --create-namespace +``` + +Or by using the Kubernetes manifests published on the releases page: + +```shell +kubectl apply -f https://github.com/controlplaneio-fluxcd/flux-operator/releases/latest/download/install.yaml +``` + +## Usage + +The Flux Operator comes with a Kubernetes CRD called `FluxInstance`. A single custom resource of this kind +can exist in a Kubernetes cluster with the name `flux` that must be created in the same +namespace where the operator is deployed. + +### Upstream Distribution + +To install the upstream distribution of Flux, create the following `FluxInstance` resource: + +```yaml +apiVersion: fluxcd.controlplane.io/v1 +kind: FluxInstance +metadata: + name: flux + namespace: flux-system +spec: + distribution: + version: "2.x" + registry: "ghcr.io/fluxcd" + components: + - source-controller + - kustomize-controller + - helm-controller + - notification-controller + - image-reflector-controller + - image-automation-controller + cluster: + type: kubernetes + networkPolicy: true + kustomize: + patches: + - target: + kind: Deployment + name: "(kustomize-controller|helm-controller)" + patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --concurrent=10 + - op: add + path: /spec/template/spec/containers/0/args/- + value: --requeue-dependency=5s +``` + +The operator will reconcile the `FluxInstance` resource and install +the latest Flux stable version with the specified components. 
+ +### Enterprise Distribution + +To install the FIPS-compliant distribution of Flux, create the following `FluxInstance` resource: + +```yaml +apiVersion: fluxcd.controlplane.io/v1 +kind: FluxInstance +metadata: + name: flux + namespace: flux-system + annotations: + fluxcd.controlplane.io/reconcileEvery: "1h" + fluxcd.controlplane.io/reconcileTimeout: "5m" +spec: + distribution: + version: "2.3.x" + registry: "ghcr.io/controlplaneio-fluxcd/distroless" + imagePullSecret: "flux-enterprise-auth" + components: + - source-controller + - kustomize-controller + - helm-controller + - notification-controller + cluster: + type: openshift + multitenant: true + networkPolicy: true + domain: "cluster.local" + storage: + class: "standard" + size: "10Gi" +``` + +Every hour, the operator will check for updates in the ControlPlane +[distribution repository](https://github.com/controlplaneio-fluxcd/distribution). +If a new patch version is available, the operator will update the Flux components by pinning the +container images to the latest digest published in the ControlPlane registry. + +Note that the `flux-enterprise-auth` Kubernetes secret must be created in the `flux-system` namespace +and should contain the credentials to pull the enterprise images: + +```shell +kubectl create secret docker-registry flux-enterprise-auth \ + --namespace flux-system \ + --docker-server=ghcr.io \ + --docker-username=flux \ + --docker-password=$ENTERPRISE_TOKEN +``` + +### Migration of a bootstrap cluster + +To migrate a cluster that was bootstrapped, after the flux-operator is installed +and the `FluxInstance` resource is created, the following steps are required: + +1. Checkout the branch of the Flux repository that was used to bootstrap the cluster. +2. Replace the contents of the `flux-system/gok-components.yaml` with the `FluxInstance` YAML manifest. +3. Remove all controllers patches from the `flux-system/kustomization.yaml`. +4. Commit and push the changes to the Flux repository. 
diff --git a/docs/operator/introduction.md b/docs/operator/introduction.md new file mode 100644 index 0000000..0d720b1 --- /dev/null +++ b/docs/operator/introduction.md @@ -0,0 +1,15 @@ +# Flux Operator Introduction + +The Flux Operator is a Kubernetes CRD controller that manages +the lifecycle of the ControlPlane enterprise distribution for Flux CD. + +## Features + +- Provide a declarative API for the installation and upgrade of the Flux distribution. +- Automate patching for hotfixes and CVEs affecting the Flux controllers container images. +- Provide first-class support for OpenShift, Azure, AWS, GCP and other marketplaces. +- Simplify the configuration of multi-tenancy lockdown on shared Kubernetes clusters. +- Provide a security-first approach to the Flux deployment and FIPS compliance. +- Incorporate best practices for running Flux at scale with persistent storage, sharding and horizontal scaling. +- Manage the update of Flux custom resources and prevent disruption during the upgrade process. +- Facilitate a clean uninstall and reinstall process without affecting the Flux-managed workloads. diff --git a/docs/pricing/index.md b/docs/pricing/index.md new file mode 100644 index 0000000..14dbc64 --- /dev/null +++ b/docs/pricing/index.md 
@@ -0,0 +1,33 @@ +--- +hide: + - toc +--- + +# Pricing + +## Annual Subscription Plans + +Flexible packages based on number of Production clusters or number of Production +nodes across clusters (whichever is hit first) and pricing to accommodate +various organisational needs and sizes. + +| Cluster bundles | Node bundles | Product | Inc. Support | +|-----------------|--------------|-------------|--------------| +| 1 cluster | 10 nodes | $12000 USD | $15000 USD | +| 10 clusters | 100 nodes | $60000 USD | $75000 USD | +| 25 clusters | 250 nodes | $100000 USD | $125000 USD | +| 100 clusters | 1000 nodes | $350000 USD | $500000 USD | + +## Flexible Pricing for Diverse Needs + +At ControlPlane, we understand that organizations come in various sizes and have different requirements, +especially when it comes to managing and securing their Kubernetes deployments using GitOps principles. +Our goal is to provide exceptional value to our customers while also contributing positively +to the open-source project, Flux CD. + +ControlPlane Enterprise for Flux CD is designed to meet this dual objective +by offering a hardened, enterprise-grade distribution and support services that go +beyond what the open-source project provides. + +[Contact us](https://control-plane.io/contact/?inquiry=fluxcd) to discuss your specific +requirements and to get a quote that fits your needs. diff --git a/docs/releases/release-v2.2.md b/docs/releases/release-v2.2.md new file mode 100644 index 0000000..b8309bb --- /dev/null +++ b/docs/releases/release-v2.2.md @@ -0,0 +1,210 @@ +# Enterprise Distribution for Flux v2.2 + +## Supported Kubernetes Versions + +| Distribution | Versions | +|:-------------|:--------------------------------------------------| +| Kubernetes | 1.24
1.25
1.26
1.27
1.28
1.29 | +| OpenShift | 4.12
4.13
4.14
4.15 | + +## API Versions + +### General Availability (GA) + +| kind | apiVersion | +|:---------------------------------------------------------------------------------------|:------------------------------------| +| [GitRepository](https://v2-2.docs.fluxcd.io/flux/components/source/gitrepositories/) | `source.toolkit.fluxcd.io/v1` | +| [Kustomization](https://v2-2.docs.fluxcd.io/flux/components/kustomize/kustomizations/) | `kustomize.toolkit.fluxcd.io/v1` | +| [Receiver](https://v2-2.docs.fluxcd.io/flux/components/notification/receivers/) | `notification.toolkit.fluxcd.io/v1` | + +### Beta (Preview) + +| kind | apiVersion | +|:---------------------------------------------------------------------------------------------------|:-----------------------------------------| +| [Alert](https://v2-2.docs.fluxcd.io/flux/components/notification/alerts/) | `notification.toolkit.fluxcd.io/v1beta3` | +| [Bucket](https://v2-2.docs.fluxcd.io/flux/components/source/buckets/) | `source.toolkit.fluxcd.io/v1beta2` | +| [HelmChart](https://v2-2.docs.fluxcd.io/flux/components/source/helmcharts/) | `source.toolkit.fluxcd.io/v1beta2` | +| [HelmRelease](https://v2-2.docs.fluxcd.io/flux/components/helm/helmreleases/) | `helm.toolkit.fluxcd.io/v2beta2` | +| [HelmRepository](https://v2-2.docs.fluxcd.io/flux/components/source/helmrepositories/) | `source.toolkit.fluxcd.io/v1beta2` | +| [ImagePolicy](https://v2-2.docs.fluxcd.io/flux/components/image/imagepolicies/) | `image.toolkit.fluxcd.io/v1beta2` | +| [ImageRepository](https://v2-2.docs.fluxcd.io/flux/components/image/imagerepositories/) | `image.toolkit.fluxcd.io/v1beta2` | +| [ImageUpdateAutomation](https://v2-2.docs.fluxcd.io/flux/components/image/imageupdateautomations/) | `image.toolkit.fluxcd.io/v1beta1` | +| [OCIRepository](https://v2-2.docs.fluxcd.io/flux/components/source/ocirepositories/) | `source.toolkit.fluxcd.io/v1beta2` | +| [Provider](https://v2-2.docs.fluxcd.io/flux/components/notification/providers/) | 
`notification.toolkit.fluxcd.io/v1beta3` | + +### Promotions + +| Kind | New Version | Deprecated Version | Group | +|:------------|:------------|:-------------------|:---------------------------------| +| Alert | **v1beta3** | v1beta2 | `notification.toolkit.fluxcd.io` | +| Provider | **v1beta3** | v1beta2 | `notification.toolkit.fluxcd.io` | +| HelmRelease | **v2beta2** | v2beta2 | `helm.toolkit.fluxcd.io` | + + +## v2.2.3 + +Upstream changelog: [fluxcd/flux2 v2.2.3](https://github.com/fluxcd/flux2/releases/tag/v2.2.3) + +### Mainline v2.2.3 + +#### Flux Controllers + +| Controller | Version | Architectures | +|:-------------------------------------------------------------------|---------|---------------| +| `ghcr.io/controlplaneio-fluxcd/alpine/source-controller` | v1.2.4 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/alpine/kustomize-controller` | v1.2.2 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/alpine/helm-controller` | v0.37.4 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/alpine/notification-controller` | v1.2.4 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/alpine/image-reflector-controller` | v0.31.2 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/alpine/image-automation-controller` | v0.37.1 | amd64 / arm64 | + +#### Flux Manifests + +| OCI Artifact | Version | +|:------------------------------------------------------|---------| +| `ghcr.io/controlplaneio-fluxcd/alpine/flux-manifests` | v2.2.3 | + +### FIPS-compliant v2.2.3 + +#### Flux Controllers + +| Controller | Version | Architectures | +|:------------------------------------------------------------------------|---------|---------------| +| `ghcr.io/controlplaneio-fluxcd/distroless/source-controller` | v1.2.4 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/distroless/kustomize-controller` | v1.2.2 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/distroless/helm-controller` | v0.37.4 | amd64 / arm64 | +| 
`ghcr.io/controlplaneio-fluxcd/distroless/notification-controller` | v1.2.4 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/distroless/image-reflector-controller` | v0.31.2 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/distroless/image-automation-controller` | v0.37.1 | amd64 / arm64 | + +#### Flux Manifests + +| OCI Artifact | Version | +|:-----------------------------------------------------------|---------| +| `ghcr.io/controlplaneio-fluxcd/distroless/flux-manifests` | v2.2.3 | + +## v2.2.2 + +Upstream changelog: [fluxcd/flux2 v2.2.2](https://github.com/fluxcd/flux2/releases/tag/v2.2.2) + +### Mainline v2.2.2 + +#### Flux Controllers + +| Controller | Version | Architectures | +|:-------------------------------------------------------------------|---------|---------------| +| `ghcr.io/controlplaneio-fluxcd/alpine/source-controller` | v1.2.3 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/alpine/kustomize-controller` | v1.2.1 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/alpine/helm-controller` | v0.37.2 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/alpine/notification-controller` | v1.2.3 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/alpine/image-reflector-controller` | v0.31.1 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/alpine/image-automation-controller` | v0.37.0 | amd64 / arm64 | + +#### Flux Manifests + +| OCI Artifact | Version | +|:------------------------------------------------------|---------| +| `ghcr.io/controlplaneio-fluxcd/alpine/flux-manifests` | v2.2.2 | + +### FIPS-compliant v2.2.2 + +#### Flux Controllers + +| Controller | Version | Architectures | +|:------------------------------------------------------------------------|---------|---------------| +| `ghcr.io/controlplaneio-fluxcd/distroless/source-controller` | v1.2.3 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/distroless/kustomize-controller` | v1.2.1 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/distroless/helm-controller` | v0.37.2 | 
amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/distroless/notification-controller` | v1.2.3 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/distroless/image-reflector-controller` | v0.31.1 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/distroless/image-automation-controller` | v0.37.0 | amd64 / arm64 | + +#### Flux Manifests + +| OCI Artifact | Version | +|:-----------------------------------------------------------|---------| +| `ghcr.io/controlplaneio-fluxcd/distroless/flux-manifests` | v2.2.2 | + +## v2.2.1 + +Upstream changelog: [fluxcd/flux2 v2.2.1](https://github.com/fluxcd/flux2/releases/tag/v2.2.1) + +### Mainline v2.2.1 + +#### Flux Controllers + +| Controller | Version | Architectures | +|:-------------------------------------------------------------------|---------|---------------| +| `ghcr.io/controlplaneio-fluxcd/alpine/source-controller` | v1.2.3 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/alpine/kustomize-controller` | v1.2.1 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/alpine/helm-controller` | v0.37.1 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/alpine/notification-controller` | v1.2.3 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/alpine/image-reflector-controller` | v0.31.1 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/alpine/image-automation-controller` | v0.37.0 | amd64 / arm64 | + +#### Flux Manifests + +| OCI Artifact | Version | +|:------------------------------------------------------|---------| +| `ghcr.io/controlplaneio-fluxcd/alpine/flux-manifests` | v2.2.1 | + +### FIPS-compliant v2.2.1 + +#### Flux Controllers + +| Controller | Version | Architectures | +|:------------------------------------------------------------------------|---------|---------------| +| `ghcr.io/controlplaneio-fluxcd/distroless/source-controller` | v1.2.3 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/distroless/kustomize-controller` | v1.2.1 | amd64 / arm64 | +| 
`ghcr.io/controlplaneio-fluxcd/distroless/helm-controller` | v0.37.1 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/distroless/notification-controller` | v1.2.3 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/distroless/image-reflector-controller` | v0.31.1 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/distroless/image-automation-controller` | v0.37.0 | amd64 / arm64 | + +#### Flux Manifests + +| OCI Artifact | Version | +|:-----------------------------------------------------------|---------| +| `ghcr.io/controlplaneio-fluxcd/distroless/flux-manifests` | v2.2.1 | + +## v2.2.0 + +Upstream changelog: [fluxcd/flux2 v2.2.0](https://github.com/fluxcd/flux2/releases/tag/v2.2.0) + +### Mainline v2.2.0 + +#### Flux Controllers + +| Controller | Version | Architectures | +|:-------------------------------------------------------------------|---------|---------------| +| `ghcr.io/controlplaneio-fluxcd/alpine/source-controller` | v1.2.2 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/alpine/kustomize-controller` | v1.2.0 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/alpine/helm-controller` | v0.37.0 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/alpine/notification-controller` | v1.2.2 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/alpine/image-reflector-controller` | v0.31.1 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/alpine/image-automation-controller` | v0.37.0 | amd64 / arm64 | + +#### Flux Manifests + +| OCI Artifact | Version | +|:------------------------------------------------------|---------| +| `ghcr.io/controlplaneio-fluxcd/alpine/flux-manifests` | v2.2.0 | + +### FIPS-compliant v2.2.0 + +#### Flux Controllers + +| Controller | Version | Architectures | +|:------------------------------------------------------------------------|---------|---------------| +| `ghcr.io/controlplaneio-fluxcd/distroless/source-controller` | v1.2.2 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/distroless/kustomize-controller` | v1.2.0 | 
amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/distroless/helm-controller` | v0.37.0 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/distroless/notification-controller` | v1.2.2 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/distroless/image-reflector-controller` | v0.31.1 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/distroless/image-automation-controller` | v0.37.0 | amd64 / arm64 | + +#### Flux Manifests + +| OCI Artifact | Version | +|:-----------------------------------------------------------|---------| +| `ghcr.io/controlplaneio-fluxcd/distroless/flux-manifests` | v2.2.0 | diff --git a/docs/releases/release-v2.3.md b/docs/releases/release-v2.3.md new file mode 100644 index 0000000..26cef35 --- /dev/null +++ b/docs/releases/release-v2.3.md @@ -0,0 +1,84 @@ +# Enterprise Distribution for Flux v2.3 + +## Supported Kubernetes Versions + +| Distribution | Versions | +|:-------------|:--------------------------------------------------| +| Kubernetes | 1.25
1.26
1.27
1.28
1.29
1.30 | +| OpenShift | 4.12
4.13
4.14
4.15 | + +## API Versions + +### General Availability (GA) + +| kind | apiVersion | +|:---------------------------------------------------------------------------------------|:------------------------------------| +| [GitRepository](https://v2-3.docs.fluxcd.io/flux/components/source/gitrepositories/) | `source.toolkit.fluxcd.io/v1` | +| [HelmChart](https://v2-3.docs.fluxcd.io/flux/components/source/helmcharts/) | `source.toolkit.fluxcd.io/v1` | +| [HelmRelease](https://v2-3.docs.fluxcd.io/flux/components/helm/helmreleases/) | `helm.toolkit.fluxcd.io/v2` | +| [HelmRepository](https://v2-3.docs.fluxcd.io/flux/components/source/helmrepositories/) | `source.toolkit.fluxcd.io/v1` | +| [Kustomization](https://v2-3.docs.fluxcd.io/flux/components/kustomize/kustomizations/) | `kustomize.toolkit.fluxcd.io/v1` | +| [Receiver](https://v2-3.docs.fluxcd.io/flux/components/notification/receivers/) | `notification.toolkit.fluxcd.io/v1` | + +### Beta (Preview) + +| kind | apiVersion | +|:---------------------------------------------------------------------------------------------------|:-----------------------------------------| +| [Alert](https://v2-3.docs.fluxcd.io/flux/components/notification/alerts/) | `notification.toolkit.fluxcd.io/v1beta3` | +| [Bucket](https://v2-3.docs.fluxcd.io/flux/components/source/buckets/) | `source.toolkit.fluxcd.io/v1beta2` | +| [ImagePolicy](https://v2-3.docs.fluxcd.io/flux/components/image/imagepolicies/) | `image.toolkit.fluxcd.io/v1beta2` | +| [ImageRepository](https://v2-3.docs.fluxcd.io/flux/components/image/imagerepositories/) | `image.toolkit.fluxcd.io/v1beta2` | +| [ImageUpdateAutomation](https://v2-3.docs.fluxcd.io/flux/components/image/imageupdateautomations/) | `image.toolkit.fluxcd.io/v1beta2` | +| [OCIRepository](https://v2-3.docs.fluxcd.io/flux/components/source/ocirepositories/) | `source.toolkit.fluxcd.io/v1beta2` | +| [Provider](https://v2-3.docs.fluxcd.io/flux/components/notification/providers/) | 
`notification.toolkit.fluxcd.io/v1beta3` | + +### Promotions + +| Kind | New Version | Deprecated Version | Group | +|:----------------------|:------------|:-------------------|:---------------------------| +| HelmChart | **v1** | v1beta2 | `source.toolkit.fluxcd.io` | +| HelmRelease | **v2** | v2beta2 | `helm.toolkit.fluxcd.io` | +| HelmRepository | **v1** | v1beta2 | `source.toolkit.fluxcd.io` | +| ImageUpdateAutomation | **v1beta2** | v1beta1 | `image.toolkit.fluxcd.io` | + +## v2.3.0 + +Upstream changelog: [fluxcd/flux2 v2.3.0](https://github.com/fluxcd/flux2/releases/tag/v2.3.0) + +### Mainline v2.3.0 + +#### Flux Controllers + +| Controller | Version | Architectures | +|:-------------------------------------------------------------------|---------|---------------| +| `ghcr.io/controlplaneio-fluxcd/alpine/source-controller` | v1.3.0 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/alpine/kustomize-controller` | v1.3.0 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/alpine/helm-controller` | v1.0.1 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/alpine/notification-controller` | v1.3.0 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/alpine/image-reflector-controller` | v0.32.0 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/alpine/image-automation-controller` | v0.38.0 | amd64 / arm64 | + +#### Flux Manifests + +| OCI Artifact | Version | +|:------------------------------------------------------|---------| +| `ghcr.io/controlplaneio-fluxcd/alpine/flux-manifests` | v2.3.0 | + +### FIPS-compliant v2.3.0 + +#### Flux Controllers + +| Controller | Version | Architectures | +|:------------------------------------------------------------------------|---------|---------------| +| `ghcr.io/controlplaneio-fluxcd/distroless/source-controller` | v1.3.0 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/distroless/kustomize-controller` | v1.3.0 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/distroless/helm-controller` | v1.0.1 | amd64 / arm64 | +| 
`ghcr.io/controlplaneio-fluxcd/distroless/notification-controller` | v1.3.0 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/distroless/image-reflector-controller` | v0.32.0 | amd64 / arm64 | +| `ghcr.io/controlplaneio-fluxcd/distroless/image-automation-controller` | v0.38.0 | amd64 / arm64 | + +#### Flux Manifests + +| OCI Artifact | Version | +|:-----------------------------------------------------------|---------| +| `ghcr.io/controlplaneio-fluxcd/distroless/flux-manifests` | v2.3.0 | diff --git a/docs/theme/home.html b/docs/theme/home.html new file mode 100644 index 0000000..831be28 --- /dev/null +++ b/docs/theme/home.html @@ -0,0 +1,230 @@ +{% extends "main.html" %} +{% block tabs %} +{{ super() }} + + + +
+
+
+
+ Flux Enterprise +
+
+

{{ config.home.tagline }}

+

{{ config.home.description }}

+ + Get Started + + + Pricing + +
+
+
+
+ +{%- if config.home.features -%} +
+
+
+

Enterprise Distribution Features

+
+
    +
  • +
    + {% include ".icons/fontawesome/solid/layer-group.svg" %} +
    +
    +

    Hardened Flux controllers

    +

    Hardened container images and SBOMs in-sync with upstream Flux releases.

    +
    +
  • +
  • +
    + {% include ".icons/fontawesome/solid/cloud-arrow-up.svg" %} +
    +
    +

    Zero CVEs

    +

    Continuous scanning and CVE patching for the Flux controllers.

    +
    +
  • +
  • +
    + {% include ".icons/fontawesome/solid/arrows-spin.svg" %} +
    +
    +

    24/7 Support

    +

    SLAs for remediation of critical vulnerabilities affecting Flux functionality.

    +
    +
  • +
  • +
    + {% include ".icons/fontawesome/solid/object-group.svg" %} +
    +
    +

    FIPS-compliance

    +

    FIPS-compliant Flux builds based on FIPS 140-2 validated BoringSSL.

    +
    +
  • +
  • +
    + {% include ".icons/fontawesome/solid/gear.svg" %} +
    +
    +

    Kubernetes compatibility

    +

    Assured compatibility with OpenShift and Kubernetes LTS versions provided by cloud vendors.

    +
    +
  • +
  • +
    + {% include ".icons/fontawesome/solid/code-fork.svg" %} +
    +
    +

    Supply Chain Security

    +

    SLSA Build Level 3, SMBOs and VEX support for Flux controllers.

    +
    +
  • +
+
+
+
+
+{%- endif -%} + +{% endblock %} +{% block content %}{% endblock %} +{% block footer %} +{{ super() }} +{% endblock %} \ No newline at end of file diff --git a/docs/theme/main.html b/docs/theme/main.html new file mode 100644 index 0000000..8a4c903 --- /dev/null +++ b/docs/theme/main.html @@ -0,0 +1,32 @@ +{% extends "base.html" %} + +{% block extrahead %} + + + + + +{% if page.is_homepage %} + + +{% else %} + + +{% endif %} + + + + +{% if page.is_homepage %} + + + + +{% else %} + + + + +{% endif %} + +{% endblock %} diff --git a/mkdocs.yml b/mkdocs.yml new file mode 100644 index 0000000..ce386b3 --- /dev/null +++ b/mkdocs.yml 
@@ -0,0 +1,96 @@ +site_name: ControlPlane Enterprise for Flux CD +site_description: | + ControlPlane offers a hardened, enterprise-grade distribution and + support services for the CNCF-graduated Flux project. +site_author: ControlPLane +#site_url: https://fluxcd.controlplane.io +repo_name: distribution +repo_url: https://github.com/controlplaneio-fluxcd/distribution +edit_uri: "" +copyright: Copyright © 2024 ControlPlane.io + +home: + image: images/flux-ee-white.png + tagline: Assured Flux CD + description: | + ControlPlane Enterprise enhances the security and stability of + Kubernetes GitOps delivery through comprehensive security assurance, including + rigorous bitstream remediation and compliance with required regulatory + standards for Flux CD. + features: true + +theme: + name: material + #logo: images/flux-logo.png + #favicon: images/flux-logo.png + language: en + custom_dir: docs/theme/ + palette: + - media: "(prefers-color-scheme: light)" + scheme: default + primary: indigo + accent: blue + toggle: + icon: material/brightness-7 + name: Switch to dark mode + - media: "(prefers-color-scheme: dark)" + scheme: slate + primary: indigo + accent: blue + toggle: + icon: material/brightness-4 + name: Switch to light mode + features: + - content.code.copy + - navigation.sections + - navigation.top + - navigation.tabs + +extra: + social: + - icon: fontawesome/brands/square-x-twitter + link: https://x.com/controlplaneio + - icon: fontawesome/brands/linkedin + link: https://www.linkedin.com/company/controlplane/mycompany/ + +docs_dir: docs + +plugins: + - search + +markdown_extensions: + - attr_list + - md_in_html + - admonition + - meta + - codehilite + - pymdownx.tilde + - pymdownx.progressbar + - pymdownx.tasklist + - pymdownx.superfences + - pymdownx.tabbed: + alternate_style: true + - pymdownx.superfences: + custom_fences: + - name: mermaid + class: mermaid + format: !!python/name:pymdownx.superfences.fence_code_format + - pymdownx.emoji: + emoji_index: 
!!python/name:material.extensions.emoji.twemoji + emoji_generator: !!python/name:material.extensions.emoji.to_svg + +nav: + - Home: index.md + - Flux Distribution: + - Introduction: distribution/introduction.md + - Installation: distribution/install.md + - Security: distribution/security.md + - Versions: + - Release v2.3: releases/release-v2.3.md + - Release v2.2: releases/release-v2.2.md + - Flux Operator: + - Introduction: operator/introduction.md + - Installation: operator/install.md + - API Reference: + - FluxInstance: operator/fluxinstance.md + - Pricing: pricing/index.md
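Review bot: In docs/releases/release-v2.2.md, the HelmRelease row of the Promotions table lists v2beta2 as both the New Version and the Deprecated Version, so the row does not say which version is being retired. The Alert and Provider rows above it pair v1beta3 with v1beta2. The HelmRelease deprecated column should name the version that v2beta2 replaces (presumably v2beta1), so readers can tell which manifests need migrating.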
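Review bot: In docs/theme/home.html, the Supply Chain Security feature text reads "SLSA Build Level 3, SMBOs and VEX support"; "SMBOs" looks like a transposition of "SBOMs", which is how the Hardened Flux controllers item in the same list spells it. Since this is the landing page copy, fix it before publishing. The file also ends with `\ No newline at end of file`; add the trailing newline.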
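Review bot: In mkdocs.yml, `markdown_extensions` lists `pymdownx.superfences` twice, once bare and once with `custom_fences`; drop the bare entry so the extension is configured in one place. `site_author: ControlPLane` has a stray capital L. The `nav` also points at index.md, distribution/introduction.md, distribution/security.md, operator/install.md and operator/fluxinstance.md, none of which are added by the hunks visible in this patch; confirm they already exist or land together with this change, otherwise the navigation will reference missing pages.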