yafu

module
v0.0.0-...-77320a0 Latest
Published: May 5, 2026 License: MIT

README

yafu — Yet Another Flux UI


A modern, open-source web UI for FluxCD — see your fleet, inspect drift, and trigger reconciles across every cluster you run Flux in, from a single dashboard.

[Screenshot: Applications list] Applications — every Kustomization and HelmRelease across the fleet, with sync status, source, and last revision.

[Screenshot: Side-by-side Git vs cluster diff] Drift diff — what's in Git versus what's actually on the cluster, side-by-side, with the changed fields highlighted.

What yafu does

  • Fleet view — every registered cluster with health, Flux version, ready/total resource counts, and reachability at a glance.
  • Apps — unified list of Kustomizations and HelmReleases with source refs, last-applied revision, suspend state, and drift status. Per-app: revision history, inventory tree, live drift diff, rendered Git-vs-cluster diff (kustomize / helm), pod logs (SSE-streamed), raw manifest.
  • Sources: GitRepository, OCIRepository, HelmRepository, Bucket.
  • Alerts & events — Flux Alerts with provider resolution and Kubernetes events filtered to the resource you're looking at.
  • Image updates: ImageRepository status (image-policy and image-update-automation views land in v0.2).
  • Mutations — trigger reconcile, suspend, and resume from the UI on Kustomizations, HelmReleases, and source resources. Audited.
  • Multi-cluster — list endpoints fan out to every registered cluster in parallel; per-cluster errors come back in a partial-success envelope so one slow cluster doesn't break the page.
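
The fan-out behaviour in the Multi-cluster item can be sketched as follows. This is an added example, not yafu's code: the Envelope shape, FanOut and the constructed list backend are assumptions made for illustration.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"time"
)

// Envelope is a hypothetical partial-success shape, not yafu's actual DTO.
type Envelope struct {
	Items  []string          // rows from clusters that answered in time
	Errors map[string]string // cluster name -> why it is missing from Items
}

// FanOut queries every cluster in parallel, each under its own deadline.
func FanOut(ctx context.Context, clusters []string, perCluster time.Duration, list func(context.Context, string) ([]string, error)) Envelope {
	env := Envelope{Errors: map[string]string{}}
	items, errs := make([][]string, len(clusters)), make([]error, len(clusters))
	var wg sync.WaitGroup
	for i, c := range clusters {
		wg.Add(1)
		go func(i int, c string) { // each goroutine writes only its own slot
			defer wg.Done()
			cctx, cancel := context.WithTimeout(ctx, perCluster)
			defer cancel()
			items[i], errs[i] = list(cctx, c)
		}(i, c)
	}
	wg.Wait()
	for i, c := range clusters { // merge in input order; failures go to Errors
		if errs[i] != nil {
			env.Errors[c] = errs[i].Error()
			continue
		}
		env.Items = append(env.Items, items[i]...)
	}
	return env
}

func main() { // constructed backend: "slow" hangs until its deadline expires
	list := func(ctx context.Context, c string) ([]string, error) {
		if c == "slow" {
			<-ctx.Done()
			return nil, ctx.Err()
		}
		return []string{c + "/flux-system/apps"}, nil
	}
	fmt.Printf("%+v\n", FanOut(context.Background(), []string{"prod", "slow"}, 50*time.Millisecond, list))
}
```

A list function that ignores its context would still block FanOut, so the per-cluster client has to propagate the deadline.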

Status

Pre-release. The feature set above is implemented and covered by unit, integration, and a kind-based end-to-end test. No tagged release yet — see CHANGELOG.md.

Quick start

# 1. Install on a cluster that already runs Flux
helm install yafu oci://ghcr.io/guipguia/charts/yafu \
  --version 0.1.0 \
  --namespace yafu-system \
  --create-namespace

# 2. Register the cluster yafu itself runs in
kubectl apply -f examples/cluster-incluster.yaml

# 3. Open the UI
kubectl -n yafu-system port-forward svc/yafu 8080:80
open http://localhost:8080

⚠️ The default install runs in anonymous auth mode — every request is treated as authenticated. Fine for local evaluation, not for any deployment reachable from outside the cluster. See Authentication for OIDC setup.

Full step-by-step install: docs/install.md.

Architecture

yafu is a single Go binary that:

  • Watches yafu.io/v1alpha1.Cluster CRs to discover registered clusters and builds a typed client-go client per cluster.
  • Serves a JSON API at /api/v1/* (OpenAPI: api/openapi.yaml).
  • Embeds a React + Vite + TypeScript frontend (TanStack Query, MUI-free).
  • Authenticates via three pluggable modes: anonymous, header-trust, or native OIDC (authorization code with PKCE).
  • Authorises via a YAML policy file matching subject + verb + cluster glob.
  • Emits Prometheus metrics, structured JSON logs, an OTLP trace stream, and a JSON audit log on stdout.
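
One way to evaluate a subject + verb + cluster-glob policy with default deny, as an added example that is not yafu's own authoriser. The Rule fields and the Allowed function are hypothetical, and the rules are built in Go rather than loaded from the YAML policy file.

```go
package main

import (
	"fmt"
	"path"
)

// Rule is a hypothetical policy entry; field names are assumptions, not yafu's schema.
type Rule struct {
	Subjects []string // exact subject names as asserted by the auth mode
	Verbs    []string // e.g. "list", "reconcile"; "*" means any verb
	Clusters []string // glob patterns over registered cluster names
}

// has reports whether list contains v exactly.
func has(list []string, v string) bool {
	for _, s := range list {
		if s == v {
			return true
		}
	}
	return false
}

// globAny fails closed: a malformed pattern (path.Match error) is no match.
func globAny(patterns []string, name string) bool {
	for _, p := range patterns {
		if ok, err := path.Match(p, name); err == nil && ok {
			return true
		}
	}
	return false
}

// Allowed is default-deny; an empty subject never matches any rule.
func Allowed(rules []Rule, subject, verb, cluster string) bool {
	for _, r := range rules {
		verbOK := has(r.Verbs, verb) || has(r.Verbs, "*")
		if subject != "" && has(r.Subjects, subject) && verbOK && globAny(r.Clusters, cluster) {
			return true
		}
	}
	return false
}

func main() { // constructed rule and request
	rules := []Rule{{[]string{"alice@example.com"}, []string{"list"}, []string{"prod-*"}}}
	fmt.Println(Allowed(rules, "alice@example.com", "list", "prod-eu"))
}
```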

Deeper detail: docs/architecture.md. Threat model and trust boundaries: docs/threat-model.md.

Documentation

Development

make install        # go mod download + npm install
make dev            # Go server (:8080) + Vite dev server (:5173) in parallel
make test           # Go unit tests + vitest
make e2e            # kind + Flux + yafu, ~5 min
make lint           # go vet, golangci-lint, eslint, prettier, tsc

make dev runs against your current ~/.kube/config (file mode); the embedded UI is bypassed so frontend changes hot-reload at http://localhost:5173.

Compatibility

  • Kubernetes: v1.27+
  • Flux: v2.0+ (controller API groups kustomize.toolkit.fluxcd.io/v1, helm.toolkit.fluxcd.io/v2, source.toolkit.fluxcd.io/v1, notification.toolkit.fluxcd.io/v1beta3, image.toolkit.fluxcd.io/v1beta2)

Contributing

Issues and PRs welcome. See CONTRIBUTING.md and CODE_OF_CONDUCT.md. Security disclosures: SECURITY.md.

License

MIT — see LICENSE.

Directories

Path Synopsis
api
v1alpha1
Package v1alpha1 contains API Schema definitions for the yafu.io v1alpha1 API group.
cmd
yafu command
internal
api
api/types
Package types defines the JSON DTOs the HTTP API serves to the frontend.
audit
Package audit emits one structured JSON record per privileged action (today: every reconcile/suspend/resume mutation; later: every denied request and every config change).
auth
Package auth handles authentication of HTTP requests and exposes the resulting Identity to downstream handlers via the request context.
metrics
Package metrics owns the Prometheus metrics yafu exposes at /metrics.
render
Package render fetches FluxCD source-controller artifacts and renders them (via kustomize-build / helm-template) for the Git-vs-cluster diff endpoint.
reqid
Package reqid carries a per-request correlation ID through context so the access log, audit log, metrics, and downstream handlers all share one id without forcing import cycles between server / api / audit.
tracing
Package tracing wires OpenTelemetry distributed tracing for yafu.
watch
Package watch wires Kubernetes watch streams across the registered clusters into a single in-process event hub.
web
