Validates that the ObjectLevelWorkloadIdentity feature gate is enabled
when default kubeconfig service account flags are set. This prevents
misconfiguration where lockdown flags are used without enabling
the required feature gate.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Adds a new controller flag to enforce ServiceAccount usage in
multi-tenant clusters where administrators need to lock down workload
identity access:
- --default-kubeconfig-service-account
This flag complements the existing --default-service-account flag to
provide multi-tenancy lockdown coverage for kubeconfig ServiceAccount
fields in the HelmRelease API.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Update kustomize from v5.6.0 to v5.7.0 for consistency across
FluxCD components, aligning with the kustomize-controller
update that addresses issues with multiple $patch: delete
strategic merge patches in a single patch file.
Updated dependencies:
- sigs.k8s.io/kustomize/api v0.19.0 -> v0.20.0
- sigs.k8s.io/kustomize/kyaml v0.19.0 -> v0.20.0
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
As described at https://go.dev/wiki/Deprecated, the `Deprecated` comments shall start a new paragraph. This way, the deprecation is also visible to other tools like staticcheck and vscode.
Signed-off-by: Martin Hoffmann <hoffimar@gmail.com>
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
(chore): adds commonAnnotations and commonLabels to kustomize
If applied, this commit will pass the common labels and annotations specified in the postRenderers kustomization, which get propagated to all resources.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): generates updated api-docs
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): adds common metadata to spec
HelmRelease postRenderer uses the `CommonMetadata` struct from kustomize controller to have a common CRD specification usage across flux API types.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): update helm release post renderer
HelmRelease kustomize post renderer uses the CommonMetadata type from kustomize controller to propagate common labels and annotations across all resources. Labels are not propagated to `selector.matchLabels`.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): generates updated CRD and api docs
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): adds common metadata types
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): removes common metadata
removes the insertion of common metadata info in `Kustomize.Run()`
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): adds common-metadata types
This commit adds CommonMetadata to the HelmRelease spec as an optional field; when used, it will run a helm postRenderer to add the specified labels and annotations to the resources contained in the helm template. The digest of the common metadata is stored as ObservedCommonMetadataDigest in the resource status.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): common post-renderer
This commit combines common metadata rendering and origin labels rendering into common_renderer.go with re-usable methods for the label transformer and annotation transformer. Precedence is given to origin labels rendering over common metadata rendering.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): trigger upgrade on commonMetadata value changes
This commit ensures that a change to the commonMetadata value after install triggers an upgrade action to re-render the new commonMetadata values into the helm release. The digest of the commonMetadata values is stored in .status.ObservedCommonMetadataDigest for release state out-of-sync detection.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(fix): adheres to import ordering
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(fix): revert go mod updates
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): updates copyright headers
Co-authored-by: Stefan Prodan <stefan.prodan@gmail.com>
Signed-off-by: Abhijith Ravindra <137736216+abhijith-darshan@users.noreply.github.com>
(chore): adds copyright headers
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): updates copyright headers
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): keep go mod in sync with upstream/main
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): adds common metadata documentation
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): fix precedence of label application
This commit will ensure that OriginLabels run last so that they have a higher precedence over CommonMetadata.Labels.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>