From 07058a1f6019b4f72db6b7170a33af5bba7811a2 Mon Sep 17 00:00:00 2001
From: Matheus Pimenta
Date: Fri, 16 May 2025 13:56:58 +0100
Subject: [PATCH] [RFC-0010] Introduce feature gate

Signed-off-by: Matheus Pimenta
---
 api/go.mod | 2 +-
 api/go.sum | 4 +-
 go.mod | 23 ++++++++--
 go.sum | 46 ++++++++++++++++----
 internal/features/features.go | 9 +++-
 internal/source/git.go | 80 +++++++++++++++++++++++------------
 internal/source/git_test.go | 40 ++++++++----------
 main.go | 12 ++++--
 8 files changed, 148 insertions(+), 68 deletions(-)

diff --git a/api/go.mod b/api/go.mod
index 8f8ec97..b579c93 100644
--- a/api/go.mod
+++ b/api/go.mod
@@ -3,7 +3,7 @@ module github.com/fluxcd/image-automation-controller/api
 go 1.24.0
 
 require (
- github.com/fluxcd/pkg/apis/meta v1.11.0
+ github.com/fluxcd/pkg/apis/meta v1.12.0
 github.com/fluxcd/source-controller/api v1.5.0
 k8s.io/apimachinery v0.33.0
 sigs.k8s.io/controller-runtime v0.20.4
diff --git a/api/go.sum b/api/go.sum
index a4f152e..b1e5374 100644
--- a/api/go.sum
+++ b/api/go.sum
@@ -5,8 +5,8 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/fluxcd/pkg/apis/acl v0.7.0 h1:dMhZJH+g6ZRPjs4zVOAN9vHBd1DcavFgcIFkg5ooOE0= github.com/fluxcd/pkg/apis/acl v0.7.0/go.mod h1:uv7pXXR/gydiX4MUwlQa7vS8JONEDztynnjTvY3JxKQ= -github.com/fluxcd/pkg/apis/meta v1.11.0 h1:h8q95k6ZEK1HCfsLkt8Np3i6ktb6ZzcWJ6hg++oc9w0= -github.com/fluxcd/pkg/apis/meta v1.11.0/go.mod h1:+son1Va60x2eiDcTwd7lcctbI6C+K3gM7R+ULmEq1SI= +github.com/fluxcd/pkg/apis/meta v1.12.0 h1:XW15TKZieC2b7MN8VS85stqZJOx+/b8jATQ/xTUhVYg= +github.com/fluxcd/pkg/apis/meta v1.12.0/go.mod h1:+son1Va60x2eiDcTwd7lcctbI6C+K3gM7R+ULmEq1SI= github.com/fluxcd/source-controller/api v1.5.0 h1:caSR+u/r2Vh0jq/0pNR0r1zLxyvgatWuGSV2mxgTB/I= github.com/fluxcd/source-controller/api v1.5.0/go.mod h1:OZPuHMlLH2E2mnj6Q5DLkWfUOmJ20zA1LIvUVfNsYl8= github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vtxU= diff --git a/go.mod b/go.mod index f4b5c3e..2dfe314 100644 --- a/go.mod +++ b/go.mod @@ -19,11 +19,11 @@ require ( github.com/fluxcd/image-reflector-controller/api v0.34.0 github.com/fluxcd/pkg/apis/acl v0.7.0 github.com/fluxcd/pkg/apis/event v0.17.0 - github.com/fluxcd/pkg/apis/meta v1.11.0 - github.com/fluxcd/pkg/auth v0.12.0 + github.com/fluxcd/pkg/apis/meta v1.12.0 + github.com/fluxcd/pkg/auth v0.14.0 github.com/fluxcd/pkg/cache v0.9.0 - github.com/fluxcd/pkg/git v0.29.0 - github.com/fluxcd/pkg/git/gogit v0.31.0 + github.com/fluxcd/pkg/git v0.31.0 + github.com/fluxcd/pkg/git/gogit v0.33.0 github.com/fluxcd/pkg/gittestserver v0.17.0 github.com/fluxcd/pkg/runtime v0.59.0 github.com/fluxcd/pkg/ssh v0.18.0 
@@ -45,6 +45,7 @@ require (
 )
 
 require (
+ cloud.google.com/go/compute/metadata v0.6.0 // indirect
 dario.cat/mergo v1.0.1 // indirect
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 // indirect
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.9.0 // indirect
@@ -55,6 +56,20 @@ require (
 github.com/Masterminds/goutils v1.1.1 // indirect
 github.com/Masterminds/semver/v3 v3.3.0 // indirect
 github.com/Microsoft/go-winio v0.6.2 // indirect
+ github.com/aws/aws-sdk-go-v2 v1.36.3 // indirect
+ github.com/aws/aws-sdk-go-v2/config v1.29.14 // indirect
+ github.com/aws/aws-sdk-go-v2/credentials v1.17.67 // indirect
+ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ecr v1.43.3 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect
+ github.com/aws/smithy-go v1.22.2 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/blang/semver/v4 v4.0.0 // indirect
 github.com/bradleyfalzon/ghinstallation/v2 v2.15.0 // indirect
diff --git a/go.sum b/go.sum
index b461f30..93efae2 100644
--- a/go.sum
+++ b/go.sum
@@ -1,3 +1,5 @@ +cloud.google.com/go/compute/metadata v0.6.0 h1:A6hENjEsCDtC1k8byVsgwvVcioamEHvZ4j01OwKxG9I= +cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg= dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s= dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk= 
@@ -33,6 +35,34 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFI github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= +github.com/aws/aws-sdk-go-v2 v1.36.3 h1:mJoei2CxPutQVxaATCzDUjcZEjVRdpsiiXi2o38yqWM= +github.com/aws/aws-sdk-go-v2 v1.36.3/go.mod h1:LLXuLpgzEbD766Z5ECcRmi8AzSwfZItDtmABVkRLGzg= +github.com/aws/aws-sdk-go-v2/config v1.29.14 h1:f+eEi/2cKCg9pqKBoAIwRGzVb70MRKqWX4dg1BDcSJM= +github.com/aws/aws-sdk-go-v2/config v1.29.14/go.mod h1:wVPHWcIFv3WO89w0rE10gzf17ZYy+UVS1Geq8Iei34g= +github.com/aws/aws-sdk-go-v2/credentials v1.17.67 h1:9KxtdcIA/5xPNQyZRgUSpYOE6j9Bc4+D7nZua0KGYOM= +github.com/aws/aws-sdk-go-v2/credentials v1.17.67/go.mod h1:p3C44m+cfnbv763s52gCqrjaqyPikj9Sg47kUVaNZQQ= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 h1:x793wxmUWVDhshP8WW2mlnXuFrO4cOd3HLBroh1paFw= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30/go.mod h1:Jpne2tDnYiFascUEs2AWHJL9Yp7A5ZVy3TNyxaAjD6M= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 h1:ZK5jHhnrioRkUNOc+hOgQKlUL5JeC3S6JgLxtQ+Rm0Q= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34/go.mod h1:p4VfIceZokChbA9FzMbRGz5OV+lekcVtHlPKEO0gSZY= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 h1:SZwFm17ZUNNg5Np0ioo/gq8Mn6u9w19Mri8DnJ15Jf0= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34/go.mod h1:dFZsC0BLo346mvKQLWmoJxT+Sjp+qcVR1tRVHQGOH9Q= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo= +github.com/aws/aws-sdk-go-v2/service/ecr v1.43.3 h1:YyH8Hk73bYzdbvf6S8NF5z/fb/1stpiMnFSfL6jSfRA= 
+github.com/aws/aws-sdk-go-v2/service/ecr v1.43.3/go.mod h1:iQ1skgw1XRK+6Lgkb0I9ODatAP72WoTILh0zXQ5DtbU= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 h1:eAh2A4b5IzM/lum78bZ590jy36+d/aFLgKF/4Vd1xPE= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3/go.mod h1:0yKJC/kb8sAnmlYa6Zs3QVYqaC8ug2AbnNChv5Ox3uA= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 h1:dM9/92u2F1JbDaGooxTq18wmmFzbJRfXfVfy96/1CXM= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15/go.mod h1:SwFBy2vjtA0vZbjjaFtfN045boopadnoVPhu4Fv66vY= +github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 h1:1Gw+9ajCV1jogloEv1RRnvfRFia2cL6c9cuKV2Ps+G8= +github.com/aws/aws-sdk-go-v2/service/sso v1.25.3/go.mod h1:qs4a9T5EMLl/Cajiw2TcbNt2UNo/Hqlyp+GiuG4CFDI= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 h1:hXmVKytPfTy5axZ+fYbR5d0cFmC3JvwLm5kM83luako= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1/go.mod h1:MlYRNmYu/fGPoxBQVvBYr9nyr948aY/WLUvwBMBJubs= +github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 h1:1XuUZ8mYJw9B6lzAkXhqHlJd/XvaX32evhproijJEZY= +github.com/aws/aws-sdk-go-v2/service/sts v1.33.19/go.mod h1:cQnB8CUnxbMU82JvlqjKR2HBOm3fe9pWorWBza6MBJ4= +github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ= +github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= 
@@ -86,16 +116,16 @@ github.com/fluxcd/pkg/apis/acl v0.7.0 h1:dMhZJH+g6ZRPjs4zVOAN9vHBd1DcavFgcIFkg5o github.com/fluxcd/pkg/apis/acl v0.7.0/go.mod h1:uv7pXXR/gydiX4MUwlQa7vS8JONEDztynnjTvY3JxKQ= github.com/fluxcd/pkg/apis/event v0.17.0 h1:foEINE++pCJlWVhWjYDXfkVmGKu8mQ4BDBlbYi5NU7M= github.com/fluxcd/pkg/apis/event v0.17.0/go.mod h1:0fLhLFiHlRTDKPDXdRnv+tS7mCMIQ0fJxnEfmvGM/5A= -github.com/fluxcd/pkg/apis/meta v1.11.0 h1:h8q95k6ZEK1HCfsLkt8Np3i6ktb6ZzcWJ6hg++oc9w0= -github.com/fluxcd/pkg/apis/meta v1.11.0/go.mod h1:+son1Va60x2eiDcTwd7lcctbI6C+K3gM7R+ULmEq1SI= -github.com/fluxcd/pkg/auth v0.12.0 h1:35o0ziYMLZVgJwNvJBGsv/wd903B2fMagcrnm1ptUjc= -github.com/fluxcd/pkg/auth v0.12.0/go.mod h1:gQD2VT5OhIR1E8ZTEsTaho3bDQZidr9P10smH/awcew= +github.com/fluxcd/pkg/apis/meta v1.12.0 h1:XW15TKZieC2b7MN8VS85stqZJOx+/b8jATQ/xTUhVYg= +github.com/fluxcd/pkg/apis/meta v1.12.0/go.mod h1:+son1Va60x2eiDcTwd7lcctbI6C+K3gM7R+ULmEq1SI= +github.com/fluxcd/pkg/auth v0.14.0 h1:AA9nmbFzTN5jcGROJK51LvQoDetMrXJLAo4Sd6WHpFI= +github.com/fluxcd/pkg/auth v0.14.0/go.mod h1:o91WIZZshLooBALXY/MVn0mmdUw3eATrqGXrG1M7nTE= github.com/fluxcd/pkg/cache v0.9.0 h1:EGKfOLMG3fOwWnH/4Axl5xd425mxoQbZzlZoLfd8PDk= github.com/fluxcd/pkg/cache v0.9.0/go.mod h1:jMwabjWfsC5lW8hE7NM3wtGNwSJ38Javx6EKbEi7INU= -github.com/fluxcd/pkg/git v0.29.0 h1:MHQ4F53e6Xt8a/POkd/fiChgysnd/XqiuK7vOWXAXLk= -github.com/fluxcd/pkg/git v0.29.0/go.mod h1:Ygn+LfrK6Ok+85uiq6s3NWG5LcHS4KY7mzES2JDJsGY= -github.com/fluxcd/pkg/git/gogit v0.31.0 h1:A56cmtgJBkWAj+gXSOdhPMQVTx0VF91S0PUaqpMXN4g= -github.com/fluxcd/pkg/git/gogit v0.31.0/go.mod h1:ya8z22xTvAAdW12HycxKYv4S+G+lqu5Kx/LyO/jWz8Y= +github.com/fluxcd/pkg/git v0.31.0 h1:hVUJcRujNa+GA5zrjrMpuVcgHbCBjfq0CZIZJqJl22I= +github.com/fluxcd/pkg/git v0.31.0/go.mod h1:rUgLXVQGBkBggHOLVMhHMHaweQ8Oc6HwZiN2Zm08Zxs= +github.com/fluxcd/pkg/git/gogit v0.33.0 h1:JYKa3XqA91AX7/sKEgARO9VzkwouXWjUgpwudEZEWq0= +github.com/fluxcd/pkg/git/gogit v0.33.0/go.mod h1:EvsVYcB3KjfhpdoyU1sO9HuMH5Xt0cVhW49kFlZcFLY= 
 github.com/fluxcd/pkg/gittestserver v0.17.0 h1:JlBvWZQTDOI+np5Z+084m3DkeAH1hMusEybyRUDF63k=
 github.com/fluxcd/pkg/gittestserver v0.17.0/go.mod h1:E/40EmLoXcMqd6gLuLDC9F6KJxqHVGbBBeMNKk5XdxU=
 github.com/fluxcd/pkg/runtime v0.59.0 h1:3OrFkMJB39NcQ2vhhoxqls59sQVSn8U+thhyLbsQoA4=
diff --git a/internal/features/features.go b/internal/features/features.go
index 22d9fa9..0446a03 100644
--- a/internal/features/features.go
+++ b/internal/features/features.go
@@ -19,7 +19,10 @@ limitations under the License.
 // states.
 package features
 
-import feathelper "github.com/fluxcd/pkg/runtime/features"
+import (
+ "github.com/fluxcd/pkg/auth"
+ feathelper "github.com/fluxcd/pkg/runtime/features"
+)
 
 const (
 // GitForcePushBranch enables the use of "force push" when push branches
@@ -57,6 +60,10 @@ var features = map[string]bool{
 CacheSecretsAndConfigMaps: false,
 }
 
+func init() {
+ auth.SetFeatureGates(features)
+}
+
 // FeatureGates contains a list of all supported feature gates and
 // their default values.
 func FeatureGates() map[string]bool {
diff --git a/internal/source/git.go b/internal/source/git.go
index 22a1f00..0d86331 100644
--- a/internal/source/git.go
+++ b/internal/source/git.go
@@ -32,6 +32,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/client"
 
 "github.com/fluxcd/pkg/auth"
+ authutils "github.com/fluxcd/pkg/auth/utils"
 "github.com/fluxcd/pkg/cache"
 "github.com/fluxcd/pkg/git"
 "github.com/fluxcd/pkg/git/github"
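Review bot: The new `init` in the second features.go hunk passes the package-level `features` map to `auth.SetFeatureGates` without a comment saying whether the callee keeps a reference or copies it, and the same map is what `FeatureGates()` (body outside the hunk) hands out. It looks as though this call is how the auth package's own gates become visible to `features.Enabled`, since main.go in this patch queries `auth.FeatureGateObjectLevelWorkloadIdentity`, a key this file never declares — confirm against fluxcd/pkg/auth. Because Go maps are shared by reference, anything that later mutates `features` (flag parsing, tests) also changes what the auth package sees, and an `init` with a cross-package side effect hides that ordering from `main`; both points deserve a sentence. Suggested comment above `func init()`: `// init hands the feature gate map to fluxcd/pkg/auth by reference (not a copy) so both packages evaluate the same gate values.`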
@@ -183,41 +184,58 @@ func getAuthOpts(ctx context.Context, c client.Client, repo *sourcev1.GitReposit
 return nil, fmt.Errorf("failed to configure authentication options: %w", err)
 }
 
- var authOpts []auth.Option
+ var getCreds func() (*authutils.GitCredentials, error)
+ switch provider := repo.GetProvider(); provider {
+ case sourcev1.GitProviderAzure: // If AWS or GCP are added in the future they can be added here separated by a comma.
+ getCreds = func() (*authutils.GitCredentials, error) {
+ var opts []auth.Option
 
- if srcOpts.tokenCache != nil {
- involvedObject := cache.InvolvedObject{
- Kind: imagev1.ImageUpdateAutomationKind,
- Name: srcOpts.objName,
- Namespace: srcOpts.objNamespace,
- Operation: cache.OperationReconcile,
- }
- authOpts = append(authOpts, auth.WithCache(*srcOpts.tokenCache, involvedObject))
- }
+ if srcOpts.tokenCache != nil {
+ involvedObject := cache.InvolvedObject{
+ Kind: imagev1.ImageUpdateAutomationKind,
+ Name: srcOpts.objName,
+ Namespace: srcOpts.objNamespace,
+ Operation: cache.OperationReconcile,
+ }
+ opts = append(opts, auth.WithCache(*srcOpts.tokenCache, involvedObject))
+ }
 
- if proxyURL != nil {
- authOpts = append(authOpts, auth.WithProxyURL(*proxyURL))
- }
+ if proxyURL != nil {
+ opts = append(opts, auth.WithProxyURL(*proxyURL))
+ }
 
- switch repo.GetProvider() {
- case sourcev1.GitProviderAzure:
- opts.ProviderOpts = &git.ProviderOptions{
- Name: sourcev1.GitProviderAzure,
- AuthOpts: authOpts,
+ return authutils.GetGitCredentials(ctx, provider, opts...)
 }
 case sourcev1.GitProviderGitHub:
 // if provider is github, but secret ref is not specified
 if repo.Spec.SecretRef == nil {
 return nil, fmt.Errorf("secretRef with github app data must be specified when provider is set to github: %w", ErrInvalidSourceConfiguration)
 }
- opts.ProviderOpts = &git.ProviderOptions{
- Name: sourcev1.GitProviderGitHub,
- GitHubOpts: []github.OptFunc{
- github.WithAppData(data),
- github.WithProxyURL(proxyURL),
- github.WithCache(srcOpts.tokenCache, imagev1.ImageUpdateAutomationKind,
- srcOpts.objName, srcOpts.objNamespace, cache.OperationReconcile),
- },
+
+ getCreds = func() (*authutils.GitCredentials, error) {
+ var opts []github.OptFunc
+
+ if len(data) > 0 {
+ opts = append(opts, github.WithAppData(data))
+ }
+
+ if proxyURL != nil {
+ opts = append(opts, github.WithProxyURL(proxyURL))
+ }
+
+ if srcOpts.tokenCache != nil {
+ opts = append(opts, github.WithCache(srcOpts.tokenCache, imagev1.ImageUpdateAutomationKind,
+ srcOpts.objName, srcOpts.objNamespace, cache.OperationReconcile))
+ }
+
+ username, password, err := github.GetCredentials(ctx, opts...)
+ if err != nil {
+ return nil, err
+ }
+ return &authutils.GitCredentials{
+ Username: username,
+ Password: password,
+ }, nil
 }
 default:
 // analyze secret, if it has github app data, perhaps provider should have been github.
@@ -225,7 +243,15 @@ func getAuthOpts(ctx context.Context, c client.Client, repo *sourcev1.GitReposit
 return nil, fmt.Errorf("secretRef '%s/%s' has github app data but provider is not set to github: %w", repo.GetNamespace(), repo.Spec.SecretRef.Name, ErrInvalidSourceConfiguration)
 }
 }
-
+ if getCreds != nil {
+ creds, err := getCreds()
+ if err != nil {
+ return nil, fmt.Errorf("failed to configure authentication options: %w", err)
+ }
+ opts.BearerToken = creds.BearerToken
+ opts.Username = creds.Username
+ opts.Password = creds.Password
+ }
 return opts, nil
 }
 
diff --git a/internal/source/git_test.go b/internal/source/git_test.go
index c8915e5..67cc2db 100644
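Review bot: In the GitHub case, `github.WithAppData(data)` is now appended only when `len(data) > 0`, whereas the removed code always passed it; a GitHub-provider repository whose secret exists but carries no app data now reaches `github.GetCredentials` with no app data option at all, and whether that still fails with a clear message depends on the github package rather than on this function (`data` is built outside the hunk, and `getAuthOpts` begins and ends outside it). The `SecretRef == nil` check a few lines above already returns `ErrInvalidSourceConfiguration` for the analogous misconfiguration, so unless `GetCredentials` is known to reject a missing app ID itself, the empty-data case should be rejected the same way instead of being dropped silently: `if len(data) == 0 { return nil, fmt.Errorf("secretRef '%s/%s' has no github app data: %w", repo.GetNamespace(), repo.Spec.SecretRef.Name, ErrInvalidSourceConfiguration) }`. The comment hanging on the Azure case label (`// If AWS or GCP are added ...`) would read better as a sentence above the `switch`, but that is cosmetic.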
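Review bot: The error returned when `getCreds()` fails reuses the exact message already used at the top of the previous hunk (`failed to configure authentication options: %w`), so a log line cannot tell a proxy or secret configuration failure from a failed provider credential fetch. Suggested: `return nil, fmt.Errorf("failed to get git credentials for provider '%s': %w", repo.GetProvider(), err)`. `creds` is then dereferenced without a nil check; neither closure visibly returns `(nil, nil)`, but `authutils.GetGitCredentials` is opaque from here, so a `creds == nil` guard, or a comment stating that contract, would be cheap insurance. `getAuthOpts` begins outside the hunk.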
--- a/internal/source/git_test.go
+++ b/internal/source/git_test.go
@@ -18,7 +18,6 @@ package source
 
 import (
 "context"
- "errors"
 "fmt"
 "net/url"
 "testing"
@@ -143,12 +142,11 @@ func Test_getAuthOpts(t *testing.T) {
 
 func Test_getAuthOpts_providerAuth(t *testing.T) {
 tests := []struct {
- name string
- url string
- secret *corev1.Secret
- beforeFunc func(obj *sourcev1.GitRepository)
- wantProviderOptsName string
- wantErr error
+ name string
+ url string
+ secret *corev1.Secret
+ beforeFunc func(obj *sourcev1.GitRepository)
+ wantErr string
 }{
 {
 name: "azure provider",
@@ -156,7 +154,7 @@ func Test_getAuthOpts_providerAuth(t *testing.T) {
 beforeFunc: func(obj *sourcev1.GitRepository) {
 obj.Spec.Provider = sourcev1.GitProviderAzure
 },
- wantProviderOptsName: sourcev1.GitProviderAzure,
+ wantErr: "ManagedIdentityCredential",
 },
 {
 name: "github provider with no secret ref",
@@ -164,8 +162,7 @@ func Test_getAuthOpts_providerAuth(t *testing.T) {
 beforeFunc: func(obj *sourcev1.GitRepository) {
 obj.Spec.Provider = sourcev1.GitProviderGitHub
 },
- wantProviderOptsName: sourcev1.GitProviderGitHub,
- wantErr: errors.New("secretRef with github app data must be specified when provider is set to github: invalid source configuration"),
+ wantErr: "secretRef with github app data must be specified when provider is set to github: invalid source configuration",
 },
 {
 name: "github provider with secret ref that does not exist",
@@ -176,7 +173,7 @@ func Test_getAuthOpts_providerAuth(t *testing.T) {
 Name: "githubAppSecret",
 }
 },
- wantErr: errors.New("failed to get auth secret '/githubAppSecret': secrets \"githubAppSecret\" not found"),
+ wantErr: "failed to get auth secret '/githubAppSecret': secrets \"githubAppSecret\" not found",
 },
 {
 name: "github provider with github app data in secret",
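Review bot: The "azure provider" case in the `@@ -156` hunk now expects `"ManagedIdentityCredential"` in the error, which is presumably text produced by the Azure SDK when `getAuthOpts` issues a real managed identity token request and it fails; the outcome therefore depends on the runner's environment (a runner where the SDK finds identity configuration may take a different path) and on the SDK keeping that name in its error string. The `@@ -197` hunk on the next line does the same with `"Key must be a PEM encoded PKCS1 or PKCS8 key"`, which looks like a third-party key-parsing message, and the 2-second timeout added in the `@@ -251` hunk bounds the network attempt rather than replacing it with a test seam. Prefer asserting on text this package owns, or injecting a failing credential source, or at least document the dependency in the table, e.g. `// error text comes from the Azure SDK: the test issues a real, expected-to-fail managed identity request`. `Test_getAuthOpts_providerAuth` continues beyond this hunk.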
@@ -197,7 +194,7 @@ func Test_getAuthOpts_providerAuth(t *testing.T) {
 Name: "githubAppSecret",
 }
 },
- wantProviderOptsName: sourcev1.GitProviderGitHub,
+ wantErr: "Key must be a PEM encoded PKCS1 or PKCS8 key",
 },
 {
 name: "generic provider with github app data in secret",
@@ -216,7 +213,7 @@ func Test_getAuthOpts_providerAuth(t *testing.T) {
 Name: "githubAppSecret",
 }
 },
- wantErr: errors.New("secretRef '/githubAppSecret' has github app data but provider is not set to github: invalid source configuration"),
+ wantErr: "secretRef '/githubAppSecret' has github app data but provider is not set to github: invalid source configuration",
 },
 {
 name: "generic provider",
@@ -251,20 +248,19 @@ func Test_getAuthOpts_providerAuth(t *testing.T) {
 if tt.beforeFunc != nil {
 tt.beforeFunc(obj)
 }
- opts, err := getAuthOpts(context.TODO(), c, obj, SourceOptions{}, nil)
+ ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+ defer cancel()
+ opts, err := getAuthOpts(ctx, c, obj, SourceOptions{}, nil)
 
- if tt.wantErr != nil {
+ if tt.wantErr != "" {
 g.Expect(err).To(HaveOccurred())
- g.Expect(err.Error()).To(ContainSubstring(tt.wantErr.Error()))
+ g.Expect(err.Error()).To(ContainSubstring(tt.wantErr))
 } else {
 g.Expect(err).ToNot(HaveOccurred())
 g.Expect(opts).ToNot(BeNil())
- if tt.wantProviderOptsName != "" {
- g.Expect(opts.ProviderOpts).ToNot(BeNil())
- g.Expect(opts.ProviderOpts.Name).To(Equal(tt.wantProviderOptsName))
- } else {
- g.Expect(opts.ProviderOpts).To(BeNil())
- }
+ g.Expect(opts.BearerToken).To(BeEmpty())
+ g.Expect(opts.Username).To(BeEmpty())
+ g.Expect(opts.Password).To(BeEmpty())
 }
 })
 }
diff --git a/main.go b/main.go
index 7e0f682..430f0e7 100644
--- a/main.go
+++ b/main.go
@@ -35,6 +35,7 @@ import (
 metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 
 imagev1_reflect "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+ "github.com/fluxcd/pkg/auth"
 cache "github.com/fluxcd/pkg/cache"
 "github.com/fluxcd/pkg/runtime/acl"
 "github.com/fluxcd/pkg/runtime/client"
@@ -59,9 +60,6 @@ import (
 
 const (
 controllerName = "image-automation-controller"
-
- // recoverPanic indicates whether panic caused by reconciles should be recovered.
- recoverPanic = true
 )
 
 var (
@@ -126,6 +124,14 @@ func main() {
 os.Exit(1)
 }
 
+ switch enabled, err := features.Enabled(auth.FeatureGateObjectLevelWorkloadIdentity); {
+ case err != nil:
+ setupLog.Error(err, "unable to check feature gate "+auth.FeatureGateObjectLevelWorkloadIdentity)
+ os.Exit(1)
+ case enabled:
+ auth.EnableObjectLevelWorkloadIdentity()
+ }
+
 watchNamespace := ""
 if !watchOptions.AllNamespaces {
 watchNamespace = os.Getenv("RUNTIME_NAMESPACE")
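Review bot: The `case enabled:` branch in the last hunk turns on object-level workload identity without logging it, so an operator reading startup logs cannot tell whether the gate is active in a given deployment, even though the failure path beside it does log; unless the runtime features helper already prints enabled gates (not visible here), add `setupLog.Info("feature gate enabled", "gate", auth.FeatureGateObjectLevelWorkloadIdentity)` before `auth.EnableObjectLevelWorkloadIdentity()`. The deletion of the `recoverPanic` constant in the `@@ -59` hunk is unrelated to the feature gate and its former use site is not in this patch, so it is presumably already dead code; a line in the commit message, or a separate commit, would make that easier to audit. The bare `switch enabled, err := ...; {` is valid but reads like an `if`/`else if` chain in disguise; either form is fine as long as the file uses it consistently.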