diff --git a/go.mod b/go.mod
index fd569d3..1efa195 100644
--- a/go.mod
+++ b/go.mod
@@ -20,12 +20,12 @@ require (
 github.com/fluxcd/pkg/apis/acl v0.8.0
 github.com/fluxcd/pkg/apis/event v0.18.0
 github.com/fluxcd/pkg/apis/meta v1.18.0
- github.com/fluxcd/pkg/auth v0.21.0
+ github.com/fluxcd/pkg/auth v0.26.0
 github.com/fluxcd/pkg/cache v0.10.0
 github.com/fluxcd/pkg/git v0.35.0
 github.com/fluxcd/pkg/git/gogit v0.38.0
 github.com/fluxcd/pkg/gittestserver v0.18.0
- github.com/fluxcd/pkg/runtime v0.79.0
+ github.com/fluxcd/pkg/runtime v0.80.0
 github.com/fluxcd/pkg/ssh v0.20.0
 github.com/fluxcd/source-controller/api v1.6.1
 github.com/go-git/go-billy/v5 v5.6.2
diff --git a/go.sum b/go.sum
index 27af2fc..9b7e79a 100644
--- a/go.sum
+++ b/go.sum
@@ -134,8 +134,8 @@ github.com/fluxcd/pkg/apis/event v0.18.0 h1:PNbWk9gvX8gMIi6VsJapnuDO+giLEeY+6olL
 github.com/fluxcd/pkg/apis/event v0.18.0/go.mod h1:7S/DGboLolfbZ6stO6dcDhG1SfkPWQ9foCULvbiYpiA=
 github.com/fluxcd/pkg/apis/meta v1.18.0 h1:ACHrMIjlcioE9GKS7NGk62KX4NshqNewr8sBwMcXABs=
 github.com/fluxcd/pkg/apis/meta v1.18.0/go.mod h1:97l3hTwBpJbXBY+wetNbqrUsvES8B1jGioKcBUxmqd8=
-github.com/fluxcd/pkg/auth v0.21.0 h1:ckAQqP12wuptXEkMY18SQKWEY09m9e6yI0mEMsDV15M=
-github.com/fluxcd/pkg/auth v0.21.0/go.mod h1:MXmpsXT97c874HCw5hnfqFUP7TsG8/Ss1vFrk8JccfM=
+github.com/fluxcd/pkg/auth v0.26.0 h1:jw128zPI4aRSvkGbFfAQcFNF3oK58P4rDdKIpj2/7yM=
+github.com/fluxcd/pkg/auth v0.26.0/go.mod h1:YEAHpBFuW5oLlH9ekuJaQdnJ2Q3A7Ny8kha3WY7QMnY=
 github.com/fluxcd/pkg/cache v0.10.0 h1:M+OGDM4da1cnz7q+sZSBtkBJHpiJsLnKVmR9OdMWxEY=
 github.com/fluxcd/pkg/cache v0.10.0/go.mod h1:pPXRzQUDQagsCniuOolqVhnAkbNgYOg8d2cTliPs7ME=
 github.com/fluxcd/pkg/git v0.35.0 h1:mAauhsdfxNW4yQdXviVlvcN/uCGGG0+6p5D1+HFZI9w=
@@ -144,8 +144,8 @@ github.com/fluxcd/pkg/git/gogit v0.38.0 h1:222KmjpKf9pxqi8rAtm1omDcpGTY4JkahLrAw
 github.com/fluxcd/pkg/git/gogit v0.38.0/go.mod h1:kHStdfd/AtkH5ED0UEWP2tmMGnfxg1GG92D29M+lRJ0=
 github.com/fluxcd/pkg/gittestserver v0.18.0 h1:jkuLmzWFfq+v1ziI0LspZrUzc5WzCO98BaWb8OVRPtk=
 github.com/fluxcd/pkg/gittestserver v0.18.0/go.mod h1:2wDLqUkPuixk/8pGQdef9ewaGJXf7Z+xHDVq8PIFG4E=
-github.com/fluxcd/pkg/runtime v0.79.0 h1:9tv79EiQDx/QJH9mYDd9kZ9WybCVWBUGoiBHij+eKkc=
-github.com/fluxcd/pkg/runtime v0.79.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
+github.com/fluxcd/pkg/runtime v0.80.0 h1:vknT2vdQSGTFnAhz4xGk2ZXUWCrXh3whsISStgA57Go=
+github.com/fluxcd/pkg/runtime v0.80.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
 github.com/fluxcd/pkg/ssh v0.20.0 h1:Ak0laIYIc/L8lEfqls/LDWRW8wYPESGaravQsCRGLb8=
 github.com/fluxcd/pkg/ssh v0.20.0/go.mod h1:sRfAAkxx1GwCGjYirKPnTKdNkNrJRo9kqzWLVFXKv7E=
 github.com/fluxcd/pkg/version v0.9.0 h1:pQBHMt9TbnnTUzj3EoMhRi5JUkNBqrTBSAaoLG1ovUA=
diff --git a/internal/source/git.go b/internal/source/git.go
index 5f93eb1..995a0ae 100644
--- a/internal/source/git.go
+++ b/internal/source/git.go
@@ -204,7 +204,10 @@ func getAuthOpts(ctx context.Context, c client.Client, repo *sourcev1.GitReposit
 switch provider := repo.GetProvider(); provider {
 case sourcev1.GitProviderAzure: // If AWS or GCP are added in the future they can be added here separated by a comma.
 getCreds = func() (*authutils.GitCredentials, error) {
- var opts []auth.Option
+ opts := []auth.Option{
+ auth.WithClient(c),
+ auth.WithServiceAccountNamespace(srcOpts.objNamespace),
+ }
 if srcOpts.tokenCache != nil {
 involvedObject := cache.InvolvedObject{
@@ -227,8 +230,7 @@ func getAuthOpts(ctx context.Context, c client.Client, repo *sourcev1.GitReposit
 if repo.Spec.SecretRef == nil {
 return nil, fmt.Errorf("secretRef with github app data must be specified when provider is set to github: %w", ErrInvalidSourceConfiguration)
 }
- targetURL := fmt.Sprintf("%s://%s", u.Scheme, u.Host)
- authMethods, err := secrets.AuthMethodsFromSecret(ctx, secret, secrets.WithTargetURL(targetURL), secrets.WithTLSSystemCertPool())
+ authMethods, err := secrets.AuthMethodsFromSecret(ctx, secret, secrets.WithTLSSystemCertPool())
 if err != nil {
 return nil, err
 }
diff --git a/main.go b/main.go
index 528d089..9593e63 100644
--- a/main.go
+++ b/main.go
@@ -93,12 +93,15 @@ func main() {
 watchOptions helper.WatchOptions
 concurrent int
 tokenCacheOptions cache.TokenFlags
+ defaultServiceAccount string
 )
 flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
 flag.StringVar(&eventsAddr, "events-addr", "", "The address of the events receiver.")
 flag.StringVar(&healthAddr, "health-addr", ":9440", "The address the health endpoint binds to.")
 flag.IntVar(&concurrent, "concurrent", 4, "The number of concurrent resource reconciles.")
+ flag.StringVar(&defaultServiceAccount, auth.ControllerFlagDefaultServiceAccount,
+ "", "Default service account to use for workload identity when not specified in resources.")
 flag.StringSliceVar(&git.KexAlgos, "ssh-kex-algos", []string{}, "The list of key exchange algorithms to use for ssh connections, arranged from most preferred to the least.")
 flag.StringSliceVar(&git.HostKeyAlgos, "ssh-hostkey-algos", []string{},
@@ -115,6 +118,10 @@ func main() {
 flag.Parse()
+ if defaultServiceAccount != "" {
+ auth.SetDefaultServiceAccount(defaultServiceAccount)
+ }
+
 logger.SetLogger(logger.NewLogger(logOptions))
 err := featureGates.WithLogger(setupLog).
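Review bot: The GitHub App branch now calls `secrets.AuthMethodsFromSecret` without `secrets.WithTargetURL`, but nothing in the hunk records why the repository scheme and host are no longer needed there; a one-line comment above the call would spare the next reader a trip through the fluxcd/pkg/secrets history, e.g. `// Target URL intentionally not passed for GitHub App auth: <reason>`. If `WithTargetURL` previously tied the returned auth methods or the TLS setup to `u.Scheme`/`u.Host`, confirm that dropping it does not loosen where the App credentials can be presented — that cannot be judged from this hunk alone. With `targetURL` removed, `u` must still be used elsewhere in the function, otherwise the build fails on an unused variable. getAuthOpts starts and ends outside the hunk.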