Fixes https://github.com/fluxcd/image-reflector-controller/issues/225
This PR adds a finalizer to the ImagePolicy and ImageRepository resources. This is to properly record the Deleted reconciliation status when the object is deleted from the cluster. Without this change, the resource would be deleted before the image reflector controller has a chance to properly report the resource's status in the metrics. As a result, end-users may see falsely reported metrics.
Signed-off-by: Kaden Nelson <kaden_l_nelson@apple.com>
This uses the helper in fluxcd/runtime/acl to bind the cross-ns flag,
passes it to the controller, and checks it when resolving the
potentially cross-namespace reference.
Signed-off-by: Michael Bridgen <michael@weave.works>
This commit replaces the local ACL-related API types, and the func for
checking access, with their standardised forms in fluxcd/pkg/apis/acl
and fluxcd/pkg/runtime/acl respectively.
The test case for "When the ACL is empty, it denies access" needed
adjustment because the zero value of acl.AccessFrom is not valid -- it
needs an explicit list of namespace selectors. Providing `nil` in the
test case is the equivalent of providing a zero value.
Signed-off-by: Michael Bridgen <michael@weave.works>
The imageRepoKey only contains the name of the ImageRepository resource.
This change uses the namespaced name to avoid collisions.
Signed-off-by: Aurel Canciu <aurelcanciu@gmail.com>
Cross-namespace ImageRepository resources should trigger reconciles for
ImagePolicies that refer to them. Previously, this was only done for
resources in the same namespace.
Fixes #195
Signed-off-by: Aurel Canciu <aurelcanciu@gmail.com>
This adds an error check after creating a Policer.
For alphabetical and numerical policies, the k8s API validates the
input data. But for semver policy, there aren't predefined valid
values.
Adds a test to verify the fix.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
When a policy refers to a repository in a different namespace, the controller checks if the policy namespace labels match any of the selectors defined on the ImageRepository object. If the namespace where the policy resides doesn't have labels or the labels don't match the repository ACL, then the controller sets the policy ready status to false and the reason to AccessDenied. The access denied error message is set on the ready condition message and logged before the controller rejects the policy.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
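
Added example, not part of the commit or of the controller's code: a standard-library-only Go model of the cross-namespace check described in the commit message above, including the deny-on-empty-ACL behaviour and the cross-namespace flag mentioned in other commits on this page. The type and function names (`Repo`, `CheckAccess`, `noCrossNS`) are hypothetical, and only `matchLabels`-style selectors are modelled.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for the controller's ACL types (matchLabels only).
type NamespaceSelector struct{ MatchLabels map[string]string }
type AccessFrom struct{ NamespaceSelectors []NamespaceSelector }
type Repo struct {
	Namespace  string
	AccessFrom *AccessFrom // nil: no ACL configured on the repository
}

var ErrAccessDenied = errors.New("AccessDenied")

// matches reports whether every pair in the selector is present in labels.
// A selector with no pairs matches any namespace, as Kubernetes selectors do.
func matches(sel NamespaceSelector, labels map[string]string) bool {
	for k, v := range sel.MatchLabels {
		if got, ok := labels[k]; !ok || got != v {
			return false
		}
	}
	return true
}

// CheckAccess decides whether a policy in policyNS (labelled nsLabels) may use repo.
func CheckAccess(repo Repo, policyNS string, nsLabels map[string]string, noCrossNS bool) error {
	if policyNS == repo.Namespace {
		return nil // assumption: same-namespace references bypass the ACL
	}
	if noCrossNS {
		return fmt.Errorf("%w: cross-namespace references are disabled", ErrAccessDenied)
	}
	if repo.AccessFrom == nil || len(repo.AccessFrom.NamespaceSelectors) == 0 {
		return fmt.Errorf("%w: repository in %q defines no ACL", ErrAccessDenied, repo.Namespace)
	}
	for _, sel := range repo.AccessFrom.NamespaceSelectors {
		if matches(sel, nsLabels) {
			return nil
		}
	}
	return fmt.Errorf("%w: labels of namespace %q match no selector", ErrAccessDenied, policyNS)
}

func main() { // constructed sample: an unlabelled namespace is rejected
	repo := Repo{"registry", &AccessFrom{[]NamespaceSelector{{map[string]string{"team": "payments"}}}}}
	fmt.Println(CheckAccess(repo, "apps", nil, false))
}
```
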
The schema is the same, which means this is a case of
- copying over the type definitions;
- changing the "stored" CRD version;
- giving a CRD conversion of None, meaning just change the apiVersion;
- using the new API package in the controller code;
- moving the API docs to v1beta1
Signed-off-by: Michael Bridgen <michael@weave.works>
A more verbose message associated with the error should give the user
better understanding of the cause and the nature of the failure.
Fixes #143
Signed-off-by: Aurel Canciu <aurelcanciu@gmail.com>
The errors generated by ImagePolicy resources having invalid tag filter
regex patterns were not being reported to the user correctly, no event
was recorded and the ReadyCondition message did not reflect the
encountered error.
Fixes #138
Signed-off-by: Aurel Canciu <aurelcanciu@gmail.com>
The image automation part of the API has changed structure (see [1]),
and had a version bump from `v1alpha1` to `v1alpha2`. Since the types
here are also in `image.toolkit.fluxcd.io`, there will be less
complication if they also get a version bump even though they aren't
changing.
[1] https://github.com/fluxcd/image-automation-controller/pull/139
Signed-off-by: Michael Bridgen <michael@weave.works>
Tag regex filtering allows the user to filter tags based on a regular
expression pattern and enables tag version extraction through capture
group replacement reference.
Fixes #73
Signed-off-by: Aurel Canciu <aurelcanciu@gmail.com>
This commit upgrades the `controller-runtime` dependency to `v0.7.0`,
including all changes required to make all wiring work again.
- Upgrade `runtime` to v0.6.0 to include `controller-runtime` changes.
- Logger has been removed from the reconciler, and is now retrieved
from the `context.Context` passed to the `Reconcile` method and
downwards functions.
- Logger configuration flags are now bound to the flag set using
`BindFlags` from `runtime/logger`, ensuring the same contract across
GitOps Toolkit controllers, and the `--log-json` flag has been
deprecated in favour of the `--log-encoding=json` default.
- The `ChangePredicate` from `runtime` has changed to a
`ReconcilateAtChangedPredicate`, and is now chained with the
`GenerationChangedPredicate` from `controller-runtime` using
`predicate.Or`.
- Signatures that made use of `runtime.Object` have changed to
`client.Object`, removing the requirement to e.g. call
`runtime.Object#Object`.
- The `leader-election-role` was changed, as leader election now works
via the `coordination/v1` API.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This implementation allows one to set a `MatchTagPrefix` to filter a
list of tags and/or use `Order` to set the ordering rule by which tags
are evaluated.
Signed-off-by: Aurel Canciu <aurelcanciu@gmail.com>
This introduces a key/value store for tags, with the keys being the
images and the values being JSON encoded versions of the tags.
The Badger data is stored in a PVC.
Signed-off-by: Kevin McDermott <bigkevmcd@gmail.com>
Previously the image policy controller, having worked through all the
preliminaries, would record a latest image if it found one, but
otherwise remain silent.
However, we also want to know if there _wasn't_ a latest image. So,
record a status in that case too.
Signed-off-by: Michael Bridgen <michael@weave.works>
This adds the conventional Conditions field to the ImagePolicy status,
and sets the status in the controller as well as reporting readiness
metrics.
Signed-off-by: Michael Bridgen <michael@weave.works>
This brings k8s/client-go, apimachinery, and so on up to 0.18 as a
consequence.
This commit also sets the version of the temporary (in case of it not
being on the path) controller-gen tool to 0.3.0.
This adds the details of calculating the latest image for a policy. It
relies on the ImageRepository and ImagePolicy controllers having a
shared database of image tags. Usually, this sort of thing would be
objects in the Kubernetes database; but since tags (and images) can
number in the tens of thousands per image, I'm using a separate
database. For the minute, it's just a map.