When a policy refers to a repository in a different namespace, the controller checks if the policy namespace labels match any of the selectors defined on the ImageRepository object. If the namespace where the policy resides, doesn't have labels or the labels don't match the repository ACL, then the controller sets the policy ready status to false and the reason to AccessDenied. The access denied error message is set on the ready condition message and logged before the controller rejects the policy.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
- add `AccessFrom` to ImageRepositorySpec for granting cross-namespace access to repositories
- change `ImageRepositoryRef` type from local reference to namespaced reference
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Since the schema and semantics haven't changed, this is just the guide
for v1alpha2 with the version changed.
Signed-off-by: Michael Bridgen <michael@weave.works>
The schema is the same, which means this is a case of
- copying over the type definitions;
- changing the "stored" CRD version;
- giving a CRD conversion of None, meaning just change the apiVersion;
- using the new API package in the controller code;
- moving the API docs to v1beta1
Signed-off-by: Michael Bridgen <michael@weave.works>
A more verbose message associated with the error should give the user
better understanding of the cause and the nature of the failure.
Fixes#143
Signed-off-by: Aurel Canciu <aurelcanciu@gmail.com>
The errors generated by ImagePolicy resources having invalid tag filter
regex patterns were not being reported to the user correctly, no event
was recorded and the ReadyCondition message did not reflect the
encountered error.
Fixes#138
Signed-off-by: Aurel Canciu <aurelcanciu@gmail.com>
This was accidentally done while mirroring the work done on the
image-automation-controller. It technically should not hurt, but
should not be either.
Signed-off-by: Hidde Beydals <hello@hidde.co>
The image automation part of the API has changed structure (see [1]),
and had a version bump from `v1alpha1` to `v1alpha2`. Since the types
here are also in `image.toolkit.fluxcd.io`, there will be less
complication if they also get a version bump even though they aren't
changing.
[1] https://github.com/fluxcd/image-automation-controller/pull/139
Signed-off-by: Michael Bridgen <michael@weave.works>
Stefan Prodan