Introduce the flag `--default-service-account` for allowing cluster admins to enforce impersonation for resources reconciliation.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Introduce the flag `--no-cross-namespace-refs` (defaults to false) for allowing cluster admins to disable cross-namespace references to sources.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
If implemented, the kustomize controller will be able to retrieve a
secret containing a VAULT TOKEN and use it to decrypt the sops encrypted
master key. It will then use it to decrypt the data key and finally use the data
key to decrypt the final data.
Signed-off-by: Soule BA <bah.soule@gmail.com>
Introduce `kustomize.toolkit.fluxcd.io/reconcile` annotation. When set to `disabled`, the controller will no longer apply changes from source, nor it will prune the annotated resource.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Changes from v1beta1:
- `spec.validation` removed (server-side validation is implicit)
- `spec.status.snapshot` replaced by `spec.status.inventory`
- `spec.patchesStrategicMerge` deprecated in favour of `spec.patches`
- `spec.patchesJson6902` deprecated in favour of `spec.patches`
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Add `values.yaml` to the supported kubeconfig secret key names in order for SOPS to correctly detect the storage format based on the file extension.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Allow patching multiple resources instead of a single existing one as
StrategicMerge & JSON6902 are forced to target existing named resources.
Signed-off-by: Guillaume Le Biller <glebiller@Traveldoo.com>
The spec.retryInterval is the interval at which to retry a previously failed reconciliation.
When not specified, it defaults to the spec.interval value.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
As due to secure joins, the requirement on both providing a path
and/or requiring it to be in a certain format offers little value
over the UX experience of not having to provide it when you just
want to reconcile whatever can be found in the root of the source
reference.
Signed-off-by: Hidde Beydals <hello@hidde.co>
Drop the ServiceAccount field in favour of ServiceAccountName to prevent privilege escalation in multi-tenancy environments.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Updates to use metav1.Condition type and removes references for
deprecated corev1.Condition* constants and uses the new k8s api/meta
helpers in place of the old pkg/apis/meta types.
Signed-off-by: Aurel Canciu <aurelcanciu@gmail.com>
Stefan Prodan
Soule BA
Gonzalo Villafañe Tapia
George Gaál
Somtochi Onyekwere
Oliver Bähler
Guillaume Le Biller
bob.rohan
Hidde Beydals
Aurel Canciu
Paweł Kowalczyk