- allow `OCIRepository` to be specified in `sourceRef.kind`
- react to `OCIRepository` artifacts events
- add end-to-end test for OCI repositories
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
- remove the Go spec section
- add basic usage example
- fix SOPS CLI examples
- explain how to generate image pull secrets from encrypted dockerconfigjson files
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
This adds a SOPS GCP KMS key source which makes use of the latest GCP
client, and supports both injection of master key credentials and a
default client making use of environmental runtime values.
The implementation fully replaces SOPS', and is covered with
compatability tests.
Signed-off-by: Somtochi Onyekwere <somtochionyekwere@gmail.com>
Add an optional flag for disabling remote bases. While the `--no-remote-bases` is set to `false` by default, Flux users are encouraged to enable it on production system for security and performance reasons. Using Kustomize remote bases means that kustomize-controller must clone the remote repositories on every reconciliation instead of using the source-controller artifacts cache. Allowing remote bases on multi-tenant clusters, means platform admins have no control over which repositories make up the desired state.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
When the flag --default-service-account was added it changed
slightly the behaviour of the spec.KubeConfig field. It forces
the impersonation to always take place, either via the contents
of spec.ServiceAccountName or its fallback at controller level.
Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
This includes an update of the source-controller to v0.22.0, to pull in
the v1beta2 API which makes use of the same packages.
Co-authored-by: Sunny <darkowlzz@protonmail.com>
Signed-off-by: Hidde Beydals <hello@hidde.co>
This includes a refactor of the other entries, to start moving guides
to the website while containing minimal technical (instructions)
in-spec.
Signed-off-by: Hidde Beydals <hello@hidde.co>
Introduce an annotation that configures kustomize-controller to co-manage objects applied with kubectl.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
In a Kustomization's post-build substitution sources, introduce a new
"Optional" field to allow referencing a Kubernetes ConfigMap or Secret
that may not exist at time of reconciliation. Treat substitution when
the referenced object is missing as if the object had been present but
empty, lacking any variable bindings.
Retain the longstanding behavior of interpreting references to
Kubernetes objects being mandatory by default, such that
reconciliation fails if such a referenced object does not exist. Only
when the "Optional" field is set to true will reconciliation tolerate
finding the referenced object to be missing.
Signed-off-by: Steven E. Harris <seh@panix.com>
+ in the `spec.path` of the Flux `Kustomization`
In #2357 it was noted that we mention `spec.path` but the code example
provided for context is a `GitRepository`. This is a leap too far, let's
provide this to better clarify the context.
Signed-off-by: Kingdon Barrett <kingdon@weave.works>
Introduce the flag `--default-service-account` for allowing cluster admins to enforce impersonation for resources reconciliation.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Introduce the flag `--no-cross-namespace-refs` (defaults to false) for allowing cluster admins to disable cross-namespace references to sources.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
If implemented, the kustomize controller will be able to retrieve a
secret containing a VAULT TOKEN and use it to decrypt the sops encrypted
master key. It will then use it to decrypt the data key and finally use the data
key to decrypt the final data.
Signed-off-by: Soule BA <bah.soule@gmail.com>
Introduce `kustomize.toolkit.fluxcd.io/reconcile` annotation. When set to `disabled`, the controller will no longer apply changes from source, nor it will prune the annotated resource.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
- Add `.spec.wait` optional boolean field to API
- Wait for all applied resources to become ready when `.spec.wait` is set to `true`
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Changes from v1beta1:
- `spec.validation` removed (server-side validation is implicit)
- `spec.status.snapshot` replaced by `spec.status.inventory`
- `spec.patchesStrategicMerge` deprecated in favour of `spec.patches`
- `spec.patchesJson6902` deprecated in favour of `spec.patches`
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Add `values.yaml` to the supported kubeconfig secret key names in order for SOPS to correctly detect the storage format based on the file extension.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Allow patching multiple resources instead of a single existing one as
StrategicMerge & JSON6902 are forced to target existing named resources.
Signed-off-by: Guillaume Le Biller <glebiller@Traveldoo.com>
Allow passing --force to kubectl apply. Useful when dealing with
immutable field changes in resources.
Signed-off-by: Aurel Canciu <aurelcanciu@gmail.com>
The spec.retryInterval is the interval at which to retry a previously failed reconciliation.
When not specified, it defaults to the spec.interval value.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
As due to secure joins, the requirement on both providing a path
and/or requiring it to be in a certain format offers little value
over the UX experience of not having to provide it when you just
want to reconcile whatever can be found in the root of the source
reference.
Signed-off-by: Hidde Beydals <hello@hidde.co>
Drop the ServiceAccount field in favour of ServiceAccountName to prevent privilege escalation in multi-tenancy environments.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Updates to use metav1.Condition type and removes references for
deprecated corev1.Condition* constants and uses the new k8s api/meta
helpers in place of the old pkg/apis/meta types.
Signed-off-by: Aurel Canciu <aurelcanciu@gmail.com>
Surya
Stefan Prodan
Andrés Botero
Somtochi Onyekwere
Sanskar Jaiswal
Hidde Beydals
Nick Stogner
Paulo Gomes
Sunny
Kingdon Barrett
Steven E. Harris
Daniel Holbach
Soule BA
Gonzalo Villafañe Tapia
George Gaál
Oliver Bähler
Guillaume Le Biller
bob.rohan
Aurel Canciu
Paweł Kowalczyk
Tomas Virgl
Michael Bridgen
leigh capili
Philip Laine