Adds two new controller flags to enforce ServiceAccount usage in
multi-tenant clusters where administrators need to lock down workload
identity access:
- --default-decryption-service-account
- --default-kubeconfig-service-account
These flags complement the existing --default-service-account flag to
provide complete multi-tenancy lockdown coverage for all three classes
of ServiceAccount fields in the Kustomization API.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
This test ensures that the controller properly handles multiple
$patch: delete directives in strategic merge patches, which was
causing panic errors in kustomize v5.6.0 but is now fixed in v5.7.0.
The test includes two scenarios:
- Multiple delete directives in a single patch (the main fix)
- Multiple delete directives in separate patches (previously a workaround)
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
There are edge cases where a reonciliation can be triggered on a
suspended Kustomization, mainly through changes in a source.
In these cases a "no-op" reconciliation occurs, which can be confusing
for the user. This returns early if the Kustomization ist suspended.
Signed-off-by: Norman Stetter <85173861+norman-zon@users.noreply.github.com>
The `Mark…` functions in the `conditions` package accept a format string and
(optional) arguments, just like `fmt.Printf` and friends.
In many places, the code passed an error message as the format string, causing
it to be interpreted as a format string by the `fmt` package. This leads to
issues when the message contains percent signs, e.g. URL-encoded values.
This PR adds a format string and shortens `err.Error()` to `err`, which yields
the same output.
This change is identical in principle to
https://github.com/fluxcd/source-controller/pull/1529.
Signed-off-by: Florian Forster <fforster@gitlab.com>
This configures a logger on the archive fetcher, to make HTTP errors
surface faster when it fails to retrieve the artifact of a source.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
Signed-off-by: Luke Mallon (Nalum) <luke@mallon.ie>
Setup new flag to allow overriding additional managers and pass this data to the KustomizationReconciler instance
Signed-off-by: Luke Mallon (Nalum) <luke@mallon.ie>
Update field name to be more specific
Co-authored-by: Stefan Prodan <stefan.prodan@gmail.com>
Signed-off-by: Luke Mallon <luke@mallon.ie>
Update the remaining fieldManagers vars to match the new definition
Signed-off-by: Luke Mallon (Nalum) <luke@mallon.ie>
Change AdditionalFieldManagers to DisallowedFieldManagers
Signed-off-by: Luke Mallon (Nalum) <luke@mallon.ie>
Add unit test to cover the new disallowed field manager change
Signed-off-by: Luke Mallon (Nalum) <luke@mallon.ie>
Use correct variable in the final Run
Signed-off-by: Luke Mallon (Nalum) <luke@mallon.ie>
Undo the timeout multiplication
Signed-off-by: Luke Mallon (Nalum) <luke@mallon.ie>
Update internal/controller/kustomization_disallowed_managers_test.go
Co-authored-by: Stefan Prodan <stefan.prodan@gmail.com>
Signed-off-by: Luke Mallon <luke@mallon.ie>
Check for we're not getting errors on the Patch calls and remove the eventually as not needed here
Signed-off-by: Luke Mallon (Nalum) <luke@mallon.ie>
Update main.go
Co-authored-by: Stefan Prodan <stefan.prodan@gmail.com>
Signed-off-by: Luke Mallon <luke@mallon.ie>
- Update ``sigs.k8s.io/kustomize` to v5.2.1
- Update `k8s.io` packages to v0.28.4
- Update `sigs.k8s.io/controller-runtime` to v0.16.3 and adapt to breaking changes
- Switch from `sigs.k8s.io/cli-utils` to `github.com/fluxcd/cli-utils`
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Stefan Prodan
cappyzawa
Matheus Pimenta
Norman Stetter
Daniel Brown
Erik Godding Boye
hasithsen
Yuriy
Sunny
Florian Forster
gdasson
Hidde Beydals
Luke Mallon (Nalum)