`KustomizeGenerator.WriteFile` now detects alternative kustomization
file names such as `kustomization.yml` and `Kustomization`.
Closes #737
Signed-off-by: Max Jonas Werner <max@e13.dev>
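The detection described in the commit above, as an added example rather than the controller's own `KustomizeGenerator.WriteFile` code: probe a directory for each of the three names kustomize recognizes, reuse the one that exists, generate a `kustomization.yaml` only when none is present, and refuse a directory that carries two of them. The function and file names are this example's own, and the generated file is a simplified stand-in (it lists every `.yaml`/`.yml` file as a resource rather than inspecting manifest contents).

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// recognizedKustomizationFileNames is the set of entry-point file names that
// kustomize accepts, in the order they are probed here.
var recognizedKustomizationFileNames = []string{
	"kustomization.yaml",
	"kustomization.yml",
	"Kustomization",
}

// ensureKustomizationFile returns the path of the kustomization file in dir,
// generating a kustomization.yaml when none of the recognized names exists.
// generated reports whether a file was written. Two recognized names in one
// directory is an error: kustomize itself refuses to build such a directory,
// and silently picking one would hide which manifests get applied.
func ensureKustomizationFile(dir string) (path string, generated bool, err error) {
	var found []string
	for _, name := range recognizedKustomizationFileNames {
		p := filepath.Join(dir, name)
		if fi, statErr := os.Stat(p); statErr == nil && !fi.IsDir() {
			found = append(found, p)
		}
	}
	switch len(found) {
	case 1:
		return found[0], false, nil
	case 0:
		p := filepath.Join(dir, recognizedKustomizationFileNames[0])
		if werr := writeDefaultKustomization(dir, p); werr != nil {
			return "", false, werr
		}
		return p, true, nil
	default:
		return "", false, fmt.Errorf("ambiguous kustomization in %s: found %v", dir, found)
	}
}

// writeDefaultKustomization writes a minimal Kustomization that lists every
// .yaml/.yml file in dir as a resource. Simplified stand-in for the real
// generator, which looks at manifest contents (assumption for this example).
func writeDefaultKustomization(dir, path string) error {
	entries, err := os.ReadDir(dir) // sorted by file name
	if err != nil {
		return err
	}
	var b strings.Builder
	b.WriteString("apiVersion: kustomize.config.k8s.io/v1beta1\nkind: Kustomization\nresources:\n")
	for _, e := range entries {
		if e.IsDir() {
			continue
		}
		switch filepath.Ext(e.Name()) {
		case ".yaml", ".yml":
			fmt.Fprintf(&b, "- %s\n", e.Name())
		}
	}
	return os.WriteFile(path, []byte(b.String()), 0o644)
}

func main() {
	dir := "."
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	p, generated, err := ensureKustomizationFile(dir)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("using %s (generated=%v)\n", p, generated)
}
```

The ambiguity check is the part worth keeping: a directory that contains both `kustomization.yaml` and `Kustomization` is a sign that two people edited different files, and a generator that quietly picked one would apply a different set of resources than the author expects.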
- Update Go to 1.19 in CI
- Use Go 1.19 in base image
- Update controller-gen v0.8.0 (v0.7 fails with Go 1.19) and regenerate manifests
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
The existing fuzzers are converted into the Go native format. This
works well with most fuzzers, apart from the one that fuzzes the
controller.
That specific test depends on funcs and vars that are defined in
suite_test.go, which is not supported when building fuzzers leveraging
Go native fuzz for oss-fuzz. That test is therefore ignored when
executed with make fuzz-native. But all tests are covered with
make fuzz-smoketest, in order to support oss-fuzz.
Once the controller is rewritten we can revisit this and ensure that
fuzzers do not require envtest nor embedded CRDs.
Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
- allow `OCIRepository` to be specified in `sourceRef.kind`
- react to `OCIRepository` artifacts events
- add end-to-end test for OCI repositories
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Based on user reports, there seems to be a small chance for the
underlying SOPS store implementation to panic when a user provides input
and/or output format instructions which do not actually match the type
of the file. Recover from this to ensure continuity of operations.
Signed-off-by: Hidde Beydals <hello@hidde.co>
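The recovery pattern the commit above describes, as an added example and not the controller's decryptor code: wrap the store call in a function with named results and a deferred `recover`, so a panic inside the store becomes a returned error that the reconciler can log and surface on the object's status instead of crashing the process. `naiveJSONStore` is a constructed stand-in for a store that trusts a format hint it was given; the SOPS stores themselves are not imported here.

```go
package main

import (
	"errors"
	"fmt"
)

// decodeFunc has the shape of a format store call such as LoadEncryptedFile:
// raw bytes in, parsed structure out.
type decodeFunc func(data []byte) (interface{}, error)

// errStorePanic marks errors that were originally panics inside a store, so
// callers can tell them apart from ordinary parse errors.
var errStorePanic = errors.New("store panicked")

// safeDecode runs fn and turns a panic raised inside it into an ordinary
// error, so a single malformed input or a wrong format hint cannot take the
// whole reconciler down. The named results let the deferred closure
// overwrite the return values after the panic has unwound fn.
func safeDecode(fn decodeFunc, data []byte) (result interface{}, err error) {
	defer func() {
		if r := recover(); r != nil {
			result = nil
			err = fmt.Errorf("%w: %v", errStorePanic, r)
		}
	}()
	return fn(data)
}

// naiveJSONStore is a constructed stand-in for a store that trusts its input
// shape: it indexes data[0] without a length check and therefore panics on
// empty input, which is the class of failure safeDecode absorbs.
func naiveJSONStore(data []byte) (interface{}, error) {
	if data[0] != '{' {
		return nil, errors.New("not a JSON object")
	}
	return string(data), nil
}

func main() {
	for _, in := range [][]byte{[]byte(`{"a":1}`), nil, []byte("plain")} {
		v, err := safeDecode(naiveJSONStore, in)
		fmt.Printf("input=%q value=%v err=%v\n", in, v, err)
	}
}
```

Recovering is the right call here only because the store is pure with respect to the controller's state: nothing is half-written when it panics, so continuing with the next reconciliation is safe. Wrapping a call that mutates shared state in the same way would hide corruption rather than a bad input.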
- Extract the artifact operations such as download, verify, untar into a dedicated struct
- Introduce a dedicated type for artifact not found errors
- On artifact not found errors, log the error, update the ready status message and requeue the object
- Retry the artifact download at the interval set with `--requeue-dependency` (defaults to 30s)
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
This adds a SOPS GCP KMS key source which makes use of the latest GCP
client, and supports both injection of master key credentials and a
default client making use of environmental runtime values.
The implementation fully replaces SOPS', and is covered with
compatibility tests.
Signed-off-by: Somtochi Onyekwere <somtochionyekwere@gmail.com>
As the patch has been merged upstream, `keyservice.LocalClient` now
accepts the `KeyServiceServer` interface.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This checks the base64 decoded bytes from a Secret field for any of the
marker bytes, thereby allowing data to be encrypted into any format,
instead of the previous behavior, which assumed it to be either YAML or
JSON.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This ensures the Secret field gets formatted back into JSON, instead of
it being detected as binary output.
Signed-off-by: Hidde Beydals <hello@hidde.co>
Add an optional flag for disabling remote bases. While `--no-remote-bases` is set to `false` by default, Flux users are encouraged to enable it on production systems for security and performance reasons. Using Kustomize remote bases means that kustomize-controller must clone the remote repositories on every reconciliation instead of using the source-controller artifacts cache. Allowing remote bases on multi-tenant clusters means platform admins have no control over which repositories make up the desired state.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Rather than inspecting the source file name supplied to kustomize's
Secret generator to determine the format of the SOPS-encrypted file
content, instead inspect the Secret key (when supplied separately from
the source file name) as a more reliable heuristic.
Doing so allows kustomization authors to name their SOPS-encrypted
output files with a ".json" extension accurately reflecting the format
in which SOPS writes its encrypted output, even if the encrypted
content itself is not in JSON format.
Signed-off-by: Steven E. Harris <seh@panix.com>
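The two heuristics described in the commits above (scanning the base64-decoded Secret value for SOPS marker bytes to decide whether it is encrypted at all, and taking the format from the Secret key's extension rather than from the source file name) combined into one added example. This is illustration code, not the controller's decryptor: the marker strings, the precedence rule (key extension wins, marker sniff is the fallback) and all function names are assumptions made for this example, and the sample values in `main` and the test are constructed.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"path/filepath"
)

// Input formats, named after the SOPS stores that read them.
const (
	FormatYAML   = "yaml"
	FormatJSON   = "json"
	FormatINI    = "ini"
	FormatDotenv = "dotenv"
)

// sopsMarkers are byte sequences that SOPS writes in the metadata section of
// each output format. The set and its order are assumptions for this example;
// the JSON marker is checked first because it is the most specific.
var sopsMarkers = []struct {
	format string
	marker []byte
}{
	{FormatJSON, []byte(`"sops":`)},
	{FormatYAML, []byte("sops:")},
	{FormatINI, []byte("[sops]")},
	{FormatDotenv, []byte("sops_")},
}

// sniffSOPSFormat scans decoded bytes for any marker and reports the format
// it belongs to. It never parses the content, so it works whatever the
// document looks like, and returns ok=false for plaintext values.
func sniffSOPSFormat(data []byte) (format string, ok bool) {
	for _, m := range sopsMarkers {
		if bytes.Contains(data, m.marker) {
			return m.format, true
		}
	}
	return "", false
}

// formatFromKey maps the Secret key's extension to a format. The key is what
// the kustomization author controls ("config.yaml=secrets.enc.json"), so it is
// a better hint than the encrypted source file's name. Unknown extensions
// yield "" and leave the decision to the marker sniff.
func formatFromKey(key string) string {
	switch filepath.Ext(key) {
	case ".yaml", ".yml":
		return FormatYAML
	case ".json":
		return FormatJSON
	case ".ini":
		return FormatINI
	case ".env":
		return FormatDotenv
	}
	return ""
}

// classifySecretField base64-decodes one Secret data value and decides which
// store should read it. A value without any marker is plaintext and must not
// be handed to a store at all; the caller leaves it untouched.
func classifySecretField(key, b64 string) (format string, encrypted bool, err error) {
	data, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", false, fmt.Errorf("field %q: %w", key, err)
	}
	sniffed, ok := sniffSOPSFormat(data)
	if !ok {
		return "", false, nil
	}
	if f := formatFromKey(key); f != "" {
		return f, true, nil
	}
	return sniffed, true, nil
}

func main() {
	// Constructed sample: a YAML document as SOPS would emit it, base64-encoded
	// the way kustomize's Secret generator stores it.
	sample := base64.StdEncoding.EncodeToString([]byte("password: ENC[AES256_GCM,data:abc,type:str]\nsops:\n  version: 3.7.3\n"))
	f, enc, err := classifySecretField("config.yaml", sample)
	fmt.Printf("format=%q encrypted=%v err=%v\n", f, enc, err)
}
```

The sniff decides encrypted-or-not, the key decides the parser. Keeping the two questions separate is what lets a `.json`-named value that actually carries YAML-shaped SOPS metadata still be routed where the author asked, while a value with no marker is passed through untouched instead of being fed to a store that would reject it.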
- Refactored recursion while iterating over Kustomization files.
References of files that have been visited are cached, and not
visited again. In addition, symlinks are confirmed to not traverse
outside the working directory.
- Optimized various bits around (un)marshalling (encrypted) data, and
YAML -> JSON -> YAML roundtrips are prevented where not required.
- Added support for decrypting INI Kustomize EnvSource references using
the dedicated SOPS store for the format.
- Introduced support for decrypting Kustomize FileSources:
https://pkg.go.dev/sigs.k8s.io/kustomize@v1.0.2/pkg/types#DataSources
Signed-off-by: Hidde Beydals <hello@hidde.co>
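The first bullet of the commit above (a visited-set so each file is walked once, and symlinks that must not lead outside the working directory) as an added example, not the controller's own traversal code. The walker resolves every path with `filepath.EvalSymlinks` before doing anything with it and compares the result against the resolved root on path boundaries; the function names and the constructed directory layout in the test are this example's assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// walkResources visits root and every file reachable from it, following a
// symlink only when its target stays inside root. Each resolved file is
// visited once, so symlink loops and repeated references terminate. A
// dangling symlink is reported as an error rather than skipped.
func walkResources(root string, visit func(path string) error) error {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return err
	}
	// Resolve the root itself too: on systems where the work dir lives behind
	// a symlink, comparing resolved children against an unresolved root would
	// reject everything.
	absRoot, err = filepath.EvalSymlinks(absRoot)
	if err != nil {
		return err
	}
	visited := map[string]bool{}
	var walk func(string) error
	walk = func(p string) error {
		real, err := filepath.EvalSymlinks(p)
		if err != nil {
			return err
		}
		if !insideRoot(absRoot, real) {
			return fmt.Errorf("%s resolves to %s, outside of %s", p, real, absRoot)
		}
		if visited[real] {
			return nil
		}
		visited[real] = true
		fi, err := os.Stat(real)
		if err != nil {
			return err
		}
		if !fi.IsDir() {
			return visit(real)
		}
		entries, err := os.ReadDir(real)
		if err != nil {
			return err
		}
		for _, e := range entries {
			if err := walk(filepath.Join(real, e.Name())); err != nil {
				return err
			}
		}
		return nil
	}
	return walk(absRoot)
}

// insideRoot reports whether path is root or a descendant of it. Both must
// already be absolute and symlink-free. A plain string-prefix test would
// accept /work-other for root /work, so the check is done on path elements.
func insideRoot(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	if err != nil {
		return false
	}
	if rel == "." {
		return true
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	err := walkResources(root, func(p string) error {
		fmt.Println(p)
		return nil
	})
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
}
```

Resolving before checking is the important order: a check on the lexical path (`root/link.yaml`) would pass while the bytes actually read come from wherever the link points. Keying the visited-set on the resolved path is what makes an alias and its target count as one file, and what stops a directory symlink pointing back at the root.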