- Add `.spec.wait` optional boolean field to API
- Wait for all applied resources to become ready when `.spec.wait` is set to `true`
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
When impersonation fails, emit an event with the stale objects and continue with the finalization as this is not a retryable error.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Set the healthiness status to progressing and specify the health check timeout in the condition message.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Reconciler behaviour:
- Creates an inventory of objects to be applied (persisted in-cluster under `.status.inventory`).
- Applies first custom resource definitions (CRDs) and namespaces, waits for them to register and only then applies the custom resources.
- Validates all resources with server-side dry-run apply (namespaced objects must contain `metadata.namespace`, defaulting to the `default` namespace is no longer supported).
- Reconciles only the resources that drifted.
- Prunes the objects that were previously applied but are missing from the current inventory.
- Emits events for only the resources that where created, configured or deleted.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Reduce the log level from error to info to match the level of the event.
Signed-off-by: Allen Porter <allen.porter@gmail.com>
Signed-off-by: Allen Porter <allen@thebends.org>
This should give users some guidance when `kubectl apply` itself does
not give any useful output back itself, till date only observed when
it times out waiting.
Signed-off-by: Hidde Beydals <hello@hidde.co>
Allow passing --force to kubectl apply. Useful when dealing with
immutable field changes in resources.
Signed-off-by: Aurel Canciu <aurelcanciu@gmail.com>
- record the last health assessment result in a dedicated status condition
- use the condition status when issuing events to prevent notifications spam
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Log the reconciliation error instead of returning it, so that controller-runtime doesn't requeue immediately. Reconciliation failures should be scheduled at the specified retry interval.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
To include a bug fix to the `ReconcilateAtChangedPredicate`
and renaming to `ReconcileRequestedPredicate`.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This commit ensures that relative (user configurable) paths never
traverse outside their working directory.
It does _not_ provide protection against path traversal within
`kustomization.yaml` files.
Signed-off-by: Hidde Beydals <hello@hidde.co>
- filter kubectl apply output and extract errors
- limit apply output to 20K charts (avoid reaching max etcd size)
- log kubectl exit code when the process is killed
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Drop the ServiceAccount field in favour of ServiceAccountName to prevent privilege escalation in multi-tenancy environments.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Stefan Prodan
Michal Schott
Jodok Batlogg
Hidehito Yabuuchi
Chanwit Kaewkasi
Allen Porter
Hidde Beydals
Florian Richter
Aurel Canciu
Laszlo Fogas
Christian Hernvall
Sylvain Rabot