`KustomizeGenerator.WriteFile` now detects alternative kustomization
file names such as `kustomization.yml` and `Kustomization`.
closes#737
Signed-off-by: Max Jonas Werner <max@e13.dev>
- allow `OCIRepository` to be specified in `sourceRef.kind`
- react to `OCIRepository` artifacts events
- add end-to-end test for OCI repositories
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
- Extract the artifact operations such as download, verify, untar into a dedicated struct
- Introduce a dedicated type for artifact not found errors
- On artifact not found errors, log the error, update the ready status message and requeue the object
- Retry the artifact download at the interval set with `--requeue-dependency` (defaults to 30s)
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Add an optional flag for disabling remote bases. While the `--no-remote-bases` is set to `false` by default, Flux users are encouraged to enable it on production system for security and performance reasons. Using Kustomize remote bases means that kustomize-controller must clone the remote repositories on every reconciliation instead of using the source-controller artifacts cache. Allowing remote bases on multi-tenant clusters, means platform admins have no control over which repositories make up the desired state.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
- Refactored recursion while iterating over Kustomization files.
References of files that have been visited are cached, and not
visited again. In addition, symlinks are confirmed to not traverse
outside the working directory.
- Optimized various bits around (un)marshalling (encrypted) data, and
YAML -> JSON -> YAML roundtrips are prevented where not required.
- Added support for decrypting INI Kustomize EnvSource references using
the dedicated SOPS store for the format.
- Introduced support for decrypting Kustomize FileSources:
https://pkg.go.dev/sigs.k8s.io/kustomize@v1.0.2/pkg/types#DataSources
Signed-off-by: Hidde Beydals <hello@hidde.co>
Two new flags were added to allow users to enable the
use of user.Exec and InsecureTLS in the kubeconfigs
provided remote apply reconciliations.
Breaking change: both functionalities are no longer
enabled by default.
Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
This to facilitate improvements on the notification-controller side,
where annotations prefixed with the FQDN of the Group of the Involved
Object will be transformed into "fields".
Signed-off-by: Hidde Beydals <hello@hidde.co>
This includes an update of the source-controller to v0.22.0, to pull in
the v1beta2 API which makes use of the same packages.
Co-authored-by: Sunny <darkowlzz@protonmail.com>
Signed-off-by: Hidde Beydals <hello@hidde.co>
Introduce an annotation that configures kustomize-controller to co-manage objects applied with kubectl.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
If the service account used for impersonation has been deleted, skip pruning, log the error and continue with finalization to allow tenants removals from clusters.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Introduce the flag `--default-service-account` for allowing cluster admins to enforce impersonation for resources reconciliation.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Introduce the flag `--no-cross-namespace-refs` (defaults to false) for allowing cluster admins to disable cross-namespace references to sources.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Validate that the resources built with kustomize conform to the Kubernetes API conventions before passing them to the server-side apply engine.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
After downloading an artifact, compute its checksum and verify that it matches the original checksum advertised by source-controller.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Introduce `kustomize.toolkit.fluxcd.io/reconcile` annotation. When set to `disabled`, the controller will no longer apply changes from source, nor it will prune the annotated resource.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
If decryption is not enabled, SOPS encrypted secrets will fail to apply with a validation error that doesn't give any hints. It's better to exit early and throw an error that tells users to enable decryption.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Stefan Prodan
Max Jonas Werner
Santosh Kaluskar
Somtochi Onyekwere
Hidde Beydals
Sanskar Jaiswal
York Chen
Hidde Beydals
Paulo Gomes
harshi1122
Kingdon Barrett
Florian Fl Bauer
Aurel Canciu
Rishabh Bohra