Add benchmark for recurseKustomizationFiles() to measure the performance
of recursively loading kustomization files with a certain percentage of
symlinks in the kustomizations.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
- Refactored recursion while iterating over Kustomization files.
References of files that have been visited are cached, and not
visited again. In addition, symlinks are confirmed to not traverse
outside the working directory.
- Optimized various bits around (un)marshalling (encrypted) data, and
YAML -> JSON -> YAML roundtrips are prevented where not required.
- Added support for decrypting INI Kustomize EnvSource references using
the dedicated SOPS store for the format.
- Introduced support for decrypting Kustomize FileSources:
https://pkg.go.dev/sigs.k8s.io/kustomize@v1.0.2/pkg/types#DataSources
Signed-off-by: Hidde Beydals <hello@hidde.co>
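The symlink-confinement and visited-cache behaviour described in the commit above, as an added illustration that is not the controller's own code: every directory entry is resolved with `filepath.EvalSymlinks` before use, a link that resolves outside the walked root aborts the walk, and resolved paths are cached so that two links to the same directory (or a link loop) never cause a subtree to be visited twice. The function name `FindKustomizationFiles` and the error value are assumptions for this example; the recognised file names are the ones kustomize itself uses.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a symlink resolves to a location outside
// the working directory being walked.
var ErrOutsideRoot = errors.New("symlink resolves outside the working directory")

// kustomizationFileNames are the file names kustomize recognises as a
// Kustomization; the walker collects files with these names.
var kustomizationFileNames = map[string]bool{
	"kustomization.yaml": true,
	"kustomization.yml":  true,
	"Kustomization":      true,
}

// withinRoot reports whether p (absolute, symlinks already resolved) is root
// itself or lies somewhere below it.
func withinRoot(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// FindKustomizationFiles walks root recursively and returns the kustomization
// files found. Every entry is resolved before it is used: a symlink pointing
// outside root aborts the walk with ErrOutsideRoot, and the resolved path is
// recorded so that two links to the same directory, or a symlink loop, never
// cause a tree to be visited twice. (Hypothetical helper, not the controller's.)
func FindKustomizationFiles(root string) ([]string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return nil, err
	}
	realRoot, err := filepath.EvalSymlinks(absRoot)
	if err != nil {
		return nil, err
	}
	visited := map[string]bool{realRoot: true}
	var found []string

	var walk func(dir string) error
	walk = func(dir string) error {
		entries, err := os.ReadDir(dir)
		if err != nil {
			return err
		}
		for _, e := range entries {
			p := filepath.Join(dir, e.Name())
			// Resolve the entry (a no-op for regular files and directories,
			// the real target for symlinks) and confine it to the root.
			real, err := filepath.EvalSymlinks(p)
			if err != nil {
				return err
			}
			if !withinRoot(realRoot, real) {
				return fmt.Errorf("%s -> %s: %w", p, real, ErrOutsideRoot)
			}
			if visited[real] {
				continue // already seen through another path
			}
			visited[real] = true
			info, err := os.Stat(real)
			if err != nil {
				return err
			}
			if info.IsDir() {
				if err := walk(p); err != nil {
					return err
				}
				continue
			}
			if kustomizationFileNames[e.Name()] {
				found = append(found, p)
			}
		}
		return nil
	}
	if err := walk(absRoot); err != nil {
		return nil, err
	}
	return found, nil
}

func main() {
	files, err := FindKustomizationFiles(".")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range files {
		fmt.Println(f)
	}
}
```

Resolving the real path (rather than only the link target) matters because a link can point at another link, and because the root itself may sit under a symlinked parent; comparing resolved paths on both sides keeps the check consistent.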
This includes an update of the source-controller to v0.22.0, to pull in
the v1beta2 API which makes use of the same packages.
Co-authored-by: Sunny <darkowlzz@protonmail.com>
Signed-off-by: Hidde Beydals <hello@hidde.co>
Validate that the resources built with kustomize conform to the Kubernetes API conventions before passing them to the server-side apply engine.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
If implemented, the kustomize controller will be able to retrieve a
secret containing a VAULT TOKEN and use it to decrypt the sops encrypted
master key. It will then use it to decrypt the data key and finally use the data
key to decrypt the final data.
Signed-off-by: Soule BA <bah.soule@gmail.com>
After downloading an artifact, compute its checksum and verify that it matches the original checksum advertised by source-controller.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
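The download-then-verify step described in the commit above, as an added example that is not the controller's own code: the artifact bytes are hashed while they are written, the digest is compared in constant time against the advertised checksum, and the file only reaches its final path once the checksum matches, so a corrupted or tampered download is never left in place. It assumes the advertised checksum is a hex-encoded SHA-256 digest with no algorithm prefix; the function names are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// ErrChecksumMismatch is returned when the downloaded bytes do not hash to
// the checksum advertised by the source.
var ErrChecksumMismatch = errors.New("artifact checksum mismatch")

// VerifyArtifact copies the artifact from src to dst while hashing it, then
// compares the SHA-256 digest against the advertised hex-encoded checksum.
// It returns the number of bytes written and ErrChecksumMismatch when the
// digests differ; the caller must then discard dst rather than use it.
// (Hypothetical helper; the checksum format is an assumption for this example.)
func VerifyArtifact(src io.Reader, dst io.Writer, advertisedHex string) (int64, error) {
	want, err := hex.DecodeString(advertisedHex)
	if err != nil || len(want) != sha256.Size {
		return 0, fmt.Errorf("advertised checksum %q is not a hex SHA-256 digest", advertisedHex)
	}
	h := sha256.New()
	// TeeReader feeds every byte that reaches dst through the hash as well,
	// so the digest covers exactly what was stored.
	n, err := io.Copy(dst, io.TeeReader(src, h))
	if err != nil {
		return n, err
	}
	got := h.Sum(nil)
	if subtle.ConstantTimeCompare(got, want) != 1 {
		return n, fmt.Errorf("want %s, got %x: %w", advertisedHex, got, ErrChecksumMismatch)
	}
	return n, nil
}

// DownloadToFile writes the artifact to a temporary file next to path and
// renames it into place only after the checksum has been verified, so a
// mismatching download never appears at the final path.
func DownloadToFile(src io.Reader, path, advertisedHex string) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".artifact-*")
	if err != nil {
		return err
	}
	if _, err := VerifyArtifact(src, tmp, advertisedHex); err != nil {
		tmp.Close()
		os.Remove(tmp.Name())
		return err
	}
	if err := tmp.Close(); err != nil {
		os.Remove(tmp.Name())
		return err
	}
	return os.Rename(tmp.Name(), path)
}

func main() {
	// Constructed sample: the "download" is an in-memory byte string.
	payload := []byte("constructed artifact tarball bytes")
	sum := sha256.Sum256(payload)
	err := DownloadToFile(io.NopCloser(io.MultiReader(bytesReader(payload))), "artifact.tar.gz", hex.EncodeToString(sum[:]))
	fmt.Println("download verified:", err == nil)
}

// bytesReader is a tiny adapter so main needs no extra imports.
func bytesReader(b []byte) io.Reader {
	r, w := io.Pipe()
	go func() { w.Write(b); w.Close() }()
	return r
}
```

Hashing the stream as it is written, rather than re-reading the stored file afterwards, means the digest describes exactly the bytes that landed on disk and avoids a second pass over large artifacts.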
Reconciler behaviour:
- Creates an inventory of objects to be applied (persisted in-cluster under `.status.inventory`).
- Applies custom resource definitions (CRDs) and namespaces first, waits for them to register and only then applies the custom resources.
- Validates all resources with server-side dry-run apply (namespaced objects must contain `metadata.namespace`, defaulting to the `default` namespace is no longer supported).
- Reconciles only the resources that drifted.
- Prunes the objects that were previously applied but are missing from the current inventory.
- Emits events for only the resources that were created, configured or deleted.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
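Three pieces of the reconciler behaviour listed above (namespace validation, the two-stage apply order, and pruning against the persisted inventory), as an added example that is not the controller's own code. It works on a minimal `Object` struct instead of unstructured Kubernetes objects so it runs without client-go; the inventory ID form `namespace_name_group_kind` and all function names are assumptions for this example.

```go
package main

import (
	"fmt"
	"sort"
)

// Object is the minimal identity the example needs for an applied resource;
// a real controller works on unstructured Kubernetes objects.
type Object struct {
	Group, Kind, Namespace, Name string
	Namespaced                   bool // whether the kind is namespace-scoped
}

// ID renders the inventory entry for an object (assumed form for this example).
func (o Object) ID() string {
	return fmt.Sprintf("%s_%s_%s_%s", o.Namespace, o.Name, o.Group, o.Kind)
}

// isClusterPrerequisite reports whether the object must be registered before
// anything that depends on it: CRDs define kinds, namespaces hold objects.
func isClusterPrerequisite(o Object) bool {
	return (o.Kind == "CustomResourceDefinition" && o.Group == "apiextensions.k8s.io") ||
		(o.Kind == "Namespace" && o.Group == "")
}

// ValidateNamespaces rejects namespaced objects with no metadata.namespace
// instead of letting them silently land in the "default" namespace.
func ValidateNamespaces(objs []Object) error {
	for _, o := range objs {
		if o.Namespaced && o.Namespace == "" {
			return fmt.Errorf("%s/%s: namespaced object must set metadata.namespace", o.Kind, o.Name)
		}
	}
	return nil
}

// ApplyStages splits objects into the two apply passes: CRDs and namespaces
// first, everything else once those have registered.
func ApplyStages(objs []Object) (prereqs, rest []Object) {
	for _, o := range objs {
		if isClusterPrerequisite(o) {
			prereqs = append(prereqs, o)
		} else {
			rest = append(rest, o)
		}
	}
	return prereqs, rest
}

// Inventory renders the sorted IDs that would be persisted under .status.inventory.
func Inventory(objs []Object) []string {
	ids := make([]string, 0, len(objs))
	for _, o := range objs {
		ids = append(ids, o.ID())
	}
	sort.Strings(ids)
	return ids
}

// ToPrune returns the entries present in the previous inventory but absent
// from the current one; these are the objects to garbage-collect.
func ToPrune(previous, current []string) []string {
	keep := make(map[string]bool, len(current))
	for _, id := range current {
		keep[id] = true
	}
	var prune []string
	for _, id := range previous {
		if !keep[id] {
			prune = append(prune, id)
		}
	}
	sort.Strings(prune)
	return prune
}

func main() {
	// Constructed sample manifests.
	objs := []Object{
		{Group: "apiextensions.k8s.io", Kind: "CustomResourceDefinition", Name: "widgets.example.com"},
		{Group: "", Kind: "Namespace", Name: "apps"},
		{Group: "apps", Kind: "Deployment", Namespace: "apps", Name: "web", Namespaced: true},
		{Group: "", Kind: "ConfigMap", Namespace: "apps", Name: "web-config", Namespaced: true},
	}
	if err := ValidateNamespaces(objs); err != nil {
		fmt.Println("invalid:", err)
		return
	}
	prereqs, rest := ApplyStages(objs)
	fmt.Printf("stage 1: %d objects, stage 2: %d objects\n", len(prereqs), len(rest))
	previous := append(Inventory(objs), "apps_old-secret__Secret")
	fmt.Println("prune:", ToPrune(previous, Inventory(objs)))
}
```

Validating namespaces before the first apply is what makes the "no defaulting to `default`" rule enforceable: a dry-run against the API server would accept an object without a namespace and place it in `default`, so the check has to happen on the client side.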