- If authentication token is not specified in provider, attempt to get the token using workload identity.
= Add new field .spec.serviceAccountName to support multi-tenant workload identity as defined in RFC-0010 to use an identity with a service account other than the notification-controller.
- Use proxy to get the token if specified in provider spec.
- Cache the tokens if enabled in the notification controller options.
- If address has SAS connection string, use that for authentication, this takes priority over token-authentication
- If static JWT token is specified in the secret reference, use it for authentication, this takes priority over workload identity-acquired token.
- Update RBAC for notification-controller to be able to create service token requests.
- Add unit tests for the 3 authentication mechanisms (SAS, JWT, managed identity).
- Add documentation for using single-tenant and multi-tenant approaches of workload identity with azureeventhub provider.
- Add operation post to github helpers and provider controller for cache event metrics
- Enable token cache by default.
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
review comments
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
enable cache by default
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
- Add providerOpts in notifier to configure authentication options for various providers.
- If token/password are not set to PAT, check if github app details are configured in secret and if found; authenticate using github-app by retrieving app installation token.
- If proxy is specified in the provider spec OR in the secret, configure github app authentication to fetch the installation token over the proxy.
- Add unit tests for providers.
- Update documentation describing the usage of github app authentication with the providers.
- Add token cache to notification controller to cache and re-use the tokens.
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
Flag detailed-metrics added to provide a way to disable exposing all accessed paths to the metrics and prevent potential metrics cardinality explosion
Signed-off-by: Alexey Kuzbekov <alexey@kuzbekov.me>
Add new Alert and Provider reconcilers to perform migration to static
objects. The new Alert and Provider APIs don't contain any status. When
the existing Alerts and Providers are queries using the new API client,
the status would be dropped. A subsequent write of the object to update
the object in api-server will migrate the objects to the new version and
drop the status.
For the stale finalizers on the objects, the new reconcilers ensure that
the finalizers get removed.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
Emit events in the event handler along with logs on the respective alert
to make the message visible on the alert it belongs to.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
v1beta3 API for Alert and Provider makes them static objects, removing
the status subresource and spec fields that are relevant to dynamic
objects with reconcilers.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
The metrics helper now accepts owned finalizers to determine if an
object is no longer managed by the controller and is being deleted, and
deletes the metrics associated with the object.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
This commit bumps the Receiver API version to v1 in preparation of
the Flux GitOps GA milestone
(https://fluxcd.io/roadmap/#flux-gitops-ga-q1-2023).
We are now actively maintaining two versions of the notification API
group in parallel: v1 which currently only holds the Receiver kind and
v1beta2 for all other kinds.
Since we haven't run into this situation before, I had to change the
way we expose the API docs in ./docs/api: The directory now has
sub-directories for each active API version. Therefore we need to
change our scripts in the website repository to take this change into
account so that we expose both API group version at
https://fluxcd.io/flux/components/notification/api/. This change is
implemented in https://github.com/fluxcd/website/pull/1427.
refs #436
Signed-off-by: Max Jonas Werner <mail@makk.es>
This uses the newly introduced helper from runtime, which also
configures the logger for `klog`.
Resulting in all logs now being properly formatted, even when logged by
internal Kubernetes elements like the leader election or a dynamic
client.
The update from `fluxcd/pkg/runtime` from `v0.29.0` to `v0.31.0` in
addition includes a change which configures the event recoder to only
log on level `trace` (as opposed to `debug`).
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
You can re-enable caching by starting the controller with the argument
`--feature-gates=CacheSecretsAndConfigMaps=true`.
Signed-off-by: Hidde Beydals <hello@hidde.co>
Add two new flags to enable users to configure exponential
back-off for Flux objects. The default values are now
set to 750ms for minimum retry time, and 15min for max.
Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
Introduce the flag `--no-cross-namespace-refs` (defaults to false) for allowing cluster admins to disable cross-namespace event sources for alerts.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Using the helper from `pkg/runtime/pprof`, which follows the suggestion
from controller-runtime to use `AddMetricsExtraHandler`.
Signed-off-by: Hidde Beydals <hello@hidde.co>
- Add ImageRepository to the Receiver API known kinds and RBAC
- Trigger container image updates to Git by annotating ImageRepository objects
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
This commit upgrades the `controller-runtime` dependency to `v0.7.0`,
including all changes required to make all wiring work again.
- Upgrade `runtime` to v0.6.0 to include `controller-runtime` changes.
- Loggers have been removed from the reconcilers and are now retrieved
from the `context.Context` passed to the `Reconcile` method and
downwards functions.
- Logger configuration flags are now bound to the flag set using
`BindFlags` from `runtime/logger`, ensuring the same contract across
GitOps Toolkit controllers, and the `--log-json` flag has been
deprecated in favour of the `--log-encoding=json` default.
- The `ChangePredicate` from `runtime` has changed to a
`ReconcilateAtChangedPredicate`, and is now chained with the
`GenerationChangedPredicate` from `controller-runtime` using
`predicate.Or`.
- The `leader-election-role` was changed, as leader election now works
via the `coordination/v1` API.
Other notable changes:
- Use `DeletionTimestamp` of resource object to determine readiness.
- `source-controller` API dependency has been upgraded to `v0.6.0`
which also uses `controller-runtime` `v0.7.0`.
Co-authored-by: Hidde Beydals <hiddeco@users.noreply.github.com>
Signed-off-by: Philip Laine <philip.laine@gmail.com>
Signed-off-by: Hidde Beydals <hello@hidde.co>
Matheus Pimenta
Dipti Pai
Alexey Kuzbekov
Sunny
Stefan Prodan
Sanskar Jaiswal
Max Jonas Werner
Hidde Beydals
Hidde Beydals
Paulo Gomes
Somtochi Onyekwere
Philip Laine
Philip Laine