Add support for object-level GCP workload identity authentication to enable
individual Providers to authenticate using their own ServiceAccount without
needing to manage JSON credentials. This extends beyond the existing
controller-level workload identity that is automatically handled by
Google libraries.
The implementation maintains backward compatibility by prioritizing
JSON credentials when both authentication methods are available.
Proxy support is also added following the Azure DevOps pattern
for consistency across notifiers.
This change is part of the broader effort to support multi-tenant
workload identity across Flux controllers (RFC-0010).
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
- Implement mTLS support for 10 postMessage notifiers
- Unify constructor signatures with tlsConfig parameter
- Make TLSConfig field public for consistency
- Update factory functions and fuzz tests
- Add mTLS test cases
- Replace CertPool with TLSConfig using runtime/secrets
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Introduce spec.proxySecretRef to enable secure proxy configuration
through dedicated Secrets. This provides a more secure alternative
to the deprecated spec.proxy field and secret proxy key.
The new field integrates with runtime/secrets for unified proxy
handling and maintains backward compatibility. Deprecation warnings
are implemented for existing proxy configuration methods.
Proxy priority: ProxySecretRef > secret proxy key > spec.proxy
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
- If an authentication token is not specified in the provider, attempt to get the token using workload identity.
- Add new field .spec.serviceAccountName to support multi-tenant workload identity as defined in RFC-0010, to use an identity with a service account other than the notification-controller's.
- Use proxy to get the token if specified in provider spec.
- Cache the tokens if enabled in the notification controller options.
- If the address has a SAS connection string, use that for authentication; this takes priority over token authentication.
- If a static JWT token is specified in the secret reference, use it for authentication; this takes priority over the workload identity-acquired token.
- Update RBAC for notification-controller to be able to create service token requests.
- Add unit tests for the 3 authentication mechanisms (SAS, JWT, managed identity).
- Add documentation for using single-tenant and multi-tenant approaches of workload identity with azureeventhub provider.
- Add operation post to github helpers and provider controller for cache event metrics
- Enable token cache by default.
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
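The credential precedence described in the commit above (SAS connection string in the address, then a static JWT from the referenced Secret, then a workload identity token that may be served from a cache), as an added Go example written for this page; it is not the notification-controller's own implementation. It assumes the static token lives under a `token` key of the Secret, uses an assumed Event Hubs audience string, and stands in for the workload identity exchange with a plain function value instead of a Kubernetes TokenRequest. The connection string and token values are constructed, not real credentials.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// AuthMethod is the credential source selected for an Event Hub provider.
type AuthMethod int

const (
	AuthNone             AuthMethod = iota // nothing usable was configured
	AuthSAS                                // connection string embedded in the address
	AuthStaticJWT                          // bearer token stored in the referenced Secret
	AuthWorkloadIdentity                   // token minted at runtime through workload identity
)

func (m AuthMethod) String() string {
	return [...]string{"none", "sas", "jwt", "workload-identity"}[m]
}

// parseSASConnectionString splits an Event Hubs connection string such as
// "Endpoint=sb://ns.servicebus.windows.net/;SharedAccessKeyName=...;SharedAccessKey=...;EntityPath=..."
// into key/value pairs. It reports false when the required fields are missing,
// so a plain hostname or URL in the address is never mistaken for SAS.
// strings.Cut splits on the first '=' only, so base64 key padding survives.
func parseSASConnectionString(address string) (map[string]string, bool) {
	fields := map[string]string{}
	for _, part := range strings.Split(address, ";") {
		if part = strings.TrimSpace(part); part == "" {
			continue
		}
		k, v, found := strings.Cut(part, "=")
		if !found {
			return nil, false
		}
		fields[k] = v
	}
	for _, required := range []string{"Endpoint", "SharedAccessKeyName", "SharedAccessKey"} {
		if fields[required] == "" {
			return nil, false
		}
	}
	return fields, true
}

// TokenSource mints a bearer token for an audience, e.g. by exchanging a
// projected ServiceAccount token for an Azure access token. This signature is
// the example's own assumption, not the controller's interface.
type TokenSource func(audience string) (token string, expiry time.Time, err error)

// tokenCache memoises workload identity tokens until shortly before expiry so
// that every alert does not trigger a fresh token exchange.
type tokenCache struct {
	mu      sync.Mutex
	now     func() time.Time
	skew    time.Duration
	entries map[string]cachedToken
}

type cachedToken struct {
	token  string
	expiry time.Time
}

func newTokenCache(now func() time.Time) *tokenCache {
	return &tokenCache{now: now, skew: 30 * time.Second, entries: map[string]cachedToken{}}
}

// get returns a cached token or mints one through src; hit reports whether the
// cache served the request (the hit/miss event a cache metric would count).
func (c *tokenCache) get(key string, src TokenSource) (token string, hit bool, err error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if e, ok := c.entries[key]; ok && c.now().Add(c.skew).Before(e.expiry) {
		return e.token, true, nil
	}
	tok, exp, err := src(key)
	if err != nil {
		return "", false, err
	}
	c.entries[key] = cachedToken{token: tok, expiry: exp}
	return tok, false, nil
}

// eventHubAudience is the scope requested for an Event Hubs access token.
// Assumed for this example; verify against the Azure documentation.
const eventHubAudience = "https://eventhubs.azure.net/.default"

// selectAuth applies the precedence: SAS connection string in the address,
// then a static JWT under the Secret's "token" key (key name assumed), then a
// workload identity token. A nil cache means caching is disabled.
func selectAuth(address string, secret map[string][]byte, wi TokenSource, cache *tokenCache) (AuthMethod, string, bool, error) {
	if _, ok := parseSASConnectionString(address); ok {
		return AuthSAS, address, false, nil
	}
	if tok := strings.TrimSpace(string(secret["token"])); tok != "" {
		return AuthStaticJWT, tok, false, nil
	}
	if wi == nil {
		return AuthNone, "", false, errors.New("no SAS connection string, static token or workload identity source configured")
	}
	if cache == nil {
		tok, _, err := wi(eventHubAudience)
		return AuthWorkloadIdentity, tok, false, err
	}
	tok, hit, err := cache.get(eventHubAudience, wi)
	return AuthWorkloadIdentity, tok, hit, err
}

func main() {
	// Constructed sample inputs; none of these are real credentials.
	sas := "Endpoint=sb://example.servicebus.windows.net/;SharedAccessKeyName=send;SharedAccessKey=c2VjcmV0a2V5==;EntityPath=flux-alerts"
	secret := map[string][]byte{"token": []byte("eyJhbGciOiJSUzI1NiJ9.e30.sig")}
	clock := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	mints := 0
	wi := func(string) (string, time.Time, error) {
		mints++
		return fmt.Sprintf("wi-token-%d", mints), clock.Add(time.Hour), nil
	}
	cache := newTokenCache(func() time.Time { return clock })
	for _, tc := range []struct {
		name, addr string
		secret     map[string][]byte
	}{
		{"sas in address", sas, secret},
		{"static jwt", "example.servicebus.windows.net", secret},
		{"workload identity", "example.servicebus.windows.net", nil},
		{"workload identity again", "example.servicebus.windows.net", nil},
	} {
		m, _, hit, err := selectAuth(tc.addr, tc.secret, wi, cache)
		fmt.Printf("%-24s method=%s cacheHit=%v err=%v\n", tc.name, m, hit, err)
	}
}
```

The cache key is the audience only; a real multi-tenant controller would also key on the ServiceAccount the token was minted for, otherwise one tenant's cached token could be served to another.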
review comments
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
enable cache by default
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
For backwards compatibility with v1beta2 Provider, add .spec.interval
with deprecation marker.
Interval was an optional field in v1beta2 with an internal default. Only
the users who had explicitly set intervals would have encountered this
incompatibility error after upgrade.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
v1beta3 API for Alert and Provider makes them static objects, removing
the status subresource and spec fields that are relevant to dynamic
objects with reconcilers.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
Receiver .status.url was deprecated in v1beta2 API and replaced with
.status.webhookPath. Remove it from v1 API and all references to it.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
This commit bumps the Receiver API version to v1 in preparation for
the Flux GitOps GA milestone
(https://fluxcd.io/roadmap/#flux-gitops-ga-q1-2023).
We are now actively maintaining two versions of the notification API
group in parallel: v1 which currently only holds the Receiver kind and
v1beta2 for all other kinds.
Since we haven't run into this situation before, I had to change the
way we expose the API docs in ./docs/api: The directory now has
sub-directories for each active API version. Therefore we need to
change our scripts in the website repository to take this change into
account so that we expose both API group versions at
https://fluxcd.io/flux/components/notification/api/. This change is
implemented in https://github.com/fluxcd/website/pull/1427.
refs #436
Signed-off-by: Max Jonas Werner <mail@makk.es>
This has been introduced in #482 but we actually want this feature to
only be available in v1 of the API. A follow-up PR will re-add this to
the v1 API.
Signed-off-by: Max Jonas Werner <mail@makk.es>
Periodically reconcile providers and receivers with their
Secret references to surface config errors after initialisation.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
This sets the `status.observedGeneration` field to -1 by default. This
is a follow-up to https://github.com/fluxcd/helm-controller/pull/294,
porting the same code to the notification-controller so that all Flux
2 controllers work the same way in this regard.
Signed-off-by: Max Jonas Werner <mail@makk.es>
Updates to use metav1.Condition type and removes references for
deprecated corev1.Condition* constants and uses the new k8s api/meta
helpers in place of the old pkg/apis/meta types.
Signed-off-by: Aurel Canciu <aurelcanciu@gmail.com>
Due to required domain changes for the helm-controller so that it
can co-exist in a cluster with the Helm Operator, other Toolkit
components are moving to a *.toolkit.fluxcd.io domain too.