Commit Graph

179 Commits

Author SHA1 Message Date
Dipti Pai 3ee0e7a8cd Provider Azure Event Hub - Remove JWT auth from docs
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
2025-09-05 11:21:23 -07:00
Adrian Fernandez De La Torre a332f9c326 Setup OTEL provider type
Signed-off-by: Adrian Fernandez De La Torre <adri1197@gmail.com>
2025-09-05 11:02:14 +02:00
Matheus Pimenta de328fa438
Introduce zulip alert provider
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2025-09-04 19:08:06 +01:00
Stefan Prodan e2151f5632
Migrate tests to Gomega
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2025-08-31 13:50:53 +03:00
abhijith-darshan 4eae0d34da
Add support for mTLS to GitHub App transport
This commit ensures that if GitHub app secret data contains ca.crt then a TLS config with user provided custom ca is used in the underlying HTTP transports. The ca.crt in GitHub App secretRef is ignored if certSecretRef is also provided.

Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>

(chore): keep Makefile in sync with other controllers

Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>

(chore): use proper func naming format

Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>

(chore): revert Makefile changes

Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>

(chore): add get secret helper

This commit creates a getSecret helper func which can be used to resolve secret. createNotifier re-uses this helper func to extract and pass secrets down to other methods

Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>

(chore): adds tls test cases

Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>

(chore): remove debug logs

Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>

(chore): adds documentation

Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>

(chore): update docs with mTLS info

Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
2025-08-18 11:03:43 +02:00
cappyzawa 10a6172536
[RFC-0010] Add default-service-account for lockdown
Add --default-service-account flag for multi-tenant workload identity
lockdown support. This flag sets the default service account name to
be used when .spec.serviceAccountName is not specified in resources.

Signed-off-by: cappyzawa <cappyzawa@gmail.com>
2025-08-18 01:44:25 +09:00
cappyzawa 43b3104555
Add object-level workload identity support to Google Pub/Sub notifier
Add support for object-level GCP workload identity authentication to enable
individual Providers to authenticate using their own ServiceAccount without
needing to manage JSON credentials. This extends beyond the existing
controller-level workload identity that is automatically handled by
Google libraries.

The implementation maintains backward compatibility by prioritizing
JSON credentials when both authentication methods are available.
Proxy support is also added following the Azure DevOps pattern
for consistency across notifiers.

This change is part of the broader effort to support multi-tenant
workload identity across Flux controllers (RFC-0010).

Signed-off-by: cappyzawa <cappyzawa@gmail.com>
2025-08-03 07:35:37 +09:00
Matheus Pimenta 3e69e745a3
Introduce proper basic auth support for Alertmanager Provider
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2025-07-28 11:32:41 +01:00
cappyzawa 67c049d3c7
Add mTLS support for DataDog and Sentry notifiers
These notifiers were using x509.CertPool which only supports CA
certificates for server authentication. By migrating to tls.Config,
they now support mutual TLS authentication with client certificates.

This enables secure communication in enterprise environments that
require client certificate authentication, completing the runtime/secrets
migration for these remaining notifiers.

Signed-off-by: cappyzawa <cappyzawa@gmail.com>
2025-07-22 14:23:12 +09:00
cappyzawa 0c1801906a
Add mTLS support for git-based notifiers
Replace x509.CertPool with tls.Config across all Git-based notifiers
(GitHub, GitLab, Gitea, Bitbucket, Azure DevOps, GitHub Dispatch) to
enable mutual TLS authentication for enterprise environments.

Adopt runtime/secrets AuthMethodsFromSecret for standardized handling
of Bearer tokens, basic auth, and token auth while maintaining full
backward compatibility with existing Secret formats.

This unifies authentication processing across Git-based providers and
adds mTLS capability without changing API surface or breaking existing
deployments.

Signed-off-by: cappyzawa <cappyzawa@gmail.com>
2025-07-19 08:31:47 +09:00
Dipti Pai dc8e92c119 Azure OIDC integration updates:
- Azure DevOps commit status update using Managed Identity.
- Migrate Azure Event Hubs to new ProducerClient (azeventhubs) sdk
- Unit Tests and doc update

Signed-off-by: Dipti Pai <diptipai89@outlook.com>
2025-07-18 07:58:13 -07:00
cappyzawa 955d24142c
Make address field optional for providers that generate URLs internally
This change removes the generic address validation from event_handlers.go
that was preventing address-optional providers from functioning without
specifying a dummy address value. Some providers generate URLs internally
and don't require external address configuration.

This allows providers that generate URLs internally to work without
requiring dummy address values in the provider configuration.

Signed-off-by: cappyzawa <cappyzawa@gmail.com>
2025-07-16 00:13:29 +09:00
Matheus Pimenta febff88be7
Upgrade Kubernetes to 1.33.2
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2025-07-14 16:45:44 +01:00
cappyzawa e4160c509c
fixup! Add proxy support to Telegram notifier
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
2025-07-08 21:42:27 +09:00
cappyzawa fc4adfd030
Add proxy support to Telegram notifier
Replace shoutrrr with direct Telegram Bot API calls to enable proxy
configuration through postMessage function.

Signed-off-by: cappyzawa <cappyzawa@gmail.com>
2025-07-08 00:15:02 +09:00
cappyzawa 98ecf2de79
Add mTLS support for postMessage-based notifiers
- Implement mTLS support for 10 postMessage notifiers
- Unify constructor signatures with tlsConfig parameter
- Make TLSConfig field public for consistency
- Update factory functions and fuzz tests
- Add mTLS test cases
- Replace CertPool with TLSConfig using runtime/secrets

Signed-off-by: cappyzawa <cappyzawa@gmail.com>
2025-07-03 21:39:16 +09:00
Hidehito Yabuuchi 882383e44c Fix Slack chat.postMessage error handling
Signed-off-by: Hidehito Yabuuchi <hdht.ybuc@gmail.com>
2025-05-24 18:23:45 +09:00
Matheus Pimenta 637d55d0b9
Upgrade fluxcd/pkg auth and git
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2025-05-07 18:17:38 +01:00
Dipti Pai 0beb3d02f7 Managed Identity support for Azure Event Hubs. Changes include -
- If authentication token is not specified in provider, attempt to get the token using workload identity.
- Add new field .spec.serviceAccountName to support multi-tenant workload identity as defined in RFC-0010 to use an identity with a service account other than the notification-controller.
- Use proxy to get the token if specified in provider spec.
- Cache the tokens if enabled in the notification controller options.
- If address has SAS connection string, use that for authentication, this takes priority over token-authentication
- If static JWT token is specified in the secret reference, use it for authentication, this takes priority over workload identity-acquired token.
- Update RBAC for notification-controller to be able to create service token requests.
- Add unit tests for the 3 authentication mechanisms (SAS, JWT, managed identity).
- Add documentation for using single-tenant and multi-tenant approaches of workload identity with azureeventhub provider.
- Add operation post to github helpers and provider controller for cache event metrics
- Enable token cache by default.

Signed-off-by: Dipti Pai <diptipai89@outlook.com>

review comments

Signed-off-by: Dipti Pai <diptipai89@outlook.com>

enable cache by default

Signed-off-by: Dipti Pai <diptipai89@outlook.com>
2025-05-05 12:03:52 -07:00
Sergey Dreger 0338a311f4 feat: add 'proxyURL' support to Gitea notifier
Signed-off-by: Sergey Dreger <sergey.dreger@gmail.com>
2025-04-09 15:06:49 +03:00
Sergey Dreger 30d8d01687 fix: pass 'certPool' to Gitea client on creation
It is required when a custom CA is passed, otherwise the
gitea.NewClient() call will fail with the 'tls: failed to verify
certificate: x509: certificate signed by unknown authority' error.
The current version of the Gitea SDK performs a call to the
'/api/v1/version' endpoint during new client creation, so the
'certPool' must be passed when creating the client.

Resolves: #1083
Signed-off-by: Sergey Dreger <sergey.dreger@gmail.com>
2025-03-23 17:17:41 +02:00
Dipti Pai bc7166d419 [RFC-007] GitHub App authentication support for github and github-dispatch providers.
- Add providerOpts in notifier to configure authentication options for various providers.
- If token/password are not set to PAT, check if github app details are configured in secret and, if found, authenticate using github-app by retrieving app installation token.
- If proxy is specified in the provider spec OR in the secret, configure github app authentication to fetch the installation token over the proxy.
- Add unit tests for providers.
- Update documentation describing the usage of github app authentication with the providers.
- Add token cache to notification controller to cache and re-use the tokens.

Signed-off-by: Dipti Pai <diptipai89@outlook.com>
2025-03-20 14:18:10 -07:00
kathleen french 1967bc0c74 feat: support CEL expressions to construct commit statuses for v1beta3 provider types
Signed-off-by: kathleen french <kfrench@groq.com>
2025-03-14 08:53:55 -04:00
Matheus Pimenta 7a34aee2bd
Add involved object reference as annotations for the grafana provider
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2025-02-12 14:10:13 +00:00
Moritz Rieger 764123c6d3 fix: adding of duplicate commit statuses in gitlab
RESOLVES #1009

Signed-off-by: Moritz Rieger <moritz.rieger@exaring.de>
2025-01-31 09:00:27 +01:00
Georgi Panov ecc3395615 Add support for Bearer Token authentication to Provider alertmanager
Signed-off-by: Georgi Panov <77702912+d4rkfella@users.noreply.github.com>
Signed-off-by: Darkfella91 <darkfella91@gmail.com>

Update alertmanager_test.go

Signed-off-by: Georgi Panov <77702912+d4rkfella@users.noreply.github.com>
Signed-off-by: Darkfella91 <darkfella91@gmail.com>

Update alertmanager_fuzz_test.go

Signed-off-by: Georgi Panov <77702912+d4rkfella@users.noreply.github.com>
Signed-off-by: Darkfella91 <darkfella91@gmail.com>

Update factory.go

Signed-off-by: Georgi Panov <77702912+d4rkfella@users.noreply.github.com>
Signed-off-by: Darkfella91 <darkfella91@gmail.com>

Update factory.go

Signed-off-by: Darkfella91 <darkfella91@gmail.com>

Fix a mistake with the last commit to update the docs

Signed-off-by: Darkfella91 <darkfella91@gmail.com>

Fix another formatting issue

Signed-off-by: Darkfella91 <darkfella91@gmail.com>

Screwed up my previous commit so implementing the suggested changes again and fixed formatting for the structs

Signed-off-by: Darkfella91 <darkfella91@gmail.com>

Tried to use better wording, to outline that authentication is optional

Signed-off-by: Darkfella91 <darkfella91@gmail.com>

Another small change to the explanation for bearer token authentication

Signed-off-by: Darkfella91 <darkfella91@gmail.com>

Fix incorrect article usage and the configured address example as suggested

Signed-off-by: Darkfella91 <darkfella91@gmail.com>
2025-01-26 23:43:03 +02:00
Matheus Pimenta e0b98ca519
Add support for MetaOriginRevisionKey from the Event API
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2025-01-21 08:28:31 +00:00
Valentin Flaux 56c5a5a4bc
msteams notifier: adaptive cards full width
Configure the adaptive card to expand and make full use of extra canvas
space in teams.

Signed-off-by: Valentin Flaux <38909103+vflaux@users.noreply.github.com>
2025-01-13 16:50:46 +01:00
Erik Godding Boye f3438f7709
Migrate to gitlab.com/gitlab-org/api/client-go
Signed-off-by: Erik Godding Boye <egboye@gmail.com>
2025-01-03 13:36:13 +01:00
Stefan Prodan b2ab2c2b07
Update go-github to v63
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2024-09-26 15:05:47 +03:00
Matheus Pimenta e0cf7a1fc7 Add MS Adaptive Card payload to `msteams` Provider
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2024-09-12 11:00:51 -03:00
Matheus Pimenta bd12728d0f Upgrade dependencies
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2024-08-15 09:03:03 -03:00
Max Jonas Werner f9610afa8d
Fix telegram test flake
The test would sometimes fail because the metadata lines are built
from a map and map iteration order in Go is non-deterministic.
Therefore, the lines may be ordered differently between different test
runs.

Now, the test sorts the metadata lines of the telegram message so they
are always the same and only then verifies the expected output.

closes #867

Signed-off-by: Max Jonas Werner <max.werner@associmates.eu>
2024-08-01 15:50:58 +02:00
Max Jonas Werner e70166d5e3
Add test for telegram notifier
This test will make sure we're properly escaping the message and
constructing the URL correctly.

Signed-off-by: Max Jonas Werner <max.werner@associmates.eu>
2024-06-25 10:16:08 +02:00
hohohong 0f8ff3c0d8
telegram notifier should escape with metadata key
Signed-off-by: hohohong <github@m.hs1o.dev>
2024-06-25 10:16:08 +02:00
Timur Demin 531c5873e7 Alertmanager: Change timestamp label to .StartsAt
notification-controller posted all outgoing Alertmanager alerts with
"timestamp" label, effectively preventing grouping alerts related to the
same resource and forcing users to configure a separate alert receiver
with `send_resolved: false`.

This changes it to instead set "startsAt", which was previously set
(automatically by Alertmanager) to alert posting time. "endsAt" remains
unset, as we have no way of figuring that out but the reconciliation
interval of the resource that generated the alert, which can currently
only be found out by making a Kubernetes API round-trip.

Note that this requires users to adapt alert templates that relied on
.Labels.Timestamp.

Signed-off-by: Timur Demin <me@tdem.in>
2024-04-27 16:20:12 +05:00
Gaurav Dasson 633e33bf4b Add support for Bitbucket Context path - Fix issue #742
Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>
2024-04-20 23:56:03 -05:00
al-lac 94ce6da0f2 Add severity to opsgenie Details payload
Co-authored-by: souleb <bah.soule@gmail.com>
Signed-off-by: al-lac <lackner.alex@gmail.com>
2024-04-19 14:36:35 +02:00
Soule BA e3ae7c2d48
refactor notifier factory
Signed-off-by: Soule BA <bah.soule@gmail.com>
2024-04-09 22:21:11 +02:00
Stefan Prodan 952ccd000f
Use the password as fallback for Git provider token auth
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2024-04-09 18:59:04 +03:00
Anatoly Medvedkov bf918b9b3c Fix Telegram MarkdownV2 escaping
Current implementation was missing '*' symbol.

Signed-off-by: Anatoly Medvedkov <32126+coding4food@users.noreply.github.com>
2024-03-21 13:41:04 +03:00
Stefan Prodan aef940033c
Fix timeout propagation for alerts
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2024-03-07 16:30:39 +02:00
Stefan Prodan 32c59b2474
Fix BitBucket status update panic
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2024-01-30 15:23:38 +02:00
Arthur ANDRIEU 5371d8a79d fix(grafana-provider): replace ":" character in eventMetadata
Signed-off-by: Arthur Andrieu <arthur.andrieu@gmail.com>
2024-01-11 19:16:00 +01:00
Hector Fernandez 39a3853c5c replace whilp/git-urls module by chainguard-dev/git-urls
Signed-off-by: Hector Fernandez <hector@chainguard.dev>
2023-12-06 09:38:59 +01:00
Toby Watson 427d20046e
Add NATS provider to v1beta3
Signed-off-by: Toby Watson <SkullKidCode@users.noreply.github.com>
2023-11-30 23:19:21 +00:00
Sunny 4bf469e61b Add Alert and Provider v1beta3 API
v1beta3 API for Alert and Provider makes them static objects, removing
the status subresource and spec fields that are relevant to dynamic
objects with reconcilers.

Signed-off-by: Sunny <darkowlzz@protonmail.com>
2023-11-28 16:17:03 +05:30
gdasson 504dc991cc Adding bitbucketserver provider for git commit status
Signed-off-by: gdasson <gaurav.dasson@gmail.com>
2023-11-20 23:17:04 -06:00
Hidde Beydals bdda58062f
misc: handle `strings.Title` deprecation
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-10-11 15:01:29 +02:00
Hidde Beydals 16fb90ed84
misc: remove redundant `break` statements
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-10-10 12:07:32 +02:00