This commit ensures that if the GitHub App secret data contains ca.crt, then a TLS config with the user-provided custom CA is used in the underlying HTTP transports. The ca.crt in the GitHub App secretRef is ignored if certSecretRef is also provided.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): keep Makefile in sync with other controllers
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): use proper func naming format
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): revert Makefile changes
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): add get secret helper
This commit creates a getSecret helper func which can be used to resolve a secret. createNotifier re-uses this helper func to extract and pass secrets down to other methods.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): adds TLS test cases
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): remove debug logs
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): adds documentation
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): update docs with mTLS info
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
Add --default-service-account flag for multi-tenant workload identity
lockdown support. This flag sets the default service account name to
be used when .spec.serviceAccountName is not specified in resources.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Updates pkg/runtime dependency to v0.80.0 which removes the need for
the insecure parameter in TLSConfigFromSecretRef. This change removes
the forced ServerName pinning behavior that was causing TLS verification
issues, allowing for more flexible certificate validation.
The TLS config creation now relies on the standard Go TLS verification
process without forcing specific ServerName values, improving
compatibility with various certificate configurations.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Add comprehensive workload identity documentation for both Google Pub/Sub and Azure DevOps providers.
Include controller-level and object-level authentication patterns with feature gate requirements
and setup instructions for multi-tenant environments.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Add support for object-level GCP workload identity authentication to enable
individual Providers to authenticate using their own ServiceAccount without
needing to manage JSON credentials. This extends beyond the existing
controller-level workload identity that is automatically handled by
Google libraries.
The implementation maintains backward compatibility by prioritizing
JSON credentials when both authentication methods are available.
Proxy support is also added following the Azure DevOps pattern
for consistency across notifiers.
This change is part of the broader effort to support multi-tenant
workload identity across Flux controllers (RFC-0010).
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Reorganize Certificate secret reference section to prioritize mutual TLS
authentication discovery and reduce user friction. The previous structure
buried mTLS information within generic certificate documentation, causing
users to miss this important security feature.
Move provider compatibility validation before configuration examples to
prevent wasted effort with unsupported providers. Create dedicated sections
for mTLS and CA-only authentication with complete examples and clear
explanations of field requirements.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
These notifiers were using x509.CertPool which only supports CA
certificates for server authentication. By migrating to tls.Config,
they now support mutual TLS authentication with client certificates.
This enables secure communication in enterprise environments that
require client certificate authentication, completing the runtime/secrets
migration for these remaining notifiers.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Updates pkg/runtime/secrets to v0.75.0 which adds targetURL and insecure
parameters to TLS functions. This resolves ServerName regression that
caused TLS handshake failures in virtual hosting environments.
The Provider API has no insecure field, so certificates are always
verified (insecure=false). This maintains secure-by-default behavior
and is consistent with the original pre-pkg/runtime/secrets implementation.
All 17+ notification providers automatically benefit from proper ServerName
setting through the centralized TLS configuration in createNotifier().
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
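The TLS behaviour described across these commits (ca.crt from the GitHub App secret used as a custom CA unless certSecretRef is present, mutual TLS via a client certificate in tls.Config rather than a bare x509.CertPool, ServerName taken from the target URL, and verification never disabled) can be shown in one small Go program. This is an added example, not code from notification-controller or from pkg/runtime/secrets; the functions tlsConfigFromSecrets, selfSignedPEM and trustedBy, the hypothetical GitHub Enterprise URL, and the secret key names ca.crt, tls.crt and tls.key are assumptions made for the illustration. The certificates are generated in memory at run time, so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Secret data keys, following the usual Kubernetes TLS secret convention (assumed here).
const (
	keyCACert = "ca.crt"
	keyCert   = "tls.crt"
	keyKey    = "tls.key"
)

// tlsConfigFromSecrets is a hypothetical helper (not the project's API) implementing the
// precedence described in the commits: data from the cert secret (certSecretRef) wins,
// and ca.crt in the app secret is consulted only when no cert secret is given.
// ServerName is derived from targetURL and InsecureSkipVerify is never set.
// It returns nil when neither secret carries TLS material, so the caller keeps the
// default transport.
func tlsConfigFromSecrets(appSecret, certSecret map[string][]byte, targetURL string) (*tls.Config, error) {
	u, err := url.Parse(targetURL)
	if err != nil || u.Hostname() == "" {
		return nil, fmt.Errorf("invalid target URL %q", targetURL)
	}
	src := certSecret
	if src == nil {
		ca, ok := appSecret[keyCACert]
		if !ok {
			return nil, nil // no custom TLS material anywhere: use system roots, no mTLS
		}
		src = map[string][]byte{keyCACert: ca} // CA-only fallback from the app secret
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, ServerName: u.Hostname()}
	if ca, ok := src[keyCACert]; ok {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(ca) {
			return nil, errors.New("ca.crt contains no PEM certificates")
		}
		cfg.RootCAs = pool
	}
	crt, hasCrt := src[keyCert]
	key, hasKey := src[keyKey]
	if hasCrt != hasKey {
		return nil, errors.New("tls.crt and tls.key must be provided together for mTLS")
	}
	if hasCrt {
		pair, err := tls.X509KeyPair(crt, key)
		if err != nil {
			return nil, fmt.Errorf("client certificate: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair} // presented to the server during the handshake
	}
	return cfg, nil
}

// selfSignedPEM generates throwaway self-signed test material (constructed, not real CA data).
func selfSignedPEM(cn string, isCA bool) (certPEM, keyPEM []byte) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		panic(err)
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

// trustedBy reports whether certPEM chains to the roots configured in cfg.
func trustedBy(cfg *tls.Config, certPEM []byte) bool {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return false
	}
	c, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false
	}
	_, err = c.Verify(x509.VerifyOptions{Roots: cfg.RootCAs})
	return err == nil
}

func main() {
	appCA, _ := selfSignedPEM("app-ca", true)
	customCA, _ := selfSignedPEM("custom-ca", true)
	clientCrt, clientKey := selfSignedPEM("notifier-client", false)
	target := "https://ghe.example.internal/api/v3" // hypothetical GitHub Enterprise endpoint

	appSecret := map[string][]byte{keyCACert: appCA} // app credentials omitted for brevity
	cfg, _ := tlsConfigFromSecrets(appSecret, nil, target)
	fmt.Printf("app secret only: server=%s appCA trusted=%v client certs=%d\n",
		cfg.ServerName, trustedBy(cfg, appCA), len(cfg.Certificates))

	certSecret := map[string][]byte{keyCACert: customCA, keyCert: clientCrt, keyKey: clientKey}
	cfg, _ = tlsConfigFromSecrets(appSecret, certSecret, target)
	fmt.Printf("certSecretRef set: appCA trusted=%v customCA trusted=%v client certs=%d\n",
		trustedBy(cfg, appCA), trustedBy(cfg, customCA), len(cfg.Certificates))
}
```

The second case is the one the first commit describes: once certSecretRef is present, the app secret's ca.crt is not merged into the pool, so a server chained to it would fail verification; that is the intended precedence rather than an oversight, and it keeps a single source of truth for the trust anchors. Note also that the config never touches InsecureSkipVerify, matching the secure-by-default point in the last commit.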