This commit ensures that if the GitHub App secret data contains ca.crt, then a TLS config with the user-provided custom CA is used in the underlying HTTP transports. The ca.crt in the GitHub App secretRef is ignored if certSecretRef is also provided.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): keep Makefile in sync with other controllers
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): use proper func naming format
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): revert Makefile changes
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): add get secret helper
This commit creates a getSecret helper func which can be used to resolve a secret. createNotifier re-uses this helper func to extract and pass secrets down to other methods.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): adds tls test cases
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): remove debug logs
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): adds documentation
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): update docs with mTLS info
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
Add --default-service-account flag for multi-tenant workload identity
lockdown support. This flag sets the default service account name to
be used when .spec.serviceAccountName is not specified in resources.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Updates pkg/runtime dependency to v0.80.0 which removes the need for
the insecure parameter in TLSConfigFromSecretRef. This change removes
the forced ServerName pinning behavior that was causing TLS verification
issues, allowing for more flexible certificate validation.
The TLS config creation now relies on the standard Go TLS verification
process without forcing specific ServerName values, improving
compatibility with various certificate configurations.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Updates pkg/runtime/secrets to v0.75.0 which adds targetURL and insecure
parameters to TLS functions. This resolves ServerName regression that
caused TLS handshake failures in virtual hosting environments.
The Provider API has no insecure field, so certificates are always
verified (insecure=false). This maintains secure-by-default behavior
and is consistent with the original pre-pkg/runtime/secrets implementation.
All 17+ notification providers automatically benefit from proper ServerName
setting through the centralized TLS configuration in createNotifier().
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Replace x509.CertPool with tls.Config across all Git-based notifiers
(GitHub, GitLab, Gitea, Bitbucket, Azure DevOps, GitHub Dispatch) to
enable mutual TLS authentication for enterprise environments.
Adopt runtime/secrets AuthMethodsFromSecret for standardized handling
of Bearer tokens, basic auth, and token auth while maintaining full
backward compatibility with existing Secret formats.
This unifies authentication processing across Git-based providers and
adds mTLS capability without changing API surface or breaking existing
deployments.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
This change removes the generic address validation from event_handlers.go
that was preventing address-optional providers from functioning without
specifying a dummy address value. Some providers generate URLs internally
and don't require external address configuration.
This allows providers that generate URLs internally to work without
requiring dummy address values in the provider configuration.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
This commit addresses the performance issue where spec.secretRef
was being fetched twice - once in extractAuthFromSecret and again
in secrets.BasicAuthFromSecret. The fix moves BasicAuth processing
directly into extractAuthFromSecret using the already-fetched
secret data, eliminating the redundant API call.
This aligns with the special nature of spec.secretRef that contains
multiple authentication methods and follows the advice to not use
runtime/secrets for special requirements as discussed in flux2#5433.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
This commit refactors the createNotifier function to use
pkg/runtime/secrets.BasicAuthFromSecret for standardized BasicAuth
handling while maintaining token-first authentication precedence.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
- Implement mTLS support for 10 postMessage notifiers
- Unify constructor signatures with tlsConfig parameter
- Make TLSConfig field public for consistency
- Update factory functions and fuzz tests
- Add mTLS test cases
- Replace CertPool with TLSConfig using runtime/secrets
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Introduce spec.proxySecretRef to enable secure proxy configuration
through dedicated Secrets. This provides a more secure alternative
to the deprecated spec.proxy field and secret proxy key.
The new field integrates with runtime/secrets for unified proxy
handling and maintains backward compatibility. Deprecation warnings
are implemented for existing proxy configuration methods.
Proxy priority: ProxySecretRef > secret proxy key > spec.proxy
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
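The proxy precedence stated above (ProxySecretRef > secret proxy key > spec.proxy), written out as an added example that is not the controller's own code; the struct fields, warning strings and the assumption that an unparseable proxy URL is rejected are mine:

```go
package main

import (
	"fmt"
	"net/url"
)

// ProxySources collects the three places a proxy may be configured, in the
// order the commit message ranks them. Field names are constructed for this
// example and are not the CRD's own types.
type ProxySources struct {
	ProxySecretRefAddress string // value read from the Secret named by spec.proxySecretRef
	SecretProxyKey        string // "proxy" key inside the spec.secretRef Secret (deprecated)
	SpecProxy             string // spec.proxy field (deprecated)
}

// ResolveProxy returns the effective proxy URL and any deprecation warnings.
// Precedence: ProxySecretRef > secret proxy key > spec.proxy.
func ResolveProxy(s ProxySources) (*url.URL, []string, error) {
	var warnings []string
	var raw string
	switch {
	case s.ProxySecretRefAddress != "":
		raw = s.ProxySecretRefAddress
	case s.SecretProxyKey != "":
		raw = s.SecretProxyKey
		warnings = append(warnings, "the 'proxy' key in spec.secretRef is deprecated, use spec.proxySecretRef")
	case s.SpecProxy != "":
		raw = s.SpecProxy
		warnings = append(warnings, "spec.proxy is deprecated, use spec.proxySecretRef")
	default:
		return nil, nil, nil // no proxy configured at all
	}
	// Assumption: a proxy value that is not an absolute URL is a config error.
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return nil, warnings, fmt.Errorf("invalid proxy URL %q", raw)
	}
	return u, warnings, nil
}

func main() {
	// Constructed input: only the deprecated sources are set, so the
	// secret proxy key wins and a deprecation warning is produced.
	u, w, err := ResolveProxy(ProxySources{SecretProxyKey: "http://old-proxy:3128", SpecProxy: "http://older:8080"})
	fmt.Println(u, w, err)
}
```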
- If authentication token is not specified in provider, attempt to get the token using workload identity.
- Add new field .spec.serviceAccountName to support multi-tenant workload identity as defined in RFC-0010 to use an identity with a service account other than the notification-controller.
- Use proxy to get the token if specified in provider spec.
- Cache the tokens if enabled in the notification controller options.
- If the address has a SAS connection string, use that for authentication; this takes priority over token authentication.
- If a static JWT token is specified in the secret reference, use it for authentication; this takes priority over a workload identity-acquired token.
- Update RBAC for notification-controller to be able to create service token requests.
- Add unit tests for the 3 authentication mechanisms (SAS, JWT, managed identity).
- Add documentation for using single-tenant and multi-tenant approaches of workload identity with azureeventhub provider.
- Add operation post to github helpers and provider controller for cache event metrics
- Enable token cache by default.
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
review comments
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
enable cache by default
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
- Add providerOpts in notifier to configure authentication options for various providers.
- If token/password are not set to a PAT, check if GitHub App details are configured in the secret and, if found, authenticate using the GitHub App by retrieving an app installation token.
- If proxy is specified in the provider spec OR in the secret, configure github app authentication to fetch the installation token over the proxy.
- Add unit tests for providers.
- Update documentation describing the usage of github app authentication with the providers.
- Add token cache to notification controller to cache and re-use the tokens.
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
Flag detailed-metrics added to provide a way to disable exposing all accessed paths to the metrics and prevent potential metrics cardinality explosion
Signed-off-by: Alexey Kuzbekov <alexey@kuzbekov.me>
eventv1.MetaTokenKey is required to be considered in rate limiting but
it is only for internal use by flux components and should not be sent to
the alert provider. Remove eventv1.MetaTokenKey from the metadata of
event before processing the event for various matching alerts.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
The provider address is already capped at 2048 bytes in the CRD and
this commit adds the same upper limit when reading the address from a
Secret.
Signed-off-by: Max Jonas Werner <mail@makk.es>
Use the context containing proper information about the event for
logging. Previously, the logged error didn't contain any information
about the event, alert or the involved object.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
Emit events in the event handler along with logs on the respective alert
to make the message visible on the alert it belongs to.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
- Break down the EventServer.handleEvent() implementation into multiple
smaller functions which are extensively tested on their own.
- New implementation of filter Alerts for Event
- New implementation of Event matches Alert
- Remove any readiness check on Alert or Provider.
- Add kubebuilder marker for generating RBAC permissions to create and
patch events, and query Alert and Provider objects.
- Convert the event handler test from controllers/ dir to work with
just EventServer without any reconciler, keeping all the test cases
and slightly modified test set up code.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
This is to prevent collisions between different event attributes.
For example when first an event with revision `foo` is received
without a token, after which a token `foo` is received without a
revision.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
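The collision described above, reproduced and then avoided in an added example that is not the controller's own code: a key built from bare values cannot tell revision `foo` from token `foo`, whereas a key that names and quotes each attribute can (the map type and key layout are assumptions made for this illustration):

```go
package main

import (
	"fmt"
	"sort"
)

// EventAttrs are the event attributes that feed the rate-limit key
// (constructed for this example; not the controller's own type).
type EventAttrs map[string]string

// naiveKey concatenates bare values. Revision "foo" with no token and token
// "foo" with no revision both yield "foo/", the collision the commit describes.
func naiveKey(a EventAttrs) string {
	key := ""
	for _, n := range sortedNames(a) {
		key += a[n] + "/"
	}
	return key
}

// qualifiedKey tags every value with its attribute name and quotes it, so
// values from different attributes, or values that contain the separator,
// can no longer produce the same key.
func qualifiedKey(a EventAttrs) string {
	key := ""
	for _, n := range sortedNames(a) {
		key += fmt.Sprintf("%s=%q/", n, a[n])
	}
	return key
}

// sortedNames gives a deterministic attribute order regardless of map iteration.
func sortedNames(a EventAttrs) []string {
	names := make([]string, 0, len(a))
	for n := range a {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

func main() {
	rev := EventAttrs{"revision": "foo"} // constructed: first event, no token
	tok := EventAttrs{"token": "foo"}    // constructed: second event, no revision
	fmt.Println("naive collides:", naiveKey(rev) == naiveKey(tok))
	fmt.Println("qualified collides:", qualifiedKey(rev) == qualifiedKey(tok))
}
```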