This commit ensures that if GitHub App secret data contains ca.crt then a TLS config with the user-provided custom CA is used in the underlying HTTP transports. The ca.crt in the GitHub App secretRef is ignored if certSecretRef is also provided.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): keep Makefile in sync with other controllers
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): use proper func naming format
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): revert Makefile changes
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): add get secret helper
This commit creates a getSecret helper func which can be used to resolve a secret. createNotifier re-uses this helper func to extract and pass secrets down to other methods.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): adds tls test cases
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): remove debug logs
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): adds documentation
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): update docs with mTLS info
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
Add comprehensive workload identity documentation for both Google Pub/Sub and Azure DevOps providers.
Include controller-level and object-level authentication patterns with feature gate requirements
and setup instructions for multi-tenant environments.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Reorganize Certificate secret reference section to prioritize mutual TLS
authentication discovery and reduce user friction. The previous structure
buried mTLS information within generic certificate documentation, causing
users to miss this important security feature.
Move provider compatibility validation before configuration examples to
prevent wasted effort with unsupported providers. Create dedicated sections
for mTLS and CA-only authentication with complete examples and clear
explanations of field requirements.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
These notifiers were using x509.CertPool which only supports CA
certificates for server authentication. By migrating to tls.Config,
they now support mutual TLS authentication with client certificates.
This enables secure communication in enterprise environments that
require client certificate authentication, completing the runtime/secrets
migration for these remaining notifiers.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Replace x509.CertPool with tls.Config across all Git-based notifiers
(GitHub, GitLab, Gitea, Bitbucket, Azure DevOps, GitHub Dispatch) to
enable mutual TLS authentication for enterprise environments.
Adopt runtime/secrets AuthMethodsFromSecret for standardized handling
of Bearer tokens, basic auth, and token auth while maintaining full
backward compatibility with existing Secret formats.
This unifies authentication processing across Git-based providers and
adds mTLS capability without changing API surface or breaking existing
deployments.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
- Azure DevOps commit status update using Managed Identity.
- Migrate Azure Event Hubs to new ProducerClient (azeventhubs) sdk
- Unit Tests and doc update
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
This change removes the generic address validation from event_handlers.go
that was preventing address-optional providers from functioning without
specifying a dummy address value. Some providers generate URLs internally
and don't require external address configuration.
This allows providers that generate URLs internally to work without
requiring dummy address values in the provider configuration.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Replace shoutrrr with direct Telegram Bot API calls to enable proxy
configuration through postMessage function.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
- Implement mTLS support for 10 postMessage notifiers
- Unify constructor signatures with tlsConfig parameter
- Make TLSConfig field public for consistency
- Update factory functions and fuzz tests
- Add mTLS test cases
- Replace CertPool with TLSConfig using runtime/secrets
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
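The commits above (custom ca.crt handling with certSecretRef precedence, and the move from x509.CertPool to tls.Config so that notifiers can present a client certificate) describe the same small piece of logic. The following is an added example, not code from the notification-controller or runtime/secrets; the secret key names ca.crt, tls.crt and tls.key follow the kubernetes.io/tls convention, and the function names, the resolveTLSConfig precedence helper and the generated test certificate are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// Secret keys follow the kubernetes.io/tls convention; naming them here is
// this example's choice, not a reference to the controller's own constants.
const keyCACert, keyTLSCert, keyTLSKey = "ca.crt", "tls.crt", "tls.key"

// tlsConfigFromSecretData turns secret data into a *tls.Config. ca.crt alone
// verifies the server against a custom CA (all a CertPool could express); tls.crt
// plus tls.key also present a client certificate, which is what enables mutual TLS.
func tlsConfigFromSecretData(data map[string][]byte) (*tls.Config, error) {
	ca, hasCA := data[keyCACert]
	crt, hasCrt := data[keyTLSCert]
	key, hasKey := data[keyTLSKey]
	if !hasCA && !hasCrt && !hasKey {
		return nil, nil // no TLS material: caller keeps the default transport
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if hasCA {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(ca) {
			return nil, fmt.Errorf("%s contains no valid PEM certificate", keyCACert)
		}
		cfg.RootCAs = pool
	}
	if hasCrt != hasKey {
		return nil, errors.New("tls.crt and tls.key must be provided together")
	}
	if hasCrt {
		pair, err := tls.X509KeyPair(crt, key)
		if err != nil {
			return nil, fmt.Errorf("client certificate: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return cfg, nil
}

// resolveTLSConfig applies the precedence from the first commit: a certSecretRef
// secret wins outright and any ca.crt in the GitHub App secret is then ignored.
func resolveTLSConfig(certSecret, appSecret map[string][]byte) (*tls.Config, error) {
	if certSecret != nil {
		return tlsConfigFromSecretData(certSecret)
	}
	if ca, ok := appSecret[keyCACert]; ok { // only ca.crt is read from the app secret
		return tlsConfigFromSecretData(map[string][]byte{keyCACert: ca})
	}
	return nil, nil
}

// selfSignedPEM generates throwaway, constructed test material (CA and client cert in one).
func selfSignedPEM() ([]byte, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-client"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	keyDER, err2 := x509.MarshalECPrivateKey(priv)
	if err != nil || err2 != nil {
		return nil, nil, fmt.Errorf("generate test material: %v %v", err, err2)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil
}

func main() {
	crt, key, err := selfSignedPEM()
	if err != nil {
		panic(err)
	}
	cfg, err := resolveTLSConfig(map[string][]byte{keyCACert: crt, keyTLSCert: crt, keyTLSKey: key}, nil)
	if err != nil {
		panic(err)
	}
	tr := http.DefaultTransport.(*http.Transport).Clone() // the notifier's HTTP transport
	tr.TLSClientConfig = cfg
	fmt.Printf("custom CA: %v, client certs: %d\n", cfg.RootCAs != nil, len(cfg.Certificates))
}
```

The two rejection paths (unparseable ca.crt, and tls.crt without tls.key) are the checks worth keeping: silently ignoring bad material would leave the notifier using system roots, so a user who thought they had pinned a private CA would get no signal that the pin never took effect.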
Introduce spec.proxySecretRef to enable secure proxy configuration
through dedicated Secrets. This provides a more secure alternative
to the deprecated spec.proxy field and secret proxy key.
The new field integrates with runtime/secrets for unified proxy
handling and maintains backward compatibility. Deprecation warnings
are implemented for existing proxy configuration methods.
Proxy priority: ProxySecretRef > secret proxy key > spec.proxy
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
- If an authentication token is not specified in the provider, attempt to get the token using workload identity.
- Add new field .spec.serviceAccountName to support multi-tenant workload identity as defined in RFC-0010 to use an identity with a service account other than the notification-controller.
- Use proxy to get the token if specified in provider spec.
- Cache the tokens if enabled in the notification controller options.
- If the address has a SAS connection string, use that for authentication; this takes priority over token authentication.
- If a static JWT token is specified in the secret reference, use it for authentication; this takes priority over a workload-identity-acquired token.
- Update RBAC for notification-controller to be able to create service token requests.
- Add unit tests for the 3 authentication mechanisms (SAS, JWT, managed identity).
- Add documentation for using single-tenant and multi-tenant approaches of workload identity with azureeventhub provider.
- Add operation post to github helpers and provider controller for cache event metrics
- Enable token cache by default.
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
review comments
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
enable cache by default
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
- Add providerOpts in notifier to configure authentication options for various providers.
- If token/password are not set to a PAT, check if GitHub App details are configured in the secret and, if found, authenticate using the GitHub App by retrieving an app installation token.
- If proxy is specified in the provider spec OR in the secret, configure github app authentication to fetch the installation token over the proxy.
- Add unit tests for providers.
- Update documentation describing the usage of github app authentication with the providers.
- Add token cache to notification controller to cache and re-use the tokens.
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
The current GitLab API does not accept a project name for setting git commit
status; a project ID must be used.
Signed-off-by: Sebastian Woehrl <sebastian.woehrl@maibornwolff.de>
Signed-off-by: Georgi Panov <77702912+d4rkfella@users.noreply.github.com>
Signed-off-by: Darkfella91 <darkfella91@gmail.com>
Update alertmanager_test.go
Signed-off-by: Georgi Panov <77702912+d4rkfella@users.noreply.github.com>
Signed-off-by: Darkfella91 <darkfella91@gmail.com>
Update alertmanager_fuzz_test.go
Signed-off-by: Georgi Panov <77702912+d4rkfella@users.noreply.github.com>
Signed-off-by: Darkfella91 <darkfella91@gmail.com>
Update factory.go
Signed-off-by: Georgi Panov <77702912+d4rkfella@users.noreply.github.com>
Signed-off-by: Darkfella91 <darkfella91@gmail.com>
Update factory.go
Signed-off-by: Darkfella91 <darkfella91@gmail.com>
Fix a mistake with the last commit to update the docs
Signed-off-by: Darkfella91 <darkfella91@gmail.com>
Fix another formatting issue
Signed-off-by: Darkfella91 <darkfella91@gmail.com>
Screwed up my previous commit, so implementing the suggested changes again and fixing formatting for the structs
Signed-off-by: Darkfella91 <darkfella91@gmail.com>
Tried to use better wording, to outline that authentication is optional
Signed-off-by: Darkfella91 <darkfella91@gmail.com>
Another small change to the explanation for bearer token authentication
Signed-off-by: Darkfella91 <darkfella91@gmail.com>
Fix incorrect article usage and the configured address example as suggested
Signed-off-by: Darkfella91 <darkfella91@gmail.com>
notification-controller posted all outgoing Alertmanager alerts with a
"timestamp" label, effectively preventing the grouping of alerts related to
the same resource and forcing users to configure a separate alert receiver
with `send_resolved: false`.
This changes it to instead set "startsAt", which was previously set
(automatically by Alertmanager) to the alert posting time. "endsAt" remains
unset, as we have no way of determining it other than from the reconciliation
interval of the resource that generated the alert, which can currently
only be found out by making a Kubernetes API round-trip.
Note that this requires users to adapt alert templates that relied on
.Labels.Timestamp.
Signed-off-by: Timur Demin <me@tdem.in>
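The commit above describes why moving the event time out of the label set and into startsAt lets Alertmanager group repeated alerts for one resource. The following is an added example and not the controller's own code: the amAlert struct mirrors only the /api/v2/alerts fields used here, fluxEvent is a constructed stand-in for an event, the label names and the "legacy" form are illustrative, and groupKey is a simplified stand-in for Alertmanager's grouping (the full sorted label set, not its fingerprint hash).

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// amAlert mirrors the part of the Alertmanager v2 /api/v2/alerts payload used
// here. EndsAt is a pointer with omitempty so that, as in the commit, it stays
// unset and Alertmanager applies its own resolve timeout; StartsAt is optional
// so the legacy form can leave it for Alertmanager to fill at receipt.
type amAlert struct {
	Labels      map[string]string `json:"labels"`
	Annotations map[string]string `json:"annotations,omitempty"`
	StartsAt    *time.Time        `json:"startsAt,omitempty"`
	EndsAt      *time.Time        `json:"endsAt,omitempty"`
}

// fluxEvent is a constructed stand-in for the event fields this example reads.
type fluxEvent struct {
	Kind, Name, Namespace, Reason, Message string
	Timestamp                              time.Time
}

// alertFor builds the payload the way the commit describes: the event time goes
// into startsAt rather than a "timestamp" label, so successive alerts for the
// same object carry identical labels and Alertmanager can group them.
func alertFor(e fluxEvent) amAlert {
	ts := e.Timestamp.UTC()
	return amAlert{
		Labels: map[string]string{
			"alertname": "Flux" + e.Kind + e.Reason,
			"kind":      e.Kind,
			"name":      e.Name,
			"namespace": e.Namespace,
			"reason":    e.Reason,
		},
		Annotations: map[string]string{"message": e.Message},
		StartsAt:    &ts,
	}
}

// legacyAlertFor reproduces the pre-commit shape (timestamp as a label, no
// startsAt) only so the grouping difference can be observed side by side.
func legacyAlertFor(e fluxEvent) amAlert {
	a := alertFor(e)
	a.Labels["timestamp"] = e.Timestamp.UTC().Format(time.RFC3339)
	a.StartsAt = nil
	return a
}

// groupKey is a simplified version of what Alertmanager groups on when a route
// uses group_by: ['...']: the complete, sorted label set.
func groupKey(a amAlert) string {
	keys := make([]string, 0, len(a.Labels))
	for k := range a.Labels {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+"="+a.Labels[k])
	}
	return strings.Join(parts, ",")
}

// encodeBatch renders a batch as it would be POSTed to /api/v2/alerts.
func encodeBatch(alerts []amAlert) ([]byte, error) {
	return json.Marshal(alerts)
}

func main() {
	first := fluxEvent{Kind: "Kustomization", Name: "apps", Namespace: "flux-system",
		Reason: "ReconciliationFailed", Message: "build failed",
		Timestamp: time.Date(2024, 1, 1, 10, 0, 0, 0, time.UTC)} // constructed sample event
	second := first
	second.Timestamp = first.Timestamp.Add(10 * time.Minute) // same object, later firing
	fmt.Println("startsAt form groups: ", groupKey(alertFor(first)) == groupKey(alertFor(second)))
	fmt.Println("timestamp-label form groups:", groupKey(legacyAlertFor(first)) == groupKey(legacyAlertFor(second)))
	b, _ := encodeBatch([]amAlert{alertFor(first)})
	fmt.Println(string(b))
}
```

Templates that read .Labels.Timestamp will find nothing in the new payload, which is the adaptation the commit warns about; the same instant is available to a template as .StartsAt instead.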
- Update README.md to point to v1beta3 spec docs.
- Remove provider testdata which had old API version and is no longer
used in any test.
- Update Provider v1beta2 spec docs to use Alert v1beta2.
- Update Provider v1beta3 spec docs to use v1beta3 API in all the
code snippets.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
In order to streamline the docs across all controllers, the CRD spec
file names are pluralized. This lets us better automate docs generation
from CRD specs.
refs fluxcd/website#1577
Signed-off-by: Max Jonas Werner <mail@makk.es>