Introduce InvalidProviderConfigurationReason for Git provider github
related misconfiguration.
Add github provider related tests to check the status conditions reason.
Rearrange and modify a test case for getAuthOpts() for provider test
where a referred secret doesn't exist. This scenario is not specific to
any provider.
Signed-off-by: Sunny <github@darkowlzz.space>
- API change to add new `github` provider field in `GitRepository` spec.
- Controller change to use the GitHub authentication information specified in `.spec.secretRef` to create the auth options to authenticate to git repositories when the `provider` field is set to `github`,
- Tests for new `github` provider field
- Updated docs to use GitHub Apps for authentication in source-controller.
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
For backwards compatibility, remove the default value for GitRepository
provider. An empty provider value will still be considered as the
default provider.
Signed-off-by: Sunny <github@darkowlzz.space>
- Add a new provider field to GitRepository API spec which can be set to azure to enable passwordless authentication to Azure DevOps repositories.
- API docs for new provider field and guidance to setup Azure environment with workload identity.
- Controller changes to set the provider options in git authoptions to fetch credential while cloning the repository.
- Add unit tests for testing provider
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
Many of the functions in the `conditions` package accept a format string and
(optional) arguments, just like `fmt.Printf` and friends.
In many places, the code passed an error message as the format string, causing
it to be interpreted by the `fmt` package. This leads to issues when the
message contains percent signs, e.g. URL-encoded values.
Consider the following code:
```go
// internal/controller/ocirepository_controller.go
revision, err := r.getRevision(ref, opts)
if err != nil {
e := serror.NewGeneric(
fmt.Errorf("failed to determine artifact digest: %w", err),
ociv1.OCIPullFailedReason,
)
conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
return sreconcile.ResultEmpty, e
}
```
Since `getRevision()` includes the URL in the error message and the error
message is used as a format string, the resulting condition reads:
```
failed to determine artifact digest: GET https://gitlab.com/jwt/auth?scope=repository%!A(MISSING)fforster%!F(MISSING)<REDACTED>%!F(MISSING)k8s-resource-manifests%!A(MISSING)pull&service=container_registry: DENIED: access forbidden
```
This adds an explicit format string and shortens `e.Error()` and
`e.Err.Error()` to `e`, which yields the same output.
To the best of my knowledge, Go is safe from format string attacks. I **don't**
think this is a security vulnerability, but I'm also not a security expert.
Signed-off-by: Florian Forster <fforster@gitlab.com>
If implemented, A transport from the pool with safe defaults will be used when creating an oci registry client.
This will enable using the proxy configuration.
Signed-off-by: Soule BA <bah.soule@gmail.com>
There is a race condition happening in main due to the mockdns resolver.
This is an attempt to fix it (cannot repoduce locally).
Signed-off-by: Soule BA <bah.soule@gmail.com>
If implemented a semver filter regex can be declared in conjuction with
a semver range in the OCIRepository `spec.Reference`
Signed-off-by: Soule BA <bah.soule@gmail.com>
Introduces a new verification provider `notation` to verify notation signed artifacts. Currently only cosign is supported and that is a problem if the end user utilises notation.
---------
Signed-off-by: Jason <jagoodse@microsoft.com>
Signed-off-by: JasonTheDeveloper <jagoodse@microsoft.com>
Signed-off-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
Co-authored-by: souleb <bah.soule@gmail.com>
Co-authored-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
Co-authored-by: Sunny <github@darkowlzz.space>
This will be logged/event emitted forever once in the lifecycle of
HelmRepository OCI object because all new objects have to remove the
.status.observedGeneration which is set to -1 by the API defaulting.
Better to perform the object conversion internally without any log or
event.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
Rename `OCIChartRepository.insecure` to `OCIChartRepository.insecureHTTP` in
`internal/helm/repository` to match the code docs and the related setter
method.
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Dipti Pai
Matheus Pimenta
zhaque44
Sunny
hasithsen
Stefan Prodan
ricardo.bartels@telekom.de
Florian Forster
Soule BA
Robin Breathe
Paulo Canilho
Austin Abro
Jagpreet Singh Tamber
JasonTheDeveloper
Sunny
Sanskar Jaiswal