If implemented a semver filter regex can be declared in conjuction with
a semver range in the OCIRepository `spec.Reference`
Signed-off-by: Soule BA <bah.soule@gmail.com>
Introduces a new verification provider `notation` to verify notation signed artifacts. Currently only cosign is supported and that is a problem if the end user utilises notation.
---------
Signed-off-by: Jason <jagoodse@microsoft.com>
Signed-off-by: JasonTheDeveloper <jagoodse@microsoft.com>
Signed-off-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
Co-authored-by: souleb <bah.soule@gmail.com>
Co-authored-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
Co-authored-by: Sunny <github@darkowlzz.space>
With static HelmRepository OCI, the interval become optional. Make
interval optional in the API. Introduce getters for interval, in the
form of GetRequeueAfter(), and timeout with internal default values.
HelmRepository will not have interval and timeout fields unless it's
explicitly set.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
Remove the HelmRepositoryOCI reconciler and make HelmRepository of type
OCI static. The existing HelmRepository OCI objects are migrated to
static object by removing their finalizers and status. New
HelmRepository OCI objects go through one time migration to remove the
status. These are not reconciled again, unless the type is changed to
default. On type switching from HelmRepository default to OCI, the
finalizer, status and artifact are removed to make the object static. On
switching from OCI to default, a complete reconciliation of
HelmRepository takes place to build artifact and add status and
finalizer.
The HelmRepository .spec.url has a new validation to check the URL
scheme. This is to add some validation to HelmRepository OCI since it's
not backed by a reconciler for full validation.
Add HelmRepositoryOCIMigrationPredicate predicate to detect and allow
reconciliation of HelmRepository OCI objects that need migration. The
other predicates that filtered the HelmRepository events based on the
type have been removed as all the HelmRepositories will now be
reconciled by a single reconciler. HelmRepositoryOCIMigrationPredicate
readily allows non-OCI objects and only checks if a migration is needed
for OCI type object.
Add controller tests for different migration scenarios.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
Add `.spec.verify.matchOIDCIdentity` to OCIRepository and HelmChart.
It allows specifying regular expressions to match against the subject and
issuer of the certificate related to the artifact signature. Its used
only if the artifact was signed using Cosign keyless signing.
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Adopt Kubernetes TLS secrets API to check for TLS data in the Secret
referred to by `.spec.certSecretRef`, i.e. check for keys `tls.crt` and
`tls.key` for the certificate and private key. Use `ca.crt` for the CA
certificate.
Deprecate the usage of `caFile`, `certFile` and `keyFile` keys.
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Adopt Kubernetes TLS secrets API to check for TLS data in the Secret
referred to by `.spec.certSecretRef`, i.e. check for keys `tls.crt` and
`tls.key` for the certificate and private key. Use `ca.crt` for the CA
certificate.
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Add `.spec.certSecretRef` to HelmRepository for specifying TLS auth data
in a secret using the `certFile`, `caFile` and `keyFile` keys. Mark
support for these keys in the secret specified in `.spec.secretRef` as
deprecated.
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
While we initially decided against it, this otherwise causes the regexp
validator to error on an empty field when it goes through a YAML -> JSON
encode loop (even when marked with `+optional`).
This is not actually a viable path the controller could take, as the
controller trying to update the Artifact with an older version of the
API package would omit the `Digest` field (because it does not exist
in that version), while a newer version of the controller would always
include the field (because we produce it for all kinds). While in cases
where the controller would be backed by a Persistent Volume (and a
partial status update is made), the validation rule would not be
triggered because the field is not part of the patch.
However, for sake of correctness, we still issue a patch.
Signed-off-by: Hidde Beydals <hello@hidde.co>
Add a new field `.spec.ref.name` which points to a Git reference which
enables checking out to a particular commit pointed to by the specified
reference.
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
This allows consumers to better handle the transition to the new
RFC-0005 format ("/" -> "@" separation).
Signed-off-by: Hidde Beydals <hello@hidde.co>
As discussed in RFC-0005, this introduces a `Digest` field to the
`Artifact` in favor of the now deprecated `Checksum`.
Signed-off-by: Hidde Beydals <hello@hidde.co>
When using a TLS authentication, user can provide a custom certificate
by setting the caFile key in the secret, not caCert.
Signed-off-by: Yohan Belléguic <yohan.belleguic@arkea.com>
Delete a failed verification condition at the beginning of the source
reconciliation and set `SourceVerifiedCondition` to false approprietly.
Set the `BuildOptions.Verify` to true as long as Verify is enabled in the
API fields.
Signed-off-by: Soule BA <soule@weave.works>
Replace content config checksum with explicit artifact content config
observations. It makes the observations of the controller more
transparent and easier to debug.
Introduces `observedIgnore`, `observedRecurseSubmodules` and
`observedInclude` status fields.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
Replace content config checksum with explicit artifact content config
observations. It makes the observations of the controller more
transparent and easier to debug.
Introduces `observedIgnore` and `observedLayerSelector` status fields.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
Introduce contentConfigChecksum in the OCIRepository status to store a
checksum of the values that affect the source artifact. It is used to
detect when to rebuild an artifact when the spec changes.
The considerations for this are similar to the GitRepository
reconciler no-op clone implementation. Both reconcileSource and
reconcileArtifact need to consider the source configuration change
when deciding if the artifact in the storage is up-to-date.
Adds tests for reconcileSource and reconcileArtifact for the noop
cases.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
Add on optional field to the `OCIRepository.spec.layerSelector` called `operation` that accepts one of the following values: `extract` or `copy`. When the operation is set to `copy`, instead of extracting the compressed layer, the controller copies the compressed blob as it is to storage, thus keeping the original content unaltered.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
If implemented, this pr will enable user to use the auto login feature
in order to automatically login to their provider of choice's container
registry (i.e. aws, gcr, acr).
Signed-off-by: Soule BA <soule@weave.works>
Matheus Pimenta
Stefan Prodan
Robin Breathe
Paulo Canilho
Soule BA
JasonTheDeveloper
Georg Molau
Sunny
Sanskar Jaiswal
Hidde Beydals
Hidde Beydals
Yohan Belléguic
Paulo Gomes
Soule BA
Furkan