- Add `.spec.sparseCheckout` and `.status.observedSparseCheckout` fields to `GitRepository`.
- Add controller support to send the sparse checkout directories to go-git via pkg methods.
- Use `.status/observedSparseCheckout` to detect drift in configuration.
- Trim leading "./" in directory paths.
- Validate spec configuration by checking directories specified in spec exist in the cloned repository after successful checkout
- Add tests for testing the observed sparse checkout behavior.
- Add docs describing the new fields.
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
Introduce InvalidProviderConfigurationReason for Git provider github
related misconfiguration.
Add github provider related tests to check the status conditions reason.
Rearrange and modify a test case for getAuthOpts() for provider test
where a referred secret doesn't exist. This scenario is not specific to
any provider.
Signed-off-by: Sunny <github@darkowlzz.space>
- API change to add new `github` provider field in `GitRepository` spec.
- Controller change to use the GitHub authentication information specified in `.spec.secretRef` to create the auth options to authenticate to git repositories when the `provider` field is set to `github`,
- Tests for new `github` provider field
- Updated docs to use GitHub Apps for authentication in source-controller.
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
For backwards compatibility, remove the default value for GitRepository
provider. An empty provider value will still be considered as the
default provider.
Signed-off-by: Sunny <github@darkowlzz.space>
- Add a new provider field to GitRepository API spec which can be set to azure to enable passwordless authentication to Azure DevOps repositories.
- API docs for new provider field and guidance to setup Azure environment with workload identity.
- Controller changes to set the provider options in git authoptions to fetch credential while cloning the repository.
- Add unit tests for testing provider
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
Many of the functions in the `conditions` package accept a format string and
(optional) arguments, just like `fmt.Printf` and friends.
In many places, the code passed an error message as the format string, causing
it to be interpreted by the `fmt` package. This leads to issues when the
message contains percent signs, e.g. URL-encoded values.
Consider the following code:
```go
// internal/controller/ocirepository_controller.go
revision, err := r.getRevision(ref, opts)
if err != nil {
e := serror.NewGeneric(
fmt.Errorf("failed to determine artifact digest: %w", err),
ociv1.OCIPullFailedReason,
)
conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
return sreconcile.ResultEmpty, e
}
```
Since `getRevision()` includes the URL in the error message and the error
message is used as a format string, the resulting condition reads:
```
failed to determine artifact digest: GET https://gitlab.com/jwt/auth?scope=repository%!A(MISSING)fforster%!F(MISSING)<REDACTED>%!F(MISSING)k8s-resource-manifests%!A(MISSING)pull&service=container_registry: DENIED: access forbidden
```
This adds an explicit format string and shortens `e.Error()` and
`e.Err.Error()` to `e`, which yields the same output.
To the best of my knowledge, Go is safe from format string attacks. I **don't**
think this is a security vulnerability, but I'm also not a security expert.
Signed-off-by: Florian Forster <fforster@gitlab.com>
There is a race condition happening in main due to the mockdns resolver.
This is an attempt to fix it (cannot repoduce locally).
Signed-off-by: Soule BA <bah.soule@gmail.com>
If implemented a semver filter regex can be declared in conjuction with
a semver range in the OCIRepository `spec.Reference`
Signed-off-by: Soule BA <bah.soule@gmail.com>
Introduces a new verification provider `notation` to verify notation signed artifacts. Currently only cosign is supported and that is a problem if the end user utilises notation.
---------
Signed-off-by: Jason <jagoodse@microsoft.com>
Signed-off-by: JasonTheDeveloper <jagoodse@microsoft.com>
Signed-off-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
Co-authored-by: souleb <bah.soule@gmail.com>
Co-authored-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
Co-authored-by: Sunny <github@darkowlzz.space>
This will be logged/event emitted forever once in the lifecycle of
HelmRepository OCI object because all new objects have to remove the
.status.observedGeneration which is set to -1 by the API defaulting.
Better to perform the object conversion internally without any log or
event.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
Although all the APIs had interval as a required field, when tests
objects were created, they had the zero value of interval, which the API
server accepts. A zero interval value results in the test objects to
reconcile only once when they are created and never reconcile again
unless there's an update to the object. Most of the tests worked with
this behavior.
With HelmRepository removing the interval requirement and adding an
internal default, all the HelmRepository objects created in the tests
without any interval have a default interval value which results in
objects to reconcile automatically if they are not cleaned up after
running tests. TestHelmRepositoryReconciler_InMemoryCaching and
TestHelmChartReconciler_Reconcile create HelmRepository but doesn't
delete it at the end. This leads to a reconciliation of HelmRepository
outside of the test in the envtest environment. It just happened to be
that the reconciliation time matches with the end of test time. At the
end of the test run, the reconcilers receive shutdown signal and any
test server, like helmrepository server, are stopped. A HelmRepository
reconciliation triggered just before the shutdown signal gets stuck in
the reconciliation. HelmRepository can't download the index as the test
index server has stopped and hangs for some time. The HelmRepository
reconciler worker remains in active state, unlike other reconciler
workers that shut down, resulting in the test to timeout at the end.
The is fixed by deleting the HelmRepository object created in
TestHelmRepositoryReconciler_InMemoryCaching and
TestHelmChartReconciler_Reconcile at the end of the test similar to
other tests.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
With static HelmRepository OCI, the interval become optional. Make
interval optional in the API. Introduce getters for interval, in the
form of GetRequeueAfter(), and timeout with internal default values.
HelmRepository will not have interval and timeout fields unless it's
explicitly set.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
Matheus Pimenta
Stefan Prodan
Dipti Pai
Sunny
hasithsen
Florian Forster
Robin Breathe
Paulo Canilho
Austin Abro
Jagpreet Singh Tamber
Soule BA
JasonTheDeveloper
Sunny
Sanskar Jaiswal