Introduce InvalidProviderConfigurationReason for Git provider github
related misconfiguration.
Add github provider related tests to check the status conditions reason.
Rearrange and modify a test case for getAuthOpts() for provider test
where a referred secret doesn't exist. This scenario is not specific to
any provider.
Signed-off-by: Sunny <github@darkowlzz.space>
- API change to add new `github` provider field in `GitRepository` spec.
- Controller change to use the GitHub authentication information specified in `.spec.secretRef` to create the auth options to authenticate to git repositories when the `provider` field is set to `github`,
- Tests for new `github` provider field
- Updated docs to use GitHub Apps for authentication in source-controller.
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
For backwards compatibility, remove the default value for GitRepository
provider. An empty provider value will still be considered as the
default provider.
Signed-off-by: Sunny <github@darkowlzz.space>
- Add a new provider field to GitRepository API spec which can be set to azure to enable passwordless authentication to Azure DevOps repositories.
- API docs for new provider field and guidance to setup Azure environment with workload identity.
- Controller changes to set the provider options in git authoptions to fetch credential while cloning the repository.
- Add unit tests for testing provider
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
If implemented a semver filter regex can be declared in conjuction with
a semver range in the OCIRepository `spec.Reference`
Signed-off-by: Soule BA <bah.soule@gmail.com>
Introduces a new verification provider `notation` to verify notation signed artifacts. Currently only cosign is supported and that is a problem if the end user utilises notation.
---------
Signed-off-by: Jason <jagoodse@microsoft.com>
Signed-off-by: JasonTheDeveloper <jagoodse@microsoft.com>
Signed-off-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
Co-authored-by: souleb <bah.soule@gmail.com>
Co-authored-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
Co-authored-by: Sunny <github@darkowlzz.space>
- github.com/go-logr/logr to v1.3.0
- golang.org/x/net to v0.19.0
- golang.org/x/text to v0.14.0
- k8s.io/klog/v2 to v2.110.1
- k8s.io/utils to v0.0.0-20231127182322-b307cd553661
- sigs.k8s.io/structured-merge-diff/v4 to v4.4.1
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
With static HelmRepository OCI, the interval become optional. Make
interval optional in the API. Introduce getters for interval, in the
form of GetRequeueAfter(), and timeout with internal default values.
HelmRepository will not have interval and timeout fields unless it's
explicitly set.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
Remove the HelmRepositoryOCI reconciler and make HelmRepository of type
OCI static. The existing HelmRepository OCI objects are migrated to
static object by removing their finalizers and status. New
HelmRepository OCI objects go through one time migration to remove the
status. These are not reconciled again, unless the type is changed to
default. On type switching from HelmRepository default to OCI, the
finalizer, status and artifact are removed to make the object static. On
switching from OCI to default, a complete reconciliation of
HelmRepository takes place to build artifact and add status and
finalizer.
The HelmRepository .spec.url has a new validation to check the URL
scheme. This is to add some validation to HelmRepository OCI since it's
not backed by a reconciler for full validation.
Add HelmRepositoryOCIMigrationPredicate predicate to detect and allow
reconciliation of HelmRepository OCI objects that need migration. The
other predicates that filtered the HelmRepository events based on the
type have been removed as all the HelmRepositories will now be
reconciled by a single reconciler. HelmRepositoryOCIMigrationPredicate
readily allows non-OCI objects and only checks if a migration is needed
for OCI type object.
Add controller tests for different migration scenarios.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
Add `.spec.verify.matchOIDCIdentity` to OCIRepository and HelmChart.
It allows specifying regular expressions to match against the subject and
issuer of the certificate related to the artifact signature. Its used
only if the artifact was signed using Cosign keyless signing.
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Introduce a new event reason for patch operation failure and update all
the returned errors from serial patcher to be a generic error so that
they are handled like any other error with an associated warning event.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
Adopt Kubernetes TLS secrets API to check for TLS data in the Secret
referred to by `.spec.certSecretRef`, i.e. check for keys `tls.crt` and
`tls.key` for the certificate and private key. Use `ca.crt` for the CA
certificate.
Deprecate the usage of `caFile`, `certFile` and `keyFile` keys.
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Adopt Kubernetes TLS secrets API to check for TLS data in the Secret
referred to by `.spec.certSecretRef`, i.e. check for keys `tls.crt` and
`tls.key` for the certificate and private key. Use `ca.crt` for the CA
certificate.
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Add three new verification modes for `.spec.verify.mode`:
* `HEAD`: Verify the commit that the HEAD of the repo points to after
checking out to the ref specified in `.spec.ref`. Its the same as
`head`, which cannot be removed due to backwards compatibility
reasons and is converted to `HEAD` internally.
* `Tag`: Verify the tag referred to by `.spec.ref.tag`.
* `TagAndHEAD`: Verify the tag referred to by `.spec.ref.tag` and the
commit that the tag points to.
The default is `HEAD`, to ensure backwards compatibility.
Furthermore, add `.status.sourceVerificationMode` to record the last
successful verification mode used.
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Stefan Prodan
Sunny
Dipti Pai
Matheus Pimenta
Robin Breathe
Paulo Canilho
Soule BA
JasonTheDeveloper
Georg Molau
Hidde Beydals
Sunny
Sanskar Jaiswal
dependabot[bot]