Add --default-service-account flag for multi-tenant workload identity
lockdown support. This flag sets the default service account name to
be used when .spec.serviceAccountName is not specified in resources.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>

Remove ServerName pinning functionality that can cause TLS
verification failures in production environments with redirects,
proxies, and multi-host scenarios.
The Go standard library automatically handles SNI and hostname
verification based on the actual connection target, providing
better compatibility and security than fixed ServerName values.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>

This commit ensures that if ca.crt or caFile is available in the GitHub App secret, a TLS config with user-provided certs is appended to the system cert pool and passed to the underlying HTTP transport.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>

(chore): update target URL for TLSConfigFromSecret
This commit ensures that the target URL for runtime/secrets.TLSConfigFromSecret has the scheme and host.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>

(chore): adds test scenarios
This commit adds test scenarios for the mTLS GitHub App in the reconcile source auth strategy.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>

(chore): use runtime/secrets authMethods
This commit ensures that GitHubApp secret resolution happens via pkg/runtime/secrets.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>

(chore): update docs
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>

(chore): adds github app data check
This commit ensures that when the provider is GitHub and no GitHub App data is present in the secret, it will error out with an invalid configuration error.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>

(chore): removes getProxyOpts helper func
This commit removes the helper method getProxyOpts and uses the standardized pkg/runtime/secrets APIs to get proxy options.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>

(chore): removes getProxyOpts test
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>

(chore): improves test coverage
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>

(chore): do not stall on missing GitHub App data
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>

(chore): adds a note on mTLS configuration in docs
This commit mentions in the docs that if tls.crt and tls.key are part of the secret, then mutual TLS configuration will be automatically enabled, and that this should be used optionally.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>

Include namespace in secret error message for better debugging context.
The secret name was already present in the error, but namespace information
was missing, making it harder to identify which secret in which namespace
was not found.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>

Replaces internal credential management with runtime/secrets package
to standardize authentication, proxy configuration, and TLS handling
across controllers. This migration eliminates code duplication by
leveraging shared utilities and improves maintainability through
consistent error handling patterns.
The refactoring splits the large reconcileSource method into focused
helper functions for better separation of concerns.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>

Update HelmRepository, OCIRepository, and Bucket documentation to use
"Mutual TLS Authentication" section titles instead of "Cert secret
reference". This improves discoverability of mTLS capabilities and
follows GitRepository's established pattern.
The previous generic titles obscured mutual TLS functionality, causing
users to miss this important security feature. Updated descriptions
explicitly mention mutual TLS authentication while maintaining all
existing YAML examples and technical accuracy.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>

Update pkg/runtime dependency from v0.76.0 to v0.78.0 and add
WithSystemCertPool() options to maintain backward compatibility
with the existing extend approach (system CAs + user CA).
This ensures source-controller continues to work with both system
and user-provided CA certificates, maintaining the same behavior
as before the pkg/runtime/secrets API changes.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>

Remove the insecure parameter from TLS configuration function calls to prevent
InsecureSkipVerify from being set when using certificate-based authentication.
This ensures TLS certificate verification is always performed when certificates
are provided, aligning with our security policy.
Updated pkg/runtime to v0.76.0 which no longer accepts the insecure parameter
in TLS configuration functions. For OCIRepository, maintain backward compatibility
by handling the specific case where no certificate is provided and insecure is
explicitly set to true. This is the only allowed exception in Flux controllers.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>

Add ServerName configuration to TLS config in HelmRepository client
options to ensure proper SNI (Server Name Indication) support for
virtual hosting environments. This addresses the regression introduced
when migrating from internal/tls to runtime/secrets, where ServerName
was not being set automatically.
Without ServerName, TLS handshakes fail with certificate mismatch
errors when connecting to Helm repositories using virtual hosting
where multiple repositories are hosted on the same IP address.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>

Migrates the OCIRepository controller's authentication handling from
internal implementations to the unified runtime/secrets API package.
The migration moves TLS configuration from internal/tls to
runtime/secrets.TLSConfigFromSecretRef and ServiceAccount processing
to secrets.PullSecretsFromServiceAccountRef, providing consistent
authentication handling across all source-controller components.
This change eliminates duplicate secret fetching logic and aligns
the OCIRepository controller with the standardized authentication
patterns used by other controllers in the GitOps Toolkit.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>

This commit upgrades pkg/runtime to v0.73.0 and adopts the unified
AuthMethodsFromSecret API for HelmRepository authentication handling.
The change replaces complex manual authentication detection with a
single API call and improves error handling consistency.
Breaking Changes:
- TLS certificate validation is now strictly enforced. Invalid CA
certificates will cause authentication failures even for public
repositories, where they were previously ignored.
- Empty TLS certificate secrets now trigger validation errors instead
of being silently ignored. This affects certSecretRef with an empty
Data map: previously ignored, it now causes a proper error.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>