Add --default-service-account flag for multi-tenant workload identity
lockdown support. This flag sets the default service account name to
be used when .spec.serviceAccountName is not specified in resources.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Remove ServerName pinning functionality that can cause TLS
verification failures in production environments with redirects,
proxies, and multi-host scenarios.
The Go standard library automatically handles SNI and hostname
verification based on the actual connection target, providing
better compatibility and security than fixed ServerName values.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
this commit ensures that if ca.crt or caFile is available in the github app secret, a tls config with user provided certs is appended to system cert pool and passed to the underlying http transport
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): update target URL for TLSConfigFromSecret
this commit ensures that the target URL for runtime/secrets.TLSConfigFromSecret has the scheme and host
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): adds test scenarios
this commit adds test scenarios for mTLS GitHub app in reconcile source auth strategy
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): use runtime/secrets authMethods
this commit ensures that GitHubApp secret resolution happens via pkg/runtime/secrets
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): update docs
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): adds github app data check
this commit ensures that when provider is github and no github app data is present in the secret, it will error out with invalid configuration
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): removes getProxyOpts helper func
this commit removes the helper method getProxyOpts and uses the standardized pkg/runtime/secrets APIs to get proxy options.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): removes getProxyOpts test
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): improves test coverage
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): do not stall on missing github app data
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): adds a note on mTLS configuration in docs
This commit mentions in the docs that if tls.crt and tls.key is part of the secret then mutual TLS configuration will be automatically enabled and should be used optionally.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
Update pkg/runtime dependency from v0.76.0 to v0.78.0 and add
WithSystemCertPool() options to maintain backward compatibility
with the existing extend approach (system CAs + user CA).
This ensures source-controller continues to work with both system
and user-provided CA certificates, maintaining the same behavior
as before the pkg/runtime/secrets API changes.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Remove the insecure parameter from TLS configuration function calls to prevent
InsecureSkipVerify from being set when using certificate-based authentication.
This ensures TLS certificate verification is always performed when certificates
are provided, aligning with our security policy.
Updated pkg/runtime to v0.76.0 which no longer accepts the insecure parameter
in TLS configuration functions. For OCIRepository, maintain backward compatibility
by handling the specific case where no certificate is provided and insecure is
explicitly set to true. This is the only allowed exception in Flux controllers.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Migrates the OCIRepository controller's authentication handling from
internal implementations to the unified runtime/secrets API package.
The migration moves TLS configuration from internal/tls to
runtime/secrets.TLSConfigFromSecretRef and ServiceAccount processing
to secrets.PullSecretsFromServiceAccountRef, providing consistent
authentication handling across all source-controller components.
This change eliminates duplicate secret fetching logic and aligns
the OCIRepository controller with the standardized authentication
patterns used by other controllers in the GitOps Toolkit.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
This commit upgrades pkg/runtime to v0.73.0 and adopts the unified
AuthMethodsFromSecret API for HelmRepository authentication handling.
The change replaces complex manual authentication detection with a
single API call and improves error handling consistency.
Breaking Changes:
- TLS certificate validation is now strictly enforced. Invalid CA
certificates will cause authentication failures even for public
repositories, where they were previously ignored.
- Empty TLS certificate secrets now trigger validation errors instead
of being silently ignored. This affects certSecretRef with empty
Data map - previously ignored, now causes proper error.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Update fluxcd/pkg/auth to v0.18.0 and remove unnecessary authenticator
nil check in Helm OCI repository authentication.
With fluxcd/pkg/auth v0.18.0, GetArtifactRegistryCredentials() returns
valid authenticator when error is nil, making the nil check redundant.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Bumps the go-deps group with 1 update in the / directory: [github.com/fluxcd/pkg/oci](https://github.com/fluxcd/pkg).
Updates `github.com/fluxcd/pkg/oci` from 0.44.0 to 0.45.0
- [Commits](https://github.com/fluxcd/pkg/compare/oci/v0.44.0...oci/v0.45.0)
---
updated-dependencies:
- dependency-name: github.com/fluxcd/pkg/oci
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-deps
...
Signed-off-by: dependabot[bot] <support@github.com>
- Add a new provider field to GitRepository API spec which can be set to azure to enable passwordless authentication to Azure DevOps repositories.
- API docs for new provider field and guidance to setup Azure environment with workload identity.
- Controller changes to set the provider options in git authoptions to fetch credential while cloning the repository.
- Add unit tests for testing provider
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
Stefan Prodan
dependabot[bot]
cappyzawa
abhijith-darshan
Matheus Pimenta
Dipti Pai