Add --default-service-account flag for multi-tenant workload identity
lockdown support. This flag sets the default service account name to
be used when .spec.serviceAccountName is not specified in resources.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Remove ServerName pinning functionality that can cause TLS
verification failures in production environments with redirects,
proxies, and multi-host scenarios.
The Go standard library automatically handles SNI and hostname
verification based on the actual connection target, providing
better compatibility and security than fixed ServerName values.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
This commit ensures that if ca.crt or caFile is available in the GitHub App secret, a TLS config with user-provided certs is appended to the system cert pool and passed to the underlying HTTP transport.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): update target URL for TLSConfigFromSecret
This commit ensures that the target URL for runtime/secrets.TLSConfigFromSecret has the scheme and host.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): adds test scenarios
This commit adds test scenarios for the mTLS GitHub App in the reconcile source auth strategy.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): use runtime/secrets authMethods
This commit ensures that GitHubApp secret resolution happens via pkg/runtime/secrets.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): update docs
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): adds github app data check
This commit ensures that when the provider is github and no GitHub App data is present in the secret, it will error out with an invalid configuration.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): removes getProxyOpts helper func
This commit removes the helper method getProxyOpts and uses the standardized pkg/runtime/secrets APIs to get proxy options.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): removes getProxyOpts test
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): improves test coverage
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): do not stall on missing github app data
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): adds a note on mTLS configuration in docs
This commit mentions in the docs that if tls.crt and tls.key are part of the secret then mutual TLS configuration will be automatically enabled and should be used optionally.
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
Include namespace in secret error message for better debugging context.
The secret name was already present in the error, but namespace information
was missing, making it harder to identify which secret in which namespace
was not found.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Replaces internal credential management with runtime/secrets package
to standardize authentication, proxy configuration, and TLS handling
across controllers. This migration eliminates code duplication by
leveraging shared utilities and improves maintainability through
consistent error handling patterns.
The refactoring splits the large reconcileSource method into focused
helper functions for better separation of concerns.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Update pkg/runtime dependency from v0.76.0 to v0.78.0 and add
WithSystemCertPool() options to maintain backward compatibility
with the existing extend approach (system CAs + user CA).
This ensures source-controller continues to work with both system
and user-provided CA certificates, maintaining the same behavior
as before the pkg/runtime/secrets API changes.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Remove the insecure parameter from TLS configuration function calls to prevent
InsecureSkipVerify from being set when using certificate-based authentication.
This ensures TLS certificate verification is always performed when certificates
are provided, aligning with our security policy.
Updated pkg/runtime to v0.76.0 which no longer accepts the insecure parameter
in TLS configuration functions. For OCIRepository, maintain backward compatibility
by handling the specific case where no certificate is provided and insecure is
explicitly set to true. This is the only allowed exception in Flux controllers.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Migrates the OCIRepository controller's authentication handling from
internal implementations to the unified runtime/secrets API package.
The migration moves TLS configuration from internal/tls to
runtime/secrets.TLSConfigFromSecretRef and ServiceAccount processing
to secrets.PullSecretsFromServiceAccountRef, providing consistent
authentication handling across all source-controller components.
This change eliminates duplicate secret fetching logic and aligns
the OCIRepository controller with the standardized authentication
patterns used by other controllers in the GitOps Toolkit.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
This commit upgrades pkg/runtime to v0.73.0 and adopts the unified
AuthMethodsFromSecret API for HelmRepository authentication handling.
The change replaces complex manual authentication detection with a
single API call and improves error handling consistency.
Breaking Changes:
- TLS certificate validation is now strictly enforced. Invalid CA
certificates will cause authentication failures even for public
repositories, where they were previously ignored.
- Empty TLS certificate secrets now trigger validation errors instead
of being silently ignored. This affects certSecretRef with empty
Data map - previously ignored, now causes proper error.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Update fluxcd/pkg/auth to v0.18.0 and remove unnecessary authenticator
nil check in Helm OCI repository authentication.
With fluxcd/pkg/auth v0.18.0, GetArtifactRegistryCredentials() returns
valid authenticator when error is nil, making the nil check redundant.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
- Add `.spec.sparseCheckout` and `.status.observedSparseCheckout` fields to `GitRepository`.
- Add controller support to send the sparse checkout directories to go-git via pkg methods.
- Use `.status.observedSparseCheckout` to detect drift in configuration.
- Trim leading "./" in directory paths.
- Validate spec configuration by checking that directories specified in spec exist in the cloned repository after a successful checkout.
- Add tests for testing the observed sparse checkout behavior.
- Add docs describing the new fields.
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
Introduce InvalidProviderConfigurationReason for Git provider github
related misconfiguration.
Add github provider related tests to check the status conditions reason.
Rearrange and modify a test case for getAuthOpts() for provider test
where a referred secret doesn't exist. This scenario is not specific to
any provider.
Signed-off-by: Sunny <github@darkowlzz.space>
- API change to add new `github` provider field in `GitRepository` spec.
- Controller change to use the GitHub authentication information specified in `.spec.secretRef` to create the auth options to authenticate to git repositories when the `provider` field is set to `github`.
- Tests for the new `github` provider field.
- Updated docs to use GitHub Apps for authentication in source-controller.
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
For backwards compatibility, remove the default value for GitRepository
provider. An empty provider value will still be considered as the
default provider.
Signed-off-by: Sunny <github@darkowlzz.space>
- Add a new provider field to GitRepository API spec which can be set to azure to enable passwordless authentication to Azure DevOps repositories.
- API docs for new provider field and guidance to setup Azure environment with workload identity.
- Controller changes to set the provider options in git authoptions to fetch credential while cloning the repository.
- Add unit tests for testing the provider.
Signed-off-by: Dipti Pai <diptipai89@outlook.com>