Replaces internal credential management with runtime/secrets package
to standardize authentication, proxy configuration, and TLS handling
across controllers. This migration eliminates code duplication by
leveraging shared utilities and improves maintainability through
consistent error handling patterns.
The refactoring splits the large reconcileSource method into focused
helper functions for better separation of concerns.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Update pkg/runtime dependency from v0.76.0 to v0.78.0 and add
WithSystemCertPool() options to maintain backward compatibility
with the existing extend approach (system CAs + user CA).
This ensures source-controller continues to work with both system
and user-provided CA certificates, maintaining the same behavior
as before the pkg/runtime/secrets API changes.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Remove the insecure parameter from TLS configuration function calls to prevent
InsecureSkipVerify from being set when using certificate-based authentication.
This ensures TLS certificate verification is always performed when certificates
are provided, aligning with our security policy.
Updated pkg/runtime to v0.76.0 which no longer accepts the insecure parameter
in TLS configuration functions. For OCIRepository, maintain backward compatibility
by handling the specific case where no certificate is provided and insecure is
explicitly set to true. This is the only allowed exception in Flux controllers.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Migrates the OCIRepository controller's authentication handling from
internal implementations to the unified runtime/secrets API package.
The migration moves TLS configuration from internal/tls to
runtime/secrets.TLSConfigFromSecretRef and ServiceAccount processing
to secrets.PullSecretsFromServiceAccountRef, providing consistent
authentication handling across all source-controller components.
This change eliminates duplicate secret fetching logic and aligns
the OCIRepository controller with the standardized authentication
patterns used by other controllers in the GitOps Toolkit.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
This commit upgrades pkg/runtime to v0.73.0 and adopts the unified
AuthMethodsFromSecret API for HelmRepository authentication handling.
The change replaces complex manual authentication detection with a
single API call and improves error handling consistency.
Breaking Changes:
- TLS certificate validation is now strictly enforced. Invalid CA
certificates will cause authentication failures even for public
repositories, where they were previously ignored.
- Empty TLS certificate secrets now trigger validation errors instead
of being silently ignored. This affects certSecretRef with empty
Data map - previously ignored, now causes proper error.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Update fluxcd/pkg/auth to v0.18.0 and remove unnecessary authenticator
nil check in Helm OCI repository authentication.
With fluxcd/pkg/auth v0.18.0, GetArtifactRegistryCredentials() returns
valid authenticator when error is nil, making the nil check redundant.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
- Add `.spec.sparseCheckout` and `.status.observedSparseCheckout` fields to `GitRepository`.
- Add controller support to send the sparse checkout directories to go-git via pkg methods.
- Use `.status/observedSparseCheckout` to detect drift in configuration.
- Trim leading "./" in directory paths.
- Validate spec configuration by checking directories specified in spec exist in the cloned repository after successful checkout
- Add tests for testing the observed sparse checkout behavior.
- Add docs describing the new fields.
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
Introduce InvalidProviderConfigurationReason for Git provider github
related misconfiguration.
Add github provider related tests to check the status conditions reason.
Rearrange and modify a test case for getAuthOpts() for provider test
where a referred secret doesn't exist. This scenario is not specific to
any provider.
Signed-off-by: Sunny <github@darkowlzz.space>
- API change to add new `github` provider field in `GitRepository` spec.
- Controller change to use the GitHub authentication information specified in `.spec.secretRef` to create the auth options to authenticate to git repositories when the `provider` field is set to `github`,
- Tests for new `github` provider field
- Updated docs to use GitHub Apps for authentication in source-controller.
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
For backwards compatibility, remove the default value for GitRepository
provider. An empty provider value will still be considered as the
default provider.
Signed-off-by: Sunny <github@darkowlzz.space>
- Add a new provider field to GitRepository API spec which can be set to azure to enable passwordless authentication to Azure DevOps repositories.
- API docs for new provider field and guidance to setup Azure environment with workload identity.
- Controller changes to set the provider options in git authoptions to fetch credential while cloning the repository.
- Add unit tests for testing provider
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
Many of the functions in the `conditions` package accept a format string and
(optional) arguments, just like `fmt.Printf` and friends.
In many places, the code passed an error message as the format string, causing
it to be interpreted by the `fmt` package. This leads to issues when the
message contains percent signs, e.g. URL-encoded values.
Consider the following code:
```go
// internal/controller/ocirepository_controller.go
revision, err := r.getRevision(ref, opts)
if err != nil {
e := serror.NewGeneric(
fmt.Errorf("failed to determine artifact digest: %w", err),
ociv1.OCIPullFailedReason,
)
conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
return sreconcile.ResultEmpty, e
}
```
Since `getRevision()` includes the URL in the error message and the error
message is used as a format string, the resulting condition reads:
```
failed to determine artifact digest: GET https://gitlab.com/jwt/auth?scope=repository%!A(MISSING)fforster%!F(MISSING)<REDACTED>%!F(MISSING)k8s-resource-manifests%!A(MISSING)pull&service=container_registry: DENIED: access forbidden
```
This adds an explicit format string and shortens `e.Error()` and
`e.Err.Error()` to `e`, which yields the same output.
To the best of my knowledge, Go is safe from format string attacks. I **don't**
think this is a security vulnerability, but I'm also not a security expert.
Signed-off-by: Florian Forster <fforster@gitlab.com>
cappyzawa
Matheus Pimenta
Stefan Prodan
Dipti Pai
Sunny
hasithsen
Florian Forster
Robin Breathe
Paulo Canilho
Austin Abro