This commit introduces new Condition types to the v1beta1 API,
facilitating easier observation of (potentially) problematic state for
end-users.
- `ArtifactUnavailableCondition`: indicates there is no artifact
available for the resource. This Condition should be set by the
reconciler as soon as it observes the absence of an artifact for a
source.
- `CheckoutFailedCondition`: indicates a transient or persistent
checkout failure. This Condition should be set by the reconciler as
soon as it observes a Git checkout failure, including any
prerequisites like the unavailability of the referenced Secret used
for authentication. It should be deleted as soon as a successful
checkout has been observed again.
- `SourceVerifiedCondition`: indicates the integrity of the source has
been verified. The Condition should be set to True or False by the
reconciler based on the result of the integrity check.
If there is no verification mode and/or secret configured, the
Condition should be removed.
- `IncludeUnavailableCondition`: indicates one of the referenced
includes is not available. This Condition should for example be set
by the reconciler when the include does not exist, or does not have
an artifact. If the includes become available, it should be deleted.
- `ArtifactOutdatedCondition`: indicates the current artifact of the
source is outdated. This Condition should for example be set by the
reconciler when it notices there is a newer revision for an artifact,
or the previously included artifacts differ from the current available
ones. The Condition should be removed after writing a new artifact
to the storage.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This commit changes the checksum method which is used to calculate the
revision of a Bucket source, so that the file paths are taken into
account and directory structure changes can be observed.
Signed-off-by: Hidde Beydals <hello@hidde.co>
controller-runtime's client package provides ObjectKeyFromObject() to
extract NamespacedName from a given object. ObjectKey() in
internal/util package is a helper for the same. Replace the internal
helper with controller-runtime's helper for the same.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
SetHeadDetached (git_repository_set_head_detached) only changes HEAD,
and does not actually checkout the files on disk. Use CheckoutHead with
the CheckoutForce Strategy to actually check the files out on disk.
Additionally add a test that validates the hash of a checked out file's
contents.
Previously, the hash of the desired tag was being reported as the
checked out revision by the GitRepository. However the wrong files were
checked out and an incorrect revision would be deployed by Flux.
Signed-off-by: Blake Burkhart <blake.burkhart@us.af.mil>
We received reports from users no longer being able to clone Git
repositories using libgit2 because of errors during the cloning
attempt: `error: Failed to authenticate SSH session: Unable to extract
public key from private key.`
After an extensive scavenger hunt I was able to pinpoint the issue to
`libssh2` being linked against `libgcrypt` instead of `openssl`. The
problem with this is that the libgcrypt backend in libssh2 contains
a hand written slimmed down ASN.1 parser to read out keys, while the
OpenSSL backend in libssh2 uses OpenSSL, which supports a lot more
formats (and more specifically, most PKCS* formats).
As Debian's bullseye/testing repository has been frozen, and a
backport has not been made available yet, fetching the dependency from
"unstable" seems to be the best option for now, as this has `libssh2`
available including OpenSSL.
Ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668271
Signed-off-by: Hidde Beydals <hello@hidde.co>
v3.6.1 is a a security update from Helm, ensuring that credentials are
always only passed to the defined repository host.
Based on Helm user reports, disabling this behavior may be required for
some Helm repository solutions like Artifactory, and may be done by
setting `PassCredentials` in the `HelmRepositorySpec`.
For more information, see:
https://github.com/helm/helm/security/advisories/GHSA-56hp-xqp3-w2jf
Signed-off-by: Hidde Beydals <hello@hidde.co>
This commit changes the base image for the build and controller
container images to Debian slim.
Reason for this is that it has proven to be hard to produce working
executables for AMD64, ARM64 and ARMv7 at all times using Alpine,
due to them being dynamically linked and compiled using CGO, and
Alpine having constraints like musl that create an extra barrier,
especially in combination with our exotic set of dependency
constraints.
There are a number of trade-offs we have to live with by doing this,
not limited to:
* An increased build time, the full release pipeline used to take 25-35
minutes, based on the images we have build for testing purposes this
seems to have become 35-40 minutes.
* An increased image size of roughly two times the (compressed) size of
the Alpine based image.
Signed-off-by: Hidde Beydals <hello@hidde.co>
There seems to have been a change in the dependencies that now causes
ARMv7 builds to fail:
```
sigs.k8s.io/kustomize/kyaml/yaml/merge3=$WORK/b742/_pkg_.a
sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/errors=$WORK/b678/_pkg_.a
-importcfg $WORK/b001/importcfg.link -buildmode=exe
-buildid=YHfd11eGufJ7RVGSGz2z/H9JgY3lbjsdhQ8_r06Gz/HiYQEtSgCAIHJ7rrNYN6/YHfd11eGufJ7RVGSGz2z
-extld=gcc $WORK/b001/_pkg_.a
exit status 1
-c CGO_ENABLED=1 go build -x -o source-controller main.go]: exit
code: 2
```
After trying various things, including downgrading Go, using
packages from `edge`, using `gcc-go` to get a "grouped" version of
the dependencies, it seems that using `binutils-gold` solves the issue
and produces a working build for all our target architectures.
Signed-off-by: Hidde Beydals <hello@hidde.co>
As the `github.event.repository.name` property is not always available,
for example when the action gets triggered by a cron job.
Signed-off-by: Hidde Beydals <hello@hidde.co>
Controller-runtime has been updated to `v0.9.0`, K8s dependencies to
`v0.21.1`, and all `fluxcd/pkg` and other dependencies to the versions
that have matching dependencies and/or build constraints.
Signed-off-by: Hidde Beydals <hello@hidde.co>
Hidde Beydals
Hidde Beydals
Sunny
Stefan Prodan
Blake Burkhart