This changes the format of the Artifact checksum from SHA1 to SHA256 to
mitigate chosen-prefix and length extension attacks, and ensures it can
be used to secure content against malicious modifications.
Source consumers (including our own {kustomize,helm}-controllers)
should ensure the SHA256 of a downloaded artifact matches the
advertised checksum before making use of it.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This commit ensures all API objects implement the interfaces used by
the runtime package to work with conditions, etc., and prepares the
test suite to work with the `pkg/runtime/testenv` wrapper.
Changes are made in a backwards compatible way (that being: the
existing code can still be build and works as expected), but without
proper dependency boundaries. The result of this is that the API
package temporary depends on the runtime package, which is resolved
when all reconcilers have been refactored and the API package does
no longer contain condition modifying functions.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This commit introduces new Condition types to the v1beta1 API,
facilitating easier observation of (potentially) problematic state for
end-users.
- `ArtifactUnavailableCondition`: indicates there is no artifact
available for the resource. This Condition should be set by the
reconciler as soon as it observes the absence of an artifact for a
source.
- `CheckoutFailedCondition`: indicates a transient or persistent
checkout failure. This Condition should be set by the reconciler as
soon as it observes a Git checkout failure, including any
prerequisites like the unavailability of the referenced Secret used
for authentication. It should be deleted as soon as a successful
checkout has been observed again.
- `SourceVerifiedCondition`: indicates the integrity of the source has
been verified. The Condition should be set to True or False by the
reconciler based on the result of the integrity check.
If there is no verification mode and/or secret configured, the
Condition should be removed.
- `IncludeUnavailableCondition`: indicates one of the referenced
includes is not available. This Condition should for example be set
by the reconciler when the include does not exist, or does not have
an artifact. If the includes become available, it should be deleted.
- `ArtifactOutdatedCondition`: indicates the current artifact of the
source is outdated. This Condition should for example be set by the
reconciler when it notices there is a newer revision for an artifact,
or the previously included artifacts differ from the current available
ones. The Condition should be removed after writing a new artifact
to the storage.
Signed-off-by: Hidde Beydals <hello@hidde.co>
v3.6.1 is a a security update from Helm, ensuring that credentials are
always only passed to the defined repository host.
Based on Helm user reports, disabling this behavior may be required for
some Helm repository solutions like Artifactory, and may be done by
setting `PassCredentials` in the `HelmRepositorySpec`.
For more information, see:
https://github.com/helm/helm/security/advisories/GHSA-56hp-xqp3-w2jf
Signed-off-by: Hidde Beydals <hello@hidde.co>
Controller-runtime has been updated to `v0.9.0`, K8s dependencies to
`v0.21.1`, and all `fluxcd/pkg` and other dependencies to the versions
that have matching dependencies and/or build constraints.
Signed-off-by: Hidde Beydals <hello@hidde.co>
- Prevents a deadlock in active-passive HA setups with multiple
replicas and during upgrades that previously occurred. As the
leader election would be held hostage by the previous replica
set due to the rolling update strategy.
- Ensures backing persistent (RW) volumes can safely be used, as
they can not be shared and will not become available to the next
pod without recreating all.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This commit upgrades the `controller-runtime` dependency to `v0.7.0`,
including all changes required to make all wiring work again.
- Upgrade `runtime` to v0.6.0 to include `controller-runtime` changes.
- Loggers have been removed from the reconcilers and are now retrieved
from the `context.Context` passed to the `Reconcile` method and
downwards functions.
- Logger configuration flags are now bound to the flag set using
`BindFlags` from `runtime/logger`, ensuring the same contract across
GitOps Toolkit controllers, and the `--log-json` flag has been
deprecated in favour of the `--log-encoding=json` default.
- The `ChangePredicate` from `runtime` has changed to a
`ReconcilateAtChangedPredicate`, and is now chained with the
`GenerationChangedPredicate` from `controller-runtime` using
`predicate.Or`.
- Signatures that made use of `runtime.Object` have changed to
`client.Object`, removing the requirement to e.g. call
`runtime.Object#Object`.
- The `client.MatchingField` function was deprecated, and has been
replaced with `client.MatchingFields{}`.
- The `leader-election-role` was changed, as leader election now works
via the `coordination/v1` API.
Other notable changes:
- `util.ObjectKey` was added to easily construct a `client.ObjectKey` /
`types.NamespacedName` from a `metav1.Object`.
- The `SourceIndexKey` constant has been split out into
`{GitRepository,HelmRepository,Bucket}IndexKey` constants.
Signed-off-by: Hidde Beydals <hello@hidde.co>
As part of the feature implementation to support helm chart
dependencies, the functionality for allowing values files overwriting
from any location scoped to the same source was altered. This should fix
the problem by allowing users to load files from any arbitrary location
as long as it's in the context of the same source from where the helm
chart itself is loaded.
Signed-off-by: Aurel Canciu <aurelcanciu@gmail.com>
Stefan Prodan
Hidde Beydals
Philip Laine
Dylan Arbour
abhinav454
Aurel Canciu