In Reconcile() methods, move the object deletion above add finalizer.
Finalizers can't be set when an object is being deleted.
Introduce a cacheless client in suite_test to use for testing this
change. It ensures that the Reconcile() call always operates on the
latest version of the object which has the deletion timestamp and
existing finalizer.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
Add support for verifying insecure HTTP OCI repositories with cosign. If
`.spec.insecure` set to true, then cosign uses plain HTTP connections to
communicate with the registry.
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Add support for specifying TLS auth data via `.spec.certSecretRef` in
HelmRepository and log a deprecation warning if TLS is configured via
`.spec.secretRef`. Introduce (and refactor) Helm client builder and
auth helpers to reduce duplicated code and increase uniformity and
testability.
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
This deals with various breaking changes in controller-runtime, as
documented in the release notes:
https://github.com/kubernetes-sigs/controller-runtime/releases/tag/v0.15.0
In short:
- `Watches` now use a `client.Object` instead of a `source.Kind`.
- `handler.MapFunc` signature accepts a Go context, which is used to
log any errors, instead of silently ignoring them and/or panicking.
- Fake clients used in tests are now configured using
`WithStatusSubresource` to enable the correct behavior for status
updates and patches.
- Max concurrent reconciles is configured on the manager, instead of
configuring them per reconciler instance.
- Various manager configuration options have been moved to new
structures and/or fields.
In addition to this, all other dependencies which had updates are
updated to their latest (compatible) versions as well.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
This commits adds verification of the digest of the artifact in storage
to all reconcilers which manage artifacts.
When the artifact does not have a digest or if it mismatches with the
file in storage, the file is removed from the storage and status of the
object.
This hardens the storage against potential tampering, in addition to
resolving an issue where users upgrading from a (much) older version of
the controller would run into an error after the checksum field was
removed from the API.
This would cause the controller to not advertise any checksum at all,
while not producing a new one until a new revision was detected.
Resulting in fetch failures for consumers while they would try to
verify the digest of the advertised artifact.
While not strictly part of this exercise, some of the tests were
altered to prepare the storage used in test cases to become isolated
by strictly using the `storage` provided via the callback. Actually
isolating this has however been left as a task at a later moment.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
Sunny
Sanskar Jaiswal
Hidde Beydals
Stefan Prodan