
Merge branch 'main' into devholic/#708
Signed-off-by: Sunghoon Kang <hoon@akuity.io>
Sunghoon Kang committed Feb 22, 2024
2 parents 2384fdc + bc55b39 commit 392b094
Showing 21 changed files with 479 additions and 400 deletions.
3 changes: 3 additions & 0 deletions Makefile
Expand Up @@ -42,6 +42,9 @@ endif
# Kargo development activities inside WSL2.
GOOS ?= $(shell uname -s | tr '[:upper:]' '[:lower:]')
GOARCH ?= $(shell uname -m)
ifeq ($(GOARCH), x86_64)
override GOARCH = amd64
endif

################################################################################
# Tests #
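Review bot: The added `ifeq` normalizes only `x86_64`, yet on Linux ARM hosts `uname -m` commonly reports `aarch64`, which Go does not accept as a GOARCH either, so those hosts still end up with an invalid value unless they set GOARCH by hand. If this block is meant to make the default work everywhere the WSL2 comment above it suggests, a parallel clause is cheap: `ifeq ($(GOARCH), aarch64)` / `override GOARCH = arm64` / `endif`. The conditional `endif` in the hunk header indicates the enclosing logic starts before this hunk.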
6 changes: 3 additions & 3 deletions api/v1alpha1/generated.proto


2 changes: 1 addition & 1 deletion api/v1alpha1/stage_types.go
Expand Up @@ -195,7 +195,7 @@ type GitRepoUpdate struct {
// RepoURL is the URL of the repository to update. This is a required field.
//
//+kubebuilder:validation:MinLength=1
//+kubebuilder:validation:Pattern=`^https://(\w+([\.-]\w+)*@)?\w+([\.-]\w+)*(:[\d]+)?(/.*)?$`
//+kubebuilder:validation:Pattern=`^https?://(\w+([\.-]\w+)*@)?\w+([\.-]\w+)*(:[\d]+)?(/.*)?$`
RepoURL string `json:"repoURL,omitempty" protobuf:"bytes,1,opt,name=repoURL"`
// InsecureSkipTLSVerify specifies whether certificate verification errors
// should be ignored when connecting to the repository. This should be enabled
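Review bot: The widened `Pattern` on `RepoURL` now admits plain `http://` URLs, but the doc comment above it still says only that the field is required, so a reader of the type gets no hint that such endpoints are treated differently; this matters most here because GitRepoUpdate is the path that writes commits back to a repository. Elsewhere in this commit the credentials lookup refuses to return stored credentials for any `http://` URL, and that contract belongs next to the field: `// Plain http:// URLs are accepted, but Kargo will not supply stored credentials to insecure HTTP endpoints; use https:// for any repository that requires authentication.` The GitRepoUpdate struct begins before this hunk and its remaining fields are not visible here.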
4 changes: 2 additions & 2 deletions api/v1alpha1/warehouse_types.go
Expand Up @@ -67,7 +67,7 @@ type GitSubscription struct {
// URL is the repository's URL. This is a required field.
//
//+kubebuilder:validation:MinLength=1
//+kubebuilder:validation:Pattern=`^https://(\w+([\.-]\w+)*@)?\w+([\.-]\w+)*(:[\d]+)?(/.*)?$`
//+kubebuilder:validation:Pattern=`^https?://(\w+([\.-]\w+)*@)?\w+([\.-]\w+)*(:[\d]+)?(/.*)?$`
RepoURL string `json:"repoURL,omitempty" protobuf:"bytes,1,opt,name=repoURL"`
// CommitSelectionStrategy specifies the rules for how to identify the newest
// commit of interest in the repository specified by the RepoURL field. This
Expand Down Expand Up @@ -131,7 +131,7 @@ type ImageSubscription struct {
// revision of that source code that was used to build the image.
//
//+kubebuilder:validation:Optional
//+kubebuilder:validation:Pattern=`^https://(\w+([\.-]\w+)*@)?\w+([\.-]\w+)*(:[\d]+)?(/.*)?$`
//+kubebuilder:validation:Pattern=`^https?://(\w+([\.-]\w+)*@)?\w+([\.-]\w+)*(:[\d]+)?(/.*)?$`
GitRepoURL string `json:"gitRepoURL,omitempty" protobuf:"bytes,2,opt,name=gitRepoURL"`
// ImageSelectionStrategy specifies the rules for how to identify the newest version
// of the image specified by the RepoURL field. This field is optional. When
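Review bot: In the first hunk, `GitSubscription.RepoURL` governs what a Warehouse actually fetches, and its relaxed pattern now lets a subscription point at a plaintext `http://` remote without any wording in the field's comment about the consequence; the `GitRepoURL` on ImageSubscription in the second hunk is only informational per its own comment, so the relaxation is far less consequential there. I would add to the `RepoURL` comment: `// http:// URLs are accepted for unauthenticated access only; Kargo will not attach stored credentials to them.` Both structs extend beyond the hunks shown.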
7 changes: 4 additions & 3 deletions charts/kargo/README.md
Expand Up @@ -73,10 +73,11 @@ the Kargo controller is running.
| `api.ingress.pathType` | You may want to use `Prefix` for some controllers (like AWS LoadBalancer Ingress controller), which don't support `/` as wildcard path when pathType is set to `ImplementationSpecific` | `ImplementationSpecific` |
| `api.service.type` | If you're not going to use an ingress controller, you may want to change this value to `LoadBalancer` for production deployments. If running locally, you may want to change it to `NodePort` OR leave it as `ClusterIP` and use `kubectl port-forward` to map a port on the local network interface to the service. | `ClusterIP` |
| `api.service.nodePort` | Host port the `Service` will be mapped to when `type` is either `NodePort` or `LoadBalancer`. If not specified, Kubernetes chooses. | `undefined` |
| `api.secret.name` | Specifies the name of an existing Secret which contains the `ADMIN_ACCOUNT_PASSWORD_HASH` and `ADMIN_ACCOUNT_TOKEN_SIGNING_KEY` values. By setting this, the Secret will **not** be generated by Helm. | `""` |
| `api.adminAccount.enabled` | Whether to enable the admin account. | `true` |
| `api.adminAccount.passwordHash` | Bcrypt password hash for the admin account. If specified, will ignore `password`. A value **must** be provided for either this field or `password`. | `""` |
| `api.adminAccount.password` | A password for the admin account. Ignored if `passwordHash` is set. It is suggested that you generate this using a password manager or a command like: `openssl rand -base64 29 \| tr -d "=+/" \| cut -c1-25`. A value **must** be provided for either this field or `passwordHash`. | `""` |
| `api.adminAccount.tokenSigningKey` | Key used to sign ID tokens (JWTs) for the admin account. It is suggested that you generate this using a password manager or a command like: `openssl rand -base64 29 \| tr -d "=+/" \| cut`. A value **must** be provided for this field. | `""` |
| `api.adminAccount.passwordHash` | Bcrypt password hash for the admin account. If specified, will ignore `password`. A value **must** be provided for either this field or `password`, unless `api.secret.name` is specified. | `""` |
| `api.adminAccount.password` | A password for the admin account. Ignored if `passwordHash` is set. It is suggested that you generate this using a password manager or a command like: `openssl rand -base64 29 \| tr -d "=+/" \| cut -c1-25`. A value **must** be provided for either this field or `passwordHash`, unless `api.secret.name` is specified. | `""` |
| `api.adminAccount.tokenSigningKey` | Key used to sign ID tokens (JWTs) for the admin account. It is suggested that you generate this using a password manager or a command like: `openssl rand -base64 29 \| tr -d "=+/" \| cut`. A value **must** be provided for this field, unless `api.secret.name` is specified. | `""` |
| `api.adminAccount.tokenTTL` | Specifies how long ID tokens for the admin account are valid. (i.e. The expiry will be the time of issue plus this duration.) | `24h` |
| `api.oidc.enabled` | Whether to enable authentication using Open ID Connect. | `false` |
| `api.oidc.issuerURL` | The issuer URL for the identity provider. If Dex is enabled, this value will be ignored and the issuer URL will be automatically configured. If Dex is not enabled, this should be set to the issuer URL provided to you by your identity provider. | `nil` |
2 changes: 1 addition & 1 deletion charts/kargo/crds/kargo.akuity.io_stages.yaml
Expand Up @@ -399,7 +399,7 @@ spec:
description: RepoURL is the URL of the repository to update.
This is a required field.
minLength: 1
pattern: ^https://(\w+([\.-]\w+)*@)?\w+([\.-]\w+)*(:[\d]+)?(/.*)?$
pattern: ^https?://(\w+([\.-]\w+)*@)?\w+([\.-]\w+)*(:[\d]+)?(/.*)?$
type: string
writeBranch:
description: WriteBranch specifies the particular branch
4 changes: 2 additions & 2 deletions charts/kargo/crds/kargo.akuity.io_warehouses.yaml
Expand Up @@ -131,7 +131,7 @@ spec:
description: URL is the repository's URL. This is a required
field.
minLength: 1
pattern: ^https://(\w+([\.-]\w+)*@)?\w+([\.-]\w+)*(:[\d]+)?(/.*)?$
pattern: ^https?://(\w+([\.-]\w+)*@)?\w+([\.-]\w+)*(:[\d]+)?(/.*)?$
type: string
semverConstraint:
description: SemverConstraint specifies constraints on what
Expand Down Expand Up @@ -162,7 +162,7 @@ spec:
this is specified, Kargo MAY be able to infer and link
to the exact revision of that source code that was used
to build the image.
pattern: ^https://(\w+([\.-]\w+)*@)?\w+([\.-]\w+)*(:[\d]+)?(/.*)?$
pattern: ^https?://(\w+([\.-]\w+)*@)?\w+([\.-]\w+)*(:[\d]+)?(/.*)?$
type: string
ignoreTags:
description: IgnoreTags is a list of tags that must be ignored
2 changes: 1 addition & 1 deletion charts/kargo/templates/api/deployment.yaml
Expand Up @@ -38,7 +38,7 @@ spec:
- configMapRef:
name: kargo-api
- secretRef:
name: kargo-api
name: {{ .Values.api.secret.name | default "kargo-api" }}
ports:
- name: h2c
containerPort: 8080
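Review bot: With `secretRef.name` now taken from `api.secret.name`, the `envFrom` entry imports every key of an operator-supplied Secret into the API container's environment, not only the `ADMIN_ACCOUNT_PASSWORD_HASH` and `ADMIN_ACCOUNT_TOKEN_SIGNING_KEY` keys the values documentation names; and since the `secretRef` follows the `configMapRef`, I believe a key present in both would resolve to the Secret's value, so stray keys in an external Secret can silently override the chart's ConfigMap settings. At minimum the `api.secret.name` description should say the Secret must carry only those two keys; binding them individually with `env` entries using `valueFrom.secretKeyRef` would make the contract explicit, though that needs `optional` handling if the generated Secret omits the keys when the admin account is disabled, which this hunk does not show. The container spec continues outside the hunk.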
2 changes: 1 addition & 1 deletion charts/kargo/templates/api/secret.yaml
@@ -1,4 +1,4 @@
{{- if .Values.api.enabled }}
{{- if and .Values.api.enabled (not .Values.api.secret.name) }}
apiVersion: v1
kind: Secret
type: Opaque
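Review bot: Once `api.secret.name` is set the new guard skips this template entirely, so any `api.adminAccount.password`, `passwordHash` or `tokenSigningKey` the operator also supplies is silently discarded, and someone who sets both would reasonably believe the inline password is the one in force. Failing the render on the conflict, ahead of the guard, removes that ambiguity: `{{- if and .Values.api.secret.name (or .Values.api.adminAccount.password .Values.api.adminAccount.passwordHash .Values.api.adminAccount.tokenSigningKey) }}` / `{{- fail "api.secret.name is mutually exclusive with api.adminAccount.password, passwordHash and tokenSigningKey" }}` / `{{- end }}`. The remainder of the Secret body, including how the values are encoded, is outside this hunk.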
10 changes: 7 additions & 3 deletions charts/kargo/values.yaml
Expand Up @@ -112,14 +112,18 @@ api:
## @param api.service.nodePort [nullable] Host port the `Service` will be mapped to when `type` is either `NodePort` or `LoadBalancer`. If not specified, Kubernetes chooses.
# nodePort:

secret:
## @param api.secret.name Specifies the name of an existing Secret which contains the `ADMIN_ACCOUNT_PASSWORD_HASH` and `ADMIN_ACCOUNT_TOKEN_SIGNING_KEY` values. By setting this, the Secret will **not** be generated by Helm.
name: ""

adminAccount:
## @param api.adminAccount.enabled Whether to enable the admin account.
enabled: true
## @param api.adminAccount.passwordHash Bcrypt password hash for the admin account. If specified, will ignore `password`. A value **must** be provided for either this field or `password`.
## @param api.adminAccount.passwordHash Bcrypt password hash for the admin account. If specified, will ignore `password`. A value **must** be provided for either this field or `password`, unless `api.secret.name` is specified.
passwordHash: ""
## @param api.adminAccount.password A password for the admin account. Ignored if `passwordHash` is set. It is suggested that you generate this using a password manager or a command like: `openssl rand -base64 29 \| tr -d "=+/" \| cut -c1-25`. A value **must** be provided for either this field or `passwordHash`.
## @param api.adminAccount.password A password for the admin account. Ignored if `passwordHash` is set. It is suggested that you generate this using a password manager or a command like: `openssl rand -base64 29 \| tr -d "=+/" \| cut -c1-25`. A value **must** be provided for either this field or `passwordHash`, unless `api.secret.name` is specified.
password: ""
## @param api.adminAccount.tokenSigningKey Key used to sign ID tokens (JWTs) for the admin account. It is suggested that you generate this using a password manager or a command like: `openssl rand -base64 29 \| tr -d "=+/" \| cut`. A value **must** be provided for this field.
## @param api.adminAccount.tokenSigningKey Key used to sign ID tokens (JWTs) for the admin account. It is suggested that you generate this using a password manager or a command like: `openssl rand -base64 29 \| tr -d "=+/" \| cut`. A value **must** be provided for this field, unless `api.secret.name` is specified.
tokenSigningKey: ""
## @param api.adminAccount.tokenTTL Specifies how long ID tokens for the admin account are valid. (i.e. The expiry will be the time of issue plus this duration.)
tokenTTL: 24h
5 changes: 3 additions & 2 deletions go.mod
Expand Up @@ -18,9 +18,7 @@ require (
github.com/evanphx/json-patch/v5 v5.9.0
github.com/fatih/structtag v1.2.0
github.com/gobwas/glob v0.2.3
github.com/gogo/protobuf v1.3.2
github.com/golang-jwt/jwt/v5 v5.2.0
github.com/google/go-cmp v0.6.0
github.com/google/uuid v1.6.0
github.com/kelseyhightower/envconfig v1.4.0
github.com/oklog/ulid/v2 v2.1.0
Expand Down Expand Up @@ -57,6 +55,8 @@ require (
sigs.k8s.io/yaml v1.4.0
)

require github.com/gogo/protobuf v1.3.2

require (
github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
Expand Down Expand Up @@ -93,6 +93,7 @@ require (
github.com/golang/protobuf v1.5.3 // indirect
github.com/google/btree v1.1.2 // indirect
github.com/google/gnostic-models v0.6.8 // indirect
github.com/google/go-cmp v0.6.0 // indirect
github.com/google/go-github/v56 v56.0.0
github.com/google/go-querystring v1.1.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
10 changes: 10 additions & 0 deletions internal/credentials/credentials.go
Expand Up @@ -10,6 +10,7 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client"

"github.com/akuity/kargo/internal/git"
"github.com/akuity/kargo/internal/logging"
)

const (
Expand Down Expand Up @@ -100,6 +101,15 @@ func (k *kubernetesDatabase) Get(
) (Credentials, bool, error) {
creds := Credentials{}

// If we are dealing with an insecure HTTP endpoint (of any type),
// refuse to return any credentials
if strings.HasPrefix(repoURL, "http://") {
logger := logging.LoggerFromContext(ctx).WithField("repoURL", repoURL)
logger.Warnf("refused to get credentials for insecure HTTP endpoint")

return creds, false, nil
}

var secret *corev1.Secret
var err error

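Review bot: The new refusal keyed on `strings.HasPrefix(repoURL, "http://")` is case-sensitive while URL schemes are not, so a URL such as `HTTP://host/repo` slips past the check and is still handed credentials; the CRD patterns in this commit pin the lowercase form for Git URLs, but the comment says this guard is meant for insecure endpoints "of any type", and `Get` takes whatever URL the caller passes. `strings.HasPrefix(strings.ToLower(repoURL), "http://")` closes that gap without a new import (the hunk adds only the `logging` import, so `strings` is presumably already imported here; please confirm). Minor: `logger.Warnf` is called with no format arguments, so `logger.Warn(...)` reads more honestly. Returning `false, nil` also means the caller proceeds anonymously instead of learning why credentials were withheld; if that is the intent, a sentence on the `Get` doc comment would spare the next reader a surprise. The `Get` method continues beyond this hunk.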