From dff79355ecbc61f08dbfab870ba1d7d228930d49 Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Fri, 22 Jan 2021 10:23:47 +0200 Subject: [PATCH] Update fluxcd/pkg/runtime to v0.8.0 Signed-off-by: Stefan Prodan --- api/go.mod | 2 +- api/go.sum | 4 +- api/v1beta1/alert_types.go | 4 +- api/v1beta1/provider_types.go | 4 +- api/v1beta1/receiver_types.go | 3 +- api/v1beta1/zz_generated.deepcopy.go | 4 +- ...notification.toolkit.fluxcd.io_alerts.yaml | 5 +- ...ification.toolkit.fluxcd.io_providers.yaml | 5 +- ...ification.toolkit.fluxcd.io_receivers.yaml | 5 +- docs/api/notification.md | 24 +++------ docs/spec/v1beta1/README.md | 2 +- docs/spec/v1beta1/alert.md | 2 +- docs/spec/v1beta1/provider.md | 22 ++++++--- docs/spec/v1beta1/receiver.md | 49 +++++++------------ go.mod | 8 +-- go.sum | 16 +++--- main.go | 13 +++-- 17 files changed, 77 insertions(+), 95 deletions(-)
diff --git a/api/go.mod b/api/go.mod
index 5aa42faba..9f358183c 100644
--- a/api/go.mod
+++ b/api/go.mod
@@ -3,7 +3,7 @@ module github.com/fluxcd/notification-controller/api
 go 1.15
 
 require (
-	github.com/fluxcd/pkg/apis/meta v0.6.0
+	github.com/fluxcd/pkg/apis/meta v0.7.0
 	k8s.io/api v0.20.2
 	k8s.io/apimachinery v0.20.2
 	sigs.k8s.io/controller-runtime v0.8.0
diff --git a/api/go.sum b/api/go.sum
index f065654ed..95f76fb45 100644
--- a/api/go.sum
+++ b/api/go.sum
@@ -88,8 +88,8 @@ github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7
 github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
-github.com/fluxcd/pkg/apis/meta v0.6.0 h1:3ETc/Yz4qXGKLj+Iti6vKFwVE024WX+Jr+jIHlxj7zs=
-github.com/fluxcd/pkg/apis/meta v0.6.0/go.mod h1:yHuY8kyGHYz22I0jQzqMMGCcHViuzC/WPdo9Gisk8Po=
+github.com/fluxcd/pkg/apis/meta v0.7.0 h1:5e8gm4OLqjuKWdrOIY5DEEsjcwzyJFK8rCDesJ+V8IY=
+github.com/fluxcd/pkg/apis/meta v0.7.0/go.mod h1:yHuY8kyGHYz22I0jQzqMMGCcHViuzC/WPdo9Gisk8Po=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
diff --git a/api/v1beta1/alert_types.go b/api/v1beta1/alert_types.go
index 3adf54d42..17e20cc12 100644
--- a/api/v1beta1/alert_types.go
+++ b/api/v1beta1/alert_types.go
@@ -17,7 +17,7 @@ limitations under the License.
 package v1beta1
 
 import (
-	corev1 "k8s.io/api/core/v1"
+	"github.com/fluxcd/pkg/apis/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -25,7 +25,7 @@ import (
 type AlertSpec struct {
 	// Send events using this provider
 	// +required
-	ProviderRef corev1.LocalObjectReference `json:"providerRef"`
+	ProviderRef meta.LocalObjectReference `json:"providerRef"`
 
 	// Filter events based on severity, defaults to ('info').
 	// If set to 'info' no events will be filtered.
diff --git a/api/v1beta1/provider_types.go b/api/v1beta1/provider_types.go
index c5bdfb5cd..60a6a6688 100644
--- a/api/v1beta1/provider_types.go
+++ b/api/v1beta1/provider_types.go
@@ -17,7 +17,7 @@ limitations under the License.
 package v1beta1
 
 import (
-	corev1 "k8s.io/api/core/v1"
+	"github.com/fluxcd/pkg/apis/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -51,7 +51,7 @@ type ProviderSpec struct {
 	// Secret reference containing the provider webhook URL
 	// using "address" as data key
 	// +optional
-	SecretRef *corev1.LocalObjectReference `json:"secretRef,omitempty"`
+	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
 }
 
 const (
diff --git a/api/v1beta1/receiver_types.go b/api/v1beta1/receiver_types.go
index 9e23cdc4f..2b871a1c9 100644
--- a/api/v1beta1/receiver_types.go
+++ b/api/v1beta1/receiver_types.go
@@ -17,7 +17,6 @@ limitations under the License.
 package v1beta1
 
 import (
-	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"github.com/fluxcd/pkg/apis/meta"
@@ -43,7 +42,7 @@ type ReceiverSpec struct {
 	// Secret reference containing the token used
 	// to validate the payload authenticity
 	// +required
-	SecretRef corev1.LocalObjectReference `json:"secretRef,omitempty"`
+	SecretRef meta.LocalObjectReference `json:"secretRef,omitempty"`
 
 	// This flag tells the controller to suspend subsequent events handling.
 	// Defaults to false.
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
index 8a473a51b..c31060bee 100644
--- a/api/v1beta1/zz_generated.deepcopy.go
+++ b/api/v1beta1/zz_generated.deepcopy.go
@@ -21,7 +21,7 @@ limitations under the License.
 package v1beta1
 
 import (
-	corev1 "k8s.io/api/core/v1"
+	"github.com/fluxcd/pkg/apis/meta"
 	"k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
@@ -207,7 +207,7 @@ func (in *ProviderSpec) DeepCopyInto(out *ProviderSpec) {
 	*out = *in
 	if in.SecretRef != nil {
 		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(corev1.LocalObjectReference)
+		*out = new(meta.LocalObjectReference)
 		**out = **in
 	}
 }
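Review bot: The `SecretRef` line on the new side of the `@@ -43,7 +42,7 @@` hunk in receiver_types.go still carries `omitempty` in its JSON tag while the marker directly above it says `+required`, so the tag and the marker disagree on whether the field may be absent. This reference names the Secret holding the token the controller uses to check webhook payload authenticity, so the schema should leave no room for an empty or missing reference; change the tag on that line to `json:"secretRef"` (dropping `,omitempty`) so it matches the marker, as `ProviderRef` in alert_types.go already does with `json:"providerRef"`. Whether controller-gen currently emits `secretRef` as required for this struct cannot be confirmed from the hunk; the CRD change in this commit only makes `name` required inside the reference itself. `ReceiverSpec` starts and ends outside the hunk.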
diff --git a/config/crd/bases/notification.toolkit.fluxcd.io_alerts.yaml b/config/crd/bases/notification.toolkit.fluxcd.io_alerts.yaml index 7b67aa31a..483ed1167 100644 --- a/config/crd/bases/notification.toolkit.fluxcd.io_alerts.yaml +++ b/config/crd/bases/notification.toolkit.fluxcd.io_alerts.yaml @@ -95,9 +95,10 @@ spec: description: Send events using this provider properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: Name of the referent type: string + required: + - name type: object summary: description: Short description of the impact and affected cluster. diff --git a/config/crd/bases/notification.toolkit.fluxcd.io_providers.yaml b/config/crd/bases/notification.toolkit.fluxcd.io_providers.yaml index caa4a5f53..8f83c8720 100644 --- a/config/crd/bases/notification.toolkit.fluxcd.io_providers.yaml +++ b/config/crd/bases/notification.toolkit.fluxcd.io_providers.yaml @@ -62,9 +62,10 @@ spec: using "address" as data key properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: Name of the referent type: string + required: + - name type: object type: description: Type of provider diff --git a/config/crd/bases/notification.toolkit.fluxcd.io_receivers.yaml b/config/crd/bases/notification.toolkit.fluxcd.io_receivers.yaml index 44f7fc666..498ccd717 100644 --- a/config/crd/bases/notification.toolkit.fluxcd.io_receivers.yaml +++ b/config/crd/bases/notification.toolkit.fluxcd.io_receivers.yaml 
@@ -93,9 +93,10 @@ spec: the payload authenticity properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: Name of the referent type: string + required: + - name type: object suspend: description: This flag tells the controller to suspend subsequent diff --git a/docs/api/notification.md b/docs/api/notification.md index a03b32aff..8839d6c46 100644 --- a/docs/api/notification.md +++ b/docs/api/notification.md @@ -76,9 +76,7 @@ AlertSpec providerRef
- -Kubernetes core/v1.LocalObjectReference - +github.com/fluxcd/pkg/apis/meta.LocalObjectReference @@ -275,9 +273,7 @@ string secretRef
- -Kubernetes core/v1.LocalObjectReference - +github.com/fluxcd/pkg/apis/meta.LocalObjectReference @@ -404,9 +400,7 @@ e.g. ‘push’ for GitHub or ‘Push Hook’ for GitLab.

secretRef
- -Kubernetes core/v1.LocalObjectReference - +github.com/fluxcd/pkg/apis/meta.LocalObjectReference @@ -467,9 +461,7 @@ ReceiverStatus providerRef
- -Kubernetes core/v1.LocalObjectReference - +github.com/fluxcd/pkg/apis/meta.LocalObjectReference @@ -714,9 +706,7 @@ string secretRef
- -Kubernetes core/v1.LocalObjectReference - +github.com/fluxcd/pkg/apis/meta.LocalObjectReference @@ -822,9 +812,7 @@ e.g. ‘push’ for GitHub or ‘Push Hook’ for GitLab.

secretRef
- -Kubernetes core/v1.LocalObjectReference - +github.com/fluxcd/pkg/apis/meta.LocalObjectReference diff --git a/docs/spec/v1beta1/README.md b/docs/spec/v1beta1/README.md index 823bf8bf9..0968661bd 100644 --- a/docs/spec/v1beta1/README.md +++ b/docs/spec/v1beta1/README.md @@ -11,4 +11,4 @@ This is the v1alpha1 API specification for defining events handling and dispatch ## Go Client -* [github.com/fluxcd/pkg/recorder](https://github.com/fluxcd/pkg/tree/master/recorder) +* [github.com/fluxcd/pkg/recorder](https://github.com/fluxcd/pkg/tree/main/recorder) diff --git a/docs/spec/v1beta1/alert.md b/docs/spec/v1beta1/alert.md index 8c4024655..c04bab6c4 100644 --- a/docs/spec/v1beta1/alert.md +++ b/docs/spec/v1beta1/alert.md @@ -10,7 +10,7 @@ Spec: type AlertSpec struct { // Send events using this provider // +required - ProviderRef corev1.LocalObjectReference `json:"providerRef"` + ProviderRef meta.LocalObjectReference `json:"providerRef"` // Filter events based on severity, defaults to ('info'). // +kubebuilder:validation:Enum=info;error diff --git a/docs/spec/v1beta1/provider.md b/docs/spec/v1beta1/provider.md index 97e579218..a5243e66d 100644 --- a/docs/spec/v1beta1/provider.md +++ b/docs/spec/v1beta1/provider.md @@ -33,7 +33,7 @@ type ProviderSpec struct { // Secret reference containing the provider webhook URL // +optional - SecretRef *corev1.LocalObjectReference `json:"secretRef,omitempty"` + SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"` } ``` 
@@ -133,11 +133,15 @@ spec:
 ```
 
 #### Authentication
-GitHub. GitLab, and Azure DevOps use personal access tokens to authenticate with their API.
- - [GitHub personal access token](https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token)
- - [GitLab personal access token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html)
- - [Azure DevOps personal access token](https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=preview-page)
-Both provider types require a secret in the same format, with the personal access token as the value for the token key.
+
+GitHub. GitLab, and Azure DevOps use personal access tokens to authenticate with their API:
+
+- [GitHub personal access token](https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token)
+- [GitLab personal access token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html)
+- [Azure DevOps personal access token](https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=preview-page)
+
+The providers require a secret in the same format, with the personal access token as the value for the token key:
+
 ```yaml
 apiVersion: v1
 kind: Secret
@@ -148,9 +152,11 @@ data:
   token: 
 ```
 
-Bitbucket authenticates using an [app password](https://support.atlassian.com/bitbucket-cloud/docs/app-passwords/). It requires
-both the username and the password when authenticating. There for the token needs to be passed with the format `:`.
+Bitbucket authenticates using an [app password](https://support.atlassian.com/bitbucket-cloud/docs/app-passwords/).
+It requires both the username and the password when authenticating.
+There for the token needs to be passed with the format `:`.
 A token that is not in this format will cause the provider to fail.
+
 ```yaml
 apiVersion: v1
 kind: Secret
diff --git a/docs/spec/v1beta1/receiver.md b/docs/spec/v1beta1/receiver.md
index 1809c414f..2deeb45ed 100644
--- a/docs/spec/v1beta1/receiver.md
+++ b/docs/spec/v1beta1/receiver.md
@@ -9,7 +9,7 @@ reconciliation for a group of resources.
 type ReceiverSpec struct {
 	// Type of webhook sender, used to determine
 	// the validation procedure and payload deserialization.
-	// +kubebuilder:validation:Enum=generic;github;gitlab;harbor;dockerhub;quay
+	// +kubebuilder:validation:Enum=generic;generic-hmac;github;gitlab;bitbucket;harbor;dockerhub;quay;gcr;nexus
 	// +required
 	Type string `json:"type"`
 
@@ -25,7 +25,7 @@ type ReceiverSpec struct {
 	// Secret reference containing the token used
 	// to validate the payload authenticity
 	// +required
-	SecretRef corev1.LocalObjectReference `json:"secretRef,omitempty"`
+	SecretRef meta.LocalObjectReference `json:"secretRef,omitempty"`
 
 	// This flag tells the controller to suspend subsequent events handling.
 	// Defaults to false.
@@ -121,51 +121,38 @@ spec: namespace: default ``` -This generic receiver performs token validation. The controller uses the `X-Signature` header to get -the hash signature. The signature should be prefixed with the hash function(`sha1`, `sha256`, or `sha512`) like this: +This generic receiver verifies that the request is legitimate using HMAC. +The controller uses the `X-Signature` header to get the hash signature. +The signature should be prefixed with the hash function(`sha1`, `sha256`, or `sha512`) like this: `=`. -1. Generate hash using open ssl and sha1 +1. Generate hash signature using OpenSSL: + ```sh -echo -n '' | openssl dgst -sha1 -hmac "aHR0cHM6Ly9ob29rcy5zbGFjay5jb20vc2VydmljZXMv" +echo -n '' | openssl dgst -sha1 -hmac "" ``` -You can use the flag `sha256` or `sha512` if you want a different hash function -This would output the hash. +You can use the flag `sha256` or `sha512` if you want a different hash function. -2. Send a POST request to the webhook url -``` -curl \ --X POST \ - -H "X-Signature: sha1=" \ --d '' +2. Send a HTTP POST request to the webhook URL: + +```sh +curl -X POST -H "X-Signature: sha1=" -d '' ``` Generate hash signature using Go: ```go -package main - -import ( - "crypto/hmac" - "fmt" - "crypto/sha1" -) - -// input is the body of the request -// key is your secret token -func GetSignature(input, key string) string { - key_for_sign := []byte(key) - h := hmac.New(sha1.New, key_for_sign) - h.Write([]byte(input)) +func sign(payload, key string) string { + h := hmac.New(sha1.New, []byte(key)) + h.Write([]byte(payload)) return fmt.Sprintf("%x", h.Sum(nil)) } -// Don't forget to set request Headers -// req.Header.Set("X-Signature", fmt.Sprintf("sha1=%s", )) +// set headers +req.Header.Set("X-Signature", fmt.Sprintf("sha1=%s", sign(payload, key))) ``` - ### GitHub receiver ```yaml diff --git a/go.mod b/go.mod index 1420f318b..da82688aa 100644 --- a/go.mod +++ b/go.mod 
@@ -5,12 +5,12 @@ go 1.15
 replace github.com/fluxcd/notification-controller/api => ./api
 
 require (
-	github.com/fluxcd/image-reflector-controller/api v0.3.0
+	github.com/fluxcd/image-reflector-controller/api v0.4.0
 	github.com/fluxcd/notification-controller/api v0.6.2
-	github.com/fluxcd/pkg/apis/meta v0.6.0
+	github.com/fluxcd/pkg/apis/meta v0.7.0
 	github.com/fluxcd/pkg/recorder v0.0.6
-	github.com/fluxcd/pkg/runtime v0.7.0
-	github.com/fluxcd/source-controller/api v0.6.2
+	github.com/fluxcd/pkg/runtime v0.8.0
+	github.com/fluxcd/source-controller/api v0.7.0
 	github.com/go-logr/logr v0.3.0
 	github.com/google/go-github/v32 v32.1.0
 	github.com/hashicorp/go-retryablehttp v0.6.8
diff --git a/go.sum b/go.sum
index b02110140..082945ecd 100644
--- a/go.sum
+++ b/go.sum
@@ -97,16 +97,16 @@ github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLi
 github.com/evanphx/json-patch v4.9.0+incompatible h1:kLcOMZeuLAJvL2BPWLMIj5oaZQobrkAqrL+WFZwQses=
 github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
-github.com/fluxcd/image-reflector-controller/api v0.3.0 h1:ZG/gb+XUQWX6FSvuzpvxz4kgdRp1mfRJIQyaHx4XMrQ=
-github.com/fluxcd/image-reflector-controller/api v0.3.0/go.mod h1:tE+oSbiM0bXDhmt1Jrg5o9pdFmXCBxlpPn1GQSCzXv0=
-github.com/fluxcd/pkg/apis/meta v0.6.0 h1:3ETc/Yz4qXGKLj+Iti6vKFwVE024WX+Jr+jIHlxj7zs=
-github.com/fluxcd/pkg/apis/meta v0.6.0/go.mod h1:yHuY8kyGHYz22I0jQzqMMGCcHViuzC/WPdo9Gisk8Po=
+github.com/fluxcd/image-reflector-controller/api v0.4.0 h1:/7mxmTsjmwmzTchWG06FaTki4hbN4qrVXdT5l/Yio5A=
+github.com/fluxcd/image-reflector-controller/api v0.4.0/go.mod h1:MS3mGjZLnzZsfSqVLGbp0WNJr/k8XRFpw4G6ApLFTbc=
+github.com/fluxcd/pkg/apis/meta v0.7.0 h1:5e8gm4OLqjuKWdrOIY5DEEsjcwzyJFK8rCDesJ+V8IY=
+github.com/fluxcd/pkg/apis/meta v0.7.0/go.mod h1:yHuY8kyGHYz22I0jQzqMMGCcHViuzC/WPdo9Gisk8Po=
 github.com/fluxcd/pkg/recorder v0.0.6 h1:me/n8syeeGXz50OXoPX3jgIj9AtinvhHdKT9Dy+MbHs=
 github.com/fluxcd/pkg/recorder v0.0.6/go.mod h1:IfQxfVRSNsWs3B0Yp5B6ObEWwKHILlAx8N7XkoDdhFg=
-github.com/fluxcd/pkg/runtime v0.7.0 h1:AMzqHGae0zqDQAmKwa1htjStk2wphwWF0xQw/zD3FY4=
-github.com/fluxcd/pkg/runtime v0.7.0/go.mod h1:1dzGFwtowST5AIW5i9f0Pn0fMhCmOHFyBizuPJSKX+s=
-github.com/fluxcd/source-controller/api v0.6.2 h1:xgKZg0Ajeh/jPPePZJriDUgzxgCXIFBPqZso9obtpko=
-github.com/fluxcd/source-controller/api v0.6.2/go.mod h1:LzLXD6RfQ+4Es+gUuIZE4NCSW2WkWIK91EnVBCMvbQw=
+github.com/fluxcd/pkg/runtime v0.8.0 h1:cnSBZJLcXlKgjXpFFFExu+4ZncIxmPgNIx+ErLcCLnA=
+github.com/fluxcd/pkg/runtime v0.8.0/go.mod h1:tQwEN+RESjJmtwSSv7I+6bkNM9raIXpGsCjruaIVX6A=
+github.com/fluxcd/source-controller/api v0.7.0 h1:QDpr6ZjHtTxw+mc+mZ1p9qRujHb+PzPdoQP3YgWlqOA=
+github.com/fluxcd/source-controller/api v0.7.0/go.mod h1:u2sdc/QDm0tzXHL7mZVj928hc3MMU+4mKCuAQg+94Bk=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
diff --git a/main.go b/main.go
index aa8c1e9f5..6782854af 100644
--- a/main.go
+++ b/main.go
@@ -17,7 +17,6 @@ limitations under the License.
 package main
 
 import (
-	goflag "flag"
 	"os"
 
 	flag "github.com/spf13/pflag"
@@ -28,6 +27,7 @@ import (
 	crtlmetrics "sigs.k8s.io/controller-runtime/pkg/metrics"
 
 	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+	"github.com/fluxcd/pkg/runtime/client"
 	"github.com/fluxcd/pkg/runtime/logger"
 	"github.com/fluxcd/pkg/runtime/metrics"
 	"github.com/fluxcd/pkg/runtime/probes"
@@ -62,6 +62,7 @@ func main() {
 		enableLeaderElection bool
 		concurrent int
 		watchAllNamespaces bool
+		clientOptions client.Options
 		logOptions logger.Options
 	)
 
@@ -77,11 +78,8 @@ func main() {
 		"Watch for custom resources in all namespaces, if set to false it will only watch the runtime namespace.")
 	flag.Bool("log-json", false, "Set logging to JSON format.")
 	flag.CommandLine.MarkDeprecated("log-json", "Please use --log-encoding=json instead.")
-	{
-		var fs goflag.FlagSet
-		logOptions.BindFlags(&fs)
-		flag.CommandLine.AddGoFlagSet(&fs)
-	}
+	clientOptions.BindFlags(flag.CommandLine)
+	logOptions.BindFlags(flag.CommandLine)
 	flag.Parse()
 
 	log := logger.NewLogger(logOptions)
@@ -95,7 +93,8 @@ func main() {
 		watchNamespace = os.Getenv("RUNTIME_NAMESPACE")
 	}
 
-	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
+	restConfig := client.GetConfigOrDie(clientOptions)
+	mgr, err := ctrl.NewManager(restConfig, ctrl.Options{
 		Scheme: scheme,
 		MetricsBindAddress: metricsAddr,
 		HealthProbeBindAddress: healthAddr,