From 1a89fa419eb07a6c104f0308ad7a34fa9782a3f2 Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Tue, 8 Apr 2025 14:28:43 +0300 Subject: [PATCH 1/7] RFC External Artifact API Signed-off-by: Stefan Prodan --- rfcs/0000-external-artifact/README.md | 166 ++++++++++++++++++++++++++ 1 file changed, 166 insertions(+) create mode 100644 rfcs/0000-external-artifact/README.md diff --git a/rfcs/0000-external-artifact/README.md b/rfcs/0000-external-artifact/README.md new file mode 100644 index 00000000..dcba3047 --- /dev/null +++ b/rfcs/0000-external-artifact/README.md @@ -0,0 +1,166 @@ +# RFC External Artifacts + +**Status:** provisional + +**Creation date:** 2025-04-08 + +**Last update:** 2025-04-08 + +## Summary + +This RFC proposes the introduction of a new API called `ExternalArtifact` that would allow +3rd party controllers to act as a source of truth for the cluster desired state. In effect, +the `ExternalArtifact` API acts as an extension of the existing `source.toolkit.fluxcd.io` APIs +that enables Flux `kustomize-controller` and `helm-controller` to consume artifacts from external +source types that are not natively supported by `source-controller`. + +## Motivation + +Over the years, we've received requests from users to support other source types besides the +ones natively supported by `source-controller`. For example, users have asked for support of +downloading Kubernetes manifests from GitHub/GitLab releases, Omaha protocol, SFTP protocol, +and other remote storage systems. + +Another common request is to run transformations on the artifacts fetched by source-controller. +For example, users want to be able to generate YAML manifests from jsonnet, cue, and other +templating engines before they are consumed by Flux `kustomize-controller`. + +In order to support these use cases, we need to define a standard API that allows 3rd party +controllers to expose artifacts in-cluster (in the same way `source-controller` does) +that can be consumed by Flux `kustomize-controller` and `helm-controller`. + +### Goals + +Define a standard API for 3rd party controllers to expose artifacts that can be consumed by +Flux controllers in the same way as the existing `source.toolkit.fluxcd.io` APIs. + +Allow Flux users to transition from using `source-controller` to using 3rd party source controllers +with minimal changes to their existing `Kustomizations` and `HelmReleases`. + +### Non-Goals + +Allow arbitrary custom resources to be referenced in Flux `Kustomization` and `HelmRelease` as `sourceRef`. + +Extend the Flux controllers permissions to access custom resources that are not part of the +`source.toolkit.fluxcd.io` APIs. + +## Proposal + +Assuming we have a custom controller called `release-controller` that is responsible for +reconciling `GitHubRelease` custom resources. This controller downloads the Kubernetes +deployment YAML manifests from the GitHub API and stores them in a local file system +as a `tar.gz` file. The `release-controller` then creates an `ExternalArtifact` +custom resource that tells the Flux controllers from where to fetch the artifact. + +Every time the `release-controller` reconciles a `GitHubRelease` custom resource, +it updates the `ExternalArtifact` status with the latest artifact information if the +upstream release has changed. + +The `release-controller` is responsible for exposing a HTTP endpoint that serves +the artifacts from its own storage. The URL of the `tar.gz` artifact is stored in +the `ExternalArtifact` status and should be accessible from the Flux controllers +running in the cluster. + +Example of a generated `ExternalArtifact` custom resource: + +```yaml +apiVersion: source.toolkit.fluxcd.io/v1 +kind: ExternalArtifact +metadata: + name: podinfo + namespace: apps +spec: + # SourceRef points to the Kubernetes custom resource for + # which the artifact is generated. + # +required + sourceRef: + apiVersion: source.example.com/v1alpha1 + kind: GitHubRelease + name: podinfo + namespace: apps +status: + artifact: + # Digest is the digest of the tar.gz file in the form of ':'. + # The digest is used by the Flux controllers to verify the integrity of the artifact. + # +required + digest: sha256:35d47c9db0eee6ffe08a404dfb416bee31b2b79eabc3f2eb26749163ce487f52 + # LastUpdateTime is the timestamp corresponding to the last update of the + # Artifact in storage. + # +required + lastUpdateTime: "2025-03-21T13:37:31Z" + # Path is the relative file path of the Artifact. It can be used to locate + # the file in the root of the Artifact storage on the local file system of + # the controller managing the Source. + # +required + path: release/apps/podinfo/6.8.0-b3396ad.tar.gz + # Revision is a human-readable identifier traceable in the origin source system + # in the form of '@:'. + # The revision is used by the Flux controllers to determine if the artifact has changed. + # +required + revision: 6.8.0@sha256:35d47c9db0eee6ffe08a404dfb416bee31b2b79eabc3f2eb26749163ce487f52 + # Size is the number of bytes of the tar.gz file. + # +required + size: 20914 + # URL is the in-cluster HTTP address of the Artifact as exposed by the controller + # managing the Source. It can be used to retrieve the Artifact for + # consumption, e.g. by kustomize-controller applying the Artifact contents. + # +required + url: http://release-controller.flux-system.svc.cluster.local./release/apps/podinfo/6.8.0-b3396ad.tar.gz + conditions: + - lastTransitionTime: "2025-04-08T09:09:49Z" + message: stored artifact for release 6.8.0 + observedGeneration: 1 + reason: Succeeded + status: "True" + type: Ready +``` + +Note that the `.status.artifact` is identical to how `source-controller` exposes the +artifact information for `Bucket`, `GitRepository`, and `OCIRepository` custom resources. +This allows the Flux controllers to consume external artifacts with minimal changes. + +The `ExternalArtifact` custom resource is referenced by a Flux `Kustomization` as follows: + +```yaml +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: podinfo + namespace: apps +spec: + interval: 10m + sourceRef: + kind: ExternalArtifact + name: podinfo + path: "./" + prune: true +``` + +Flux `kustomize-controller` will then fetch the artifact from the URL specified in the +`ExternalArtifact` status, verifies the integrity of the artifact using the digest +and applies the contents of the artifact to the cluster. + +Like with the existing `source.toolkit.fluxcd.io` APIs, `kustomize-controller` will +watch the `ExternalArtifact` custom resource for changes and will re-apply the +contents of the artifact when the `.status.artifact.revision` changes. + +### User Stories + +TODO + +### Alternatives + +TODO + +## Design Details + +TODO + +## Implementation History + + From e97da26435c048776d89106ec22bf01bbaaffd28 Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Tue, 15 Jul 2025 16:26:17 +0300 Subject: [PATCH 2/7] Add design details to `ExternalArtifact` RFC Signed-off-by: Stefan Prodan --- rfcs/0000-external-artifact/README.md | 104 ++++++++++++++++++++++++-- 1 file changed, 99 insertions(+), 5 deletions(-) diff --git a/rfcs/0000-external-artifact/README.md b/rfcs/0000-external-artifact/README.md index dcba3047..9492b514 100644 --- a/rfcs/0000-external-artifact/README.md +++ b/rfcs/0000-external-artifact/README.md @@ -4,7 +4,7 @@ **Creation date:** 2025-04-08 -**Last update:** 2025-04-08 +**Last update:** 2025-07-15 ## Summary @@ -72,7 +72,7 @@ metadata: spec: # SourceRef points to the Kubernetes custom resource for # which the artifact is generated. - # +required + # +optional sourceRef: apiVersion: source.example.com/v1alpha1 kind: GitHubRelease @@ -144,17 +144,111 @@ Like with the existing `source.toolkit.fluxcd.io` APIs, `kustomize-controller` w watch the `ExternalArtifact` custom resource for changes and will re-apply the contents of the artifact when the `.status.artifact.revision` changes. +When the `ExternalArtifact` contains a Helm chart, it can be referenced by a Flux `HelmRelease` as follows: + +```yaml +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: podinfo + namespace: apps +spec: + interval: 10m + releaseName: podinfo + chartRef: + kind: ExternalArtifact + name: podinfo + values: + replicaCount: 2 +``` + ### User Stories -TODO +#### 3rd Party Source Controller + +As a 3rd party controller developer, I want to expose artifacts in-cluster that are sourced from `flatcar/nebraska` +that can be consumed by Flux `kustomize-controller` and `helm-controller` so that Flux users can use my controller +as a source of truth for their cluster desired state. + +#### Custom Source Transform + +As a Flux user, I want to use a custom controller that generates Kubernetes manifests from CUE templates +which can be consumed by Flux `kustomize-controller`. + +#### Policy Enforcement + +As a cluster administrator, I want to ensure that only trusted 3rd party controllers +can create and manage `ExternalArtifact` resources in the cluster. + +```yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "trusted-external-artifacts" +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: ["source.toolkit.fluxcd.io"] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["externalartifacts"] + validations: + # Restrict the sourceRef to only allow trusted APIs + - expression: > + object.spec.sourceRef.apiVersion.startsWith('source.example.com') + # Restrict the sourceRef to only allow trusted Kinds + - expression: > + object.spec.sourceRef.kind == 'GitHubRelease' || + object.spec.sourceRef.kind == 'GitLabRelease' + # Restrict the artifacts to be served only by trusted endpoints within the cluster + - expression: > + !has(object.status.artifact) || + object.status.artifact.url.startsWith('http://release-controller.flux-system.svc.cluster.local./') + # Restrict the artifact operations to trusted service accounts + - expression: > + request.userInfo.username == 'system:serviceaccount:flux-system:release-controller' +``` ### Alternatives -TODO +An alternative to this proposal would be to deploy an OCI registry in-cluster. +The 3rd party controllers would then push the artifacts to the registry +and Flux `kustomize-controller` and `helm-controller` would consume the artifacts +via the `OCIRepository` custom resource. + +While this approach is feasible, it requires additional infrastructure and +configuration, which may not be desirable for all users. The `ExternalArtifact` API +provides a simpler and more flexible way to expose artifacts in-cluster without +the need to self-host an OCI registry. In addition, the `ExternalArtifact` API +offers a better user experience by allowing Flux user to trace the origin of reconciled resources +back to the original source via `ExternalArtifact.spec.sourceRef` and `flux trace` command. ## Design Details -TODO +The `ExternalArtifact` API will be added to `source-controller/api` Go package. +3rd party controllers will import `github.com/fluxcd/source-controller/api/v1` +to generate valid `ExternalArtifact` custom resources using the controller-runtime client. +To create `tar.gz` files compatible with Flux, the controller will make use of +the `github.com/fluxcd/pkg/oci` package, calling the `client.Build` function. + +The `ExternalArtifact` CRD will be bundled with the `source-controller` CRDs manifests which +are part of the standard Flux distribution. This means that users will not need to install +the `ExternalArtifact` CRD separately, as it will be available out of the box with Flux. + +The `ExternalArtifact` API specifications will be published to the Flux documentation website, +under the `source.toolkit.fluxcd.io` API reference section. + +The Flux `Kustomization` and `HelmRelease` APIs will be extended to support the `ExternalArtifact` kind +as a valid `sourceRef.kind` and `chartRef.kind`. The `kustomize-controller` and `helm-controller` +will gain the ability to consume artifacts from `ExternalArtifact` and watch for revision changes. + +The `flux trace` command will be extended to support the `ExternalArtifact` API, allowing Flux users +to trace any Kubernetes resource in-cluster that originates from an `ExternalArtifact` and see the +`sourceRef` information that points to the original source. + +The `flux` CLI will implement the `flux get externalartifact` command for listing and status checking +of `ExternalArtifact` custom resources in the cluster. ## Implementation History From 8bc7822fe544907ec5ff4a0b42d1643cfc3660bd Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Sat, 30 Aug 2025 12:39:59 +0300 Subject: [PATCH 3/7] Add security considerations and recommendations Signed-off-by: Stefan Prodan --- rfcs/0000-external-artifact/README.md | 49 ++++++++++++++++++++++++++- 1 file changed, 48 insertions(+), 1 deletion(-) diff --git a/rfcs/0000-external-artifact/README.md b/rfcs/0000-external-artifact/README.md index 9492b514..29866824 100644 --- a/rfcs/0000-external-artifact/README.md +++ b/rfcs/0000-external-artifact/README.md @@ -4,7 +4,7 @@ **Creation date:** 2025-04-08 -**Last update:** 2025-07-15 +**Last update:** 2025-08-30 ## Summary @@ -162,6 +162,53 @@ spec: replicaCount: 2 ``` +### Security Considerations + +With the introduction of the `ExternalArtifact` API, the trust boundary of Flux is extended +to include 3rd party controllers that are capable of creating and managing `ExternalArtifact` +custom resources in the cluster. This means that the security posture of the cluster +is now dependent on the security of these 3rd party controllers. + +To mitigate potential security risks, it is recommended to implement the following measures +when developing 3rd party source controllers: + +- **Authentication and Authorization**: Ensure that the controller uses proper authentication + and authorization mechanisms to interact with upstream sources and avoid embedding sensitive + information directly in the custom resource specifications. Following source-controller + best practices for managing credentials is highly recommended: use `serviceAccountName` to + integrate with Kubernetes Workload Identity for short-lived credentials, use `secretRef` to + reference long-lived credentials, never cache long-lived credentials on disk or in-memory. +- **TLS Encryption**: Use TLS encryption for all communications between the controller + and upstream sources to protect sensitive data in transit. Following source-controller + best practices for TLS is highly recommended: use `certSecretRef` to reference + custom CA certificates and client certificates, prefer Mutual TLS authentication, never + allow skipping TLS verification. +- **Provenance and Integrity**: Ensure that the controller verifies the integrity of the + artifacts it generates and exposes in-cluster. This can be achieved by using checksums + and digital signatures to validate the authenticity of upstream sources. Following + source-controller best practices for source integrity is highly recommended: + verify the provenance of upstream artifacts using Sigstore Cosign or Notary + Notation signatures, prefer keyless verification using OIDC identity tokens and + public transparency logs. +- **Access Control**: Implement access control mechanisms to restrict cross-namespace + generation of `ExternalArtifact` custom resources. Following source-controller + best practices for access control is highly recommended: expose a `--no-cross-namespace-refs` + flag to restrict the controller from generating `ExternalArtifact` resources in a different + namespace than the one where the source custom resource is located. Use Kubernetes owner + references to establish a clear ownership relationship between the source custom resource + and the `ExternalArtifact` resource, allowing Kubernetes garbage collection to clean up + the `ExternalArtifact` when the source resource is deleted. +- **Least Privilege**: Run the controller with the least privilege necessary to perform + its functions. Following source-controller best practices for least privilege is highly recommended: + use a dedicated Kubernetes service account with minimal RBAC permissions, avoid running + the controller as a cluster-admin or with wildcard permissions, conform with the restricted pod security + standard (e.g., disallow running as root, disallow host network access, read-only rootfs). +- **Artifact persistent storage integrity**: Ensure that the controller can be configured to use + persistent storage for storing artifacts, to avoid data loss in case of controller restarts + or failures. Following source-controller best practices for artifact storage is highly recommended: + at startup, ensure that the artifacts in-storage have not been tampered with by verifying + the checksums of all stored artifacts against the `ExternalArtifact` digests in the cluster. + ### User Stories #### 3rd Party Source Controller From 19cd02e54823bfebd4d1a463b0bf88c6f3c04582 Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Sat, 30 Aug 2025 12:40:46 +0300 Subject: [PATCH 4/7] Add SDK for packaging and exposing artifacts Signed-off-by: Stefan Prodan --- rfcs/0000-external-artifact/README.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/rfcs/0000-external-artifact/README.md b/rfcs/0000-external-artifact/README.md index 29866824..912dced1 100644 --- a/rfcs/0000-external-artifact/README.md +++ b/rfcs/0000-external-artifact/README.md @@ -276,8 +276,11 @@ back to the original source via `ExternalArtifact.spec.sourceRef` and `flux trac The `ExternalArtifact` API will be added to `source-controller/api` Go package. 3rd party controllers will import `github.com/fluxcd/source-controller/api/v1` to generate valid `ExternalArtifact` custom resources using the controller-runtime client. -To create `tar.gz` files compatible with Flux, the controller will make use of -the `github.com/fluxcd/pkg/oci` package, calling the `client.Build` function. + +The Flux maintainers will develop an SDK for packaging and exposing artifacts +in-cluster using the `ExternalArtifact` API. The SDK will provide helper functions +for generating Flux-compliant artifacts, as well as for storing artifacts in a persistent storage. +The SDK will be published as a Go module under the `github.com/fluxcd/pkg` repository. The `ExternalArtifact` CRD will be bundled with the `source-controller` CRDs manifests which are part of the standard Flux distribution. This means that users will not need to install From df57392f4871c4929cbaf3d8f2da264e886f8a36 Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Sat, 30 Aug 2025 12:41:13 +0300 Subject: [PATCH 5/7] Add Feature Gate Signed-off-by: Stefan Prodan --- rfcs/0000-external-artifact/README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/rfcs/0000-external-artifact/README.md b/rfcs/0000-external-artifact/README.md index 912dced1..e48a0ef1 100644 --- a/rfcs/0000-external-artifact/README.md +++ b/rfcs/0000-external-artifact/README.md @@ -300,6 +300,17 @@ to trace any Kubernetes resource in-cluster that originates from an `ExternalArt The `flux` CLI will implement the `flux get externalartifact` command for listing and status checking of `ExternalArtifact` custom resources in the cluster. +### Feature Gate + +While the `ExternalArtifact` API will be available out of the box with Flux, +the ability for `kustomize-controller` and `helm-controller` to consume artifacts +from `ExternalArtifact` resources will be behind a feature gate called `ExternalArtifact`. + +The feature gate will be disabled by default and can be enabled by setting +the `--feature-gates=ExternalArtifact=true` flag on the `kustomize-controller` +and `helm-controller` deployments. This allows cluster administrators to +control the adoption of the `ExternalArtifact` feature in their clusters. + ## Implementation History