diff --git a/rfcs/0004-insecure-http/README.md b/rfcs/0004-insecure-http/README.md index 5f463ab4..55188260 100644 --- a/rfcs/0004-insecure-http/README.md +++ b/rfcs/0004-insecure-http/README.md @@ -136,3 +136,37 @@ Instead of adding a flag, we can instruct users to make use of Kyverno policies all objects have `.spec.insecure` as `false` and any URLs present in the definition don't have `http` as the scheme. This is less attractive, as this would ask users to install another software and prevent Flux multi-tenancy from being standalone. + +## Design Details +If a controller is started with `--insecure-allow-http=false`, any URL in a Flux object which has `http` +as the scheme will result in an error and the following condition will be added to the object's +`.status.conditions`: + +```yaml +status: + conditions: + - lastTransitionTime: "2022-09-06T09:14:21Z" + message: "Use of insecure HTTP connections isn't allowed for this controller" + observedGeneration: 1 + reason: URLInvalid + status: "True" + type: FetchFailedCondition +``` + +Similarly, if an object has `.spec.insecure` as `true` but the Cloud provider doesn't allow HTTP connections, +the reconciler will error out and add the condition below to the object's `.status.conditions`: + +```yaml +status: + conditions: + - lastTransitionTime: "2022-09-06T09:14:21Z" + message: "Use of insecure HTTP connections isn't allowed for Azure Storage" + observedGeneration: 1 + reason: InsecureConnectionsDisallowed + status: "True" + type: FetchFailedCondition +``` + +If an object has `.spec.insecure` as `true`, the registry client or bucket client shall be created with the use +of HTTP connections enabled explicitly. +