@ -20,7 +20,7 @@ Controllers that deal only with `http` and `https` schemes have no way to block
Some Flux objects provide a `.spec.insecure` field to enable the use of non-TLS based endpoints, but they don't clearly notify users when the option is not supported (e.g. Azure/GCP Buckets).
Some Flux objects provide a `.spec.insecure` field to enable the use of non-TLS based endpoints, but they don't clearly notify users when the option is not supported (e.g. Azure/GCP Buckets).
### Goals
### Goals
* Provide a flag across all Flux controllers which disables all outgoing HTTP connections.
* Provide a flag across relevant Flux controllers which disables all outgoing HTTP connections.
* Add a field which enables the use of non-TLS endpoints to appropriate Flux objects.
* Add a field which enables the use of non-TLS endpoints to appropriate Flux objects.
* Provide a way for users to be made aware that their use of non-TLS endpoints is not supported if that is the case.
* Provide a way for users to be made aware that their use of non-TLS endpoints is not supported if that is the case.
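Review bot: "relevant Flux controllers" in the first Goals bullet is left undefined, so a reader cannot tell which controllers are expected to carry the flag and which are exempt. Either list the controllers by name or state the criterion that makes one relevant. As worded, the goal no longer commits to the flag existing on every controller, so the scope needs to be explicit for the bullet to remain checkable.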
@ -95,7 +95,10 @@ an endpoint such as creating an `OCIRepository`:
```
```
Since these commands essentially create object definitions, the CLI should offer a boolean flag `--insecure`
Since these commands essentially create object definitions, the CLI should offer a boolean flag `--insecure`
for relevant objects, which will be used for specifying the value of `.spec.insecure` of such objects.
for the required commands, which will be used for specifying the value of `.spec.insecure` of such objects.
> Note: This flag should not be confused with `--insecure-skip-tls-verify` which is meant to skip TLS verification
> when using an HTTPS connection.
### Precedence & Validity
### Precedence & Validity
Objects with `.spec.insecure` as `true ` will only be allowed if HTTP connections are allowed at the controller level.
Objects with `.spec.insecure` as `true ` will only be allowed if HTTP connections are allowed at the controller level.
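Review bot: in the reworded sentence, "of such objects" has lost its antecedent now that "for relevant objects" reads "for the required commands", and "required" does not say which commands get `--insecure`. Suggest something like "for the commands that create objects supporting `.spec.insecure`, which will be used for specifying the value of that field". The added note separating `--insecure` from `--insecure-skip-tls-verify` is useful; it could also say which commands accept both flags. Minor: the context line below the heading has a stray space inside the code span in `true `.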
@ -103,7 +106,6 @@ Similarly, an object can have `.spec.insecure` as `true` only if the Saas/Cloud
For example, using a `Bucket` with its `.spec.provider` set to `azure` would be invalid since Azure doesn't allow
For example, using a `Bucket` with its `.spec.provider` set to `azure` would be invalid since Azure doesn't allow