
Add --audience-claim for GCR Receivers

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Stefan Prodan
2026-04-10 12:34:26 +03:00
parent 02734f28ba
commit c601a212f6
5 changed files with 42 additions and 16 deletions


@@ -55,10 +55,11 @@ computed webhook URL.`,
} }
type secretReceiverFlags struct { type secretReceiverFlags struct {
receiverType flags.ReceiverType receiverType flags.ReceiverType
token string token string
hostname string hostname string
emailClaim string emailClaim string
audienceClaim string
} }
var secretReceiverArgs secretReceiverFlags var secretReceiverArgs secretReceiverFlags
@@ -68,6 +69,7 @@ func init() {
createSecretReceiverCmd.Flags().StringVar(&secretReceiverArgs.token, "token", "", "webhook token used for payload validation and URL computation, auto-generated if not specified") createSecretReceiverCmd.Flags().StringVar(&secretReceiverArgs.token, "token", "", "webhook token used for payload validation and URL computation, auto-generated if not specified")
createSecretReceiverCmd.Flags().StringVar(&secretReceiverArgs.hostname, "hostname", "", "hostname for the webhook URL e.g. flux.example.com") createSecretReceiverCmd.Flags().StringVar(&secretReceiverArgs.hostname, "hostname", "", "hostname for the webhook URL e.g. flux.example.com")
createSecretReceiverCmd.Flags().StringVar(&secretReceiverArgs.emailClaim, "email-claim", "", "IAM service account email, required for gcr type") createSecretReceiverCmd.Flags().StringVar(&secretReceiverArgs.emailClaim, "email-claim", "", "IAM service account email, required for gcr type")
createSecretReceiverCmd.Flags().StringVar(&secretReceiverArgs.audienceClaim, "audience-claim", "", "custom OIDC token audience for gcr type, defaults to the webhook URL")
createSecretCmd.AddCommand(createSecretReceiverCmd) createSecretCmd.AddCommand(createSecretReceiverCmd)
} }
@@ -93,13 +95,14 @@ func createSecretReceiverCmdRun(cmd *cobra.Command, args []string) error {
} }
opts := sourcesecret.Options{ opts := sourcesecret.Options{
Name: name, Name: name,
Namespace: *kubeconfigArgs.Namespace, Namespace: *kubeconfigArgs.Namespace,
Labels: labels, Labels: labels,
ReceiverType: secretReceiverArgs.receiverType.String(), ReceiverType: secretReceiverArgs.receiverType.String(),
Token: secretReceiverArgs.token, Token: secretReceiverArgs.token,
Hostname: secretReceiverArgs.hostname, Hostname: secretReceiverArgs.hostname,
EmailClaim: secretReceiverArgs.emailClaim, EmailClaim: secretReceiverArgs.emailClaim,
AudienceClaim: secretReceiverArgs.audienceClaim,
} }
secret, err := sourcesecret.GenerateReceiver(opts) secret, err := sourcesecret.GenerateReceiver(opts)
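Review bot: The help text on the new `audience-claim` flag says only "custom OIDC token audience ... defaults to the webhook URL", which does not tell an operator what the value is compared against or why the default is safe; the `audience` key it ends up in is presumably what the receiver checks the Google OIDC token's `aud` claim against, so the string must equal the audience configured on whatever pushes the notification, and an audience shared with other endpoints lets a token minted for those endpoints be accepted here, which is exactly what the unique computed webhook URL avoids. Suggested wording: `"OIDC token audience the gcr receiver expects in the token's aud claim; defaults to the computed webhook URL, which scopes accepted tokens to this receiver only"`. The flag is also registered for every `--type`, but its value is only consumed by the gcr branch of `GenerateReceiver`, so the help should say it is ignored (or, better, rejected) for other types. `createSecretReceiverCmdRun`'s signature and the start of `init` are outside this hunk.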


@@ -56,6 +56,11 @@ func TestCreateReceiverSecret(t *testing.T) {
args: "create secret receiver gcr-secret --type=gcr --token=test-token --hostname=flux.example.com --email-claim=sa@project.iam.gserviceaccount.com --namespace=my-namespace --export", args: "create secret receiver gcr-secret --type=gcr --token=test-token --hostname=flux.example.com --email-claim=sa@project.iam.gserviceaccount.com --namespace=my-namespace --export",
assert: assertGoldenFile("testdata/create_secret/receiver/secret-receiver-gcr.yaml"), assert: assertGoldenFile("testdata/create_secret/receiver/secret-receiver-gcr.yaml"),
}, },
{
name: "gcr receiver secret with custom audience",
args: "create secret receiver gcr-secret --type=gcr --token=test-token --hostname=flux.example.com --email-claim=sa@project.iam.gserviceaccount.com --audience-claim=https://custom.audience.example.com --namespace=my-namespace --export",
assert: assertGoldenFile("testdata/create_secret/receiver/secret-receiver-gcr-audience.yaml"),
},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
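Review bot: The new table entry covers only the happy path; nothing asserts what happens when `--audience-claim` is given with a non-gcr `--type` (today it is silently dropped by `GenerateReceiver`), nor that an explicit empty `--audience-claim=` still falls back to the webhook URL as the `else` branch intends. Adding one entry with `--type=github --audience-claim=https://custom.audience.example.com` using whichever error or golden assertion the table already uses for rejected input, and one with `--audience-claim=` expecting the existing `secret-receiver-gcr.yaml` golden, would pin both behaviours. The `tests` table and `TestCreateReceiverSecret` begin outside this hunk.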


@@ -0,0 +1,13 @@
---
apiVersion: v1
kind: Secret
metadata:
annotations:
notification.toolkit.fluxcd.io/webhook: https://flux.example.com/hook/6d6c55e9affb9d1e0d101ce604ae4270880ec1ff24d1bd2d928fcd64243d21a4
name: gcr-secret
namespace: my-namespace
stringData:
audience: https://custom.audience.example.com
email: sa@project.iam.gserviceaccount.com
token: test-token


@@ -90,10 +90,11 @@ type Options struct {
GitHubAppBaseURL string GitHubAppBaseURL string
// Receiver options // Receiver options
ReceiverType string ReceiverType string
Token string Token string
Hostname string Hostname string
EmailClaim string EmailClaim string
AudienceClaim string
} }
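Review bot: `AudienceClaim` is added to `Options` without a comment, and unlike its neighbours its zero value carries meaning (empty means "use the computed webhook URL", per the fallback in `GenerateReceiver`), which a reader of the struct cannot tell from the field alone. Suggest `// AudienceClaim overrides the OIDC token audience written to a gcr receiver secret; when empty the computed webhook URL is used, which scopes accepted tokens to this receiver.` above the field. The `Options` struct begins outside this hunk.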
type VerificationCrt struct { type VerificationCrt struct {


@@ -306,7 +306,11 @@ func GenerateReceiver(options Options) (*manifestgen.Manifest, error) {
return nil, fmt.Errorf("email-claim is required for gcr receiver type") return nil, fmt.Errorf("email-claim is required for gcr receiver type")
} }
secret.StringData[EmailSecretKey] = options.EmailClaim secret.StringData[EmailSecretKey] = options.EmailClaim
secret.StringData[AudienceSecretKey] = webhookURL if options.AudienceClaim != "" {
secret.StringData[AudienceSecretKey] = options.AudienceClaim
} else {
secret.StringData[AudienceSecretKey] = webhookURL
}
} }
return secretToManifest(secret, options) return secretToManifest(secret, options)
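Review bot: `options.AudienceClaim` is written straight into the secret without validation and is read only inside the gcr branch, so a non-empty value supplied with any other receiver type is silently discarded rather than reported, unlike the `email-claim` case just above which errors out. Because the computed webhook URL default is what ties an accepted OIDC token to this specific receiver, the override is security-relevant: a broad audience shared with other services means a token minted for those services is accepted here, and the operator gets no feedback at create time. Consider rejecting the mismatch up front, `if options.AudienceClaim != "" && <receiver type is not gcr> { return nil, fmt.Errorf("audience-claim is only supported for gcr receiver type") }` using the same type comparison the gcr branch already makes (that comparison is outside this hunk), and annotate the `else` branch with `// default to the webhook URL so only tokens minted for this receiver validate`. `GenerateReceiver` starts and ends outside this hunk.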