Reads --ssh-signing-key-file when set, decodes the file contents,
resolves the effective signing passphrase, and appends
bootstrap.WithSSHCommitSigning to the bootstrap options. When
--ssh-signing-reuse-private-key is set, reads the transport
--private-key-file, pre-flights it against the subcommand-local
gitArgs.password, and reuses the same bytes + passphrase for signing.
The reuse-path pre-flight lives in this subcommand's RunE because
bootstrapValidate does not have access to the transport password.
Mutual exclusion with --gpg-* and explicit-path key-parse validation
are enforced upstream in bootstrapValidate.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
Introduces four new persistent flags on flux bootstrap:
--ssh-signing-key-file, --ssh-signing-password, the hidden alias
--ssh-signing-passphrase, and the reuse boolean
--ssh-signing-reuse-private-key. They sit next to the existing
--gpg-key-ring / --gpg-passphrase / --gpg-key-id surface.
bootstrapValidate pre-flights the configured signing key for the
explicit GPG and SSH paths so malformed PEM, wrong passphrases, and
unsupported SSH algorithms surface before any clone runs. The GPG
pre-flight calls the now-exported SelectOpenPGPSigningEntity from
pkg/bootstrap directly, so the pre-flight cannot drift from the
bootstrap commit path. The reuse path's pre-flight runs inside each
subcommand's RunE (where the subcommand-local SSH transport password
is in scope) and lands with the wiring commits that follow.
A small effectiveSshSigningPassword helper resolves the
--ssh-signing-passphrase alias purely (returning the resolved value
or a mutual-exclusion error) instead of mutating the
package-scoped bootstrapArgs singleton inside bootstrapValidate.
Mutual exclusion is enforced between the GPG and SSH groups, and
between --ssh-signing-key-file and --ssh-signing-reuse-private-key.
--ssh-signing-reuse-private-key requires --private-key-file;
--ssh-signing-password requires --ssh-signing-key-file. The
--ssh-signing-passphrase alias is hidden in --help.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
Reject HelmRepository source URLs with schemes unsupported by the
source-controller API before generating or applying the object.
Signed-off-by: Immanuel Tikhonov <pchpr.00@list.ru>
Assisted-by: codex/gpt-5
This adds a --resolve-symlinks flag to the flux build artifact and flux push artifact
commands. When enabled, symlinks in the source directory are resolved (copied as regular
files/directories) before building the artifact. This includes:
- Recursive symlink resolution with cycle detection
- File permission preservation
- Proper handling of both single-file and directory symlink targets
- Comprehensive test coverage
Fixes#5055
Signed-off-by: Rohan Sood <56945243+rohansood10@users.noreply.github.com>
Fixes#5673
On Windows, when using absolute paths like C:\path\to\dir,
the path could be incorrectly concatenated, resulting in:
C:\working\dir\C:\path\to\dir\file
This fix applies filepath.Abs() and filepath.Clean() to normalize
the path before using it, ensuring absolute paths are handled
correctly on all platforms.
Changes:
- Apply filepath.Abs() to convert relative paths to absolute
- Apply filepath.Clean() to remove redundant separators and resolve ..
- Add tests for absolute paths, complex paths with .., and paths
with redundant separators to verify normalization works correctly
The tests use actual 'flux build kustomization' commands with:
1. Absolute paths (prevents concatenation bugs)
2. Paths with parent directory (..) references
3. Paths with redundant separators (//)
All tests verify the command produces correct output, ensuring
the path normalization fix works as expected.
Signed-off-by: Sibasis Padhi <sibasis.padhi@gmail.com>
Add --skip-namespace flag to the 'create tenant' command to skip automatic
namespace creation when the namespace already exists.
Signed-off-by: Anshuman Singh <anshumanchauhan9@gmail.com>
Hidde Beydals