Merge pull request #2382 from SomtochiAma/commit-sha

Use `client.Patch` for suspend/resume operations

cmd/flux/bootstrap_bitbucket_server.go

@@ -254,6 +254,7 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 		bootstrap.WithKubeconfig(kubeconfigArgs),
 		bootstrap.WithLogger(logger),
 		bootstrap.WithCABundle(caBundle),
+		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))

cmd/flux/bootstrap_github.go

@@ -243,6 +243,7 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 		bootstrap.WithKubeconfig(kubeconfigArgs),
 		bootstrap.WithLogger(logger),
 		bootstrap.WithCABundle(caBundle),
+		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))

cmd/flux/bootstrap_gitlab.go

@@ -257,6 +257,7 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		bootstrap.WithKubeconfig(kubeconfigArgs),
 		bootstrap.WithLogger(logger),
 		bootstrap.WithCABundle(caBundle),
+		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))

cmd/flux/diff.go

@@ -23,7 +23,7 @@ import (
 var diffCmd = &cobra.Command{
 	Use:   "diff",
 	Short: "Diff a flux resource",
-	Long:  "The diff command is used to do a server-side dry-run on flux resources, then output the diff.",
+	Long:  "The diff command is used to do a server-side dry-run on flux resources, then prints the diff.",
 }
 
 func init() {

cmd/flux/diff_kustomization.go

@@ -31,8 +31,9 @@ var diffKsCmd = &cobra.Command{
 	Use:     "kustomization",
 	Aliases: []string{"ks"},
 	Short:   "Diff Kustomization",
-	Long:    `The diff command does a build, then it performs a server-side dry-run and output the diff.`,
-	Example: `# Preview changes local changes as they were applied on the cluster
+	Long: `The diff command does a build, then it performs a server-side dry-run and prints the diff.
+Exit status: 0 No differences were found. 1 Differences were found. >1 diff failed with an error.`,
+	Example: `# Preview local changes as they were applied on the cluster
 flux diff kustomization my-app --path ./path/to/local/manifests`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 	RunE:              diffKsCmdRun,
@@ -56,16 +57,16 @@ func diffKsCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
 
 	if diffKsArgs.path == "" {
-		return fmt.Errorf("invalid resource path %q", diffKsArgs.path)
+		return &RequestError{StatusCode: 2, Err: fmt.Errorf("invalid resource path %q", diffKsArgs.path)}
 	}
 
 	if fs, err := os.Stat(diffKsArgs.path); err != nil || !fs.IsDir() {
-		return fmt.Errorf("invalid resource path %q", diffKsArgs.path)
+		return &RequestError{StatusCode: 2, Err: fmt.Errorf("invalid resource path %q", diffKsArgs.path)}
 	}
 
 	builder, err := build.NewBuilder(kubeconfigArgs, name, diffKsArgs.path, build.WithTimeout(rootArgs.timeout))
 	if err != nil {
-		return err
+		return &RequestError{StatusCode: 2, Err: err}
 	}
 
 	// create a signal channel
@@ -74,13 +75,18 @@ func diffKsCmdRun(cmd *cobra.Command, args []string) error {
 
 	errChan := make(chan error)
 	go func() {
-		output, err := builder.Diff()
+		output, hasChanged, err := builder.Diff()
 		if err != nil {
-			errChan <- err
+			errChan <- &RequestError{StatusCode: 2, Err: err}
 		}
 
 		cmd.Print(output)
-		errChan <- nil
+
+		if hasChanged {
+			errChan <- &RequestError{StatusCode: 1, Err: fmt.Errorf("identified at least one change, exiting with non-zero exit code")}
+		} else {
+			errChan <- nil
+		}
 	}()
 
 	select {

cmd/flux/main.go

@@ -105,6 +105,16 @@ type rootFlags struct {
 	defaults     install.Options
 }
 
+// RequestError is a custom error type that wraps an error returned by the flux api.
+type RequestError struct {
+	StatusCode int
+	Err        error
+}
+
+func (r *RequestError) Error() string {
+	return r.Err.Error()
+}
+
 var rootArgs = NewRootFlags()
 var kubeconfigArgs = genericclioptions.NewConfigFlags(false)
 
@@ -144,6 +154,11 @@ func main() {
 	log.SetFlags(0)
 	if err := rootCmd.Execute(); err != nil {
 		logger.Failuref("%v", err)
+
+		if err, ok := err.(*RequestError); ok {
+			os.Exit(err.StatusCode)
+		}
+
 		os.Exit(1)
 	}
 }

cmd/flux/main_test.go

@@ -325,6 +325,12 @@ type cmdTestCase struct {
 
 func (cmd *cmdTestCase) runTestCmd(t *testing.T) {
 	actual, testErr := executeCommand(cmd.args)
+
+	// If the cmd error is a change, discard it
+	if isChangeError(testErr) {
+		testErr = nil
+	}
+
 	if assertErr := cmd.assert(actual, testErr); assertErr != nil {
 		t.Error(assertErr)
 	}
@@ -366,3 +372,12 @@ func resetCmdArgs() {
 	getArgs = GetFlags{}
 	secretGitArgs = NewSecretGitFlags()
 }
+
+func isChangeError(err error) bool {
+	if reqErr, ok := err.(*RequestError); ok {
+		if strings.Contains(err.Error(), "identified at least one change, exiting with non-zero exit code") && reqErr.StatusCode == 1 {
+			return true
+		}
+	}
+	return false
+}

cmd/flux/resume.go

@@ -48,6 +48,7 @@ func init() {
 
 type resumable interface {
 	adapter
+	copyable
 	statusable
 	setUnsuspended()
 	successMessage() string
@@ -97,10 +98,13 @@ func (resume resumeCommand) run(cmd *cobra.Command, args []string) error {
 
 	for i := 0; i < resume.list.len(); i++ {
 		logger.Actionf("resuming %s %s in %s namespace", resume.humanKind, resume.list.resumeItem(i).asClientObject().GetName(), *kubeconfigArgs.Namespace)
-		resume.list.resumeItem(i).setUnsuspended()
-		if err := kubeClient.Update(ctx, resume.list.resumeItem(i).asClientObject()); err != nil {
+		obj := resume.list.resumeItem(i)
+		patch := client.MergeFrom(obj.deepCopyClientObject())
+		obj.setUnsuspended()
+		if err := kubeClient.Patch(ctx, obj.asClientObject(), patch); err != nil {
 			return err
 		}
+
 		logger.Successf("%s resumed", resume.humanKind)
 
 		namespacedName := types.NamespacedName{

cmd/flux/suspend.go

@@ -46,6 +46,7 @@ func init() {
 
 type suspendable interface {
 	adapter
+	copyable
 	isSuspended() bool
 	setSuspended()
 }
@@ -94,8 +95,11 @@ func (suspend suspendCommand) run(cmd *cobra.Command, args []string) error {
 
 	for i := 0; i < suspend.list.len(); i++ {
 		logger.Actionf("suspending %s %s in %s namespace", suspend.humanKind, suspend.list.item(i).asClientObject().GetName(), *kubeconfigArgs.Namespace)
-		suspend.list.item(i).setSuspended()
-		if err := kubeClient.Update(ctx, suspend.list.item(i).asClientObject()); err != nil {
+
+		obj := suspend.list.item(i)
+		patch := client.MergeFrom(obj.deepCopyClientObject())
+		obj.setSuspended()
+		if err := kubeClient.Patch(ctx, obj.asClientObject(), patch); err != nil {
 			return err
 		}
 		logger.Successf("%s suspended", suspend.humanKind)

internal/bootstrap/bootstrap_provider.go

@@ -275,7 +275,7 @@ func (b *GitProviderBootstrapper) reconcileOrgRepository(ctx context.Context) (g
 	subOrgs, repoName := splitSubOrganizationsFromRepositoryName(b.repositoryName)
 	orgRef, err := b.getOrganization(ctx, subOrgs)
 	if err != nil {
-		return nil, fmt.Errorf("failed to create new Git repository for the organization %q: %w", orgRef.String(), err)
+		return nil, fmt.Errorf("failed to create new Git repository %q: %w", b.repositoryName, err)
 	}
 	repoRef := newOrgRepositoryRef(*orgRef, repoName)
 	repoInfo := newRepositoryInfo(b.description, b.defaultBranch, b.visibility)

internal/build/build.go

@@ -36,6 +36,7 @@ import (
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/resource"
 	"sigs.k8s.io/kustomize/kyaml/filesys"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
 
 const (
@@ -262,16 +263,30 @@ func trimSopsData(res *resource.Resource) error {
 
 	if res.GetKind() == "Secret" {
 		dataMap := res.GetDataMap()
-		for k, v := range dataMap {
-			data, err := base64.StdEncoding.DecodeString(v)
-			if err != nil {
-				if _, ok := err.(base64.CorruptInputError); ok {
-					return fmt.Errorf("failed to decode secret data: %w", err)
-				}
+		asYaml, err := res.AsYAML()
+		if err != nil {
+			return fmt.Errorf("failed to decode secret %s data: %w", res.GetName(), err)
+		}
+
+		//delete any sops data as we don't want to expose it
+		if bytes.Contains(asYaml, []byte("sops:")) && bytes.Contains(asYaml, []byte("mac: ENC[")) {
+			res.PipeE(yaml.FieldClearer{Name: "sops"})
+			for k := range dataMap {
+				dataMap[k] = sopsMess
 			}
 
-			if bytes.Contains(data, []byte("sops")) && bytes.Contains(data, []byte("ENC[")) {
-				dataMap[k] = sopsMess
+		} else {
+			for k, v := range dataMap {
+				data, err := base64.StdEncoding.DecodeString(v)
+				if err != nil {
+					if _, ok := err.(base64.CorruptInputError); ok {
+						return fmt.Errorf("failed to decode secret %s data: %w", res.GetName(), err)
+					}
+				}
+
+				if bytes.Contains(data, []byte("sops")) && bytes.Contains(data, []byte("ENC[")) {
+					dataMap[k] = sopsMess
+				}
 			}
 		}
 

internal/build/build_test.go

@@ -91,6 +91,45 @@ kind: Secret
 metadata:
   name: secret-basic-auth
 type: kubernetes.io/basic-auth
+`,
+		},
+		{
+			name: "secret sops secret",
+			yamlStr: `apiVersion: v1
+data:
+  .dockercfg: ENC[AES256_GCM,data:KHCFH3hNnc+PMfWLFEPjebf3W4z4WXbGFAANRZyZC+07z7wlrTALJM6rn8YslW4tMAWCoAYxblC5WRCszTy0h9rw0U/RGOv5H0qCgnNg/FILFUqhwo9pNfrUH+MEP4M9qxxbLKZwObpHUE7DUsKx1JYAxsI=,iv:q48lqUbUQD+0cbYcjNMZMJLRdGHi78ZmDhNAT2th9tg=,tag:QRI2SZZXQrAcdql3R5AH2g==,type:str]
+kind: Secret
+metadata:
+  name: secret
+type: kubernetes.io/dockerconfigjson
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age10la2ge0wtvx3qr7datqf7rs4yngxszdal927fs9rukamr8u2pshsvtz7ce
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eU1CTEJhVXZ4eEVYYkVV
+        OU90TEcrR2pYckttN0pBanJoSUZWSW1RQXlRCkUydFJ3V1NZUTBuVFF0aC9GUEcw
+        bUdhNjJWTkoyL1FUVi9Dc1dxUDBkM0UKLS0tIE1sQXkwcWdGaEFuY0RHQTVXM0J6
+        dWpJcThEbW15V3dXYXpPZklBdW1Hd1kKoIAdmGNPrEctV8h1w8KuvQ5S+BGmgqN9
+        MgpNmUhJjWhgcQpb5BRYpQesBOgU5TBGK7j58A6DMDKlSiYZsdQchQ==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2022-02-03T16:03:17Z"
+  mac: ENC[AES256_GCM,data:AHdYSawajwgAFwlmDN1IPNmT9vWaYKzyVIra2d6sPcjTbZ8/p+VRSRpVm4XZFFsaNnW5AUJaouwXnKYDTmJDXKlr/rQcu9kXqsssQgdzcXaA6l5uJlgsnml8ba7J3OK+iEKMax23mwQEx2EUskCd9ENOwFDkunP02sxqDNOz20k=,iv:8F5OamHt3fAVorf6p+SoIrWoqkcATSGWVoM0EK87S4M=,tag:E1mxXnc7wWkEX5BxhpLtng==,type:str]
+  pgp: []
+  encrypted_regex: ^(data|stringData)$
+  version: 3.7.1
+`,
+			expected: `apiVersion: v1
+data:
+  .dockercfg: KipTT1BTKio=
+kind: Secret
+metadata:
+  name: secret
+type: kubernetes.io/dockerconfigjson
 `,
 		},
 	}

internal/build/diff.go

@@ -51,28 +51,29 @@ func (b *Builder) Manager() (*ssa.ResourceManager, error) {
 	return ssa.NewResourceManager(b.client, statusPoller, owner), nil
 }
 
-func (b *Builder) Diff() (string, error) {
+func (b *Builder) Diff() (string, bool, error) {
 	output := strings.Builder{}
+	createdOrDrifted := false
 	res, err := b.Build()
 	if err != nil {
-		return "", err
+		return "", createdOrDrifted, err
 	}
 	// convert the build result into Kubernetes unstructured objects
 	objects, err := ssa.ReadObjects(bytes.NewReader(res))
 	if err != nil {
-		return "", err
+		return "", createdOrDrifted, err
 	}
 
 	resourceManager, err := b.Manager()
 	if err != nil {
-		return "", err
+		return "", createdOrDrifted, err
 	}
 
 	ctx, cancel := context.WithTimeout(context.Background(), b.timeout)
 	defer cancel()
 
 	if err := ssa.SetNativeKindsDefaults(objects); err != nil {
-		return "", err
+		return "", createdOrDrifted, err
 	}
 
 	// create an inventory of objects to be reconciled
@@ -101,20 +102,23 @@ func (b *Builder) Diff() (string, error) {
 
 		if change.Action == string(ssa.CreatedAction) {
 			output.WriteString(writeString(fmt.Sprintf("► %s created\n", change.Subject), bunt.Green))
+			createdOrDrifted = true
 		}
 
 		if change.Action == string(ssa.ConfiguredAction) {
 			output.WriteString(writeString(fmt.Sprintf("► %s drifted\n", change.Subject), bunt.WhiteSmoke))
 			liveFile, mergedFile, tmpDir, err := writeYamls(liveObject, mergedObject)
 			if err != nil {
-				return "", err
+				return "", createdOrDrifted, err
 			}
 			defer cleanupDir(tmpDir)
 
 			err = diff(liveFile, mergedFile, &output)
 			if err != nil {
-				return "", err
+				return "", createdOrDrifted, err
 			}
+
+			createdOrDrifted = true
 		}
 
 		addObjectsToInventory(newInventory, change)
@@ -125,7 +129,7 @@ func (b *Builder) Diff() (string, error) {
 		if oldStatus.Inventory != nil {
 			diffObjects, err := diffInventory(oldStatus.Inventory, newInventory)
 			if err != nil {
-				return "", err
+				return "", createdOrDrifted, err
 			}
 			for _, object := range diffObjects {
 				output.WriteString(writeString(fmt.Sprintf("► %s deleted\n", ssa.FmtUnstructured(object)), bunt.OrangeRed))
@@ -133,7 +137,7 @@ func (b *Builder) Diff() (string, error) {
 		}
 	}
 
-	return output.String(), nil
+	return output.String(), createdOrDrifted, nil
 }
 
 func writeYamls(liveObject, mergedObject *unstructured.Unstructured) (string, string, string, error) {

rfcs/0003-multi-tenancy-mode/README.md

@@ -1,206 +0,0 @@
-# RFC-0003 Flux Multi-Tenancy Mode
-
-**Status:** provisional
-
-**Creation date:** 2021-11-16
-
-**Last update:** 2022-02-03
-
-## Summary
-
-For multi-tenant environments, we want to offer an easy way of configuring Flux to enforce tenant isolation
-(as defined by the Soft Multi-Tenancy model from RFC-0001).
-
-When running in the multi-tenant mode, Flux will lock down access to sources (as defined by RFC-0002),
-and will use the tenant service account instead of defaulting to `cluster-admin`.
-
-From an end-user perspective, the multi-tenancy mode means that:
-
-- Platform admins have to create a Kubernetes service account and RBAC in each namespace where
-  Flux performs source-to-cluster reconciliation on behalf of tenants.
-  By default, Flux will have no permissions to reconcile the tenants sources onto clusters.
-- Source owners have to specify with which tenants they wish to share their sources.
-  By default, nothing is shared between tenants.
-
-## Motivation
-
-As of [version 0.26](https://github.com/fluxcd/flux2/releases/tag/v0.26.0) (Feb 2022),
-configuring Flux for soft multi-tenancy requires platform admins to:
-- Deny cross-namespace access to Flux custom resources by setting the `--no-cross-namespace-refs` flag.
-- Enforce impersonation by setting a default service account with the `--default-service-account` flag.
-
-Instead of using a Kustomize patch to lock down Flux as descried in the
-[multi-tenancy lockdown documentation](https://fluxcd.io/docs/installation/#multi-tenancy-lockdown),
-we could extend `flux install` and `flux bootstrap` and offer a flag to configure Flux with multi-tenancy enforcements. 
-
-### Goals
-
-- Enforce service account impersonation for source-to-cluster reconciliation.
-- Enforce ACLs for cross-namespace access to sources.
-
-### Non-Goals
-
-- Enforce tenant's workload isolation with network policies and pod security standards as described
-  [here](https://kubernetes.io/blog/2021/04/15/three-tenancy-models-for-kubernetes/#security-considerations).
-
-## Proposal
-
-### User Stories
-
-#### Story 1
-
-> As a platform admin, I want to install Flux with lowest privilege/permission level possible.
-
-#### Story 2
-
-> As a platform admin, I want to give tenants full control over their assigned namespaces.
-> So that tenants could use their own repositories and manager the app delivery with Flux.
-
-#### Story 3
-
-> As a platform admin, I want to prevent tenants from changing the cluster-wide configuration.
-> If a tenant adds to their repository a cluster-scoped resource such as a namespace or cluster role,
-> Flux should reject the change and notify the tenant that this operation is not allowed.
-
-### Multi-tenant Bootstrap
-
-When bootstrapping Flux, platform admins should have the option to lock down Flux for multi-tenant environments e.g.:
-
-```shell
-flux bootstrap --security-profile=multi-tenant
-```
-
-The security profile flag accepts two values: `single-tenant` and `multi-tenant`.
-Platform admins may switch between the two modes at any time, either by rerunning bootstrap
-or by patching the Flux manifests in Git.
-
-The `multi-tenant` profile is just a shortcut to setting the following container args in the Flux deployment manifests:
-
-```yaml
-      containers:
-      - name: manager
-        args:
-          - --default-service-account=flux
-          - --enable-source-acl=true
-```
-
-And for disabling cross-namespace references when using the notification API:
-
-```yaml
-kind: Deployment
-metadata:
-  name: notification-controller
-spec:
-  template:
-    spec:
-      containers:
-      - name: manager
-        args:
-          - --no-cross-namespace-refs=true
-```
-
-When running in the `multi-tenant` mode, Flux behaves differently:
-
-- The source-to-cluster reconciliation no longer runs under the service account of
-  the Flux controllers. The controller service account, is only used to impersonate
-  the service account specified in the Flux custom resources (`Kustomizations`, `HelmReleases`).
-- When no service account name is specified in a Flux custom resource,
-  a default will be used e.g. `system:serviceaccount:<tenant-namespace>:flux`.
-- When a Flux custom resource (`Kustomizations`, `HelmReleases`, `ImagePolicies`, `ImageUpdateAutomations`)
-  refers to a source in a different namespace, access is granted based the source access control list.
-  If no ACL is defined for a source, cross-namespace access is denied.
-- When a Flux notification (`Alerts`, `Receivers`)
-  refers to a resource in a different namespace, access is denied.
-
-### Tenants Onboarding
-
-When onboarding tenants, platform admins should have the option to assign namespaces, set
-permissions and register the tenants repositories onto clusters in a declarative manner. 
-
-The Flux CLI offers an easy way of generating all the Kubernetes manifests needed to onboard tenants:
-
-- `flux create tenant` command generates namespaces, service accounts and Kubernetes RBAC
-  with restricted access to the cluster resources, given tenants access only to their namespaces.
-- `flux create secret git` command generates SSH keys used by Flux to clone the tenants repositories.
-- `flux create source git` command generates the configuration that tells Flux which repositories belong to tenants.
-- `flux create kustomization` command generates the configuration that tells Flux how to reconcile the manifests found in the tenants repositories.
-
-All the above commands have an `--export` flag for generating the Kubernetes resources in YAML format.
-The platform admins should place the generated manifests in the repository that defines the cluster(s) desired state.
-
-Here is an example of the generated manifests:
-
-```yaml
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: tenant1
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: flux
-  namespace: tenant1
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: flux
-  namespace: tenant1
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-  - kind: ServiceAccount
-    name: flux
-    namespace: tenant1
----
-apiVersion: source.toolkit.fluxcd.io/v1beta1
-kind: GitRepository
-metadata:
-  name: tenant1
-  namespace: tenant1
-spec:
-  interval: 5m0s
-  ref:
-    branch: main
-  secretRef:
-    name: tenant1-git-auth
-  url: ssh://git@github.com/org/tenant1
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
-kind: Kustomization
-metadata:
-  name: tenant1
-  namespace: tenant1
-spec:
-  interval: 10m0s
-  path: ./
-  prune: true
-  serviceAccountName: flux
-  sourceRef:
-    kind: GitRepository
-    name: tenant1
-```
-
-Note that the [cluster-admin](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
-role is used in a `RoleBinding`, this only gives full control over every resource in the role binding's namespace.
-
-Once the tenants repositories are registered on the cluster(s), the tenants can configure their app delivery 
-in Git using Kubernetes namespace-scoped resources such as `Deployments`, `Services`, Flagger `Canaries`,
-Flux `Kustomizations`, `HelmReleases`, `ImageUpdateAutomations`, `Alerts`, `Receivers`, etc.
-
-## Alternatives
-
-Instead of introducing the security profile flag to `flux bootstrap`,
-we could document how to patch each controller deployment with Kustomize as described in the
-[multi-tenancy lockdown documentation](https://fluxcd.io/docs/installation/#multi-tenancy-lockdown).
-
-Having an easy way of locking down Flux with a single flag, make users aware of the security implications
-and improves the user experience.
-
-## Implementation History
-
-- Disabling cross-namespace access and providing a default service account was first released in flux2 **v0.26.0**.

tests/azure/azure_test.go

@@ -483,7 +483,7 @@ func TestImageRepositoryACR(t *testing.T) {
 			Interval: metav1.Duration{
 				Duration: 1 * time.Minute,
 			},
-			SourceRef: automationv1beta1.SourceReference{
+			SourceRef: automationv1beta1.CrossNamespaceSourceReference{
 				Kind: "GitRepository",
 				Name: name,
 			},