Mirrors
/
flux2
mirror of https://github.com/fluxcd/flux2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
dependabot/github_actions/ci-bc7ce186f4
rfc-custom-health-checks
main
rfc-0008-implemented
dependabot/go_modules/github.com/go-git/go-git/v5-5.13.0
dependabot/go_modules/tests/integration/golang.org/x/net-0.33.0
dependabot/go_modules/tests/integration/github.com/golang-jwt/jwt/v4-4.5.1
release/v2.4.x
remove-notation-validation
release/v2.3.x
dependabot/go_modules/github.com/hashicorp/go-retryablehttp-0.7.7
dependabot/go_modules/github.com/Azure/azure-sdk-for-go/sdk/azidentity-1.6.0
rfc-flux-bootstrap-oci
release/v2.2.x
RFC
fix-commit-log
flux-audit
release/v2.1.x
context-ns
ksm-dashboard
rfc-passwordless-git-auth
release/v2.0.x
rfc-gating
release/v0.27.4
rfc-0003
rfc-0002
rfc-0001
prompt-for-tokens
encrypt-init-cmd
v2.4.0
v2.3.0
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.2
v2.1.1
v2.1.0
v2.0.1
v2.0.0
v2.0.0-rc.5
v2.0.0-rc.4
v2.0.0-rc.3
v2.0.0-rc.2
v2.0.0-rc.1
v0.41.2
v0.40.0
v0.39.0
v0.38.2
v0.38.1
v0.38.0
v0.37.0
v0.36.0
v0.35.0
v0.34.0
v0.33.0
v0.32.0
v0.31.3
v0.31.2
v0.31.1
v0.31.0
v0.30.1
v0.28.2
v0.27.2
v0.27.1
v0.27.0
v0.26.3
v0.26.2
v0.26.1
v0.26.0
v0.25.3
v0.0.1
v0.0.1-alpha.1
v0.0.1-beta.1
v0.0.1-beta.2
v0.0.1-beta.3
v0.0.1-beta.4
v0.0.10
v0.0.11
v0.0.12
v0.0.13
v0.0.14
v0.0.15
v0.0.16
v0.0.17
v0.0.18
v0.0.19
v0.0.2
v0.0.20
v0.0.21
v0.0.22
v0.0.23
v0.0.24
v0.0.25
v0.0.26
v0.0.27
v0.0.28
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.10.0
v0.11.0
v0.12.0
v0.12.1
v0.12.2
v0.12.3
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.13.4
v0.14.0
v0.14.1
v0.14.2
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.16.0
v0.16.1
v0.16.2
v0.17.0
v0.17.1
v0.17.2
v0.18.0
v0.18.1
v0.18.2
v0.18.3
v0.19.0
v0.19.1
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.20.0
v0.20.1
v0.21.0
v0.21.1
v0.22.0
v0.22.1
v0.23.0
v0.24.0
v0.24.1
v0.25.0
v0.25.1
v0.25.2
v0.27.3
v0.27.4
v0.28.0
v0.28.1
v0.28.3
v0.28.4
v0.28.5
v0.29.0
v0.29.1
v0.29.2
v0.29.3
v0.29.4
v0.29.5
v0.3.0
v0.30.0
v0.30.2
v0.31.4
v0.31.5
v0.38.3
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.40.1
v0.40.2
v0.41.0
v0.41.1
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.7.7
v0.8.0
v0.8.1
v0.8.2
v0.9.0
v0.9.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '1d8105247a'
${ noResults }
flux2/rfcs/0004-insecure-http
History
Sanskar Jaiswal 1d8105247a add RFC for blocking insecure HTTP connections across Flux 
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
 		2 years ago
..
README.md add RFC for blocking insecure HTTP connections across Flux 2 years ago

README.md

RFC-0004 Block insecure HTTP connections across Flux

Status: provisional

Creation Date: 2022-09-08

Summary

Flux should have a consistent way of disabling insecure HTTP connections.

At the controller level, a flag should be present which would disable all outgoing HTTP connections. At the object level, a field should be provided which would enable the use of non-TLS endpoints.

If the use of a non-TLS endpoint is not supported, it should be made clear to users through the use of logs and status conditions.

Motivation

Today the use of non-TLS based connections is inconsistent across Flux controllers.

Controllers that deal only with http and https schemes have no way to block use of the http scheme at controller-level. Some Flux objects provide a .spec.insecure field to enable the use of non-TLS based endpoints, but they don't clearly notify users when the option is not supported (e.g. Azure/GCP Buckets).

Goals

  • Provide a flag across all Flux controllers which disables all outgoing HTTP connections.
  • Add a field which enables the use of non-TLS endpoints to appropriate Flux objects.
  • Provide a way for users to be made aware that their use of non-TLS endpoints is not supported if that is the case.

Non-Goals

  • Break Flux's current behavior of allowing HTTP connections.

Proposal

Controllers

Flux users should be able to enforce that controllers are using HTTPS connections only. This shall be enabled by adding a new boolean flag --allow-insecure-http to the following controllers:

  • source-controller
  • notification-controller
  • image-automation-controller
  • image-reflector-controller

Note: The flag shall not be added to the following controllers:

  • kustomize-controller: This flag is excluded from this controller, as the upstream kubenetes-sigs/kustomize project does not support disabling HTTP connections while fetching resources from remote bases. We can revisit this if the upstream project adds support for this at a later point in time.
  • helm-controller: This flag does not serve a purpose in this controller, as the controller does not make any HTTP calls. Furthermore although both controllers can also do remote applies, serving kube-apiserver over plain HTTP is disabled by default. While technically this can be enabled, the option for this configuration was also disabled quite a while back (ref: https://github.com/kubernetes/kubernetes/pull/65830/).

The default value of this flag shall be true. This would ensure that there is no breaking change with controllers still being able to access non-TLS endpoints. To disable this behavior and enforce the use of HTTPS connections, users would have to explicitly pass the flag to the controller:

spec:
  template:
    spec:
      containers:
      - name: manager
        image: fluxcd/source-controller
        args:
          - --watch-all-namespaces
          - --log-level=info
          - --log-encoding=json
          - --enable-leader-election
          - --storage-path=/data
          - --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc.cluster.local.
          - --allow-insecure-http=false

Objects

Some Flux objects, like GitRepository, provide a field for specifying a URL, and the URL would contain the scheme. In such cases, the scheme can be used for inferring the transport type of the connection and consequently, whether to use HTTP or HTTPS connections for that object. But there are a few objects that don't allow such behavior, for example:

  • ImageRepository: It provides a field, .spec.image, which is used for specifying the URL of the image present on a container registry. But any URL containing a scheme is considered invalid and HTTPS is the default transport used. This prevents users from using images present on insecure registries.
  • OCI HelmRepository: When using an OCI registry as a Helm repository, the .spec.url is expected to begin with oci://. Since the scheme part of the URL is used to specify the type of HelmRepository, there is no way for users to specify that the registry is hosted at a non-TLS endpoint.

For such objects, we shall introduce a new boolean field .spec.insecure, which shall be false by default. Users that need their object to point to an HTTP endpoint, can set this to true.

Precedence & Validity

Objects with .spec.insecure as true will only be allowed if HTTP connections are allowed at the controller level. Similarly, an object can have .spec.insecure as true only if the Saas/Cloud provider allows HTTP connections. For example, using a Bucket with its .spec.provider set to azure would be invalid since Azure doesn't allow HTTP connections.