CHANGELOG.md

@@ -1,5 +1,34 @@
 # Changelog
 
+## 0.19.0
+
+**Release date:** 2022-04-05
+
+This prerelease adds some breaking changes around the use and handling of kubeconfigs 
+files for remote reconciliations. It updates documentation and progress other 
+housekeeping tasks.
+
+**Breaking changes**:
+
+- Use of file-based KubeConfig options are now permanently disabled (e.g. 
+`TLSClientConfig.CAFile`, `TLSClientConfig.KeyFile`, `TLSClientConfig.CertFile`
+and `BearerTokenFile`). The drive behind the change was to discourage
+insecure practices of mounting Kubernetes tokens inside the controller's container file system.
+- Use of `TLSClientConfig.Insecure` in KubeConfig file is disabled by default,
+but can enabled at controller level with the flag `--insecure-kubeconfig-tls`.
+- Use of `ExecProvider` in KubeConfig file is now disabled by default,
+but can enabled at controller level with the flag `--insecure-kubeconfig-exec`.
+
+Improvements:
+- Update KubeConfig documentation
+  [#457](https://github.com/fluxcd/helm-controller/pull/457)
+- Update docs links to toolkit.fluxcd.io
+  [#456](https://github.com/fluxcd/helm-controller/pull/456)
+- Add kubeconfig flags
+  [#455](https://github.com/fluxcd/helm-controller/pull/455)
+- Align version of dependencies when Fuzzing
+  [#452](https://github.com/fluxcd/helm-controller/pull/452)
+
 ## 0.18.2
 
 **Release date:** 2022-03-25

Makefile

@@ -3,12 +3,17 @@ IMG ?= fluxcd/helm-controller:latest
 # Produce CRDs that work back to Kubernetes 1.16
 CRD_OPTIONS ?= crd:crdVersions=v1
 
-# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
+# Repository root based on Git metadata
+REPOSITORY_ROOT := $(shell git rev-parse --show-toplevel)
+BUILD_DIR := $(REPOSITORY_ROOT)/build
+
+# If gobin not set, create one on ./build and add to path.
 ifeq (,$(shell go env GOBIN))
-GOBIN=$(shell go env GOPATH)/bin
+GOBIN=$(BUILD_DIR)/gobin
 else
 GOBIN=$(shell go env GOBIN)
 endif
+export PATH:=$(GOBIN):${PATH}
 
 # Allows for defining additional Docker buildx arguments, e.g. '--push'.
 BUILD_ARGS ?= --load
@@ -28,7 +33,7 @@ test: tidy generate fmt vet manifests api-docs install-envtest
 
 # Build manager binary
 manager: generate fmt vet
-	go build -o bin/manager main.go
+	go build -o $(BUILD_DIR)/bin/manager main.go
 
 # Run against the configured Kubernetes cluster in ~/.kube/config
 run: generate fmt vet manifests
@@ -101,24 +106,24 @@ docker-push:
 	docker push ${IMG}
 
 # Find or download controller-gen
-CONTROLLER_GEN = $(shell pwd)/bin/controller-gen
+CONTROLLER_GEN = $(GOBIN)/controller-gen
 .PHONY: controller-gen
 controller-gen: ## Download controller-gen locally if necessary.
 	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.7.0)
 
 # Find or download gen-crd-api-reference-docs
-GEN_CRD_API_REFERENCE_DOCS = $(shell pwd)/bin/gen-crd-api-reference-docs
+GEN_CRD_API_REFERENCE_DOCS = $(GOBIN)/gen-crd-api-reference-docs
 .PHONY: gen-crd-api-reference-docs
 gen-crd-api-reference-docs:
 	$(call go-install-tool,$(GEN_CRD_API_REFERENCE_DOCS),github.com/ahmetb/gen-crd-api-reference-docs@v0.3.0)
 
-ENVTEST_ASSETS_DIR=$(shell pwd)/build/testbin
+ENVTEST_ASSETS_DIR=$(BUILD_DIR)/testbin
 ENVTEST_KUBERNETES_VERSION?=latest
 install-envtest: setup-envtest
 	mkdir -p ${ENVTEST_ASSETS_DIR}
 	$(ENVTEST) use $(ENVTEST_KUBERNETES_VERSION) --arch=$(ENVTEST_ARCH) --bin-dir=$(ENVTEST_ASSETS_DIR)
 
-ENVTEST = $(shell pwd)/bin/setup-envtest
+ENVTEST = $(GOBIN)/setup-envtest
 .PHONY: envtest
 setup-envtest: ## Download envtest-setup locally if necessary.
 	$(call go-install-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest@latest)
@@ -132,27 +137,27 @@ TMP_DIR=$$(mktemp -d) ;\
 cd $$TMP_DIR ;\
 go mod init tmp ;\
 echo "Downloading $(2)" ;\
-GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\
+GOBIN=$(GOBIN) go install $(2) ;\
 rm -rf $$TMP_DIR ;\
 }
 endef
 
 # Build fuzzers
 fuzz-build:
-	rm -rf $(shell pwd)/build/fuzz/
-	mkdir -p $(shell pwd)/build/fuzz/out/
+	rm -rf $(BUILD_DIR)/fuzz/
+	mkdir -p $(BUILD_DIR)/fuzz/out/
 
 	docker build . --tag local-fuzzing:latest -f tests/fuzz/Dockerfile.builder
 	docker run --rm \
 		-e FUZZING_LANGUAGE=go -e SANITIZER=address \
 		-e CIFUZZ_DEBUG='True' -e OSS_FUZZ_PROJECT_NAME=fluxcd \
-		-v "$(shell pwd)/build/fuzz/out":/out \
+		-v "$(BUILD_DIR)/fuzz/out":/out \
 		local-fuzzing:latest
 
 # Run each fuzzer once to ensure they are working
 fuzz-smoketest: fuzz-build
 	docker run --rm \
-		-v "$(shell pwd)/build/fuzz/out":/out \
-		-v "$(shell pwd)/tests/fuzz/oss_fuzz_run.sh":/runner.sh \
+		-v "$(BUILD_DIR)/fuzz/out":/out \
+		-v "$(REPOSITORY_ROOT)/tests/fuzz/oss_fuzz_run.sh":/runner.sh \
 		local-fuzzing:latest \
 		bash -c "/runner.sh"

README.md

@@ -7,7 +7,7 @@
 [![release](https://img.shields.io/github/release/fluxcd/helm-controller/all.svg)](https://github.com/fluxcd/helm-controller/releases)
 
 The helm-controller is a Kubernetes operator, allowing one to declaratively
-manage Helm chart releases. It is part of a composable [GitOps toolkit](https://toolkit.fluxcd.io)
+manage Helm chart releases. It is part of a composable [GitOps toolkit](https://fluxcd.io/docs/components)
 and depends on [source-controller][] to acquire the Helm charts from Helm
 repositories.
 
@@ -41,9 +41,9 @@ operator.
 
 ## Guides
 
-* [Get started with GitOps Toolkit](https://toolkit.fluxcd.io/get-started/)
-* [Manage Helm Releases](https://toolkit.fluxcd.io/guides/helmreleases/)
-* [Setup Notifications](https://toolkit.fluxcd.io/guides/notifications/)
+* [Get started with GitOps Toolkit](https://fluxcd.io/docs/get-started/)
+* [Manage Helm Releases](https://fluxcd.io/docs/guides/helmreleases/)
+* [Setup Notifications](https://fluxcd.io/docs/guides/notifications/)
 
 ## Specifications
 

api/v2beta1/helmrelease_types.go

@@ -74,7 +74,12 @@ type HelmReleaseSpec struct {
 	Interval metav1.Duration `json:"interval"`
 
 	// KubeConfig for reconciling the HelmRelease on a remote cluster.
-	// When specified, KubeConfig takes precedence over ServiceAccountName.
+	// When used in combination with HelmReleaseSpec.ServiceAccountName,
+	// forces the controller to act on behalf of that Service Account at the
+	// target cluster.
+	// If the --default-service-account flag is set, its value will be used as
+	// a controller level fallback for when HelmReleaseSpec.ServiceAccountName
+	// is empty.
 	// +optional
 	KubeConfig *KubeConfig `json:"kubeConfig,omitempty"`
 

config/crd/bases/helm.toolkit.fluxcd.io_helmreleases.yaml

@@ -237,7 +237,11 @@ spec:
                 type: string
               kubeConfig:
                 description: KubeConfig for reconciling the HelmRelease on a remote
-                  cluster. When specified, KubeConfig takes precedence over ServiceAccountName.
+                  cluster. When used in combination with HelmReleaseSpec.ServiceAccountName,
+                  forces the controller to act on behalf of that Service Account at
+                  the target cluster. If the --default-service-account flag is set,
+                  its value will be used as a controller level fallback for when HelmReleaseSpec.ServiceAccountName
+                  is empty.
                 properties:
                   secretRef:
                     description: SecretRef holds the name to a secret that contains

config/manager/kustomization.yaml

@@ -5,4 +5,4 @@ resources:
 images:
   - name: fluxcd/helm-controller
     newName: fluxcd/helm-controller
-    newTag: v0.18.2
+    newTag: v0.19.0

controllers/helmrelease_controller.go

@@ -51,6 +51,7 @@ import (
 	apiacl "github.com/fluxcd/pkg/apis/acl"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/runtime/acl"
+	fluxClient "github.com/fluxcd/pkg/runtime/client"
 	"github.com/fluxcd/pkg/runtime/events"
 	"github.com/fluxcd/pkg/runtime/metrics"
 	"github.com/fluxcd/pkg/runtime/predicates"
@@ -81,6 +82,7 @@ type HelmReleaseReconciler struct {
 	MetricsRecorder       *metrics.Recorder
 	DefaultServiceAccount string
 	NoCrossNamespaceRef   bool
+	KubeConfigOpts        fluxClient.KubeConfigOptions
 }
 
 func (r *HelmReleaseReconciler) SetupWithManager(mgr ctrl.Manager, opts HelmReleaseReconcilerOptions) error {
@@ -503,7 +505,7 @@ func (r *HelmReleaseReconciler) getRESTClientGetter(ctx context.Context, hr v2.H
 		if len(kubeConfig) == 0 {
 			return nil, fmt.Errorf("KubeConfig secret '%s' does not contain a 'value' key", secretName)
 		}
-		return kube.NewMemoryRESTClientGetter(kubeConfig, hr.GetReleaseNamespace(), impersonateAccount, r.Config.QPS, r.Config.Burst), nil
+		return kube.NewMemoryRESTClientGetter(kubeConfig, hr.GetReleaseNamespace(), impersonateAccount, r.Config.QPS, r.Config.Burst, r.KubeConfigOpts), nil
 	}
 
 	if r.DefaultServiceAccount != "" || hr.Spec.ServiceAccountName != "" {

docs/api/helmrelease.md

@@ -107,7 +107,12 @@ KubeConfig
 <td>
 <em>(Optional)</em>
 <p>KubeConfig for reconciling the HelmRelease on a remote cluster.
-When specified, KubeConfig takes precedence over ServiceAccountName.</p>
+When used in combination with HelmReleaseSpec.ServiceAccountName,
+forces the controller to act on behalf of that Service Account at the
+target cluster.
+If the &ndash;default-service-account flag is set, its value will be used as
+a controller level fallback for when HelmReleaseSpec.ServiceAccountName
+is empty.</p>
 </td>
 </tr>
 <tr>
@@ -743,7 +748,12 @@ KubeConfig
 <td>
 <em>(Optional)</em>
 <p>KubeConfig for reconciling the HelmRelease on a remote cluster.
-When specified, KubeConfig takes precedence over ServiceAccountName.</p>
+When used in combination with HelmReleaseSpec.ServiceAccountName,
+forces the controller to act on behalf of that Service Account at the
+target cluster.
+If the &ndash;default-service-account flag is set, its value will be used as
+a controller level fallback for when HelmReleaseSpec.ServiceAccountName
+is empty.</p>
 </td>
 </tr>
 <tr>

go.mod

@@ -5,11 +5,11 @@ go 1.17
 replace github.com/fluxcd/helm-controller/api => ./api
 
 require (
-	github.com/fluxcd/helm-controller/api v0.18.2
+	github.com/fluxcd/helm-controller/api v0.19.0
 	github.com/fluxcd/pkg/apis/acl v0.0.3
 	github.com/fluxcd/pkg/apis/kustomize v0.3.2
 	github.com/fluxcd/pkg/apis/meta v0.12.1
-	github.com/fluxcd/pkg/runtime v0.13.2
+	github.com/fluxcd/pkg/runtime v0.13.3
 	github.com/fluxcd/source-controller/api v0.22.3
 	github.com/go-logr/logr v1.2.3
 	github.com/hashicorp/go-retryablehttp v0.7.0

go.sum

@@ -317,8 +317,8 @@ github.com/fluxcd/pkg/apis/kustomize v0.3.2 h1:ULoAwOOekHf5cy6mYIwL+K6v8/cfcNVVb
 github.com/fluxcd/pkg/apis/kustomize v0.3.2/go.mod h1:p8iAH5TeqMBnnxkkpCNNDvWYfKlNRx89a6WKOo+hJHA=
 github.com/fluxcd/pkg/apis/meta v0.12.1 h1:m5PfKAqbqWBvGp9+JRj1sv+xNkGsHwUVf+3rJ8wm6SE=
 github.com/fluxcd/pkg/apis/meta v0.12.1/go.mod h1:f8YVt70/KAhqzZ7xxhjvqyzKubOYx2pAbakb/FfCEg8=
-github.com/fluxcd/pkg/runtime v0.13.2 h1:6jkQQUbp17WxHsbozlJFCvHmOS4JIB+yB20CdCd8duE=
-github.com/fluxcd/pkg/runtime v0.13.2/go.mod h1:dzWNKqFzFXeittbpFcJzR3cdC9CWlbzw+pNOgaVvF/0=
+github.com/fluxcd/pkg/runtime v0.13.3 h1:k0Xun+RoEC/F6iuAPTA6rQb+I4B4oecBx6pOcodX11A=
+github.com/fluxcd/pkg/runtime v0.13.3/go.mod h1:dzWNKqFzFXeittbpFcJzR3cdC9CWlbzw+pNOgaVvF/0=
 github.com/fluxcd/source-controller/api v0.22.3 h1:HnpSnCtIytwSGSz2qu+GJwyZRmD5UXZL5oOQapiQOtk=
 github.com/fluxcd/source-controller/api v0.22.3/go.mod h1:Vb13q9Pq+1IW/sJUZn/RSb7IU5WT86Er6uCFPCFm9L4=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=

internal/kube/client.go

@@ -24,6 +24,8 @@ import (
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/restmapper"
 	"k8s.io/client-go/tools/clientcmd"
+
+	"github.com/fluxcd/pkg/runtime/client"
 )
 
 func NewInClusterRESTClientGetter(cfg *rest.Config, namespace string) genericclioptions.RESTClientGetter {
@@ -49,15 +51,23 @@ type MemoryRESTClientGetter struct {
 	impersonateAccount string
 	qps                float32
 	burst              int
+	kubeConfigOpts     client.KubeConfigOptions
 }
 
-func NewMemoryRESTClientGetter(kubeConfig []byte, namespace string, impersonateAccount string, qps float32, burst int) genericclioptions.RESTClientGetter {
+func NewMemoryRESTClientGetter(
+	kubeConfig []byte,
+	namespace string,
+	impersonateAccount string,
+	qps float32,
+	burst int,
+	kubeConfigOpts client.KubeConfigOptions) genericclioptions.RESTClientGetter {
 	return &MemoryRESTClientGetter{
 		kubeConfig:         kubeConfig,
 		namespace:          namespace,
 		impersonateAccount: impersonateAccount,
 		qps:                qps,
 		burst:              burst,
+		kubeConfigOpts:     kubeConfigOpts,
 	}
 }
 
@@ -66,6 +76,7 @@ func (c *MemoryRESTClientGetter) ToRESTConfig() (*rest.Config, error) {
 	if err != nil {
 		return nil, err
 	}
+	cfg = client.KubeConfig(cfg, c.kubeConfigOpts)
 	if c.impersonateAccount != "" {
 		cfg.Impersonate = rest.ImpersonationConfig{UserName: c.impersonateAccount}
 	}

main.go

@@ -70,6 +70,7 @@ func main() {
 		watchAllNamespaces    bool
 		httpRetry             int
 		clientOptions         client.Options
+		kubeConfigOpts        client.KubeConfigOptions
 		logOptions            logger.Options
 		aclOptions            acl.Options
 		leaderElectionOptions leaderelection.Options
@@ -89,6 +90,7 @@ func main() {
 	logOptions.BindFlags(flag.CommandLine)
 	aclOptions.BindFlags(flag.CommandLine)
 	leaderElectionOptions.BindFlags(flag.CommandLine)
+	kubeConfigOpts.BindFlags(flag.CommandLine)
 	flag.Parse()
 
 	ctrl.SetLogger(logger.NewLogger(logOptions))
@@ -141,6 +143,7 @@ func main() {
 		MetricsRecorder:       metricsRecorder,
 		NoCrossNamespaceRef:   aclOptions.NoCrossNamespaceRefs,
 		DefaultServiceAccount: defaultServiceAccount,
+		KubeConfigOpts:        kubeConfigOpts,
 	}).SetupWithManager(mgr, controllers.HelmReleaseReconcilerOptions{
 		MaxConcurrentReconciles:   concurrent,
 		DependencyRequeueInterval: requeueDependency,

tests/fuzz/oss_fuzz_build.sh

@@ -22,15 +22,15 @@ PROJECT_PATH="github.com/fluxcd/helm-controller"
 
 cd "${GO_SRC}"
 
-# Move fuzzer to their respective directories. 
+# Move fuzzer to their respective directories.
 # This removes dependency noises from the modules' go.mod and go.sum files.
 cp "${PROJECT_PATH}/tests/fuzz/fuzz_controllers.go" "${PROJECT_PATH}/controllers/"
 
 
 # compile fuzz tests for the runtime module
 pushd "${PROJECT_PATH}"
 
-go mod tidy
+go get -d github.com/AdaLogics/go-fuzz-headers
 compile_go_fuzzer "${PROJECT_PATH}/controllers/" FuzzHelmreleaseComposeValues fuzz_helmrelease_composevalues
 compile_go_fuzzer "${PROJECT_PATH}/controllers/" FuzzHelmreleaseReconcile fuzz_helmrelease_reconcile