cyclops-ui · petar-cvit · Feb 11, 2025 · Feb 12, 2025 · Feb 12, 2025 · Feb 12, 2025
@@ -31,8 +31,9 @@ type TemplateAuthRuleSpec struct {
 
 	Repo string `json:"repo"`
 
-	Username v1.SecretKeySelector `json:"username"`
-	Password v1.SecretKeySelector `json:"password"`
+	Username v1.SecretKeySelector  `json:"username"`
+	Password v1.SecretKeySelector  `json:"password"`
+	CABundle *v1.SecretKeySelector `json:"ca-bundle,omitempty"`
 }
 
 //+kubebuilder:object:root=true

@@ -39,6 +39,31 @@ spec:
           spec:
             description: TemplateAuthRuleSpec defines the desired state of TemplateAuthRule
             properties:
+              ca-bundle:
+                description: SecretKeySelector selects a key of a Secret.
+                properties:
+                  key:
+                    description: The key of the secret to select from.  Must be a
+                      valid secret key.
+                    type: string
+                  name:
+                    default: ""
+                    description: |-
+                      Name of the referent.
+                      This field is effectively required, but due to backwards compatibility is
+                      allowed to be empty. Instances of this type with an empty value here are
+                      almost certainly wrong.
+                      TODO: Add other useful fields. apiVersion, kind, uid?
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+                    type: string
+                  optional:
+                    description: Specify whether the Secret or its key must be defined
+                    type: boolean
+                required:
+                - key
+                type: object
+                x-kubernetes-map-type: atomic
               password:
                 description: SecretKeySelector selects a key of a Secret.
                 properties:

@@ -13,6 +13,7 @@ type TemplatesResolver struct {
 type Credentials struct {
 	Username string
 	Password string
+	CABundle []byte
 }
 
 func NewTemplatesResolver(k8s k8sClient) TemplatesResolver {
@@ -44,9 +45,18 @@ func (t TemplatesResolver) RepoAuthCredentials(repo string) (*Credentials, error
 				return nil, err
 			}
 
+			var caBundle []byte
+			if ta.Spec.CABundle != nil {
+				caBundle, err = t.k8s.GetTemplateAuthRuleSecret(ta.Spec.CABundle.Name, ta.Spec.CABundle.Key)
+				if err != nil {
+					return nil, err
+				}
+			}
+
 			return &Credentials{
-				Username: username,
-				Password: password,
+				Username: string(username),
+				Password: string(password),
+				CABundle: caBundle,
 			}, err
 		}
 	}
@@ -55,6 +65,6 @@ func (t TemplatesResolver) RepoAuthCredentials(repo string) (*Credentials, error
 }
 
 type k8sClient interface {
-	GetTemplateAuthRuleSecret(string, string) (string, error)
+	GetTemplateAuthRuleSecret(string, string) ([]byte, error)
 	ListTemplateAuthRules() ([]v1alpha1.TemplateAuthRule, error)
 }
@@ -129,7 +129,7 @@ var _ = Describe("Templates resolver", func() {
 				repo: "https://github.com/my-org/my-team",
 				mockCalls: func() {
 					k8sClient.On("ListTemplateAuthRules").Return(tars, nil)
-					k8sClient.On("GetTemplateAuthRuleSecret", "secret-name", "username").Return("", errors.New("some k8s error"))
+					k8sClient.On("GetTemplateAuthRuleSecret", "secret-name", "username").Return(nil, errors.New("some k8s error"))
 				},
 			},
 			out: caseOutput{
@@ -143,8 +143,8 @@ var _ = Describe("Templates resolver", func() {
 				repo: "https://github.com/my-org/my-team",
 				mockCalls: func() {
 					k8sClient.On("ListTemplateAuthRules").Return(tars, nil)
-					k8sClient.On("GetTemplateAuthRuleSecret", "secret-name", "username").Return("my-secret-username", nil)
-					k8sClient.On("GetTemplateAuthRuleSecret", "secret-name", "token").Return("", errors.New("some k8s error"))
+					k8sClient.On("GetTemplateAuthRuleSecret", "secret-name", "username").Return([]byte("my-secret-username"), nil)
+					k8sClient.On("GetTemplateAuthRuleSecret", "secret-name", "token").Return(nil, errors.New("some k8s error"))
 				},
 			},
 			out: caseOutput{
@@ -158,8 +158,8 @@ var _ = Describe("Templates resolver", func() {
 				repo: "https://github.com/my-org/my-team",
 				mockCalls: func() {
 					k8sClient.On("ListTemplateAuthRules").Return(tars, nil)
-					k8sClient.On("GetTemplateAuthRuleSecret", "secret-name", "username").Return("my-secret-username", nil)
-					k8sClient.On("GetTemplateAuthRuleSecret", "secret-name", "token").Return("my-secret-token", nil)
+					k8sClient.On("GetTemplateAuthRuleSecret", "secret-name", "username").Return([]byte("my-secret-username"), nil)
+					k8sClient.On("GetTemplateAuthRuleSecret", "secret-name", "token").Return([]byte("my-secret-token"), nil)
 				},
 			},
 			out: caseOutput{

@@ -287,6 +287,7 @@ func resolveRef(repo, version string, creds *auth.Credentials) (string, error) {
 	refs, err := rem.List(&git.ListOptions{
 		PeelingOption: git.AppendPeeled,
 		Auth:          httpBasicAuthCredentials(creds),
+		CABundle:      gitCABundle(creds),
 	})
 	if err != nil {
 		return "", errors.Wrap(err, fmt.Sprintf("repo %s was not cloned successfully; authentication might be required; check if repository exists and you referenced it correctly", repo))
@@ -312,6 +313,7 @@ func resolveDefaultBranchRef(repo string, creds *auth.Credentials) (string, erro
 	refs, err := rem.List(&git.ListOptions{
 		PeelingOption: git.AppendPeeled,
 		Auth:          httpBasicAuthCredentials(creds),
+		CABundle:      gitCABundle(creds),
 	})
 	if err != nil {
 		return "", errors.Wrap(err, fmt.Sprintf("repo %s was not cloned successfully; authentication might be required; check if repository exists and you referenced it correctly", repo))
@@ -359,9 +361,10 @@ func clone(repoURL, commit string, creds *auth.Credentials) (billy.Filesystem, e
 	}
 
 	repo, err := git.Clone(memory.NewStorage(), memfs.New(), &git.CloneOptions{
-		URL:  repoURL,
-		Tags: git.AllTags,
-		Auth: httpBasicAuthCredentials(creds),
+		URL:      repoURL,
+		Tags:     git.AllTags,
+		Auth:     httpBasicAuthCredentials(creds),
+		CABundle: gitCABundle(creds),
 	})
 	if err != nil {
 		return nil, errors.Wrap(err, fmt.Sprintf("repo %s was not cloned successfully; authentication might be required; check if repository exists and you referenced it correctly", repoURL))
@@ -381,7 +384,8 @@ func clone(repoURL, commit string, creds *auth.Credentials) (billy.Filesystem, e
 			return nil, err
 		}
 		refList, err := remote.List(&git.ListOptions{
-			Auth: httpBasicAuthCredentials(creds),
+			Auth:     httpBasicAuthCredentials(creds),
+			CABundle: gitCABundle(creds),
 		})
 		if err != nil {
 			return nil, err
@@ -568,3 +572,11 @@ func httpBasicAuthCredentials(creds *auth.Credentials) *http.BasicAuth {
 		Password: creds.Password,
 	}
 }
+
+func gitCABundle(creds *auth.Credentials) []byte {
+	if creds == nil {
+		return nil
+	}
+
+	return creds.CABundle
+}
@@ -101,7 +101,7 @@ type IKubernetesClient interface {
 	WatchResource(group, version, resource, name, namespace string) (watch.Interface, error)
 	WatchKubernetesResources(gvrs []ResourceWatchSpec, stopCh chan struct{}) (chan *unstructured.Unstructured, error)
 	ListTemplateAuthRules() ([]cyclopsv1alpha1.TemplateAuthRule, error)
-	GetTemplateAuthRuleSecret(name, key string) (string, error)
+	GetTemplateAuthRuleSecret(string, string) ([]byte, error)
 	ListTemplateStore() ([]cyclopsv1alpha1.TemplateStore, error)
 	CreateTemplateStore(ts *cyclopsv1alpha1.TemplateStore) error
 	UpdateTemplateStore(ts *cyclopsv1alpha1.TemplateStore) error

@@ -13,16 +13,16 @@ func (k *KubernetesClient) ListTemplateAuthRules() ([]cyclopsv1alpha1.TemplateAu
 	return k.moduleset.TemplateAuthRules(k.moduleNamespace).List(metav1.ListOptions{})
 }
 
-func (k *KubernetesClient) GetTemplateAuthRuleSecret(name, key string) (string, error) {
+func (k *KubernetesClient) GetTemplateAuthRuleSecret(name, key string) ([]byte, error) {
 	secret, err := k.clientset.CoreV1().Secrets(k.moduleNamespace).Get(context.Background(), name, metav1.GetOptions{})
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 
 	secretValue, ok := secret.Data[key]
 	if !ok {
-		return "", errors.New("key not found")
+		return nil, errors.New("key not found")
 	}
 
-	return string(secretValue), err
+	return secretValue, err
 }
@@ -186,6 +186,31 @@ spec:
             spec:
               description: TemplateAuthRuleSpec defines the desired state of TemplateAuthRule
               properties:
+                ca-bundle:
+                  description: SecretKeySelector selects a key of a Secret.
+                  properties:
+                    key:
+                      description: The key of the secret to select from.  Must be a
+                        valid secret key.
+                      type: string
+                    name:
+                      default: ""
+                      description: |-
+                        Name of the referent.
+                        This field is effectively required, but due to backwards compatibility is
+                        allowed to be empty. Instances of this type with an empty value here are
+                        almost certainly wrong.
+                        TODO: Add other useful fields. apiVersion, kind, uid?
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+                      type: string
+                    optional:
+                      description: Specify whether the Secret or its key must be defined
+                      type: boolean
+                  required:
+                    - key
+                  type: object
+                  x-kubernetes-map-type: atomic
                 password:
                   description: SecretKeySelector selects a key of a Secret.
                   properties:
@@ -383,7 +408,7 @@ spec:
     spec:
       containers:
         - name: cyclops-ui
-          image: cyclopsui/cyclops-ui:v0.16.1
+          image: cyclopsui/cyclops-ui:v0.18.0-rc.2
           ports:
             - containerPort: 80
           env:
@@ -448,7 +473,7 @@ spec:
       serviceAccountName: cyclops-ctrl
       containers:
         - name: cyclops-ctrl
-          image: cyclopsui/cyclops-ctrl:v0.16.1
+          image: cyclopsui/cyclops-ctrl:v0.18.0-rc.2
           ports:
             - containerPort: 8080
           env: