* feat(addon): Store addon registry tokens in Secrets

Previously, addon registry tokens were stored in plaintext within the 'vela-addon-registry' ConfigMap. This is not a secure practice for sensitive data.

This commit refactors the addon registry functionality to store tokens in Kubernetes Secrets. The ConfigMap now only contains a reference to the secret name, while the token itself is stored securely.

This change includes:
- Creating/updating secrets when a registry is added/updated.
- Loading tokens from secrets when a registry is listed/retrieved.
- Deleting secrets when a registry is deleted.

Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>

* test(addon): Add tests for registry token secret storage

This commit introduces a comprehensive test suite for the addon registry feature. It includes:
- Isolated unit tests for each CRUD operation (Add, Update, List, Get, Delete) to ensure each function works correctly in isolation.
- A stateful integration test to validate the complete lifecycle of an addon registry from creation to deletion.

The tests verify that tokens are handled correctly via Kubernetes Secrets, confirming the implementation of the secure token storage feature.

Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>

* feat(addon): improve addon registry robustness and fix bugs

This commit introduces several improvements to the addon registry to make it more robust and fixes several bugs.
- When updating a secret, the existing secret is now fetched and updated to avoid potential conflicts.
- Deleting a non-existent registry now returns no error, making the operation idempotent.
- Getting a non-existent registry now returns a structured not-found error.
- Loading a token from a non-existent secret is now handled gracefully.
- When setting a token directly on a git-based addon source, the token secret reference is now cleared.
- The token secret reference is now correctly copied in `SafeCopy`.

Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>

* Refactor(addon): Fix secret deletion and improve registry logic

This commit refactors the addon registry data store to fix a critical bug where deleting an addon registry would not delete its associated token secret.

The root cause was that the `GetRegistry` function, which was used by `DeleteRegistry`, would load the token from the secret and then clear the `TokenSecretRef` field on the in-memory object. This meant that when `DeleteRegistry` tried to find the secret to delete, the reference was already gone.

This has been fixed by:
1. Introducing a central `getRegistries` helper function to read the raw registry data from the ConfigMap.
2. Refactoring all data store methods (`List`, `Get`, `Add`, `Update`, `Delete`) to use this central helper, removing duplicate code.
3. Ensuring `DeleteRegistry` uses the raw, unmodified registry data so that the `TokenSecretRef` is always available for deletion.

Additionally, comprehensive unit tests for the new helper functions (`getRegistries`, `loadTokenFromSecret`, `createOrUpdateTokenSecret`) have been added to verify the fix and improve overall code quality and stability.

Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>

* feat(addon): improve addon registry token security and logging

This commit enhances the security and observability of addon registry token handling.
- Adds a warning message to users when an insecure inline token is detected in an addon registry configuration, prompting them to migrate to a more secure secret-based storage.
- Implements info-level logging to create an audit trail for token migrations, providing administrators with visibility into security-related events.
- Refactors the token migration logic into a new `migrateInlineTokenToSecret` function, improving code clarity and maintainability.
- Introduces unit tests for the `TokenSource` interface methods and the `GetTokenSource` function to ensure correctness and prevent regressions.

Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>

* Chore: remove comments to trigger ci

Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>

---------

Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
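The secret-deletion bug described in the commit message above, reduced to an added Go example that is not KubeVela's code: the map-backed `Store`, `getRaw`, the `viaGet` switch and `orphans` are hypothetical names, and the ConfigMap and Secrets are modelled as in-memory maps with constructed values. Only the `TokenSecretRef` field name and the read-then-clear behaviour come from the commit message.

```go
package main

import "fmt"

// Simplified stand-ins, not KubeVela's types: configMap keeps only the reference.
type Registry struct{ Name, Token, TokenSecretRef string }
type Store struct {
	configMap map[string]Registry
	secrets   map[string]string // secret name -> token
}

// getRaw returns the record as persisted: reference intact, no token.
func (s *Store) getRaw(name string) (Registry, error) {
	if r, ok := s.configMap[name]; ok {
		return r, nil
	}
	return Registry{}, fmt.Errorf("registry %q not found", name)
}

// Get resolves the token for the caller and clears the reference on its copy.
func (s *Store) Get(name string) (Registry, error) {
	r, err := s.getRaw(name)
	if err == nil && r.TokenSecretRef != "" {
		r.Token, r.TokenSecretRef = s.secrets[r.TokenSecretRef], ""
	}
	return r, err
}

// Delete removes registry and Secret; viaGet=true reproduces the bug (lookup via Get).
func (s *Store) Delete(name string, viaGet bool) {
	r, err := s.getRaw(name)
	if viaGet {
		r, err = s.Get(name)
	}
	if err != nil {
		return // missing registry: nothing to do, delete stays idempotent
	}
	delete(s.secrets, r.TokenSecretRef) // no-op when the reference was cleared
	delete(s.configMap, name)
}

// orphans deletes a constructed registry and returns how many Secrets remain.
func orphans(viaGet bool) int {
	s := &Store{map[string]Registry{"exp": {Name: "exp", TokenSecretRef: "exp-token"}},
		map[string]string{"exp-token": "constructed-token"}}
	s.Delete("exp", viaGet)
	return len(s.secrets)
}

func main() { fmt.Println("orphaned secrets, buggy vs fixed:", orphans(true), orphans(false)) }
```

An orphaned Secret keeps a live registry credential in the cluster after its owner is gone, so a test that counts Secrets after deletion catches this class of bug.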
Introduction
KubeVela is a modern application delivery platform that makes deploying and operating applications across today's hybrid, multi-cloud environments easier, faster and more reliable.
Highlights
KubeVela practices the "render, orchestrate, deploy" workflow, adding the following highlighted values to the existing ecosystem:
Deployment as Code
Declare your deployment plan as workflow, run it automatically with any CI/CD or GitOps system, extend or re-program the workflow steps with CUE. No ad-hoc scripts, no dirty glue code, just deploy. The deployment workflow in KubeVela is powered by Open Application Model.
Built-in observability, multi-tenancy and security support
Choose from the wide range of LDAP integrations we provide out of the box, enjoy enhanced multi-tenancy and multi-cluster authorization and authentication, pick and apply fine-grained RBAC modules and customize them as per your own supply chain requirements. Every delivery process has fully automated observability dashboards.
Multi-cloud/hybrid-environments app delivery as first-class citizen
Natively supports multi-cluster/hybrid-cloud scenarios such as progressive rollout across test/staging/production environments, automatic canary, blue-green and continuous verification, rich placement strategy across clusters and clouds, along with automated cloud environments provision.
Lightweight but highly extensible architecture
Minimize your control plane deployment with only one pod and 0.5c1g resources to handle thousands of application deliveries. Glue and orchestrate all your infrastructure capabilities as reusable modules with a highly extensible architecture and share the large and growing set of community addons.
Getting Started
Get Your Own Demo with Alibaba Cloud
Documentation
Full documentation is available on the KubeVela website.
Blog
Official blog is available on KubeVela blog.
Community
We want your contributions and suggestions! One of the easiest ways to contribute is to participate in discussions on the GitHub Issues/Discussion, chat on IM or the bi-weekly community calls. For more information on the community engagement, developer and contributing guidelines and more, head over to the KubeVela community repo.
Contact Us
Reach out with any questions you may have and we'll make sure to answer them as soon as possible!
- Slack: CNCF Slack kubevela channel (English)
- DingTalk Group: 23310022 (Chinese)
- Wechat Group (Chinese): Broker wechat to add you into the user group.
Community Call
Every two weeks we host a community call to showcase new features, review upcoming milestones, and engage in a Q&A. All are welcome!
- Bi-weekly Community Call:
- Bi-weekly Chinese Community Call:
Talks and Conferences
Check out KubeVela videos for these talks and conferences.
Contributing
Check out CONTRIBUTING to see how to develop with KubeVela.
Report Vulnerability
Security is a first priority for us at KubeVela. If you come across a related issue, please send an email to security@mail.kubevela.io.
Code of Conduct
KubeVela adopts CNCF Code of Conduct.

