* feat: kv native helm auth implementation

Signed-off-by: Ayush Kumar <aykumar@guidewire.com>
Signed-off-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Co-authored-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Vishal Kumar <vishal210893@gmail.com>

* feat: add e2e test cases for helm auth

Signed-off-by: Ayush Kumar <aykumar@guidewire.com>
Signed-off-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Co-authored-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Vishal Kumar <vishal210893@gmail.com>

* test: remove the env auth gate and improve test cases

Signed-off-by: Ayush Kumar <aykumar@guidewire.com>
Signed-off-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Co-authored-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Vishal Kumar <vishal210893@gmail.com>

* lint: drop unused []byte return from non-docker secret dispatchers

unparam flagged dispatchBasicAuthSecret, dispatchTLSSecret, and dispatchOpaqueSecret because the second return value (raw config bytes) was always nil. Only dispatchDockerConfigJSONSecret actually needs that slot for the OCI temp credfile. Drop it from the other three and update resolveAuthOptions plus the unit tests to match.

Signed-off-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Co-authored-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Vishal Kumar <vishal210893@gmail.com>

* feat: pr review changes

Signed-off-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Co-authored-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Co-authored-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Vishal Kumar <vishal210893@gmail.com>

* style: gofmt/goimports auth.go doc comments

Signed-off-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Co-authored-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Co-authored-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Vishal Kumar <vishal210893@gmail.com>

* chore: remove e2e-auth-images-load-local target

The dedicated target is gone; e2e-test-local now reads the same .vscode/k3d-preload.txt image list that the VS Code setup task uses so both flows pull from one source. Empty or missing file is a no-op.

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Co-authored-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Co-authored-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Vishal Kumar <vishal210893@gmail.com>

* chore: inline auth-test image list in e2e-test-local

`.vscode/k3d-preload.txt` is gitignored so it would not exist on a fresh clone. Inline the three auth-test registry images directly in the Make target so `make e2e-test-local` is self-contained.

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Co-authored-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Co-authored-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Vishal Kumar <vishal210893@gmail.com>

* feat: address PR review comments

- Webhook ValidateCuexTemplate now wraps the context in helm.WithDryRun so a ComponentDefinition with concrete helm.#Render arguments cannot trigger a real chart fetch or install during admission validation.
- helmchart audit ConfigMap keeps `helm.oam.dev/chart` as a label when the source string is a valid Kubernetes label value (alphanumeric + `.-_`, 1-63 chars); URLs containing `://` or `/` only live in the annotation. Preserves existing label selectors for repo-style sources without breaking long OCI/HTTPS URLs.
- helm_test.go capture-and-restore singleton.KubeClient in fetchURLChart and fetchRepoChart auth Describes so fake clients do not leak into later tests in the package.
- utils_test.go swap the defer order so singleton.ReloadClients runs before WorkloadCompiler.Reload, otherwise the compiler reload would pick up the fake dynamic client and leak fake state.
- e2e.mk pre-load loop separates docker pull and k3d image import with `;` rather than `&&`. `set -e` does not abort a for-loop body when a command inside an `&&` chain fails, so the old form could continue after a failed pull.

Signed-off-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Co-authored-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Co-authored-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Vishal Kumar <vishal210893@gmail.com>

* style: gofmt AfterAll indentation in helmchart_test.go

Signed-off-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Co-authored-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Co-authored-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Vishal Kumar <vishal210893@gmail.com>

* feat: enhance Docker Hub credential handling in auth configuration

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Signed-off-by: Vishal Kumar <vishal210893@gmail.com>

* feat: enhance Docker Hub credential handling in auth configuration

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Signed-off-by: Vishal Kumar <vishal210893@gmail.com>

* fix(helm-auth): normalize Docker Hub alias for dockerconfigjson Secrets

Cubic flagged that the Docker Hub alias fix in writeOCIRegistryConfigFile only covered synthesized basic-auth credentials. For verbatim kubernetes.io/dockerconfigjson Secrets, a user-supplied config keyed under "registry-1.docker.io" (the OCI pull host) would not be found by ORAS/Helm, which normalizes to "https://index.docker.io/v1/".

normalizeDockerHubAliases parses the verbatim JSON, and when any of the three Docker Hub host aliases ("registry-1.docker.io", "index.docker.io", "docker.io") is keyed but the canonical v1 key is absent, copies the entry under the canonical key. No-op when:
- the canonical key is already present
- no Docker Hub host is involved
- the JSON is malformed or missing the auths field

Includes 7 new unit specs for the helper covering each alias, the no-op cases, and malformed input.

Also brings in collateral local-fix changes:
- pkg/webhook/utils/utils_test.go: register the cue.oam.dev/v1alpha1 Package GVK in the fake DynamicClient scheme so TestValidateCuexTemplate/withCuexPackageImports can resolve the test/ext package after the WorkloadCompiler switch.
- gofmt field-alignment normalization on auth_test.go and auth_registry_helpers_test.go (drift caught by check-diff CI).

Co-authored-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Vishal Kumar <vishal210893@gmail.com>

* fix: namespace-default rendered resources, bind chart cache to credentials, surface HTTP 401s clearly, inject auth-test CA in e2e

Four fixes from stress testing the helmchart component:

1. Rendered resources without metadata.namespace landed in vela-system. Both code paths now default to releaseNamespace for namespaced kinds: the velaLabelPostRenderer (before helm SDK apply) and parseManifestResources (before KubeVela's tracker re-applies). isClusterScopedKind covers CRDs, ClusterRoles, Namespaces, etc.

2. Cached chart bytes survived credential rotation. computeAuthCacheTag hashes Secret.Type + sorted Data into a 16-char tag suffixed onto the cache key when auth.secretRef is declared. Any Secret edit (or different Secret reference) invalidates the cache and forces a fresh registry call that exercises the new credentials at the wire. Public charts (no auth) are unaffected.

3. HTTP 401/403 on chart fetch surfaced as YAML/JSON parse errors. HTTPGetWithOption now rejects non-2xx responses with 'HTTP <status>: <body>' instead of returning the raw body for downstream parsers to choke on.

4. E2E HTTPS tests against chartmuseum's self-signed cert failed at the admission webhook. injectAuthTestCA patches vela-core in BeforeSuite with an init container that combines /etc/ssl/certs/ca-certificates.crt with testdata/auth/certs/ca.crt into a shared volume and points SSL_CERT_FILE at it.

Also normalize Docker Hub host aliases on verbatim kubernetes.io/dockerconfigjson Secrets (cubic comment), and revert TestValidateCuexTemplate's fake DynamicClient to the empty-scheme form that lets it wrap every GVK as Unstructured (CI unit test fix).

Finding 3 (options.wait default) is deferred: schema-level defaults don't materialize for optional fields carried into _options as a structural copy. Tracked separately.

Issue 2 from the stress matrix (cache + credential rotation) is also filed upstream as kubevela/kubevela#7150 for a longer-term credential-bound cache invalidation design.

Co-authored-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Vishal Kumar <vishal210893@gmail.com>

* fix(helm-auth): RESTMapper scope detection + auth tag binds source URL + drop flaky webhook test case

Address cubic P1 review comments and the unit-test CI failure.

isClusterScopedKind only matched well-known built-in kinds; isClusterScopedGVK now asks the RESTMapper first so third-party cluster-scoped CRDs are recognised, with the static allowlist as a fallback.

computeAuthCacheTag now folds params.Source and params.RepoURL into the hash so a multi-host dockerconfigjson Secret cannot reuse cached bytes across different registries.

TestValidateCuexTemplate/withCuexPackageImports relied on cuex.DefaultCompiler.Reload picking up a fake-client-served Package CRD; since ValidateCuexTemplate now uses velacuex.WorkloadCompiler the fake-client setup does not surface the test/ext package, so the case is dropped (covered transitively by the helm provider unit tests and the e2e suite under helm.WithDryRun).

Co-authored-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Vishal Kumar <vishal210893@gmail.com>

* style: gofmt import order in helm.go (lint + check-diff)

Co-authored-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Vishal Kumar <vishal210893@gmail.com>

* fix(e2e): correct vela-core selector, alpine bundler, harden rollout wait

The label selector app.kubernetes.io/name=vela-core also matches the cluster-gateway Deployment, so the init container was being appended to the wrong workload and the controller pod never picked up the test CA. Switching to the unique controller.oam.dev/name label fixes the routing, and the diagnostic message at the empty-list branch is updated to point operators at the new label.

addVolume and addInitContainer now update in place when an entry with the same name already exists. Previously they silently skipped, which meant the first patch on a cluster stuck for the lifetime of that cluster and a corrected image or args could not be picked up by a re-run.

busybox:1.36 ships without /etc/ssl/certs/ca-certificates.crt, so the bundler was silently producing an empty combined.crt. alpine:3.18 ships the public CA roots, so concatenating the auth-test CA onto the system bundle produces a usable trust store that the main container reads via SSL_CERT_FILE.

waitForDeploymentsAvailable used to return as soon as DeploymentAvailable flipped to True and the new RS reached the desired replica count, which left a window where old-RS pods still satisfied Available while the controller container was still running with the previous image. The check now also requires Status.Replicas == Status.UpdatedReplicas, AvailableReplicas >= specReplicas and UnavailableReplicas == 0, so the helper only returns once the rollout is fully complete.

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Co-authored-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Vishal Kumar <vishal210893@gmail.com>

* test(e2e): gate auth-test setup behind KUBEVELA_E2E_AUTH so other suites stay green

webhook-upgrade-check runs the same test/e2e-test suite as the full e2e job but with ginkgo --focus-file requiredparam_validation_test.go. The unconditional setupAuthRegistries in BeforeSuite was bringing up the ChartMuseum / zot / nginx-bearer stack and patching vela-core for a focus that did not need any of it, and the patched controller never finished rolling on the upgrade-check cluster (the helm upgrade in that job is expected to fail, so vela-core is in a stretched state when our BeforeSuite tries to patch it).

Re-introduce KUBEVELA_E2E_AUTH=1 as the explicit opt-in. BeforeSuite and AfterSuite only touch the auth registries when the env var is set, the Helmchart Auth Describe block skips otherwise, and the make e2e-test and e2e-test-local targets export the env so the full suite still runs the auth specs. CI workflows that run a focused subset (like webhook-upgrade-check) inherit the default off behavior and stop paying the registry-setup cost.

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Co-authored-by: Vishal Kumar <vishal210893@gmail.com>

---------

Signed-off-by: Ayush Kumar <aykumar@guidewire.com>
Signed-off-by: Vishal Kumar <vishal210893@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Co-authored-by: Vishal Kumar <vishal210893@gmail.com>
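As an added illustration (not the PR's own code) of the Docker Hub alias normalization the fix(helm-auth) commit above describes: the function name normalizeDockerHubAliases, the three alias hosts and the canonical "https://index.docker.io/v1/" key are taken from the commit message; the behaviour on malformed input follows its no-op rules, and the sample config in main is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Canonical key Helm/ORAS look Docker Hub credentials up under.
const dockerHubCanonicalKey = "https://index.docker.io/v1/"

// Host aliases a user may key a dockerconfigjson entry under instead.
var dockerHubAliases = []string{"registry-1.docker.io", "index.docker.io", "docker.io"}

// normalizeDockerHubAliases copies the first alias entry found under the
// canonical key so the registry client can resolve it. It returns raw
// unchanged when the canonical key is already present, no Docker Hub alias
// is keyed, or the JSON is malformed or lacks an "auths" object, so a bad
// Secret is passed through rather than silently rewritten.
func normalizeDockerHubAliases(raw []byte) []byte {
	var cfg map[string]json.RawMessage
	if json.Unmarshal(raw, &cfg) != nil {
		return raw // malformed JSON
	}
	var auths map[string]json.RawMessage
	// cfg["auths"] is nil when the field is absent; Unmarshal(nil) errors.
	if json.Unmarshal(cfg["auths"], &auths) != nil || auths == nil {
		return raw
	}
	if _, ok := auths[dockerHubCanonicalKey]; ok {
		return raw // already canonical
	}
	for _, alias := range dockerHubAliases {
		if entry, ok := auths[alias]; ok {
			auths[dockerHubCanonicalKey] = entry // keep the alias entry too
			cfg["auths"], _ = json.Marshal(auths) // valid RawMessages never fail
			out, _ := json.Marshal(cfg)
			return out
		}
	}
	return raw // no Docker Hub host involved
}

func main() {
	// Constructed sample: credentials keyed under the OCI pull host only.
	in := []byte(`{"auths":{"registry-1.docker.io":{"auth":"dXNlcjpwYXNz"}}}`)
	fmt.Println(string(normalizeDockerHubAliases(in)))
}
```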
Introduction
KubeVela is a modern application delivery platform that makes deploying and operating applications across today's hybrid, multi-cloud environments easier, faster and more reliable.
Highlights
KubeVela practices the "render, orchestrate, deploy" workflow and adds the following highlighted value to the existing ecosystem:
Deployment as Code
Declare your deployment plan as a workflow, run it automatically with any CI/CD or GitOps system, and extend or re-program the workflow steps with CUE. No ad-hoc scripts, no dirty glue code, just deploy. The deployment workflow in KubeVela is powered by the Open Application Model.
Built-in observability, multi-tenancy and security support
Choose from the wide range of LDAP integrations we provide out of the box, enjoy enhanced multi-tenancy and multi-cluster authorization and authentication, and pick and apply fine-grained RBAC modules, customizing them to your own supply chain requirements. Every delivery process has fully automated observability dashboards.
Multi-cloud/hybrid-environments app delivery as first-class citizen
Natively supports multi-cluster/hybrid-cloud scenarios such as progressive rollout across test/staging/production environments, automatic canary, blue-green and continuous verification, rich placement strategies across clusters and clouds, and automated cloud environment provisioning.
Lightweight but highly extensible architecture
Minimize your control plane deployment: a single pod with 0.5c1g of resources (half a CPU core and 1 GB of memory) handles thousands of application deliveries. Glue and orchestrate all your infrastructure capabilities as reusable modules with a highly extensible architecture, and share the large and growing set of community addons.
Getting Started
Get Your Own Demo with Alibaba Cloud
Documentation
Full documentation is available on the KubeVela website.
Blog
Official blog is available on KubeVela blog.
Community
We want your contributions and suggestions! One of the easiest ways to contribute is to participate in discussions on GitHub Issues/Discussions, chat on IM, or join the bi-weekly community calls. For more information on community engagement, developer and contributing guidelines and more, head over to the KubeVela community repo.
Contact Us
Reach out with any questions you may have and we'll make sure to answer them as soon as possible!
- Slack: CNCF Slack kubevela channel (English)
- DingTalk Group: 23310022 (Chinese)
- Wechat Group (Chinese): Broker wechat to add you into the user group.
Community Call
Every two weeks we host a community call to showcase new features, review upcoming milestones, and engage in a Q&A. All are welcome!
- Bi-weekly Community Call:
- Bi-weekly Chinese Community Call:
Talks and Conferences
Check out KubeVela videos for these talks and conferences.
Contributing
Check out CONTRIBUTING to see how to develop with KubeVela.
Report Vulnerability
Security is a first priority for us at KubeVela. If you come across a related issue, please send an email to security@mail.kubevela.io.
Code of Conduct
KubeVela adopts CNCF Code of Conduct.

