[RFC-0010] Introduce feature gate

Signed-off-by: Matheus Pimenta <[email protected]>

Author: matheuscscp

go.mod

@@ -23,11 +23,11 @@ require (
 	github.com/elazarl/goproxy v1.7.2
 	github.com/fluxcd/cli-utils v0.36.0-flux.13
 	github.com/fluxcd/pkg/apis/event v0.17.0
-	github.com/fluxcd/pkg/apis/meta v1.11.0
-	github.com/fluxcd/pkg/auth v0.12.0
+	github.com/fluxcd/pkg/apis/meta v1.12.0
+	github.com/fluxcd/pkg/auth v0.13.0
 	github.com/fluxcd/pkg/cache v0.9.0
-	github.com/fluxcd/pkg/git v0.29.0
-	github.com/fluxcd/pkg/git/gogit v0.31.0
+	github.com/fluxcd/pkg/git v0.30.0
+	github.com/fluxcd/pkg/git/gogit v0.32.0
 	github.com/fluxcd/pkg/gittestserver v0.17.0
 	github.com/fluxcd/pkg/helmtestserver v0.24.0
 	github.com/fluxcd/pkg/lockedfile v0.6.0

go.sum

@@ -372,16 +372,16 @@ github.com/fluxcd/pkg/apis/acl v0.7.0 h1:dMhZJH+g6ZRPjs4zVOAN9vHBd1DcavFgcIFkg5o
 github.com/fluxcd/pkg/apis/acl v0.7.0/go.mod h1:uv7pXXR/gydiX4MUwlQa7vS8JONEDztynnjTvY3JxKQ=
 github.com/fluxcd/pkg/apis/event v0.17.0 h1:foEINE++pCJlWVhWjYDXfkVmGKu8mQ4BDBlbYi5NU7M=
 github.com/fluxcd/pkg/apis/event v0.17.0/go.mod h1:0fLhLFiHlRTDKPDXdRnv+tS7mCMIQ0fJxnEfmvGM/5A=
-github.com/fluxcd/pkg/apis/meta v1.11.0 h1:h8q95k6ZEK1HCfsLkt8Np3i6ktb6ZzcWJ6hg++oc9w0=
-github.com/fluxcd/pkg/apis/meta v1.11.0/go.mod h1:+son1Va60x2eiDcTwd7lcctbI6C+K3gM7R+ULmEq1SI=
-github.com/fluxcd/pkg/auth v0.12.0 h1:35o0ziYMLZVgJwNvJBGsv/wd903B2fMagcrnm1ptUjc=
-github.com/fluxcd/pkg/auth v0.12.0/go.mod h1:gQD2VT5OhIR1E8ZTEsTaho3bDQZidr9P10smH/awcew=
+github.com/fluxcd/pkg/apis/meta v1.12.0 h1:XW15TKZieC2b7MN8VS85stqZJOx+/b8jATQ/xTUhVYg=
+github.com/fluxcd/pkg/apis/meta v1.12.0/go.mod h1:+son1Va60x2eiDcTwd7lcctbI6C+K3gM7R+ULmEq1SI=
+github.com/fluxcd/pkg/auth v0.13.0 h1:CLJJk+NPrCIDs1yPqdwAvNLwFBaogum2XJLI4TD2gr4=
+github.com/fluxcd/pkg/auth v0.13.0/go.mod h1:gQD2VT5OhIR1E8ZTEsTaho3bDQZidr9P10smH/awcew=
 github.com/fluxcd/pkg/cache v0.9.0 h1:EGKfOLMG3fOwWnH/4Axl5xd425mxoQbZzlZoLfd8PDk=
 github.com/fluxcd/pkg/cache v0.9.0/go.mod h1:jMwabjWfsC5lW8hE7NM3wtGNwSJ38Javx6EKbEi7INU=
-github.com/fluxcd/pkg/git v0.29.0 h1:MHQ4F53e6Xt8a/POkd/fiChgysnd/XqiuK7vOWXAXLk=
-github.com/fluxcd/pkg/git v0.29.0/go.mod h1:Ygn+LfrK6Ok+85uiq6s3NWG5LcHS4KY7mzES2JDJsGY=
-github.com/fluxcd/pkg/git/gogit v0.31.0 h1:A56cmtgJBkWAj+gXSOdhPMQVTx0VF91S0PUaqpMXN4g=
-github.com/fluxcd/pkg/git/gogit v0.31.0/go.mod h1:ya8z22xTvAAdW12HycxKYv4S+G+lqu5Kx/LyO/jWz8Y=
+github.com/fluxcd/pkg/git v0.30.0 h1:jwc67whpwSvDJTo+GS1pW1fZsx/VVjhiSWfWeWxbqQM=
+github.com/fluxcd/pkg/git v0.30.0/go.mod h1:8nrHf1RrExQsJfR7ihErv2UpFaKy0zrcUzkXlQ+7pZs=
+github.com/fluxcd/pkg/git/gogit v0.32.0 h1:sm8dO9UuUHO5zJRj0GJ7WQnqHvEzolpBFge0y2V16mA=
+github.com/fluxcd/pkg/git/gogit v0.32.0/go.mod h1:xjtCSqV53VNCSjs5CXp8Qo3AFGyYD9V4r3GFTXU+O18=
 github.com/fluxcd/pkg/gittestserver v0.17.0 h1:JlBvWZQTDOI+np5Z+084m3DkeAH1hMusEybyRUDF63k=
 github.com/fluxcd/pkg/gittestserver v0.17.0/go.mod h1:E/40EmLoXcMqd6gLuLDC9F6KJxqHVGbBBeMNKk5XdxU=
 github.com/fluxcd/pkg/helmtestserver v0.24.0 h1:9sSfRG17GnDIup4sI8V+fdvKROtunU4JyIo34uvXq3Q=

internal/controller/ocirepository_controller.go

@@ -369,6 +369,13 @@ func (r *OCIRepositoryReconciler) reconcileSource(ctx context.Context, sp *patch
 	if _, ok := keychain.(soci.Anonymous); obj.Spec.Provider != ociv1.GenericOCIProvider && ok {
 		var opts []auth.Option
 		if obj.Spec.ServiceAccountName != "" {
+			// Check object-level workload identity feature gate.
+			if !auth.IsObjectLevelWorkloadIdentityEnabled() {
+				const gate = auth.FeatureGateObjectLevelWorkloadIdentity
+				const msgFmt = "to use spec.serviceAccountName for provider authentication please enable the %s feature gate in the controller"
+				err := fmt.Errorf(msgFmt, gate)
+				return sreconcile.ResultEmpty, serror.NewStalling(err, meta.FeatureGateDisabledReason)
+			}
 			serviceAccount := client.ObjectKey{
 				Name:      obj.Spec.ServiceAccountName,
 				Namespace: obj.GetNamespace(),

internal/controller/ocirepository_controller_test.go

@@ -60,6 +60,7 @@ import (
 
 	kstatus "github.com/fluxcd/cli-utils/pkg/kstatus/status"
 	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/auth"
 	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/pkg/oci"
 	"github.com/fluxcd/pkg/runtime/conditions"
@@ -2971,10 +2972,10 @@ func TestOCIRepository_getArtifactRef(t *testing.T) {
 	}
 }
 
-func TestOCIRepository_stalled(t *testing.T) {
+func TestOCIRepository_invalidURL(t *testing.T) {
 	g := NewWithT(t)
 
-	ns, err := testEnv.CreateNamespace(ctx, "ocirepository-stalled-test")
+	ns, err := testEnv.CreateNamespace(ctx, "ocirepository-invalid-url-test")
 	g.Expect(err).ToNot(HaveOccurred())
 	defer func() { g.Expect(testEnv.Delete(ctx, ns)).To(Succeed()) }()
 
@@ -3013,6 +3014,74 @@ func TestOCIRepository_stalled(t *testing.T) {
 	g.Expect(stalledCondition.Reason).Should(Equal(sourcev1.URLInvalidReason))
 }
 
+func TestOCIRepository_objectLevelWorkloadIdentityFeatureGate(t *testing.T) {
+	g := NewWithT(t)
+
+	ns, err := testEnv.CreateNamespace(ctx, "ocirepository-olwifg-test")
+	g.Expect(err).ToNot(HaveOccurred())
+	defer func() { g.Expect(testEnv.Delete(ctx, ns)).To(Succeed()) }()
+
+	err = testEnv.Create(ctx, &corev1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: ns.Name,
+			Name:      "test",
+		},
+	})
+	g.Expect(err).NotTo(HaveOccurred())
+
+	obj := &ociv1.OCIRepository{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName: "ocirepository-reconcile",
+			Namespace:    ns.Name,
+		},
+		Spec: ociv1.OCIRepositorySpec{
+			URL:                "oci://ghcr.io/stefanprodan/manifests/podinfo",
+			Interval:           metav1.Duration{Duration: 60 * time.Minute},
+			Provider:           "aws",
+			ServiceAccountName: "test",
+		},
+	}
+
+	g.Expect(testEnv.Create(ctx, obj)).To(Succeed())
+
+	key := client.ObjectKey{Name: obj.Name, Namespace: obj.Namespace}
+	resultobj := &ociv1.OCIRepository{}
+
+	g.Eventually(func() bool {
+		if err := testEnv.Get(ctx, key, resultobj); err != nil {
+			return false
+		}
+		return conditions.IsStalled(resultobj)
+	}).Should(BeTrue())
+
+	stalledCondition := conditions.Get(resultobj, meta.StalledCondition)
+	g.Expect(stalledCondition).ToNot(BeNil())
+	g.Expect(stalledCondition.Reason).Should(Equal(meta.FeatureGateDisabledReason))
+	g.Expect(stalledCondition.Message).Should(Equal("to use spec.serviceAccountName for provider authentication please enable the ObjectLevelWorkloadIdentity feature gate in the controller"))
+
+	t.Setenv(auth.EnvVarEnableObjectLevelWorkloadIdentity, "true")
+
+	g.Eventually(func() bool {
+		if err := testEnv.Get(ctx, key, resultobj); err != nil {
+			return false
+		}
+		resultobj.Annotations = map[string]string{
+			meta.ReconcileRequestAnnotation: time.Now().Format(time.RFC3339),
+		}
+		return testEnv.Update(ctx, resultobj) == nil
+	}).Should(BeTrue())
+
+	g.Expect(testEnv.Update(ctx, resultobj)).To(Succeed())
+	g.Eventually(func() bool {
+		if err := testEnv.Get(ctx, key, resultobj); err != nil {
+			return false
+		}
+		logOCIRepoStatus(t, resultobj)
+		return !conditions.IsReady(resultobj) &&
+			conditions.GetReason(resultobj, meta.ReadyCondition) == sourcev1.AuthenticationFailedReason
+	}).Should(BeTrue())
+}
+
 func TestOCIRepository_reconcileStorage(t *testing.T) {
 	tests := []struct {
 		name             string

internal/controller/suite_test.go

@@ -43,6 +43,7 @@ import (
 	"k8s.io/client-go/tools/record"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/yaml"
 
 	"github.com/distribution/distribution/v3/configuration"
 	dockerRegistry "github.com/distribution/distribution/v3/registry"
@@ -452,3 +453,8 @@ func randStringRunes(n int) string {
 func int64p(i int64) *int64 {
 	return &i
 }
+
+func logOCIRepoStatus(t *testing.T, obj *sourcev1beta2.OCIRepository) {
+	sts, _ := yaml.Marshal(obj.Status)
+	t.Log(string(sts))
+}

internal/features/features.go

@@ -19,7 +19,10 @@ limitations under the License.
 // states.
 package features
 
-import feathelper "github.com/fluxcd/pkg/runtime/features"
+import (
+	"github.com/fluxcd/pkg/auth"
+	feathelper "github.com/fluxcd/pkg/runtime/features"
+)
 
 const (
 	// CacheSecretsAndConfigMaps controls whether secrets and configmaps should be cached.
@@ -35,6 +38,10 @@ var features = map[string]bool{
 	CacheSecretsAndConfigMaps: false,
 }
 
+func init() {
+	auth.SetFeatureGates(features)
+}
+
 // FeatureGates contains a list of all supported feature gates and
 // their default values.
 func FeatureGates() map[string]bool {

main.go

@@ -39,6 +39,7 @@ import (
 	ctrlmetrics "sigs.k8s.io/controller-runtime/pkg/metrics"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 
+	"github.com/fluxcd/pkg/auth"
 	pkgcache "github.com/fluxcd/pkg/cache"
 	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/pkg/runtime/client"
@@ -178,6 +179,14 @@ func main() {
 		os.Exit(1)
 	}
 
+	switch enabled, err := features.Enabled(auth.FeatureGateObjectLevelWorkloadIdentity); {
+	case err != nil:
+		setupLog.Error(err, "unable to check feature gate "+auth.FeatureGateObjectLevelWorkloadIdentity)
+		os.Exit(1)
+	case enabled:
+		auth.EnableObjectLevelWorkloadIdentity()
+	}
+
 	if err := intervalJitterOptions.SetGlobalJitter(nil); err != nil {
 		setupLog.Error(err, "unable to set global jitter")
 		os.Exit(1)