Releases: syngit-org/syngit
v0.4.0
Features ✨
RemoteTarget #81
The RemoteTarget CRD brings a new way of using Syngit. The whole operator architecture has been modified to implement this new feature. A RemoteTarget allows the user to define the repository and the branch where the resources should be pushed. The RemoteTarget must be associated with a Kubernetes user in the RemoteUserBinding object. It will be used if it is associated with the user AND if the upstream repository & branch are the same as those of the RemoteSyncer which has intercepted the resource.
Example:
apiVersion: syngit.io/v1beta3
kind: RemoteTarget
metadata:
  name: remotetarget-sample
spec:
  upstreamRepository: https://github.com/upstream/repo.git
  upstreamBranch: main
  targetRepository: https://github.com/myself/fork-repo.git
  targetBranch: main
  mergeStrategy: TryFastForwardOrHardReset
Patterns #81
Patterns are a way to quickly configure Syngit by letting the operator manage the associations and targets. Basic patterns already exist in Syngit; they cover the most common use cases. Patterns are enabled through annotations on objects. This version brings patterns for RemoteTarget. The annotations must be set on the RemoteSyncer object:
- syngit.io/remotetarget.pattern.user-specific: one-user-one-branch
  A specific RemoteTarget will be automatically associated and managed for each user. This RemoteTarget has the same target repository as the upstream and targets a branch with the same name as the user.
- syngit.io/remotetarget.pattern.user-specific: one-user-one-fork
  A specific RemoteTarget will be automatically associated and managed for each user. This RemoteTarget will target the forked repository. The target branch is the same as the default branch of the RemoteSyncer. An external provider addon must be installed to make it work.
- syngit.io/remotetarget.pattern.one-or-many-branches: branch1, branch2
  The same RemoteTarget will be automatically associated and managed for all users. This RemoteTarget will target the same repository as the one defined in the RemoteSyncer. One RemoteTarget will be created for each branch. In the case of multiple branches, the targetStrategy of the RemoteSyncer must be set to MultipleTarget.
Gitlab provider 0.2.0
Implement the gitlab provider v0.2.0. This version brings annotations to skip TLS verification or add a CA bundle to the RemoteUser connection test.
Internal features 🛠️
RBAC test refactor #83
Before, the test users were all used almost randomly in the tests. This PR brings clear, distinct roles/personas for each user (described in the documentation). It is now easier to write tests using the right role/persona.
Package release 📦
Docker image:
ghcr.io/syngit-org/syngit:v0.4.0
Helm chart:
https://syngit-org.github.io/syngit version 0.4.0
Helm install
helm repo add syngit https://syngit-org.github.io/syngit
helm repo update syngit
helm install syngit syngit/syngit --version 0.4.0 -n <SYNGIT_NAMESPACE>
Helm upgrade
helm repo update syngit
helm upgrade -n <SYNGIT_NAMESPACE> --version 0.4.0 syngit syngit/syngit
v0.3.5
Bug fix 🐛
Fix conversion webhook
The conversion webhook embedded in the chart was calling the wrong Service.
Package release 📦
Docker image:
ghcr.io/syngit-org/syngit:v0.3.5
Helm chart:
https://syngit-org.github.io/syngit version 0.3.5
Helm install
helm repo add syngit https://syngit-org.github.io/syngit
helm repo update syngit
helm install syngit syngit/syngit --version 0.3.5 -n <SYNGIT_NAMESPACE>
Helm upgrade
helm repo update syngit
helm upgrade -n <SYNGIT_NAMESPACE> --version 0.3.5 syngit syngit/syngit
v0.3.4
Improvement 🌱
Prevent unauthorized impersonation on RemoteUserBinding
Before, user A was able to turn off the RemoteUserBinding association on a RemoteUser that belongs to user B (syngit.io/associated-remoteuserbinding: "false"). Now, the association webhook prevents this action.
Internal features 🛠️
Refactor cert-injection architecture
The injection scripts are located in /hack. The custom resources related to the custom certificate injection are now located in config/local.
Package release 📦
Docker image:
ghcr.io/syngit-org/syngit:v0.3.4
Helm chart:
https://syngit-org.github.io/syngit version 0.3.4
Helm install
helm repo add syngit https://syngit-org.github.io/syngit
helm repo update syngit
helm install syngit syngit/syngit --version 0.3.4 -n <SYNGIT_NAMESPACE>
Helm upgrade
helm repo update syngit
helm upgrade -n <SYNGIT_NAMESPACE> --version 0.3.4 syngit syngit/syngit
v0.3.3
Improvement 🌱
RemoteUserBindings managed by label selector #64
The RemoteUserBindings managed by syngit (with the syngit.io/associated-remote-userbinding: "true" annotation on RemoteUser) were retrieved by name selector (if the name of the RUB starts with associated-rub-). That was a bad way of getting the RemoteUserBindings managed by syngit.
Now, the RemoteUserBindings managed by Syngit have two labels: "managed-by": "syngit.io" and "syngit.io/k8s-user": "username".
The RemoteUser association webhook selects the corresponding RemoteUserBinding using these labels as selectors.
RemoteUser association annotation change #64
syngit.io/associated-remote-userbinding: "true" -> syngit.io/associated-remoteuserbinding: "true"
Better RemoteUserBinding management #65
If a user has already created an associated-rub-username RemoteUserBinding, then the one managed by syngit will be called associated-rub-username-1 (and selected with the labels). If the ..-1 already exists, then the one managed by syngit will be ..-2 and so on.
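The two changes above, sketched as an added example (not Syngit's own code): the managed binding is found by its two labels rather than by name, so a user-created associated-rub-username binding is never mistaken for it, and the managed one takes the next free suffix. The RUB type and both function names are hypothetical; the label keys and name prefix are the ones given in these notes.

```go
package main

import "fmt"

// RUB is a minimal stand-in for a RemoteUserBinding (name and labels only).
type RUB struct {
	Name   string
	Labels map[string]string
}

const (
	managedByKey = "managed-by"
	managedByVal = "syngit.io"
	userKey      = "syngit.io/k8s-user"
	namePrefix   = "associated-rub-"
)

// FindManaged returns the binding Syngit manages for user, matched on both
// labels. A binding that only carries the conventional name is ignored.
func FindManaged(rubs []RUB, user string) (RUB, bool) {
	for _, r := range rubs {
		if r.Labels[managedByKey] == managedByVal && r.Labels[userKey] == user {
			return r, true
		}
	}
	return RUB{}, false
}

// NextManagedName returns associated-rub-<user>, or the first free
// associated-rub-<user>-N when that name is already taken.
func NextManagedName(rubs []RUB, user string) string {
	taken := make(map[string]bool, len(rubs))
	for _, r := range rubs {
		taken[r.Name] = true
	}
	base := namePrefix + user
	name := base
	for i := 1; taken[name]; i++ {
		name = fmt.Sprintf("%s-%d", base, i)
	}
	return name
}

func main() {
	// Constructed sample: alice created a binding with the conventional name herself.
	rubs := []RUB{{Name: "associated-rub-alice"}}
	_, ok := FindManaged(rubs, "alice")
	fmt.Println(ok, NextManagedName(rubs, "alice")) // false associated-rub-alice-1
}
```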
Internal features 🛠️
Automatic dev webhook management #66
The make run command automatically generates development-purpose certificates. Therefore, we can test webhook logic by using make run.
Others 👀
Change behavior test command name #65
make test-e2e -> make test-behavior
Package release 📦
Docker image:
ghcr.io/syngit-org/syngit:v0.3.3
Helm chart:
https://syngit-org.github.io/syngit version 0.3.3
Helm install
helm repo add syngit https://syngit-org.github.io/syngit
helm repo update syngit
helm install syngit syngit/syngit --version 0.3.3 -n <SYNGIT_NAMESPACE>
Helm upgrade
helm repo update syngit
helm upgrade -n <SYNGIT_NAMESPACE> syngit syngit/syngit
v0.3.2
Features ✨
Dynamic webhook lifecycle management
- The dynamic webhook (that handles the RemoteSyncers interception) is now created/deleted on the operator's creation/deletion.
- The dynamic webhook is automatically reconciled when manually updating or deleting it. The only way to get rid of it is to uninstall the Syngit operator.
Dynamic webhook server registered with the default server
The dynamic webhook server was running in parallel with the main controller-runtime's webhook server. It was served on port 9444.
Now, the dynamic webhook server is served by the main controller-runtime's webhook server.
Helm chart startup checker
The chart has been fully reviewed to be cleaner. When installing or upgrading the chart, the process is blocked until the operator is fully deployed:
- the controller has its state set to Ready
- the certificate is Ready
Internal features 🛠️
Clean Makefile
Commands are placed in the right section. Command names have been made simpler.
Bug fixes 🐛
- Fix a memory issue in the webhook interceptor that was calling an empty Log object.
Others 👀
Add new tests
- helm install test
- helm upgrade test
Test coverage
The end-to-end tests are now executed using the coverage option.
Package release 📦
Docker image:
ghcr.io/syngit-org/syngit:v0.3.2
Helm chart:
https://syngit-org.github.io/syngit version 0.3.2
Helm install
helm repo add syngit https://syngit-org.github.io/syngit
helm repo update syngit
helm install syngit syngit/syngit --version 0.3.2 -n <SYNGIT_NAMESPACE>
Helm upgrade
helm repo update syngit
helm upgrade -n <SYNGIT_NAMESPACE> syngit syngit/syngit
v0.3.1
End-users features ✨
RemoteUser RBAC checker
When creating, updating or deleting a RemoteUser, a webhook checks whether the user who made the operation has permission to get the referenced secret.
RemoteUserBinding RBAC checker
When creating, updating or deleting a RemoteUserBinding, a webhook checks whether the user who made the operation has permission to get the referenced remoteusers.
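One way to frame the RemoteUser check, as an added example rather than Syngit's code: the identity is taken from the admission request itself, so the question asked is whether the requester (not the operator) may get the Secret. These notes do not say how Syngit performs the check; the SubjectAccessReview framing, the spec.secretRef.name field path and all names below are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// admission: the AdmissionReview fields read here; spec.secretRef.name is assumed.
type admission struct {
	Request struct {
		Namespace string `json:"namespace"`
		UserInfo  struct {
			Username string   `json:"username"`
			Groups   []string `json:"groups"`
		} `json:"userInfo"`
		Object struct {
			Spec struct {
				SecretRef struct {
					Name string `json:"name"`
				} `json:"secretRef"`
			} `json:"spec"`
		} `json:"object"`
	} `json:"request"`
}

// Review holds the subject and resourceAttributes of a SubjectAccessReview spec.
type Review struct {
	User                            string
	Groups                          []string
	Namespace, Verb, Resource, Name string
}

// SecretReview builds the access question for the requester named in the
// request, failing closed when the identity or the Secret name is missing.
func SecretReview(raw []byte) (Review, error) {
	var a admission
	if err := json.Unmarshal(raw, &a); err != nil {
		return Review{}, err
	}
	r := a.Request
	if r.UserInfo.Username == "" || r.Object.Spec.SecretRef.Name == "" {
		return Review{}, errors.New("missing requester or secret reference")
	}
	return Review{r.UserInfo.Username, r.UserInfo.Groups, r.Namespace, "get", "secrets", r.Object.Spec.SecretRef.Name}, nil
}

func main() {
	// Constructed admission request: alice creates a RemoteUser in team-a.
	raw := []byte(`{"request":{"namespace":"team-a","userInfo":{"username":"alice"},"object":{"spec":{"secretRef":{"name":"git-token"}}}}}`)
	fmt.Println(SecretReview(raw))
}
```

The groups are carried along with the username because RBAC bindings are often granted to groups; the API server answers such a review in its status.allowed field.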
Internal features 🛠️
Commands refinement
Rename some commands to make them more intuitive to use.
make dev-deploy -> make deploy-all
make cleanup-deploy -> make undeploy-all
Add some commands:
make chart-install
make chart-upgrade
make chart-uninstall
make fast-e2e
See the 💻 Commands documentation for more information.
Package release 📦
Docker image:
ghcr.io/syngit-org/syngit:v0.3.1
Helm chart:
https://syngit-org.github.io/syngit version 0.3.1
Helm install
helm repo add syngit https://syngit-org.github.io/syngit
helm repo update syngit
helm install syngit syngit/syngit --version 0.3.1 -n <SYNGIT_NAMESPACE>
Helm upgrade
helm repo update syngit
helm upgrade -n <SYNGIT_NAMESPACE> syngit syngit/syngit
v0.3.0
End-users features ✨
Add authentication checker for Github & Gitlab
The main goal is to use features that are specific to these platforms (such as PR/MR, forks, etc...). For this version, we implement the v0.1.0 version of each of them. This version implements an authentication check against the Gitlab/Github API.
To use this feature, add the github.syngit.io/auth.test= "true" / gitlab.syngit.io/auth.test= "true" annotation to the RemoteUser. Then check the status of the RemoteUser. The test is performed when updating the RemoteUser or the referenced Secret.
Last Transition Time: 2024-12-24T12:49:08Z
Message: Authentication was successful with the user damsien
Reason: AuthenticationSucceded
Status: True
Type: Authenticated
These providers act as micro-operators that are plugged into Syngit. They do not have their own API. They reconcile on Syngit's CRD instead. The provider projects are available at these links:
- https://github.com/syngit-org/syngit-provider-github
- https://github.com/syngit-org/syngit-provider-gitlab
Bug fixes 🐛
- Fix wrong default image used in the helm chart for the providers.
Others 👀
- Change the demo gif (quality increased).
- Restructure the file architecture in order to have a more convenient coding space. Also, it is important to export the right variables & functions to be used in the provider projects.
Package release 📦
Docker image:
ghcr.io/syngit-org/syngit:v0.3.0
Helm chart:
https://syngit-org.github.io/syngit version 0.3.0
Helm install
helm repo add syngit https://syngit-org.github.io/syngit
helm repo update syngit
helm install syngit syngit/syngit --version 0.3.0 -n <SYNGIT_NAMESPACE>
Helm upgrade
helm repo update syngit
helm upgrade -n <SYNGIT_NAMESPACE> syngit syngit/syngit
v0.2.1
End-users features ✨
Add Github & Gitlab providers alpha feature
The final goal is to use features that are specific to these platforms (such as PR/MR, forks, etc...). For this version, we implement the v0.0.1 version of each of them.
Bug fixes 🐛
- Fix deprecated kube-rbac-proxy image
Package release 📦
Docker image:
ghcr.io/syngit-org/syngit:v0.2.1
Helm chart:
https://syngit-org.github.io/syngit version 0.2.1
Helm install
helm repo add syngit https://syngit-org.github.io/syngit
helm repo update syngit
helm install syngit syngit/syngit --version 0.2.1 -n <SYNGIT_NAMESPACE>
Helm upgrade
helm repo update syngit
helm upgrade -n <SYNGIT_NAMESPACE> syngit syngit/syngit
v0.2.0
End-users features ✨
RemoteSyncer RBAC checker
When creating, updating or deleting a RemoteSyncer, a webhook checks whether the user who made the operation has permission to access the resources listed in scopedResources (for create, update or delete).
Add short names for CRDs
- ru & rus for RemoteUser
- rub & rubs for RemoteUserBinding
- rsy & rsys for RemoteSyncer
Migrating from the syngit.syngit.io apiVersion to syngit.io
If the operator is upgraded using helm, then the process is fully automated.
The "syngit.syngit.io/associated-remote-userbinding": "true" annotation (used in RemoteUser) must be changed to "syngit.io/associated-remote-userbinding": "true".
Internal features 🌱
Linter
Add a linter job to the github workflow
Implement more tests
- Multiple concurrent RemoteSyncer test (9.)
  When exactly two identical RemoteSyncers exist (same target repo/branch, same scoped resources), it checks that the webhook fails because the commit hashes are not the same. The validation webhooks run in parallel. This behavior is intended (locked mutex). In a future version, a retry behavior will be implemented (see 📜 Roadmap).
- RemoteUser update does not automatically add a new entry in the remoteRefs of the associated RemoteUserBinding
Add test utilities make fast-e2e & make cleanup-e2e (see 🚀 Tests)
Bug fixes 🐛
- When an update was made on a RemoteUser, then a new entry was added to the remoteRefs of the associated RemoteUserBinding.
- There was an error in the conversion webhook of the RemoteUser which was spamming the log of the controller. Now a default value is set instead of returning an error.
Package release 📦
Docker image:
ghcr.io/syngit-org/syngit:v0.2.0
Helm chart:
https://syngit-org.github.io/syngit version 0.2.0
Helm install
helm repo add syngit https://syngit-org.github.io/syngit
helm repo update syngit
helm install syngit syngit/syngit --version 0.2.0 -n <SYNGIT_NAMESPACE>
Helm upgrade
helm repo update syngit
helm upgrade -n <SYNGIT_NAMESPACE> syngit syngit/syngit
0.1.1
Internal features 🌱
Full e2e environment implementation
This environment includes:
- 2 git platforms with 2 repos in each of them (using gitea).
- 3 personas having different access on the git repositories.
- Utility functions to quickly check k8s objects in a git repository
- Impersonation function to act on the cluster as one of the personas
Major use-case tests implementation
- Test RemoteUser & RemoteUserBinding dependency
- Test RemoteSyncer & ValidationWebhook dependency
- Test CommitOnly & CommitApply mode
- Test excludedFields
- Test default RemoteUser when RemoteUserBinding does not exist
- Test bypass interception subject
kubebuilder v3 to kubebuilder v4 migration
Add CRD markers for a better manifest generation
End-users features ✨
CRD version management
Skip versions v1alpha1, v1alpha2, v1alpha3 & v1alpha4 so their CRDs are no longer generated or taken into account for the next releases.
CRD new api version: v1beta2
Move associatedRemoteUserBinding out of the spec and set it as an annotation instead (syngit.syngit.io/associated-remote-userbinding).
Bug fixes 🐛
- The webhook responsible for the association between RemoteUser & RemoteUserBinding was not deleting the RemoteUserBinding when no remoteusers were associated with it anymore.
Others 👀
- Change the README for better end-user onboarding.
- Enhance the wiki for better contributor onboarding.
Package release 📦
Docker image:
ghcr.io/syngit-org/syngit:0.1.1
Helm chart:
https://syngit-org.github.io/syngit version 0.1.1
Helm install
helm repo add syngit https://syngit-org.github.io/syngit
helm repo update syngit
helm install syngit syngit/syngit --version 0.1.1 -n <SYNGIT_NAMESPACE>
Helm upgrade
helm repo update syngit
helm upgrade -n <SYNGIT_NAMESPACE> syngit syngit/syngit