You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Migrate Flux controllers to use runtime/secrets package
Background
We have successfully consolidated secret handling patterns in the Flux ecosystem by creating a new runtime/secrets package in fluxcd/pkg. This package provides unified functions for handling Kubernetes secrets across all Flux components.
Key developments:
Issue fluxcd/pkg#949: Consolidate the handling of secrets
Migration not required: Git authentication uses the established pkg/git module with git.NewAuthOptions(), which provides equivalent functionality to runtime/secrets. The pkg/git module is specifically designed for Git authentication and is used consistently across the Flux ecosystem (source-controller, image-automation-controller) for Git operations.
kustomize-controller: TLS certificates for webhook validation, SOPS decryption keys
Migration not required: kustomize-controller only handles secrets for SOPS decryption, which uses file extension-based processing (.asc, .agekey, sops.aws-kms, etc.) rather than standard Kubernetes secret field names (tls.crt, tls.key, ca.crt, username, password). This unique requirement makes the controller incompatible with the runtime/secrets package's field-based approach, as SOPS expects specific file names for different encryption methods rather than standardized secret fields.
helm-controller: TLS certificates for Helm repositories, authentication secrets
Migration not required: helm-controller delegates all authentication (TLS/BasicAuth/Proxy) to source-controller and only consumes authenticated artifacts. The controller handles KubeConfig secrets and values injection, which are outside the scope of runtime/secrets package.
Migration not required: Git authentication already uses the established pkg/git module with git.NewAuthOptions(), which provides equivalent functionality to runtime/secrets for Git-specific authentication patterns. The pkg/git module is specifically designed for Git authentication and is used consistently across the Flux ecosystem for Git operations.
image-reflector-controller: Registry authentication for image scanning
Migration not required: These commands already use the established pkg/git module for Git authentication, providing equivalent functionality to runtime/secrets for Git operations.
Migrate Flux controllers to use runtime/secrets package
Background
We have successfully consolidated secret handling patterns in the Flux ecosystem by creating a new
runtime/secretspackage in fluxcd/pkg. This package provides unified functions for handling Kubernetes secrets across all Flux components.Key developments:
fluxcd/pkg/runtime v0.62.0now available for use across FluxNew runtime/secrets Package
The
runtime/secretspackage provides:Core Functions
TLSConfigFromSecret(ctx, client, name, namespace, logger)- Creates TLS config with legacy field supportProxyURLFromSecret(ctx, client, name, namespace)- Extracts proxy configurationBasicAuthFromSecret(ctx, client, name, namespace)- Retrieves basic auth credentialsPullSecretsFromServiceAccount(ctx, client, name, namespace)- Resolves image pull secretsHelper Functions
MakeTLSSecret(),MakeProxySecret(),MakeBasicAuthSecret(), etc.Key Features
certFile,keyFile,caFile) for backward compatibilitytls.crt,tls.key,ca.crt) take precedenceMigration Goals
Target Repositories
The following repositories contain secret handling functionality that can benefit from migrating to
runtime/secrets:GitRepository controller migrationpkg/gitmodule withgit.NewAuthOptions(), which provides equivalent functionality to runtime/secrets. Thepkg/gitmodule is specifically designed for Git authentication and is used consistently across the Flux ecosystem (source-controller, image-automation-controller) for Git operations.kustomize-controller: TLS certificates for webhook validation, SOPS decryption keys.asc,.agekey,sops.aws-kms, etc.) rather than standard Kubernetes secret field names (tls.crt,tls.key,ca.crt,username,password). This unique requirement makes the controller incompatible with the runtime/secrets package's field-based approach, as SOPS expects specific file names for different encryption methods rather than standardized secret fields.helm-controller: TLS certificates for Helm repositories, authentication secretsProxy URL parsing optimization (planned for Flux v1)image-automation-controller: Git authentication secretspkg/gitmodule withgit.NewAuthOptions(), which provides equivalent functionality to runtime/secrets for Git-specific authentication patterns. Thepkg/gitmodule is specifically designed for Git authentication and is used consistently across the Flux ecosystem for Git operations.TLSConfigFromSecret()ProxyURLFromSecret()PullSecretsFromServiceAccount()Git authentication commands (flux bootstrap,flux create secret git)pkg/gitmodule for Git authentication, providing equivalent functionality to runtime/secrets for Git operations.mTLS Terminology and Consistency
Based on the implementation in notification-controller PR #1137, we've established important guidelines for mTLS terminology:
Historical Context
Before Flux 2.6: The term "mTLS" or "mutual" was not used in documentation
Flux 2.6: First mention of "mutual TLS"
Decision
We will maintain consistency with pkg/runtime/secrets definition of mTLS:
tls.crt+tls.key+ optionalca.crtTLSConfigFromSecret