source-controller icon indicating copy to clipboard operation
source-controller copied to clipboard

Published 20 hours ago verified publisher icon fluxcd

Create a new flag to block use of HTTP endpoints for sources

Open pjbgf opened this issue 3 years ago • 2 comments

A new flag could be created to block the use of HTTP endpoints for acquiring sources. When enabled, the flag would not allow the use of the http scheme across all controller-level objects.

:memo: To do:

  • [ ] Disable HTTP scheme for GitRepository.
    • [ ] Disable managed transport redirect from HTTP to HTTPS.
  • [ ] Disable HTTP scheme for HelmRepository.
    • [ ] Default type.
    • [ ] OCI type.
  • [ ] Disable HTTP scheme for Bucket.

pjbgf avatar Jun 30 '22 12:06 pjbgf

note that, for helm sources at least, we can set the insecure flag. This, would prevent users from doing so.

souleb avatar Jun 30 '22 14:06 souleb

@souleb good point, that's like Bucket objects.

When the flag (mentioned here) is set, that would block at controller level any HTTP/insecure transport. Meaning that if a specific object (Helm/Bucket) tries to use spec.Insecure=true, or use an http:// endpoint, both would result in an error.

pjbgf avatar Jun 30 '22 15:06 pjbgf