[RFC-0010] Introduce feature gate

api/go.mod

@@ -4,7 +4,7 @@ go 1.24.0
 
 require (
 	github.com/fluxcd/pkg/apis/kustomize v1.10.0
-	github.com/fluxcd/pkg/apis/meta v1.11.0
+	github.com/fluxcd/pkg/apis/meta v1.12.0
 	k8s.io/apiextensions-apiserver v0.33.0
 	k8s.io/apimachinery v0.33.0
 	sigs.k8s.io/controller-runtime v0.20.4

api/go.sum

@@ -5,8 +5,8 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/fluxcd/pkg/apis/kustomize v1.10.0 h1:47EeSzkQvlQZdH92vHMe2lK2iR8aOSEJq95avw5idts=
 github.com/fluxcd/pkg/apis/kustomize v1.10.0/go.mod h1:UsqMV4sqNa1Yg0pmTsdkHRJr7bafBOENIJoAN+3ezaQ=
-github.com/fluxcd/pkg/apis/meta v1.11.0 h1:h8q95k6ZEK1HCfsLkt8Np3i6ktb6ZzcWJ6hg++oc9w0=
-github.com/fluxcd/pkg/apis/meta v1.11.0/go.mod h1:+son1Va60x2eiDcTwd7lcctbI6C+K3gM7R+ULmEq1SI=
+github.com/fluxcd/pkg/apis/meta v1.12.0 h1:XW15TKZieC2b7MN8VS85stqZJOx+/b8jATQ/xTUhVYg=
+github.com/fluxcd/pkg/apis/meta v1.12.0/go.mod h1:+son1Va60x2eiDcTwd7lcctbI6C+K3gM7R+ULmEq1SI=
 github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vtxU=
 github.com/fxamacker/cbor/v2 v2.8.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=

go.mod

@@ -23,8 +23,8 @@ require (
 	github.com/fluxcd/pkg/apis/acl v0.7.0
 	github.com/fluxcd/pkg/apis/event v0.17.0
 	github.com/fluxcd/pkg/apis/kustomize v1.10.0
-	github.com/fluxcd/pkg/apis/meta v1.11.0
-	github.com/fluxcd/pkg/auth v0.12.0
+	github.com/fluxcd/pkg/apis/meta v1.12.0
+	github.com/fluxcd/pkg/auth v0.14.0
 	github.com/fluxcd/pkg/cache v0.9.0
 	github.com/fluxcd/pkg/http/fetch v0.16.0
 	github.com/fluxcd/pkg/kustomize v1.17.0

go.sum

@@ -186,10 +186,10 @@ github.com/fluxcd/pkg/apis/event v0.17.0 h1:foEINE++pCJlWVhWjYDXfkVmGKu8mQ4BDBlb
 github.com/fluxcd/pkg/apis/event v0.17.0/go.mod h1:0fLhLFiHlRTDKPDXdRnv+tS7mCMIQ0fJxnEfmvGM/5A=
 github.com/fluxcd/pkg/apis/kustomize v1.10.0 h1:47EeSzkQvlQZdH92vHMe2lK2iR8aOSEJq95avw5idts=
 github.com/fluxcd/pkg/apis/kustomize v1.10.0/go.mod h1:UsqMV4sqNa1Yg0pmTsdkHRJr7bafBOENIJoAN+3ezaQ=
-github.com/fluxcd/pkg/apis/meta v1.11.0 h1:h8q95k6ZEK1HCfsLkt8Np3i6ktb6ZzcWJ6hg++oc9w0=
-github.com/fluxcd/pkg/apis/meta v1.11.0/go.mod h1:+son1Va60x2eiDcTwd7lcctbI6C+K3gM7R+ULmEq1SI=
-github.com/fluxcd/pkg/auth v0.12.0 h1:35o0ziYMLZVgJwNvJBGsv/wd903B2fMagcrnm1ptUjc=
-github.com/fluxcd/pkg/auth v0.12.0/go.mod h1:gQD2VT5OhIR1E8ZTEsTaho3bDQZidr9P10smH/awcew=
+github.com/fluxcd/pkg/apis/meta v1.12.0 h1:XW15TKZieC2b7MN8VS85stqZJOx+/b8jATQ/xTUhVYg=
+github.com/fluxcd/pkg/apis/meta v1.12.0/go.mod h1:+son1Va60x2eiDcTwd7lcctbI6C+K3gM7R+ULmEq1SI=
+github.com/fluxcd/pkg/auth v0.14.0 h1:AA9nmbFzTN5jcGROJK51LvQoDetMrXJLAo4Sd6WHpFI=
+github.com/fluxcd/pkg/auth v0.14.0/go.mod h1:o91WIZZshLooBALXY/MVn0mmdUw3eATrqGXrG1M7nTE=
 github.com/fluxcd/pkg/cache v0.9.0 h1:EGKfOLMG3fOwWnH/4Axl5xd425mxoQbZzlZoLfd8PDk=
 github.com/fluxcd/pkg/cache v0.9.0/go.mod h1:jMwabjWfsC5lW8hE7NM3wtGNwSJ38Javx6EKbEi7INU=
 github.com/fluxcd/pkg/envsubst v1.4.0 h1:pYsb6wrmXOSfHXuXQHaaBBMt3LumhgCb8SMdBNAwV/U=

internal/controller/kustomization_configuration_error_test.go

@@ -29,14 +29,16 @@ import (
 
 	"github.com/fluxcd/pkg/apis/kustomize"
 	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/auth"
 	"github.com/fluxcd/pkg/runtime/conditions"
 	"github.com/fluxcd/pkg/testserver"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+	"github.com/fluxcd/kustomize-controller/internal/decryptor"
 )
 
-func TestKustomizationReconciler_InvalidCELExpression(t *testing.T) {
+func TestKustomizationReconciler_ConfigurationError(t *testing.T) {
 	g := NewWithT(t)
 	id := "invalid-config-" + randStringRunes(5)
 	revision := "v1.0.0"
@@ -72,53 +74,143 @@ data: {}
 	err = applyGitRepository(repositoryName, artifact, revision)
 	g.Expect(err).NotTo(HaveOccurred())
 
-	kustomizationKey := types.NamespacedName{
-		Name:      fmt.Sprintf("invalid-config-%s", randStringRunes(5)),
-		Namespace: id,
-	}
-	kustomization := &kustomizev1.Kustomization{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      kustomizationKey.Name,
-			Namespace: kustomizationKey.Namespace,
-		},
-		Spec: kustomizev1.KustomizationSpec{
-			Interval: metav1.Duration{Duration: 2 * time.Minute},
-			Path:     "./",
-			SourceRef: kustomizev1.CrossNamespaceSourceReference{
-				Name:      repositoryName.Name,
-				Namespace: repositoryName.Namespace,
-				Kind:      sourcev1.GitRepositoryKind,
+	t.Run("invalid cel expression", func(t *testing.T) {
+		g := NewWithT(t)
+
+		kustomizationKey := types.NamespacedName{
+			Name:      fmt.Sprintf("invalid-config-%s", randStringRunes(5)),
+			Namespace: id,
+		}
+		kustomization := &kustomizev1.Kustomization{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      kustomizationKey.Name,
+				Namespace: kustomizationKey.Namespace,
 			},
-			TargetNamespace: id,
-			Prune:           true,
-			Timeout:         &metav1.Duration{Duration: time.Second},
-			Wait:            true,
-			HealthCheckExprs: []kustomize.CustomHealthCheck{{
-				APIVersion: "v1",
-				Kind:       "ConfigMap",
-				HealthCheckExpressions: kustomize.HealthCheckExpressions{
-					InProgress: "foo.",
-					Current:    "true",
+			Spec: kustomizev1.KustomizationSpec{
+				TargetNamespace: id,
+				Interval:        metav1.Duration{Duration: 2 * time.Minute},
+				SourceRef: kustomizev1.CrossNamespaceSourceReference{
+					Name:      repositoryName.Name,
+					Namespace: repositoryName.Namespace,
+					Kind:      sourcev1.GitRepositoryKind,
 				},
-			}},
-		},
-	}
+				Prune:   true,
+				Timeout: &metav1.Duration{Duration: time.Second},
+				Wait:    true,
+				HealthCheckExprs: []kustomize.CustomHealthCheck{{
+					APIVersion: "v1",
+					Kind:       "ConfigMap",
+					HealthCheckExpressions: kustomize.HealthCheckExpressions{
+						InProgress: "foo.",
+						Current:    "true",
+					},
+				}},
+			},
+		}
 
-	err = k8sClient.Create(context.Background(), kustomization)
-	g.Expect(err).NotTo(HaveOccurred())
+		err = k8sClient.Create(context.Background(), kustomization)
+		g.Expect(err).NotTo(HaveOccurred())
 
-	g.Eventually(func() bool {
-		_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
-		return conditions.IsFalse(resultK, meta.ReadyCondition)
-	}, timeout, time.Second).Should(BeTrue())
-	logStatus(t, resultK)
+		g.Eventually(func() bool {
+			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
+			return conditions.IsFalse(resultK, meta.ReadyCondition)
+		}, timeout, time.Second).Should(BeTrue())
 
-	g.Expect(resultK.Status.ObservedGeneration).To(Equal(resultK.GetGeneration()))
+		g.Expect(resultK.Status.ObservedGeneration).To(Equal(resultK.GetGeneration()))
 
-	g.Expect(conditions.IsTrue(resultK, meta.StalledCondition)).To(BeTrue())
-	for _, cond := range []string{meta.ReadyCondition, meta.StalledCondition} {
-		g.Expect(conditions.GetReason(resultK, cond)).To(Equal(meta.InvalidCELExpressionReason))
-		g.Expect(conditions.GetMessage(resultK, cond)).To(ContainSubstring(
-			"failed to create custom status evaluator for healthchecks[0]: failed to parse the expression InProgress: failed to parse the CEL expression 'foo.': ERROR: <input>:1:5: Syntax error: no viable alternative at input '.'"))
-	}
+		g.Expect(conditions.IsTrue(resultK, meta.StalledCondition)).To(BeTrue())
+		for _, cond := range []string{meta.ReadyCondition, meta.StalledCondition} {
+			g.Expect(conditions.GetReason(resultK, cond)).To(Equal(meta.InvalidCELExpressionReason))
+			g.Expect(conditions.GetMessage(resultK, cond)).To(ContainSubstring(
+				"failed to create custom status evaluator for healthchecks[0]: failed to parse the expression InProgress: failed to parse the CEL expression 'foo.': ERROR: <input>:1:5: Syntax error: no viable alternative at input '.'"))
+		}
+	})
+
+	t.Run("object level workload identity feature gate disabled", func(t *testing.T) {
+		g := NewWithT(t)
+
+		kustomizationKey := types.NamespacedName{
+			Name:      fmt.Sprintf("invalid-config-%s", randStringRunes(5)),
+			Namespace: id,
+		}
+		kustomization := &kustomizev1.Kustomization{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      kustomizationKey.Name,
+				Namespace: kustomizationKey.Namespace,
+			},
+			Spec: kustomizev1.KustomizationSpec{
+				TargetNamespace: id,
+				Interval:        metav1.Duration{Duration: 2 * time.Minute},
+				SourceRef: kustomizev1.CrossNamespaceSourceReference{
+					Name:      repositoryName.Name,
+					Namespace: repositoryName.Namespace,
+					Kind:      sourcev1.GitRepositoryKind,
+				},
+				Prune: true,
+				Decryption: &kustomizev1.Decryption{
+					Provider:           decryptor.DecryptionProviderSOPS,
+					ServiceAccountName: "foo",
+				},
+			},
+		}
+
+		err = k8sClient.Create(context.Background(), kustomization)
+		g.Expect(err).NotTo(HaveOccurred())
+
+		g.Eventually(func() bool {
+			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
+			return conditions.IsFalse(resultK, meta.ReadyCondition)
+		}, timeout, time.Second).Should(BeTrue())
+
+		// In this case the controller does not update the observed generation
+		// because if the feature gate is enabled then the generation of the
+		// object can be properly observed.
+		g.Expect(resultK.Status.ObservedGeneration).To(Equal(int64(-1)))
+
+		g.Expect(conditions.IsTrue(resultK, meta.StalledCondition)).To(BeTrue())
+		for _, cond := range []string{meta.ReadyCondition, meta.StalledCondition} {
+			g.Expect(conditions.GetReason(resultK, cond)).To(Equal(meta.FeatureGateDisabledReason))
+			g.Expect(conditions.GetMessage(resultK, cond)).To(ContainSubstring(
+				"to use spec.decryption.serviceAccountName for decryption authentication please enable the ObjectLevelWorkloadIdentity feature gate in the controller"))
+		}
+	})
+
+	t.Run("object level workload identity feature gate enabled", func(t *testing.T) {
+		g := NewWithT(t)
+
+		t.Setenv(auth.EnvVarEnableObjectLevelWorkloadIdentity, "true")
+
+		kustomizationKey := types.NamespacedName{
+			Name:      fmt.Sprintf("invalid-config-%s", randStringRunes(5)),
+			Namespace: id,
+		}
+		kustomization := &kustomizev1.Kustomization{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      kustomizationKey.Name,
+				Namespace: kustomizationKey.Namespace,
+			},
+			Spec: kustomizev1.KustomizationSpec{
+				TargetNamespace: id,
+				Interval:        metav1.Duration{Duration: 2 * time.Minute},
+				SourceRef: kustomizev1.CrossNamespaceSourceReference{
+					Name:      repositoryName.Name,
+					Namespace: repositoryName.Namespace,
+					Kind:      sourcev1.GitRepositoryKind,
+				},
+				Prune: true,
+				Decryption: &kustomizev1.Decryption{
+					Provider:           decryptor.DecryptionProviderSOPS,
+					ServiceAccountName: "foo",
+				},
+			},
+		}
+
+		err = k8sClient.Create(context.Background(), kustomization)
+		g.Expect(err).NotTo(HaveOccurred())
+
+		g.Eventually(func() bool {
+			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
+			return conditions.IsTrue(resultK, meta.ReadyCondition)
+		}, timeout, time.Second).Should(BeTrue())
+	})
 }

internal/controller/kustomization_controller.go

@@ -52,6 +52,7 @@ import (
 	apiacl "github.com/fluxcd/pkg/apis/acl"
 	eventv1 "github.com/fluxcd/pkg/apis/event/v1beta1"
 	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/auth"
 	"github.com/fluxcd/pkg/cache"
 	"github.com/fluxcd/pkg/http/fetch"
 	generator "github.com/fluxcd/pkg/kustomize"
@@ -246,6 +247,18 @@ func (r *KustomizationReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 		return ctrl.Result{}, nil
 	}
 
+	// Check object-level workload identity feature gate.
+	if d := obj.Spec.Decryption; d != nil && d.ServiceAccountName != "" && !auth.IsObjectLevelWorkloadIdentityEnabled() {
+		const gate = auth.FeatureGateObjectLevelWorkloadIdentity
+		const msgFmt = "to use spec.decryption.serviceAccountName for decryption authentication please enable the %s feature gate in the controller"
+		msg := fmt.Sprintf(msgFmt, gate)
+		conditions.MarkFalse(obj, meta.ReadyCondition, meta.FeatureGateDisabledReason, msgFmt, gate)
+		conditions.MarkStalled(obj, meta.FeatureGateDisabledReason, msgFmt, gate)
+		log.Error(auth.ErrObjectLevelWorkloadIdentityNotEnabled, msg)
+		r.event(obj, "", "", eventv1.EventSeverityError, msg, nil)
+		return ctrl.Result{}, nil
+	}
+
 	// Resolve the source reference and requeue the reconciliation if the source is not found.
 	artifactSource, err := r.getSource(ctx, obj)
 	if err != nil {

internal/features/features.go

@@ -18,7 +18,10 @@ limitations under the License.
 // and their default states.
 package features
 
-import feathelper "github.com/fluxcd/pkg/runtime/features"
+import (
+	"github.com/fluxcd/pkg/auth"
+	feathelper "github.com/fluxcd/pkg/runtime/features"
+)
 
 const (
 	// CacheSecretsAndConfigMaps controls whether Secrets and ConfigMaps should
@@ -68,6 +71,10 @@ var features = map[string]bool{
 	GroupChangeLog: false,
 }
 
+func init() {
+	auth.SetFeatureGates(features)
+}
+
 // FeatureGates contains a list of all supported feature gates and
 // their default values.
 func FeatureGates() map[string]bool {

main.go

@@ -37,6 +37,7 @@ import (
 
 	"github.com/fluxcd/cli-utils/pkg/kstatus/polling/clusterreader"
 	"github.com/fluxcd/cli-utils/pkg/kstatus/polling/engine"
+	"github.com/fluxcd/pkg/auth"
 	pkgcache "github.com/fluxcd/pkg/cache"
 	"github.com/fluxcd/pkg/runtime/acl"
 	runtimeClient "github.com/fluxcd/pkg/runtime/client"
@@ -136,6 +137,14 @@ func main() {
 		os.Exit(1)
 	}
 
+	switch enabled, err := features.Enabled(auth.FeatureGateObjectLevelWorkloadIdentity); {
+	case err != nil:
+		setupLog.Error(err, "unable to check feature gate "+auth.FeatureGateObjectLevelWorkloadIdentity)
+		os.Exit(1)
+	case enabled:
+		auth.EnableObjectLevelWorkloadIdentity()
+	}
+
 	if err := intervalJitterOptions.SetGlobalJitter(nil); err != nil {
 		setupLog.Error(err, "unable to set global jitter")
 		os.Exit(1)