When building OCI artifacts from directories containing symlinks (e.g.,
symlink trees created by Nix), the symlinked files are silently skipped
because the underlying archive logic only handles regular files and
directories. This results in empty or incomplete artifacts.
This change adds a --resolve-symlinks flag to both 'flux build artifact'
and 'flux push artifact' commands. When set, symlinks are resolved by
copying their target contents into a temporary directory before building
the artifact. This approach:
- Preserves backward compatibility (default behavior unchanged)
- Works with symlinks pointing outside the source directory
- Handles symlinked files and directories
- Cleans up the temporary directory after the build completes
Fixes fluxcd/flux2#5055
Signed-off-by: rohansood10 <rohansood10@users.noreply.github.com>
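The commit message above says that `--resolve-symlinks` copies link targets into the artifact, including targets outside the source directory. As an added example (not code from the flux project), a pre-build check that lists the links in a source tree that resolve outside it or do not resolve at all, so what gets copied can be reviewed first; `EscapingSymlinks` is a hypothetical helper name.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// EscapingSymlinks walks root and returns the root-relative paths of symlinks
// whose resolved target lies outside root or cannot be resolved (dangling).
// Hypothetical helper for illustration; it is not part of the flux CLI.
func EscapingSymlinks(root string) ([]string, error) {
	// Canonicalise root first so the prefix comparison uses real paths.
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return nil, err
	}
	var flagged []string
	// WalkDir does not follow symlinks, so every link is seen exactly once.
	err = filepath.WalkDir(realRoot, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.Type()&fs.ModeSymlink == 0 {
			return nil // regular file or directory: nothing to resolve
		}
		rel, _ := filepath.Rel(realRoot, p)
		target, err := filepath.EvalSymlinks(p)
		if err != nil {
			flagged = append(flagged, rel) // dangling or looping link
			return nil
		}
		// "Inside" means the root itself or a path below root + separator.
		inside := target == realRoot ||
			strings.HasPrefix(target, realRoot+string(os.PathSeparator))
		if !inside {
			flagged = append(flagged, rel)
		}
		return nil
	})
	return flagged, err
}

func main() {
	found, err := EscapingSymlinks(".")
	fmt.Println(found, err)
}
```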
Update fluxcd/pkg/auth to v0.18.0 and simplify error handling for
GetArtifactRegistryCredentials() following the improvements made in
the library.
Similar to fluxcd/image-reflector-controller#786, this removes
unnecessary nil checks as the function now returns errors directly
for unsupported providers.
- Replace authentication code in push_artifact.go with loginWithProvider()
- Remove unnecessary authenticator nil check in oci.go
- Remove unused imports (errors, auth packages)
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
If applied, this commit will introduce a new `--insecure-repository`
flag to the following commands: `push artifacts`, `pull artifact`,
`diff artifact` and `list artifacts`. When used, the flag will lead to
the option `crane.Insecure` being passed to the `crane` client, allowing
the use of insecure repositories.
Signed-off-by: Matthieu Mottet <m.mottet@outlook.com>
This makes the pushed artifact have the exact same hash if the contents
are the same.
E.g.
```
flux push artifact oci://repo/image:tag1 --source deploy --revision="test" --path=deploy --reproducible
flux push artifact oci://repo/image:tag2 --source deploy --revision="test" --path=deploy --reproducible
```
will both result in the same sha hash, tagged with `tag1` and `tag2`.
This is useful when producing flux artifacts in a monorepo setup where
you don't want to unnecessarily push new artifacts unless something has
actually changed.
Signed-off-by: frekw <fredrik@warnsberg.se>
I've noticed during CI that the current command
already expected a configured Docker client to
push artifacts to authenticated registries.
Some users might not want to have the Docker client
in their process (like a CI job) or build a handcrafted
config.json file.
This would allow this kind of behavior:
```
flux push artifact oci://my-registry.dev/foo:v1 \
--source xxx \
--revision xxx \
--path . \
--creds $TOKEN # Authenticate via "Bearer $TOKEN" Authorization header
```
Or via Autologin:
```
flux push artifact oci://012345678901.dkr.ecr.us-east-1.amazonaws.com/foo:v1 \
--source xxx \
--revision xxx \
--path . \
--provider aws
```
This has been implemented for:
* flux push artifact
* flux list artifact
* flux tag artifact
* flux pull artifact
This will require another PR in https://github.com/fluxcd/pkg/pull/352
Signed-off-by: Adrien Fillon <adrien.fillon@manomano.com>
Implement build, push, pull and tag artifact commands.
For authentication purposes, all `flux <verb> artifact` commands are using the '~/.docker/config.json' config file and the Docker credential helpers.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>