From a762ab9b0b4b0b8207df8d585c6773017767c4ce Mon Sep 17 00:00:00 2001
From: Dhawal Seth
Date: Wed, 6 May 2026 23:20:00 -0700
Subject: [PATCH 1/7] Bump Go to 1.26.2 to fix critical security vulnerabilities
Addresses CVEs found in container image scanning:
- CVE-2026-27143 (Critical, CVSS 9.8)
- CVE-2026-27140 (High, CVSS 8.8)
- CVE-2026-33810 (High, CVSS 8.2)
- CVE-2026-32280 (High, CVSS 7.5)
- CVE-2026-32281 (High, CVSS 7.5)
- CVE-2026-32283 (High, CVSS 7.5)
- CVE-2026-27144 (High, CVSS 7.1)
Co-Authored-By: Claude Opus 4.5
---
 Dockerfile | 2 +-
 go.mod | 4 +-
 go.sum | 223 ++---------------------------------------------------
 3 files changed, 8 insertions(+), 221 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index d24485cb2f..a11010cf3a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM --platform=$BUILDPLATFORM golang:1.26.1 AS builder
+FROM --platform=$BUILDPLATFORM golang:1.26.2 AS builder
 WORKDIR /workspace
diff --git a/go.mod b/go.mod
index 87afed5906..1611b4b9e4 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/actions/actions-runner-controller
-go 1.26.1
+go 1.26.2
 require (
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0
@@ -116,7 +116,6 @@ require (
 github.com/go-sql-driver/mysql v1.9.3 // indirect
 github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
- github.com/gogo/protobuf v1.3.2 // indirect
 github.com/golang-jwt/jwt/v5 v5.3.1 // indirect
 github.com/gonvenience/bunt v1.4.3 // indirect
 github.com/gonvenience/idem v0.0.3 // indirect
@@ -126,7 +125,6 @@ require (
 github.com/gonvenience/ytbx v1.4.8 // indirect
 github.com/google/btree v1.1.3 // indirect
 github.com/google/gnostic-models v0.7.1 // indirect
- github.com/google/go-github/v75 v75.0.0 // indirect
 github.com/google/go-github/v84 v84.0.0 // indirect
 github.com/google/go-querystring v1.2.0 // indirect
 github.com/google/pprof v0.0.0-20260302011040-a15ffb7f9dcc // indirect
diff --git a/go.sum b/go.sum index 2d84f46293..8b1ad837ea 100644 --- a/go.sum +++ b/go.sum @@ -1,10 +1,6 @@ -filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= -filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= filippo.io/edwards25519 v1.2.0 h1:crnVqOiS4jqYleHd9vaKZ+HKtHfllngJIiOpNpoJsjo= filippo.io/edwards25519 v1.2.0/go.mod h1:xzAOLCNug/yB62zG1bQ8uziwrIqIuxhctzJT18Q77mc= github.com/Azure/azure-sdk-for-go v51.0.0+incompatible h1:p7blnyJSjJqf5jflHbSGhIhEpXIgIFmYZNg5uwqweso= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 h1:JXg2dwJUmPB9JmtVmdEB16APJ7jurfbY5jnfXpJoRMc= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0/go.mod h1:YD5h/ldMsG0XiIw7PdyNhLxaM317eFh5yNLccNfGdyw= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0 h1:fou+2+WFTib47nS+nz/ozhEBnvU96bKHy6LjRsY4E28= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0/go.mod h1:t76Ruy8AHvUAC8GfMWJMa0ElSbuIcO03NLpynfbgsPA= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 h1:Hk5QBxZQC1jb2Fwj6mpzme37xbCDdNTxU7O9eb5+LB4= 
@@ -19,172 +15,92 @@ github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0 h1:nCYfg github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0/go.mod h1:ucUjca2JtSZboY8IoUqyQyuuXvwbMBVwFOm0vdQPNhA= github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM= github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE= -github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 h1:XRzhVemXdgvJqCH0sFfrBUTnUJSBrBf7++ypk+twtRs= -github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk= github.com/AzureAD/microsoft-authentication-library-for-go v1.7.0 h1:4iB+IesclUXdP0ICgAabvq2FYLXrJWKx1fJQ+GxSo3Y= github.com/AzureAD/microsoft-authentication-library-for-go v1.7.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk= -github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg= -github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk= github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0= github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= -github.com/ProtonMail/go-crypto v1.3.0 h1:ILq8+Sf5If5DCpHQp4PbZdS1J7HDFRXz/+xKBiRGFrw= -github.com/ProtonMail/go-crypto v1.3.0/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE= github.com/ProtonMail/go-crypto v1.4.0 h1:Zq/pbM3F5DFgJiMouxEdSVY44MVoQNEKp5d5QxIQceQ= github.com/ProtonMail/go-crypto v1.4.0/go.mod h1:e1OaTyu5SYVrO9gKOEhTc+5UcXtTUa+P3uLudwcgPqo= github.com/actions-runner-controller/httpcache v0.2.0 h1:hCNvYuVPJ2xxYBymqBvH0hSiQpqz4PHF/LbU3XghGNI= github.com/actions-runner-controller/httpcache 
v0.2.0/go.mod h1:JLu9/2M/btPz1Zu/vTZ71XzukQHn2YeISPmJoM5exBI= -github.com/actions/scaleset v0.2.0 h1:CKsDtTjOBCwjyT4ikwiMykMttzuKejimWRAvVr8xj9w= -github.com/actions/scaleset v0.2.0/go.mod h1:ncR5vzCCTUSyLgvclAtZ5dRBgF6qwA2nbTfTXmOJp84= github.com/actions/scaleset v0.3.0 h1:y5/ClYLJXFuGCikzILOOPhaCShAcL6K0mnUtjDKFxVw= github.com/actions/scaleset v0.3.0/go.mod h1:2L2I6rggFWV+zprDet6y7y7Vkm3HPudaup78eSc79Uo= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= -github.com/aws/aws-sdk-go-v2 v1.39.2 h1:EJLg8IdbzgeD7xgvZ+I8M1e0fL0ptn/M47lianzth0I= -github.com/aws/aws-sdk-go-v2 v1.39.2/go.mod h1:sDioUELIUO9Znk23YVmIk86/9DOpkbyyVb1i/gUNFXY= github.com/aws/aws-sdk-go-v2 v1.41.3 h1:4kQ/fa22KjDt13QCy1+bYADvdgcxpfH18f0zP542kZA= github.com/aws/aws-sdk-go-v2 v1.41.3/go.mod h1:mwsPRE8ceUUpiTgF7QmQIJ7lgsKUPQOUl3o72QBrE1o= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.1 h1:i8p8P4diljCr60PpJp6qZXNlgX4m2yQFpYk+9ZT+J4E= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.1/go.mod h1:ddqbooRZYNoJ2dsTwOty16rM+/Aqmk/GOXrK8cg7V00= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.6 h1:N4lRUXZpZ1KVEUn6hxtco/1d2lgYhNn1fHkkl8WhlyQ= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.6/go.mod h1:lyw7GFp3qENLh7kwzf7iMzAxDn+NzjXEAGjKS2UOKqI= -github.com/aws/aws-sdk-go-v2/config v1.31.12 h1:pYM1Qgy0dKZLHX2cXslNacbcEFMkDMl+Bcj5ROuS6p8= -github.com/aws/aws-sdk-go-v2/config v1.31.12/go.mod h1:/MM0dyD7KSDPR+39p9ZNVKaHDLb9qnfDurvVS2KAhN8= github.com/aws/aws-sdk-go-v2/config v1.32.11 h1:ftxI5sgz8jZkckuUHXfC/wMUc8u3fG1vQS0plr2F2Zs= github.com/aws/aws-sdk-go-v2/config v1.32.11/go.mod h1:twF11+6ps9aNRKEDimksp923o44w/Thk9+8YIlzWMmo= -github.com/aws/aws-sdk-go-v2/credentials v1.18.16 h1:4JHirI4zp958zC026Sm+V4pSDwW4pwLefKrc0bF2lwI= -github.com/aws/aws-sdk-go-v2/credentials v1.18.16/go.mod 
h1:qQMtGx9OSw7ty1yLclzLxXCRbrkjWAM7JnObZjmCB7I= github.com/aws/aws-sdk-go-v2/credentials v1.19.11 h1:NdV8cwCcAXrCWyxArt58BrvZJ9pZ9Fhf9w6Uh5W3Uyc= github.com/aws/aws-sdk-go-v2/credentials v1.19.11/go.mod h1:30yY2zqkMPdrvxBqzI9xQCM+WrlrZKSOpSJEsylVU+8= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.9 h1:Mv4Bc0mWmv6oDuSWTKnk+wgeqPL5DRFu5bQL9BGPQ8Y= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.9/go.mod h1:IKlKfRppK2a1y0gy1yH6zD+yX5uplJ6UuPlgd48dJiQ= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.19 h1:INUvJxmhdEbVulJYHI061k4TVuS3jzzthNvjqvVvTKM= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.19/go.mod h1:FpZN2QISLdEBWkayloda+sZjVJL+e9Gl0k1SyTgcswU= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.19.11 h1:w4GjasReY0m9vZA/3YhoBUBi1ZIWUHYQRm61v0BKcZg= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.19.11/go.mod h1:IPS1CSYQ8lfLYGytpMEPW4erZmVFUdxLpC0RCI/RCn8= github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.22.7 h1:U1bRnGCibeRlgswAtU0OjsIy+3yQZGBJQoRvTz2m47k= github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.22.7/go.mod h1:o468HQR7wpjYUtIHLk7hMnk+1wya63m32Z4DnGqQJe0= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.9 h1:se2vOWGD3dWQUtfn4wEjRQJb1HK1XsNIt825gskZ970= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.9/go.mod h1:hijCGH2VfbZQxqCDN7bwz/4dzxV+hkyhjawAtdPWKZA= github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.19 h1:/sECfyq2JTifMI2JPyZ4bdRN77zJmr6SrS1eL3augIA= github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.19/go.mod h1:dMf8A5oAqr9/oxOfLkC/c2LU/uMcALP0Rgn2BD5LWn0= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9 h1:6RBnKZLkJM4hQ+kN6E7yWFveOTg8NLPHAkqrs4ZPlTU= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9/go.mod h1:V9rQKRmK7AWuEsOMnHzKj8WyrIir1yUJbZxDuZLFvXI= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.19 h1:AWeJMk33GTBf6J20XJe6qZoRSJo0WfUhsMdUKhoODXE= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.19/go.mod h1:+GWrYoaAsV7/4pNHpwh1kiNLXkKaSoppxQq9lbH8Ejw= 
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo= -github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.5 h1:clHU5fm//kWS1C2HgtgWxfQbFbx4b6rx+5jzhgX9HrI= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.5/go.mod h1:O3h0IK87yXci+kg6flUKzJnWeziQUKciKrLjcatSNcY= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.9 h1:w9LnHqTq8MEdlnyhV4Bwfizd65lfNCNgdlNC6mM5paE= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.9/go.mod h1:LGEP6EK4nj+bwWNdrvX/FnDTFowdBNwcSPuZu/ouFys= github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.20 h1:qi3e/dmpdONhj1RyIZdi6DKKpDXS5Lb8ftr3p7cyHJc= github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.20/go.mod h1:V1K+TeJVD5JOk3D9e5tsX2KUdL7BlB+FV6cBhdobN8c= -github.com/aws/aws-sdk-go-v2/service/acm v1.37.6 h1:48oGbMpBSzihrU145gpjrxySIs+VNGCXu9kLTLAdJJg= -github.com/aws/aws-sdk-go-v2/service/acm v1.37.6/go.mod h1:4Xgg9iUMFMpWd19UokmUwBCU6fqNJ7LPo11YYt3/xl4= github.com/aws/aws-sdk-go-v2/service/acm v1.37.21 h1:AUceKJhgt+FOwImMUPbOHKLpe5O9a8N/RtC+tLQ+sxc= github.com/aws/aws-sdk-go-v2/service/acm v1.37.21/go.mod h1:kkbySLpdZk0UNdU23rBaef7IfuSRy0/jEM84BGCcvKM= -github.com/aws/aws-sdk-go-v2/service/autoscaling v1.59.3 h1:2tVkkifL19ZmmCRJyOudUuTNRzA1SYN7D32iEkB8CvE= -github.com/aws/aws-sdk-go-v2/service/autoscaling v1.59.3/go.mod h1:/Utcw7rzRwiW7C9ypYInnEtgyU7Nr8eG3+RFUUvuE1o= github.com/aws/aws-sdk-go-v2/service/autoscaling v1.64.2 h1:pzFtdV2DArJul6aM3+WiWjUQ63IzrSnSbvBr8FAokt4= github.com/aws/aws-sdk-go-v2/service/autoscaling v1.64.2/go.mod h1:8xQlcle6cf4R66HrXbiahORXakWpLlvJXoiGae5BlIc= -github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.58.2 h1:JPW6ND8muLsBwALrf/VXikyokUmGWNKZa88qZWwFGWA= -github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.58.2/go.mod h1:3Dh12t3s/KrpEm7HNfg5RH+XWzi9LW2QI7velkc61ac= github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.64.0 h1:6QLwTAIR2z3QmYxuHM8nfZkW/C/qn4cvhesHIE98/CE= 
github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.64.0/go.mod h1:RCkMRCGlsyFwF9Accj7GsHQFCIR9s8iRbv4LPYOT9wY= -github.com/aws/aws-sdk-go-v2/service/dynamodb v1.51.0 h1:TfglMkeRNYNGkyJ+XOTQJJ/RQb+MBlkiMn2H7DYuZok= -github.com/aws/aws-sdk-go-v2/service/dynamodb v1.51.0/go.mod h1:AdM9p8Ytg90UaNYrZIsOivYeC5cDvTPC2Mqw4/2f2aM= github.com/aws/aws-sdk-go-v2/service/dynamodb v1.56.1 h1:EkW4NqA2mwCkL7YCDYh6OpA/bCMhKYbZgpRHt2FD2Ow= github.com/aws/aws-sdk-go-v2/service/dynamodb v1.56.1/go.mod h1:OQp5333OH1IjmJmJpTU4IwoaOoCMnDrThg0zIx169rE= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.254.1 h1:7p9bJCZ/b3EJXXARW7JMEs2IhsnI4YFHpfXQfgMh0eg= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.254.1/go.mod h1:M8WWWIfXmxA4RgTXcI/5cSByxRqjgne32Sh0VIbrn0A= github.com/aws/aws-sdk-go-v2/service/ec2 v1.294.0 h1:776KnBqePBBR6zEDi0bUIHXzUBOISa2WgAKEgckUF8M= github.com/aws/aws-sdk-go-v2/service/ec2 v1.294.0/go.mod h1:rB577GvkmJADVOFGY8/j9sPv/ewcsEtQNsd9Lrn7Zx0= -github.com/aws/aws-sdk-go-v2/service/ecr v1.50.5 h1:jzjNyiIrXJHumV1hwofcQLpIZtcDw+vPQL00rLI3s4g= -github.com/aws/aws-sdk-go-v2/service/ecr v1.50.5/go.mod h1:UtPKcYVHY6RrV9EaaM1KZGNaf9dgviFdsT6xoFMLQsM= github.com/aws/aws-sdk-go-v2/service/ecr v1.56.0 h1:XxNya31nOtsClGghvQ2VkhIB2S/rggb64x5vkHl4xZQ= github.com/aws/aws-sdk-go-v2/service/ecr v1.56.0/go.mod h1:T+Tz2Xp1gnvtlgvP7OyRHlr84KtI3fZW5Ax/e+s9b64= -github.com/aws/aws-sdk-go-v2/service/ecs v1.65.1 h1:pBbXc1fGRbrYl7NFujuubMmEFEp7CJiKTBsoDOIUkuk= -github.com/aws/aws-sdk-go-v2/service/ecs v1.65.1/go.mod h1:fu6WrWUHYyPRjzYO13UDXA7O6OShI8QbH5YSl9SOJwQ= github.com/aws/aws-sdk-go-v2/service/ecs v1.73.1 h1:TSmcWx+RzhGJrPNoFkuqANafJQ7xY3W2UBg6ShN3ae8= github.com/aws/aws-sdk-go-v2/service/ecs v1.73.1/go.mod h1:KWILGx+bRowcGyJU/va2Ift48c658blP5e1qvldnIRE= -github.com/aws/aws-sdk-go-v2/service/iam v1.47.7 h1:0EDAdmMTzsgXl++8a0JZ+Yx0/dOqT8o/EONknxlQK94= -github.com/aws/aws-sdk-go-v2/service/iam v1.47.7/go.mod h1:NkNbn/8/mFrPUq0Kg6EM6c0+GaTLG+aPzXxwB7RF5xo= github.com/aws/aws-sdk-go-v2/service/iam 
v1.53.5 h1:J8qtztl/SJ6lhk/Rke/F6PgpZ7V6UYq0my0Zc8hdLuc= github.com/aws/aws-sdk-go-v2/service/iam v1.53.5/go.mod h1:seDE466zJ4haVuAVcRk+yIH4DWb3s6cqt3Od8GxnGAA= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 h1:oegbebPEMA/1Jny7kvwejowCaHz1FWZAQ94WXFNCyTM= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1/go.mod h1:kemo5Myr9ac0U9JfSjMo9yHLtw+pECEHsFtJ9tqCEI8= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.6 h1:XAq62tBTJP/85lFD5oqOOe7YYgWxY9LvWq8plyDvDVg= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.6/go.mod h1:x0nZssQ3qZSnIcePWLvcoFisRXJzcTVvYpAAdYX8+GI= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.8.9 h1:by3nYZLR9l8bUH7kgaMU4dJgYFjyRdFEfORlDpPILB4= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.8.9/go.mod h1:IWjQYlqw4EX9jw2g3qnEPPWvCE6bS8fKzhMed1OK7c8= github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.11 h1:BYf7XNsJMzl4mObARUBUib+j2tf0U//JAAtTnYqvqCw= github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.11/go.mod h1:aEUS4WrNk/+FxkBZZa7tVgp4pGH+kFGW40Y8rCPqt5g= -github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.11.9 h1:7ILIzhRlYbHmZDdkF15B+RGEO8sGbdSe0RelD0RcV6M= -github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.11.9/go.mod h1:6LLPgzztobazqK65Q5qYsFnxwsN0v6cktuIvLC5M7DM= github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.11.19 h1:jdCj9vbCXwzTcIJX+MVd2UdssFhRJFTrWlPZwZB8Hpk= github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.11.19/go.mod h1:Dgg2d5WGRr7YB8JJsELskBxLUhgwWppXPwlvmuQKhbc= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.9 h1:5r34CgVOD4WZudeEKZ9/iKpiT6cM1JyEROpXjOcdWv8= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.9/go.mod h1:dB12CEbNWPbzO2uC6QSWHteqOg4JfBVJOojbAoAUb5I= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.19 h1:X1Tow7suZk9UCJHE1Iw9GMZJJl0dAnKXXP1NaSDHwmw= 
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.19/go.mod h1:/rARO8psX+4sfjUQXp5LLifjUt8DuATZ31WptNJTyQA= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.9 h1:wuZ5uW2uhJR63zwNlqWH2W4aL4ZjeJP3o92/W+odDY4= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.9/go.mod h1:/G58M2fGszCrOzvJUkDdY8O9kycodunH4VdT5oBAqls= github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.19 h1:JnQeStZvPHFHeyky/7LbMlyQjUa+jIBj36OlWm0pzIk= github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.19/go.mod h1:HGyasyHvYdFQeJhvDHfH7HXkHh57htcJGKDZ+7z+I24= -github.com/aws/aws-sdk-go-v2/service/kms v1.45.6 h1:Br3kil4j7RPW+7LoLVkYt8SuhIWlg6ylmbmzXJ7PgXY= -github.com/aws/aws-sdk-go-v2/service/kms v1.45.6/go.mod h1:FKXkHzw1fJZtg1P1qoAIiwen5thz/cDRTTDCIu8ljxc= github.com/aws/aws-sdk-go-v2/service/kms v1.50.2 h1:UOHOXigIzDRaEU03CBQcZ5uW7FNC7E+vwfhsQWXl5RQ= github.com/aws/aws-sdk-go-v2/service/kms v1.50.2/go.mod h1:nAa5gmcmAmjXN3tGuhPSHLXFeWv+7nzKhjZzh8F7MH0= -github.com/aws/aws-sdk-go-v2/service/lambda v1.77.6 h1:bU48NwA1e9jFkng1qYUVQjdJFEIv0oxhDO/Zz57M5IU= -github.com/aws/aws-sdk-go-v2/service/lambda v1.77.6/go.mod h1:LFNm6TvaFI2Li7U18hJB++k+qH5nK3TveIFD7x9TFHc= github.com/aws/aws-sdk-go-v2/service/lambda v1.88.2 h1:j+IFEtr7aykD6jJRE86kv/+TgN1UK90LudBuz2bjjYw= github.com/aws/aws-sdk-go-v2/service/lambda v1.88.2/go.mod h1:IDvS3hFp41ZJTByY7BO8PNgQkPNeQDjJfU/0cHJ2V4o= -github.com/aws/aws-sdk-go-v2/service/rds v1.108.0 h1:YjrOsnMMAv01zkaBxbGzEm2gy4/mrFfSiIlbYLAf8ZQ= -github.com/aws/aws-sdk-go-v2/service/rds v1.108.0/go.mod h1:VOBL5tbhS7AF0m5YpfwLuRBpb5QVp4EWSPizUr/D6iE= github.com/aws/aws-sdk-go-v2/service/rds v1.116.2 h1:KQLPCn9BWXW0Y8DyzEokbTF9HOiOQoR77Eu9GKcjBWU= github.com/aws/aws-sdk-go-v2/service/rds v1.116.2/go.mod h1:aPw0arz1e+cZUbF4LU7ZMYB1ZSYsJKi/tsAq9wADfeE= -github.com/aws/aws-sdk-go-v2/service/route53 v1.58.4 h1:KycXrohD5OxAZ5h02YechO2gevvoHfAPAaJM5l8zqb0= -github.com/aws/aws-sdk-go-v2/service/route53 v1.58.4/go.mod 
h1:xNLZLn4SusktBQ5moqUOgiDKGz3a7vHwF4W0KD+WBPc= github.com/aws/aws-sdk-go-v2/service/route53 v1.62.3 h1:JRPXnIr0WwFsSHBmuCvT/uh0Vgys+crvwkOghbJEqi8= github.com/aws/aws-sdk-go-v2/service/route53 v1.62.3/go.mod h1:DHddp7OO4bY467WVCqWBzk5+aEWn7vqYkap7UigJzGk= -github.com/aws/aws-sdk-go-v2/service/s3 v1.88.3 h1:P18I4ipbk+b/3dZNq5YYh+Hq6XC0vp5RWkLp1tJldDA= -github.com/aws/aws-sdk-go-v2/service/s3 v1.88.3/go.mod h1:Rm3gw2Jov6e6kDuamDvyIlZJDMYk97VeCZ82wz/mVZ0= github.com/aws/aws-sdk-go-v2/service/s3 v1.97.0 h1:zyKY4OxzUImu+DigelJI9o49QQv8CjREs5E1CywjtIA= github.com/aws/aws-sdk-go-v2/service/s3 v1.97.0/go.mod h1:NF3JcMGOiARAss1ld3WGORCw71+4ExDD2cbbdKS5PpA= -github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.39.6 h1:9PWl450XOG+m5lKv+qg5BXso1eLxpsZLqq7VPug5km0= -github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.39.6/go.mod h1:hwt7auGsDcaNQ8pzLgE2kCNyIWouYlAKSjuUu5Dqr7I= github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.3 h1:9bb0dEq1WzA0ZxIGG2EmwEgxfMAJpHyusxwbVN7f6iM= github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.3/go.mod h1:2z9eg35jfuRtdPE4Ci0ousrOU9PBhDBilXA1cwq9Ptk= github.com/aws/aws-sdk-go-v2/service/signin v1.0.7 h1:Y2cAXlClHsXkkOvWZFXATr34b0hxxloeQu/pAZz2row= github.com/aws/aws-sdk-go-v2/service/signin v1.0.7/go.mod h1:idzZ7gmDeqeNrSPkdbtMp9qWMgcBwykA7P7Rzh5DXVU= -github.com/aws/aws-sdk-go-v2/service/sns v1.38.5 h1:c0hINjMfDQvQLJJxfNNcIaLYVLC7E0W2zOQOVVKLnnU= -github.com/aws/aws-sdk-go-v2/service/sns v1.38.5/go.mod h1:E427ZzdOMWh/4KtD48AGfbWLX14iyw9URVOdIwtv80o= github.com/aws/aws-sdk-go-v2/service/sns v1.39.13 h1:8xP94tDzFpgwIOsusGiEFHPaqrpckDojoErk/ZFZTio= github.com/aws/aws-sdk-go-v2/service/sns v1.39.13/go.mod h1:RwF6Xnba8PlINxJUQq1IAWeon6IglvqsnhNqV8QsQjk= -github.com/aws/aws-sdk-go-v2/service/sqs v1.42.8 h1:cWiY+//XL5QOYKJyf4Pvt+oE/5wSIi095+bS+ME2lGw= -github.com/aws/aws-sdk-go-v2/service/sqs v1.42.8/go.mod h1:sLvnKf0p0sMQ33nkJGP2NpYyWHMojpL0O9neiCGc9lc= github.com/aws/aws-sdk-go-v2/service/sqs v1.42.23 
h1:Rw3+8VaLH0jozccNR52bSvCPYtkiQeNn576l7HCHvL0= github.com/aws/aws-sdk-go-v2/service/sqs v1.42.23/go.mod h1:MdjRkQEd2EUOiifYnkg/6f1NGtZSN3dFOLNByzufXok= -github.com/aws/aws-sdk-go-v2/service/ssm v1.65.1 h1:TFg6XiS7EsHN0/jpV3eVNczZi/sPIVP5jxIs+euIESQ= -github.com/aws/aws-sdk-go-v2/service/ssm v1.65.1/go.mod h1:OIezd9K0sM/64DDP4kXx/i0NdgXu6R5KE6SCsIPJsjc= github.com/aws/aws-sdk-go-v2/service/ssm v1.68.2 h1:idKv7B7NjmTDd05YHQYMMEFNeD0rWxs/kVX4lsjEiDo= github.com/aws/aws-sdk-go-v2/service/ssm v1.68.2/go.mod h1:1NiL45h4A60CO/hu/UdNyG5AD3VEsdpaQx1l5KtpurA= -github.com/aws/aws-sdk-go-v2/service/sso v1.29.6 h1:A1oRkiSQOWstGh61y4Wc/yQ04sqrQZr1Si/oAXj20/s= -github.com/aws/aws-sdk-go-v2/service/sso v1.29.6/go.mod h1:5PfYspyCU5Vw1wNPsxi15LZovOnULudOQuVxphSflQA= github.com/aws/aws-sdk-go-v2/service/sso v1.30.12 h1:iSsvB9EtQ09YrsmIc44Heqlx5ByGErqhPK1ZQLppias= github.com/aws/aws-sdk-go-v2/service/sso v1.30.12/go.mod h1:fEWYKTRGoZNl8tZ77i61/ccwOMJdGxwOhWCkp6TXAr0= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.1 h1:5fm5RTONng73/QA73LhCNR7UT9RpFH3hR6HWL6bIgVY= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.1/go.mod h1:xBEjWD13h+6nq+z4AkqSfSvqRKFgDIQeaMguAJndOWo= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.16 h1:EnUdUqRP1CNzt2DkV67tJx6XDN4xlfBFm+bzeNOQVb0= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.16/go.mod h1:Jic/xv0Rq/pFNCh3WwpH4BEqdbSAl+IyHro8LbibHD8= -github.com/aws/aws-sdk-go-v2/service/sts v1.38.6 h1:p3jIvqYwUZgu/XYeI48bJxOhvm47hZb5HUQ0tn6Q9kA= -github.com/aws/aws-sdk-go-v2/service/sts v1.38.6/go.mod h1:WtKK+ppze5yKPkZ0XwqIVWD4beCwv056ZbPQNoeHqM8= github.com/aws/aws-sdk-go-v2/service/sts v1.41.8 h1:XQTQTF75vnug2TXS8m7CVJfC2nniYPZnO1D4Np761Oo= github.com/aws/aws-sdk-go-v2/service/sts v1.41.8/go.mod h1:Xgx+PR1NUOjNmQY+tRMnouRp83JRM8pRMw/vCaVhPkI= -github.com/aws/smithy-go v1.23.0 h1:8n6I3gXzWJB2DxBDnfxgBaSX6oe0d/t10qGz7OKqMCE= -github.com/aws/smithy-go v1.23.0/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI= github.com/aws/smithy-go v1.24.2 
h1:FzA3bu/nt/vDvmnkg+R8Xl46gmzEDam6mZ1hzmwXFng= github.com/aws/smithy-go v1.24.2/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= @@ -192,17 +108,12 @@ github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6r github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= github.com/boombuler/barcode v1.1.0 h1:ChaYjBR63fr4LFyGn8E8nt7dBSt3MiU3zMOZqFvVkHo= github.com/boombuler/barcode v1.1.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= -github.com/bradleyfalzon/ghinstallation v1.1.1 h1:pmBXkxgM1WeF8QYvDLT5kuQiHMcmf+X015GI0KM/E3I= -github.com/bradleyfalzon/ghinstallation/v2 v2.17.0 h1:SmbUK/GxpAspRjSQbB6ARvH+ArzlNzTtHydNyXUQ6zg= -github.com/bradleyfalzon/ghinstallation/v2 v2.17.0/go.mod h1:vuD/xvJT9Y+ZVZRv4HQ42cMyPFIYqpc7AbB4Gvt/DlY= github.com/bradleyfalzon/ghinstallation/v2 v2.18.0 h1:WPqnN6NS9XvYlOgZQAIseN7Z1uAiE+UxgDKlW7FvFuU= github.com/bradleyfalzon/ghinstallation/v2 v2.18.0/go.mod h1:gpoSwwWc4biE49F7n+roCcpkEkZ1Qr9soZ2ESvMiouU= github.com/brunoga/deep v1.2.4 h1:Aj9E9oUbE+ccbyh35VC/NHlzzjfIVU69BXu2mt2LmL8= github.com/brunoga/deep v1.2.4/go.mod h1:GDV6dnXqn80ezsLSZ5Wlv1PdKAWAO4L5PnKYtv2dgaI= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0= -github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs= github.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg8= github.com/cloudflare/circl v1.6.3/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJRn81BiS4= github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= 
@@ -241,68 +152,42 @@ github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= -github.com/go-openapi/jsonpointer v0.22.1 h1:sHYI1He3b9NqJ4wXLoJDKmUmHkWy/L7rtEo92JUxBNk= -github.com/go-openapi/jsonpointer v0.22.1/go.mod h1:pQT9OsLkfz1yWoMgYFy4x3U5GY5nUlsOn1qSBH5MkCM= github.com/go-openapi/jsonpointer v0.22.5 h1:8on/0Yp4uTb9f4XvTrM2+1CPrV05QPZXu+rvu2o9jcA= github.com/go-openapi/jsonpointer v0.22.5/go.mod h1:gyUR3sCvGSWchA2sUBJGluYMbe1zazrYWIkWPjjMUY0= -github.com/go-openapi/jsonreference v0.21.2 h1:Wxjda4M/BBQllegefXrY/9aq1fxBA8sI5M/lFU6tSWU= -github.com/go-openapi/jsonreference v0.21.2/go.mod h1:pp3PEjIsJ9CZDGCNOyXIQxsNuroxm8FAJ/+quA0yKzQ= github.com/go-openapi/jsonreference v0.21.5 h1:6uCGVXU/aNF13AQNggxfysJ+5ZcU4nEAe+pJyVWRdiE= github.com/go-openapi/jsonreference v0.21.5/go.mod h1:u25Bw85sX4E2jzFodh1FOKMTZLcfifd1Q+iKKOUxExw= -github.com/go-openapi/swag v0.25.1 h1:6uwVsx+/OuvFVPqfQmOOPsqTcm5/GkBhNwLqIR916n8= -github.com/go-openapi/swag v0.25.1/go.mod h1:bzONdGlT0fkStgGPd3bhZf1MnuPkf2YAys6h+jZipOo= github.com/go-openapi/swag v0.25.5 h1:pNkwbUEeGwMtcgxDr+2GBPAk4kT+kJ+AaB+TMKAg+TU= github.com/go-openapi/swag v0.25.5/go.mod h1:B3RT6l8q7X803JRxa2e59tHOiZlX1t8viplOcs9CwTA= -github.com/go-openapi/swag/cmdutils v0.25.1 h1:nDke3nAFDArAa631aitksFGj2omusks88GF1VwdYqPY= -github.com/go-openapi/swag/cmdutils v0.25.1/go.mod h1:pdae/AFo6WxLl5L0rq87eRzVPm/XRHM3MoYgRMvG4A0= github.com/go-openapi/swag/cmdutils v0.25.5 h1:yh5hHrpgsw4NwM9KAEtaDTXILYzdXh/I8Whhx9hKj7c= github.com/go-openapi/swag/cmdutils v0.25.5/go.mod h1:pdae/AFo6WxLl5L0rq87eRzVPm/XRHM3MoYgRMvG4A0= -github.com/go-openapi/swag/conv v0.25.1 h1:+9o8YUg6QuqqBM5X6rYL/p1dpWeZRhoIt9x7CCP+he0= -github.com/go-openapi/swag/conv v0.25.1/go.mod 
h1:Z1mFEGPfyIKPu0806khI3zF+/EUXde+fdeksUl2NiDs= github.com/go-openapi/swag/conv v0.25.5 h1:wAXBYEXJjoKwE5+vc9YHhpQOFj2JYBMF2DUi+tGu97g= github.com/go-openapi/swag/conv v0.25.5/go.mod h1:CuJ1eWvh1c4ORKx7unQnFGyvBbNlRKbnRyAvDvzWA4k= -github.com/go-openapi/swag/fileutils v0.25.1 h1:rSRXapjQequt7kqalKXdcpIegIShhTPXx7yw0kek2uU= -github.com/go-openapi/swag/fileutils v0.25.1/go.mod h1:+NXtt5xNZZqmpIpjqcujqojGFek9/w55b3ecmOdtg8M= github.com/go-openapi/swag/fileutils v0.25.5 h1:B6JTdOcs2c0dBIs9HnkyTW+5gC+8NIhVBUwERkFhMWk= github.com/go-openapi/swag/fileutils v0.25.5/go.mod h1:V3cT9UdMQIaH4WiTrUc9EPtVA4txS0TOmRURmhGF4kc= -github.com/go-openapi/swag/jsonname v0.25.1 h1:Sgx+qbwa4ej6AomWC6pEfXrA6uP2RkaNjA9BR8a1RJU= -github.com/go-openapi/swag/jsonname v0.25.1/go.mod h1:71Tekow6UOLBD3wS7XhdT98g5J5GR13NOTQ9/6Q11Zo= github.com/go-openapi/swag/jsonname v0.25.5 h1:8p150i44rv/Drip4vWI3kGi9+4W9TdI3US3uUYSFhSo= github.com/go-openapi/swag/jsonname v0.25.5/go.mod h1:jNqqikyiAK56uS7n8sLkdaNY/uq6+D2m2LANat09pKU= -github.com/go-openapi/swag/jsonutils v0.25.1 h1:AihLHaD0brrkJoMqEZOBNzTLnk81Kg9cWr+SPtxtgl8= -github.com/go-openapi/swag/jsonutils v0.25.1/go.mod h1:JpEkAjxQXpiaHmRO04N1zE4qbUEg3b7Udll7AMGTNOo= github.com/go-openapi/swag/jsonutils v0.25.5 h1:XUZF8awQr75MXeC+/iaw5usY/iM7nXPDwdG3Jbl9vYo= github.com/go-openapi/swag/jsonutils v0.25.5/go.mod h1:48FXUaz8YsDAA9s5AnaUvAmry1UcLcNVWUjY42XkrN4= -github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.1 h1:DSQGcdB6G0N9c/KhtpYc71PzzGEIc/fZ1no35x4/XBY= -github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.1/go.mod h1:kjmweouyPwRUEYMSrbAidoLMGeJ5p6zdHi9BgZiqmsg= github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.5 h1:SX6sE4FrGb4sEnnxbFL/25yZBb5Hcg1inLeErd86Y1U= -github.com/go-openapi/swag/loading v0.25.1 h1:6OruqzjWoJyanZOim58iG2vj934TysYVptyaoXS24kw= -github.com/go-openapi/swag/loading v0.25.1/go.mod h1:xoIe2EG32NOYYbqxvXgPzne989bWvSNoWoyQVWEZicc= +github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.5/go.mod 
h1:/2KvOTrKWjVA5Xli3DZWdMCZDzz3uV/T7bXwrKWPquo= github.com/go-openapi/swag/loading v0.25.5 h1:odQ/umlIZ1ZVRteI6ckSrvP6e2w9UTF5qgNdemJHjuU= github.com/go-openapi/swag/loading v0.25.5/go.mod h1:I8A8RaaQ4DApxhPSWLNYWh9NvmX2YKMoB9nwvv6oW6g= -github.com/go-openapi/swag/mangling v0.25.1 h1:XzILnLzhZPZNtmxKaz/2xIGPQsBsvmCjrJOWGNz/ync= -github.com/go-openapi/swag/mangling v0.25.1/go.mod h1:CdiMQ6pnfAgyQGSOIYnZkXvqhnnwOn997uXZMAd/7mQ= github.com/go-openapi/swag/mangling v0.25.5 h1:hyrnvbQRS7vKePQPHHDso+k6CGn5ZBs5232UqWZmJZw= github.com/go-openapi/swag/mangling v0.25.5/go.mod h1:6hadXM/o312N/h98RwByLg088U61TPGiltQn71Iw0NY= -github.com/go-openapi/swag/netutils v0.25.1 h1:2wFLYahe40tDUHfKT1GRC4rfa5T1B4GWZ+msEFA4Fl4= -github.com/go-openapi/swag/netutils v0.25.1/go.mod h1:CAkkvqnUJX8NV96tNhEQvKz8SQo2KF0f7LleiJwIeRE= github.com/go-openapi/swag/netutils v0.25.5 h1:LZq2Xc2QI8+7838elRAaPCeqJnHODfSyOa7ZGfxDKlU= github.com/go-openapi/swag/netutils v0.25.5/go.mod h1:lHbtmj4m57APG/8H7ZcMMSWzNqIQcu0RFiXrPUara14= -github.com/go-openapi/swag/stringutils v0.25.1 h1:Xasqgjvk30eUe8VKdmyzKtjkVjeiXx1Iz0zDfMNpPbw= -github.com/go-openapi/swag/stringutils v0.25.1/go.mod h1:JLdSAq5169HaiDUbTvArA2yQxmgn4D6h4A+4HqVvAYg= github.com/go-openapi/swag/stringutils v0.25.5 h1:NVkoDOA8YBgtAR/zvCx5rhJKtZF3IzXcDdwOsYzrB6M= github.com/go-openapi/swag/stringutils v0.25.5/go.mod h1:PKK8EZdu4QJq8iezt17HM8RXnLAzY7gW0O1KKarrZII= -github.com/go-openapi/swag/typeutils v0.25.1 h1:rD/9HsEQieewNt6/k+JBwkxuAHktFtH3I3ysiFZqukA= -github.com/go-openapi/swag/typeutils v0.25.1/go.mod h1:9McMC/oCdS4BKwk2shEB7x17P6HmMmA6dQRtAkSnNb8= github.com/go-openapi/swag/typeutils v0.25.5 h1:EFJ+PCga2HfHGdo8s8VJXEVbeXRCYwzzr9u4rJk7L7E= github.com/go-openapi/swag/typeutils v0.25.5/go.mod h1:itmFmScAYE1bSD8C4rS0W+0InZUBrB2xSPbWt6DLGuc= -github.com/go-openapi/swag/yamlutils v0.25.1 h1:mry5ez8joJwzvMbaTGLhw8pXUnhDK91oSJLDPF1bmGk= -github.com/go-openapi/swag/yamlutils v0.25.1/go.mod h1:cm9ywbzncy3y6uPm/97ysW8+wZ09qsks+9RS8fLWKqg= 
github.com/go-openapi/swag/yamlutils v0.25.5 h1:kASCIS+oIeoc55j28T4o8KwlV2S4ZLPT6G0iq2SSbVQ= github.com/go-openapi/swag/yamlutils v0.25.5/go.mod h1:Gek1/SjjfbYvM+Iq4QGwa/2lEXde9n2j4a3wI3pNuOQ= +github.com/go-openapi/testify/enable/yaml/v2 v2.4.0 h1:7SgOMTvJkM8yWrQlU8Jm18VeDPuAvB/xWrdxFJkoFag= +github.com/go-openapi/testify/enable/yaml/v2 v2.4.0/go.mod h1:14iV8jyyQlinc9StD7w1xVPW3CO3q1Gj04Jy//Kw4VM= +github.com/go-openapi/testify/v2 v2.4.0 h1:8nsPrHVCWkQ4p8h1EsRVymA2XABB4OT40gcvAu+voFM= +github.com/go-openapi/testify/v2 v2.4.0/go.mod h1:HCPmvFFnheKK2BuwSA0TbbdxJ3I16pjwMkYkP4Ywn54= github.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1aweo= github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU= -github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= 
@@ -311,12 +196,8 @@ github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlnd github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw= github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= -github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI= github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= -github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo= -github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE= github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY= github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 
@@ -326,58 +207,37 @@ github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrU github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/gonvenience/bunt v1.4.2 h1:nTgkFZsw38SIJKABhLj8aXj2rqion9Zo1so/EBkbFBY= -github.com/gonvenience/bunt v1.4.2/go.mod h1:WjyEO2rSYR+OLZg67Ucl+gjdXPs8GpFl63SCA02XDyI= github.com/gonvenience/bunt v1.4.3 h1:MLd8YWu1Vl1tiL+XfXJvVA9kL71yQT0N+x7gXVH9H7w= github.com/gonvenience/bunt v1.4.3/go.mod h1:ggA6odP6FNOh50mGxxytSSJTs2Ghy5Veq9wIVSbuoAw= -github.com/gonvenience/idem v0.0.2 h1:jWHknjPfSbiWgYKre9wB2FhMgVLd1RWXCXzVq+7VIWg= -github.com/gonvenience/idem v0.0.2/go.mod h1:0Xv1MpnNL40+dsyOxaJFa7L8ekeTRr63WaWXpiWLFFM= github.com/gonvenience/idem v0.0.3 h1:rZ2f17JU5GHa3b5M5R2fClz0dYN3EFGhHHGo3AZz/1U= github.com/gonvenience/idem v0.0.3/go.mod h1:ChZ+RP8e30+uCBcCIzN/0di6lTO2PucjemgKfzQUQEw= -github.com/gonvenience/neat v1.3.16 h1:Vb0iCkSHGWaA+ry69RY3HpQ6Ooo6o/g2wjI80db8DjI= -github.com/gonvenience/neat v1.3.16/go.mod h1:sLxdQNNluxbpROxTTHs3XBSJX8fwFX5toEULUy74ODA= github.com/gonvenience/neat v1.3.18 h1:WxWoXhsTHA6CStNrGgSEjGTt5MwIm+7Xs+VZmQIuXZA= github.com/gonvenience/neat v1.3.18/go.mod h1:DTaEyHIOjSkMa066EoZZl3k5KCG/rFGE67n0cjm/9qk= -github.com/gonvenience/term v1.0.4 h1:qkCGfmUtpzs9W4jWgNijaGF6dg3oSIh+kZCzT5cPNZY= -github.com/gonvenience/term v1.0.4/go.mod h1:OzNdQC5NVBou9AifaHd1QG6EP8iDdpaT7GFm1bVgslg= github.com/gonvenience/term v1.0.5 h1:PYfBH7FB1V+tuuJl4KYrqG/tzAOUnvTy8IFa9YqYrJY= github.com/gonvenience/term v1.0.5/go.mod h1:CYvcU7H3nE6eOP0gvGfYz4BjGJzM1GeNp+fx4IBWKLs= -github.com/gonvenience/text v1.0.9 h1:U29BxT3NZnNPcfiEnAwt6yHXe38fQs2Q+WTqs1X+atI= -github.com/gonvenience/text v1.0.9/go.mod h1:JQF1ifXNRaa66jnPLqoITA+y8WATlG0eJzFC9ElJS3s= 
github.com/gonvenience/text v1.0.10 h1:QRqtC/KMk57K7y4jHi4HjLxf8u+tg+/tIRCS5afywNE= github.com/gonvenience/text v1.0.10/go.mod h1:qO4aTZGAXbeW7eJXK+94nIc5Uumz8Q5DphOFZex6JHI= -github.com/gonvenience/ytbx v1.4.7 h1:3wJ7EOfdv3Lg+h0mzKo7f8d1zMY1EJtVzzYrA3UhjHQ= -github.com/gonvenience/ytbx v1.4.7/go.mod h1:ZmAU727eOTYeC4aUJuqyb9vogNAN7NiSKfw6Aoxbqys= github.com/gonvenience/ytbx v1.4.8 h1:V7oea89gLUN1C0rGDHxnt1YMAd7wHau9LC80Ng2QauA= github.com/gonvenience/ytbx v1.4.8/go.mod h1:DVrIUZAiVv/bzOU3esvEvhGWED4YbyhSAuFru5nlzD4= github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg= github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= -github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo= -github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ= github.com/google/gnostic-models v0.7.1 h1:SisTfuFKJSKM5CPZkffwi6coztzzeYUhc3v4yxLWH8c= github.com/google/gnostic-models v0.7.1/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= github.com/google/go-github/v52 v52.0.0 h1:uyGWOY+jMQ8GVGSX8dkSwCzlehU3WfdxQ7GweO/JP7M= github.com/google/go-github/v52 v52.0.0/go.mod h1:WJV6VEEUPuMo5pXqqa2ZCZEdbQqua4zAk2MZTIo+m+4= -github.com/google/go-github/v75 v75.0.0 h1:k7q8Bvg+W5KxRl9Tjq16a9XEgVY1pwuiG5sIL7435Ic= -github.com/google/go-github/v75 v75.0.0/go.mod 
h1:H3LUJEA1TCrzuUqtdAQniBNwuKiQIqdGKgBo1/M/uqI= github.com/google/go-github/v84 v84.0.0 h1:I/0Xn5IuChMe8TdmI2bbim5nyhaRFJ7DEdzmD2w+yVA= github.com/google/go-github/v84 v84.0.0/go.mod h1:WwYL1z1ajRdlaPszjVu/47x1L0PXukJBn73xsiYrRRQ= -github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= -github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU= github.com/google/go-querystring v1.2.0 h1:yhqkPbu2/OH+V9BfpCVPZkNmUXhb2gBxJArfhIxNtP0= github.com/google/go-querystring v1.2.0/go.mod h1:8IFJqpSRITyJ8QhQ13bmbeMBDfmeEJZD5A0egEOmkqU= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20251002213607-436353cc1ee6 h1:/WHh/1k4thM/w+PAZEIiZK9NwCMFahw5tUzKUCnUtds= -github.com/google/pprof v0.0.0-20251002213607-436353cc1ee6/go.mod h1:I6V7YzU0XDpsHqbsyrghnFZLO1gwK6NPTNvmetQIk9U= github.com/google/pprof v0.0.0-20260302011040-a15ffb7f9dcc h1:VBbFa1lDYWEeV5FZKUiYKYT0VxCp9twUmmaq9eb8sXw= github.com/google/pprof v0.0.0-20260302011040-a15ffb7f9dcc/go.mod h1:MxpfABSjhmINe3F1It9d+8exIHFvUqtLIRCdOGNXqiI= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= 
@@ -388,8 +248,6 @@ github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5T github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA= github.com/gruntwork-io/go-commons v0.17.2 h1:14dsCJ7M5Vv2X3BIPKeG9Kdy6vTMGhM8L4WZazxfTuY= github.com/gruntwork-io/go-commons v0.17.2/go.mod h1:zs7Q2AbUKuTarBPy19CIxJVUX/rBamfW8IwuWKniWkE= -github.com/gruntwork-io/terratest v0.54.0 h1:JOVATYDpU0NAPbEkgYUP50BR2m45UGiR4dbs20sKzck= -github.com/gruntwork-io/terratest v0.54.0/go.mod h1:QvwQWZMTJmJB4E0d1Uc18quQm7+X53liKKp+fJSuaKA= github.com/gruntwork-io/terratest v0.56.0 h1:Z01eNpWsgEqVQbMpdS5HzUZDBIxyib7Psqzias+HbqQ= github.com/gruntwork-io/terratest v0.56.0/go.mod h1:gflMQk8AYbzJSwKQzgt0vmF8Js+GTBA0nbE/vQe811o= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= @@ -403,8 +261,6 @@ github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+l github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= github.com/hashicorp/go-retryablehttp v0.7.8 h1:ylXZWnqa7Lhqpk0L1P1LzDtGcCR0rPVUrx/c8Unxc48= github.com/hashicorp/go-retryablehttp v0.7.8/go.mod h1:rjiScheydd+CxvumBsIrFKlx3iS0jrZ7LvzFGFmuKbw= -github.com/homeport/dyff v1.10.2 h1:XyB+D0KVwjbUFTZYIkvPtsImwkfh+ObH2CEdEHTqdr4= -github.com/homeport/dyff v1.10.2/go.mod h1:0kIjL/JOGaXigzrLY6kcl5esSStbAa99r6GzEvr7lrs= github.com/homeport/dyff v1.11.2 h1:SOJlKWKyJWaajWqwT6PKnu09Hg7p/0YDKhMvSmcPVgM= github.com/homeport/dyff v1.11.2/go.mod h1:3BXJOOPsVjehdhzvnZmRzHt5DmjvKh3MkFulmH9Y1ok= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= 
@@ -416,8 +272,6 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg= github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo= github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM= -github.com/jackc/pgx/v5 v5.7.6 h1:rWQc5FwZSPX58r1OQmkuaNicxdmExaEz5A2DO2hUuTk= -github.com/jackc/pgx/v5 v5.7.6/go.mod h1:aruU7o91Tc2q2cFp5h4uP3f6ztExVpyVv88Xl/8Vl8M= github.com/jackc/pgx/v5 v5.8.0 h1:TYPDoleBBme0xGSAX3/+NujXXtpZn9HBONkQC7IEZSo= github.com/jackc/pgx/v5 v5.8.0/go.mod h1:QVeDInX2m9VyzvNeiCJVjCkNFqzsNb43204HshNSZKw= github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo= @@ -432,8 +286,6 @@ github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dv github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg= github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU= github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k= -github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= -github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo= github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ= github.com/knadh/koanf/maps v0.1.2 h1:RBfmAW5CnZT+PJ1CVc1QSJKf4Xu9kxfQgYVQSu8hpbo= 
@@ -505,14 +357,10 @@ github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+W github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.27.3 h1:ICsZJ8JoYafeXFFlFAG75a7CxMsJHwgKwtO+82SE9L8= -github.com/onsi/ginkgo/v2 v2.27.3/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= github.com/onsi/ginkgo/v2 v2.28.1 h1:S4hj+HbZp40fNKuLUQOYLDgZLwNUVn19N3Atb98NCyI= github.com/onsi/ginkgo/v2 v2.28.1/go.mod h1:CLtbVInNckU3/+gC8LzkGUb9oF+e8W8TdUsxPwvdOgE= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= -github.com/onsi/gomega v1.38.3 h1:eTX+W6dobAYfFeGC2PV6RwXRu/MyT+cQguijutvkpSM= -github.com/onsi/gomega v1.38.3/go.mod h1:ZCU1pkQcXDO5Sl9/VVEGlDyp+zm0m1cmeG5TOzLgdh4= github.com/onsi/gomega v1.39.1 h1:1IJLAad4zjPn2PsnhH70V4DKRFlrCzGBNrNaru+Vf28= github.com/onsi/gomega v1.39.1/go.mod h1:hL6yVALoTOxeWudERyfppUcZXjMwIMLnuSfruD2lcfg= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= 
@@ -528,20 +376,15 @@ github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg= github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk= github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE= -github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs= -github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA= github.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4= github.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw= -github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0= -github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw= github.com/prometheus/procfs v0.20.1 h1:XwbrGOIplXW/AU3YhIhLODXMJYyC1isLFfYCsTEycfc= github.com/prometheus/procfs v0.20.1/go.mod h1:o9EMBZGRyvDrSPH1RqdxhojkuXstoe4UlK79eF5TGGo= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= -github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= -github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ= +github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc= github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg= github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8= github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss= 
@@ -549,16 +392,12 @@ github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/sergi/go-diff v1.4.0 h1:n/SP9D5ad1fORl+llWyN+D6qoUETXNZARKjyY2/KVCw= github.com/sergi/go-diff v1.4.0/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4= -github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s= -github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0= github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU= github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4= github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk= github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= -github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= github.com/stretchr/objx v0.5.3 h1:jmXUvGomnU1o3W/V5h2VEradbpJDwGrzugQQvL0POH4= github.com/stretchr/objx v0.5.3/go.mod h1:rDQraq+vQZU7Fde9LOZLr8Tax6zZvy4kuNKF+QYS+U0= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= 
@@ -595,7 +434,6 @@ github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= github.com/xrash/smetrics v0.0.0-20250705151800-55b8f293f342 h1:FnBeRrxr7OU4VvAzt5X7s6266i6cSVkkFPS0TuXWbIg= github.com/xrash/smetrics v0.0.0-20250705151800-55b8f293f342/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM= -github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= @@ -603,8 +441,6 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.27.1 h1:08RqriUEv8+ArZRYSTXy1LeBScaMpVSTBhCeaZYfMYc= go.uber.org/zap v1.27.1/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= -go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0= -go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8= go.yaml.in/yaml/v2 v2.4.4 h1:tuyd0P+2Ont/d6e2rl3be67goVK4R6deVxCUX5vyPaQ= go.yaml.in/yaml/v2 v2.4.4/go.mod h1:gMZqIpDtDqOfM0uNfy0SkpRhvUryYH0Z6wdMYcacYXQ= go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= 
@@ -612,40 +448,25 @@ go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU= -golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0= golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4= golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA= -golang.org/x/exp v0.0.0-20251002181428-27f1f14c8bb9 h1:TQwNpfvNkxAVlItJf6Cr5JTsVZoC/Sj7K3OZv2Pc14A= -golang.org/x/exp v0.0.0-20251002181428-27f1f14c8bb9/go.mod h1:TwQYMMnGpvZyc+JpB/UAuTNIsVJifOlSkrZkhcvpVUk= golang.org/x/exp v0.0.0-20260312153236-7ab1446f8b90 h1:jiDhWWeC7jfWqR9c/uplMOqJ0sbNlNWv0UkzE0vX1MA= golang.org/x/exp v0.0.0-20260312153236-7ab1446f8b90/go.mod h1:xE1HEv6b+1SCZ5/uscMRjUBKtIxworgEcEi+/n9NQDQ= -golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk= -golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc= golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI= golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net 
v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU= -golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY= golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0= golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw= -golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw= -golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs= golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4= -golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4= golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -661,31 +482,19 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk= -golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo= golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= -golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q= -golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg= golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU= golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU= -golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY= golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8= golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA= -golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI= -golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4= golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U= golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools 
v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ= -golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ= golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s= golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -700,8 +509,6 @@ google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQ google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE= -google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 
@@ -722,44 +529,26 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.34.3 h1:D12sTP257/jSH2vHV2EDYrb16bS7ULlHpdNdNhEw2S4= -k8s.io/api v0.34.3/go.mod h1:PyVQBF886Q5RSQZOim7DybQjAbVs8g7gwJNhGtY5MBk= k8s.io/api v0.35.2 h1:tW7mWc2RpxW7HS4CoRXhtYHSzme1PN1UjGHJ1bdrtdw= k8s.io/api v0.35.2/go.mod h1:7AJfqGoAZcwSFhOjcGM7WV05QxMMgUaChNfLTXDRE60= -k8s.io/apiextensions-apiserver v0.34.1 h1:NNPBva8FNAPt1iSVwIE0FsdrVriRXMsaWFMqJbII2CI= -k8s.io/apiextensions-apiserver v0.34.1/go.mod h1:hP9Rld3zF5Ay2Of3BeEpLAToP+l4s5UlxiHfqRaRcMc= k8s.io/apiextensions-apiserver v0.35.2 h1:iyStXHoJZsUXPh/nFAsjC29rjJWdSgUmG1XpApE29c0= k8s.io/apiextensions-apiserver v0.35.2/go.mod h1:OdyGvcO1FtMDWQ+rRh/Ei3b6X3g2+ZDHd0MSRGeS8rU= -k8s.io/apimachinery v0.34.3 h1:/TB+SFEiQvN9HPldtlWOTp0hWbJ+fjU+wkxysf/aQnE= -k8s.io/apimachinery v0.34.3/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= k8s.io/apimachinery v0.35.2 h1:NqsM/mmZA7sHW02JZ9RTtk3wInRgbVxL8MPfzSANAK8= k8s.io/apimachinery v0.35.2/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns= -k8s.io/client-go v0.34.3 h1:wtYtpzy/OPNYf7WyNBTj3iUA0XaBHVqhv4Iv3tbrF5A= -k8s.io/client-go v0.34.3/go.mod h1:OxxeYagaP9Kdf78UrKLa3YZixMCfP6bgPwPwNBQBzpM= k8s.io/client-go v0.35.2 h1:YUfPefdGJA4aljDdayAXkc98DnPkIetMl4PrKX97W9o= k8s.io/client-go v0.35.2/go.mod h1:4QqEwh4oQpeK8AaefZ0jwTFJw/9kIjdQi0jpKeYvz7g= -k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= -k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/klog/v2 v2.140.0 h1:Tf+J3AH7xnUzZyVVXhTgGhEKnFqye14aadWv7bzXdzc= k8s.io/klog/v2 v2.140.0/go.mod h1:o+/RWfJ6PwpnFn7OyAG3QnO47BFsymfEfrz6XyYSSp0= -k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 
h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE= -k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ= k8s.io/kube-openapi v0.0.0-20260304202019-5b3e3fdb0acf h1:btPscg4cMql0XdYK2jLsJcNEKmACJz8l+U7geC06FiM= k8s.io/kube-openapi v0.0.0-20260304202019-5b3e3fdb0acf/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ= -k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck= -k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 h1:AZYQSJemyQB5eRxqcPky+/7EdBj0xi3g0ZcxxJ7vbWU= k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk= -sigs.k8s.io/controller-runtime v0.22.4 h1:GEjV7KV3TY8e+tJ2LCTxUTanW4z/FmNB7l327UfMq9A= -sigs.k8s.io/controller-runtime v0.22.4/go.mod h1:+QX1XUpTXN4mLoblf4tqr5CQcyHPAki2HLXqQMY6vh8= sigs.k8s.io/controller-runtime v0.23.3 h1:VjB/vhoPoA9l1kEKZHBMnQF33tdCLQKJtydy4iqwZ80= sigs.k8s.io/controller-runtime v0.23.3/go.mod h1:B6COOxKptp+YaUT5q4l6LqUJTRpizbgf9KSRNdQGns0= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= -sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco= -sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= sigs.k8s.io/structured-merge-diff/v6 v6.3.2 h1:kwVWMx5yS1CrnFWA/2QHyRVJ8jM6dBA80uLmm0wJkk8= sigs.k8s.io/structured-merge-diff/v6 v6.3.2/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs= 
From 784aad77780e88da4b04875cece6bc5e4cda3ea7 Mon Sep 17 00:00:00 2001 
From: Dhawal Seth Date: Mon, 18 May 2026 23:23:06 -0700 Subject: [PATCH 2/7] Add mTLS (mutual TLS) support for proxy connections This change adds support for mTLS authentication when connecting through proxies that require client certificates (e.g., corporate proxies like Kraken). Changes: - Add ProxyTLSConfig type with fields for: - clientCertSecretRef: K8s secret with tls.crt and tls.key - caCertSecretRef: K8s secret with ca.crt - caCertConfigMapRef: ConfigMap with ca.crt (alternative) - insecureSkipVerify: Skip server cert verification (testing only) - Update ProxyServerConfig to include optional TLS configuration - Add proxyTLSVolumesAndMounts helper to create volumes and mounts for proxy TLS certificates - Update listener pod creation to mount proxy TLS certs at /etc/proxy-tls/{http,https}-proxy/{client,ca}/ - Update runner pod creation to mount proxy TLS certs - Update Helm values.yaml with mTLS configuration examples - Update Helm templates to pass TLS config to CRD - Regenerate CRDs with new ProxyTLSConfig schema Note: This provides the infrastructure to mount certificates. The actual TLS client configuration in ghalistener requires corresponding changes in the github.com/actions/scaleset library to use these certificates. 
Co-Authored-By: Claude Opus 4.5 --- .../v1alpha1/autoscalingrunnerset_types.go | 32 +++++ .../v1alpha1/zz_generated.deepcopy.go | 24 +++- ...tions.github.com_autoscalinglisteners.yaml | 120 ++++++++++++++++ ...ions.github.com_autoscalingrunnersets.yaml | 120 ++++++++++++++++ .../actions.github.com_ephemeralrunners.yaml | 120 ++++++++++++++++ ...ctions.github.com_ephemeralrunnersets.yaml | 120 ++++++++++++++++ ...tions.github.com_autoscalinglisteners.yaml | 120 ++++++++++++++++ ...ions.github.com_autoscalingrunnersets.yaml | 120 ++++++++++++++++ .../actions.github.com_ephemeralrunners.yaml | 120 ++++++++++++++++ ...ctions.github.com_ephemeralrunnersets.yaml | 120 ++++++++++++++++ .../templates/autoscalingrunnerset.yaml | 30 ++++ charts/gha-runner-scale-set/values.yaml | 16 ++- ...tions.github.com_autoscalinglisteners.yaml | 120 ++++++++++++++++ ...ions.github.com_autoscalingrunnersets.yaml | 120 ++++++++++++++++ .../actions.github.com_ephemeralrunners.yaml | 120 ++++++++++++++++ ...ctions.github.com_ephemeralrunnersets.yaml | 120 ++++++++++++++++ .../actions.github.com/resourcebuilder.go | 136 +++++++++++++++--- 17 files changed, 1657 insertions(+), 21 deletions(-) diff --git a/apis/actions.github.com/v1alpha1/autoscalingrunnerset_types.go b/apis/actions.github.com/v1alpha1/autoscalingrunnerset_types.go index 24ccc8e328..e24d7dabd2 100644 --- a/apis/actions.github.com/v1alpha1/autoscalingrunnerset_types.go +++ b/apis/actions.github.com/v1alpha1/autoscalingrunnerset_types.go 
@@ -264,6 +264,38 @@ type ProxyServerConfig struct {
 // +optional
 CredentialSecretRef string `json:"credentialSecretRef,omitempty"`
+
+ // +optional
+ // TLS configures mTLS (mutual TLS) for the proxy connection.
+ // When set, the client will present a certificate to the proxy server.
+ TLS *ProxyTLSConfig `json:"tls,omitempty"`
+}
+
+// ProxyTLSConfig configures mTLS for proxy connections.
+type ProxyTLSConfig struct {
+ // ClientCertSecretRef is a reference to a Kubernetes secret containing
+ // the client certificate and key for mTLS authentication.
+ // The secret must contain 'tls.crt' and 'tls.key' keys.
+ // +optional
+ ClientCertSecretRef string `json:"clientCertSecretRef,omitempty"`
+
+ // CACertSecretRef is a reference to a Kubernetes secret containing
+ // the CA certificate to verify the proxy server's certificate.
+ // The secret must contain a 'ca.crt' key.
+ // +optional
+ CACertSecretRef string `json:"caCertSecretRef,omitempty"`
+
+ // CACertConfigMapRef is a reference to a ConfigMap containing
+ // the CA certificate to verify the proxy server's certificate.
+ // The ConfigMap must contain a 'ca.crt' key.
+ // Alternative to CACertSecretRef when CA cert is not sensitive.
+ // +optional
+ CACertConfigMapRef string `json:"caCertConfigMapRef,omitempty"`
+
+ // InsecureSkipVerify disables server certificate verification.
+ // WARNING: This should only be used for testing.
+ // +optional
+ InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
 }
 type VaultConfig struct {
diff --git a/apis/actions.github.com/v1alpha1/zz_generated.deepcopy.go b/apis/actions.github.com/v1alpha1/zz_generated.deepcopy.go
index df2dabc81a..9f601152e2 100644
--- a/apis/actions.github.com/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/actions.github.com/v1alpha1/zz_generated.deepcopy.go
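Review bot: `ProxyTLSConfig` accepts contradictory settings: `CACertSecretRef` and `CACertConfigMapRef` are documented as alternatives, and `InsecureSkipVerify` makes either CA reference meaningless, yet nothing on the type rejects a spec that sets more than one of them. A CEL rule on the struct would let the API server refuse such specs, for example `// +kubebuilder:validation:XValidation:rule="!(has(self.caCertSecretRef) && has(self.caCertConfigMapRef))",message="set only one of caCertSecretRef and caCertConfigMapRef"`, with a matching rule for `insecureSkipVerify` combined with a CA reference. Because `insecureSkipVerify: true` removes the check that the proxy is the one the operator intended, the field comment should say that plainly rather than only "testing". The comment on `TLS` ("the client will present a certificate to the proxy server") also overstates this patch, since the commit description says the certificates are only mounted until the scaleset library consumes them; something like `// TLS references the certificates mounted for mTLS to the proxy; the listener must be built against a client that uses them.` would match what is delivered.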
@@ -696,12 +696,12 @@ func (in *ProxyConfig) DeepCopyInto(out *ProxyConfig) { if in.HTTP != nil { in, out := &in.HTTP, &out.HTTP *out = new(ProxyServerConfig) - **out = **in + (*in).DeepCopyInto(*out) } if in.HTTPS != nil { in, out := &in.HTTPS, &out.HTTPS *out = new(ProxyServerConfig) - **out = **in + (*in).DeepCopyInto(*out) } if in.NoProxy != nil { in, out := &in.NoProxy, &out.NoProxy @@ -723,6 +723,11 @@ func (in *ProxyConfig) DeepCopy() *ProxyConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ProxyServerConfig) DeepCopyInto(out *ProxyServerConfig) { *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(ProxyTLSConfig) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyServerConfig. @@ -735,6 +740,21 @@ func (in *ProxyServerConfig) DeepCopy() *ProxyServerConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ProxyTLSConfig) DeepCopyInto(out *ProxyTLSConfig) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyTLSConfig. +func (in *ProxyTLSConfig) DeepCopy() *ProxyTLSConfig { + if in == nil { + return nil + } + out := new(ProxyTLSConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ResourceMeta) DeepCopyInto(out *ResourceMeta) { *out = *in diff --git a/charts/gha-runner-scale-set-controller-experimental/crds/actions.github.com_autoscalinglisteners.yaml b/charts/gha-runner-scale-set-controller-experimental/crds/actions.github.com_autoscalinglisteners.yaml index 184d877538..b1297c7c8c 100644 --- a/charts/gha-runner-scale-set-controller-experimental/crds/actions.github.com_autoscalinglisteners.yaml 
+++ b/charts/gha-runner-scale-set-controller-experimental/crds/actions.github.com_autoscalinglisteners.yaml @@ -192,6 +192,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -200,6 +230,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -8782,6 +8842,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -8790,6 +8880,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string diff --git a/charts/gha-runner-scale-set-controller-experimental/crds/actions.github.com_autoscalingrunnersets.yaml b/charts/gha-runner-scale-set-controller-experimental/crds/actions.github.com_autoscalingrunnersets.yaml index 26f76125ae..191f819475 100644 --- a/charts/gha-runner-scale-set-controller-experimental/crds/actions.github.com_autoscalingrunnersets.yaml +++ b/charts/gha-runner-scale-set-controller-experimental/crds/actions.github.com_autoscalingrunnersets.yaml 
@@ -8366,6 +8366,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -8374,6 +8404,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -16518,6 +16578,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -16526,6 +16616,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string diff --git a/charts/gha-runner-scale-set-controller-experimental/crds/actions.github.com_ephemeralrunners.yaml b/charts/gha-runner-scale-set-controller-experimental/crds/actions.github.com_ephemeralrunners.yaml index b72318d8dc..9c870fe6d9 100644 --- a/charts/gha-runner-scale-set-controller-experimental/crds/actions.github.com_ephemeralrunners.yaml +++ b/charts/gha-runner-scale-set-controller-experimental/crds/actions.github.com_ephemeralrunners.yaml 
@@ -143,6 +143,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -151,6 +181,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -8268,6 +8328,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -8276,6 +8366,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string diff --git a/charts/gha-runner-scale-set-controller-experimental/crds/actions.github.com_ephemeralrunnersets.yaml b/charts/gha-runner-scale-set-controller-experimental/crds/actions.github.com_ephemeralrunnersets.yaml index a2c8f787be..01209775e4 100644 --- a/charts/gha-runner-scale-set-controller-experimental/crds/actions.github.com_ephemeralrunnersets.yaml +++ b/charts/gha-runner-scale-set-controller-experimental/crds/actions.github.com_ephemeralrunnersets.yaml 
@@ -146,6 +146,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -154,6 +184,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -8271,6 +8331,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -8279,6 +8369,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string diff --git a/charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalinglisteners.yaml b/charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalinglisteners.yaml index 184d877538..b1297c7c8c 100644 --- a/charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalinglisteners.yaml +++ b/charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalinglisteners.yaml 
@@ -192,6 +192,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -200,6 +230,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -8782,6 +8842,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -8790,6 +8880,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string diff --git a/charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalingrunnersets.yaml b/charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalingrunnersets.yaml index 26f76125ae..191f819475 100644 --- a/charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalingrunnersets.yaml +++ b/charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalingrunnersets.yaml 
@@ -8366,6 +8366,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -8374,6 +8404,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -16518,6 +16578,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -16526,6 +16616,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string diff --git a/charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunners.yaml b/charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunners.yaml index b72318d8dc..9c870fe6d9 100644 --- a/charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunners.yaml +++ b/charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunners.yaml 
@@ -143,6 +143,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -151,6 +181,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -8268,6 +8328,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -8276,6 +8366,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string diff --git a/charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunnersets.yaml b/charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunnersets.yaml index a2c8f787be..01209775e4 100644 --- a/charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunnersets.yaml +++ b/charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunnersets.yaml 
@@ -146,6 +146,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -154,6 +184,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -8271,6 +8331,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -8279,6 +8369,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string diff --git a/charts/gha-runner-scale-set/templates/autoscalingrunnerset.yaml b/charts/gha-runner-scale-set/templates/autoscalingrunnerset.yaml index 1a466d5b0d..fffe33b6ba 100644 --- a/charts/gha-runner-scale-set/templates/autoscalingrunnerset.yaml +++ b/charts/gha-runner-scale-set/templates/autoscalingrunnerset.yaml 
@@ -124,6 +124,21 @@ spec: {{- if .Values.proxy.http.credentialSecretRef }} credentialSecretRef: {{ .Values.proxy.http.credentialSecretRef }} {{- end }} + {{- if .Values.proxy.http.tls }} + tls: + {{- if .Values.proxy.http.tls.clientCertSecretRef }} + clientCertSecretRef: {{ .Values.proxy.http.tls.clientCertSecretRef }} + {{- end }} + {{- if .Values.proxy.http.tls.caCertSecretRef }} + caCertSecretRef: {{ .Values.proxy.http.tls.caCertSecretRef }} + {{- end }} + {{- if .Values.proxy.http.tls.caCertConfigMapRef }} + caCertConfigMapRef: {{ .Values.proxy.http.tls.caCertConfigMapRef }} + {{- end }} + {{- if .Values.proxy.http.tls.insecureSkipVerify }} + insecureSkipVerify: {{ .Values.proxy.http.tls.insecureSkipVerify }} + {{- end }} + {{- end }} {{- end }} {{- if .Values.proxy.https }} https: @@ -131,6 +146,21 @@ spec: {{- if .Values.proxy.https.credentialSecretRef }} credentialSecretRef: {{ .Values.proxy.https.credentialSecretRef }} {{- end }} + {{- if .Values.proxy.https.tls }} + tls: + {{- if .Values.proxy.https.tls.clientCertSecretRef }} + clientCertSecretRef: {{ .Values.proxy.https.tls.clientCertSecretRef }} + {{- end }} + {{- if .Values.proxy.https.tls.caCertSecretRef }} + caCertSecretRef: {{ .Values.proxy.https.tls.caCertSecretRef }} + {{- end }} + {{- if .Values.proxy.https.tls.caCertConfigMapRef }} + caCertConfigMapRef: {{ .Values.proxy.https.tls.caCertConfigMapRef }} + {{- end }} + {{- if .Values.proxy.https.tls.insecureSkipVerify }} + insecureSkipVerify: {{ .Values.proxy.https.tls.insecureSkipVerify }} + {{- end }} + {{- end }} {{- end }} {{- if and .Values.proxy.noProxy (kindIs "slice" .Values.proxy.noProxy) }} noProxy: {{ .Values.proxy.noProxy | toYaml | nindent 6}} diff --git a/charts/gha-runner-scale-set/values.yaml b/charts/gha-runner-scale-set/values.yaml index 4b4640cf9e..8703208032 100644 --- a/charts/gha-runner-scale-set/values.yaml +++ b/charts/gha-runner-scale-set/values.yaml 
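Review bot: Neither new `tls:` block stops contradictory settings from being rendered together: `caCertSecretRef` and `caCertConfigMapRef` can both be set, and `insecureSkipVerify: true` can sit next to a CA reference that, per the CRD description, it would make moot. Which setting wins is decided in controller code not shown here, so a chart user who believes the proxy certificate is being verified may be wrong. I would reject the combination at render time in both the `http` and `https` hunks, e.g. `{{- if and .Values.proxy.https.tls.caCertSecretRef .Values.proxy.https.tls.caCertConfigMapRef }}{{ fail "proxy.https.tls: set only one of caCertSecretRef or caCertConfigMapRef" }}{{- end }}`, with a matching check for `insecureSkipVerify` combined with either CA reference. The enclosing `proxy` block starts and ends outside these hunks.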
@@ -45,14 +45,28 @@ githubConfigSecret: ## proxy can be used to define proxy settings that will be used by the ## controller, the listener and the runner of this scale set. +## +## For basic auth, use credentialSecretRef pointing to a secret with `username` and `password` keys. +## For mTLS (mutual TLS), use the tls section with client certificate configuration. # # proxy: # http: # url: http://proxy.com:1234 # credentialSecretRef: proxy-auth # a secret with `username` and `password` keys # https: -# url: http://proxy.com:1234 +# url: https://proxy.com:1234 # credentialSecretRef: proxy-auth # a secret with `username` and `password` keys +# ## mTLS configuration for proxies that require client certificate authentication +# tls: +# ## Secret containing client certificate and key (must have 'tls.crt' and 'tls.key' keys) +# ## You can create this with: kubectl create secret tls proxy-client-cert --cert=client.crt --key=client.key +# clientCertSecretRef: proxy-client-cert +# ## Secret containing CA certificate to verify proxy server (must have 'ca.crt' key) +# caCertSecretRef: proxy-ca-cert +# ## Or use a ConfigMap for the CA cert (must have 'ca.crt' key) +# # caCertConfigMapRef: proxy-ca-configmap +# ## Skip server certificate verification (NOT recommended for production) +# # insecureSkipVerify: false # noProxy: # - example.com # - example.org diff --git a/config/crd/bases/actions.github.com_autoscalinglisteners.yaml b/config/crd/bases/actions.github.com_autoscalinglisteners.yaml index 184d877538..b1297c7c8c 100644 --- a/config/crd/bases/actions.github.com_autoscalinglisteners.yaml +++ b/config/crd/bases/actions.github.com_autoscalinglisteners.yaml 
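Review bot: The commented example does not say when the `tls` settings apply: it shows `tls` under `https` only and changes that entry's `url` to `https://`, while the chart template in this patch also renders `proxy.http.tls`, where the example `url` is still `http://`. If, as the CRD description suggests, the client certificate is presented to the proxy itself, a plain-HTTP proxy URL has no TLS handshake to present it in, and the comment should say so, e.g. `## tls is only used when the proxy url itself is https://`. It would also help to state next to `insecureSkipVerify` that setting it to true leaves the proxy's certificate unverified, so the CA settings above it no longer protect the connection. The commented example may continue past the end of the hunk.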
@@ -192,6 +192,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -200,6 +230,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -8782,6 +8842,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -8790,6 +8880,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string diff --git a/config/crd/bases/actions.github.com_autoscalingrunnersets.yaml b/config/crd/bases/actions.github.com_autoscalingrunnersets.yaml index 26f76125ae..191f819475 100644 --- a/config/crd/bases/actions.github.com_autoscalingrunnersets.yaml +++ b/config/crd/bases/actions.github.com_autoscalingrunnersets.yaml 
@@ -8366,6 +8366,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -8374,6 +8404,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -16518,6 +16578,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -16526,6 +16616,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string diff --git a/config/crd/bases/actions.github.com_ephemeralrunners.yaml b/config/crd/bases/actions.github.com_ephemeralrunners.yaml index b72318d8dc..9c870fe6d9 100644 --- a/config/crd/bases/actions.github.com_ephemeralrunners.yaml +++ b/config/crd/bases/actions.github.com_ephemeralrunners.yaml 
@@ -143,6 +143,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -151,6 +181,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -8268,6 +8328,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -8276,6 +8366,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string diff --git a/config/crd/bases/actions.github.com_ephemeralrunnersets.yaml b/config/crd/bases/actions.github.com_ephemeralrunnersets.yaml index a2c8f787be..01209775e4 100644 --- a/config/crd/bases/actions.github.com_ephemeralrunnersets.yaml +++ b/config/crd/bases/actions.github.com_ephemeralrunnersets.yaml 
@@ -146,6 +146,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -154,6 +184,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -8271,6 +8331,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string 
@@ -8279,6 +8369,36 @@ spec: properties: credentialSecretRef: type: string + tls: + description: |- + TLS configures mTLS (mutual TLS) for the proxy connection. + When set, the client will present a certificate to the proxy server. + properties: + caCertConfigMapRef: + description: |- + CACertConfigMapRef is a reference to a ConfigMap containing + the CA certificate to verify the proxy server's certificate. + The ConfigMap must contain a 'ca.crt' key. + Alternative to CACertSecretRef when CA cert is not sensitive. + type: string + caCertSecretRef: + description: |- + CACertSecretRef is a reference to a Kubernetes secret containing + the CA certificate to verify the proxy server's certificate. + The secret must contain a 'ca.crt' key. + type: string + clientCertSecretRef: + description: |- + ClientCertSecretRef is a reference to a Kubernetes secret containing + the client certificate and key for mTLS authentication. + The secret must contain 'tls.crt' and 'tls.key' keys. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify disables server certificate verification. + WARNING: This should only be used for testing. + type: boolean + type: object url: description: Required type: string diff --git a/controllers/actions.github.com/resourcebuilder.go b/controllers/actions.github.com/resourcebuilder.go index 45ccf1245c..7adcb3144e 100644 --- a/controllers/actions.github.com/resourcebuilder.go +++ b/controllers/actions.github.com/resourcebuilder.go 
@@ -75,6 +75,89 @@ func SetListenerEntrypoint(entrypoint string) { } } +// proxyTLSVolumesAndMounts returns volumes and volume mounts for proxy mTLS configuration. +// It creates volumes for client certificates and CA certificates if configured. +func proxyTLSVolumesAndMounts(proxy *v1alpha1.ProxyConfig) ([]corev1.Volume, []corev1.VolumeMount) { + if proxy == nil { + return nil, nil + } + + var volumes []corev1.Volume + var mounts []corev1.VolumeMount + + // Helper to add TLS volumes for a proxy server config + addTLSConfig := func(prefix string, tls *v1alpha1.ProxyTLSConfig) { + if tls == nil { + return + } + + // Client certificate secret + if tls.ClientCertSecretRef != "" { + volName := prefix + "-client-cert" + volumes = append(volumes, corev1.Volume{ + Name: volName, + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: tls.ClientCertSecretRef, + }, + }, + }) + mounts = append(mounts, corev1.VolumeMount{ + Name: volName, + MountPath: "/etc/proxy-tls/" + prefix + "/client", + ReadOnly: true, + }) + } + + // CA certificate from secret + if tls.CACertSecretRef != "" { + volName := prefix + "-ca-cert" + volumes = append(volumes, corev1.Volume{ + Name: volName, + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: tls.CACertSecretRef, + }, + }, + }) + mounts = append(mounts, corev1.VolumeMount{ + Name: volName, + MountPath: "/etc/proxy-tls/" + prefix + "/ca", + ReadOnly: true, + }) + } + + // CA certificate from configmap + if tls.CACertConfigMapRef != "" { + volName := prefix + "-ca-configmap" + volumes = append(volumes, corev1.Volume{ + Name: volName, + VolumeSource: corev1.VolumeSource{ + ConfigMap: &corev1.ConfigMapVolumeSource{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: tls.CACertConfigMapRef, + }, + }, + }, + }) + mounts = append(mounts, corev1.VolumeMount{ + Name: volName, + MountPath: "/etc/proxy-tls/" + prefix + "/ca-cm", + ReadOnly: true, + }) + } + } + + if proxy.HTTP 
!= nil { + addTLSConfig("http-proxy", proxy.HTTP.TLS) + } + if proxy.HTTPS != nil { + addTLSConfig("https-proxy", proxy.HTTPS.TLS) + } + + return volumes, mounts +} + type SecretResolver interface { GetAppConfig(ctx context.Context, obj object.ActionsGitHubObject) (*appconfig.AppConfig, error) GetActionsService(ctx context.Context, obj object.ActionsGitHubObject) (multiclient.Client, error) @@ -266,6 +349,32 @@ func (b *ResourceBuilder) newScaleSetListenerPod(autoscalingListener *v1alpha1.A ports = append(ports, port) } + // Base volume mounts + volumeMounts := []corev1.VolumeMount{ + { + Name: "listener-config", + MountPath: "/etc/gha-listener", + ReadOnly: true, + }, + } + + // Base volumes + volumes := []corev1.Volume{ + { + Name: "listener-config", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: podConfig.Name, + }, + }, + }, + } + + // Add proxy mTLS volumes and mounts if configured + proxyTLSVolumes, proxyTLSMounts := proxyTLSVolumesAndMounts(autoscalingListener.Spec.Proxy) + volumes = append(volumes, proxyTLSVolumes...) + volumeMounts = append(volumeMounts, proxyTLSMounts...) + terminationGracePeriodSeconds := int64(60) podSpec := corev1.PodSpec{ ServiceAccountName: serviceAccount.Name, @@ -280,26 +389,11 @@ func (b *ResourceBuilder) newScaleSetListenerPod(autoscalingListener *v1alpha1.A Command: []string{ scaleSetListenerEntrypoint, }, - Ports: ports, - VolumeMounts: []corev1.VolumeMount{ - { - Name: "listener-config", - MountPath: "/etc/gha-listener", - ReadOnly: true, - }, - }, - }, - }, - Volumes: []corev1.Volume{ - { - Name: "listener-config", - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: podConfig.Name, - }, - }, + Ports: ports, + VolumeMounts: volumeMounts, }, }, + Volumes: volumes, ImagePullSecrets: autoscalingListener.Spec.ImagePullSecrets, RestartPolicy: corev1.RestartPolicyNever, TerminationGracePeriodSeconds: &terminationGracePeriodSeconds, 
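Review bot: In `proxyTLSVolumesAndMounts`, each `SecretVolumeSource` and `ConfigMapVolumeSource` projects every key of the referenced object into the pod, so a secret holding more than the documented `tls.crt`/`tls.key` or `ca.crt` keys exposes the extra entries to the listener and runner file systems. Restricting the projection keeps the mount to what the CRD documents, e.g. `Items: []corev1.KeyToPath{{Key: "ca.crt", Path: "ca.crt"}}` on the two CA sources and the `tls.crt`/`tls.key` pair on the client-cert source. When both `CACertSecretRef` and `CACertConfigMapRef` are set, the helper mounts both (`/ca` and `/ca-cm`) without saying which one the consumer should prefer; a validation rule rejecting the combination, or a doc comment stating the precedence, would remove the ambiguity. The fixed volume names (`http-proxy-client-cert` and the others) can also collide with a volume of the same name in a user-supplied pod spec.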
@@ -697,6 +791,10 @@ func (b *ResourceBuilder) newEphemeralRunnerPod(runner *v1alpha1.EphemeralRunner newPod.Spec = runner.Spec.Spec newPod.Spec.Containers = make([]corev1.Container, 0, len(runner.Spec.Spec.Containers)) + // Add proxy mTLS volumes if configured + proxyTLSVolumes, proxyTLSMounts := proxyTLSVolumesAndMounts(runner.Spec.Proxy) + newPod.Spec.Volumes = append(newPod.Spec.Volumes, proxyTLSVolumes...) + for _, c := range runner.Spec.Spec.Containers { if c.Name == v1alpha1.EphemeralRunnerContainerName { c.Env = append( @@ -722,6 +820,8 @@ func (b *ResourceBuilder) newEphemeralRunnerPod(runner *v1alpha1.EphemeralRunner }, ) c.Env = append(c.Env, envs...) + // Add proxy mTLS volume mounts to runner container + c.VolumeMounts = append(c.VolumeMounts, proxyTLSMounts...) } newPod.Spec.Containers = append(newPod.Spec.Containers, c) From 609858560909da4641ef9f9ae55be3af73769585 Mon Sep 17 00:00:00 2001 
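Review bot: `newPod.Spec = runner.Spec.Spec` is a shallow copy, so `append(newPod.Spec.Volumes, proxyTLSVolumes...)` can write into the backing array of `runner.Spec.Spec.Volumes` when that slice has spare capacity, which would modify the EphemeralRunner object the builder was handed. Appending to a detached slice avoids this: `newPod.Spec.Volumes = append(slices.Clone(newPod.Spec.Volumes), proxyTLSVolumes...)` if `slices` is available in this file, otherwise a three-index slice expression that caps capacity at the current length. The function starts and ends outside the hunk, so whether the spec is deep-copied earlier cannot be seen from here.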
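Review bot: The mounts appended to the runner container include the client-certificate secret, which the CRD text says holds `tls.key`, so the proxy client private key becomes readable by anything that runs in that container. If workflow steps execute there, as the container name suggests, every job can read the key; the field description should say so, and the certificate should be an identity scoped to runner traffic only. A comment at the append such as `// NOTE: exposes the proxy client key to processes in the runner container; use a runner-scoped certificate.` would record the trade-off. The enclosing loop and function extend beyond the hunk.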
From: Dhawal Seth Date: Tue, 26 May 2026 15:28:37 -0700 Subject: [PATCH 3/7] Add mTLS support for controller GitHub API client Enable the controller to use TLS client certificates when making GitHub API calls through mTLS-enabled proxies. Changes: - multiclient: Add TLSClientCertificates field to ClientForOptions - multiclient: Pass certificates to scaleset.WithTLSClientCertificate() - secretresolver: Add loadProxyTLSClientCerts() to read certs from K8s secrets - secretresolver: Load certs from proxy.http.tls.clientCertSecretRef and proxy.https.tls.clientCertSecretRef when configured - Update scaleset dependency to include mTLS support (v0.4.1-0.20260520143653) The controller reads TLS certificates directly from Kubernetes secrets (it has RBAC access), unlike listener/runner pods which get certs mounted as volumes or passed via environment variables. Co-Authored-By: Claude Opus 4.5 --- .../multiclient/multi_client.go | 19 +++-- .../secretresolver/secret_resolver.go | 77 +++++++++++++++++-- go.mod | 20 ++--- go.sum | 45 ++++++----- 4 files changed, 118 insertions(+), 43 deletions(-) diff --git a/controllers/actions.github.com/multiclient/multi_client.go b/controllers/actions.github.com/multiclient/multi_client.go index 64483550bc..7f4cb8e77a 100644 --- a/controllers/actions.github.com/multiclient/multi_client.go +++ b/controllers/actions.github.com/multiclient/multi_client.go @@ -3,6 +3,7 @@ package multiclient import ( "context" "crypto/sha256" + "crypto/tls" "crypto/x509" "fmt" "net/http" 
@@ -87,11 +88,12 @@ func (m *Scaleset) GetClientFor(ctx context.Context, opts *ClientForOptions) (Cl } type ClientForOptions struct { - GithubConfigURL string - AppConfig appconfig.AppConfig - Namespace string - RootCAs *x509.CertPool - ProxyFunc func(*http.Request) (*url.URL, error) + GithubConfigURL string + AppConfig appconfig.AppConfig + Namespace string + RootCAs *x509.CertPool + ProxyFunc func(*http.Request) (*url.URL, error) + TLSClientCertificates []tls.Certificate } func (o *ClientForOptions) identifier() (string, error) { @@ -123,6 +125,10 @@ func (o *ClientForOptions) identifier() (string, error) { identifier += fmt.Sprintf(",rootCAs:%q", o.RootCAs.Subjects()) } + if len(o.TLSClientCertificates) > 0 { + identifier += fmt.Sprintf(",tlsClientCerts:%d", len(o.TLSClientCertificates)) + } + return uuid.NewHash(sha256.New(), uuid.NameSpaceOID, []byte(identifier), 6).String(), nil } @@ -142,6 +148,9 @@ func (o *ClientForOptions) newClient() (*scaleset.Client, error) { if o.ProxyFunc != nil { options = append(options, scaleset.WithProxy(o.ProxyFunc)) } + for _, cert := range o.TLSClientCertificates { + options = append(options, scaleset.WithTLSClientCertificate(cert)) + } if o.AppConfig.Token != "" { c, err := scaleset.NewClientWithPersonalAccessToken( diff --git a/controllers/actions.github.com/secretresolver/secret_resolver.go b/controllers/actions.github.com/secretresolver/secret_resolver.go index 5f3e95612d..0f21706c12 100644 --- a/controllers/actions.github.com/secretresolver/secret_resolver.go +++ b/controllers/actions.github.com/secretresolver/secret_resolver.go @@ -2,6 +2,7 @@ package secretresolver import ( "context" + "crypto/tls" "crypto/x509" "encoding/json" "fmt" 
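Review bot: The identifier built in `identifier()` records only `len(o.TLSClientCertificates)`, so two option sets that differ only in which certificate they carry hash to the same value, and a rotated secret with the same number of certificates keeps resolving to whatever was built with the old key pair. If clients are cached by this identifier, as `GetClientFor` in the preceding hunk header suggests, it should include a digest of each certificate's DER bytes instead of the count. `crypto/sha256` is already imported in this file, and only the public certificate bytes need to be hashed. `identifier()` starts outside the hunk.

```go
// … unchanged: rootCAs component of the identifier …
for _, cert := range o.TLSClientCertificates {
	for _, der := range cert.Certificate {
		// Hash the public DER bytes only; the private key never enters the identifier.
		identifier += fmt.Sprintf(",tlsClientCert:%x", sha256.Sum256(der))
	}
}
```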
@@ -10,6 +11,7 @@ import ( "net/url" "strings" + v1alpha1 "github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1" "github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1/appconfig" "github.com/actions/actions-runner-controller/controllers/actions.github.com/multiclient" "github.com/actions/actions-runner-controller/controllers/actions.github.com/object" @@ -121,6 +123,16 @@ func (sr *SecretResolver) GetActionsService(ctx context.Context, obj object.Acti } } + // Load mTLS client certificates for proxy authentication + var tlsClientCerts []tls.Certificate + if proxy := obj.GitHubProxy(); proxy != nil { + certs, err := sr.loadProxyTLSClientCerts(ctx, obj.GetNamespace(), proxy) + if err != nil { + return nil, fmt.Errorf("failed to load proxy TLS client certificates: %w", err) + } + tlsClientCerts = certs + } + var rootCAs *x509.CertPool if tc := obj.GitHubServerTLS(); tc != nil { pool, err := tc.ToCertPool(func(name, key string) ([]byte, error) { @@ -149,11 +161,12 @@ func (sr *SecretResolver) GetActionsService(ctx context.Context, obj object.Acti return sr.multiClient.GetClientFor( ctx, &multiclient.ClientForOptions{ - GithubConfigURL: obj.GitHubConfigUrl(), - AppConfig: *appConfig, - Namespace: obj.GetNamespace(), - RootCAs: rootCAs, - ProxyFunc: proxyFunc, + GithubConfigURL: obj.GitHubConfigUrl(), + AppConfig: *appConfig, + Namespace: obj.GetNamespace(), + RootCAs: rootCAs, + ProxyFunc: proxyFunc, + TLSClientCertificates: tlsClientCerts, }, ) } 
@@ -279,3 +292,57 @@ func (r *vaultResolver) proxyCredentials(ctx context.Context, key string) (*url. return url.UserPassword(i.Username, i.Password), nil } + +// loadProxyTLSClientCerts loads TLS client certificates from secrets for mTLS proxy authentication +func (sr *SecretResolver) loadProxyTLSClientCerts(ctx context.Context, namespace string, proxy *v1alpha1.ProxyConfig) ([]tls.Certificate, error) { + var certs []tls.Certificate + + // Load HTTP proxy client cert if configured + if proxy.HTTP != nil && proxy.HTTP.TLS != nil && proxy.HTTP.TLS.ClientCertSecretRef != "" { + cert, err := sr.loadTLSCertFromSecret(ctx, namespace, proxy.HTTP.TLS.ClientCertSecretRef) + if err != nil { + return nil, fmt.Errorf("failed to load HTTP proxy client cert: %w", err) + } + certs = append(certs, cert) + } + + // Load HTTPS proxy client cert if configured + if proxy.HTTPS != nil && proxy.HTTPS.TLS != nil && proxy.HTTPS.TLS.ClientCertSecretRef != "" { + cert, err := sr.loadTLSCertFromSecret(ctx, namespace, proxy.HTTPS.TLS.ClientCertSecretRef) + if err != nil { + return nil, fmt.Errorf("failed to load HTTPS proxy client cert: %w", err) + } + certs = append(certs, cert) + } + + return certs, nil +} + +// loadTLSCertFromSecret loads a TLS certificate from a Kubernetes TLS secret +func (sr *SecretResolver) loadTLSCertFromSecret(ctx context.Context, namespace, secretName string) (tls.Certificate, error) { + var secret corev1.Secret + err := sr.k8sClient.Get(ctx, types.NamespacedName{ + Namespace: namespace, + Name: secretName, + }, &secret) + if err != nil { + return tls.Certificate{}, fmt.Errorf("failed to get secret %s: %w", secretName, err) + } + + certPEM, ok := secret.Data["tls.crt"] + if !ok { + return tls.Certificate{}, fmt.Errorf("secret %s missing tls.crt key", secretName) + } + + keyPEM, ok := secret.Data["tls.key"] + if !ok { + return tls.Certificate{}, fmt.Errorf("secret %s missing tls.key key", secretName) + } + + cert, err := tls.X509KeyPair(certPEM, keyPEM) + if err != 
nil { + return tls.Certificate{}, fmt.Errorf("failed to parse TLS certificate: %w", err) + } + + return cert, nil +} diff --git a/go.mod b/go.mod index 4cf62aee83..426f029757 100644 --- a/go.mod +++ b/go.mod @@ -6,7 +6,7 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.4.0 - github.com/actions/scaleset v0.4.0 + github.com/actions/scaleset v0.4.1-0.20260520143653-91e1f401c9c5 github.com/bradleyfalzon/ghinstallation/v2 v2.18.0 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc github.com/evanphx/json-patch v5.9.11+incompatible @@ -28,7 +28,7 @@ require ( github.com/teambition/rrule-go v1.8.2 go.uber.org/multierr v1.11.0 go.uber.org/zap v1.27.1 - golang.org/x/net v0.52.0 + golang.org/x/net v0.54.0 golang.org/x/oauth2 v0.36.0 golang.org/x/sync v0.20.0 gomodules.xyz/jsonpatch/v2 v2.5.0 @@ -115,7 +115,7 @@ require ( github.com/go-openapi/swag/yamlutils v0.25.5 // indirect github.com/go-sql-driver/mysql v1.9.3 // indirect github.com/go-task/slim-sprig/v3 v3.0.0 // indirect - github.com/go-viper/mapstructure/v2 v2.4.0 // indirect + github.com/go-viper/mapstructure/v2 v2.5.0 // indirect github.com/golang-jwt/jwt/v5 v5.3.1 // indirect github.com/gonvenience/bunt v1.4.3 // indirect github.com/gonvenience/idem v0.0.3 // indirect @@ -152,7 +152,7 @@ require ( github.com/kylelemons/godebug v1.1.0 // indirect github.com/lucasb-eyer/go-colorful v1.3.0 // indirect github.com/mattn/go-ciede2000 v0.0.0-20170301095244-782e8c62fec3 // indirect - github.com/mattn/go-colorable v0.1.13 // indirect + github.com/mattn/go-colorable v0.1.14 // indirect github.com/mattn/go-isatty v0.0.20 // indirect github.com/mattn/go-runewidth v0.0.16 // indirect github.com/mattn/go-zglob v0.0.6 // indirect 
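Review bot: `loadProxyTLSClientCerts` flattens the HTTP-proxy and HTTPS-proxy certificates into one slice, so the link between a certificate and the proxy it was issued for is lost before the client is built. Which certificate is then offered to which proxy depends on the TLS stack's selection rather than on the configuration (to be confirmed against how scaleset applies them), and when both refs name the same secret the pair is loaded and appended twice. Either reject differing refs or carry the proxy scheme alongside each certificate; at minimum the doc comment should say `// The returned certificates are not tied to a proxy; all are passed to the client.` `loadTLSCertFromSecret` could also name the secret in its parse error: `fmt.Errorf("failed to parse TLS certificate from secret %s: %w", secretName, err)`.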
@@ -190,14 +190,14 @@ require ( github.com/xrash/smetrics v0.0.0-20250705151800-55b8f293f342 // indirect go.yaml.in/yaml/v2 v2.4.4 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect - golang.org/x/crypto v0.49.0 // indirect + golang.org/x/crypto v0.51.0 // indirect golang.org/x/exp v0.0.0-20260312153236-7ab1446f8b90 // indirect - golang.org/x/mod v0.34.0 // indirect - golang.org/x/sys v0.42.0 // indirect - golang.org/x/term v0.41.0 // indirect - golang.org/x/text v0.35.0 // indirect + golang.org/x/mod v0.35.0 // indirect + golang.org/x/sys v0.44.0 // indirect + golang.org/x/term v0.43.0 // indirect + golang.org/x/text v0.37.0 // indirect golang.org/x/time v0.15.0 // indirect - golang.org/x/tools v0.43.0 // indirect + golang.org/x/tools v0.44.0 // indirect google.golang.org/protobuf v1.36.11 // indirect gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/go.sum b/go.sum index 8a6ea55865..5d57982b0d 100644 --- a/go.sum +++ b/go.sum 
@@ -25,10 +25,8 @@ github.com/ProtonMail/go-crypto v1.4.0 h1:Zq/pbM3F5DFgJiMouxEdSVY44MVoQNEKp5d5Qx github.com/ProtonMail/go-crypto v1.4.0/go.mod h1:e1OaTyu5SYVrO9gKOEhTc+5UcXtTUa+P3uLudwcgPqo= github.com/actions-runner-controller/httpcache v0.2.0 h1:hCNvYuVPJ2xxYBymqBvH0hSiQpqz4PHF/LbU3XghGNI= github.com/actions-runner-controller/httpcache v0.2.0/go.mod h1:JLu9/2M/btPz1Zu/vTZ71XzukQHn2YeISPmJoM5exBI= -github.com/actions/scaleset v0.3.0 h1:y5/ClYLJXFuGCikzILOOPhaCShAcL6K0mnUtjDKFxVw= -github.com/actions/scaleset v0.3.0/go.mod h1:2L2I6rggFWV+zprDet6y7y7Vkm3HPudaup78eSc79Uo= -github.com/actions/scaleset v0.4.0 h1:691GC2AkHb3ZGjfNvatboYoRS7CLr3+4VcZk/6w9IbM= -github.com/actions/scaleset v0.4.0/go.mod h1:2L2I6rggFWV+zprDet6y7y7Vkm3HPudaup78eSc79Uo= +github.com/actions/scaleset v0.4.1-0.20260520143653-91e1f401c9c5 h1:MAuhes0m6aiOWN2BOl9aofXgYKMdWwFMaFhj+jAfPO0= +github.com/actions/scaleset v0.4.1-0.20260520143653-91e1f401c9c5/go.mod h1:+Ylz7IYPnOTJd8dZmMziJ7J9HEfZhdoH7iliEWSb/Ms= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= github.com/aws/aws-sdk-go-v2 v1.41.3 h1:4kQ/fa22KjDt13QCy1+bYADvdgcxpfH18f0zP542kZA= 
@@ -132,8 +130,8 @@ github.com/evanphx/json-patch v5.9.11+incompatible h1:ixHHqfcGvxhWkniF1tWxBHA0yb github.com/evanphx/json-patch v5.9.11+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU= github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM= -github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= -github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= +github.com/fatih/color v1.19.0 h1:Zp3PiM21/9Ld6FzSKyL5c/BULoe/ONr9KlbYVOfG8+w= +github.com/fatih/color v1.19.0/go.mod h1:zNk67I0ZUT1bEGsSGyCZYZNrHuTkJJB+r6Q9VuMi0LE= github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo= github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= 
@@ -193,8 +191,8 @@ github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI6 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= -github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs= -github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= +github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro= +github.com/go-viper/mapstructure/v2 v2.5.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw= github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= 
@@ -319,8 +317,9 @@ github.com/maruel/natural v1.1.1 h1:Hja7XhhmvEFhcByqDoHz9QZbkWey+COd9xWfCfn1ioo= github.com/maruel/natural v1.1.1/go.mod h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg= github.com/mattn/go-ciede2000 v0.0.0-20170301095244-782e8c62fec3 h1:BXxTozrOU8zgC5dkpn3J6NTRdoP+hjok/e+ACr4Hibk= github.com/mattn/go-ciede2000 v0.0.0-20170301095244-782e8c62fec3/go.mod h1:x1uk6vxTiVuNt6S5R2UYgdhpj3oKojXvOXauHZ7dEnI= -github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= +github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE= +github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= 
@@ -450,20 +449,20 @@ go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4= -golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA= +golang.org/x/crypto v0.51.0 h1:IBPXwPfKxY7cWQZ38ZCIRPI50YLeevDLlLnyC5wRGTI= +golang.org/x/crypto v0.51.0/go.mod h1:8AdwkbraGNABw2kOX6YFPs3WM22XqI4EXEd8g+x7Oc8= golang.org/x/exp v0.0.0-20260312153236-7ab1446f8b90 h1:jiDhWWeC7jfWqR9c/uplMOqJ0sbNlNWv0UkzE0vX1MA= golang.org/x/exp v0.0.0-20260312153236-7ab1446f8b90/go.mod h1:xE1HEv6b+1SCZ5/uscMRjUBKtIxworgEcEi+/n9NQDQ= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI= -golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY= +golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM= +golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0= -golang.org/x/net v0.52.0/go.mod 
h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw= +golang.org/x/net v0.54.0 h1:2zJIZAxAHV/OHCDTCOHAYehQzLfSXuf/5SoL/Dv6w/w= +golang.org/x/net v0.54.0/go.mod h1:Sj4oj8jK6XmHpBZU/zWHw3BV3abl4Kvi+Ut7cQcY+cQ= golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs= golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -484,21 +483,21 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo= -golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= -golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU= -golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A= +golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ= +golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= +golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4= +golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8= -golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA= +golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc= +golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38= golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U= golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s= 
-golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0= +golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c= +golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= From 9ecc41d6c8d4297a2ad63d2e44c1790edf2602d5 Mon Sep 17 00:00:00 2001 From: Dhawal Seth Date: Wed, 27 May 2026 09:23:53 -0700 Subject: [PATCH 4/7] fix: load proxy CA certificates for TLS verification The ProxyTLSConfig CRD fields CACertSecretRef and CACertConfigMapRef were defined but never used. This caused proxy TLS verification to fail with "certificate signed by unknown authority" when using mTLS proxies like Kraken that have certificates signed by internal CAs. Changes: - Add loadProxyCACerts() to load CA certs from secrets or configmaps - Add addProxyCACertsToPool() helper to parse and add CA certs - Call loadProxyCACerts() in GetActionsService() before creating client - Merge proxy CAs with system cert pool for proper TLS verification Co-Authored-By: Claude Opus 4.5 --- .../secretresolver/secret_resolver.go | 110 ++++++++++++++++++ 1 file changed, 110 insertions(+) diff --git a/controllers/actions.github.com/secretresolver/secret_resolver.go b/controllers/actions.github.com/secretresolver/secret_resolver.go index 0f21706c12..04bfc1501a 100644 --- a/controllers/actions.github.com/secretresolver/secret_resolver.go +++ b/controllers/actions.github.com/secretresolver/secret_resolver.go 
@@ -133,7 +133,19 @@ func (sr *SecretResolver) GetActionsService(ctx context.Context, obj object.Acti tlsClientCerts = certs } + // Load proxy CA certificates for verifying proxy server TLS var rootCAs *x509.CertPool + if proxy := obj.GitHubProxy(); proxy != nil { + pool, err := sr.loadProxyCACerts(ctx, obj.GetNamespace(), proxy) + if err != nil { + return nil, fmt.Errorf("failed to load proxy CA certificates: %w", err) + } + if pool != nil { + rootCAs = pool + } + } + + // Load GitHub server TLS config (for GHES) and merge with proxy CAs if present if tc := obj.GitHubServerTLS(); tc != nil { pool, err := tc.ToCertPool(func(name, key string) ([]byte, error) { var configmap corev1.ConfigMap @@ -155,6 +167,14 @@ func (sr *SecretResolver) GetActionsService(ctx context.Context, obj object.Acti return nil, fmt.Errorf("failed to get tls config: %w", err) } + // Merge GitHub server CAs with proxy CAs if both are present + if rootCAs != nil && pool != nil { + // Add GitHub server certs to the existing proxy CA pool + // Note: x509.CertPool doesn't have a direct merge method, but since + // tc.ToCertPool returns certs from configmap, we need to re-add them + // For now, prefer the GitHub server pool and log that proxy CAs are overridden + sr.logger.Info("Both proxy CA and GitHub server TLS configured; using GitHub server TLS pool") + } rootCAs = pool } 
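Review bot: The pool returned by `loadProxyCACerts` becomes `rootCAs` for the whole client, so the proxy's private CA is trusted for every TLS connection that client verifies and not only for the hop to the proxy (assuming `RootCAs` applies to all connections, which this hunk does not show). A certificate issued by that internal CA for the GitHub host would then pass verification. This belongs in the CRD field descriptions and in a comment here, e.g. `// NOTE: proxy CAs extend the client's root set; they are not limited to the proxy connection.`, or in a separate pool for the proxy connection if the scaleset client supports one. `GetActionsService` begins and ends outside the hunk.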
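Review bot: When both a proxy CA and `GitHubServerTLS` are configured, `rootCAs = pool` discards the proxy CAs and the only trace is an Info log, so verification of the proxy's certificate will likely fail in the GHES-behind-mTLS-proxy setup. The added comment says a merge is needed, but the code does not perform one. Since `addProxyCACertsToPool` (added later in this patch) takes a target pool, the proxy CAs could be added to the pool returned by `tc.ToCertPool` instead of being built separately; until then, returning an error for the unsupported combination is clearer than silently dropping configured trust anchors. The surrounding `if tc := obj.GitHubServerTLS()` block starts outside the hunk.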
@@ -346,3 +366,93 @@ func (sr *SecretResolver) loadTLSCertFromSecret(ctx context.Context, namespace, return cert, nil } + +// loadProxyCACerts loads CA certificates for verifying proxy server TLS from secrets or configmaps +func (sr *SecretResolver) loadProxyCACerts(ctx context.Context, namespace string, proxy *v1alpha1.ProxyConfig) (*x509.CertPool, error) { + pool, err := x509.SystemCertPool() + if err != nil { + sr.logger.Warn("Failed to load system cert pool, using empty pool", "error", err) + pool = x509.NewCertPool() + } + + var certsAdded bool + + // Load HTTP proxy CA cert if configured + if proxy.HTTP != nil && proxy.HTTP.TLS != nil { + if err := sr.addProxyCACertsToPool(ctx, namespace, proxy.HTTP.TLS, pool); err != nil { + return nil, fmt.Errorf("failed to load HTTP proxy CA cert: %w", err) + } + if proxy.HTTP.TLS.CACertSecretRef != "" || proxy.HTTP.TLS.CACertConfigMapRef != "" { + certsAdded = true + } + } + + // Load HTTPS proxy CA cert if configured + if proxy.HTTPS != nil && proxy.HTTPS.TLS != nil { + if err := sr.addProxyCACertsToPool(ctx, namespace, proxy.HTTPS.TLS, pool); err != nil { + return nil, fmt.Errorf("failed to load HTTPS proxy CA cert: %w", err) + } + if proxy.HTTPS.TLS.CACertSecretRef != "" || proxy.HTTPS.TLS.CACertConfigMapRef != "" { + certsAdded = true + } + } + + if !certsAdded { + return nil, nil + } + + return pool, nil +} + +// addProxyCACertsToPool adds CA certificates from a ProxyTLSConfig to the given cert pool +func (sr *SecretResolver) addProxyCACertsToPool(ctx context.Context, namespace string, tlsConfig *v1alpha1.ProxyTLSConfig, pool *x509.CertPool) error { + if tlsConfig == nil { + return nil + } + + // Load from secret if configured + if tlsConfig.CACertSecretRef != "" { + var secret corev1.Secret + err := sr.k8sClient.Get(ctx, types.NamespacedName{ + Namespace: namespace, + Name: tlsConfig.CACertSecretRef, + }, &secret) + if err != nil { + return fmt.Errorf("failed to get CA cert secret %s: %w", tlsConfig.CACertSecretRef, 
err) + } + + caCert, ok := secret.Data["ca.crt"] + if !ok { + return fmt.Errorf("secret %s missing ca.crt key", tlsConfig.CACertSecretRef) + } + + if !pool.AppendCertsFromPEM(caCert) { + return fmt.Errorf("failed to parse CA certificate from secret %s", tlsConfig.CACertSecretRef) + } + sr.logger.Info("Loaded proxy CA cert from secret", "secret", tlsConfig.CACertSecretRef) + } + + // Load from configmap if configured + if tlsConfig.CACertConfigMapRef != "" { + var configmap corev1.ConfigMap + err := sr.k8sClient.Get(ctx, types.NamespacedName{ + Namespace: namespace, + Name: tlsConfig.CACertConfigMapRef, + }, &configmap) + if err != nil { + return fmt.Errorf("failed to get CA cert configmap %s: %w", tlsConfig.CACertConfigMapRef, err) + } + + caCert, ok := configmap.Data["ca.crt"] + if !ok { + return fmt.Errorf("configmap %s missing ca.crt key", tlsConfig.CACertConfigMapRef) + } + + if !pool.AppendCertsFromPEM([]byte(caCert)) { + return fmt.Errorf("failed to parse CA certificate from configmap %s", tlsConfig.CACertConfigMapRef) + } + sr.logger.Info("Loaded proxy CA cert from configmap", "configmap", tlsConfig.CACertConfigMapRef) + } + + return nil +} From ebcbd604ddc1e4ecea7d8858e03940fd7188a1d9 Mon Sep 17 00:00:00 2001 
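Review bot: The doc comments on `loadProxyCACerts` and `addProxyCACertsToPool` leave out the parts of the contract a caller or operator needs. The first returns `nil, nil` when neither `CACertSecretRef` nor `CACertConfigMapRef` is set, and otherwise returns the system roots with the configured CAs appended, so the result widens trust and does not pin it. The second reads only the `ca.crt` key and adds both sources when both refs are set. Suggested wording: `// loadProxyCACerts returns the system roots plus every CA named in the proxy config, or (nil, nil) when no CA ref is set so the caller keeps its default roots.` and `// addProxyCACertsToPool reads key "ca.crt" from the referenced Secret and/or ConfigMap in namespace; when both refs are set, both are added.` It is also worth noting there that `AppendCertsFromPEM` reports success as soon as one certificate parses, so a bundle with a damaged entry is accepted in part.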
From: Dhawal Seth Date: Wed, 27 May 2026 09:33:57 -0700 Subject: [PATCH 5/7] feat: support loading proxy TLS certs from file paths via env vars Add fallback support for loading proxy TLS certificates from file paths when K8s secret/configmap refs are not configured. This enables use with systems like k8s-lare that provision certificates to pod volumes. Environment variables supported: - HTTPS_PROXY_CA_CERT: file path to CA cert for proxy TLS verification - HTTPS_PROXY_CLIENT_CERT: file path to client cert for mTLS - HTTPS_PROXY_CLIENT_KEY: file path to client key for mTLS The K8s secret/configmap refs take precedence when configured. Co-Authored-By: Claude Opus 4.5 --- .../secretresolver/secret_resolver.go | 47 ++++++++++++++++--- 1 file changed, 41 insertions(+), 6 deletions(-) diff --git a/controllers/actions.github.com/secretresolver/secret_resolver.go b/controllers/actions.github.com/secretresolver/secret_resolver.go index 04bfc1501a..9257823bc0 100644 --- a/controllers/actions.github.com/secretresolver/secret_resolver.go +++ b/controllers/actions.github.com/secretresolver/secret_resolver.go @@ -9,6 +9,7 @@ import ( "log/slog" "net/http" "net/url" + "os" "strings" v1alpha1 "github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1" 
@@ -313,11 +314,13 @@ func (r *vaultResolver) proxyCredentials(ctx context.Context, key string) (*url. return url.UserPassword(i.Username, i.Password), nil } -// loadProxyTLSClientCerts loads TLS client certificates from secrets for mTLS proxy authentication +// loadProxyTLSClientCerts loads TLS client certificates for mTLS proxy authentication. +// It first checks for K8s secret refs in the proxy config, then falls back to +// environment variables HTTPS_PROXY_CLIENT_CERT and HTTPS_PROXY_CLIENT_KEY for file paths. func (sr *SecretResolver) loadProxyTLSClientCerts(ctx context.Context, namespace string, proxy *v1alpha1.ProxyConfig) ([]tls.Certificate, error) { var certs []tls.Certificate - // Load HTTP proxy client cert if configured + // Load HTTP proxy client cert if configured via K8s secret if proxy.HTTP != nil && proxy.HTTP.TLS != nil && proxy.HTTP.TLS.ClientCertSecretRef != "" { cert, err := sr.loadTLSCertFromSecret(ctx, namespace, proxy.HTTP.TLS.ClientCertSecretRef) if err != nil { @@ -326,7 +329,7 @@ func (sr *SecretResolver) loadProxyTLSClientCerts(ctx context.Context, namespace certs = append(certs, cert) } - // Load HTTPS proxy client cert if configured + // Load HTTPS proxy client cert if configured via K8s secret if proxy.HTTPS != nil && proxy.HTTPS.TLS != nil && proxy.HTTPS.TLS.ClientCertSecretRef != "" { cert, err := sr.loadTLSCertFromSecret(ctx, namespace, proxy.HTTPS.TLS.ClientCertSecretRef) if err != nil { 
@@ -335,6 +338,20 @@ func (sr *SecretResolver) loadProxyTLSClientCerts(ctx context.Context, namespace certs = append(certs, cert) } + // Fallback: load from file paths via environment variables if no K8s secrets configured + if len(certs) == 0 { + certFile := os.Getenv("HTTPS_PROXY_CLIENT_CERT") + keyFile := os.Getenv("HTTPS_PROXY_CLIENT_KEY") + if certFile != "" && keyFile != "" { + cert, err := tls.LoadX509KeyPair(certFile, keyFile) + if err != nil { + return nil, fmt.Errorf("failed to load client cert from files (cert=%s, key=%s): %w", certFile, keyFile, err) + } + certs = append(certs, cert) + sr.logger.Info("Loaded proxy client cert from file paths", "cert", certFile, "key", keyFile) + } + } + return certs, nil } @@ -367,7 +384,9 @@ func (sr *SecretResolver) loadTLSCertFromSecret(ctx context.Context, namespace, return cert, nil } -// loadProxyCACerts loads CA certificates for verifying proxy server TLS from secrets or configmaps +// loadProxyCACerts loads CA certificates for verifying proxy server TLS. +// It first checks for K8s secret/configmap refs in the proxy config, then falls back to +// the HTTPS_PROXY_CA_CERT environment variable for a file path. func (sr *SecretResolver) loadProxyCACerts(ctx context.Context, namespace string, proxy *v1alpha1.ProxyConfig) (*x509.CertPool, error) { pool, err := x509.SystemCertPool() if err != nil { @@ -377,7 +396,7 @@ func (sr *SecretResolver) loadProxyCACerts(ctx context.Context, namespace string var certsAdded bool - // Load HTTP proxy CA cert if configured + // Load HTTP proxy CA cert if configured via K8s secret/configmap if proxy.HTTP != nil && proxy.HTTP.TLS != nil { if err := sr.addProxyCACertsToPool(ctx, namespace, proxy.HTTP.TLS, pool); err != nil { return nil, fmt.Errorf("failed to load HTTP proxy CA cert: %w", err) 
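Review bot: When only one of `HTTPS_PROXY_CLIENT_CERT` and `HTTPS_PROXY_CLIENT_KEY` is set, the `if certFile != "" && keyFile != ""` test in the new fallback skips loading without any message, and the client goes on with no certificate, so the mistake only shows up later as a proxy handshake failure. A half-configured pair should be an error: `if (certFile == "") != (keyFile == "") { return nil, fmt.Errorf("HTTPS_PROXY_CLIENT_CERT and HTTPS_PROXY_CLIENT_KEY must be set together") }`. The same test is repeated in `loadProxyTLSClientCertsFromEnv` (patch 6) and in `ActionsClient` in `cmd/ghalistener/config/config.go` (patch 7). `loadProxyTLSClientCerts` begins above this hunk.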
@@ -387,7 +406,7 @@ func (sr *SecretResolver) loadProxyCACerts(ctx context.Context, namespace string } } - // Load HTTPS proxy CA cert if configured + // Load HTTPS proxy CA cert if configured via K8s secret/configmap if proxy.HTTPS != nil && proxy.HTTPS.TLS != nil { if err := sr.addProxyCACertsToPool(ctx, namespace, proxy.HTTPS.TLS, pool); err != nil { return nil, fmt.Errorf("failed to load HTTPS proxy CA cert: %w", err) @@ -397,6 +416,22 @@ func (sr *SecretResolver) loadProxyCACerts(ctx context.Context, namespace string } } + // Fallback: load from file path via environment variable if no K8s refs configured + if !certsAdded { + caFile := os.Getenv("HTTPS_PROXY_CA_CERT") + if caFile != "" { + caCert, err := os.ReadFile(caFile) + if err != nil { + return nil, fmt.Errorf("failed to read CA cert file %s: %w", caFile, err) + } + if !pool.AppendCertsFromPEM(caCert) { + return nil, fmt.Errorf("failed to parse CA certificate from file %s", caFile) + } + certsAdded = true + sr.logger.Info("Loaded proxy CA cert from file path", "file", caFile) + } + } + if !certsAdded { return nil, nil } From 6c638de9073a40ee39a6233f9f4340411c11a118 Mon Sep 17 00:00:00 2001 From: Dhawal Seth Date: Wed, 27 May 2026 10:01:26 -0700 Subject: [PATCH 6/7] fix: load proxy TLS certs from env vars when proxy set via HTTPS_PROXY The previous implementation only loaded proxy TLS certificates when proxy was configured in the AutoscalingRunnerSet CR. However, when using HTTPS_PROXY environment variable (common in enterprise setups), the CR proxy config is nil and the env var loading code was skipped. This fix adds explicit checks for HTTPS_PROXY/HTTP_PROXY env vars and loads TLS certificates from env vars in that case: - loadProxyTLSClientCertsFromEnv() for mTLS client certs - loadProxyCACertsFromEnv() for proxy CA verification Co-Authored-By: Claude Opus 4.5 --- .../secretresolver/secret_resolver.go | 69 ++++++++++++++++++- 1 file changed, 67 insertions(+), 2 deletions(-) 
diff --git a/controllers/actions.github.com/secretresolver/secret_resolver.go b/controllers/actions.github.com/secretresolver/secret_resolver.go index 9257823bc0..5d851d1eb5 100644 --- a/controllers/actions.github.com/secretresolver/secret_resolver.go +++ b/controllers/actions.github.com/secretresolver/secret_resolver.go @@ -125,18 +125,28 @@ func (sr *SecretResolver) GetActionsService(ctx context.Context, obj object.Acti } // Load mTLS client certificates for proxy authentication + // Check CR config first, then fall back to env vars (for HTTPS_PROXY set via env) var tlsClientCerts []tls.Certificate - if proxy := obj.GitHubProxy(); proxy != nil { + proxy := obj.GitHubProxy() + if proxy != nil { certs, err := sr.loadProxyTLSClientCerts(ctx, obj.GetNamespace(), proxy) if err != nil { return nil, fmt.Errorf("failed to load proxy TLS client certificates: %w", err) } tlsClientCerts = certs + } else if os.Getenv("HTTPS_PROXY") != "" || os.Getenv("HTTP_PROXY") != "" { + // Proxy is set via env var, check for client cert env vars + certs, err := sr.loadProxyTLSClientCertsFromEnv() + if err != nil { + return nil, fmt.Errorf("failed to load proxy TLS client certificates from env: %w", err) + } + tlsClientCerts = certs } // Load proxy CA certificates for verifying proxy server TLS + // Check CR config first, then fall back to env vars (for HTTPS_PROXY set via env) var rootCAs *x509.CertPool - if proxy := obj.GitHubProxy(); proxy != nil { + if proxy != nil { pool, err := sr.loadProxyCACerts(ctx, obj.GetNamespace(), proxy) if err != nil { return nil, fmt.Errorf("failed to load proxy CA certificates: %w", err) 
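Review bot: The new `else if os.Getenv("HTTPS_PROXY") != "" || os.Getenv("HTTP_PROXY") != ""` gate looks only at the upper-case names. Go's `http.ProxyFromEnvironment` also honours `https_proxy` and `http_proxy`, so if the client resolves its proxy that way (not visible in this hunk), a proxy configured through the lower-case form gets neither the client certificate nor the CA. The condition is repeated unchanged in the next hunk for the CA pool. I would extend both to `… || os.Getenv("https_proxy") != "" || os.Getenv("http_proxy") != ""`, ideally behind one small helper so the two call sites cannot drift apart.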
@@ -144,6 +154,15 @@ func (sr *SecretResolver) GetActionsService(ctx context.Context, obj object.Acti if pool != nil { rootCAs = pool } + } else if os.Getenv("HTTPS_PROXY") != "" || os.Getenv("HTTP_PROXY") != "" { + // Proxy is set via env var, check for CA cert env var + pool, err := sr.loadProxyCACertsFromEnv() + if err != nil { + return nil, fmt.Errorf("failed to load proxy CA certificates from env: %w", err) + } + if pool != nil { + rootCAs = pool + } } // Load GitHub server TLS config (for GHES) and merge with proxy CAs if present 
@@ -491,3 +510,49 @@ func (sr *SecretResolver) addProxyCACertsToPool(ctx context.Context, namespace s return nil } + +// loadProxyTLSClientCertsFromEnv loads TLS client certificates from file paths specified in env vars. +// Used when proxy is set via HTTPS_PROXY env var instead of CR config. +func (sr *SecretResolver) loadProxyTLSClientCertsFromEnv() ([]tls.Certificate, error) { + var certs []tls.Certificate + + certFile := os.Getenv("HTTPS_PROXY_CLIENT_CERT") + keyFile := os.Getenv("HTTPS_PROXY_CLIENT_KEY") + if certFile != "" && keyFile != "" { + cert, err := tls.LoadX509KeyPair(certFile, keyFile) + if err != nil { + return nil, fmt.Errorf("failed to load client cert from files (cert=%s, key=%s): %w", certFile, keyFile, err) + } + certs = append(certs, cert) + sr.logger.Info("Loaded proxy client cert from env var file paths", "cert", certFile, "key", keyFile) + } + + return certs, nil +} + +// loadProxyCACertsFromEnv loads CA certificates from file path specified in env var. +// Used when proxy is set via HTTPS_PROXY env var instead of CR config. +func (sr *SecretResolver) loadProxyCACertsFromEnv() (*x509.CertPool, error) { + caFile := os.Getenv("HTTPS_PROXY_CA_CERT") + if caFile == "" { + return nil, nil + } + + pool, err := x509.SystemCertPool() + if err != nil { + sr.logger.Warn("Failed to load system cert pool, using empty pool", "error", err) + pool = x509.NewCertPool() + } + + caCert, err := os.ReadFile(caFile) + if err != nil { + return nil, fmt.Errorf("failed to read CA cert file %s: %w", caFile, err) + } + + if !pool.AppendCertsFromPEM(caCert) { + return nil, fmt.Errorf("failed to parse CA certificate from file %s", caFile) + } + + sr.logger.Info("Loaded proxy CA cert from env var file path", "file", caFile) + return pool, nil +} From d5479dd92fc3ff909a14341803aaacdf0af2be95 Mon Sep 17 00:00:00 2001 
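Review bot: `loadProxyTLSClientCertsFromEnv` and `loadProxyCACertsFromEnv` repeat, almost line for line, the env-var fallback blocks that patch 5 placed inside `loadProxyTLSClientCerts` and `loadProxyCACerts`. Two copies of certificate and trust-root loading are easy to change in one place and forget in the other. The older functions can call the new helpers instead: `if len(certs) == 0 { return sr.loadProxyTLSClientCertsFromEnv() }` and `if !certsAdded { return sr.loadProxyCACertsFromEnv() }`. The second is equivalent because no CA has been appended to the system pool at that point.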
From: Dhawal Seth Date: Wed, 27 May 2026 15:14:19 -0700 Subject: [PATCH 7/7] feat(listener): add mTLS proxy support via env vars Load TLS client certificate for proxy mTLS authentication when HTTPS_PROXY_CLIENT_CERT and HTTPS_PROXY_CLIENT_KEY env vars are set. This enables the listener to authenticate with mTLS proxies like Kraken that require client certificates for egress. Co-Authored-By: Claude Opus 4.5 --- cmd/ghalistener/config/config.go | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/cmd/ghalistener/config/config.go b/cmd/ghalistener/config/config.go index 69cfafb8ee..2291c3eab9 100644 --- a/cmd/ghalistener/config/config.go +++ b/cmd/ghalistener/config/config.go @@ -172,6 +172,19 @@ func (c *Config) ActionsClient(logger *slog.Logger, clientOptions ...scaleset.HT return proxyFunc(req.URL) })) + // Load TLS client certificate for proxy mTLS authentication + // Used when proxy requires mutual TLS (e.g., Kraken mTLS proxy) + certFile := os.Getenv("HTTPS_PROXY_CLIENT_CERT") + keyFile := os.Getenv("HTTPS_PROXY_CLIENT_KEY") + if certFile != "" && keyFile != "" { + tlsOpt, err := scaleset.WithTLSClientCertificateFromFile(certFile, keyFile) + if err != nil { + return nil, fmt.Errorf("failed to load proxy TLS client cert (cert=%s, key=%s): %w", certFile, keyFile, err) + } + options = append(options, tlsOpt) + logger.Info("Loaded proxy TLS client certificate from env vars", "cert", certFile, "key", keyFile) + } + var client *scaleset.Client switch c.Token { case "":
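Review bot: The listener now loads the client key pair but never reads `HTTPS_PROXY_CA_CERT`, which the controller side honours since patches 5 and 6. Against a proxy whose certificate is signed by an internal CA, verification of the proxy would fail before the client certificate is used, unless roots are configured elsewhere in `ActionsClient` outside this hunk. The block is also not tied to a proxy being configured, so whether the certificate can be offered to non-proxy endpoints depends on how the option named in the hunk applies it. At minimum I would add `// NOTE: HTTPS_PROXY_CA_CERT is not read here; proxy server verification relies on the roots configured for this client.` `ActionsClient` starts before the hunk and continues after it.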