Acr login with sdk#18
Closed
dbalseiro wants to merge 24 commits into
Closed
Conversation
bumping knative.dev/client/pkg 81e768d...e622d63: > e622d63 upgrade to latest dependencies (# 2215) > 8c99918 upgrade to latest dependencies (# 2214) bumping knative.dev/serving dbaab46...29a43b6: > 29a43b6 Update net-kourier nightly (# 16595) Signed-off-by: Knative Automation <automation@knative.team>
Updated the comment for the readonly field in the Server struct to specify that it disables deploy and delete operations when set to true, enhancing code clarity and documentation accuracy.
Signed-off-by: Shrey327 <shreyansh.pathak273@gmail.com>
…knative#3707) The MCP server instructions were computed at New() time before Start() set the readonly flag. This meant the readonly warning was never included in instructions sent to MCP clients, even when the server was running in readonly mode. Pass WithReadonly(!writeEnabled) at construction time so the instructions correctly reflect the runtime readonly state. Signed-off-by: elvandlie@gmail.com <elvandlie@gmail.com>
* mcp: change DeleteInput.All from *string to *bool The All field in DeleteInput was typed as *string but the underlying func delete --all CLI flag is boolean. This caused the JSON schema to present a string field to MCP clients instead of a boolean, and passed the flag as --all true (two separate args) instead of --all. Change All to *bool and use appendBoolFlag instead of appendStringFlag. Signed-off-by: elvandlie@gmail.com <elvandlie@gmail.com> * mcp: update delete test to use bool for All field Signed-off-by: elvandlie@gmail.com <elvandlie@gmail.com> --------- Signed-off-by: elvandlie@gmail.com <elvandlie@gmail.com>
…oyment (knative#3718) * test: migrate testing registry from host container to in-cluster deployment Replace the standalone docker/podman registry container (localhost:50000) with an in-cluster Deployment + ClusterIP Service + Ingress exposed at registry.localtest.me. This eliminates host-side container management, ExternalName services, and Podman VM port forwarding. The registry pod uses hostPort:5000 so containerd on the Kind node can reach it at localhost:5000 via mirrors. Pods reach it via the ClusterIP Service. The host reaches it via Contour ingress. Add insecure registry support to the credential verification and docker push paths. CheckAuth, docker.Pusher, and NewCredentialsProvider now accept an insecure flag to use plain HTTP via name.Insecure instead of defaulting to HTTPS. The knative deployer's checkPullPermissions also respects RegistryInsecure. E2E tests set FUNC_REGISTRY_INSECURE=true when using the default registry.localtest.me. A dedicated TestRemote_Deploy_InClusterRegistry test verifies the in-cluster dialer tunneling path via registry.default.svc.cluster.local. hack/allow-insecure.tar updated to include *.localtest.me alongside *.cluster.local for buildah/podman insecure registry configuration. Signed-off-by: Matej Vašek <matejvasek@gmail.com> Co-Authored-By: Claude <noreply@anthropic.com> * test: registry.localtest.me insecure Signed-off-by: Matej Vašek <matejvasek@gmail.com> * e2e: use locally-built binary in CI config test Patch the generated GitHub workflow to symlink the locally-built func binary instead of downloading a release via functions-dev/action. The released binary lacks the insecure registry fix, causing pack builder tests (node, typescript, quarkus) to fail against registry.localtest.me. Signed-off-by: Matej Vašek <matejvasek@gmail.com> Co-Authored-By: Claude <noreply@anthropic.com> --------- Signed-off-by: Matej Vašek <matejvasek@gmail.com> Co-authored-by: Claude <noreply@anthropic.com>
Changed the comment in cmd/mcp.go to reflect the correct function name for gathering options, updating from runMCPServer to runMCPStart. This improves clarity for future enhancements related to MCP server configuration.
Change config file permissions from 0777 to 0600 and directory permissions from 0777 to 0755 to follow security best practices. Changes: - Config files now use 0600 (owner read/write only) - Config directories use 0755 (owner rwx, group/others rx) - Added tests to verify correct permissions are applied Security impact: - Prevents unauthorized users from reading sensitive config data - Prevents unauthorized modification of configuration - Follows industry standard (kubectl, docker, git use 0600) Fixes: Config files were world-readable and world-writable
Co-authored-by: Knative Automation <automation@knative.team>
…native#3759) The Server.readonly field is a plain bool with no synchronization. While the current stdio transport is single-client, the MCP SDK may dispatch tool calls on separate goroutines internally. Additionally, Start() writes to readonly while handler goroutines may concurrently read it, which is a data race under the Go memory model. Replace bool with sync/atomic.Bool for lock-free thread safety. All reads use Load() and all writes use Store(). Also add test coverage for the readonly rejection path in both the deploy and delete handlers. Signed-off-by: Elvand Lie <elvandlie@gmail.com> Signed-off-by: elvandlie@gmail.com <elvandlie@gmail.com>
knative#3760) The buildArgs function passes the prefix directly to exec.CommandContext via strings.Fields splitting. If a caller provides a WithPrefix value containing shell metacharacters (e.g. semicolons, pipes, backticks), the executor could run unintended commands. Add validation in WithPrefix to reject disallowed characters and empty/whitespace-only prefixes, panicking at construction time rather than silently accepting dangerous input. Signed-off-by: Elvand Lie <elvandlie@gmail.com> Signed-off-by: elvandlie@gmail.com <elvandlie@gmail.com>
* Add support for CloudEvents extensions in invoke command Introduces a new --extension/-e flag to the invoke command, allowing users to specify CloudEvents extensions as key=value pairs. The extensions are parsed and included in the InvokeMessage, and are set on the outgoing CloudEvent. Documentation is updated to reflect the new flag. * address feedback
* feat: add func logs command to stream function logs This adds a new 'func logs' command that streams logs from deployed functions, abstracting away the underlying service name and pod details. Features: - Stream logs for function in current directory - Stream logs by function name with --name flag - Filter logs by time with --since flag (e.g., 5m, 1h) - Support for custom namespace with --namespace flag - Graceful handling of Ctrl+C to stop log streaming The command uses the existing GetKServiceLogs functionality from the knative package, providing a user-friendly CLI interface for developers. Fixes knative#3521 * docs: add generated documentation for func logs command
This commit addresses issue knative#3516 where the PersistentVolumeClaim used for on-cluster builds was being reused without cleanup, causing 'No space left on device' errors after multiple builds. Changes: - Added DeletePersistentVolumeClaim() function to delete a single PVC - Added WaitForPVCDeletion() function to wait for complete PVC deletion - Modified createPipelinePersistentVolumeClaim() to delete existing PVC before creating a fresh one, ensuring clean workspace for each build - Updated tests to properly mock the new k8s functions The solution ensures that each build starts with a clean PVC by: 1. Checking if PVC exists 2. Deleting it if found (ignoring NotFound errors) 3. Waiting for complete deletion (not just Terminating state) 4. Creating a fresh PVC This approach is simpler and more reliable than trying to clean up the PVC contents while it's in use.
…native#3685) * Enhance config_envs_add tool with new test cases and documentation updates - Added unit tests for handling environment variables sourced from Secrets and ConfigMaps, covering both individual keys and all keys scenarios. - Updated the tool's description to clarify supported source types and precedence rules for the Value field. - Improved argument handling in the ConfigEnvsAddInput struct to ensure correct value templates are constructed based on provided inputs. - Enhanced test coverage for the config_envs_add functionality to validate expected behavior and error handling. * Refactor ConfigEnvsAddInput struct for improved clarity and consistency - Standardized formatting of struct fields in ConfigEnvsAddInput for better readability. - Updated test case for config_envs_add to ensure proper argument handling and maintain functionality. * Add validation tests for config_envs_add tool - Introduced new test cases to validate error handling for secretKey and configMapKey when provided without their corresponding names. - Added tests to ensure proper validation of secretName, secretKey, configMapName, and configMapKey against allowed character sets. - Enhanced the ConfigEnvsAddInput struct with a validate method to enforce input constraints before processing. - Updated the config_envs_add tool's functionality to return appropriate errors for invalid inputs, improving robustness and user feedback. * Enhance validation in config_envs_add tool - Added new validation checks to ensure that the `name` field is not set when importing all keys from a Secret or ConfigMap. - Implemented mutual exclusivity validation for `secretName` and `configMapName` to prevent simultaneous usage. - Updated the `ConfigEnvsAddInput` struct to reflect these validation rules, improving error handling and user feedback. - Introduced additional test cases to validate these new constraints and ensure proper error handling in various scenarios. * refactor(mcp): drop regex validation, make value/secret exclusive MCP layer was duplicating name validation with regexes that didn't match DNS-1123 (e.g. accepted apostrophes). Deferred to func CLI. Also replaced silent value/secretName precedence with an explicit error — silent drop is a footgun for LLM clients.
bumping knative.dev/client/pkg e622d63...95c16c5: > 95c16c5 upgrade to latest dependencies (# 2216) bumping knative.dev/serving 29a43b6...a4e653b: > a4e653b Update net-gateway-api nightly (# 16596) Signed-off-by: Knative Automation <automation@knative.team>
* Add func-operator integration to deploy command When deploying a function, automatically create or update a Function CR (functions.dev/v1alpha1) if the func-operator CRD is installed on the cluster. On first deploy, the CR is created with the git repository URL, branch, and path. On subsequent deploys, only the functions.knative.dev/last-deployed annotation is updated. - Add pkg/git/ with go-git based resolution of remote URL and branch - Add pkg/operator/ with Function CR sync logic and k8s client setup - Add WithPostDeploy client option to run post-deploy hooks - Add --manage flag (default true) to opt out with --manage=false - Wire operator sync via WithPostDeploy in deploy command - Git URL cascade: --git-url > tracking remote > origin - Branch cascade: --git-branch > current branch > "main" - Silently skip if CRD not installed; warn if no git remote found * Add integration test for operator sync across all deployers Add TestInt_OperatorSync to the shared deployer integration test helper. The test deploys a function with WithPostDeploy wired to operator.SyncFunctionCR, verifies the Function CR is created with the correct spec on first deploy, and confirms only the last-deployed annotation is updated on subsequent deploys. CR verification is skipped gracefully when the Function CRD is not installed. * Install func-operator in test cluster setup Add func-operator v0.2.1 to the cluster setup script so the Function CRD is available for integration tests. The operator is installed in parallel with other components during cluster allocation. * Strip credentials from git remote URLs in Function CR ResolveRemoteURL now removes userinfo (username and password) from HTTP/HTTPS remote URLs before returning them, preventing credentials from being stored in the Function CR spec. * Add registry credential support to Function CR sync When deploying to a private registry, resolve credentials via the existing CredentialsProvider, create a docker-registry K8s Secret, and set .spec.registry.authSecretRef on the Function CR so the func-operator can authenticate with the registry. * Fix CI failures in linter and unit tests - Check return value of AddToScheme (errcheck lint) - Make registry secret creation injectable for unit tests - Add git commit author in resolver tests for CI - Add FuncOperator to component-versions test expectations * Move operator CR sync into core Client.Deploy() Replace the CLI-level postDeploy hook with a FunctionSyncer interface in pkg/functions, implemented by pkg/operator.Syncer. This makes operator management available to all library users, not just the CLI. - Add FunctionSyncer interface and WithSyncer option to Client - Add ManagementDisabled field to DeploySpec (managed by default) - Create pkg/operator/syncer.go encapsulating git/registry resolution - Wire operator.NewSyncer in cmd/client.go NewClient() - Replace --manage flag with --management-disabled - Remove postDeploy hook, syncFunctionCR from cmd/deploy.go - Update integration test to use WithSyncer * Skip Function CR sync silently when no git remote is configured A user deploying without a git remote is an expected base case, not a warning-worthy condition. The operator sync now requires both the CRD to be installed and a git URL to be available before attempting to create or update a Function CR. * Distinguish CRD-not-found from real errors in hasFunctionCRD Previously all errors from ServerResourcesForGroupVersion were swallowed and treated as "CRD not present". Now only NotFound errors are treated as CRD absence; other errors are propagated so legitimate failures are not silently ignored. * Combine two loops in findExistingCR into one Merge the separate status-name and metadata-name lookups into a single pass over the list. Status name match still takes priority and returns immediately; metadata name match is remembered as a fallback. * Use func-operator GroupVersion constant instead of hardcoded string Replace the hardcoded "functions.dev/v1alpha1" string with v1alpha1.GroupVersion.String() in hasFunctionCRD, unit tests, and integration test helper. * Regenerate deploy command reference docs Update generated docs to reflect --manage being replaced by --management-disabled. * Regenerate func.yaml JSON schema Add ManagementDisabled field to the generated schema.
bumping knative.dev/eventing 43e651f...fdfff0b: > fdfff0b build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.95.0 to 1.97.3 (# 9051) Signed-off-by: Knative Automation <automation@knative.team>
Update docs to reflect current codebase state: fix broken link in rust.md, add missing packages to ARCHITECTURE.md code map, document scaffolding templates in CONTRIBUTING.md, update lifecycle.md to note Python implements lifecycle hooks, add TypeScript and CLI reference link to docs/README.md, and fix /health/rediness typo in Python templates.
…desync (knative#3758) The Server.Start() method unconditionally overrides the readonly state that was already set by WithReadonly() during construction. This creates a dual source of truth: instructions are computed from the readonly flag at construction time (in New()), but the actual enforcement value is overridden at Start() time. If a caller passes inconsistent values, the MCP instructions will tell the agent it is in read-only mode while the server actually permits deploy and delete operations, or vice versa. Fix by removing the writeEnabled parameter from Start() entirely. The readonly state is now set exclusively via WithReadonly() at construction time, which is also when instructions are computed. This ensures a single source of truth. Signed-off-by: Elvand Lie <elvandlie@gmail.com>
dbalseiro
force-pushed
the
acr-login-with-sdk
branch
from
6609dd8 to
f8eee8f
Compare
* Add Azure SDK and implement ACR Login * Unify credential loader interface with context support * Add Test. Ensure canceling context works
dbalseiro
force-pushed
the
acr-login-with-sdk
branch
from
f8eee8f to
36255ef
Compare
Collaborator
Author
|
OBE |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
11 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Just for running actions... no need to merge