Skip to content
This repository has been archived by the owner on Nov 1, 2022. It is now read-only.

Support Git over HTTPS with creds from env vars #2470

Merged
merged 5 commits into from
Sep 26, 2019
Merged

Support Git over HTTPS with creds from env vars #2470

merged 5 commits into from
Sep 26, 2019

Conversation

hiddeco
Copy link
Member

@hiddeco hiddeco commented Sep 24, 2019
edited
Loading

This is a rework of #2438, and fixes #2280.

This PR makes supplying HTTP(S) basic auth credentials in the
--git-url secure. Places where the full remote origin were logged
have been modified to only log the Remote.SafeURL() so that the
authentication key is never exposed in the logs.

Securely supplying the credentials without exposing them in the
Flux workload is possible by adding two environment variables (e.g.
GIT_AUTHUSER and GIT_AUTHKEY) to a Kubernetes secret, and using
Kubernetes mechanics to define them in the Flux pod by using an
envFrom. The variables can then be used in --git-url argument as
documented in the Kubernetes documentation1:
--git-url=https://$(GIT_AUTHUSER):$(GIT_AUTHKEY)@github.com/an/example.git

If the --git-url uses a HTTP(S) scheme; the generation of an SSH
private key and the setup of the SSH keyring is now disabled.

This includes changes to the documentation, (generated) example deployments and the Helm chart to offer full support.

stefanprodan
stefanprodan approved these changes Sep 24, 2019
View reviewed changes
Copy link
Member

@stefanprodan stefanprodan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Awesome work on the docs!

@squaremo
Copy link
Member

squaremo commented Sep 25, 2019
edited
Loading

The doc updates are welcome, but some of the changes aren't much to do with supporting HTTPS -- can you split them into a separate commit, at least?

squaremo
squaremo reviewed Sep 25, 2019
View reviewed changes
chart/flux/README.md Show resolved Hide resolved
chart/flux/values.yaml Outdated Show resolved Hide resolved
cmd/fluxd/main.go Show resolved Hide resolved
docs/guides/use-git-https.md Outdated Show resolved Hide resolved
docs/guides/use-git-https.md Outdated Show resolved Hide resolved
go.mod Show resolved Hide resolved
pkg/git/operations.go Outdated Show resolved Hide resolved
@hiddeco hiddeco force-pushed the feature/git-https branch 2 times, most recently from 9bd017a to 95c0ad7 Compare September 25, 2019 13:59
squaremo
squaremo approved these changes Sep 26, 2019
View reviewed changes
Copy link
Member

@squaremo squaremo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you need to explain where <USER> comes from (see individual comment); that done, I think it's good to go.

docs/guides/use-git-https.md Outdated Show resolved Hide resolved
pkg/daemon/daemon.go Outdated Show resolved Hide resolved
@hiddeco hiddeco force-pushed the feature/git-https branch 2 times, most recently from e8c73bc to 4207293 Compare September 26, 2019 10:50
@hiddeco
Support Git over HTTPS with creds from env vars
4200850 
This commit makes supplying HTTP(S) basic auth credentials in the
`--git-url` secure. Places where the full remote origin were logged
have been modified to only log the `Remote.SafeURL()` so that the
authentication key is never exposed in the logs.

Securely supplying the credentials without exposing them in the
Flux workload is possible by adding two environment variables (e.g.
`GIT_AUTHUSER` and `GIT_AUTHKEY`) to a Kubernetes secret, and using
Kubernetes mechanics to define them in the Flux pod by using an
`envFrom`. The variables can then be used in `--git-url` argument as
documented in the Kubernetes documentation[1]:
`--git-url=https://$(GIT_AUTHUSER):$(GIT_AUTHKEY)@github.com/an/example.git`

If the `--git-url` uses a HTTP(S) scheme; the generation of an SSH
private key and the setup of the SSH keyring is now disabled.

Co-Authored-By: Vytautas Maciulskis <vyckou@gmail.com>

[1]: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/#using-environment-variables-inside-of-your-config
@hiddeco
Document git over HTTPS in docs and deployment
35a9f64
@hiddeco
Support environment vars from a secret in chart
65422f4 
To make secure HTTPS configurations using Helm possible, by using
the defined environment variables from the `env.secretName` in the
`git.url`.
@hiddeco
Touch up styling of Helm chart README.md
fd89537
@hiddeco
Improve 'use git over HTTPS' guide
e48def6 
By adding links to various documentation pages from git vendors about
creating a personal access token.
@hiddeco hiddeco merged commit c7146c7 into master Sep 26, 2019
@hiddeco hiddeco deleted the feature/git-https branch September 26, 2019 12:15
@hiddeco hiddeco added this to the 1.15.0 milestone Oct 1, 2019
@ssimk0 ssimk0 mentioned this pull request Dec 6, 2019
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@squaremo squaremo squaremo approved these changes

@stefanprodan stefanprodan stefanprodan approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.15.0
Development

Successfully merging this pull request may close these issues.

https protocol for git support
3 participants
@hiddeco @squaremo @stefanprodan