Add custom CA validation for Git over HTTPS #283
Conversation
phillebaba
force-pushed
the
feature/self-signed-certs
branch
from
ccdc253
to
3ba0e6f
Compare
|
Need to add docs describing how to use this feature and its limitations. |
|
@phillebaba this is different from what I proposed in the issue, like HelmRepositories, the certs files are keys in the auth secret. Why introduce a new field in the API? |
|
Sorry I must have misunderstood you, I will change it to read all the data from the same secret. |
|
I don't see where are we loading the clientCert and clientKey. See https://github.com/fluxcd/image-reflector-controller/blob/main/controllers/imagerepository_controller.go#L281 for an example. |
|
This only implements CA validation so that you can use self signed certs. It does not implement client certificate authentication. |
phillebaba
force-pushed
the
feature/self-signed-certs
branch
from
3ba0e6f
to
3b894ce
Compare
| @@ -57,26 +61,49 @@ func (s *BasicAuth) Method(secret corev1.Secret) (*common.Auth, error) { | |||
| if d, ok := secret.Data["password"]; ok { | |||
| password = string(d) | |||
| } | |||
| if username == "" || password == "" { | |||
| return nil, fmt.Errorf("invalid '%s' secret data: required fields 'username' and 'password'", secret.Name) | |||
| if username != "" && password != "" { | |||
There was a problem hiding this comment.
This behavior change is needed as it should be possible to have cert validation on repositories with no authentication. This will change libgit2 behavior to not throw an error if username and password are missing if a secret is specified.
phillebaba
force-pushed
the
feature/self-signed-certs
branch
from
3b894ce
to
94a2e23
Compare
|
@phillebaba this doesn’t fixes the issue, it addresses only the CA, please change the description. Thanks |
|
Sure I will change it so it does not close the issue, as it only solved half of the issue. Has anyone requested client certificate authentication or is just a feature that is needed to match fluxv1 functionality. I do not think we will be able to implement the second half of the feature any time soon judging by this issue. |
phillebaba
changed the title
stefanprodan
changed the title
phillebaba
force-pushed
the
feature/self-signed-certs
branch
2 times, most recently
from
8abbc99
to
8a38d10
Compare
phillebaba
force-pushed
the
feature/self-signed-certs
branch
from
8a38d10
to
233d8d8
Compare
phillebaba
force-pushed
the
feature/self-signed-certs
branch
2 times, most recently
from
3b124f0
to
27dad1d
Compare
phillebaba
force-pushed
the
feature/self-signed-certs
branch
from
27dad1d
to
306880d
Compare
phillebaba
force-pushed
the
feature/self-signed-certs
branch
from
306880d
to
fb27457
Compare
phillebaba
force-pushed
the
feature/self-signed-certs
branch
from
fb27457
to
d5dd344
Compare
Signed-off-by: Philip Laine <philip.laine@gmail.com>
phillebaba
force-pushed
the
feature/self-signed-certs
branch
from
d5dd344
to
c063484
Compare
Adds the option to pass a
caFilevalue in the credential secret to allow the use of self signed certificates. This feature will only work with the libgit2 https transport implementation as it has a certificate callback which allows for custom x509 certificate validation when the system is not able to. All other implementations will return an error if a user attempts to set a value forcaFilein the secret.