libgit2: refactor feature managed transport usage

api/v1beta2/condition_types.go

@@ -100,4 +100,8 @@ const (
 
 	// CacheOperationFailedReason signals a failure in cache operation.
 	CacheOperationFailedReason string = "CacheOperationFailed"
+
+	// ControllerMisbehaviorReason signals a failure caused by misbehavior/
+	// UB of the controller.
+	ControllerMisbehaviorReason string = "ControllerMisbehavior"
 )

controllers/gitrepository_controller.go

@@ -55,7 +55,6 @@ import (
 	"github.com/fluxcd/source-controller/internal/reconcile/summarize"
 	"github.com/fluxcd/source-controller/internal/util"
 	"github.com/fluxcd/source-controller/pkg/git"
-	"github.com/fluxcd/source-controller/pkg/git/libgit2/managed"
 	"github.com/fluxcd/source-controller/pkg/git/strategy"
 	"github.com/fluxcd/source-controller/pkg/sourceignore"
 )
@@ -113,8 +112,9 @@ type GitRepositoryReconciler struct {
 	kuberecorder.EventRecorder
 	helper.Metrics
 
-	Storage        *Storage
-	ControllerName string
+	Storage                    *Storage
+	ControllerName             string
+	ManagedTransportRegistered bool
 
 	requeueDependency time.Duration
 	features          map[string]bool
@@ -142,7 +142,12 @@ func (r *GitRepositoryReconciler) SetupWithManagerAndOptions(mgr ctrl.Manager, o
 	}
 
 	// Check and enable gated features.
-	if oc, _ := features.Enabled(features.OptimizedGitClones); oc {
+	mt, _ := features.Enabled(features.GitManagedTransport)
+	if mt {
+		r.features[features.GitManagedTransport] = true
+	}
+	// OptimizedGitClones is only supported when GitManagedTransport is enabled.
+	if oc, _ := features.Enabled(features.OptimizedGitClones); oc && mt {
 		r.features[features.OptimizedGitClones] = true
 	}
 
@@ -714,6 +719,40 @@ func (r *GitRepositoryReconciler) gitCheckout(ctx context.Context,
 		checkoutOpts.SemVer = ref.SemVer
 	}
 
+	// managed GIT transport only affects the libgit2 implementation
+	if enabled, ok := r.features[features.GitManagedTransport]; ok && enabled &&
+		obj.Spec.GitImplementation == sourcev1.LibGit2Implementation {
+		// We return a stalling error if managed transport isn't registered and the related
+		// feature is enabled, since the controller can't recover from this.
+		if !r.ManagedTransportRegistered {
+			e := &serror.Stalling{
+				Err:    errors.New("invalid state: GitManagedTransport is enabled but managed transport isn't registered"),
+				Reason: sourcev1.ControllerMisbehaviorReason,
+			}
+			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
+			return nil, e
+		}
+
+		// We set the TransportOptionsURL of this set of authentication options here by constructing
+		// a unique URL that won't clash in a multi tenant environment. This unique URL is used by
+		// libgit2 managed transport. This enables us to bypass the inbuilt credentials callback in
+		// libgit2, which is inflexible and unstable.
+		if strings.HasPrefix(obj.Spec.URL, "http") {
+			authOpts.TransportOptionsURL = fmt.Sprintf("http://%s/%s/%d", obj.Name, obj.UID, obj.Generation)
+		} else if strings.HasPrefix(obj.Spec.URL, "ssh") {
+			authOpts.TransportOptionsURL = fmt.Sprintf("ssh://%s/%s/%d", obj.Name, obj.UID, obj.Generation)
+		} else {
+			e := &serror.Stalling{
+				Err:    fmt.Errorf("git repository URL '%s' has invalid transport type, supported types are: http, https, ssh", obj.Spec.URL),
+				Reason: sourcev1.URLInvalidReason,
+			}
+			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
+			return nil, e
+		}
+
+		checkoutOpts.Managed = true
+	}
+
 	// Only if the object has an existing artifact in storage, attempt to
 	// short-circuit clone operation. reconcileStorage has already verified
 	// that the artifact exists.
@@ -738,26 +777,6 @@ func (r *GitRepositoryReconciler) gitCheckout(ctx context.Context,
 		return nil, e
 	}
 
-	// managed GIT transport only affects the libgit2 implementation
-	if managed.Enabled() && obj.Spec.GitImplementation == sourcev1.LibGit2Implementation {
-		// We set the TransportOptionsURL of this set of authentication options here by constructing
-		// a unique URL that won't clash in a multi tenant environment. This unique URL is used by
-		// libgit2 managed transports. This enables us to bypass the inbuilt credentials callback in
-		// libgit2, which is inflexible and unstable.
-		if strings.HasPrefix(obj.Spec.URL, "http") {
-			authOpts.TransportOptionsURL = fmt.Sprintf("http://%s/%s/%d", obj.Name, obj.UID, obj.Generation)
-		} else if strings.HasPrefix(obj.Spec.URL, "ssh") {
-			authOpts.TransportOptionsURL = fmt.Sprintf("ssh://%s/%s/%d", obj.Name, obj.UID, obj.Generation)
-		} else {
-			e := &serror.Stalling{
-				Err:    fmt.Errorf("git repository URL '%s' has invalid transport type, supported types are: http, https, ssh", obj.Spec.URL),
-				Reason: sourcev1.URLInvalidReason,
-			}
-			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
-			return nil, e
-		}
-	}
-
 	commit, err := checkoutStrategy.Checkout(gitCtx, dir, obj.Spec.URL, authOpts)
 	if err != nil {
 		e := serror.NewGeneric(

controllers/gitrepository_controller_test.go

@@ -499,10 +499,11 @@ func TestGitRepositoryReconciler_reconcileSource_authStrategy(t *testing.T) {
 			}
 
 			r := &GitRepositoryReconciler{
-				Client:        builder.Build(),
-				EventRecorder: record.NewFakeRecorder(32),
-				Storage:       testStorage,
-				features:      features.FeatureGates(),
+				Client:                     builder.Build(),
+				EventRecorder:              record.NewFakeRecorder(32),
+				Storage:                    testStorage,
+				ManagedTransportRegistered: true,
+				features:                   features.FeatureGates(),
 			}
 
 			for _, i := range testGitImplementations {
@@ -697,10 +698,11 @@ func TestGitRepositoryReconciler_reconcileSource_checkoutStrategy(t *testing.T)
 	}
 
 	r := &GitRepositoryReconciler{
-		Client:        fakeclient.NewClientBuilder().WithScheme(runtime.NewScheme()).Build(),
-		EventRecorder: record.NewFakeRecorder(32),
-		Storage:       testStorage,
-		features:      features.FeatureGates(),
+		Client:                     fakeclient.NewClientBuilder().WithScheme(runtime.NewScheme()).Build(),
+		EventRecorder:              record.NewFakeRecorder(32),
+		Storage:                    testStorage,
+		ManagedTransportRegistered: true,
+		features:                   features.FeatureGates(),
 	}
 
 	for _, tt := range tests {
@@ -922,9 +924,10 @@ func TestGitRepositoryReconciler_reconcileArtifact(t *testing.T) {
 			resetChmod(tt.dir, 0o755, 0o644)
 
 			r := &GitRepositoryReconciler{
-				EventRecorder: record.NewFakeRecorder(32),
-				Storage:       testStorage,
-				features:      features.FeatureGates(),
+				EventRecorder:              record.NewFakeRecorder(32),
+				Storage:                    testStorage,
+				ManagedTransportRegistered: true,
+				features:                   features.FeatureGates(),
 			}
 
 			obj := &sourcev1.GitRepository{
@@ -1065,11 +1068,12 @@ func TestGitRepositoryReconciler_reconcileInclude(t *testing.T) {
 			}
 
 			r := &GitRepositoryReconciler{
-				Client:            builder.Build(),
-				EventRecorder:     record.NewFakeRecorder(32),
-				Storage:           storage,
-				requeueDependency: dependencyInterval,
-				features:          features.FeatureGates(),
+				Client:                     builder.Build(),
+				EventRecorder:              record.NewFakeRecorder(32),
+				Storage:                    storage,
+				ManagedTransportRegistered: true,
+				requeueDependency:          dependencyInterval,
+				features:                   features.FeatureGates(),
 			}
 
 			obj := &sourcev1.GitRepository{
@@ -1237,9 +1241,10 @@ func TestGitRepositoryReconciler_reconcileStorage(t *testing.T) {
 			}()
 
 			r := &GitRepositoryReconciler{
-				EventRecorder: record.NewFakeRecorder(32),
-				Storage:       testStorage,
-				features:      features.FeatureGates(),
+				EventRecorder:              record.NewFakeRecorder(32),
+				Storage:                    testStorage,
+				ManagedTransportRegistered: true,
+				features:                   features.FeatureGates(),
 			}
 
 			obj := &sourcev1.GitRepository{
@@ -1279,9 +1284,10 @@ func TestGitRepositoryReconciler_reconcileDelete(t *testing.T) {
 	g := NewWithT(t)
 
 	r := &GitRepositoryReconciler{
-		EventRecorder: record.NewFakeRecorder(32),
-		Storage:       testStorage,
-		features:      features.FeatureGates(),
+		EventRecorder:              record.NewFakeRecorder(32),
+		Storage:                    testStorage,
+		ManagedTransportRegistered: true,
+		features:                   features.FeatureGates(),
 	}
 
 	obj := &sourcev1.GitRepository{
@@ -1417,9 +1423,10 @@ func TestGitRepositoryReconciler_verifyCommitSignature(t *testing.T) {
 			}
 
 			r := &GitRepositoryReconciler{
-				EventRecorder: record.NewFakeRecorder(32),
-				Client:        builder.Build(),
-				features:      features.FeatureGates(),
+				EventRecorder:              record.NewFakeRecorder(32),
+				Client:                     builder.Build(),
+				ManagedTransportRegistered: true,
+				features:                   features.FeatureGates(),
 			}
 
 			obj := &sourcev1.GitRepository{
@@ -1558,10 +1565,11 @@ func TestGitRepositoryReconciler_ConditionsUpdate(t *testing.T) {
 			builder := fakeclient.NewClientBuilder().WithScheme(testEnv.GetScheme()).WithObjects(obj)
 
 			r := &GitRepositoryReconciler{
-				Client:        builder.Build(),
-				EventRecorder: record.NewFakeRecorder(32),
-				Storage:       testStorage,
-				features:      features.FeatureGates(),
+				Client:                     builder.Build(),
+				EventRecorder:              record.NewFakeRecorder(32),
+				Storage:                    testStorage,
+				ManagedTransportRegistered: true,
+				features:                   features.FeatureGates(),
 			}
 
 			key := client.ObjectKeyFromObject(obj)
@@ -1925,8 +1933,9 @@ func TestGitRepositoryReconciler_notify(t *testing.T) {
 			}
 
 			reconciler := &GitRepositoryReconciler{
-				EventRecorder: recorder,
-				features:      features.FeatureGates(),
+				EventRecorder:              recorder,
+				ManagedTransportRegistered: true,
+				features:                   features.FeatureGates(),
 			}
 			reconciler.notify(ctx, oldObj, newObj, tt.commit, tt.res, tt.resErr)
 

controllers/suite_test.go

@@ -190,35 +190,36 @@ func TestMain(m *testing.M) {
 	var err error
 	testServer, err = testserver.NewTempArtifactServer()
 	if err != nil {
-		panic(fmt.Sprintf("Failed to create a temporary storage server: %v", err))
+		panic(fmt.Sprintf("failed to create a temporary storage server: %v", err))
 	}
 	fmt.Println("Starting the test storage server")
 	testServer.Start()
 
 	testStorage, err = newTestStorage(testServer.HTTPServer)
 	if err != nil {
-		panic(fmt.Sprintf("Failed to create a test storage: %v", err))
+		panic(fmt.Sprintf("failed to create a test storage: %v", err))
 	}
 
 	testMetricsH = controller.MustMakeMetrics(testEnv)
 
 	testRegistryServer, err = setupRegistryServer(ctx)
 	if err != nil {
-		panic(fmt.Sprintf("Failed to create a test registry server: %v", err))
+		panic(fmt.Sprintf("failed to create a test registry server: %v", err))
 	}
 
 	fg := feathelper.FeatureGates{}
 	fg.SupportedFeatures(features.FeatureGates())
 	managed.InitManagedTransport(logr.Discard())
 
 	if err := (&GitRepositoryReconciler{
-		Client:        testEnv,
-		EventRecorder: record.NewFakeRecorder(32),
-		Metrics:       testMetricsH,
-		Storage:       testStorage,
-		features:      features.FeatureGates(),
+		Client:                     testEnv,
+		EventRecorder:              record.NewFakeRecorder(32),
+		Metrics:                    testMetricsH,
+		Storage:                    testStorage,
+		ManagedTransportRegistered: true,
+		features:                   features.FeatureGates(),
 	}).SetupWithManager(testEnv); err != nil {
-		panic(fmt.Sprintf("Failed to start GitRepositoryReconciler: %v", err))
+		panic(fmt.Sprintf("failed to start GitRepositoryReconciler: %v", err))
 	}
 
 	if err := (&BucketReconciler{
@@ -227,7 +228,7 @@ func TestMain(m *testing.M) {
 		Metrics:       testMetricsH,
 		Storage:       testStorage,
 	}).SetupWithManager(testEnv); err != nil {
-		panic(fmt.Sprintf("Failed to start BucketReconciler: %v", err))
+		panic(fmt.Sprintf("failed to start BucketReconciler: %v", err))
 	}
 
 	if err := (&HelmRepositoryReconciler{
@@ -237,7 +238,7 @@ func TestMain(m *testing.M) {
 		Getters:       testGetters,
 		Storage:       testStorage,
 	}).SetupWithManager(testEnv); err != nil {
-		panic(fmt.Sprintf("Failed to start HelmRepositoryReconciler: %v", err))
+		panic(fmt.Sprintf("failed to start HelmRepositoryReconciler: %v", err))
 	}
 
 	if err = (&HelmRepositoryOCIReconciler{
@@ -247,7 +248,7 @@ func TestMain(m *testing.M) {
 		Getters:                 testGetters,
 		RegistryClientGenerator: registry.ClientGenerator,
 	}).SetupWithManager(testEnv); err != nil {
-		panic(fmt.Sprintf("Failed to start HelmRepositoryOCIReconciler: %v", err))
+		panic(fmt.Sprintf("failed to start HelmRepositoryOCIReconciler: %v", err))
 	}
 
 	testCache = cache.New(5, 1*time.Second)
@@ -262,13 +263,13 @@ func TestMain(m *testing.M) {
 		TTL:           1 * time.Second,
 		CacheRecorder: cacheRecorder,
 	}).SetupWithManager(testEnv); err != nil {
-		panic(fmt.Sprintf("Failed to start HelmRepositoryReconciler: %v", err))
+		panic(fmt.Sprintf("failed to start HelmRepositoryReconciler: %v", err))
 	}
 
 	go func() {
 		fmt.Println("Starting the test environment")
 		if err := testEnv.Start(ctx); err != nil {
-			panic(fmt.Sprintf("Failed to start the test environment manager: %v", err))
+			panic(fmt.Sprintf("failed to start the test environment manager: %v", err))
 		}
 	}()
 	<-testEnv.Manager.Elected()
@@ -277,17 +278,17 @@ func TestMain(m *testing.M) {
 
 	fmt.Println("Stopping the test environment")
 	if err := testEnv.Stop(); err != nil {
-		panic(fmt.Sprintf("Failed to stop the test environment: %v", err))
+		panic(fmt.Sprintf("failed to stop the test environment: %v", err))
 	}
 
 	fmt.Println("Stopping the storage server")
 	testServer.Stop()
 	if err := os.RemoveAll(testServer.Root()); err != nil {
-		panic(fmt.Sprintf("Failed to remove storage server dir: %v", err))
+		panic(fmt.Sprintf("failed to remove storage server dir: %v", err))
 	}
 
 	if err := os.RemoveAll(testRegistryServer.workspaceDir); err != nil {
-		panic(fmt.Sprintf("Failed to remove registry workspace dir: %v", err))
+		panic(fmt.Sprintf("failed to remove registry workspace dir: %v", err))
 	}
 
 	os.Exit(code)

internal/features/features.go

@@ -65,11 +65,3 @@ func FeatureGates() map[string]bool {
 func Enabled(feature string) (bool, error) {
 	return feathelper.Enabled(feature)
 }
-
-// Disable disables the specified feature. If the feature is not
-// present, it's a no-op.
-func Disable(feature string) {
-	if _, ok := features[feature]; ok {
-		features[feature] = false
-	}
-}