Add cabundle tls support for git repo comms

.vscode/launch.json

@@ -23,13 +23,14 @@
             "program": "${workspaceFolder}/cmd/porch/main.go",
             "args": [
                 "--secure-port=9443",
-                "--v=7",
+                "--v=6",
                 "--standalone-debug-mode",
-                "--kubeconfig=${workspaceFolder}/deployments/local/kubeconfig",
+                "--kubeconfig=${userHome}/.kube/kind-porch-test",
                 "--cache-directory=${workspaceFolder}/.cache",
-                "--function-runner=192.168.8.202:9445"
+                "--function-runner=172.18.255.202:9445",
+                "--use-git-cabundle=true"
             ],
-            "cwd": "${workspaceFolder}"
+            "cwd": "${workspaceFolder}",
         },
         {
             "name": "Launch Func Client",

pkg/apiserver/apiserver.go

@@ -79,6 +79,7 @@ type ExtraConfig struct {
 	FunctionRunnerAddress string
 	DefaultImagePrefix    string
 	RepoSyncFrequency     time.Duration
+	UseGitCaBundle        bool
 }
 
 // Config defines the config for the apiserver
@@ -212,6 +213,7 @@ func (c completedConfig) New() (*PorchServer, error) {
 
 	resolverChain := []porch.Resolver{
 		porch.NewBasicAuthResolver(),
+		porch.NewCaBundleResolver(),
 		porch.NewGcloudWIResolver(coreV1Client, stsClient),
 	}
 
@@ -223,7 +225,7 @@ func (c completedConfig) New() (*PorchServer, error) {
 
 	watcherMgr := engine.NewWatcherManager()
 
-	cache := cache.NewCache(c.ExtraConfig.CacheDirectory, c.ExtraConfig.RepoSyncFrequency, cache.CacheOptions{
+	cache := cache.NewCache(c.ExtraConfig.CacheDirectory, c.ExtraConfig.RepoSyncFrequency, c.ExtraConfig.UseGitCaBundle, cache.CacheOptions{
 		CredentialResolver: credentialResolver,
 		UserInfoProvider:   userInfoProvider,
 		MetadataStore:      metadataStore,

pkg/cache/cache.go

@@ -51,6 +51,7 @@ type Cache struct {
 	metadataStore      meta.MetadataStore
 	repoSyncFrequency  time.Duration
 	objectNotifier     objectNotifier
+	useGitCaBundle     bool
 }
 
 type objectNotifier interface {
@@ -64,7 +65,7 @@ type CacheOptions struct {
 	ObjectNotifier     objectNotifier
 }
 
-func NewCache(cacheDir string, repoSyncFrequency time.Duration, opts CacheOptions) *Cache {
+func NewCache(cacheDir string, repoSyncFrequency time.Duration, useGitCaBundle bool, opts CacheOptions) *Cache {
 	return &Cache{
 		repositories:       make(map[string]*cachedRepository),
 		cacheDir:           cacheDir,
@@ -73,6 +74,7 @@ func NewCache(cacheDir string, repoSyncFrequency time.Duration, opts CacheOption
 		metadataStore:      opts.MetadataStore,
 		objectNotifier:     opts.ObjectNotifier,
 		repoSyncFrequency:  repoSyncFrequency,
+		useGitCaBundle:     useGitCaBundle,
 	}
 }
 
@@ -136,6 +138,7 @@ func (c *Cache) OpenRepository(ctx context.Context, repositorySpec *configapi.Re
 				CredentialResolver: c.credentialResolver,
 				UserInfoProvider:   c.userInfoProvider,
 				MainBranchStrategy: mbs,
+				UseGitCaBundle:     c.useGitCaBundle,
 			}); err != nil {
 				return nil, err
 			} else {

pkg/cache/cache_test.go

@@ -135,7 +135,7 @@ func openRepositoryFromArchive(t *testing.T, ctx context.Context, testPath, name
 	repo, address := git.ServeGitRepository(t, tarfile, tempdir)
 	metadataStore := createMetadataStoreFromArchive(t, "", "")
 
-	cache := NewCache(t.TempDir(), 60*time.Second, CacheOptions{
+	cache := NewCache(t.TempDir(), 60*time.Second, false, CacheOptions{
 		MetadataStore:  metadataStore,
 		ObjectNotifier: &fakecache.ObjectNotifier{},
 	})

pkg/cmd/server/start.go

@@ -56,6 +56,7 @@ type PorchServerOptions struct {
 	FunctionRunnerAddress    string
 	DefaultImagePrefix       string
 	RepoSyncFrequency        time.Duration
+	UseGitCaBundle           bool
 
 	SharedInformerFactory informers.SharedInformerFactory
 	StdOut                io.Writer
@@ -189,6 +190,7 @@ func (o *PorchServerOptions) Config() (*apiserver.Config, error) {
 			RepoSyncFrequency:     o.RepoSyncFrequency,
 			FunctionRunnerAddress: o.FunctionRunnerAddress,
 			DefaultImagePrefix:    o.DefaultImagePrefix,
+			UseGitCaBundle:        o.UseGitCaBundle,
 		},
 	}
 	return config, nil
@@ -234,5 +236,6 @@ func (o *PorchServerOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&o.FunctionRunnerAddress, "function-runner", "", "Address of the function runner gRPC service.")
 	fs.StringVar(&o.DefaultImagePrefix, "default-image-prefix", "gcr.io/kpt-fn/", "Default prefix for unqualified function names")
 	fs.StringVar(&o.CacheDirectory, "cache-directory", "", "Directory where Porch server stores repository and package caches.")
+	fs.BoolVar(&o.UseGitCaBundle, "use-git-cabundle", false, "Determine whether to use a user-defined CaBundle for TLS towards git.")
 	fs.DurationVar(&o.RepoSyncFrequency, "repo-sync-frequency", 60*time.Second, "Frequency in seconds at which registered repositories will be synced.")
 }

pkg/engine/clone_test.go

@@ -170,6 +170,11 @@ type credential struct {
 	username, password string
 }
 
+// ToString implements repository.Credential.
+func (c *credential) ToString() string {
+	panic("unimplemented")
+}
+
 func (c *credential) Valid() bool {
 	return true
 }

pkg/git/git.go

@@ -71,6 +71,7 @@ type GitRepositoryOptions struct {
 	CredentialResolver repository.CredentialResolver
 	UserInfoProvider   repository.UserInfoProvider
 	MainBranchStrategy MainBranchStrategy
+	UseGitCaBundle     bool
 }
 
 func OpenRepository(ctx context.Context, name, namespace string, spec *configapi.GitRepository, deployment bool, root string, opts GitRepositoryOptions) (GitRepository, error) {
@@ -138,6 +139,14 @@ func OpenRepository(ctx context.Context, name, namespace string, spec *configapi
 		deployment:         deployment,
 	}
 
+	if opts.UseGitCaBundle {
+		if caBundle, err := opts.CredentialResolver.ResolveCredential(ctx, namespace, namespace + "-ca-bundle"); err != nil {
+			klog.Errorf("failed to obtain caBundle from secret %s/%s: %v", namespace, namespace + "-ca-bundle", err)
+		} else {
+			repository.caBundle = []byte(caBundle.ToString())
+		}
+	}
+
 	if err := repository.fetchRemoteRepository(ctx); err != nil {
 		return nil, err
 	}
@@ -178,6 +187,9 @@ type gitRepository struct {
 	deletionProposedCache map[BranchName]bool
 
 	mutex sync.Mutex
+
+	// caBundle to use for TLS communication towards git
+	caBundle []byte
 }
 
 var _ GitRepository = &gitRepository{}
@@ -884,6 +896,7 @@ func (r *gitRepository) fetchRemoteRepository(ctx context.Context) error {
 			RemoteName: OriginName,
 			Auth:       auth,
 			Prune:      true,
+			CABundle:   r.caBundle,
 		})
 	}); err {
 	case nil: // OK
@@ -1007,6 +1020,7 @@ func (r *gitRepository) createPackageDeleteCommit(ctx context.Context, branch pl
 			RefSpecs:   []config.RefSpec{config.RefSpec(fmt.Sprintf("+%s:%s", local, branch))},
 			Auth:       auth,
 			Tags:       git.NoTags,
+			CABundle:   r.caBundle,
 		})
 	}); err {
 	case nil, git.NoErrAlreadyUpToDate:
@@ -1082,6 +1096,7 @@ func (r *gitRepository) pushAndCleanup(ctx context.Context, ph *pushRefSpecBuild
 			RequireRemoteRefs: require,
 			// TODO(justinsb): Need to ensure this is a compare-and-swap
 			Force: true,
+			CABundle:          r.caBundle,
 		})
 	}); err != nil {
 		return err
@@ -1609,6 +1624,7 @@ func (r *gitRepository) commitPackageToMain(ctx context.Context, d *gitPackageDr
 			RemoteName: OriginName,
 			RefSpecs:   []config.RefSpec{branch.ForceFetchSpec()},
 			Auth:       auth,
+			CABundle:   r.caBundle,
 		})
 	}); err {
 	case nil, git.NoErrAlreadyUpToDate:

pkg/registry/porch/secret.go

@@ -34,12 +34,15 @@ import (
 )
 
 const (
-	// Values for scret types supported by porch.
+	// Values for secret types supported by porch.
 	BasicAuthType            = core.SecretTypeBasicAuth
 	WorkloadIdentityAuthType = "kpt.dev/workload-identity-auth"
 
 	// Annotation used to specify the gsa for a ksa.
-	WIGCPSAAnnotation = "iam.gke.io/gcp-service-account"
+	WIGCPSAAnnotation        = "iam.gke.io/gcp-service-account"
+
+	//Secret.Data key required for the caBundle
+	CaBundleDataName         = "ca.crt"
 )
 
 func NewCredentialResolver(coreClient client.Reader, resolverChain []Resolver) repository.CredentialResolver {
@@ -123,6 +126,10 @@ type BasicAuthCredential struct {
 	Password string
 }
 
+func (b *BasicAuthCredential) ToString() string {
+	panic("unimplemented")
+}
+
 var _ repository.Credential = &BasicAuthCredential{}
 
 func (b *BasicAuthCredential) Valid() bool {
@@ -136,6 +143,42 @@ func (b *BasicAuthCredential) ToAuthMethod() transport.AuthMethod {
 	}
 }
 
+func NewCaBundleResolver() Resolver {
+	return &CaBundleResolver{}
+}
+
+var _ Resolver = &CaBundleResolver{}
+
+type CaBundleResolver struct{}
+
+func (c *CaBundleResolver) Resolve(_ context.Context, secret core.Secret) (repository.Credential, bool, error) {
+	if secret.Data[CaBundleDataName] == nil {
+		return nil, false, fmt.Errorf("CaBundle secret.Data key must be set as %s", CaBundleDataName)
+	}
+
+	return &CaBundleCredential{
+		CaBundle: string(secret.Data[CaBundleDataName]),
+	}, true, nil
+}
+
+type CaBundleCredential struct {
+	CaBundle string
+}
+
+func (c *CaBundleCredential) ToString() string {
+	return c.CaBundle
+}
+
+var _ repository.Credential = &CaBundleCredential{}
+
+func (c *CaBundleCredential) Valid() bool {
+	return true
+}
+
+func (c *CaBundleCredential) ToAuthMethod() transport.AuthMethod {
+	panic("unimplemented")
+}
+
 func NewGcloudWIResolver(corev1Client *corev1client.CoreV1Client, stsClient *stsv1.Service) Resolver {
 	return &GcloudWIResolver{
 		coreV1Client: corev1Client,
@@ -213,6 +256,10 @@ type GcloudWICredential struct {
 	token *oauth2.Token
 }
 
+func (b *GcloudWICredential) ToString() string {
+	panic("unimplemented")
+}
+
 var _ repository.Credential = &GcloudWICredential{}
 
 func (b *GcloudWICredential) Valid() bool {

pkg/repository/repository.go

@@ -225,6 +225,7 @@ type FunctionRepository interface {
 type Credential interface {
 	Valid() bool
 	ToAuthMethod() transport.AuthMethod
+	ToString() string
 }
 
 type CredentialResolver interface {