[RFC-007] Implement GitHub app authentication for git repositories in IAC

- Controller change to use the GitHub authentication information specified in Git Repository's `.spec.secretRef` to create the auth options to authenticate to git repositories when the `provider` field is set to `github`, - Tests for new `github` provider field in IAC - Updated docs to use GitHub Apps for authentication in image-automation-controller. Signed-off-by: Dipti Pai <diptipai89@outlook.com>
2024-10-31 14:26:05 -07:00 · 2024-10-31 14:26:05 -07:00 · f03a53d73e
parent 4bdd80f0d5
commit f03a53d73e
3 changed files with 114 additions and 9 deletions
--- a/docs/spec/v1beta2/imageupdateautomations.md
+++ b/docs/spec/v1beta2/imageupdateautomations.md
@ -257,6 +257,13 @@ patches:
              azure.workload.identity/use: "true"
 ```
 ##### GitHub
 If the provider is set to `github`, make sure the GitHub App is registered and
 installed with the necessary permissions and the github app secret is configured
 as described
 [here](https://fluxcd.io/flux/components/source/gitrepositories/#github).
 ### Git specification
 `.spec.git` is a required field to specify Git configurations related to source
--- a/internal/source/git.go
+++ b/internal/source/git.go
@ -32,6 +32,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/pkg/auth/azure"
 	"github.com/fluxcd/pkg/auth/github"
 	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/pkg/git/gogit"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
@ -181,13 +182,30 @@ func getAuthOpts(ctx context.Context, c client.Client, repo *sourcev1.GitReposit
 		return nil, fmt.Errorf("failed to configure authentication options: %w", err)
 	}
-	if repo.GetProvider() == sourcev1.GitProviderAzure {
+	switch repo.GetProvider() {
 	case sourcev1.GitProviderAzure:
 		opts.ProviderOpts = &git.ProviderOptions{
 			Name: sourcev1.GitProviderAzure,
 			AzureOpts: []azure.OptFunc{
 				azure.WithAzureDevOpsScope(),
 			},
 		}
 	case sourcev1.GitProviderGitHub:
 		// if provider is github, but secret ref is not specified
 		if repo.Spec.SecretRef == nil {
 			return nil, fmt.Errorf("secretRef with github app data must be specified when provider is set to github: %w", ErrInvalidSourceConfiguration)
 		}
 		opts.ProviderOpts = &git.ProviderOptions{
 			Name: sourcev1.GitProviderGitHub,
 			GitHubOpts: []github.OptFunc{
 				github.WithAppData(data),
 			},
 		}
 	default:
 		// analyze secret, if it has github app data, perhaps provider should have been github.
 		if appID := data[github.AppIDKey]; len(appID) != 0 {
 			return nil, fmt.Errorf("secretRef '%s/%s' has github app data but provider is not set to github: %w", repo.GetNamespace(), repo.Spec.SecretRef.Name, ErrInvalidSourceConfiguration)
 		}
 	}
 	return opts, nil
--- a/internal/source/git_test.go
+++ b/internal/source/git_test.go
@ -18,6 +18,7 @@ package source
 import (
 	"context"
 	"errors"
 	"fmt"
 	"testing"
 	"time"
@ -34,6 +35,7 @@ import (
 	imagev1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
 	"github.com/fluxcd/image-automation-controller/internal/testutil"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/auth/github"
 	"github.com/fluxcd/pkg/git"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )
@ -141,49 +143,127 @@ func Test_getAuthOpts(t *testing.T) {
 func Test_getAuthOpts_providerAuth(t *testing.T) {
 	tests := []struct {
 		name                 string
 		url                  string
 		secret               *corev1.Secret
 		beforeFunc           func(obj *sourcev1.GitRepository)
 		wantProviderOptsName string
 		wantErr              error
 	}{
 		{
 			name: "azure provider",
 			url:  "https://dev.azure.com/foo/bar/_git/baz",
 			beforeFunc: func(obj *sourcev1.GitRepository) {
 				obj.Spec.Provider = sourcev1.GitProviderAzure
 			},
 			wantProviderOptsName: sourcev1.GitProviderAzure,
 		},
 		{
 			name: "github provider with no secret ref",
 			url:  "https://github.com/org/repo.git",
 			beforeFunc: func(obj *sourcev1.GitRepository) {
 				obj.Spec.Provider = sourcev1.GitProviderGitHub
 			},
 			wantProviderOptsName: sourcev1.GitProviderGitHub,
 			wantErr:              errors.New("secretRef with github app data must be specified when provider is set to github: invalid source configuration"),
 		},
 		{
 			name: "github provider with secret ref that does not exist",
 			url:  "https://github.com/org/repo.git",
 			beforeFunc: func(obj *sourcev1.GitRepository) {
 				obj.Spec.Provider = sourcev1.GitProviderGitHub
 				obj.Spec.SecretRef = &meta.LocalObjectReference{
 					Name: "githubAppSecret",
 				}
 			},
 			wantErr: errors.New("failed to get auth secret '/githubAppSecret': secrets \"githubAppSecret\" not found"),
 		},
 		{
 			name: "github provider with github app data in secret",
 			url:  "https://example.com/org/repo",
 			secret: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "githubAppSecret",
 				},
 				Data: map[string][]byte{
 					github.AppIDKey:             []byte("123"),
 					github.AppInstallationIDKey: []byte("456"),
 					github.AppPrivateKey:        []byte("abc"),
 				},
 			},
 			beforeFunc: func(obj *sourcev1.GitRepository) {
 				obj.Spec.Provider = sourcev1.GitProviderGitHub
 				obj.Spec.SecretRef = &meta.LocalObjectReference{
 					Name: "githubAppSecret",
 				}
 			},
 			wantProviderOptsName: sourcev1.GitProviderGitHub,
 		},
 		{
 			name: "generic provider with github app data in secret",
 			url:  "https://example.com/org/repo",
 			secret: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "githubAppSecret",
 				},
 				Data: map[string][]byte{
 					github.AppIDKey: []byte("123"),
 				},
 			},
 			beforeFunc: func(obj *sourcev1.GitRepository) {
 				obj.Spec.Provider = sourcev1.GitProviderGeneric
 				obj.Spec.SecretRef = &meta.LocalObjectReference{
 					Name: "githubAppSecret",
 				}
 			},
 			wantErr: errors.New("secretRef '/githubAppSecret' has github app data but provider is not set to github: invalid source configuration"),
 		},
 		{
 			name: "generic provider",
 			url:  "https://example.com/org/repo",
 			beforeFunc: func(obj *sourcev1.GitRepository) {
 				obj.Spec.Provider = sourcev1.GitProviderGeneric
 			},
 		},
 		{
 			name: "no provider",
 			url:  "https://example.com/org/repo",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			g := NewWithT(t)
 			clientBuilder := fakeclient.NewClientBuilder().
 				WithScheme(scheme.Scheme).
 				WithStatusSubresource(&sourcev1.GitRepository{})
 			if tt.secret != nil {
 				clientBuilder.WithObjects(tt.secret)
 			}
 			c := clientBuilder.Build()
 			obj := &sourcev1.GitRepository{
 				Spec: sourcev1.GitRepositorySpec{
-					URL: "https://dev.azure.com/foo/bar/_git/baz",
+					URL: tt.url,
 				},
 			}
 			if tt.beforeFunc != nil {
 				tt.beforeFunc(obj)
 			}
-			opts, err := getAuthOpts(context.TODO(), nil, obj)
+			opts, err := getAuthOpts(context.TODO(), c, obj)
-			g.Expect(err).ToNot(HaveOccurred())
+			if tt.wantErr != nil {
-			g.Expect(opts).ToNot(BeNil())
+				g.Expect(err).To(HaveOccurred())
-			if tt.wantProviderOptsName != "" {
+				g.Expect(err.Error()).To(ContainSubstring(tt.wantErr.Error()))
 				g.Expect(opts.ProviderOpts).ToNot(BeNil())
 				g.Expect(opts.ProviderOpts.Name).To(Equal(tt.wantProviderOptsName))
 			} else {
-				g.Expect(opts.ProviderOpts).To(BeNil())
+				g.Expect(err).ToNot(HaveOccurred())
 				g.Expect(opts).ToNot(BeNil())
 				if tt.wantProviderOptsName != "" {
 					g.Expect(opts.ProviderOpts).ToNot(BeNil())
 					g.Expect(opts.ProviderOpts.Name).To(Equal(tt.wantProviderOptsName))
 				} else {
 					g.Expect(opts.ProviderOpts).To(BeNil())
 				}
 			}
 		})
 	}