Implement Git HTTP authentication

This commit is contained in:
stefanprodan 2020-04-11 12:14:16 +03:00
parent e2d28296e1
commit bbc25c3de0
5 changed files with 75 additions and 1 deletions

View File

@ -43,4 +43,8 @@ const (
// URLInvalidReason represents the fact that a given source has an invalid URL.
URLInvalidReason string = "URLInvalid"
// AuthenticationFailedReason represents the fact that a given secret doesn't
// have the required fields or the provided credentials don't match.
AuthenticationFailedReason string = "AuthenticationFailed"
)

View File

@ -17,6 +17,7 @@ limitations under the License.
package v1alpha1
import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
@ -27,6 +28,12 @@ type GitRepositorySpec struct {
// +required
URL string `json:"url"`
// The secret name containing the Git credentials.
// For HTTPS repositories the secret must contain username and password fields.
// For SSH repositories the secret must contain identity, identity.pub and known_hosts fields.
// +optional
SecretRef *corev1.LocalObjectReference `json:"secretRef,omitempty"`
// The interval at which to check for repository updates.
// +required
Interval metav1.Duration `json:"interval"`

View File

@ -21,6 +21,7 @@ limitations under the License.
package v1alpha1
import (
"k8s.io/api/core/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
)
@ -101,6 +102,11 @@ func (in *GitRepositoryRef) DeepCopy() *GitRepositoryRef {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitRepositorySpec) DeepCopyInto(out *GitRepositorySpec) {
*out = *in
if in.SecretRef != nil {
in, out := &in.SecretRef, &out.SecretRef
*out = new(v1.LocalObjectReference)
**out = **in
}
out.Interval = in.Interval
if in.Reference != nil {
in, out := &in.Reference, &out.Reference

View File

@ -71,6 +71,17 @@ spec:
description: The git tag to checkout, takes precedence over branch.
type: string
type: object
secretRef:
description: The secret name containing the Git credentials. For HTTPS
repositories the secret must contain username and password fields.
For SSH repositories the secret must contain identity, identity.pub
and known_hosts fields.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
url:
description: The repository URL, can be a HTTP or SSH address.
pattern: ^(http|https|ssh)://

View File

@ -27,10 +27,13 @@ import (
"github.com/blang/semver"
"github.com/go-git/go-git/v5"
"github.com/go-git/go-git/v5/plumbing"
"github.com/go-git/go-git/v5/plumbing/transport"
"github.com/go-git/go-git/v5/plumbing/transport/http"
"github.com/go-logr/logr"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/types"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/event"
@ -150,6 +153,12 @@ func (r *GitRepositoryReconciler) sync(repository sourcev1.GitRepository) (sourc
}
}
auth, err := r.auth(repository)
if err != nil {
err = fmt.Errorf("auth error %w", err)
return NotReadyCondition(sourcev1.AuthenticationFailedReason, err.Error()), "", err
}
// create tmp dir
dir, err := ioutil.TempDir("", repository.Name)
if err != nil {
@ -161,7 +170,7 @@ func (r *GitRepositoryReconciler) sync(repository sourcev1.GitRepository) (sourc
// clone to tmp
repo, err := git.PlainClone(dir, false, &git.CloneOptions{
URL: repository.Spec.URL,
Auth: nil,
Auth: auth,
RemoteName: "origin",
ReferenceName: refName,
SingleBranch: true,
@ -319,3 +328,40 @@ func (r *GitRepositoryReconciler) gc(repository sourcev1.GitRepository) {
}
}
}
func (r *GitRepositoryReconciler) auth(repository sourcev1.GitRepository) (transport.AuthMethod, error) {
if repository.Spec.SecretRef == nil {
return nil, nil
}
name := types.NamespacedName{
Namespace: repository.GetNamespace(),
Name: repository.Spec.SecretRef.Name,
}
var secret corev1.Secret
err := r.Client.Get(context.TODO(), name, &secret)
if err != nil {
return nil, err
}
credentials := secret.Data
// extract HTTP credentials
if strings.HasPrefix(repository.Spec.URL, "http") {
auth := &http.BasicAuth{}
if username, ok := credentials["username"]; ok {
auth.Username = string(username)
} else {
return nil, fmt.Errorf("%s secret does not contain a username", repository.Spec.SecretRef.Name)
}
if password, ok := credentials["password"]; ok {
auth.Password = string(password)
} else {
return nil, fmt.Errorf("%s secret does not contain a password", repository.Spec.SecretRef.Name)
}
return auth, nil
}
return nil, nil
}