Implement Git HTTP authentication

api/v1alpha1/condition_types.go

@@ -43,4 +43,8 @@ const (
 
 	// URLInvalidReason represents the fact that a given source has an invalid URL.
 	URLInvalidReason string = "URLInvalid"
+
+	// AuthenticationFailedReason represents the fact that a given secret doesn't
+	// have the required fields or the provided credentials don't match.
+	AuthenticationFailedReason string = "AuthenticationFailed"
 )

api/v1alpha1/gitrepository_types.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1alpha1
 
 import (
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -27,6 +28,12 @@ type GitRepositorySpec struct {
 	// +required
 	URL string `json:"url"`
 
+	// The secret name containing the Git credentials.
+	// For HTTPS repositories the secret must contain username and password fields.
+	// For SSH repositories the secret must contain identity, identity.pub and known_hosts fields.
+	// +optional
+	SecretRef *corev1.LocalObjectReference `json:"secretRef,omitempty"`
+
 	// The interval at which to check for repository updates.
 	// +required
 	Interval metav1.Duration `json:"interval"`

api/v1alpha1/zz_generated.deepcopy.go

@@ -21,6 +21,7 @@ limitations under the License.
 package v1alpha1
 
 import (
+	"k8s.io/api/core/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
@@ -101,6 +102,11 @@ func (in *GitRepositoryRef) DeepCopy() *GitRepositoryRef {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GitRepositorySpec) DeepCopyInto(out *GitRepositorySpec) {
 	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(v1.LocalObjectReference)
+		**out = **in
+	}
 	out.Interval = in.Interval
 	if in.Reference != nil {
 		in, out := &in.Reference, &out.Reference

config/crd/bases/source.fluxcd.io_gitrepositories.yaml

@@ -71,6 +71,17 @@ spec:
                   description: The git tag to checkout, takes precedence over branch.
                   type: string
               type: object
+            secretRef:
+              description: The secret name containing the Git credentials. For HTTPS
+                repositories the secret must contain username and password fields.
+                For SSH repositories the secret must contain identity, identity.pub
+                and known_hosts fields.
+              properties:
+                name:
+                  description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    TODO: Add other useful fields. apiVersion, kind, uid?'
+                  type: string
+              type: object
             url:
               description: The repository URL, can be a HTTP or SSH address.
               pattern: ^(http|https|ssh)://

controllers/gitrepository_controller.go

@@ -27,10 +27,13 @@ import (
 	"github.com/blang/semver"
 	"github.com/go-git/go-git/v5"
 	"github.com/go-git/go-git/v5/plumbing"
+	"github.com/go-git/go-git/v5/plumbing/transport"
+	"github.com/go-git/go-git/v5/plumbing/transport/http"
 	"github.com/go-logr/logr"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/event"
@@ -150,6 +153,12 @@ func (r *GitRepositoryReconciler) sync(repository sourcev1.GitRepository) (sourc
 		}
 	}
 
+	auth, err := r.auth(repository)
+	if err != nil {
+		err = fmt.Errorf("auth error %w", err)
+		return NotReadyCondition(sourcev1.AuthenticationFailedReason, err.Error()), "", err
+	}
+
 	// create tmp dir
 	dir, err := ioutil.TempDir("", repository.Name)
 	if err != nil {
@@ -161,7 +170,7 @@ func (r *GitRepositoryReconciler) sync(repository sourcev1.GitRepository) (sourc
 	// clone to tmp
 	repo, err := git.PlainClone(dir, false, &git.CloneOptions{
 		URL:               repository.Spec.URL,
-		Auth:              nil,
+		Auth:              auth,
 		RemoteName:        "origin",
 		ReferenceName:     refName,
 		SingleBranch:      true,
@@ -319,3 +328,40 @@ func (r *GitRepositoryReconciler) gc(repository sourcev1.GitRepository) {
 		}
 	}
 }
+
+func (r *GitRepositoryReconciler) auth(repository sourcev1.GitRepository) (transport.AuthMethod, error) {
+	if repository.Spec.SecretRef == nil {
+		return nil, nil
+	}
+
+	name := types.NamespacedName{
+		Namespace: repository.GetNamespace(),
+		Name:      repository.Spec.SecretRef.Name,
+	}
+
+	var secret corev1.Secret
+	err := r.Client.Get(context.TODO(), name, &secret)
+	if err != nil {
+		return nil, err
+	}
+
+	credentials := secret.Data
+
+	// extract HTTP credentials
+	if strings.HasPrefix(repository.Spec.URL, "http") {
+		auth := &http.BasicAuth{}
+		if username, ok := credentials["username"]; ok {
+			auth.Username = string(username)
+		} else {
+			return nil, fmt.Errorf("%s secret does not contain a username", repository.Spec.SecretRef.Name)
+		}
+		if password, ok := credentials["password"]; ok {
+			auth.Password = string(password)
+		} else {
+			return nil, fmt.Errorf("%s secret does not contain a password", repository.Spec.SecretRef.Name)
+		}
+		return auth, nil
+	}
+
+	return nil, nil
+}