Deprecate --ssh - it's not really needed

As long as a repo uses SSH transport (user@host:path or ssh://...), SSH
is active.  This is true for the main repo or submodules.
This commit is contained in:
Tim Hockin 2023-09-21 19:39:56 -07:00
parent 32c3a0c2a7
commit 4ccf0633fb
5 changed files with 42 additions and 81 deletions


@ -149,8 +149,8 @@ OPTIONS
--add-user, $GITSYNC_ADD_USER --add-user, $GITSYNC_ADD_USER
Add a record to /etc/passwd for the current UID/GID. This is Add a record to /etc/passwd for the current UID/GID. This is
needed to use SSH with an arbitrary UID (see --ssh). This assumes needed to use SSH with an arbitrary UID. This assumes that
that /etc/passwd is writable by the current UID. /etc/passwd is writable by the current UID.
--askpass-url <string>, $GITSYNC_ASKPASS_URL --askpass-url <string>, $GITSYNC_ASKPASS_URL
A URL to query for git credentials. The query must return success A URL to query for git credentials. The query must return success
@ -313,18 +313,15 @@ OPTIONS
details) which controls which files and directories will be checked details) which controls which files and directories will be checked
out. If not specified, the default is to check out the entire repo. out. If not specified, the default is to check out the entire repo.
--ssh, $GITSYNC_SSH
Use SSH for git authentication and operations.
--ssh-key-file <string>, $GITSYNC_SSH_KEY_FILE --ssh-key-file <string>, $GITSYNC_SSH_KEY_FILE
The SSH key(s) to use when using --ssh. This flag may be specified The SSH key(s) to use when using git over SSH. This flag may be
more than once and the environment variable will be parsed like specified more than once and the environment variable will be
PATH - using a colon (':') to separate elements. If not specified, parsed like PATH - using a colon (':') to separate elements. If
this defaults to "/etc/git-secret/ssh". not specified, this defaults to "/etc/git-secret/ssh".
--ssh-known-hosts, $GITSYNC_SSH_KNOWN_HOSTS --ssh-known-hosts, $GITSYNC_SSH_KNOWN_HOSTS
Enable SSH known_hosts verification when using --ssh. If not Enable SSH known_hosts verification when using git over SSH. If
specified, this defaults to true. not specified, this defaults to true.
--ssh-known-hosts-file <string>, $GITSYNC_SSH_KNOWN_HOSTS_FILE --ssh-known-hosts-file <string>, $GITSYNC_SSH_KNOWN_HOSTS_FILE
The known_hosts file to use when --ssh-known-hosts is specified. The known_hosts file to use when --ssh-known-hosts is specified.
@ -430,11 +427,11 @@ AUTHENTICATION
sync. sync.
SSH SSH
When --ssh (GITSYNC_SSH) is specified, the --ssh-key-file When an SSH transport is specified, the key(s) defined in
(GITSYNC_SSH_KEY_FILE) will be used. Users are strongly advised --ssh-key-file (GITSYNC_SSH_KEY_FILE) will be used. Users are
to also use --ssh-known-hosts (GITSYNC_SSH_KNOWN_HOSTS) and strongly advised to also use --ssh-known-hosts
--ssh-known-hosts-file (GITSYNC_SSH_KNOWN_HOSTS_FILE) when using (GITSYNC_SSH_KNOWN_HOSTS) and --ssh-known-hosts-file
SSH. (GITSYNC_SSH_KNOWN_HOSTS_FILE) when using SSH.
cookies cookies
When --cookie-file (GITSYNC_COOKIE_FILE) is specified, the When --cookie-file (GITSYNC_COOKIE_FILE) is specified, the


@ -69,11 +69,11 @@ Secret (e.g. "git-creds" used in both above examples).
## Step 3: Configure git-sync container ## Step 3: Configure git-sync container
In your git-sync container configuration, mount the Secret volume at In your git-sync container configuration, mount the Secret volume at
"/etc/git-secret". Ensure that the `--repo` flag (or the GITSYNC_REPO "/etc/git-secret". Ensure that the `--repo` flag (or the `GITSYNC_REPO`
environment variable) is set to use the SSH protocol (e.g. environment variable) is set to use the SSH protocol (e.g.
git@github.com/foo/bar) , and set the `--ssh` flags (or set GITSYNC_SSH to git@github.com/foo/bar). You will also need to set your container's
"true"). You will also need to set your container's `securityContext` to run `securityContext` to run as user ID "65533" which is created for running
as user ID "65533" which is created for running git-sync as non-root. git-sync as non-root.
```yaml ```yaml
# ... # ...
@ -81,7 +81,6 @@ as user ID "65533" which is created for running git-sync as non-root.
- name: git-sync - name: git-sync
image: registry.k8s.io/git-sync:v4.0.0 image: registry.k8s.io/git-sync:v4.0.0
args: args:
- "--ssh"
- "--repo=git@github.com:foo/bar" - "--repo=git@github.com:foo/bar"
- "--link=bar" - "--link=bar"
volumeMounts: volumeMounts:
@ -139,7 +138,6 @@ spec:
- name: git-sync - name: git-sync
image: registry.k8s.io/git-sync:v4.0.0 image: registry.k8s.io/git-sync:v4.0.0
args: args:
- "--ssh"
- "--repo=git@github.com:torvalds/linux" - "--repo=git@github.com:torvalds/linux"
- "--depth=1" - "--depth=1"
securityContext: securityContext:

main.go

@ -451,9 +451,6 @@ func main() {
envString("", "GITSYNC_PASSWORD_FILE", "GIT_SYNC_PASSWORD_FILE"), envString("", "GITSYNC_PASSWORD_FILE", "GIT_SYNC_PASSWORD_FILE"),
"the file from which the password or personal access token for git auth will be sourced") "the file from which the password or personal access token for git auth will be sourced")
flSSH := pflag.Bool("ssh",
envBool(false, "GITSYNC_SSH", "GIT_SYNC_SSH"),
"use SSH for git operations")
flSSHKeyFiles := pflag.StringArray("ssh-key-file", flSSHKeyFiles := pflag.StringArray("ssh-key-file",
envStringArray("/etc/git-secret/ssh", "GITSYNC_SSH_KEY_FILE", "GIT_SYNC_SSH_KEY_FILE", "GIT_SSH_KEY_FILE"), envStringArray("/etc/git-secret/ssh", "GITSYNC_SSH_KEY_FILE", "GIT_SYNC_SSH_KEY_FILE", "GIT_SSH_KEY_FILE"),
"the SSH key(s) to use") "the SSH key(s) to use")
@ -508,6 +505,9 @@ func main() {
flDeprecatedRev := pflag.String("rev", envString("", "GIT_SYNC_REV"), flDeprecatedRev := pflag.String("rev", envString("", "GIT_SYNC_REV"),
"DEPRECATED: use --ref instead") "DEPRECATED: use --ref instead")
mustMarkDeprecated("rev", "use --ref instead") mustMarkDeprecated("rev", "use --ref instead")
_ = pflag.Bool("ssh", false,
"DEPRECATED: this flag is no longer necessary")
mustMarkDeprecated("ssh", "no longer necessary")
flDeprecatedSyncHookCommand := pflag.String("sync-hook-command", envString("", "GIT_SYNC_HOOK_COMMAND"), flDeprecatedSyncHookCommand := pflag.String("sync-hook-command", envString("", "GIT_SYNC_HOOK_COMMAND"),
"DEPRECATED: use --exechook-command instead") "DEPRECATED: use --exechook-command instead")
mustMarkDeprecated("sync-hook-command", "use --exechook-command instead") mustMarkDeprecated("sync-hook-command", "use --exechook-command instead")
@ -698,32 +698,6 @@ func main() {
} }
} }
if *flSSH {
if *flUsername != "" {
handleConfigError(log, true, "ERROR: only one of --ssh and --username may be specified")
}
if *flPassword != "" {
handleConfigError(log, true, "ERROR: only one of --ssh and --password may be specified")
}
if *flPasswordFile != "" {
handleConfigError(log, true, "ERROR: only one of --ssh and --password-file may be specified")
}
if *flAskPassURL != "" {
handleConfigError(log, true, "ERROR: only one of --ssh and --askpass-url may be specified")
}
if *flCookieFile {
handleConfigError(log, true, "ERROR: only one of --ssh and --cookie-file may be specified")
}
if len(*flSSHKeyFiles) == 0 {
handleConfigError(log, true, "ERROR: --ssh-key-file must be specified when --ssh is set")
}
if *flSSHKnownHosts {
if *flSSHKnownHostsFile == "" {
handleConfigError(log, true, "ERROR: --ssh-known-hosts-file must be specified when --ssh-known-hosts is set")
}
}
}
if *flHTTPBind == "" { if *flHTTPBind == "" {
if *flHTTPMetrics { if *flHTTPMetrics {
handleConfigError(log, true, "ERROR: --http-bind must be specified when --http-metrics is set") handleConfigError(log, true, "ERROR: --http-bind must be specified when --http-metrics is set")
@ -837,11 +811,10 @@ func main() {
} }
} }
if *flSSH { // If the --repo or any submodule uses SSH, we need to know which keys.
if err := git.SetupGitSSH(*flSSHKnownHosts, *flSSHKeyFiles, *flSSHKnownHostsFile); err != nil { if err := git.SetupGitSSH(*flSSHKnownHosts, *flSSHKeyFiles, *flSSHKnownHostsFile); err != nil {
log.Error(err, "can't set up git SSH", "keyFile", *flSSHKeyFiles, "knownHosts", *flSSHKnownHosts, "knownHostsFile", *flSSHKnownHostsFile) log.Error(err, "can't set up git SSH", "keyFile", *flSSHKeyFiles, "knownHosts", *flSSHKnownHosts, "knownHostsFile", *flSSHKnownHostsFile)
os.Exit(1) os.Exit(1)
}
} }
if *flCookieFile { if *flCookieFile {
@ -1955,16 +1928,10 @@ func (git *repoSync) SetupGitSSH(setupKnownHosts bool, pathsToSSHSecrets []strin
} }
for _, p := range pathsToSSHSecrets { for _, p := range pathsToSSHSecrets {
if _, err := os.Stat(p); err != nil {
return fmt.Errorf("can't access SSH key file %s: %w", p, err)
}
sshCmd += fmt.Sprintf(" -i %s", p) sshCmd += fmt.Sprintf(" -i %s", p)
} }
if setupKnownHosts { if setupKnownHosts {
if _, err := os.Stat(pathToSSHKnownHosts); err != nil {
return fmt.Errorf("can't access SSH known_hosts file %s: %w", pathToSSHKnownHosts, err)
}
sshCmd += fmt.Sprintf(" -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s", pathToSSHKnownHosts) sshCmd += fmt.Sprintf(" -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s", pathToSSHKnownHosts)
} else { } else {
sshCmd += " -o StrictHostKeyChecking=no" sshCmd += " -o StrictHostKeyChecking=no"
@ -2318,8 +2285,8 @@ OPTIONS
--add-user, $GITSYNC_ADD_USER --add-user, $GITSYNC_ADD_USER
Add a record to /etc/passwd for the current UID/GID. This is Add a record to /etc/passwd for the current UID/GID. This is
needed to use SSH with an arbitrary UID (see --ssh). This assumes needed to use SSH with an arbitrary UID. This assumes that
that /etc/passwd is writable by the current UID. /etc/passwd is writable by the current UID.
--askpass-url <string>, $GITSYNC_ASKPASS_URL --askpass-url <string>, $GITSYNC_ASKPASS_URL
A URL to query for git credentials. The query must return success A URL to query for git credentials. The query must return success
@ -2482,18 +2449,15 @@ OPTIONS
details) which controls which files and directories will be checked details) which controls which files and directories will be checked
out. If not specified, the default is to check out the entire repo. out. If not specified, the default is to check out the entire repo.
--ssh, $GITSYNC_SSH
Use SSH for git authentication and operations.
--ssh-key-file <string>, $GITSYNC_SSH_KEY_FILE --ssh-key-file <string>, $GITSYNC_SSH_KEY_FILE
The SSH key(s) to use when using --ssh. This flag may be specified The SSH key(s) to use when using git over SSH. This flag may be
more than once and the environment variable will be parsed like specified more than once and the environment variable will be
PATH - using a colon (':') to separate elements. If not specified, parsed like PATH - using a colon (':') to separate elements. If
this defaults to "/etc/git-secret/ssh". not specified, this defaults to "/etc/git-secret/ssh".
--ssh-known-hosts, $GITSYNC_SSH_KNOWN_HOSTS --ssh-known-hosts, $GITSYNC_SSH_KNOWN_HOSTS
Enable SSH known_hosts verification when using --ssh. If not Enable SSH known_hosts verification when using git over SSH. If
specified, this defaults to true. not specified, this defaults to true.
--ssh-known-hosts-file <string>, $GITSYNC_SSH_KNOWN_HOSTS_FILE --ssh-known-hosts-file <string>, $GITSYNC_SSH_KNOWN_HOSTS_FILE
The known_hosts file to use when --ssh-known-hosts is specified. The known_hosts file to use when --ssh-known-hosts is specified.
@ -2599,11 +2563,11 @@ AUTHENTICATION
sync. sync.
SSH SSH
When --ssh (GITSYNC_SSH) is specified, the --ssh-key-file When an SSH transport is specified, the key(s) defined in
(GITSYNC_SSH_KEY_FILE) will be used. Users are strongly advised --ssh-key-file (GITSYNC_SSH_KEY_FILE) will be used. Users are
to also use --ssh-known-hosts (GITSYNC_SSH_KNOWN_HOSTS) and strongly advised to also use --ssh-known-hosts
--ssh-known-hosts-file (GITSYNC_SSH_KNOWN_HOSTS_FILE) when using (GITSYNC_SSH_KNOWN_HOSTS) and --ssh-known-hosts-file
SSH. (GITSYNC_SSH_KNOWN_HOSTS_FILE) when using SSH.
cookies cookies
When --cookie-file (GITSYNC_COOKIE_FILE) is specified, the When --cookie-file (GITSYNC_COOKIE_FILE) is specified, the
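Review bot: With SetupGitSSH now called unconditionally, the startup check that `--ssh-known-hosts-file` is non-empty when `--ssh-known-hosts` is set has been removed along with the rest of the `if *flSSH` validation block, and nothing in the new SetupGitSSH hunk replaces it, so an empty path would reach `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=` verbatim; what ssh does with an empty value is not visible here. Moving the check into SetupGitSSH keeps it at the one place the SSH command line is assembled: `if setupKnownHosts && pathToSSHKnownHosts == "" { return fmt.Errorf("--ssh-known-hosts-file must be specified when --ssh-known-hosts is set") }`. Dropping the os.Stat calls on the key files and the known_hosts file is understandable now that HTTPS-only deployments also run this path, but an SSH deployment with a missing known_hosts file now fails at the first fetch rather than at config validation, so a log line here when the file is absent (keeping StrictHostKeyChecking=yes, which still refuses unknown hosts) would preserve the diagnostics. SetupGitSSH's body starts and ends outside the hunk.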


@ -1713,7 +1713,6 @@ function e2e::auth_ssh() {
--repo="test@$IP:/git/repo" \ --repo="test@$IP:/git/repo" \
--root="$ROOT" \ --root="$ROOT" \
--link="link" \ --link="link" \
--ssh \
--ssh-known-hosts=false \ --ssh-known-hosts=false \
--ssh-key-file="/ssh/secret.2" --ssh-key-file="/ssh/secret.2"
assert_file_absent "$ROOT/link/file" assert_file_absent "$ROOT/link/file"
@ -1724,7 +1723,6 @@ function e2e::auth_ssh() {
--repo="test@$IP:/git/repo" \ --repo="test@$IP:/git/repo" \
--root="$ROOT" \ --root="$ROOT" \
--link="link" \ --link="link" \
--ssh \
--ssh-known-hosts=false \ --ssh-known-hosts=false \
--ssh-key-file="/ssh/secret.1" \ --ssh-key-file="/ssh/secret.1" \
--ssh-key-file="/ssh/secret.2" \ --ssh-key-file="/ssh/secret.2" \
@ -2724,7 +2722,6 @@ function e2e::submodule_sync_over_ssh_different_keys() {
--repo="test@$IP:/git/repo" \ --repo="test@$IP:/git/repo" \
--root="$ROOT" \ --root="$ROOT" \
--link="link" \ --link="link" \
--ssh \
--ssh-key-file="/ssh/secret.1" \ --ssh-key-file="/ssh/secret.1" \
--ssh-key-file="/ssh/secret.2" \ --ssh-key-file="/ssh/secret.2" \
--ssh-key-file="/ssh/secret.3" \ --ssh-key-file="/ssh/secret.3" \


@ -107,6 +107,11 @@ the real intentions (e.g. "allow group write" does not mean "set everything to
0775"). The new `--group-write` flag should cover what people ACTUALLY are 0775"). The new `--group-write` flag should cover what people ACTUALLY are
trying to do. The `--change-permissions` flag is no longer supported. trying to do. The `--change-permissions` flag is no longer supported.
### SSH: `--ssh`
The old `--ssh` flag is no longer needed - the value of `--repo` determines
when SSH is used. It is still accepted but does nothing.
### Manual: `--man` ### Manual: `--man`
The new `--man` flag prints a man-page style help document and exits. The new `--man` flag prints a man-page style help document and exits.