Merge pull request #435 from thockin/release-3.x

Add option to read passwd from file (v3 branch)
Kubernetes Prow Robot 2021-07-06 04:24:21 -07:00 committed by GitHub
commit 5fcf46aee4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 27 additions and 3 deletions


@ -107,7 +107,8 @@ docker run -d \
| GIT_SYNC_WEBHOOK_TIMEOUT | `--webhook-timeout` | the timeout for the webhook | 1 (second) |
| GIT_SYNC_WEBHOOK_BACKOFF | `--webhook-backoff` | the time to wait before retrying a failed webhook | 3 (seconds) |
| GIT_SYNC_USERNAME | `--username` | the username to use for git auth | "" |
| GIT_SYNC_PASSWORD | `--password` | the password or [personal access token](https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token) to use for git auth. (users should prefer env vars for passwords) | "" |
| GIT_SYNC_PASSWORD | `--password` | the password or [personal access token](https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token) to use for git auth. (users should prefer --password-file or env vars for passwords) | "" |
| GIT_SYNC_PASSWORD_FILE | `--password-file` | the path to password file which contains password or personal access token (see --password) | "" |
| GIT_SYNC_SSH | `--ssh` | use SSH for git operations | false |
| GIT_SSH_KEY_FILE | `--ssh-key-file` | the SSH key to use | "/etc/git-secret/ssh" |
| GIT_KNOWN_HOSTS | `--ssh-known-hosts` | enable SSH known_hosts verification | true |


@ -42,6 +42,7 @@ import (
"github.com/go-logr/logr"
"github.com/prometheus/client_golang/prometheus"
"github.com/prometheus/client_golang/prometheus/promhttp"
"github.com/spf13/pflag"
"k8s.io/git-sync/pkg/pid1"
"k8s.io/git-sync/pkg/version"
)
@ -95,7 +96,9 @@ var flWebhookBackoff = flag.Duration("webhook-backoff", envDuration("GIT_SYNC_WE
var flUsername = flag.String("username", envString("GIT_SYNC_USERNAME", ""),
"the username to use for git auth")
var flPassword = flag.String("password", envString("GIT_SYNC_PASSWORD", ""),
"the password to use for git auth (users should prefer env vars for passwords)")
"the password to use for git auth (prefer --password-file or this env var)")
var flPasswordFile = pflag.String("password-file", envString("GIT_SYNC_PASSWORD_FILE", ""),
"the file from which the password or personal access token for git auth will be sourced")
var flSSH = flag.Bool("ssh", envBool("GIT_SYNC_SSH", false),
"use SSH for git operations")
@ -402,6 +405,15 @@ func main() {
handleError(false, "ERROR: git executable %q not found: %v", *flGitCmd, err)
}
if *flPassword != "" && *flPasswordFile != "" {
handleError(false, "ERROR: only one of --password and --password-file may be specified")
}
if *flUsername != "" {
if *flPassword == "" && *flPasswordFile == "" {
handleError(true, "ERROR: --password or --password-file must be set when --username is specified")
}
}
if *flSSH {
if *flUsername != "" {
handleError(false, "ERROR: only one of --ssh and --username may be specified")
@ -409,6 +421,9 @@ func main() {
if *flPassword != "" {
handleError(false, "ERROR: only one of --ssh and --password may be specified")
}
if *flPasswordFile != "" {
handleError(false, "ERROR: only one of --ssh and --password-file may be specified")
}
if *flAskPassURL != "" {
handleError(false, "ERROR: only one of --ssh and --askpass-url may be specified")
}
@ -435,7 +450,15 @@ func main() {
// `git clone`, so initTimeout set to 30 seconds should be enough.
ctx, cancel := context.WithTimeout(context.Background(), initTimeout)
if *flUsername != "" && *flPassword != "" {
if *flUsername != "" {
if *flPasswordFile != "" {
passwordFileBytes, err := ioutil.ReadFile(*flPasswordFile)
if err != nil {
log.Error(err, "ERROR: can't read password file")
os.Exit(1)
}
*flPassword = string(passwordFileBytes)
}
if err := setupGitAuth(ctx, *flUsername, *flPassword, *flRepo); err != nil {
handleError(false, "ERROR: can't create .netrc file: %v", err)
}
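Review bot: `flPasswordFile` is registered with `pflag.String` while `flUsername`, `flPassword` and `flSSH` beside it use `flag.String`, so the new option lands in a different flag set from every other flag in the declaration hunk. The `github.com/spf13/pflag` import appears to be introduced by this same commit, and none of the visible hunks adds a pflag parse call, so `--password-file` given on the command line is probably never parsed and only the `GIT_SYNC_PASSWORD_FILE` default takes effect. The new checks in `main` that dereference `*flPasswordFile` would then silently see an empty value, or the command line would be rejected as an unknown flag. Registering it like its neighbours, `var flPasswordFile = flag.String("password-file", envString("GIT_SYNC_PASSWORD_FILE", ""),`, and dropping the added import would keep it in the set that is actually parsed. The parse call in `main` lies outside the hunks, so this should be confirmed against the full file.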