Add option to read password from file

A new flag `--password-file` is added. This allows git-sync to read
password from file and this is considered as safer than reading from
env or flag directly.

Few more checks are added as well:

1. `--password` and `--password-file` can't be specified at the same
time.
1. If `--username` is specified, then one of `--password` or
`--password-file` must be specified.

README.md

@@ -183,8 +183,12 @@ OPTIONS
     --password <string>, $GIT_SYNC_PASSWORD
             The password or personal access token (see github docs) to use for
             git authentication (see --username).  NOTE: for security reasons,
-            users should prefer the environment variable for specifying the
+            users should prefer using a file for specifying the password (see
-            password.
+            --password-file).
+
+    --password-file <string>, $GIT_SYNC_PASSWORD_FILE
+            The path to password file which contains password or personal access
+            token (see --password).
 
     --period <duration>, $GIT_SYNC_PERIOD
             How long to wait between sync attempts.  This must be at least

cmd/git-sync/main.go

@@ -102,6 +102,8 @@ var flUsername = pflag.String("username", envString("GIT_SYNC_USERNAME", ""),
 	"the username to use for git auth")
 var flPassword = pflag.String("password", envString("GIT_SYNC_PASSWORD", ""),
 	"the password or personal access token to use for git auth (prefer env vars for passwords)")
+var flPasswordFile = pflag.String("password-file", envString("GIT_SYNC_PASSWORD_FILE", ""),
+	"the file from which the password or personal access token for git auth will be sourced")
 
 var flSSH = pflag.Bool("ssh", envBool("GIT_SYNC_SSH", false),
 	"use SSH for git operations")
@@ -473,6 +475,9 @@ func main() {
 		if *flPassword != "" {
 			handleError(false, "ERROR: only one of --ssh and --password may be specified")
 		}
+		if *flPasswordFile != "" {
+			handleError(false, "ERROR: only one of --ssh and --password-file may be specified")
+		}
 		if *flAskPassURL != "" {
 			handleError(false, "ERROR: only one of --ssh and --askpass-url may be specified")
 		}
@@ -489,6 +494,15 @@ func main() {
 		}
 	}
 
+	if *flPassword != "" && *flPasswordFile != "" {
+		handleError(false, "ERROR: only one of --password and --password-file may be specified")
+	}
+	if *flUsername != "" {
+		if *flPassword == "" && *flPasswordFile == "" {
+			handleError(true, "ERROR: --password or --password-file must be set when --username is specified")
+		}
+	}
+
 	// From here on, output goes through logging.
 	log.V(0).Info("starting up",
 		"pid", os.Getpid(),
@@ -545,7 +559,15 @@ func main() {
 	// `git clone`, so hopefully 30 seconds will be enough.
 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 
-	if *flUsername != "" && *flPassword != "" {
+	if *flUsername != "" {
+		if *flPasswordFile != "" {
+			flPasswordFileBytes, err := ioutil.ReadFile(*flPasswordFile)
+			if err != nil {
+				log.Error(err, "ERROR: can't read password file")
+				os.Exit(1)
+			}
+			*flPassword = string(flPasswordFileBytes)
+		}
 		if err := git.SetupAuth(ctx, *flUsername, *flPassword); err != nil {
 			log.Error(err, "ERROR: can't set up git auth")
 			os.Exit(1)