diff --git a/cmd/git-sync/main.go b/cmd/git-sync/main.go
index 5c9f8a6..bd64f4d 100644
--- a/cmd/git-sync/main.go
+++ b/cmd/git-sync/main.go
@@ -98,8 +98,8 @@ var flSSHKnownHostsFile = flag.String("ssh-known-hosts-file", envString("GIT_SSH
 var flCookieFile = flag.Bool("cookie-file", envBool("GIT_COOKIE_FILE", false), "use git cookiefile")
-var flAuthURL = flag.String("auth-url", envString("GIT_SYNC_AUTH_URL", ""),
- "the URL for git auth callback")
+var flAskPassURL = flag.String("askpass-url", envString("GIT_ASKPASS_URL", ""),
+ "the URL for GIT_ASKPASS callback")
 var flGitCmd = flag.String("git", envString("GIT_SYNC_GIT", "git"),
 "the git command to run (subject to PATH search, mostly for testing)")
@@ -236,7 +236,7 @@ func main() {
 os.Exit(1)
 }
- if (*flUsername != "" || *flPassword != "" || *flCookieFile || *flAuthURL != "") && *flSSH {
+ if (*flUsername != "" || *flPassword != "" || *flCookieFile || *flAskPassURL != "") && *flSSH {
 fmt.Fprintf(os.Stderr, "ERROR: --ssh is set but --username, --password, --auth-url, or --cookie-file were provided\n")
 os.Exit(1)
 }
@@ -266,9 +266,9 @@ func main() {
 }
 }
- if *flAuthURL != "" {
- if err := setupGitAuthURL(ctx); err != nil {
- fmt.Fprintf(os.Stderr, "ERROR: can't set auth callback url: %v\n", err)
+ if *flAskPassURL != "" {
+ if err := setupGitAskPassURL(ctx); err != nil {
+ fmt.Fprintf(os.Stderr, "ERROR: failed to call ASKPASS callback URL: %v\n", err)
 os.Exit(1)
 }
 }
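Review bot: The `flAskPassURL` declaration renames both the flag (`--auth-url` to `--askpass-url`) and the environment variable (`GIT_SYNC_AUTH_URL` to `GIT_ASKPASS_URL`) with no alias for either old name, so an existing deployment that still sets the old variable gets an empty askpass URL and simply never configures credentials, failing later at fetch time rather than at startup. The new variable also drops the `GIT_SYNC_` prefix that the neighbouring `GIT_SYNC_GIT` and the documented `GIT_SYNC_REPO` keep. A cheap compatibility path is to chain the defaults, `envString("GIT_ASKPASS_URL", envString("GIT_SYNC_AUTH_URL", ""))`, and, if the old flag is to be retired, register `--auth-url` as a deprecated alias writing to the same variable for one release.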
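Review bot: In the `--ssh` conflict check the condition now tests `*flAskPassURL`, but the `fmt.Fprintf` message on the next line still names `--auth-url`, so a user who combines the renamed flag with `--ssh` is pointed at a flag that no longer exists. Change the string to `"ERROR: --ssh is set but --username, --password, --askpass-url, or --cookie-file were provided\n"`. The enclosing main() continues outside the hunk.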
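Review bot: The same `setupGitAskPassURL` failure is now reported with two different wordings: `"ERROR: failed to call ASKPASS callback URL: %v\n"` here in main() and `"failed to call GIT_ASKPASS_URL: %v"` in the `@@ -585` hunk of `syncRepo`, which makes log searching and alerting on this condition harder than it needs to be. Pick one phrasing, for example `"ERROR: can't set up GIT_ASKPASS_URL credentials: %v\n"` here and the matching text in syncRepo, and keep it in step with the flag name. main() continues beyond the hunk.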
@@ -325,7 +325,7 @@ func main() {
 for {
 start := time.Now()
 ctx, cancel := context.WithTimeout(context.Background(), time.Second*time.Duration(*flSyncTimeout))
- if changed, hash, err := syncRepo(ctx, *flRepo, *flBranch, *flRev, *flDepth, *flRoot, *flDest, *flAuthURL); err != nil {
+ if changed, hash, err := syncRepo(ctx, *flRepo, *flBranch, *flRev, *flDepth, *flRoot, *flDest, *flAskPassURL); err != nil {
 syncDuration.WithLabelValues("error").Observe(time.Since(start).Seconds())
 syncCount.WithLabelValues("error").Inc()
 if *flMaxSyncFailures != -1 && failCount >= *flMaxSyncFailures {
@@ -585,8 +585,8 @@ func syncRepo(ctx context.Context, repo, branch, rev string, depth int, gitRoot,
 if authUrl != "" {
 // For Auth Callback URL, the credentials behind is dynamic, it needs to be
 // re-fetched each time.
- if err := setupGitAuthURL(ctx); err != nil {
- return false, "", fmt.Errorf("can't set auth callback url: %v", err)
+ if err := setupGitAskPassURL(ctx); err != nil {
+ return false, "", fmt.Errorf("failed to call GIT_ASKPASS_URL: %v", err)
 }
 }
@@ -775,11 +775,12 @@ func setupGitCookieFile(ctx context.Context) error {
 return nil
 }
-// The expected output of the auth URL are:
+// The expected ASKPASS callback output are below,
+// see https://git-scm.com/docs/gitcredentials for more examples:
 // username=xxx@example.com
 // password=ya29.xxxyyyzzz
-func setupGitAuthURL(ctx context.Context) error {
- log.V(1).Info("configuring auth callback URL")
+func setupGitAskPassURL(ctx context.Context) error {
+ log.V(1).Info("configuring GIT_ASKPASS_URL")
 var netClient = &http.Client{
 Timeout: time.Second * 1,
@@ -787,7 +788,7 @@ func setupGitAuthURL(ctx context.Context) error {
 return http.ErrUseLastResponse
 },
 }
- httpReq, err := http.NewRequestWithContext(ctx, "GET", *flAuthURL, nil)
+ httpReq, err := http.NewRequestWithContext(ctx, "GET", *flAskPassURL, nil)
 if err != nil {
 return fmt.Errorf("error create auth request: %v", err)
 }
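Review bot: The rename stops at the function boundary: `syncRepo` still receives the value as a parameter named `authUrl` (the `if authUrl != ""` guard at the top of the hunk) and the comment above the call still says "For Auth Callback URL", while the call site in the `@@ -325` hunk now passes `*flAskPassURL`. Renaming the parameter to `askPassURL` (Go spells the initialism as `URL`) and rewording the comment to `// The ASKPASS callback hands out short-lived credentials, so re-fetch them before every sync.` keeps the two sides consistent; the claim that the credentials are dynamic is the existing comment's, not a new one. Since the file already uses `http.NewRequestWithContext` (Go 1.13), `%w` instead of `%v` in the `fmt.Errorf` here would let callers inspect the underlying error with `errors.Is`/`errors.As`. `syncRepo`'s signature and the rest of its body lie outside the hunk, so the parameter rename touches lines not shown here.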
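Review bot: The new doc comment on `setupGitAskPassURL` is ungrammatical ("The expected ASKPASS callback output are below") and does not follow the Go convention of opening with the function name, so godoc-style readers cannot tell what the function is for without reading the body. Suggest `// setupGitAskPassURL fetches git credentials from *flAskPassURL.` as the first line, then `// The response body is expected in gitcredentials format (https://git-scm.com/docs/gitcredentials):` followed by the two existing example lines. Because that body carries the credentials in plain text, the comment could also point at docs/auth-url.md, which tells operators to keep the endpoint inside the same pod as git-sync. The function body continues past the end of the hunk.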
diff --git a/docs/auth-url.md b/docs/auth-url.md index 8ff5704..9f85ae0 100644 --- a/docs/auth-url.md +++ b/docs/auth-url.md @@ -1,26 +1,28 @@ # Using an Http Auth URL with git-sync -# Step 1: Create Auth Service +## Step 1: Create a GIT_ASKPASS HTTP Service -First, create a http service which can provide the username and password for the -git repo. +The GIT ASKPASS Service expose via HTTP and provide the answer to GIT_ASKPASS. -Example of the auth url output: +Example of the servcie's output, see more at https://git-scm.com/docs/gitcredentials -``` +```json username=xxx@example.com -password=ya29.xxxxyyyyzzzz +password=ya29.mysecret ``` -# Step 2: Configure git-sync container +## Step 2: Configure git-sync container -In your git-sync container configuration, specify the auth url. +In your git-sync container configuration, specify the GIT_ASKPASS_URL The credentials will pass in plain text, make sure the connection between git-sync -and auth server are secure. The recommended way is the auth server running within -the same pod as git-sync. +and GIT ASKPASS Service are secure. -``` +The recommended way is the ASKPASS Service running within the same pod as git-sync. + +See https://github.com/cydu-cloud/git-askpass-gce-node as a full example which use GCE Node Service Account credential to access Google Cloud Source Repo. + +```json { name: "git-sync", ... @@ -29,8 +31,8 @@ the same pod as git-sync. name: "GIT_SYNC_REPO", value: "https://source.developers.google.com/p/[GCP PROJECT ID]/r/[REPO NAME]" }, { - name: "GIT_SYNC_AUTH_URL", - value: "http://localhost:8080/gce_node_auth", + name: "GIT_ASKPASS_URL", + value: "http://localhost:9102/git_askpass", }, ... ] diff --git a/docs/cookie-file.md b/docs/cookie-file.md index e06408d..894cae3 100644 --- a/docs/cookie-file.md +++ b/docs/cookie-file.md 
@@ -2,27 +2,27 @@ Git-sync supports use of an HTTP Cookie File for accessing git content. -# Step 1: Create Secret +## Step 1: Create Secret First, create a secret file from the git cookie file you wish to use. Example: if the cookie-file is `~/.gitcookies`: -``` +```bash kubectl create secret generic git-cookie-file --from-file=cookie_file=~/.gitcookies ``` -Note that the key is `cookie_file`. This is the filename that git-sync will look +Note that the key is `cookie_file`. This is the filename that git-sync will look for. -# Step 2: Configure Pod/Deployment Volume +## Step 2: Configure Pod/Deployment Volume In your Pod or Deployment configuration, specify a Volume for mounting the cookie-file Secret. Make sure to set `secretName` to the same name you used to create the secret (`git-cookie-file` in the example above). -``` +```json volumes: [ { "name": "git-secret", @@ -34,7 +34,7 @@ volumes: [ ], ``` -# Step 3: Configure git-sync container +## Step 3: Configure git-sync container In your git-sync container configuration, mount your volume at "/etc/git-secret". Make sure to pass the `--cookie-file` flag or set the @@ -42,7 +42,7 @@ environment variable `GIT_COOKIE_FILE` to "true", and to use a git repo (`--repo` flag or `GIT_SYNC_REPO` env) is set to use a URL with the HTTP protocol. -``` +```json { name: "git-sync", ...