Rename to GIT_ASKPASS_URL and also update related examples.

2019-12-17 10:48:20 -08:00 · 2019-12-17 10:48:20 -08:00 · 67a0788aa2
parent 9cae624f8c
commit 67a0788aa2
3 changed files with 36 additions and 33 deletions
--- a/cmd/git-sync/main.go
+++ b/cmd/git-sync/main.go
@ -98,8 +98,8 @@ var flSSHKnownHostsFile = flag.String("ssh-known-hosts-file", envString("GIT_SSH
 var flCookieFile = flag.Bool("cookie-file", envBool("GIT_COOKIE_FILE", false),
 	"use git cookiefile")

-var flAuthURL = flag.String("auth-url", envString("GIT_SYNC_AUTH_URL", ""),
-	"the URL for git auth callback")
+var flAskPassURL = flag.String("askpass-url", envString("GIT_ASKPASS_URL", ""),
+	"the URL for GIT_ASKPASS callback")

 var flGitCmd = flag.String("git", envString("GIT_SYNC_GIT", "git"),
 	"the git command to run (subject to PATH search, mostly for testing)")
@ -236,7 +236,7 @@ func main() {
 		os.Exit(1)
 	}

-	if (*flUsername != "" || *flPassword != "" || *flCookieFile || *flAuthURL != "") && *flSSH {
+	if (*flUsername != "" || *flPassword != "" || *flCookieFile || *flAskPassURL != "") && *flSSH {
 		fmt.Fprintf(os.Stderr, "ERROR: --ssh is set but --username, --password, --auth-url, or --cookie-file were provided\n")
 		os.Exit(1)
 	}
@ -266,9 +266,9 @@ func main() {
 		}
 	}

-	if *flAuthURL != "" {
-		if err := setupGitAuthURL(ctx); err != nil {
-			fmt.Fprintf(os.Stderr, "ERROR: can't set auth callback url: %v\n", err)
+	if *flAskPassURL != "" {
+		if err := setupGitAskPassURL(ctx); err != nil {
+			fmt.Fprintf(os.Stderr, "ERROR: failed to call ASKPASS callback URL: %v\n", err)
 			os.Exit(1)
 		}
 	}
@ -325,7 +325,7 @@ func main() {
 	for {
 		start := time.Now()
 		ctx, cancel := context.WithTimeout(context.Background(), time.Second*time.Duration(*flSyncTimeout))
-		if changed, hash, err := syncRepo(ctx, *flRepo, *flBranch, *flRev, *flDepth, *flRoot, *flDest, *flAuthURL); err != nil {
+		if changed, hash, err := syncRepo(ctx, *flRepo, *flBranch, *flRev, *flDepth, *flRoot, *flDest, *flAskPassURL); err != nil {
 			syncDuration.WithLabelValues("error").Observe(time.Since(start).Seconds())
 			syncCount.WithLabelValues("error").Inc()
 			if *flMaxSyncFailures != -1 && failCount >= *flMaxSyncFailures {
@ -585,8 +585,8 @@ func syncRepo(ctx context.Context, repo, branch, rev string, depth int, gitRoot,
 	if authUrl != "" {
 		// For Auth Callback URL, the credentials behind is dynamic, it needs to be
 		// re-fetched each time.
-		if err := setupGitAuthURL(ctx); err != nil {
-			return false, "", fmt.Errorf("can't set auth callback url: %v", err)
+		if err := setupGitAskPassURL(ctx); err != nil {
+			return false, "", fmt.Errorf("failed to call GIT_ASKPASS_URL: %v", err)
 		}
 	}

@ -775,11 +775,12 @@ func setupGitCookieFile(ctx context.Context) error {
 	return nil
 }

-// The expected output of the auth URL are:
+// The expected ASKPASS callback output are below,
+// see https://git-scm.com/docs/gitcredentials for more examples:
 // username=xxx@example.com
 // password=ya29.xxxyyyzzz
-func setupGitAuthURL(ctx context.Context) error {
-	log.V(1).Info("configuring auth callback URL")
+func setupGitAskPassURL(ctx context.Context) error {
+	log.V(1).Info("configuring GIT_ASKPASS_URL")

 	var netClient = &http.Client{
 		Timeout: time.Second * 1,
@ -787,7 +788,7 @@ func setupGitAuthURL(ctx context.Context) error {
 			return http.ErrUseLastResponse
 		},
 	}
-	httpReq, err := http.NewRequestWithContext(ctx, "GET", *flAuthURL, nil)
+	httpReq, err := http.NewRequestWithContext(ctx, "GET", *flAskPassURL, nil)
 	if err != nil {
 		return fmt.Errorf("error create auth request: %v", err)
 	}
--- a/docs/auth-url.md
+++ b/docs/auth-url.md
@ -1,26 +1,28 @@
 # Using an Http Auth URL with git-sync

-# Step 1: Create Auth Service
+## Step 1: Create a GIT_ASKPASS HTTP Service

-First, create a http service which can provide the username and password for the
-git repo.
+The GIT ASKPASS Service expose via HTTP and provide the answer to GIT_ASKPASS.

-Example of the auth url output:
+Example of the servcie's output, see more at https://git-scm.com/docs/gitcredentials

-```
+```json
 username=xxx@example.com
-password=ya29.xxxxyyyyzzzz
+password=ya29.mysecret
 ```

-# Step 2: Configure git-sync container
+## Step 2: Configure git-sync container

-In your git-sync container configuration, specify the auth url.
+In your git-sync container configuration, specify the GIT_ASKPASS_URL

 The credentials will pass in plain text, make sure the connection between git-sync
-and auth server are secure. The recommended way is the auth server running within
-the same pod as git-sync.
+and GIT ASKPASS Service are secure.

-```
+The recommended way is the ASKPASS Service running within the same pod as git-sync.
+
+See https://github.com/cydu-cloud/git-askpass-gce-node as a full example which use GCE Node Service Account credential to access Google Cloud Source Repo.
+
+```json
 {
    name: "git-sync",
    ...
@ -29,8 +31,8 @@ the same pod as git-sync.
            name: "GIT_SYNC_REPO",
            value: "https://source.developers.google.com/p/[GCP PROJECT ID]/r/[REPO NAME]"
        }, {
-            name: "GIT_SYNC_AUTH_URL",
-            value: "http://localhost:8080/gce_node_auth",
+            name: "GIT_ASKPASS_URL",
+            value: "http://localhost:9102/git_askpass",
        },
    ...
    ]
--- a/docs/cookie-file.md
+++ b/docs/cookie-file.md
@ -2,27 +2,27 @@

 Git-sync supports use of an HTTP Cookie File for accessing git content.

-# Step 1: Create Secret
+## Step 1: Create Secret

 First, create a secret file from the git cookie file you wish to
 use.

 Example: if the cookie-file is `~/.gitcookies`:

-```
+```bash
 kubectl create secret generic git-cookie-file --from-file=cookie_file=~/.gitcookies
 ```

 Note that the key is `cookie_file`. This is the filename that git-sync will look
 for.

-# Step 2: Configure Pod/Deployment Volume
+## Step 2: Configure Pod/Deployment Volume

 In your Pod or Deployment configuration, specify a Volume for mounting the
 cookie-file Secret. Make sure to set `secretName` to the same name you used to
 create the secret (`git-cookie-file` in the example above).

-```
+```json
 volumes: [
    {
        "name": "git-secret",
@ -34,7 +34,7 @@ volumes: [
 ],
 ```

-# Step 3: Configure git-sync container
+## Step 3: Configure git-sync container

 In your git-sync container configuration, mount your volume at
 "/etc/git-secret". Make sure to pass the `--cookie-file` flag or set the
@ -42,7 +42,7 @@ environment variable `GIT_COOKIE_FILE` to "true", and to use a git repo
 (`--repo` flag or `GIT_SYNC_REPO` env) is set to use a URL with the HTTP
 protocol.

-```
+```json
 {
    name: "git-sync",
    ...