kubernetes
/
git-sync
mirror of https://github.com/kubernetes/git-sync.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #436 from thockin/master 

Small nits I found with password-file while porting #431
This commit is contained in:
Kubernetes Prow Robot 2021-07-06 00:22:18 -07:00 committed by GitHub
parent 83d9a44f4f 18947d3e37
commit 766682c5fa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 26 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
cmd/git-sync/main.go
View File

@ -101,7 +101,7 @@ var flWebhookBackoff = pflag.Duration("webhook-backoff", envDuration("GIT_SYNC_W
var flUsername = pflag.String("username", envString("GIT_SYNC_USERNAME", ""), var flUsername = pflag.String("username", envString("GIT_SYNC_USERNAME", ""),
"the username to use for git auth") "the username to use for git auth")
var flPassword = pflag.String("password", envString("GIT_SYNC_PASSWORD", ""), var flPassword = pflag.String("password", envString("GIT_SYNC_PASSWORD", ""),
"the password or personal access token to use for git auth (prefer env vars for passwords)") "the password or personal access token to use for git auth (prefer --password-file or this env var)")
var flPasswordFile = pflag.String("password-file", envString("GIT_SYNC_PASSWORD_FILE", ""), var flPasswordFile = pflag.String("password-file", envString("GIT_SYNC_PASSWORD_FILE", ""),
"the file from which the password or personal access token for git auth will be sourced") "the file from which the password or personal access token for git auth will be sourced")
@ -468,6 +468,15 @@ func main() {
} }
} }
if *flPassword != "" && *flPasswordFile != "" {
handleError(false, "ERROR: only one of --password and --password-file may be specified")
}
if *flUsername != "" {
if *flPassword == "" && *flPasswordFile == "" {
handleError(true, "ERROR: --password or --password-file must be set when --username is specified")
}
}
if *flSSH { if *flSSH {
if *flUsername != "" { if *flUsername != "" {
handleError(false, "ERROR: only one of --ssh and --username may be specified") handleError(false, "ERROR: only one of --ssh and --username may be specified")
@ -494,15 +503,6 @@ func main() {
} }
} }
if *flPassword != "" && *flPasswordFile != "" {
handleError(false, "ERROR: only one of --password and --password-file may be specified")
}
if *flUsername != "" {
if *flPassword == "" && *flPasswordFile == "" {
handleError(true, "ERROR: --password or --password-file must be set when --username is specified")
}
}
// From here on, output goes through logging. // From here on, output goes through logging.
log.V(0).Info("starting up", log.V(0).Info("starting up",
"pid", os.Getpid(), "pid", os.Getpid(),
@ -561,12 +561,12 @@ func main() {
if *flUsername != "" { if *flUsername != "" {
if *flPasswordFile != "" { if *flPasswordFile != "" {
flPasswordFileBytes, err := ioutil.ReadFile(*flPasswordFile) passwordFileBytes, err := ioutil.ReadFile(*flPasswordFile)
if err != nil { if err != nil {
log.Error(err, "ERROR: can't read password file") log.Error(err, "ERROR: can't read password file")
os.Exit(1) os.Exit(1)
} }
*flPassword = string(flPasswordFileBytes) *flPassword = string(passwordFileBytes)
} }
if err := git.SetupAuth(ctx, *flUsername, *flPassword); err != nil { if err := git.SetupAuth(ctx, *flUsername, *flPassword); err != nil {
log.Error(err, "ERROR: can't set up git auth") log.Error(err, "ERROR: can't set up git auth")
@ -1733,8 +1733,13 @@ OPTIONS
--password <string>, $GIT_SYNC_PASSWORD --password <string>, $GIT_SYNC_PASSWORD
The password or personal access token (see github docs) to use for The password or personal access token (see github docs) to use for
git authentication (see --username). NOTE: for security reasons, git authentication (see --username). NOTE: for security reasons,
users should prefer the environment variable for specifying the users should prefer --password-file or $GIT_SYNC_PASSWORD for
password. specifying the password.
--password-file <string>, $GIT_SYNC_PASSWORD
The file from which the password or personal access token (see
github docs) to use for git authentication (see --username) will be
sourced.
--period <duration>, $GIT_SYNC_PERIOD --period <duration>, $GIT_SYNC_PERIOD
How long to wait between sync attempts. This must be at least How long to wait between sync attempts. This must be at least
@ -1787,7 +1792,8 @@ OPTIONS
it will take precedence. (default: 120s) it will take precedence. (default: 120s)
--username <string>, $GIT_SYNC_USERNAME --username <string>, $GIT_SYNC_USERNAME
The username to use for git authentication (see --password). The username to use for git authentication (see --password-file or
--password).
-v, --verbose <int> -v, --verbose <int>
Set the log verbosity level. Logs at this level and lower will be Set the log verbosity level. Logs at this level and lower will be
@ -1831,10 +1837,11 @@ AUTHENTICATION
and "git@example.com:repo" will try to use SSH. and "git@example.com:repo" will try to use SSH.
username/password username/password
The --username (GIT_SYNC_USERNAME) and --password The --username (GIT_SYNC_USERNAME) and --password-file
(GIT_SYNC_PASSWORD) flags will be used. To prevent password (GIT_SYNC_PASSWORD_FILE) or --password (GIT_SYNC_PASSWORD) flags
leaks, the GIT_SYNC_PASSWORD environment variable is almost always will be used. To prevent password leaks, the --password-file flag
preferred to the flag. or GIT_SYNC_PASSWORD environment variable is almost always
preferred to the --password flag.
A variant of this is --askpass-url (GIT_ASKPASS_URL), which A variant of this is --askpass-url (GIT_ASKPASS_URL), which
consults a URL (e.g. http://metadata) to get credentials on each consults a URL (e.g. http://metadata) to get credentials on each