Make all env var names GITSYNC_FOO

Still support GIT_SYNC_FOO for compat.
Tim Hockin 2023-02-23 21:32:31 -08:00
parent 5cc7160985
commit 7e6b429362
10 changed files with 243 additions and 212 deletions

@ -15,7 +15,7 @@
# HOW TO USE THIS CONTAINER: # HOW TO USE THIS CONTAINER:
# #
# The only commandline argument (or env var) that is really required is # The only commandline argument (or env var) that is really required is
# `--repo` ($GIT_SYNC_REPO). Everything else is optional (run this with # `--repo` ($GITSYNC_REPO). Everything else is optional (run this with
# `--man` for details). # `--man` for details).
# #
# This container will run as UID:GID 65533:65533 by default. For most users, # This container will run as UID:GID 65533:65533 by default. For most users,
@ -23,7 +23,7 @@
# a) use the default UID/GID and mount a volume on /git writeable by those # a) use the default UID/GID and mount a volume on /git writeable by those
# b) set your own UID/GID and mount a volume on /git writeable by those # b) set your own UID/GID and mount a volume on /git writeable by those
# #
# If you mount a volume anywhere else, you must set `--root` ($GIT_SYNC_ROOT). # If you mount a volume anywhere else, you must set `--root` ($GITSYNC_ROOT).
# If you do not mount a volume, this will run but you can't access the results # If you do not mount a volume, this will run but you can't access the results
# (which might be useful for testing, but not much else). # (which might be useful for testing, but not much else).
# #
@ -36,7 +36,7 @@
# permissions. # permissions.
# #
# If you set any UID other than the default and want to use git over SSH, you # If you set any UID other than the default and want to use git over SSH, you
# should set `--add-user` ($GIT_SYNC_ADD_USER). # should set `--add-user` ($GITSYNC_ADD_USER).
############################################################################# #############################################################################
# First we prepare the image that we want, regardless of build layers. # First we prepare the image that we want, regardless of build layers.
@ -101,11 +101,11 @@ ENV HOME=/tmp
WORKDIR /tmp WORKDIR /tmp
# Default values for flags. # Default values for flags.
# Git-sync itself does not default the `--root` ($GIT_SYNC_ROOT) flag, but we # Git-sync itself does not default the `--root` ($GITSYNC_ROOT) flag, but we
# can set a default here, which makes the container image easier to use. The # can set a default here, which makes the container image easier to use. The
# permissions were set for the default git-sync UID and GID. If the user needs # permissions were set for the default git-sync UID and GID. If the user needs
# a different group or sets `--root` ($GIT_SYNC_ROOT), their values will # a different group or sets `--root` ($GITSYNC_ROOT), their values will
# override this, and we assume they are handling permissions themselves. # override this, and we assume they are handling permissions themselves.
ENV GIT_SYNC_ROOT=/git ENV GITSYNC_ROOT=/git
ENTRYPOINT ["/{ARG_BIN}"] ENTRYPOINT ["/{ARG_BIN}"]
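Review bot: The `ENV GITSYNC_ROOT=/git` line bakes the new name into the image, which can defeat the compatibility the commit promises for `--root`. main.go in this commit reads the flag with `envString("", "GITSYNC_ROOT", "GIT_SYNC_ROOT")`; if the names are tried in the order listed, a deployment that still sets only `GIT_SYNC_ROOT` will silently get the image's `/git` instead, and the sync lands in a directory its volume is not mounted on. Suggest either keeping the legacy name as the image default for this release, or failing (or at least logging) when both names are set with different values.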

@ -130,40 +130,40 @@ OPTIONS
Many options can be specified as either a commandline flag or an environment Many options can be specified as either a commandline flag or an environment
variable. variable.
--add-user, $GIT_SYNC_ADD_USER --add-user, $GITSYNC_ADD_USER
Add a record to /etc/passwd for the current UID/GID. This is Add a record to /etc/passwd for the current UID/GID. This is
needed to use SSH with an arbitrary UID (see --ssh). This assumes needed to use SSH with an arbitrary UID (see --ssh). This assumes
that /etc/passwd is writable by the current UID. that /etc/passwd is writable by the current UID.
--askpass-url <string>, $GIT_SYNC_ASKPASS_URL --askpass-url <string>, $GITSYNC_ASKPASS_URL
A URL to query for git credentials. The query must return success A URL to query for git credentials. The query must return success
(200) and produce a series of key=value lines, including (200) and produce a series of key=value lines, including
"username=<value>" and "password=<value>". "username=<value>" and "password=<value>".
--change-permissions <int>, $GIT_SYNC_PERMISSIONS --change-permissions <int>, $GITSYNC_PERMISSIONS
Change permissions on the checked-out files to the specified mode. Change permissions on the checked-out files to the specified mode.
--cookie-file <string>, $GIT_SYNC_COOKIE_FILE --cookie-file <string>, $GITSYNC_COOKIE_FILE
Use a git cookiefile (/etc/git-secret/cookie_file) for Use a git cookiefile (/etc/git-secret/cookie_file) for
authentication. authentication.
--depth <int>, $GIT_SYNC_DEPTH --depth <int>, $GITSYNC_DEPTH
Create a shallow clone with history truncated to the specified Create a shallow clone with history truncated to the specified
number of commits. If not specified, this defaults to syncing a number of commits. If not specified, this defaults to syncing a
single commit. Setting this to 0 will sync the full history of the single commit. Setting this to 0 will sync the full history of the
repo. repo.
--error-file <string>, $GIT_SYNC_ERROR_FILE --error-file <string>, $GITSYNC_ERROR_FILE
The path to an optional file into which errors will be written. The path to an optional file into which errors will be written.
This may be an absolute path or a relative path, in which case it This may be an absolute path or a relative path, in which case it
is relative to --root. If it is relative to --root, the first path is relative to --root. If it is relative to --root, the first path
element may not start with a period. element may not start with a period.
--exechook-backoff <duration>, $GIT_SYNC_EXECHOOK_BACKOFF --exechook-backoff <duration>, $GITSYNC_EXECHOOK_BACKOFF
The time to wait before retrying a failed --exechook-command. If The time to wait before retrying a failed --exechook-command. If
not specified, this defaults to 3 seconds ("3s"). not specified, this defaults to 3 seconds ("3s").
--exechook-command <string>, $GIT_SYNC_EXECHOOK_COMMAND --exechook-command <string>, $GITSYNC_EXECHOOK_COMMAND
An optional command to be executed after syncing a new hash of the An optional command to be executed after syncing a new hash of the
remote repository. This command does not take any arguments and remote repository. This command does not take any arguments and
executes with the synced repo as its working directory. The executes with the synced repo as its working directory. The
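Review bot: The OPTIONS preamble ("Many options can be specified as either a commandline flag or an environment variable") should say that the old GIT_SYNC_ names are still read, since every entry in this hunk now shows only the GITSYNC_ form while the commit message says the old ones keep working. One sentence there, stating that the legacy names are accepted for compatibility and which name takes effect when both are set, would cover it. Also, `--change-permissions` maps to `$GITSYNC_PERMISSIONS` rather than `$GITSYNC_CHANGE_PERMISSIONS`; if the rename is meant to give a predictable flag-to-variable mapping, this is the place to decide whether that exception stays.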
@ -173,15 +173,15 @@ OPTIONS
This flag obsoletes --sync-hook-command, but if sync-hook-command This flag obsoletes --sync-hook-command, but if sync-hook-command
is specified, it will take precedence. is specified, it will take precedence.
--exechook-timeout <duration>, $GIT_SYNC_EXECHOOK_TIMEOUT --exechook-timeout <duration>, $GITSYNC_EXECHOOK_TIMEOUT
The timeout for the --exechook-command. If not specifid, this The timeout for the --exechook-command. If not specifid, this
defaults to 30 seconds ("30s"). defaults to 30 seconds ("30s").
--git <string>, $GIT_SYNC_GIT --git <string>, $GITSYNC_GIT
The git command to run (subject to PATH search, mostly for The git command to run (subject to PATH search, mostly for
testing). This defaults to "git". testing). This defaults to "git".
--git-config <string>, $GIT_SYNC_GIT_CONFIG --git-config <string>, $GITSYNC_GIT_CONFIG
Additional git config options in a comma-separated 'key:val' Additional git config options in a comma-separated 'key:val'
format. The parsed keys and values are passed to 'git config' and format. The parsed keys and values are passed to 'git config' and
must be valid syntax for that command. must be valid syntax for that command.
@ -199,7 +199,7 @@ OPTIONS
quoted values commas may be escaped, but are not required to be. quoted values commas may be escaped, but are not required to be.
Any other escape sequence is an error. Any other escape sequence is an error.
--git-gc <string>, $GIT_SYNC_GIT_GC --git-gc <string>, $GITSYNC_GIT_GC
The git garbage collection behavior: one of "auto", "always", The git garbage collection behavior: one of "auto", "always",
"aggressive", or "off". If not specified, this defaults to "aggressive", or "off". If not specified, this defaults to
"auto". "auto".
@ -215,7 +215,7 @@ OPTIONS
-h, --help -h, --help
Print help text and exit. Print help text and exit.
--http-bind <string>, $GIT_SYNC_HTTP_BIND --http-bind <string>, $GITSYNC_HTTP_BIND
The bind address (including port) for git-sync's HTTP endpoint. If The bind address (including port) for git-sync's HTTP endpoint. If
not specified, the HTTP endpoint is not enabled. not specified, the HTTP endpoint is not enabled.
@ -223,15 +223,15 @@ OPTIONS
":1234": listen on any IP, port 1234 ":1234": listen on any IP, port 1234
"127.0.0.1:1234": listen on localhost, port 1234 "127.0.0.1:1234": listen on localhost, port 1234
--http-metrics, $GIT_SYNC_HTTP_METRICS --http-metrics, $GITSYNC_HTTP_METRICS
Enable metrics on git-sync's HTTP endpoint. Requires --http-bind Enable metrics on git-sync's HTTP endpoint. Requires --http-bind
to be specified. to be specified.
--http-pprof, $GIT_SYNC_HTTP_PPROF --http-pprof, $GITSYNC_HTTP_PPROF
Enable the pprof debug endpoints on git-sync's HTTP endpoint. Enable the pprof debug endpoints on git-sync's HTTP endpoint.
Requires --http-bind to be specified. Requires --http-bind to be specified.
--link <string>, $GIT_SYNC_LINK --link <string>, $GITSYNC_LINK
The path to at which to create a symlink which points to the The path to at which to create a symlink which points to the
current git directory, at the currently synced hash. This may be current git directory, at the currently synced hash. This may be
an absolute path or a relative path, in which case it is relative an absolute path or a relative path, in which case it is relative
@ -244,91 +244,91 @@ OPTIONS
--man --man
Print this manual and exit. Print this manual and exit.
--max-failures <int>, $GIT_SYNC_MAX_FAILURES --max-failures <int>, $GITSYNC_MAX_FAILURES
The number of consecutive failures allowed before aborting (the The number of consecutive failures allowed before aborting (the
first sync must succeed), Setting this to a negative value will first sync must succeed), Setting this to a negative value will
retry forever after the initial sync. If not specified, this retry forever after the initial sync. If not specified, this
defaults to 0, meaning any sync failure will terminate git-sync. defaults to 0, meaning any sync failure will terminate git-sync.
--one-time, $GIT_SYNC_ONE_TIME --one-time, $GITSYNC_ONE_TIME
Exit after one sync. Exit after one sync.
--password <string>, $GIT_SYNC_PASSWORD --password <string>, $GITSYNC_PASSWORD
The password or personal access token (see github docs) to use for The password or personal access token (see github docs) to use for
git authentication (see --username). NOTE: for security reasons, git authentication (see --username). NOTE: for security reasons,
users should prefer --password-file or $GIT_SYNC_PASSWORD_FILE for users should prefer --password-file or $GITSYNC_PASSWORD_FILE for
specifying the password. specifying the password.
--password-file <string>, $GIT_SYNC_PASSWORD_FILE --password-file <string>, $GITSYNC_PASSWORD_FILE
The file from which the password or personal access token (see The file from which the password or personal access token (see
github docs) to use for git authentication (see --username) will be github docs) to use for git authentication (see --username) will be
read. read.
--period <duration>, $GIT_SYNC_PERIOD --period <duration>, $GITSYNC_PERIOD
How long to wait between sync attempts. This must be at least How long to wait between sync attempts. This must be at least
10ms. This flag obsoletes --wait, but if --wait is specified, it 10ms. This flag obsoletes --wait, but if --wait is specified, it
will take precedence. If not specified, this defaults to 10 will take precedence. If not specified, this defaults to 10
seconds ("10s"). seconds ("10s").
--ref <string>, $GIT_SYNC_REF --ref <string>, $GITSYNC_REF
The git revision (branch, tag, or hash) to check out. If not The git revision (branch, tag, or hash) to check out. If not
specified, this defaults to "HEAD" (of the upstream repo's default specified, this defaults to "HEAD" (of the upstream repo's default
branch). branch).
--repo <string>, $GIT_SYNC_REPO --repo <string>, $GITSYNC_REPO
The git repository to sync. This flag is required. The git repository to sync. This flag is required.
--root <string>, $GIT_SYNC_ROOT --root <string>, $GITSYNC_ROOT
The root directory for git-sync operations, under which --link will The root directory for git-sync operations, under which --link will
be created. This must be a path that either a) does not exist (it be created. This must be a path that either a) does not exist (it
will be created); b) is an empty directory; or c) is a directory will be created); b) is an empty directory; or c) is a directory
which can be emptied by removing all of the contents. This flag is which can be emptied by removing all of the contents. This flag is
required. required.
--sparse-checkout-file <string>, $GIT_SYNC_SPARSE_CHECKOUT_FILE --sparse-checkout-file <string>, $GITSYNC_SPARSE_CHECKOUT_FILE
The path to a git sparse-checkout file (see git documentation for The path to a git sparse-checkout file (see git documentation for
details) which controls which files and directories will be checked details) which controls which files and directories will be checked
out. If not specified, the default is to check out the entire repo. out. If not specified, the default is to check out the entire repo.
--ssh, $GIT_SYNC_SSH --ssh, $GITSYNC_SSH
Use SSH for git authentication and operations. Use SSH for git authentication and operations.
--ssh-key-file <string>, $GIT_SYNC_SSH_KEY_FILE --ssh-key-file <string>, $GITSYNC_SSH_KEY_FILE
The SSH key to use when using --ssh. If not specified, this The SSH key to use when using --ssh. If not specified, this
defaults to "/etc/git-secret/ssh". defaults to "/etc/git-secret/ssh".
--ssh-known-hosts, $GIT_SYNC_KNOWN_HOSTS --ssh-known-hosts, $GITSYNC_SSH_KNOWN_HOSTS
Enable SSH known_hosts verification when using --ssh. If not Enable SSH known_hosts verification when using --ssh. If not
specified, this defaults to true. specified, this defaults to true.
--ssh-known-hosts-file <string>, $GIT_SYNC_SSH_KNOWN_HOSTS_FILE --ssh-known-hosts-file <string>, $GITSYNC_SSH_KNOWN_HOSTS_FILE
The known_hosts file to use when --ssh-known-hosts is specified. The known_hosts file to use when --ssh-known-hosts is specified.
If not specified, this defaults to "/etc/git-secret/known_hosts". If not specified, this defaults to "/etc/git-secret/known_hosts".
--submodules <string>, $GIT_SYNC_SUBMODULES --submodules <string>, $GITSYNC_SUBMODULES
The git submodule behavior: one of "recursive", "shallow", or The git submodule behavior: one of "recursive", "shallow", or
"off". If not specified, this defaults to "recursive". "off". If not specified, this defaults to "recursive".
--sync-on-signal <string>, $GIT_SYNC_SYNC_ON_SIGNAL --sync-on-signal <string>, $GITSYNC_SYNC_ON_SIGNAL
Indicates that a sync attempt should occur upon receipt of the Indicates that a sync attempt should occur upon receipt of the
specified signal name (e.g. SIGHUP) or number (e.g. 1). If a sync specified signal name (e.g. SIGHUP) or number (e.g. 1). If a sync
is already in progress, another sync will be triggered as soon as is already in progress, another sync will be triggered as soon as
the current one completes. If not specified, signals will not the current one completes. If not specified, signals will not
trigger syncs. trigger syncs.
--sync-timeout <duration>, $GIT_SYNC_SYNC_TIMEOUT --sync-timeout <duration>, $GITSYNC_SYNC_TIMEOUT
The total time allowed for one complete sync. This must be at least The total time allowed for one complete sync. This must be at least
10ms. This flag obsoletes --timeout, but if --timeout is specified, 10ms. This flag obsoletes --timeout, but if --timeout is specified,
it will take precedence. If not specified, this defaults to 120 it will take precedence. If not specified, this defaults to 120
seconds ("120s"). seconds ("120s").
--touch-file <string>, $GIT_SYNC_TOUCH_FILE --touch-file <string>, $GITSYNC_TOUCH_FILE
The path to an optional file which will be touched whenever a sync The path to an optional file which will be touched whenever a sync
completes. This may be an absolute path or a relative path, in completes. This may be an absolute path or a relative path, in
which case it is relative to --root. If it is relative to --root, which case it is relative to --root. If it is relative to --root,
the first path element may not start with a period. the first path element may not start with a period.
--username <string>, $GIT_SYNC_USERNAME --username <string>, $GITSYNC_USERNAME
The username to use for git authentication (see --password-file or The username to use for git authentication (see --password-file or
--password). --password).
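Review bot: On the `--ref` entry, the rename to `$GITSYNC_REF` is not backed by a fallback in code: main.go in this commit has `envString("HEAD", "GITSYNC_REF")`, the only call in that block with no `GIT_SYNC_` name after it. A deployment that sets `GIT_SYNC_REF` would silently sync "HEAD" instead of the ref it pinned. If that is intentional, a comment at the call site and a line in this entry would help; otherwise add `"GIT_SYNC_REF"` to the call.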
@ -339,23 +339,23 @@ OPTIONS
--version --version
Print the version and exit. Print the version and exit.
--webhook-backoff <duration>, $GIT_SYNC_WEBHOOK_BACKOFF --webhook-backoff <duration>, $GITSYNC_WEBHOOK_BACKOFF
The time to wait before retrying a failed --webhook-url. If not The time to wait before retrying a failed --webhook-url. If not
specified, this defaults to 3 seconds ("3s"). specified, this defaults to 3 seconds ("3s").
--webhook-method <string>, $GIT_SYNC_WEBHOOK_METHOD --webhook-method <string>, $GITSYNC_WEBHOOK_METHOD
The HTTP method for the --webhook-url. If not specified, this defaults to "POST". The HTTP method for the --webhook-url. If not specified, this defaults to "POST".
--webhook-success-status <int>, $GIT_SYNC_WEBHOOK_SUCCESS_STATUS --webhook-success-status <int>, $GITSYNC_WEBHOOK_SUCCESS_STATUS
The HTTP status code indicating a successful --webhook-url. Setting The HTTP status code indicating a successful --webhook-url. Setting
this to 0 disables success checks, which makes webhooks this to 0 disables success checks, which makes webhooks
"fire-and-forget". If not specified, this defaults to 200. "fire-and-forget". If not specified, this defaults to 200.
--webhook-timeout <duration>, $GIT_SYNC_WEBHOOK_TIMEOUT --webhook-timeout <duration>, $GITSYNC_WEBHOOK_TIMEOUT
The timeout for the --webhook-url. If not specified, this defaults The timeout for the --webhook-url. If not specified, this defaults
to 1 second ("1s"). to 1 second ("1s").
--webhook-url <string>, $GIT_SYNC_WEBHOOK_URL --webhook-url <string>, $GITSYNC_WEBHOOK_URL
A URL for optional webhook notifications when syncs complete. The A URL for optional webhook notifications when syncs complete. The
header 'Gitsync-Hash' will be set to the git hash that was synced. header 'Gitsync-Hash' will be set to the git hash that was synced.
@ -375,25 +375,25 @@ AUTHENTICATION
and "git@example.com:repo" will try to use SSH. and "git@example.com:repo" will try to use SSH.
username/password username/password
The --username (GIT_SYNC_USERNAME) and --password-file The --username (GITSYNC_USERNAME) and --password-file
(GIT_SYNC_PASSWORD_FILE) or --password (GIT_SYNC_PASSWORD) flags (GITSYNC_PASSWORD_FILE) or --password (GITSYNC_PASSWORD) flags
will be used. To prevent password leaks, the --password-file flag will be used. To prevent password leaks, the --password-file flag
or GIT_SYNC_PASSWORD environment variable is almost always or GITSYNC_PASSWORD environment variable is almost always
preferred to the --password flag. preferred to the --password flag.
A variant of this is --askpass-url (GIT_SYNC_ASKPASS_URL), which A variant of this is --askpass-url (GITSYNC_ASKPASS_URL), which
consults a URL (e.g. http://metadata) to get credentials on each consults a URL (e.g. http://metadata) to get credentials on each
sync. sync.
SSH SSH
When --ssh (GIT_SYNC_SSH) is specified, the --ssh-key-file When --ssh (GITSYNC_SSH) is specified, the --ssh-key-file
(GIT_SYNC_SSH_KEY_FILE) will be used. Users are strongly advised (GITSYNC_SSH_KEY_FILE) will be used. Users are strongly advised
to also use --ssh-known-hosts (GIT_SYNC_KNOWN_HOSTS) and to also use --ssh-known-hosts (GITSYNC_SSH_KNOWN_HOSTS) and
--ssh-known-hosts-file (GIT_SYNC_SSH_KNOWN_HOSTS_FILE) when using --ssh-known-hosts-file (GITSYNC_SSH_KNOWN_HOSTS_FILE) when using
SSH. SSH.
cookies cookies
When --cookie-file (GIT_SYNC_COOKIE_FILE) is specified, the When --cookie-file (GITSYNC_COOKIE_FILE) is specified, the
associated cookies can contain authentication information. associated cookies can contain authentication information.
HOOKS HOOKS
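Review bot: In the SSH paragraph, `--ssh-known-hosts` goes from `GIT_SYNC_KNOWN_HOSTS` to `GITSYNC_SSH_KNOWN_HOSTS`, which is more than the prefix change the commit subject describes. The new name matches the flag and `GITSYNC_SSH_KNOWN_HOSTS_FILE`, so the change itself looks right, but it deserves a mention in the commit message or release notes: someone applying the prefix rule by hand would write `GITSYNC_KNOWN_HOSTS`, which the `envBool(true, "GITSYNC_SSH_KNOWN_HOSTS", "GIT_SYNC_KNOWN_HOSTS", "GIT_KNOWN_HOSTS")` call in main.go does not list.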

@ -56,110 +56,110 @@ var flManual = pflag.Bool("man", false, "print the full manual and exit")
var flVerbose = pflag.IntP("verbose", "v", 0, var flVerbose = pflag.IntP("verbose", "v", 0,
"logs at this V level and lower will be printed") "logs at this V level and lower will be printed")
var flRepo = pflag.String("repo", envString("GIT_SYNC_REPO", ""), var flRepo = pflag.String("repo", envString("", "GITSYNC_REPO", "GIT_SYNC_REPO"),
"the git repository to sync (required)") "the git repository to sync (required)")
var flRef = pflag.String("ref", envString("GIT_SYNC_REF", "HEAD"), var flRef = pflag.String("ref", envString("HEAD", "GITSYNC_REF"),
"the git revision (branch, tag, or hash) to sync") "the git revision (branch, tag, or hash) to sync")
var flDepth = pflag.Int("depth", envInt("GIT_SYNC_DEPTH", 1), var flDepth = pflag.Int("depth", envInt(1, "GITSYNC_DEPTH", "GIT_SYNC_DEPTH"),
"create a shallow clone with history truncated to the specified number of commits") "create a shallow clone with history truncated to the specified number of commits")
var flSubmodules = pflag.String("submodules", envString("GIT_SYNC_SUBMODULES", "recursive"), var flSubmodules = pflag.String("submodules", envString("recursive", "GITSYNC_SUBMODULES", "GIT_SYNC_SUBMODULES"),
"git submodule behavior: one of 'recursive', 'shallow', or 'off'") "git submodule behavior: one of 'recursive', 'shallow', or 'off'")
var flRoot = pflag.String("root", envString("GIT_SYNC_ROOT", ""), var flRoot = pflag.String("root", envString("", "GITSYNC_ROOT", "GIT_SYNC_ROOT"),
"the root directory for git-sync operations (required)") "the root directory for git-sync operations (required)")
var flLink = pflag.String("link", envString("GIT_SYNC_LINK", ""), var flLink = pflag.String("link", envString("", "GITSYNC_LINK", "GIT_SYNC_LINK"),
"the path (absolute or relative to --root) at which to create a symlink to the directory holding the checked-out files (defaults to the leaf dir of --repo)") "the path (absolute or relative to --root) at which to create a symlink to the directory holding the checked-out files (defaults to the leaf dir of --repo)")
var flErrorFile = pflag.String("error-file", envString("GIT_SYNC_ERROR_FILE", ""), var flErrorFile = pflag.String("error-file", envString("", "GITSYNC_ERROR_FILE", "GIT_SYNC_ERROR_FILE"),
"the path (absolute or relative to --root) to an optional file into which errors will be written (defaults to disabled)") "the path (absolute or relative to --root) to an optional file into which errors will be written (defaults to disabled)")
var flPeriod = pflag.Duration("period", envDuration("GIT_SYNC_PERIOD", 10*time.Second), var flPeriod = pflag.Duration("period", envDuration(10*time.Second, "GITSYNC_PERIOD", "GIT_SYNC_PERIOD"),
"how long to wait between syncs, must be >= 10ms; --wait overrides this") "how long to wait between syncs, must be >= 10ms; --wait overrides this")
var flSyncTimeout = pflag.Duration("sync-timeout", envDuration("GIT_SYNC_SYNC_TIMEOUT", 120*time.Second), var flSyncTimeout = pflag.Duration("sync-timeout", envDuration(120*time.Second, "GITSYNC_SYNC_TIMEOUT", "GIT_SYNC_SYNC_TIMEOUT"),
"the total time allowed for one complete sync, must be >= 10ms; --timeout overrides this") "the total time allowed for one complete sync, must be >= 10ms; --timeout overrides this")
var flOneTime = pflag.Bool("one-time", envBool("GIT_SYNC_ONE_TIME", false), var flOneTime = pflag.Bool("one-time", envBool(false, "GITSYNC_ONE_TIME", "GIT_SYNC_ONE_TIME"),
"exit after the first sync") "exit after the first sync")
var flSyncOnSignal = pflag.String("sync-on-signal", envString("GIT_SYNC_SYNC_ON_SIGNAL", ""), var flSyncOnSignal = pflag.String("sync-on-signal", envString("", "GITSYNC_SYNC_ON_SIGNAL", "GIT_SYNC_SYNC_ON_SIGNAL"),
"sync on receipt of the specified signal (e.g. SIGHUP)") "sync on receipt of the specified signal (e.g. SIGHUP)")
var flMaxFailures = pflag.Int("max-failures", envInt("GIT_SYNC_MAX_FAILURES", 0), var flMaxFailures = pflag.Int("max-failures", envInt(0, "GITSYNC_MAX_FAILURES", "GIT_SYNC_MAX_FAILURES"),
"the number of consecutive failures allowed before aborting (the first sync must succeed, -1 will retry forever") "the number of consecutive failures allowed before aborting (the first sync must succeed, -1 will retry forever")
var flChmod = pflag.Int("change-permissions", envInt("GIT_SYNC_PERMISSIONS", 0), var flChmod = pflag.Int("change-permissions", envInt(0, "GITSYNC_PERMISSIONS", "GIT_SYNC_PERMISSIONS"),
"optionally change permissions on the checked-out files to the specified mode") "optionally change permissions on the checked-out files to the specified mode")
var flTouchFile = pflag.String("touch-file", envString("GIT_SYNC_TOUCH_FILE", ""), var flTouchFile = pflag.String("touch-file", envString("", "GITSYNC_TOUCH_FILE", "GIT_SYNC_TOUCH_FILE"),
"the path (absolute or relative to --root) to an optional file which will be touched whenever a sync completes (defaults to disabled)") "the path (absolute or relative to --root) to an optional file which will be touched whenever a sync completes (defaults to disabled)")
var flSparseCheckoutFile = pflag.String("sparse-checkout-file", envString("GIT_SYNC_SPARSE_CHECKOUT_FILE", ""), var flSparseCheckoutFile = pflag.String("sparse-checkout-file", envString("", "GITSYNC_SPARSE_CHECKOUT_FILE", "GIT_SYNC_SPARSE_CHECKOUT_FILE"),
"the path to a sparse-checkout file") "the path to a sparse-checkout file")
var flExechookCommand = pflag.String("exechook-command", envString("GIT_SYNC_EXECHOOK_COMMAND", ""), var flExechookCommand = pflag.String("exechook-command", envString("", "GITSYNC_EXECHOOK_COMMAND", "GIT_SYNC_EXECHOOK_COMMAND"),
"an optional command to be run when syncs complete") "an optional command to be run when syncs complete")
var flExechookTimeout = pflag.Duration("exechook-timeout", envDuration("GIT_SYNC_EXECHOOK_TIMEOUT", time.Second*30), var flExechookTimeout = pflag.Duration("exechook-timeout", envDuration(30*time.Second, "GITSYNC_EXECHOOK_TIMEOUT", "GIT_SYNC_EXECHOOK_TIMEOUT"),
"the timeout for the exechook") "the timeout for the exechook")
var flExechookBackoff = pflag.Duration("exechook-backoff", envDuration("GIT_SYNC_EXECHOOK_BACKOFF", time.Second*3), var flExechookBackoff = pflag.Duration("exechook-backoff", envDuration(3*time.Second, "GITSYNC_EXECHOOK_BACKOFF", "GIT_SYNC_EXECHOOK_BACKOFF"),
"the time to wait before retrying a failed exechook") "the time to wait before retrying a failed exechook")
var flWebhookURL = pflag.String("webhook-url", envString("GIT_SYNC_WEBHOOK_URL", ""), var flWebhookURL = pflag.String("webhook-url", envString("", "GITSYNC_WEBHOOK_URL", "GIT_SYNC_WEBHOOK_URL"),
"a URL for optional webhook notifications when syncs complete") "a URL for optional webhook notifications when syncs complete")
var flWebhookMethod = pflag.String("webhook-method", envString("GIT_SYNC_WEBHOOK_METHOD", "POST"), var flWebhookMethod = pflag.String("webhook-method", envString("POST", "GITSYNC_WEBHOOK_METHOD", "GIT_SYNC_WEBHOOK_METHOD"),
"the HTTP method for the webhook") "the HTTP method for the webhook")
var flWebhookStatusSuccess = pflag.Int("webhook-success-status", envInt("GIT_SYNC_WEBHOOK_SUCCESS_STATUS", 200), var flWebhookStatusSuccess = pflag.Int("webhook-success-status", envInt(200, "GITSYNC_WEBHOOK_SUCCESS_STATUS", "GIT_SYNC_WEBHOOK_SUCCESS_STATUS"),
"the HTTP status code indicating a successful webhook (0 disables success checks") "the HTTP status code indicating a successful webhook (0 disables success checks")
var flWebhookTimeout = pflag.Duration("webhook-timeout", envDuration("GIT_SYNC_WEBHOOK_TIMEOUT", time.Second), var flWebhookTimeout = pflag.Duration("webhook-timeout", envDuration(1*time.Second, "GITSYNC_WEBHOOK_TIMEOUT", "GIT_SYNC_WEBHOOK_TIMEOUT"),
"the timeout for the webhook") "the timeout for the webhook")
var flWebhookBackoff = pflag.Duration("webhook-backoff", envDuration("GIT_SYNC_WEBHOOK_BACKOFF", time.Second*3), var flWebhookBackoff = pflag.Duration("webhook-backoff", envDuration(3*time.Second, "GITSYNC_WEBHOOK_BACKOFF", "GIT_SYNC_WEBHOOK_BACKOFF"),
"the time to wait before retrying a failed webhook") "the time to wait before retrying a failed webhook")
var flUsername = pflag.String("username", envString("GIT_SYNC_USERNAME", ""), var flUsername = pflag.String("username", envString("", "GITSYNC_USERNAME", "GIT_SYNC_USERNAME"),
"the username to use for git auth") "the username to use for git auth")
var flPassword = pflag.String("password", envString("GIT_SYNC_PASSWORD", ""), var flPassword = pflag.String("password", envString("", "GITSYNC_PASSWORD", "GIT_SYNC_PASSWORD"),
"the password or personal access token to use for git auth (prefer --password-file or this env var)") "the password or personal access token to use for git auth (prefer --password-file or this env var)")
var flPasswordFile = pflag.String("password-file", envString("GIT_SYNC_PASSWORD_FILE", ""), var flPasswordFile = pflag.String("password-file", envString("", "GITSYNC_PASSWORD_FILE", "GIT_SYNC_PASSWORD_FILE"),
"the file from which the password or personal access token for git auth will be sourced") "the file from which the password or personal access token for git auth will be sourced")
var flSSH = pflag.Bool("ssh", envBool("GIT_SYNC_SSH", false), var flSSH = pflag.Bool("ssh", envBool(false, "GITSYNC_SSH", "GIT_SYNC_SSH"),
"use SSH for git operations") "use SSH for git operations")
var flSSHKeyFile = pflag.String("ssh-key-file", envMultiString([]string{"GIT_SYNC_SSH_KEY_FILE", "GIT_SSH_KEY_FILE"}, "/etc/git-secret/ssh"), var flSSHKeyFile = pflag.String("ssh-key-file", envString("/etc/git-secret/ssh", "GITSYNC_SSH_KEY_FILE", "GIT_SYNC_SSH_KEY_FILE", "GIT_SSH_KEY_FILE"),
"the SSH key to use") "the SSH key to use")
var flSSHKnownHosts = pflag.Bool("ssh-known-hosts", envMultiBool([]string{"GIT_SYNC_KNOWN_HOSTS", "GIT_KNOWN_HOSTS"}, true), var flSSHKnownHosts = pflag.Bool("ssh-known-hosts", envBool(true, "GITSYNC_SSH_KNOWN_HOSTS", "GIT_SYNC_KNOWN_HOSTS", "GIT_KNOWN_HOSTS"),
"enable SSH known_hosts verification") "enable SSH known_hosts verification")
var flSSHKnownHostsFile = pflag.String("ssh-known-hosts-file", envMultiString([]string{"GIT_SYNC_SSH_KNOWN_HOSTS_FILE", "GIT_SSH_KNOWN_HOSTS_FILE"}, "/etc/git-secret/known_hosts"), var flSSHKnownHostsFile = pflag.String("ssh-known-hosts-file", envString("/etc/git-secret/known_hosts", "GITSYNC_SSH_KNOWN_HOSTS_FILE", "GIT_SYNC_SSH_KNOWN_HOSTS_FILE", "GIT_SSH_KNOWN_HOSTS_FILE"),
"the known_hosts file to use") "the known_hosts file to use")
var flAddUser = pflag.Bool("add-user", envBool("GIT_SYNC_ADD_USER", false), var flAddUser = pflag.Bool("add-user", envBool(false, "GITSYNC_ADD_USER", "GIT_SYNC_ADD_USER"),
"add a record to /etc/passwd for the current UID/GID (needed to use SSH with an arbitrary UID)") "add a record to /etc/passwd for the current UID/GID (needed to use SSH with an arbitrary UID)")
var flCookieFile = pflag.Bool("cookie-file", envMultiBool([]string{"GIT_SYNC_COOKIE_FILE", "GIT_COOKIE_FILE"}, false), var flCookieFile = pflag.Bool("cookie-file", envBool(false, "GITSYNC_COOKIE_FILE", "GIT_SYNC_COOKIE_FILE", "GIT_COOKIE_FILE"),
"use a git cookiefile (/etc/git-secret/cookie_file) for authentication") "use a git cookiefile (/etc/git-secret/cookie_file) for authentication")
var flAskPassURL = pflag.String("askpass-url", envMultiString([]string{"GIT_SYNC_ASKPASS_URL", "GIT_ASKPASS_URL"}, ""), var flAskPassURL = pflag.String("askpass-url", envString("", "GITSYNC_ASKPASS_URL", "GIT_SYNC_ASKPASS_URL", "GIT_ASKPASS_URL"),
"a URL to query for git credentials (username=<value> and password=<value>)") "a URL to query for git credentials (username=<value> and password=<value>)")
var flGitCmd = pflag.String("git", envString("GIT_SYNC_GIT", "git"), var flGitCmd = pflag.String("git", envString("git", "GITSYNC_GIT", "GIT_SYNC_GIT"),
"the git command to run (subject to PATH search, mostly for testing)") "the git command to run (subject to PATH search, mostly for testing)")
var flGitConfig = pflag.String("git-config", envString("GIT_SYNC_GIT_CONFIG", ""), var flGitConfig = pflag.String("git-config", envString("", "GITSYNC_GIT_CONFIG", "GIT_SYNC_GIT_CONFIG"),
"additional git config options in 'section.var1:val1,\"section.sub.var2\":\"val2\"' format") "additional git config options in 'section.var1:val1,\"section.sub.var2\":\"val2\"' format")
var flGitGC = pflag.String("git-gc", envString("GIT_SYNC_GIT_GC", "always"), var flGitGC = pflag.String("git-gc", envString("always", "GITSYNC_GIT_GC", "GIT_SYNC_GIT_GC"),
"git garbage collection behavior: one of 'auto', 'always', 'aggressive', or 'off'") "git garbage collection behavior: one of 'auto', 'always', 'aggressive', or 'off'")
var flHTTPBind = pflag.String("http-bind", envString("GIT_SYNC_HTTP_BIND", ""), var flHTTPBind = pflag.String("http-bind", envString("", "GITSYNC_HTTP_BIND", "GIT_SYNC_HTTP_BIND"),
"the bind address (including port) for git-sync's HTTP endpoint") "the bind address (including port) for git-sync's HTTP endpoint")
var flHTTPMetrics = pflag.Bool("http-metrics", envBool("GIT_SYNC_HTTP_METRICS", false), var flHTTPMetrics = pflag.Bool("http-metrics", envBool(false, "GITSYNC_HTTP_METRICS", "GIT_SYNC_HTTP_METRICS"),
"enable metrics on git-sync's HTTP endpoint") "enable metrics on git-sync's HTTP endpoint")
var flHTTPprof = pflag.Bool("http-pprof", envBool("GIT_SYNC_HTTP_PPROF", false), var flHTTPprof = pflag.Bool("http-pprof", envBool(false, "GITSYNC_HTTP_PPROF", "GIT_SYNC_HTTP_PPROF"),
"enable the pprof debug endpoints on git-sync's HTTP endpoint") "enable the pprof debug endpoints on git-sync's HTTP endpoint")
// Obsolete flags, kept for compat. // Obsolete flags, kept for compat.
var flBranch = pflag.String("branch", envString("GIT_SYNC_BRANCH", ""), var flBranch = pflag.String("branch", envString("", "GIT_SYNC_BRANCH"),
"DEPRECATED: use --ref instead") "DEPRECATED: use --ref instead")
var flRev = pflag.String("rev", envString("GIT_SYNC_REV", ""), var flRev = pflag.String("rev", envString("", "GIT_SYNC_REV"),
"DEPRECATED: use --ref instead") "DEPRECATED: use --ref instead")
var flWait = pflag.Float64("wait", envFloat("GIT_SYNC_WAIT", 0), var flWait = pflag.Float64("wait", envFloat(0, "GIT_SYNC_WAIT"),
"DEPRECATED: use --period instead") "DEPRECATED: use --period instead")
var flTimeout = pflag.Int("timeout", envInt("GIT_SYNC_TIMEOUT", 0), var flTimeout = pflag.Int("timeout", envInt(0, "GIT_SYNC_TIMEOUT"),
"DEPRECATED: use --sync-timeout instead") "DEPRECATED: use --sync-timeout instead")
var flDest = pflag.String("dest", envString("GIT_SYNC_DEST", ""), var flDest = pflag.String("dest", envString("", "GIT_SYNC_DEST"),
"DEPRECATED: use --link instead") "DEPRECATED: use --link instead")
var flSyncHookCommand = pflag.String("sync-hook-command", envString("GIT_SYNC_HOOK_COMMAND", ""), var flSyncHookCommand = pflag.String("sync-hook-command", envString("", "GIT_SYNC_HOOK_COMMAND"),
"DEPRECATED: use --exechook-command instead") "DEPRECATED: use --exechook-command instead")
var flMaxSyncFailures = pflag.Int("max-sync-failures", envInt("GIT_SYNC_MAX_SYNC_FAILURES", 0), var flMaxSyncFailures = pflag.Int("max-sync-failures", envInt(0, "GIT_SYNC_MAX_SYNC_FAILURES"),
"DEPRECATED: use --max-failures instead") "DEPRECATED: use --max-failures instead")
var flOldSkoolVerbose = pflag.Int("v", -1, var flOldSkoolVerbose = pflag.Int("v", -1,
"DEPRECATED: use -v or --verbose instead") "DEPRECATED: use -v or --verbose instead")
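Review bot: envString now takes (def, key, alts...) and every parameter is a string, so a call site left in the old (key, def) order still compiles and silently treats the variable name as the default value. Worth grepping for any remaining envString("GIT_SYNC_ first-argument calls, or adding a unit test that walks the registered flags. Separately, --ssh-known-hosts gains an SSH_ in its new name (GITSYNC_SSH_KNOWN_HOSTS, previously GIT_SYNC_KNOWN_HOSTS), so it is not a pure prefix change and deserves an explicit mention in the release notes.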
@ -223,114 +223,135 @@ func init() {
prometheus.MustRegister(askpassCount) prometheus.MustRegister(askpassCount)
} }
func envString(key, def string) string { func envString(def string, key string, alts ...string) string {
if val := os.Getenv(key); val != "" { if val := os.Getenv(key); val != "" {
return val return val
} }
return def for _, alt := range alts {
} if val := os.Getenv(alt); val != "" {
fmt.Fprintf(os.Stderr, "env %s has been deprecated, use %s instead\n", alt, key)
func envMultiString(keys []string, def string) string {
for i, key := range keys {
if val := os.Getenv(key); val != "" {
if i != 0 {
fmt.Fprintf(os.Stderr, "env %s has been deprecated, use %s instead\n", key, keys[0])
}
return val return val
} }
} }
return def return def
} }
func envBoolOrError(key string, def bool) (bool, error) { func envBoolOrError(def bool, key string, alts ...string) (bool, error) {
if val := os.Getenv(key); val != "" { parse := func(val string) (bool, error) {
parsed, err := strconv.ParseBool(val) parsed, err := strconv.ParseBool(val)
if err == nil { if err == nil {
return parsed, nil return parsed, nil
} }
return false, fmt.Errorf("ERROR: invalid bool env %s=%q: %v\n", key, val, err) return false, fmt.Errorf("ERROR: invalid bool env %s=%q: %v\n", key, val, err)
} }
if val := os.Getenv(key); val != "" {
return parse(val)
}
for _, alt := range alts {
if val := os.Getenv(key); val != "" {
fmt.Fprintf(os.Stderr, "env %s has been deprecated, use %s instead\n", alt, key)
return parse(val)
}
}
return def, nil return def, nil
} }
func envBool(key string, def bool) bool { func envBool(def bool, key string, alts ...string) bool {
val, err := envBoolOrError(key, def) val, err := envBoolOrError(def, key, alts...)
if err != nil { if err != nil {
fmt.Fprintln(os.Stderr, err) fmt.Fprintln(os.Stderr, err)
os.Exit(1) os.Exit(1)
return false
} }
return val return val
} }
func envMultiBool(keys []string, def bool) bool { func envIntOrError(def int, key string, alts ...string) (int, error) {
for i, key := range keys { parse := func(val string) (int, error) {
if val := os.Getenv(key); val != "" {
parsed, err := strconv.ParseBool(val)
if err == nil {
if i != 0 {
fmt.Fprintf(os.Stderr, "env %s has been deprecated, use %s instead\n", key, keys[0])
}
return parsed
}
fmt.Fprintf(os.Stderr, "ERROR: invalid bool env %s=%q: %v\n", key, val, err)
os.Exit(1)
}
}
return def
}
func envIntOrError(key string, def int) (int, error) {
if val := os.Getenv(key); val != "" {
parsed, err := strconv.ParseInt(val, 0, 0) parsed, err := strconv.ParseInt(val, 0, 0)
if err == nil { if err == nil {
return int(parsed), nil return int(parsed), nil
} }
return 0, fmt.Errorf("ERROR: invalid int env %s=%q: %v\n", key, val, err) return 0, fmt.Errorf("ERROR: invalid int env %s=%q: %v\n", key, val, err)
} }
if val := os.Getenv(key); val != "" {
return parse(val)
}
for _, alt := range alts {
if val := os.Getenv(key); val != "" {
fmt.Fprintf(os.Stderr, "env %s has been deprecated, use %s instead\n", alt, key)
return parse(val)
}
}
return def, nil return def, nil
} }
func envInt(key string, def int) int { func envInt(def int, key string, alts ...string) int {
val, err := envIntOrError(key, def) val, err := envIntOrError(def, key, alts...)
if err != nil { if err != nil {
fmt.Fprintln(os.Stderr, err) fmt.Fprintln(os.Stderr, err)
os.Exit(1) os.Exit(1)
return 0
} }
return val return val
} }
func envFloatOrError(key string, def float64) (float64, error) { func envFloatOrError(def float64, key string, alts ...string) (float64, error) {
if val := os.Getenv(key); val != "" { parse := func(val string) (float64, error) {
parsed, err := strconv.ParseFloat(val, 64) parsed, err := strconv.ParseFloat(val, 64)
if err == nil { if err == nil {
return parsed, nil return parsed, nil
} }
return 0, fmt.Errorf("ERROR: invalid float env %s=%q: %v\n", key, val, err) return 0, fmt.Errorf("ERROR: invalid float env %s=%q: %v\n", key, val, err)
} }
if val := os.Getenv(key); val != "" {
return parse(val)
}
for _, alt := range alts {
if val := os.Getenv(key); val != "" {
fmt.Fprintf(os.Stderr, "env %s has been deprecated, use %s instead\n", alt, key)
return parse(val)
}
}
return def, nil return def, nil
} }
func envFloat(key string, def float64) float64 { func envFloat(def float64, key string, alts ...string) float64 {
val, err := envFloatOrError(key, def) val, err := envFloatOrError(def, key, alts...)
if err != nil { if err != nil {
fmt.Fprintln(os.Stderr, err) fmt.Fprintln(os.Stderr, err)
os.Exit(1) os.Exit(1)
return 0
} }
return val return val
} }
func envDurationOrError(key string, def time.Duration) (time.Duration, error) { func envDurationOrError(def time.Duration, key string, alts ...string) (time.Duration, error) {
if val := os.Getenv(key); val != "" { parse := func(val string) (time.Duration, error) {
parsed, err := time.ParseDuration(val) parsed, err := time.ParseDuration(val)
if err == nil { if err == nil {
return parsed, nil return parsed, nil
} }
return 0, fmt.Errorf("ERROR: invalid duration env %s=%q: %v\n", key, val, err) return 0, fmt.Errorf("ERROR: invalid duration env %s=%q: %v\n", key, val, err)
} }
if val := os.Getenv(key); val != "" {
return parse(val)
}
for _, alt := range alts {
if val := os.Getenv(key); val != "" {
fmt.Fprintf(os.Stderr, "env %s has been deprecated, use %s instead\n", alt, key)
return parse(val)
}
}
return def, nil return def, nil
} }
func envDuration(key string, def time.Duration) time.Duration { func envDuration(def time.Duration, key string, alts ...string) time.Duration {
val, err := envDurationOrError(key, def) val, err := envDurationOrError(def, key, alts...)
if err != nil { if err != nil {
fmt.Fprintln(os.Stderr, err) fmt.Fprintln(os.Stderr, err)
os.Exit(1) os.Exit(1)
return 0
} }
return val return val
} }
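Review bot: in envBoolOrError, envIntOrError, envFloatOrError and envDurationOrError the fallback loop ranges over alts but still calls os.Getenv(key), so a deprecated name such as GIT_SYNC_KNOWN_HOSTS or GIT_SYNC_ADD_USER is never read and the flag silently takes its default; only envString reads os.Getenv(alt). Change the loop body to if val := os.Getenv(alt); val != "" in all four helpers, and pass the name that supplied the value into parse, since the closure formats its error with key even when the value would come from an alt.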
@ -968,9 +989,15 @@ func logSafeArgs(args []string) []string {
func logSafeEnv(env []string) []string { func logSafeEnv(env []string) []string {
ret := make([]string, len(env)) ret := make([]string, len(env))
for i, ev := range env { for i, ev := range env {
if strings.HasPrefix(ev, "GITSYNC_PASSWORD=") {
ev = "GITSYNC_PASSWORD=" + redactedString
}
if strings.HasPrefix(ev, "GIT_SYNC_PASSWORD=") { if strings.HasPrefix(ev, "GIT_SYNC_PASSWORD=") {
ev = "GIT_SYNC_PASSWORD=" + redactedString ev = "GIT_SYNC_PASSWORD=" + redactedString
} }
if strings.HasPrefix(ev, "GITSYNC_REPO=") {
ev = "GITSYNC_REPO=" + redactURL(ev[14:])
}
if strings.HasPrefix(ev, "GIT_SYNC_REPO=") { if strings.HasPrefix(ev, "GIT_SYNC_REPO=") {
ev = "GIT_SYNC_REPO=" + redactURL(ev[14:]) ev = "GIT_SYNC_REPO=" + redactURL(ev[14:])
} }
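Review bot: the new GITSYNC_REPO branch slices ev[14:], but "GITSYNC_REPO=" is 13 characters (14 is the length of "GIT_SYNC_REPO="), so the first character of the URL is dropped before it reaches redactURL and the logged value is wrong. Use strings.TrimPrefix(ev, "GITSYNC_REPO=") or ev[len("GITSYNC_REPO="):] in both branches so the offset cannot drift from the prefix.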
@ -2059,40 +2086,40 @@ OPTIONS
Many options can be specified as either a commandline flag or an environment Many options can be specified as either a commandline flag or an environment
variable. variable.
--add-user, $GIT_SYNC_ADD_USER --add-user, $GITSYNC_ADD_USER
Add a record to /etc/passwd for the current UID/GID. This is Add a record to /etc/passwd for the current UID/GID. This is
needed to use SSH with an arbitrary UID (see --ssh). This assumes needed to use SSH with an arbitrary UID (see --ssh). This assumes
that /etc/passwd is writable by the current UID. that /etc/passwd is writable by the current UID.
--askpass-url <string>, $GIT_SYNC_ASKPASS_URL --askpass-url <string>, $GITSYNC_ASKPASS_URL
A URL to query for git credentials. The query must return success A URL to query for git credentials. The query must return success
(200) and produce a series of key=value lines, including (200) and produce a series of key=value lines, including
"username=<value>" and "password=<value>". "username=<value>" and "password=<value>".
--change-permissions <int>, $GIT_SYNC_PERMISSIONS --change-permissions <int>, $GITSYNC_PERMISSIONS
Change permissions on the checked-out files to the specified mode. Change permissions on the checked-out files to the specified mode.
--cookie-file <string>, $GIT_SYNC_COOKIE_FILE --cookie-file <string>, $GITSYNC_COOKIE_FILE
Use a git cookiefile (/etc/git-secret/cookie_file) for Use a git cookiefile (/etc/git-secret/cookie_file) for
authentication. authentication.
--depth <int>, $GIT_SYNC_DEPTH --depth <int>, $GITSYNC_DEPTH
Create a shallow clone with history truncated to the specified Create a shallow clone with history truncated to the specified
number of commits. If not specified, this defaults to syncing a number of commits. If not specified, this defaults to syncing a
single commit. Setting this to 0 will sync the full history of the single commit. Setting this to 0 will sync the full history of the
repo. repo.
--error-file <string>, $GIT_SYNC_ERROR_FILE --error-file <string>, $GITSYNC_ERROR_FILE
The path to an optional file into which errors will be written. The path to an optional file into which errors will be written.
This may be an absolute path or a relative path, in which case it This may be an absolute path or a relative path, in which case it
is relative to --root. If it is relative to --root, the first path is relative to --root. If it is relative to --root, the first path
element may not start with a period. element may not start with a period.
--exechook-backoff <duration>, $GIT_SYNC_EXECHOOK_BACKOFF --exechook-backoff <duration>, $GITSYNC_EXECHOOK_BACKOFF
The time to wait before retrying a failed --exechook-command. If The time to wait before retrying a failed --exechook-command. If
not specified, this defaults to 3 seconds ("3s"). not specified, this defaults to 3 seconds ("3s").
--exechook-command <string>, $GIT_SYNC_EXECHOOK_COMMAND --exechook-command <string>, $GITSYNC_EXECHOOK_COMMAND
An optional command to be executed after syncing a new hash of the An optional command to be executed after syncing a new hash of the
remote repository. This command does not take any arguments and remote repository. This command does not take any arguments and
executes with the synced repo as its working directory. The following executes with the synced repo as its working directory. The following
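Review bot: the OPTIONS text now lists only the $GITSYNC_* names and nowhere states that the $GIT_SYNC_* forms are still accepted with a deprecation warning on stderr, which is what the commit message promises. Add a sentence after "Many options can be specified as either a commandline flag or an environment variable." saying the old names still work but are deprecated, and that the new name takes precedence when both are set.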
@ -2102,15 +2129,15 @@ OPTIONS
This flag obsoletes --sync-hook-command, but if sync-hook-command This flag obsoletes --sync-hook-command, but if sync-hook-command
is specified, it will take precedence. is specified, it will take precedence.
--exechook-timeout <duration>, $GIT_SYNC_EXECHOOK_TIMEOUT --exechook-timeout <duration>, $GITSYNC_EXECHOOK_TIMEOUT
The timeout for the --exechook-command. If not specifid, this The timeout for the --exechook-command. If not specifid, this
defaults to 30 seconds ("30s"). defaults to 30 seconds ("30s").
--git <string>, $GIT_SYNC_GIT --git <string>, $GITSYNC_GIT
The git command to run (subject to PATH search, mostly for The git command to run (subject to PATH search, mostly for
testing). This defaults to "git". testing). This defaults to "git".
--git-config <string>, $GIT_SYNC_GIT_CONFIG --git-config <string>, $GITSYNC_GIT_CONFIG
Additional git config options in a comma-separated 'key:val' Additional git config options in a comma-separated 'key:val'
format. The parsed keys and values are passed to 'git config' and format. The parsed keys and values are passed to 'git config' and
must be valid syntax for that command. must be valid syntax for that command.
@ -2128,7 +2155,7 @@ OPTIONS
quoted values commas may be escaped, but are not required to be. quoted values commas may be escaped, but are not required to be.
Any other escape sequence is an error. Any other escape sequence is an error.
--git-gc <string>, $GIT_SYNC_GIT_GC --git-gc <string>, $GITSYNC_GIT_GC
The git garbage collection behavior: one of "auto", "always", The git garbage collection behavior: one of "auto", "always",
"aggressive", or "off". If not specified, this defaults to "aggressive", or "off". If not specified, this defaults to
"auto". "auto".
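Review bot: this paragraph says --git-gc defaults to "auto", but the flag definition in this same commit passes "always" as the default to envString. One of the two is stale; since the entry is being touched anyway, make the manual match the code.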
@ -2144,7 +2171,7 @@ OPTIONS
-h, --help -h, --help
Print help text and exit. Print help text and exit.
--http-bind <string>, $GIT_SYNC_HTTP_BIND --http-bind <string>, $GITSYNC_HTTP_BIND
The bind address (including port) for git-sync's HTTP endpoint. If The bind address (including port) for git-sync's HTTP endpoint. If
not specified, the HTTP endpoint is not enabled. not specified, the HTTP endpoint is not enabled.
@ -2152,15 +2179,15 @@ OPTIONS
":1234": listen on any IP, port 1234 ":1234": listen on any IP, port 1234
"127.0.0.1:1234": listen on localhost, port 1234 "127.0.0.1:1234": listen on localhost, port 1234
--http-metrics, $GIT_SYNC_HTTP_METRICS --http-metrics, $GITSYNC_HTTP_METRICS
Enable metrics on git-sync's HTTP endpoint. Requires --http-bind Enable metrics on git-sync's HTTP endpoint. Requires --http-bind
to be specified. to be specified.
--http-pprof, $GIT_SYNC_HTTP_PPROF --http-pprof, $GITSYNC_HTTP_PPROF
Enable the pprof debug endpoints on git-sync's HTTP endpoint. Enable the pprof debug endpoints on git-sync's HTTP endpoint.
Requires --http-bind to be specified. Requires --http-bind to be specified.
--link <string>, $GIT_SYNC_LINK --link <string>, $GITSYNC_LINK
The path to at which to create a symlink which points to the The path to at which to create a symlink which points to the
current git directory, at the currently synced hash. This may be current git directory, at the currently synced hash. This may be
an absolute path or a relative path, in which case it is relative an absolute path or a relative path, in which case it is relative
@ -2173,91 +2200,91 @@ OPTIONS
--man --man
Print this manual and exit. Print this manual and exit.
--max-failures <int>, $GIT_SYNC_MAX_FAILURES --max-failures <int>, $GITSYNC_MAX_FAILURES
The number of consecutive failures allowed before aborting (the The number of consecutive failures allowed before aborting (the
first sync must succeed), Setting this to a negative value will first sync must succeed), Setting this to a negative value will
retry forever after the initial sync. If not specified, this retry forever after the initial sync. If not specified, this
defaults to 0, meaning any sync failure will terminate git-sync. defaults to 0, meaning any sync failure will terminate git-sync.
--one-time, $GIT_SYNC_ONE_TIME --one-time, $GITSYNC_ONE_TIME
Exit after one sync. Exit after one sync.
--password <string>, $GIT_SYNC_PASSWORD --password <string>, $GITSYNC_PASSWORD
The password or personal access token (see github docs) to use for The password or personal access token (see github docs) to use for
git authentication (see --username). NOTE: for security reasons, git authentication (see --username). NOTE: for security reasons,
users should prefer --password-file or $GIT_SYNC_PASSWORD_FILE for users should prefer --password-file or $GITSYNC_PASSWORD_FILE for
specifying the password. specifying the password.
--password-file <string>, $GIT_SYNC_PASSWORD_FILE --password-file <string>, $GITSYNC_PASSWORD_FILE
The file from which the password or personal access token (see The file from which the password or personal access token (see
github docs) to use for git authentication (see --username) will be github docs) to use for git authentication (see --username) will be
read. read.
--period <duration>, $GIT_SYNC_PERIOD --period <duration>, $GITSYNC_PERIOD
How long to wait between sync attempts. This must be at least How long to wait between sync attempts. This must be at least
10ms. This flag obsoletes --wait, but if --wait is specified, it 10ms. This flag obsoletes --wait, but if --wait is specified, it
will take precedence. If not specified, this defaults to 10 will take precedence. If not specified, this defaults to 10
seconds ("10s"). seconds ("10s").
--ref <string>, $GIT_SYNC_REF --ref <string>, $GITSYNC_REF
The git revision (branch, tag, or hash) to check out. If not The git revision (branch, tag, or hash) to check out. If not
specified, this defaults to "HEAD" (of the upstream repo's default specified, this defaults to "HEAD" (of the upstream repo's default
branch). branch).
--repo <string>, $GIT_SYNC_REPO --repo <string>, $GITSYNC_REPO
The git repository to sync. This flag is required. The git repository to sync. This flag is required.
--root <string>, $GIT_SYNC_ROOT --root <string>, $GITSYNC_ROOT
The root directory for git-sync operations, under which --link will The root directory for git-sync operations, under which --link will
be created. This must be a path that either a) does not exist (it be created. This must be a path that either a) does not exist (it
will be created); b) is an empty directory; or c) is a directory will be created); b) is an empty directory; or c) is a directory
which can be emptied by removing all of the contents. This flag is which can be emptied by removing all of the contents. This flag is
required. required.
--sparse-checkout-file <string>, $GIT_SYNC_SPARSE_CHECKOUT_FILE --sparse-checkout-file <string>, $GITSYNC_SPARSE_CHECKOUT_FILE
The path to a git sparse-checkout file (see git documentation for The path to a git sparse-checkout file (see git documentation for
details) which controls which files and directories will be checked details) which controls which files and directories will be checked
out. If not specified, the default is to check out the entire repo. out. If not specified, the default is to check out the entire repo.
--ssh, $GIT_SYNC_SSH --ssh, $GITSYNC_SSH
Use SSH for git authentication and operations. Use SSH for git authentication and operations.
--ssh-key-file <string>, $GIT_SYNC_SSH_KEY_FILE --ssh-key-file <string>, $GITSYNC_SSH_KEY_FILE
The SSH key to use when using --ssh. If not specified, this The SSH key to use when using --ssh. If not specified, this
defaults to "/etc/git-secret/ssh". defaults to "/etc/git-secret/ssh".
--ssh-known-hosts, $GIT_SYNC_KNOWN_HOSTS --ssh-known-hosts, $GITSYNC_SSH_KNOWN_HOSTS
Enable SSH known_hosts verification when using --ssh. If not Enable SSH known_hosts verification when using --ssh. If not
specified, this defaults to true. specified, this defaults to true.
--ssh-known-hosts-file <string>, $GIT_SYNC_SSH_KNOWN_HOSTS_FILE --ssh-known-hosts-file <string>, $GITSYNC_SSH_KNOWN_HOSTS_FILE
The known_hosts file to use when --ssh-known-hosts is specified. The known_hosts file to use when --ssh-known-hosts is specified.
If not specified, this defaults to "/etc/git-secret/known_hosts". If not specified, this defaults to "/etc/git-secret/known_hosts".
--submodules <string>, $GIT_SYNC_SUBMODULES --submodules <string>, $GITSYNC_SUBMODULES
The git submodule behavior: one of "recursive", "shallow", or The git submodule behavior: one of "recursive", "shallow", or
"off". If not specified, this defaults to "recursive". "off". If not specified, this defaults to "recursive".
--sync-on-signal <string>, $GIT_SYNC_SYNC_ON_SIGNAL --sync-on-signal <string>, $GITSYNC_SYNC_ON_SIGNAL
Indicates that a sync attempt should occur upon receipt of the Indicates that a sync attempt should occur upon receipt of the
specified signal name (e.g. SIGHUP) or number (e.g. 1). If a sync specified signal name (e.g. SIGHUP) or number (e.g. 1). If a sync
is already in progress, another sync will be triggered as soon as is already in progress, another sync will be triggered as soon as
the current one completes. If not specified, signals will not the current one completes. If not specified, signals will not
trigger syncs. trigger syncs.
--sync-timeout <duration>, $GIT_SYNC_SYNC_TIMEOUT --sync-timeout <duration>, $GITSYNC_SYNC_TIMEOUT
The total time allowed for one complete sync. This must be at least The total time allowed for one complete sync. This must be at least
10ms. This flag obsoletes --timeout, but if --timeout is specified, 10ms. This flag obsoletes --timeout, but if --timeout is specified,
it will take precedence. If not specified, this defaults to 120 it will take precedence. If not specified, this defaults to 120
seconds ("120s"). seconds ("120s").
--touch-file <string>, $GIT_SYNC_TOUCH_FILE --touch-file <string>, $GITSYNC_TOUCH_FILE
The path to an optional file which will be touched whenever a sync The path to an optional file which will be touched whenever a sync
completes. This may be an absolute path or a relative path, in completes. This may be an absolute path or a relative path, in
which case it is relative to --root. If it is relative to --root, which case it is relative to --root. If it is relative to --root,
the first path element may not start with a period. the first path element may not start with a period.
--username <string>, $GIT_SYNC_USERNAME --username <string>, $GITSYNC_USERNAME
The username to use for git authentication (see --password-file or The username to use for git authentication (see --password-file or
--password). --password).
@ -2268,23 +2295,23 @@ OPTIONS
--version --version
Print the version and exit. Print the version and exit.
--webhook-backoff <duration>, $GIT_SYNC_WEBHOOK_BACKOFF --webhook-backoff <duration>, $GITSYNC_WEBHOOK_BACKOFF
The time to wait before retrying a failed --webhook-url. If not The time to wait before retrying a failed --webhook-url. If not
specified, this defaults to 3 seconds ("3s"). specified, this defaults to 3 seconds ("3s").
--webhook-method <string>, $GIT_SYNC_WEBHOOK_METHOD --webhook-method <string>, $GITSYNC_WEBHOOK_METHOD
The HTTP method for the --webhook-url. If not specified, this defaults to "POST". The HTTP method for the --webhook-url. If not specified, this defaults to "POST".
--webhook-success-status <int>, $GIT_SYNC_WEBHOOK_SUCCESS_STATUS --webhook-success-status <int>, $GITSYNC_WEBHOOK_SUCCESS_STATUS
The HTTP status code indicating a successful --webhook-url. Setting The HTTP status code indicating a successful --webhook-url. Setting
this to 0 disables success checks, which makes webhooks this to 0 disables success checks, which makes webhooks
"fire-and-forget". If not specified, this defaults to 200. "fire-and-forget". If not specified, this defaults to 200.
--webhook-timeout <duration>, $GIT_SYNC_WEBHOOK_TIMEOUT --webhook-timeout <duration>, $GITSYNC_WEBHOOK_TIMEOUT
The timeout for the --webhook-url. If not specified, this defaults The timeout for the --webhook-url. If not specified, this defaults
to 1 second ("1s"). to 1 second ("1s").
--webhook-url <string>, $GIT_SYNC_WEBHOOK_URL --webhook-url <string>, $GITSYNC_WEBHOOK_URL
A URL for optional webhook notifications when syncs complete. The A URL for optional webhook notifications when syncs complete. The
header 'Gitsync-Hash' will be set to the git hash that was synced. header 'Gitsync-Hash' will be set to the git hash that was synced.
@ -2304,25 +2331,25 @@ AUTHENTICATION
and "git@example.com:repo" will try to use SSH. and "git@example.com:repo" will try to use SSH.
username/password username/password
The --username (GIT_SYNC_USERNAME) and --password-file The --username (GITSYNC_USERNAME) and --password-file
(GIT_SYNC_PASSWORD_FILE) or --password (GIT_SYNC_PASSWORD) flags (GITSYNC_PASSWORD_FILE) or --password (GITSYNC_PASSWORD) flags
will be used. To prevent password leaks, the --password-file flag will be used. To prevent password leaks, the --password-file flag
or GIT_SYNC_PASSWORD environment variable is almost always or GITSYNC_PASSWORD environment variable is almost always
preferred to the --password flag. preferred to the --password flag.
A variant of this is --askpass-url (GIT_SYNC_ASKPASS_URL), which A variant of this is --askpass-url (GITSYNC_ASKPASS_URL), which
consults a URL (e.g. http://metadata) to get credentials on each consults a URL (e.g. http://metadata) to get credentials on each
sync. sync.
SSH SSH
When --ssh (GIT_SYNC_SSH) is specified, the --ssh-key-file When --ssh (GITSYNC_SSH) is specified, the --ssh-key-file
(GIT_SYNC_SSH_KEY_FILE) will be used. Users are strongly advised (GITSYNC_SSH_KEY_FILE) will be used. Users are strongly advised
to also use --ssh-known-hosts (GIT_SYNC_KNOWN_HOSTS) and to also use --ssh-known-hosts (GITSYNC_SSH_KNOWN_HOSTS) and
--ssh-known-hosts-file (GIT_SYNC_SSH_KNOWN_HOSTS_FILE) when using --ssh-known-hosts-file (GITSYNC_SSH_KNOWN_HOSTS_FILE) when using
SSH. SSH.
cookies cookies
When --cookie-file (GIT_SYNC_COOKIE_FILE) is specified, the When --cookie-file (GITSYNC_COOKIE_FILE) is specified, the
associated cookies can contain authentication information. associated cookies can contain authentication information.
HOOKS HOOKS
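Review bot: the username/password paragraph recommends "the --password-file flag or GITSYNC_PASSWORD environment variable", while the --password entry under OPTIONS tells users to prefer --password-file or $GITSYNC_PASSWORD_FILE. Align the two passages on the file-based options so the manual gives a single recommendation for keeping the secret off the command line.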

View File

@ -50,7 +50,7 @@ func TestEnvBool(t *testing.T) {
for _, testCase := range cases { for _, testCase := range cases {
os.Setenv(testKey, testCase.value) os.Setenv(testKey, testCase.value)
val, err := envBoolOrError(testKey, testCase.def) val, err := envBoolOrError(testCase.def, testKey)
if err != nil && !testCase.err { if err != nil && !testCase.err {
t.Fatalf("%q: unexpected error: %v", testCase.value, err) t.Fatalf("%q: unexpected error: %v", testCase.value, err)
} }
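Review bot: the tests are only updated for the new argument order and still set just the primary key, so the alts path has no coverage in TestEnvBool or in the string, int, float and duration tests below. Add cases that leave testKey unset and set a second name passed as an alt; as written, such a case would fail for the typed helpers, because they read os.Getenv(key) inside the alts loop.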
@ -81,7 +81,7 @@ func TestEnvString(t *testing.T) {
for _, testCase := range cases { for _, testCase := range cases {
os.Setenv(testKey, testCase.value) os.Setenv(testKey, testCase.value)
val := envString(testKey, testCase.def) val := envString(testCase.def, testKey)
if val != testCase.exp { if val != testCase.exp {
t.Fatalf("%q: expected %v but %v returned", testCase.value, testCase.exp, val) t.Fatalf("%q: expected %v but %v returned", testCase.value, testCase.exp, val)
} }
@ -104,7 +104,7 @@ func TestEnvInt(t *testing.T) {
for _, testCase := range cases { for _, testCase := range cases {
os.Setenv(testKey, testCase.value) os.Setenv(testKey, testCase.value)
val, err := envIntOrError(testKey, testCase.def) val, err := envIntOrError(testCase.def, testKey)
if err != nil && !testCase.err { if err != nil && !testCase.err {
t.Fatalf("%q: unexpected error: %v", testCase.value, err) t.Fatalf("%q: unexpected error: %v", testCase.value, err)
} }
@ -132,7 +132,7 @@ func TestEnvFloat(t *testing.T) {
for _, testCase := range cases { for _, testCase := range cases {
os.Setenv(testKey, testCase.value) os.Setenv(testKey, testCase.value)
val, err := envFloatOrError(testKey, testCase.def) val, err := envFloatOrError(testCase.def, testKey)
if err != nil && !testCase.err { if err != nil && !testCase.err {
t.Fatalf("%q: unexpected error: %v", testCase.value, err) t.Fatalf("%q: unexpected error: %v", testCase.value, err)
} }
@ -160,7 +160,7 @@ func TestEnvDuration(t *testing.T) {
for _, testCase := range cases { for _, testCase := range cases {
os.Setenv(testKey, testCase.value) os.Setenv(testKey, testCase.value)
val, err := envDurationOrError(testKey, testCase.def) val, err := envDurationOrError(testCase.def, testKey)
if err != nil && !testCase.err { if err != nil && !testCase.err {
t.Fatalf("%q: unexpected error: %v", testCase.value, err) t.Fatalf("%q: unexpected error: %v", testCase.value, err)
} }

View File

@ -19,9 +19,9 @@ spec:
- name: markdown - name: markdown
mountPath: /tmp/git mountPath: /tmp/git
env: env:
- name: GIT_SYNC_REPO - name: GITSYNC_REPO
value: https://github.com/kubernetes/git-sync.git value: https://github.com/kubernetes/git-sync.git
- name: GIT_SYNC_LINK - name: GITSYNC_LINK
value: git-sync value: git-sync
- name: hugo - name: hugo
image: registry.k8s.io/hugo image: registry.k8s.io/hugo

View File

@ -24,8 +24,8 @@ See the askpass e2e test as an example.
name: "git-sync" name: "git-sync"
... ...
env: env:
- name: "GIT_SYNC_REPO", - name: "GITSYNC_REPO",
value: "https://source.developers.google.com/p/[GCP PROJECT ID]/r/[REPO NAME]" value: "https://source.developers.google.com/p/[GCP PROJECT ID]/r/[REPO NAME]"
- name: "GIT_SYNC_ASKPASS_URL", - name: "GITSYNC_ASKPASS_URL",
value: "http://localhost:9102/git_askpass", value: "http://localhost:9102/git_askpass",
``` ```
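Review bot: the renamed entries keep their trailing commas (- name: "GITSYNC_REPO", and the same on the GITSYNC_ASKPASS_URL name and value lines), which is JSON punctuation inside what is otherwise a YAML env list and will not parse if copied into a manifest. Drop the commas while these lines are being edited.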

View File

@ -34,17 +34,17 @@ volumes:
In your git-sync container configuration, mount your volume at In your git-sync container configuration, mount your volume at
"/etc/git-secret". Make sure to pass the `--cookie-file` flag or set the "/etc/git-secret". Make sure to pass the `--cookie-file` flag or set the
environment variable `GIT_SYNC_COOKIE_FILE` to "true", and to use a git repo environment variable `GITSYNC_COOKIE_FILE` to "true", and to use a git repo
(`--repo` flag or `GIT_SYNC_REPO` env) is set to use a URL with the HTTP (`--repo` flag or `GITSYNC_REPO` env) is set to use a URL with the HTTP
protocol. protocol.
```yaml ```yaml
name: "git-sync" name: "git-sync"
... ...
env: env:
- name: GIT_SYNC_REPO - name: GITSYNC_REPO
value: https://github.com/kubernetes/kubernetes.git value: https://github.com/kubernetes/kubernetes.git
- name: GIT_SYNC_COOKIE_FILE - name: GITSYNC_COOKIE_FILE
value: true value: true
volumeMounts: volumeMounts:
- name: git-secret - name: git-secret
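Review bot: `value: true` under `GITSYNC_COOKIE_FILE` is an unquoted YAML boolean, and Kubernetes env var values must be strings, so the manifest is rejected as written; quote it as `value: "true"` while the neighbouring line is being touched. The reworded sentence above it also still reads "to use a git repo (...) is set to use a URL with the HTTP protocol", which does not parse; something like "and make sure the repo (`--repo` flag or `GITSYNC_REPO` env) uses a URL with the HTTP protocol" would fix it.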

View File

@ -69,9 +69,9 @@ Secret (e.g. "git-creds" used in both above examples).
## Step 3: Configure git-sync container ## Step 3: Configure git-sync container
In your git-sync container configuration, mount the Secret volume at In your git-sync container configuration, mount the Secret volume at
"/etc/git-secret". Ensure that the `--repo` flag (or the GIT_SYNC_REPO "/etc/git-secret". Ensure that the `--repo` flag (or the GITSYNC_REPO
environment variable) is set to use the SSH protocol (e.g. environment variable) is set to use the SSH protocol (e.g.
git@github.com/foo/bar) , and set the `--ssh` flags (or set GIT_SYNC_SSH to git@github.com/foo/bar) , and set the `--ssh` flags (or set GITSYNC_SSH to
"true"). You will also need to set your container's `securityContext` to run "true"). You will also need to set your container's `securityContext` to run
as user ID "65533" which is created for running git-sync as non-root. as user ID "65533" which is created for running git-sync as non-root.
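Review bot: the SSH example in the touched paragraph, `git@github.com/foo/bar`, is not a valid scp-style remote because it has no colon between host and path, so git would treat it as a local path. Please change it to `git@github.com:foo/bar` in the same edit, and tidy the stray space before the comma and "set the `--ssh` flags" (singular flag) on the line being renamed.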

View File

@ -1568,7 +1568,7 @@ function e2e::exechook_fail_retry() {
} }
############################################## ##############################################
# Test exechook-success with GIT_SYNC_ONE_TIME # Test exechook-success with --one-time
############################################## ##############################################
function e2e::exechook_success_once() { function e2e::exechook_success_once() {
# First sync # First sync
@ -1576,7 +1576,6 @@ function e2e::exechook_success_once() {
git -C "$REPO" commit -qam "$FUNCNAME 1" git -C "$REPO" commit -qam "$FUNCNAME 1"
GIT_SYNC \ GIT_SYNC \
--period=100ms \
--one-time \ --one-time \
--repo="file://$REPO" \ --repo="file://$REPO" \
--root="$ROOT" \ --root="$ROOT" \
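Review bot: dropping `--period=100ms` from the `--one-time` invocation here (and again in `e2e::exechook_fail_once` below) is a behaviour change to the tests that is unrelated to the env var rename described in the commit message. Either mention in the commit message that the flag is redundant with `--one-time`, or move the removal to its own commit so that the rename stays mechanical and easy to audit.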
@ -1593,7 +1592,7 @@ function e2e::exechook_success_once() {
} }
############################################## ##############################################
# Test exechook-fail with GIT_SYNC_ONE_TIME # Test exechook-fail with --one-time
############################################## ##############################################
function e2e::exechook_fail_once() { function e2e::exechook_fail_once() {
cat /dev/null > "$RUNLOG" cat /dev/null > "$RUNLOG"
@ -1605,7 +1604,6 @@ function e2e::exechook_fail_once() {
( (
set +o errexit set +o errexit
GIT_SYNC \ GIT_SYNC \
--period=100ms \
--one-time \ --one-time \
--repo="file://$REPO" \ --repo="file://$REPO" \
--root="$ROOT" \ --root="$ROOT" \

View File

@ -95,6 +95,12 @@ specified.
The new `--man` flag prints a man-page style help document and exits. The new `--man` flag prints a man-page style help document and exits.
## Env vars
Most flags can also be configured by environment variables. In v3 the
variables all start with `GIT_SYNC_`. In v4 they all start with `GITSYNC_`,
though the old names are still accepted for compatibility.
## Defaults ## Defaults
### Depth ### Depth
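Review bot: the new "Env vars" section says the old `GIT_SYNC_` names "are still accepted for compatibility" but does not say which value wins when both `GITSYNC_FOO` and `GIT_SYNC_FOO` are set, or whether use of an old name is logged. Please state the precedence explicitly here, since a stale `GIT_SYNC_*` value left in a pod spec or inherited environment could otherwise change the repo, credentials or root path without the operator noticing.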