The previous (v3) sync loop betrays my lack of understanding about git.
It tried to codify my archaic mental model (e.g. --branch and --rev
being disting things) and was ultimately a patchwork of corner-cases
evolved over a few years.
This commit is less of a "diff" and more of a "rewrite".
The new logic is simpler and more efficient. It does not `git clone`
ever. It does not differentiate the first sync from subsequent syncs.
It uses `git fetch` to get the exact SHA and then makes a worktree from
that.
The new `--ref` flag replaces both `--rev` and `--branch`, though it
will use those if specified. In fact, almost all of the e2e tests
passed without change - using --ref and --branch!
I will follow this commit up with more cleanups and e2es.
Problem: Previously all of Kubernetes' image hosting has been out of gcr.io. There were significant egress costs associated with this when images were pulled from entities outside gcp. Refer to https://github.com/kubernetes/k8s.io/wiki/New-Registry-url-for-Kubernetes-(registry.k8s.io)
Solution: As highlighted at KubeCon NA 2022 k8s infra SIG update, the replacement for k8s.gcr.io which is registry.k8s.io is now ready for mainstream use and the old k8s.gcr.io has been formally deprecated and projects are requested to migrate off it. This commit migrates remaining references for kubernetes/git-sync to registry.k8s.io.
Signed-off-by: James Blair <mail@jamesblair.net>
It specifies a HTTP URL which will return username&password which will
be used to authenticate access to the git repo.
This is mainly used for git repo accecpt dynamic password (for example
oauth bare token). Because the dynamic password might expire very soon,
so it's added to the main syncRepo loop.
Typical usage case is work with a sidecar called gce-node-auth on GKE,
it uses the GCE service account's oauth token as password to access
Cloud Source Repo.
Please see the repo below for how it worked.
https://github.com/cydu-cloud/gce-node-auth/blob/master/git-sync-with-gce-node-auth.yaml
* Create a git-sync user to run as, with an entry in /etc/passwd and
writable homedir
* Remove our own validation of key perms - let SSH do that.
* Update docs,
Add an option to specify a git http cookie file in the k8s yaml
that will be configured as the global git cookie file in the git-sync
client.
This is a useful access mechanism for some some hosted repositories
where SSH and passwords are not easily available, such as Google Cloud
Source Repositories.
Tim Hockin
James Blair
David Karlsen
Marco Micera
Chuanying Du
Philippe Dupont
Eugene Chung
Bryce Cronkite-Ratcliff
Hanlin Wang
Pieter Lange
Steve Jernigan
Aman