3eb34e058c
Prior to this, it would fail if the 2nd SHA wasn't in the local repo. Now it doesn't care what the local SHA for rev is, it only cares what is checked out at HEAD. Also deref tags on ls-remote The short story: `ls-remote` for a tag gets us the SHA of the tag, but `rev-parse HEAD` gets us the SHA of the commit to which that tag is attached. Those are never equal, so we detect "update needed" every loop. Now we ask `ls-remote` for the rev and the dereferenced rev. If that rev is a branch, the deref does nothing. If that rev is a tag it produces both results. ls-remote does its own sort, so the deref (if found) comes after the non-deref. This means that, in both cases, the last line is the one we want. |
||
|---|---|---|
| _test_tools | ||
| build | ||
| cmd/git-sync | ||
| demo | ||
| docs | ||
| pkg | ||
| vendor | ||
| .gitallowed | ||
| .gitignore | ||
| CONTRIBUTING.md | ||
| Dockerfile.in | ||
| LICENSE | ||
| Makefile | ||
| OWNERS | ||
| README.md | ||
| RELEASING.md | ||
| SECURITY.md | ||
| SECURITY_CONTACTS | ||
| askpass_git.sh | ||
| code-of-conduct.md | ||
| go.mod | ||
| go.sum | ||
| slow_git_clone.sh | ||
| slow_git_fetch.sh | ||
| test_e2e.sh | ||
| test_exechook_command.sh | ||
| test_exechook_command_fail.sh | ||
| test_exechook_command_fail_with_sleep.sh | ||
| test_exechook_command_with_sleep.sh | ||
| tools.go | ||
README.md
git-sync
git-sync is a simple command that pulls a git repository into a local directory. It is a perfect "sidecar" container in Kubernetes - it can periodically pull files down from a repository so that an application can consume them.
git-sync can pull one time, or on a regular interval. It can pull from the
HEAD of a branch, from a git tag, or from a specific git hash. It will only
re-pull if the target of the run has changed in the upstream repository. When
it re-pulls, it updates the destination directory atomically. In order to do
this, it uses a git worktree in a subdirectory of the --root and flips a
symlink.
git-sync can pull over HTTP(S) (with authentication or not) or SSH.
git-sync can also be configured to make a webhook call upon successful git repo synchronization. The call is made after the symlink is updated.
Building it
We use docker buildx to build images.
# build the container
make container REGISTRY=registry VERSION=tag
# build the container behind a proxy
make container REGISTRY=registry VERSION=tag \
HTTP_PROXY=http://<proxy_address>:<proxy_port> \
HTTPS_PROXY=https://<proxy_address>:<proxy_port>
# build the container for an OS/arch other than the current (e.g. you are on
# MacOS and want to run on Linux)
make container REGISTRY=registry VERSION=tag \
GOOS=linux GOARCH=amd64
Usage
# make a directory (owned by you) for the volume
export DIR="/tmp/git-data"
mkdir -p $DIR
# run the container (as your own UID)
docker run -d \
-v $DIR:/tmp/git \
-u$(id -u):$(id -g) \
registry/git-sync:tag \
--repo=https://github.com/kubernetes/git-sync \
--branch=master \
--wait=30
# run an nginx container to serve the content
docker run -d \
-p 8080:80 \
-v $DIR:/usr/share/nginx/html \
nginx
Webhooks
Webhooks are executed asynchronously from the main git-sync process. If a webhook-url is configured,
when a change occurs to the local git checkout a call is sent using the method defined in webhook-method
(default to POST). git-sync will continually attempt this webhook call until it succeeds (based on webhook-success-status).
If unsuccessful, git-sync will wait webhook-backoff (default 3s) before re-attempting the webhook call.
Usage
A webhook is configured using a set of CLI flags. At its most basic only webhook-url needs to be set.
docker run -d \
-v $DIR:/tmp/git \
registry/git-sync:tag \
--repo=https://github.com/kubernetes/git-sync \
--branch=master \
--wait=30 \
--webhook-url="http://localhost:9090/-/reload"
Primary flags
| Flag | Environment Variable | Default | Description |
|---|---|---|---|
--repo |
GIT_SYNC_REPO | (required) | the git repository to clone |
--branch |
GIT_SYNC_BRANCH | "master" | the git branch to check out |
--rev |
GIT_SYNC_REV | "HEAD" | the git revision (tag or hash) to check out |
--root |
GIT_SYNC_ROOT | "$HOME/git" | the root directory for git-sync operations, under which --dest will be created |
--dest |
GIT_SYNC_DEST | "" | the name of (a symlink to) a directory in which to check-out files under --root (defaults to the leaf dir of --repo) |
--wait |
GIT_SYNC_WAIT | 1 (second) | the number of seconds between syncs |
--one-time |
GIT_SYNC_ONE_TIME | false | exit after the first sync |
--max-sync-failures |
GIT_SYNC_MAX_SYNC_FAILURES | 0 | the number of consecutive failures allowed before aborting (the first sync must succeed, -1 will retry forever after the initial sync) |
-v |
(none) | "" | log level for V logs |
Flags which control how git runs
| Flag | Environment Variable | Default | Description |
|---|---|---|---|
--depth |
GIT_SYNC_DEPTH | 0 | use a shallow clone with a history truncated to the specified number of commits |
--submodules |
GIT_SYNC_SUBMODULES | recursive | git submodule behavior: one of 'recursive', 'shallow', or 'off' |
--timeout |
GIT_SYNC_TIMEOUT | 120 | the max number of seconds allowed for a complete sync |
--sparse-checkout-file |
GIT_SYNC_SPARSE_CHECKOUT_FILE | "" | the location of an optional sparse-checkout file, same syntax as a .gitignore file. |
--git-config |
GIT_SYNC_GIT_CONFIG | "" | additional git config options in 'key1:val1,key2:val2' format |
--git-gc |
GIT_SYNC_GIT_GC | "auto" | git garbage collection behavior: one of 'auto', 'always', 'aggressive', or 'off' |
--git |
GIT_SYNC_GIT | "git" | the git command to run (subject to PATH search, mostly for testing |
Flags which configure authentication
| Flag | Environment Variable | Default | Description |
|---|---|---|---|
--username |
GIT_SYNC_USERNAME | "" | the username to use for git auth |
--password |
GIT_SYNC_PASSWORD | "" | the password or personal access token to use for git auth. (users should prefer --password-file or env vars for passwords) |
--password-file |
GIT_SYNC_PASSWORD_FILE | "" | the path to password file which contains password or personal access token (see --password) |
--ssh |
GIT_SYNC_SSH | false | use SSH for git operations |
--ssh-key-file |
GIT_SSH_KEY_FILE | "/etc/git-secret/ssh" | the SSH key to use |
--ssh-known-hosts |
GIT_KNOWN_HOSTS | true | enable SSH known_hosts verification |
--ssh-known-hosts-file |
GIT_SSH_KNOWN_HOSTS_FILE | "/etc/git-secret/known_hosts" | the known_hosts file to use |
--add-user |
GIT_SYNC_ADD_USER | false | add a record to /etc/passwd for the current UID/GID (needed to use SSH with a different UID) |
--cookie-file |
GIT_COOKIE_FILE | false | use git cookiefile |
--askpass-url |
GIT_ASKPASS_URL | "" | the URL to query for a username and password for git auth |
Flags which configure hooks
| Flag | Environment Variable | Default | Description |
|---|---|---|---|
--exechook-command |
GIT_SYNC_EXECHOOK_COMMAND | "" | the command executed with the syncing repository as its working directory after syncing a new hash of the remote repository. it is subject to the sync time out and will extend period between syncs. (doesn't support the command arguments) |
--exechook-timeout |
GIT_SYNC_EXECHOOK_TIMEOUT | 30 (seconds) | the timeout for the sync hook command |
--exechook-backoff |
GIT_SYNC_EXECHOOK_BACKOFF | 3 (seconds) | the time to wait before retrying a failed sync hook command |
--webhook-url |
GIT_SYNC_WEBHOOK_URL | "" | the URL for a webhook notification when syncs complete |
--webhook-method |
GIT_SYNC_WEBHOOK_METHOD | "POST" | the HTTP method for the webhook |
--webhook-success-status |
GIT_SYNC_WEBHOOK_SUCCESS_STATUS | 200 | the HTTP status code indicating a successful webhook (-1 disables success checks to make webhooks fire-and-forget) |
--webhook-timeout |
GIT_SYNC_WEBHOOK_TIMEOUT | 1 (second) | the timeout for the webhook |
--webhook-backoff |
GIT_SYNC_WEBHOOK_BACKOFF | 3 (seconds) | the time to wait before retrying a failed webhook |
Flags which configure observability
| Flag | Environment Variable | Default | Description |
|---|---|---|---|
--http-bind |
GIT_SYNC_HTTP_BIND | "" | the bind address (including port) for git-sync's HTTP endpoint |
--http-metrics |
GIT_SYNC_HTTP_METRICS | true | enable metrics on git-sync's HTTP endpoint |
--http-pprof |
GIT_SYNC_HTTP_PPROF | false | enable the pprof debug endpoints on git-sync's HTTP endpoint |
Other flags
| Flag | Environment Variable | Default | Description |
|---|---|---|---|
--change-permissions |
GIT_SYNC_PERMISSIONS | 0 | the file permissions to apply to the checked-out files (0 will not change permissions at all) |
--error-file |
GIT_SYNC_ERROR_FILE | "" | the name of a file into which errors will be written under --root |