Support Git over HTTPS with creds from env vars #2470
This PR makes supplying HTTP(S) basic auth credentials in the
Securely supplying the credentials without exposing them in the
This includes changes to the documentation, (generated) example deployments and the Helm chart to offer full support.
This commit makes supplying HTTP(S) basic auth credentials in the `--git-url` secure.

Places where the full remote origin was logged have been modified to only log the `Remote.SafeURL()` so that the authentication key is never exposed in the logs.

Securely supplying the credentials without exposing them in the Flux workload is possible by adding two environment variables (e.g. `GIT_AUTHUSER` and `GIT_AUTHKEY`) to a Kubernetes secret, and using Kubernetes mechanics to define them in the Flux pod by using an `envFrom`. The variables can then be used in the `--git-url` argument as documented in the Kubernetes documentation:

`--git-url=https://$(GIT_AUTHUSER):$(GIT_AUTHKEY)@github.com/an/example.git`

If the `--git-url` uses an HTTP(S) scheme, the generation of an SSH private key and the setup of the SSH keyring is now disabled.

Co-Authored-By: Vytautas Maciulskis <firstname.lastname@example.org>

: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/#using-environment-variables-inside-of-your-config
By adding links to various documentation pages from git vendors about creating a personal access token.
To make secure HTTPS configurations using Helm possible, by using the defined environment variables from the `env.secretName` in the `git.url`.
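The two behaviours the first commit message describes (logging only a credential-free form of the remote, and skipping SSH key setup when `--git-url` uses HTTP(S)) can be sketched as follows. This is an added example, not code from this PR or from Flux: `safeURL`, `usesHTTP`, the `xxxxx` mask and the sample URLs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
)

// redacted replaces the password in log output (constructed placeholder).
const redacted = "xxxxx"

// safeURL returns rawURL with any basic-auth password masked so it can be
// logged. Hypothetical helper; not Flux's Remote.SafeURL() implementation.
func safeURL(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		// url.Parse errors quote the raw URL, so neither the input nor err
		// may be logged here.
		return "<unparseable git URL>"
	}
	if u.User != nil {
		if _, ok := u.User.Password(); ok {
			u.User = url.UserPassword(u.User.Username(), redacted)
		}
	}
	return u.String()
}

// usesHTTP reports whether the remote uses an HTTP(S) scheme, the case in
// which the commit message says SSH key generation and keyring setup are skipped.
func usesHTTP(rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false // e.g. scp-style git@host:path, which is SSH
	}
	return u.Scheme == "http" || u.Scheme == "https"
}

func main() {
	// Constructed sample values; the credentials are fake.
	for _, raw := range []string{
		"https://flux:s3cr3t-token@github.com/an/example.git",
		"ssh://git@github.com/an/example.git",
		"git@github.com:an/example.git",
	} {
		fmt.Printf("url=%s http=%v\n", safeURL(raw), usesHTTP(raw))
	}
}
```

A token supplied as the username alone (`https://TOKEN@host/...`) has no password component and is not masked by this sketch; the `user:key` form shown in the commit message is.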