Support Git over HTTPS with creds from env vars #2470

Merged
merged 5 commits into from Sep 26, 2019
Conversation

@hiddeco
Member

hiddeco commented Sep 24, 2019

This is a rework of #2438, and fixes #2280.

This PR makes supplying HTTP(S) basic auth credentials in the
`--git-url` secure. Places where the full remote origin was logged
have been modified to only log the `Remote.SafeURL()` so that the
authentication key is never exposed in the logs.

Securely supplying the credentials without exposing them in the
Flux workload is possible by adding two environment variables (e.g.
`GIT_AUTHUSER` and `GIT_AUTHKEY`) to a Kubernetes secret, and using
Kubernetes mechanics to define them in the Flux pod by using an
`envFrom`. The variables can then be used in the `--git-url` argument as
documented in the Kubernetes documentation[1]:
`--git-url=https://$(GIT_AUTHUSER):$(GIT_AUTHKEY)@github.com/an/example.git`

If the `--git-url` uses an HTTP(S) scheme, the generation of an SSH
private key and the setup of the SSH keyring are now disabled.

This includes changes to the documentation, (generated) example deployments and the Helm chart to offer full support.
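As an added illustration of the two behaviours the PR description lists (logging only a credential-free form of the remote, and skipping SSH key setup for HTTP(S) remotes), here is a small Go sketch. It is not Flux's own `Remote.SafeURL()` code; the function names, the "drop the whole userinfo" redaction policy and the sample remote are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// SafeURL returns the remote URL with the userinfo ("user:key@") component
// removed so it can be written to logs. Added example, not Flux's implementation.
func SafeURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		// Never echo an unparseable string: it may still contain the key.
		return "<unparseable url>"
	}
	u.User = nil // drops both username and password from the printed form
	return u.String()
}

// NeedsSSHKey reports whether an SSH key and keyring must be set up for this
// remote. HTTP(S) remotes authenticate with basic auth embedded in the URL
// (e.g. expanded from $(GIT_AUTHUSER):$(GIT_AUTHKEY)), so they need neither.
func NeedsSSHKey(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		// scp-style "git@host:org/repo.git" does not parse as a URL; treat as SSH.
		return true
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
		return false
	}
	return true
}

func main() {
	// Constructed remote; the username and token are placeholders, not real credentials.
	remote := "https://deploy-user:EXAMPLE_TOKEN@github.com/an/example.git"
	fmt.Println("cloning", SafeURL(remote))             // https://github.com/an/example.git
	fmt.Println("ssh key needed:", NeedsSSHKey(remote)) // false
}
```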

@hiddeco hiddeco force-pushed the feature/git-https branch from 23251a9 to 7c68c1b Sep 24, 2019
@hiddeco hiddeco requested review from squaremo and stefanprodan Sep 24, 2019
Member

stefanprodan left a comment

LGTM

Awesome work on the docs!

@hiddeco hiddeco force-pushed the feature/git-https branch from 7c68c1b to 2b44c21 Sep 25, 2019
@squaremo

Member

squaremo commented Sep 25, 2019

The doc updates are welcome, but some of the changes aren't much to do with supporting HTTPS -- can you split them into a separate commit, at least?

Review comments on:
chart/flux/README.md
chart/flux/values.yaml (outdated)
cmd/fluxd/main.go
docs/guides/use-git-https.md (outdated, two threads)
go.mod
pkg/git/operations.go (outdated)
@hiddeco hiddeco force-pushed the feature/git-https branch 2 times, most recently from 9bd017a to 95c0ad7 Sep 25, 2019
@hiddeco hiddeco requested a review from squaremo Sep 26, 2019
Member

squaremo left a comment

I think you need to explain where <USER> comes from (see individual comment); that done, I think it's good to go.

Review comments on:
docs/guides/use-git-https.md (outdated)
pkg/daemon/daemon.go (outdated)
@hiddeco hiddeco force-pushed the feature/git-https branch 2 times, most recently from e8c73bc to 4207293 Sep 26, 2019
hiddeco added 5 commits Sep 24, 2019

This commit makes supplying HTTP(S) basic auth credentials in the
`--git-url` secure. Places where the full remote origin was logged
have been modified to only log the `Remote.SafeURL()` so that the
authentication key is never exposed in the logs.

Securely supplying the credentials without exposing them in the
Flux workload is possible by adding two environment variables (e.g.
`GIT_AUTHUSER` and `GIT_AUTHKEY`) to a Kubernetes secret, and using
Kubernetes mechanics to define them in the Flux pod by using an
`envFrom`. The variables can then be used in the `--git-url` argument as
documented in the Kubernetes documentation[1]:
`--git-url=https://$(GIT_AUTHUSER):$(GIT_AUTHKEY)@github.com/an/example.git`

If the `--git-url` uses an HTTP(S) scheme, the generation of an SSH
private key and the setup of the SSH keyring are now disabled.

Co-Authored-By: Vytautas Maciulskis <vyckou@gmail.com>

[1]: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/#using-environment-variables-inside-of-your-config

By adding links to various documentation pages from git vendors about
creating a personal access token.

To make secure HTTPS configurations using Helm possible, by using
the defined environment variables from the `env.secretName` in the
`git.url`.
@hiddeco hiddeco force-pushed the feature/git-https branch from 4207293 to e48def6 Sep 26, 2019
@hiddeco hiddeco merged commit c7146c7 into master Sep 26, 2019
2 checks passed
ci/circleci: build Your tests passed on CircleCI!
ci/circleci: helm Your tests passed on CircleCI!
@hiddeco hiddeco deleted the feature/git-https branch Sep 26, 2019
@hiddeco hiddeco added this to the 1.15.0 milestone Oct 1, 2019
@ssimk0 ssimk0 mentioned this pull request Dec 6, 2019