Support GIT_ASKPASS_URL callback #216

cydu-cloud · 2019-12-17T19:05:46Z

GIT_ASKPASS_URL callback support external HTTP Service to provide password and username to access Git Repo.

See https://github.com/cydu-cloud/git-askpass-gce-node as end to end test which enables git-sync access GCP Cloud Source Repo with service account's oauth bear token.

See https://git-scm.com/docs/gitcredentials for more about the GIT_ASKPASS protocols.

It specifies a HTTP URL which will return username&password which will be used to authenticate access to the git repo. This is mainly used for git repo accecpt dynamic password (for example oauth bare token). Because the dynamic password might expire very soon, so it's added to the main syncRepo loop. Typical usage case is work with a sidecar called gce-node-auth on GKE, it uses the GCE service account's oauth token as password to access Cloud Source Repo. Please see the repo below for how it worked. https://github.com/cydu-cloud/gce-node-auth/blob/master/git-sync-with-gce-node-auth.yaml

k8s-ci-robot · 2019-12-17T19:05:52Z

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.

If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.
If you have done the above and are still having issues with the CLA being reported as unsigned, please log a ticket with the Linux Foundation Helpdesk: https://support.linuxfoundation.org/
Should you encounter any issues with the Linux Foundation Helpdesk, send a message to the backup e-mail support address at: login-issues@jira.linuxfoundation.org

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

k8s-ci-robot · 2019-12-17T19:05:55Z

Welcome @cydu-cloud!

It looks like this is your first PR to kubernetes/git-sync 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/git-sync has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

cydu-cloud · 2019-12-17T19:09:20Z

I signed it

cydu-cloud · 2019-12-17T19:21:39Z

I signed it

cydu-cloud · 2019-12-17T19:25:52Z

/assign @thockin

rcolline · 2019-12-17T19:57:13Z

docs/askpass-url.md

+
+The recommended way is the ASKPASS Service running within the same pod as git-sync.
+
+See <https://github.com/cydu-cloud/git-askpass-gce-node> as a full example which use GCE Node Service Account credential to access Google Cloud Source Repo.


We should find a better place to put this.. maybe GoogleCloudPlatform's repo?

Can we cook down an e2e test that can be set up and run locally? E.g. spin up a git server and an HTTP server, tell git-sync to pull the password from the HTTP server.

test_e2e.sh should cover this

For the e2e test, it depends on askpass_git test I just created in another PR, don't want the PR grow into too big, can I add it as follow up PR? This won't hurt any existing functionality even the callbalk is broken.

For GoogleCloudPlatform's repo, it might take a while to setup, need to go through some process.

I don't want to e2e against GCP. I want to set up a local git repo that demands user/pass and a local HTTP server which serves the content. I am working on a more complex SSH example - will link it here, hopefully helps you with infra

For "local git repo that demands user/pass", trying to use askpass_git as I did for user/pass e2e test, the git credential fill is exactly what git do when demands user/pass, so the simulation should be very good enough for the test here.
Removed the reference docs to gcp. It's purely local e2e test right now.

Thanks for the SSH example, I can not image any better way to do it for SSH, but for user/pass, I personally prefer askpass_git a bit more since it's light and easier to debug/maintain.

Make sense?

Sorry for the growing PR, I just manually merged the askpass_git from #217.

thockin

Overall this looks great - is an e2e test possible?

docs/askpass-url.md

docs/cookie-file.md

docs/askpass-url.md

thockin · 2019-12-18T23:48:18Z

docs/askpass-url.md

+
+The recommended way is the ASKPASS Service running within the same pod as git-sync.
+
+See <https://github.com/cydu-cloud/git-askpass-gce-node> as a full example which use GCE Node Service Account credential to access Google Cloud Source Repo.


I don't want to e2e against GCP. I want to set up a local git repo that demands user/pass and a local HTTP server which serves the content. I am working on a more complex SSH example - will link it here, hopefully helps you with infra

thockin · 2019-12-19T00:43:32Z

See #218 for e2e infra ideas (last commit)

test_e2e.sh

thockin

Also, please squash commits

test_e2e.sh

thockin

Thanks!

/lgtm
/approve

k8s-ci-robot · 2019-12-20T00:33:22Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [thockin]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

cydu-cloud added 3 commits December 16, 2019 23:45

Rename to GIT_ASKPASS_URL and also update related examples.

67a0788

update docs from auth-url to askpass-url

6c6c354

k8s-ci-robot added the cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. label Dec 17, 2019

k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Dec 17, 2019

k8s-ci-robot requested review from stp-ip and thockin December 17, 2019 19:06

fix docs link

1f67515

update some docs to retrigger the scan

34daaef

k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Dec 17, 2019

k8s-ci-robot assigned thockin Dec 17, 2019

rcolline reviewed Dec 17, 2019

View reviewed changes

thockin reviewed Dec 17, 2019

View reviewed changes

cydu-cloud added 2 commits December 18, 2019 10:52

fix docs

c57553a

fix comments

31f276d

thockin reviewed Dec 18, 2019

View reviewed changes

cydu-cloud added 2 commits December 18, 2019 20:05

manually merge kubernetes#217

b0bdc02

add e2e test for askpasswd_url

d8d9ff7

thockin reviewed Dec 19, 2019

View reviewed changes

test_e2e.sh Outdated Show resolved Hide resolved

cydu-cloud and others added 2 commits December 18, 2019 22:11

Merge branch 'master' into master

27864c3

use random port for nc

0b0f0a6

thockin reviewed Dec 19, 2019

View reviewed changes

test_e2e.sh Outdated Show resolved Hide resolved

use free port

0851cc5

thockin reviewed Dec 20, 2019

View reviewed changes

test_e2e.sh Show resolved Hide resolved

thockin reviewed Dec 20, 2019

View reviewed changes

k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 20, 2019

k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 20, 2019

k8s-ci-robot merged commit d8928aa into kubernetes:master Dec 20, 2019


		The recommended way is the ASKPASS Service running within the same pod as git-sync.

		See <https://github.com/cydu-cloud/git-askpass-gce-node> as a full example which use GCE Node Service Account credential to access Google Cloud Source Repo.

Support GIT_ASKPASS_URL callback #216

Support GIT_ASKPASS_URL callback #216

Uh oh!

Conversation

cydu-cloud commented Dec 17, 2019

Uh oh!

k8s-ci-robot commented Dec 17, 2019

Uh oh!

k8s-ci-robot commented Dec 17, 2019

Uh oh!

cydu-cloud commented Dec 17, 2019

Uh oh!

cydu-cloud commented Dec 17, 2019

Uh oh!

cydu-cloud commented Dec 17, 2019

Uh oh!

rcolline Dec 17, 2019

Choose a reason for hiding this comment

Uh oh!

thockin Dec 17, 2019

Choose a reason for hiding this comment

Uh oh!

cydu-cloud Dec 18, 2019

Choose a reason for hiding this comment

Uh oh!

thockin Dec 18, 2019

Choose a reason for hiding this comment

Uh oh!

cydu-cloud Dec 19, 2019

Choose a reason for hiding this comment

Uh oh!

thockin left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

thockin Dec 18, 2019

Choose a reason for hiding this comment

Uh oh!

thockin commented Dec 19, 2019

Uh oh!

Uh oh!

thockin left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

thockin left a comment

Choose a reason for hiding this comment

Uh oh!

k8s-ci-robot commented Dec 20, 2019

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants