@@ -62,6 +62,7 @@ import (
6262 sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
6363 "github.com/fluxcd/source-controller/pkg/git"
6464 gitlibgit2 "github.com/fluxcd/source-controller/pkg/git/libgit2"
65+ "github.com/fluxcd/source-controller/pkg/git/libgit2/managed"
6566 gitstrat "github.com/fluxcd/source-controller/pkg/git/strategy"
6667
6768 imagev1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
@@ -247,6 +248,34 @@ func (r *ImageUpdateAutomationReconciler) Reconcile(ctx context.Context, req ctr
247248 return failWithError (err )
248249 }
249250
251+ repositoryURL := origin .Spec .URL
252+ if managed .Enabled () {
253+ // At present only HTTP connections have the ability to define remote options.
254+ // Although this can be easily extended by ensuring that the fake URL below uses the
255+ // target ssh scheme, and the libgit2/managed/ssh.go pulls that information accordingly.
256+ //
257+ // This is due to the fact the key libgit2 remote callbacks do not take place for HTTP
258+ // whilst most still work for SSH.
259+ if strings .HasPrefix (repositoryURL , "http" ) {
260+ if access .auth != nil && len (access .auth .CAFile ) > 0 {
261+ // Due to the lack of the callback feature, a fake target URL is created to allow
262+ // for the smart sub transport be able to pick the options specific for this
263+ // GitRepository object.
264+ // The URL should use unique information that do not collide in a multi tenant
265+ // deployment.
266+ repositoryURL = fmt .Sprintf ("http://%s/%s/%d" , auto .Name , auto .UID , auto .Generation )
267+ managed .AddTransportOptions (repositoryURL ,
268+ managed.TransportOptions {
269+ TargetURL : repositoryURL ,
270+ CABundle : access .auth .CAFile ,
271+ })
272+
273+ // We remove the options from memory, to avoid accumulating unused options over time.
274+ defer managed .RemoveTransportOptions (repositoryURL )
275+ }
276+ }
277+ }
278+
250279 // Use the git operations timeout for the repo.
251280 cloneCtx , cancel := context .WithTimeout (ctx , origin .Spec .Timeout .Duration )
252281 defer cancel ()
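Review bot: `TargetURL` is set to `repositoryURL` after that variable has already been overwritten with the fake `http://<name>/<uid>/<generation>` key, so the registered options point back at the placeholder instead of the repository in `origin.Spec.URL`. If the managed transport dials `TargetURL` (its implementation is not visible here), the CA bundle would never be applied to a connection to the real server; the field should read `TargetURL: origin.Spec.URL,`. Separately, `strings.HasPrefix(repositoryURL, "http")` accepts any scheme that merely begins with those letters, so matching `http://` and `https://` explicitly would be tighter. Reconcile continues outside this hunk.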
@@ -470,12 +499,6 @@ func (r *ImageUpdateAutomationReconciler) automationsForImagePolicy(obj client.O
470499 return reqs
471500}
472501
473- // --- git ops
474-
475- // Note: libgit2 is always used for network operations; for cloning,
476- // it will do a non-shallow clone, and for anything else, it doesn't
477- // matter what is used.
478-
479502type repoAccess struct {
480503 auth * git.AuthOptions
481504 url string
@@ -544,7 +567,8 @@ func switchBranch(repo *libgit2.Repository, pushBranch string) error {
544567 }
545568 defer head .Free ()
546569
547- _ , err = repo .CreateBranch (pushBranch , head , false )
570+ branch , err := repo .CreateBranch (pushBranch , head , false )
571+ defer branch .Free ()
548572 return err
549573 }
550574
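Review bot: `defer branch.Free()` is registered before `err` is checked, so when `CreateBranch` fails (presumably returning a nil branch) the deferred call dereferences nil and panics instead of letting the error reach the caller. Check the error first: `if err != nil { return err }`, then `defer branch.Free()` and `return nil`. The `Free()` calls this commit adds on `commit` and `ref` in commitChangedManifests are already placed after their error checks, so this one is the odd one out. switchBranch starts and ends outside this hunk.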
@@ -652,6 +676,7 @@ func commitChangedManifests(tracelog logr.Logger, repo *libgit2.Repository, absR
652676 if err != nil {
653677 return "" , err
654678 }
679+ defer commit .Free ()
655680
656681 signedCommitID , err := commit .WithSignatureUsing (func (commitContent string ) (string , string , error ) {
657682 cipherText := new (bytes.Buffer )
@@ -677,7 +702,7 @@ func commitChangedManifests(tracelog logr.Logger, repo *libgit2.Repository, absR
677702 }
678703 defer newHead .Free ()
679704
680- _ , err = repo .References .Create (
705+ ref , err : = repo .References .Create (
681706 newHead .Name (),
682707 signedCommit .Id (),
683708 true ,
@@ -686,6 +711,7 @@ func commitChangedManifests(tracelog logr.Logger, repo *libgit2.Repository, absR
686711 if err != nil {
687712 return "" , err
688713 }
714+ defer ref .Free ()
689715
690716 return signedCommitID .String (), nil
691717}