abhijith-darshan
Contributor

If ca.crt or caFile is available in the GitHub App secret, a TLS config with user-provided certs is appended to the system cert pool and passed to the underlying GitHub App transport.

Related to:

fluxcd/pkg#999
fluxcd/source-controller#1860
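As an added illustration of the behaviour the description above refers to (this is not code from this PR, from the controller, or from fluxcd/pkg): a standalone Go program that reads the CA bundle from the secret's ca.crt key (falling back to caFile), appends it to the system root pool and installs the resulting tls.Config on an http.Transport. The function names, the self-signed CA generated at runtime, and the secret contents are all constructed for the example; the project's real helper is not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// Secret keys named in the PR description for the user-provided CA bundle.
const (
	caCrtKey  = "ca.crt"
	caFileKey = "caFile"
)

// tlsConfigFromSecret returns a TLS config whose roots are the system pool plus
// the CA(s) under ca.crt (preferred) or caFile. (nil, nil) means "no CA key, keep
// the transport defaults"; a key that holds no parseable certificate is an error
// rather than a silent fallback to system roots. Hypothetical helper, not Flux's.
func tlsConfigFromSecret(data map[string][]byte) (*tls.Config, error) {
	caPEM, ok := data[caCrtKey]
	if !ok {
		caPEM, ok = data[caFileKey]
	}
	if !ok {
		return nil, nil
	}
	pool, err := x509.SystemCertPool()
	if err != nil {
		pool = x509.NewCertPool() // platform without a loadable system pool
	}
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("secret CA data contains no valid PEM certificate")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// transportFromSecret clones the default transport and installs the TLS config
// when the secret carries one; this is what a GitHub App client would be given.
func transportFromSecret(data map[string][]byte) (*http.Transport, error) {
	tr := http.DefaultTransport.(*http.Transport).Clone()
	cfg, err := tlsConfigFromSecret(data)
	if err != nil {
		return nil, err
	}
	if cfg != nil {
		tr.TLSClientConfig = cfg
	}
	return tr, nil
}

// caTrusted reports whether certPEM verifies against cfg's root pool, i.e.
// whether the appended CA is really trusted by the resulting transport.
func caTrusted(cfg *tls.Config, certPEM []byte) bool {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return false
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: cfg.RootCAs})
	return err == nil
}

// constructedCAPEM generates a throwaway self-signed CA (constructed sample data
// standing in for a GitHub Enterprise private CA) so the example runs offline.
func constructedCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed-ghe-internal-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	caPEM, err := constructedCAPEM()
	if err != nil {
		panic(err)
	}
	// Constructed secret data, shaped like the Secret's data map.
	tr, err := transportFromSecret(map[string][]byte{"ca.crt": caPEM})
	if err != nil {
		panic(err)
	}
	fmt.Println("custom CA trusted:", caTrusted(tr.TLSClientConfig, caPEM))
	_, err = transportFromSecret(map[string][]byte{"caFile": []byte("not a certificate")})
	fmt.Println("unparseable CA rejected:", err != nil)
}
```

Two points worth checking in any real implementation: appending to the system pool (rather than replacing it) keeps public roots trusted, so one transport can reach both github.com and an enterprise host; and a CA key whose contents fail to parse should surface as an error, because silently proceeding with only system roots turns a configuration typo into a confusing TLS verification failure later.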

abhijith-darshan commented Aug 13, 2025

Tested on GitHub Enterprise with mTLS GitHub App credentials:

Note

source-controller was built and run from fluxcd/source-controller#1860

Screenshot (image not reproduced on this page)

Logs

{"level":"info","ts":"2025-08-13T15:17:25.412+0200","logger":"setup","msg":"starting manager"}
{"level":"info","ts":"2025-08-13T15:17:25.413+0200","logger":"controller-runtime.metrics","msg":"Starting metrics server"}
{"level":"info","ts":"2025-08-13T15:17:25.413+0200","msg":"starting server","name":"health probe","addr":"[::]:9440"}
{"level":"info","ts":"2025-08-13T15:17:25.413+0200","logger":"controller-runtime.metrics","msg":"Serving metrics server","bindAddress":":8080","secure":false}
{"level":"info","ts":"2025-08-13T15:17:25.514+0200","msg":"Starting EventSource","controller":"imageupdateautomation","controllerGroup":"image.toolkit.fluxcd.io","controllerKind":"ImageUpdateAutomation","source":"kind source: *v1beta2.ImageUpdateAutomation"}
{"level":"info","ts":"2025-08-13T15:17:25.514+0200","msg":"Starting EventSource","controller":"imageupdateautomation","controllerGroup":"image.toolkit.fluxcd.io","controllerKind":"ImageUpdateAutomation","source":"kind source: *v1.GitRepository"}
{"level":"info","ts":"2025-08-13T15:17:25.514+0200","msg":"Starting EventSource","controller":"imageupdateautomation","controllerGroup":"image.toolkit.fluxcd.io","controllerKind":"ImageUpdateAutomation","source":"kind source: *v1beta2.ImagePolicy"}
{"level":"info","ts":"2025-08-13T15:17:25.615+0200","msg":"Starting Controller","controller":"imageupdateautomation","controllerGroup":"image.toolkit.fluxcd.io","controllerKind":"ImageUpdateAutomation"}
{"level":"info","ts":"2025-08-13T15:17:25.615+0200","msg":"Starting workers","controller":"imageupdateautomation","controllerGroup":"image.toolkit.fluxcd.io","controllerKind":"ImageUpdateAutomation","worker count":4}
{"level":"info","ts":"2025-08-13T15:17:44.791+0200","msg":"metadata.finalizers: \"finalizers.fluxcd.io\": prefer a domain-qualified finalizer name to avoid accidental conflicts with other finalizer writers","controller":"imageupdateautomation","controllerGroup":"image.toolkit.fluxcd.io","controllerKind":"ImageUpdateAutomation","ImageUpdateAutomation":{"name":"podinfo-update","namespace":"flux-system"},"namespace":"flux-system","name":"podinfo-update","reconcileID":"74bbc70f-d99b-4be0-a182-3d16dfd009b1"}
{"level":"info","ts":"2025-08-13T15:17:46.690+0200","msg":"repository up-to-date","controller":"imageupdateautomation","controllerGroup":"image.toolkit.fluxcd.io","controllerKind":"ImageUpdateAutomation","ImageUpdateAutomation":{"name":"podinfo-update","namespace":"flux-system"},"namespace":"flux-system","name":"podinfo-update","reconcileID":"a6e9294a-4d36-4ff7-b716-e7683ac56a61"}
{"level":"info","ts":"2025-08-13T15:19:55.738+0200","msg":"no change since last reconciliation","controller":"imageupdateautomation","controllerGroup":"image.toolkit.fluxcd.io","controllerKind":"ImageUpdateAutomation","ImageUpdateAutomation":{"name":"podinfo-update","namespace":"flux-system"},"namespace":"flux-system","name":"podinfo-update","reconcileID":"d8e48fef-0972-4f0a-ab2e-0528a68496c8"}
{"level":"info","ts":"2025-08-13T15:28:04.990+0200","msg":"no change since last reconciliation","controller":"imageupdateautomation","controllerGroup":"image.toolkit.fluxcd.io","controllerKind":"ImageUpdateAutomation","ImageUpdateAutomation":{"name":"podinfo-update","namespace":"flux-system"},"namespace":"flux-system","name":"podinfo-update","reconcileID":"35d78f57-fae3-41a9-a627-edaec5ebb731"}
{"level":"info","ts":"2025-08-13T15:31:00.189+0200","logger":"controller-runtime.cache","msg":"Warning: watch ended with error","reflector":"pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285","type":"*v1.GitRepository","err":"an error on the server (\"unable to decode an event from the watch stream: http2: client connection lost\") has prevented the request from succeeding"}
{"level":"info","ts":"2025-08-13T15:31:00.189+0200","logger":"controller-runtime.cache","msg":"Warning: watch ended with error","reflector":"pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285","type":"*v1beta2.ImagePolicy","err":"an error on the server (\"unable to decode an event from the watch stream: http2: client connection lost\") has prevented the request from succeeding"}
{"level":"info","ts":"2025-08-13T15:31:00.189+0200","msg":"no change since last reconciliation","controller":"imageupdateautomation","controllerGroup":"image.toolkit.fluxcd.io","controllerKind":"ImageUpdateAutomation","ImageUpdateAutomation":{"name":"podinfo-update","namespace":"flux-system"},"namespace":"flux-system","name":"podinfo-update","reconcileID":"e2b73d1f-3ba4-4002-b61d-60cfba4b676d"}
{"level":"error","ts":"2025-08-13T15:41:58.382+0200","msg":"failed to update source: failed to push to remote: authorization failed: Permission to teaser/podinfo.git denied to gitops[bot].","controller":"imageupdateautomation","controllerGroup":"image.toolkit.fluxcd.io","controllerKind":"ImageUpdateAutomation","ImageUpdateAutomation":{"name":"podinfo-update","namespace":"flux-system"},"namespace":"flux-system","name":"podinfo-update","reconcileID":"830558a2-6396-44a1-8bb3-f09562c5662b","error":"GitOperationFailed"}
{"level":"error","ts":"2025-08-13T15:41:58.397+0200","msg":"Reconciler error","controller":"imageupdateautomation","controllerGroup":"image.toolkit.fluxcd.io","controllerKind":"ImageUpdateAutomation","ImageUpdateAutomation":{"name":"podinfo-update","namespace":"flux-system"},"namespace":"flux-system","name":"podinfo-update","reconcileID":"830558a2-6396-44a1-8bb3-f09562c5662b","error":"failed to update source: failed to push to remote: authorization failed: Permission to teaser/podinfo.git denied to gitops[bot]."}
{"level":"info","ts":"2025-08-13T15:43:22.524+0200","msg":"pushed commit '0120fd9' to branch 'main'\nUpdate from image update automation","controller":"imageupdateautomation","controllerGroup":"image.toolkit.fluxcd.io","controllerKind":"ImageUpdateAutomation","ImageUpdateAutomation":{"name":"podinfo-update","namespace":"flux-system"},"namespace":"flux-system","name":"podinfo-update","reconcileID":"6750bf8f-ac6d-4b5f-b4b5-6c4b9bfc1c3e"}

The errors in the logs are due to missing permissions on the GitHub App initially.

This commit ensures that if ca.crt or caFile is available in the GitHub App secret, a TLS config with user-provided certs is appended to the system cert pool and passed to the underlying HTTP transport.

Signed-off-by: abhijith-darshan <[email protected]>

(chore): keeps implementation in-sync with source-controller

Signed-off-by: abhijith-darshan <[email protected]>

(chore): inline proxy detection

This commit removes the getProxyOpts(...) helper func and uses pkg/runtime/secrets to retrieve proxy information from the secret reference.

Signed-off-by: abhijith-darshan <[email protected]>

(chore): remove err formatting for secrets.ProxyURLFromSecretRef

Signed-off-by: abhijith-darshan <[email protected]>
@stefanprodan stefanprodan added area/security Security related issues and PRs area/git Git related issues and pull requests labels Aug 13, 2025
Member

@matheuscscp matheuscscp left a comment

LGTM! 🚀

@stefanprodan stefanprodan merged commit 6955dea into fluxcd:main Aug 14, 2025
9 checks passed