(chore): adds tls config for GitHub App auth

this commit ensures that if ca.crt or caFile is available in the github app secret, a tls config with user provided certs is appended to system cert pool and passed to the underlying http transport

Signed-off-by: abhijith-darshan <[email protected]>

(chore): update target URL for TLSConfigFromSecret

this commit ensures that the target URL for runtime/secrets.TLSConfigFromSecret has the scheme and host

Signed-off-by: abhijith-darshan <[email protected]>

(chore): adds test scenarios

this commit adds test scenarios for mTLS GitHub app in reconcile source auth strategy

Signed-off-by: abhijith-darshan <[email protected]>

(chore): use runtime/secrets authMethods

this commit ensures that GitHubApp secret resolution happens via pkg/runtime/secrets

Signed-off-by: abhijith-darshan <[email protected]>

(chore): update docs

Signed-off-by: abhijith-darshan <[email protected]>

(chore): adds github app data check

this commit ensures that when provider is github and no github app data is present in the secret, it will error out with invalid configuration

Signed-off-by: abhijith-darshan <[email protected]>

Author: abhijith-darshan

docs/spec/v1/gitrepositories.md

@@ -357,6 +357,8 @@ same pattern.
 - The private key that was generated in the pre-requisites.
 - (Optional) GitHub Enterprise Server users can set the base URL to
   `http(s)://HOSTNAME/api/v3`.
+- (Optional) If GitHub Enterprise Server uses a private CA, include its bundle (root and any intermediates) in `ca.crt`.
+  If the `ca.crt` is specified, then it will be used for TLS verification for all API / Git over `HTTPS` requests to the GitHub Enterprise Server.
 
 ```yaml
 apiVersion: v1
@@ -372,6 +374,10 @@ stringData:
     ...
     -----END RSA PRIVATE KEY-----
   githubAppBaseURL: "<github-enterprise-api-url>" #optional, required only for GitHub Enterprise Server users
+  ca.crt: | #optional, for GitHub Enterprise Server users
+    -----BEGIN CERTIFICATE-----
+    ...
+    -----END CERTIFICATE-----
 ```
 
 Alternatively, the Flux CLI can be used to automatically create the secret with

go.mod

@@ -30,15 +30,15 @@ require (
 	github.com/fluxcd/pkg/apis/meta v1.18.0
 	github.com/fluxcd/pkg/auth v0.21.0
 	github.com/fluxcd/pkg/cache v0.10.0
-	github.com/fluxcd/pkg/git v0.34.0
-	github.com/fluxcd/pkg/git/gogit v0.37.0
+	github.com/fluxcd/pkg/git v0.35.0
+	github.com/fluxcd/pkg/git/gogit v0.38.0
 	github.com/fluxcd/pkg/gittestserver v0.18.0
 	github.com/fluxcd/pkg/helmtestserver v0.26.0
 	github.com/fluxcd/pkg/http/transport v0.6.0
 	github.com/fluxcd/pkg/lockedfile v0.6.0
 	github.com/fluxcd/pkg/masktoken v0.7.0
 	github.com/fluxcd/pkg/oci v0.51.0
-	github.com/fluxcd/pkg/runtime v0.78.0
+	github.com/fluxcd/pkg/runtime v0.79.0
 	github.com/fluxcd/pkg/sourceignore v0.13.0
 	github.com/fluxcd/pkg/ssh v0.20.0
 	github.com/fluxcd/pkg/tar v0.13.0

go.sum

@@ -382,10 +382,10 @@ github.com/fluxcd/pkg/auth v0.21.0 h1:ckAQqP12wuptXEkMY18SQKWEY09m9e6yI0mEMsDV15
 github.com/fluxcd/pkg/auth v0.21.0/go.mod h1:MXmpsXT97c874HCw5hnfqFUP7TsG8/Ss1vFrk8JccfM=
 github.com/fluxcd/pkg/cache v0.10.0 h1:M+OGDM4da1cnz7q+sZSBtkBJHpiJsLnKVmR9OdMWxEY=
 github.com/fluxcd/pkg/cache v0.10.0/go.mod h1:pPXRzQUDQagsCniuOolqVhnAkbNgYOg8d2cTliPs7ME=
-github.com/fluxcd/pkg/git v0.34.0 h1:qTViWkfpEDnjzySyKRKliqUeGj/DznqlkmPhaDNIsFY=
-github.com/fluxcd/pkg/git v0.34.0/go.mod h1:F9Asm3MlLW4uZx3FF92+bqho+oktdMdnTn/QmXe56NE=
-github.com/fluxcd/pkg/git/gogit v0.37.0 h1:JINylFYpwrxS3MCu5Ei+g6XPgxbs5lv9PppIYYr07KY=
-github.com/fluxcd/pkg/git/gogit v0.37.0/go.mod h1:X7YzW5mb4srA05h4SpL2OEGEHq02tbXQF5DPJen9hlc=
+github.com/fluxcd/pkg/git v0.35.0 h1:mAauhsdfxNW4yQdXviVlvcN/uCGGG0+6p5D1+HFZI9w=
+github.com/fluxcd/pkg/git v0.35.0/go.mod h1:F9Asm3MlLW4uZx3FF92+bqho+oktdMdnTn/QmXe56NE=
+github.com/fluxcd/pkg/git/gogit v0.38.0 h1:222KmjpKf9pxqi8rAtm1omDcpGTY4JkahLrAwZ3AcwU=
+github.com/fluxcd/pkg/git/gogit v0.38.0/go.mod h1:kHStdfd/AtkH5ED0UEWP2tmMGnfxg1GG92D29M+lRJ0=
 github.com/fluxcd/pkg/gittestserver v0.18.0 h1:jkuLmzWFfq+v1ziI0LspZrUzc5WzCO98BaWb8OVRPtk=
 github.com/fluxcd/pkg/gittestserver v0.18.0/go.mod h1:2wDLqUkPuixk/8pGQdef9ewaGJXf7Z+xHDVq8PIFG4E=
 github.com/fluxcd/pkg/helmtestserver v0.26.0 h1:gKw1MGqWwN94nzs2yg3WKgMxi1RqqlDZXlGziaNCcv4=
@@ -398,8 +398,8 @@ github.com/fluxcd/pkg/masktoken v0.7.0 h1:pitmyOg2pUVdW+nn2Lk/xqm2TaA08uxvOC0ns3
 github.com/fluxcd/pkg/masktoken v0.7.0/go.mod h1:Lc1uoDjO1GY6+YdkK+ZqqBIBWquyV58nlSJ5S1N1IYU=
 github.com/fluxcd/pkg/oci v0.51.0 h1:9oYnm+T4SCVSBif9gn80ALJkMGSERabVMDJiaMIdr7Y=
 github.com/fluxcd/pkg/oci v0.51.0/go.mod h1:5J6IhHoDVYCVeBEC+4E3nPeKh7d0kjJ8IEL6NVCiTx4=
-github.com/fluxcd/pkg/runtime v0.78.0 h1:xwNZqnazmgURGuLiHDbzST6BI5K9fvZuNS4eMVY35Es=
-github.com/fluxcd/pkg/runtime v0.78.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
+github.com/fluxcd/pkg/runtime v0.79.0 h1:9tv79EiQDx/QJH9mYDd9kZ9WybCVWBUGoiBHij+eKkc=
+github.com/fluxcd/pkg/runtime v0.79.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
 github.com/fluxcd/pkg/sourceignore v0.13.0 h1:ZvkzX2WsmyZK9cjlqOFFW1onHVzhPZIqDbCh96rPqbU=
 github.com/fluxcd/pkg/sourceignore v0.13.0/go.mod h1:Z9H1GoBx0ljOhptnzoV0PL6Nd/UzwKcSphP27lqb4xI=
 github.com/fluxcd/pkg/ssh v0.20.0 h1:Ak0laIYIc/L8lEfqls/LDWRW8wYPESGaravQsCRGLb8=

internal/controller/gitrepository_controller.go

@@ -31,6 +31,7 @@ import (
 	authutils "github.com/fluxcd/pkg/auth/utils"
 	"github.com/fluxcd/pkg/git/github"
 	"github.com/fluxcd/pkg/runtime/logger"
+	"github.com/fluxcd/pkg/runtime/secrets"
 	"github.com/go-git/go-git/v5/plumbing/transport"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -621,10 +622,11 @@ func (r *GitRepositoryReconciler) reconcileSource(ctx context.Context, sp *patch
 // transport.ProxyOptions object using those settings and then returns it.
 func (r *GitRepositoryReconciler) getProxyOpts(ctx context.Context, proxySecretName,
 	proxySecretNamespace string) (*transport.ProxyOptions, *url.URL, error) {
-	proxyData, err := r.getSecretData(ctx, proxySecretName, proxySecretNamespace)
+	secret, err := r.getSecret(ctx, proxySecretName, proxySecretNamespace)
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to get proxy secret '%s/%s': %w", proxySecretNamespace, proxySecretName, err)
 	}
+	proxyData := secret.Data
 	b, ok := proxyData["address"]
 	if !ok {
 		return nil, nil, fmt.Errorf("invalid proxy secret '%s/%s': key 'address' is missing", proxySecretNamespace, proxySecretName)
@@ -659,10 +661,11 @@ func (r *GitRepositoryReconciler) getProxyOpts(ctx context.Context, proxySecretN
 // URL and returns it.
 func (r *GitRepositoryReconciler) getAuthOpts(ctx context.Context, obj *sourcev1.GitRepository,
 	u url.URL, proxyURL *url.URL) (*git.AuthOptions, error) {
+	var secret *corev1.Secret
 	var authData map[string][]byte
 	if obj.Spec.SecretRef != nil {
 		var err error
-		authData, err = r.getSecretData(ctx, obj.Spec.SecretRef.Name, obj.GetNamespace())
+		secret, err = r.getSecret(ctx, obj.Spec.SecretRef.Name, obj.GetNamespace())
 		if err != nil {
 			e := serror.NewGeneric(
 				fmt.Errorf("failed to get secret '%s/%s': %w", obj.GetNamespace(), obj.Spec.SecretRef.Name, err),
@@ -671,6 +674,7 @@ func (r *GitRepositoryReconciler) getAuthOpts(ctx context.Context, obj *sourcev1
 			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 			return nil, e
 		}
+		authData = secret.Data
 	}
 
 	// Configure authentication strategy to access the source
@@ -717,24 +721,38 @@ func (r *GitRepositoryReconciler) getAuthOpts(ctx context.Context, obj *sourcev1
 			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 			return nil, e
 		}
-
+		targetURL := fmt.Sprintf("%s://%s", u.Scheme, u.Host)
+		authMethods, err := secrets.AuthMethodsFromSecret(ctx, secret, secrets.WithTargetURL(targetURL), secrets.WithTLSSystemCertPool())
+		if err != nil {
+			return nil, err
+		}
+		if !authMethods.HasGitHubAppData() {
+			e := serror.NewStalling(
+				fmt.Errorf("secretRef with github app data must be specified when provider is set to github"),
+				sourcev1.InvalidProviderConfigurationReason,
+			)
+			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
+			return nil, e
+		}
 		getCreds = func() (*authutils.GitCredentials, error) {
-			var opts []github.OptFunc
+			var appOpts []github.OptFunc
 
-			if len(authData) > 0 {
-				opts = append(opts, github.WithAppData(authData))
-			}
+			appOpts = append(appOpts, github.WithAppData(authMethods.GitHubAppData))
 
 			if proxyURL != nil {
-				opts = append(opts, github.WithProxyURL(proxyURL))
+				appOpts = append(appOpts, github.WithProxyURL(proxyURL))
 			}
 
 			if r.TokenCache != nil {
-				opts = append(opts, github.WithCache(r.TokenCache, sourcev1.GitRepositoryKind,
+				appOpts = append(appOpts, github.WithCache(r.TokenCache, sourcev1.GitRepositoryKind,
 					obj.GetName(), obj.GetNamespace(), cache.OperationReconcile))
 			}
 
-			username, password, err := github.GetCredentials(ctx, opts...)
+			if authMethods.HasTLS() {
+				appOpts = append(appOpts, github.WithTLSConfig(authMethods.TLS))
+			}
+
+			username, password, err := github.GetCredentials(ctx, appOpts...)
 			if err != nil {
 				return nil, err
 			}
@@ -771,16 +789,16 @@ func (r *GitRepositoryReconciler) getAuthOpts(ctx context.Context, obj *sourcev1
 	return opts, nil
 }
 
-func (r *GitRepositoryReconciler) getSecretData(ctx context.Context, name, namespace string) (map[string][]byte, error) {
+func (r *GitRepositoryReconciler) getSecret(ctx context.Context, name, namespace string) (*corev1.Secret, error) {
 	key := types.NamespacedName{
 		Namespace: namespace,
 		Name:      name,
 	}
-	var secret corev1.Secret
-	if err := r.Client.Get(ctx, key, &secret); err != nil {
-		return nil, err
+	secret := &corev1.Secret{}
+	if err := r.Client.Get(ctx, key, secret); err != nil {
+		return nil, fmt.Errorf("failed to get secret '%s/%s': %w", namespace, name, err)
 	}
-	return secret.Data, nil
+	return secret, nil
 }
 
 // reconcileArtifact archives a new Artifact to the Storage, if the current

internal/controller/gitrepository_controller_test.go

@@ -18,6 +18,7 @@ package controller
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
@@ -348,6 +349,8 @@ func TestGitRepositoryReconciler_reconcileSource_authStrategy(t *testing.T) {
 		server           options
 		secret           *corev1.Secret
 		beforeFunc       func(obj *sourcev1.GitRepository)
+		secretFunc       func(secret *corev1.Secret, baseURL string)
+		middlewareFunc   gittestserver.HTTPMiddleware
 		want             sreconcile.Result
 		wantErr          bool
 		assertConditions []metav1.Condition
@@ -527,6 +530,85 @@ func TestGitRepositoryReconciler_reconcileSource_authStrategy(t *testing.T) {
 				*conditions.UnknownCondition(meta.ReadyCondition, meta.ProgressingReason, "foo"),
 			},
 		},
+		{
+			name:     "mTLS GitHub App without ca.crt makes FetchFailed=True",
+			protocol: "https",
+			server: options{
+				publicKey:  tlsPublicKey,
+				privateKey: tlsPrivateKey,
+				ca:         tlsCA,
+			},
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Name: "gh-app-no-ca"},
+				Data: map[string][]byte{
+					github.KeyAppID:             []byte("123"),
+					github.KeyAppInstallationID: []byte("456"),
+					github.KeyAppPrivateKey:     sshtestdata.PEMBytes["rsa"],
+				},
+			},
+			beforeFunc: func(obj *sourcev1.GitRepository) {
+				obj.Spec.Provider = sourcev1.GitProviderGitHub
+				obj.Spec.SecretRef = &meta.LocalObjectReference{Name: "gh-app-no-ca"}
+				conditions.MarkReconciling(obj, meta.ProgressingReason, "foo")
+				conditions.MarkUnknown(obj, meta.ReadyCondition, meta.ProgressingWithRetryReason, "foo")
+			},
+			secretFunc: func(secret *corev1.Secret, baseURL string) {
+				secret.Data[github.KeyAppBaseURL] = []byte(baseURL + "/api/v3")
+			},
+			wantErr: true,
+			assertConditions: []metav1.Condition{
+				// should record a FetchFailedCondition due to TLS handshake
+				*conditions.TrueCondition(sourcev1.FetchFailedCondition, sourcev1.AuthenticationFailedReason, "x509: "),
+				*conditions.TrueCondition(meta.ReconcilingCondition, meta.ProgressingReason, "foo"),
+				*conditions.UnknownCondition(meta.ReadyCondition, meta.ProgressingWithRetryReason, "foo"),
+			},
+		},
+		{
+			name:     "mTLS GitHub App with ca.crt makes Reconciling=True",
+			protocol: "https",
+			server: options{
+				publicKey:  tlsPublicKey,
+				privateKey: tlsPrivateKey,
+				ca:         tlsCA,
+				username:   github.AccessTokenUsername,
+				password:   "some-enterprise-token",
+			},
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Name: "gh-app-ca"},
+				Data: map[string][]byte{
+					github.KeyAppID:             []byte("123"),
+					github.KeyAppInstallationID: []byte("456"),
+					github.KeyAppPrivateKey:     sshtestdata.PEMBytes["rsa"],
+				},
+			},
+			beforeFunc: func(obj *sourcev1.GitRepository) {
+				obj.Spec.Provider = sourcev1.GitProviderGitHub
+				obj.Spec.SecretRef = &meta.LocalObjectReference{Name: "gh-app-ca"}
+			},
+			secretFunc: func(secret *corev1.Secret, baseURL string) {
+				secret.Data[github.KeyAppBaseURL] = []byte(baseURL + "/api/v3")
+				secret.Data["ca.crt"] = tlsCA
+			},
+			middlewareFunc: func(handler http.Handler) http.Handler {
+				return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+					if strings.HasPrefix(r.URL.Path, "/api/v3/app/installations/") {
+						w.WriteHeader(http.StatusOK)
+						tok := &github.AppToken{
+							Token:     "some-enterprise-token",
+							ExpiresAt: time.Now().Add(time.Hour),
+						}
+						_ = json.NewEncoder(w).Encode(tok)
+					}
+					handler.ServeHTTP(w, r)
+				})
+			},
+			wantErr: false,
+			want:    sreconcile.ResultSuccess,
+			assertConditions: []metav1.Condition{
+				*conditions.TrueCondition(meta.ReconcilingCondition, meta.ProgressingReason, "building artifact: new upstream revision 'master@sha1:<commit>'"),
+				*conditions.UnknownCondition(meta.ReadyCondition, meta.ProgressingReason, "building artifact: new upstream revision 'master@sha1:<commit>'"),
+			},
+		},
 		// TODO: Add test case for HTTPS with bearer token auth secret. It
 		// depends on gitkit to have support for bearer token based
 		// authentication.
@@ -695,6 +777,10 @@ func TestGitRepositoryReconciler_reconcileSource_authStrategy(t *testing.T) {
 			defer os.RemoveAll(server.Root())
 			server.AutoCreate()
 
+			if tt.middlewareFunc != nil {
+				server.AddHTTPMiddlewares(tt.middlewareFunc)
+			}
+
 			repoPath := "/test.git"
 			localRepo, err := initGitRepo(server, "testdata/git/repository", git.DefaultBranch, repoPath)
 			g.Expect(err).NotTo(HaveOccurred())
@@ -739,6 +825,10 @@ func TestGitRepositoryReconciler_reconcileSource_authStrategy(t *testing.T) {
 				tt.beforeFunc(obj)
 			}
 
+			if tt.secretFunc != nil {
+				tt.secretFunc(secret, server.HTTPAddress())
+			}
+
 			clientBuilder := fakeclient.NewClientBuilder().
 				WithScheme(testEnv.GetScheme()).
 				WithStatusSubresource(&sourcev1.GitRepository{})