
Commit aae442d

(chore): adds tls config for GitHub App auth
This commit ensures that if ca.crt or caFile is available in the GitHub App secret, a TLS config with the user-provided certs appended to the system cert pool is passed to the underlying HTTP transport. Signed-off-by: abhijith-darshan <[email protected]>
1 parent c2b572b commit aae442d


3 files changed

+35
-18
lines changed


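--- a/go.mod
+++ b/go.mod
@@ -30,8 +30,8 @@ require (
 github.com/fluxcd/pkg/apis/meta v1.18.0
 github.com/fluxcd/pkg/auth v0.21.0
 github.com/fluxcd/pkg/cache v0.10.0
-github.com/fluxcd/pkg/git v0.34.0
-github.com/fluxcd/pkg/git/gogit v0.37.0
+github.com/fluxcd/pkg/git v0.35.0
+github.com/fluxcd/pkg/git/gogit v0.38.0
 github.com/fluxcd/pkg/gittestserver v0.18.0
 github.com/fluxcd/pkg/helmtestserver v0.26.0
 github.com/fluxcd/pkg/http/transport v0.6.0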

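--- a/go.sum
+++ b/go.sum
@@ -382,10 +382,10 @@ github.com/fluxcd/pkg/auth v0.21.0 h1:ckAQqP12wuptXEkMY18SQKWEY09m9e6yI0mEMsDV15
 github.com/fluxcd/pkg/auth v0.21.0/go.mod h1:MXmpsXT97c874HCw5hnfqFUP7TsG8/Ss1vFrk8JccfM=
 github.com/fluxcd/pkg/cache v0.10.0 h1:M+OGDM4da1cnz7q+sZSBtkBJHpiJsLnKVmR9OdMWxEY=
 github.com/fluxcd/pkg/cache v0.10.0/go.mod h1:pPXRzQUDQagsCniuOolqVhnAkbNgYOg8d2cTliPs7ME=
-github.com/fluxcd/pkg/git v0.34.0 h1:qTViWkfpEDnjzySyKRKliqUeGj/DznqlkmPhaDNIsFY=
-github.com/fluxcd/pkg/git v0.34.0/go.mod h1:F9Asm3MlLW4uZx3FF92+bqho+oktdMdnTn/QmXe56NE=
-github.com/fluxcd/pkg/git/gogit v0.37.0 h1:JINylFYpwrxS3MCu5Ei+g6XPgxbs5lv9PppIYYr07KY=
-github.com/fluxcd/pkg/git/gogit v0.37.0/go.mod h1:X7YzW5mb4srA05h4SpL2OEGEHq02tbXQF5DPJen9hlc=
+github.com/fluxcd/pkg/git v0.35.0 h1:mAauhsdfxNW4yQdXviVlvcN/uCGGG0+6p5D1+HFZI9w=
+github.com/fluxcd/pkg/git v0.35.0/go.mod h1:F9Asm3MlLW4uZx3FF92+bqho+oktdMdnTn/QmXe56NE=
+github.com/fluxcd/pkg/git/gogit v0.38.0 h1:222KmjpKf9pxqi8rAtm1omDcpGTY4JkahLrAwZ3AcwU=
+github.com/fluxcd/pkg/git/gogit v0.38.0/go.mod h1:kHStdfd/AtkH5ED0UEWP2tmMGnfxg1GG92D29M+lRJ0=
 github.com/fluxcd/pkg/gittestserver v0.18.0 h1:jkuLmzWFfq+v1ziI0LspZrUzc5WzCO98BaWb8OVRPtk=
 github.com/fluxcd/pkg/gittestserver v0.18.0/go.mod h1:2wDLqUkPuixk/8pGQdef9ewaGJXf7Z+xHDVq8PIFG4E=
 github.com/fluxcd/pkg/helmtestserver v0.26.0 h1:gKw1MGqWwN94nzs2yg3WKgMxi1RqqlDZXlGziaNCcv4=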

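--- a/internal/controller/gitrepository_controller.go
+++ b/internal/controller/gitrepository_controller.go
@@ -31,6 +31,7 @@ import (
 authutils "github.com/fluxcd/pkg/auth/utils"
 "github.com/fluxcd/pkg/git/github"
 "github.com/fluxcd/pkg/runtime/logger"
+"github.com/fluxcd/pkg/runtime/secrets"
 "github.com/go-git/go-git/v5/plumbing/transport"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/runtime"
@@ -621,10 +622,11 @@ func (r *GitRepositoryReconciler) reconcileSource(ctx context.Context, sp *patch
 // transport.ProxyOptions object using those settings and then returns it.
 func (r *GitRepositoryReconciler) getProxyOpts(ctx context.Context, proxySecretName,
 proxySecretNamespace string) (*transport.ProxyOptions, *url.URL, error) {
-proxyData, err := r.getSecretData(ctx, proxySecretName, proxySecretNamespace)
+secret, err := r.getSecret(ctx, proxySecretName, proxySecretNamespace)
 if err != nil {
 return nil, nil, fmt.Errorf("failed to get proxy secret '%s/%s': %w", proxySecretNamespace, proxySecretName, err)
 }
+proxyData := secret.Data
 b, ok := proxyData["address"]
 if !ok {
 return nil, nil, fmt.Errorf("invalid proxy secret '%s/%s': key 'address' is missing", proxySecretNamespace, proxySecretName)
@@ -659,10 +661,11 @@ func (r *GitRepositoryReconciler) getProxyOpts(ctx context.Context, proxySecretN
 // URL and returns it.
 func (r *GitRepositoryReconciler) getAuthOpts(ctx context.Context, obj *sourcev1.GitRepository,
 u url.URL, proxyURL *url.URL) (*git.AuthOptions, error) {
+var secret *corev1.Secret
 var authData map[string][]byte
 if obj.Spec.SecretRef != nil {
 var err error
-authData, err = r.getSecretData(ctx, obj.Spec.SecretRef.Name, obj.GetNamespace())
+secret, err = r.getSecret(ctx, obj.Spec.SecretRef.Name, obj.GetNamespace())
 if err != nil {
 e := serror.NewGeneric(
 fmt.Errorf("failed to get secret '%s/%s': %w", obj.GetNamespace(), obj.Spec.SecretRef.Name, err),
@@ -671,6 +674,7 @@ func (r *GitRepositoryReconciler) getAuthOpts(ctx context.Context, obj *sourcev1
 conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 return nil, e
 }
+authData = secret.Data
 }
 
 // Configure authentication strategy to access the source
@@ -719,22 +723,35 @@ func (r *GitRepositoryReconciler) getAuthOpts(ctx context.Context, obj *sourcev1
 }
 
 getCreds = func() (*authutils.GitCredentials, error) {
-var opts []github.OptFunc
+var appOpts []github.OptFunc
 
 if len(authData) > 0 {
-opts = append(opts, github.WithAppData(authData))
+appOpts = append(appOpts, github.WithAppData(authData))
 }
 
 if proxyURL != nil {
-opts = append(opts, github.WithProxyURL(proxyURL))
+appOpts = append(appOpts, github.WithProxyURL(proxyURL))
 }
 
 if r.TokenCache != nil {
-opts = append(opts, github.WithCache(r.TokenCache, sourcev1.GitRepositoryKind,
+appOpts = append(appOpts, github.WithCache(r.TokenCache, sourcev1.GitRepositoryKind,
 obj.GetName(), obj.GetNamespace(), cache.OperationReconcile))
 }
 
-username, password, err := github.GetCredentials(ctx, opts...)
+if len(opts.CAFile) > 0 {
+tlsConfig, err := secrets.TLSConfigFromSecret(ctx, secret, u.Host, secrets.WithSystemCertPool())
+if err != nil {
+e := serror.NewStalling(
+fmt.Errorf("failed to configure TLS from secret '%s/%s': %w", obj.GetNamespace(), obj.Spec.SecretRef.Name, err),
+sourcev1.AuthenticationFailedReason,
+)
+conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
+return nil, e
+}
+appOpts = append(appOpts, github.WithTLSConfig(tlsConfig))
+}
+
+username, password, err := github.GetCredentials(ctx, appOpts...)
 if err != nil {
 return nil, err
 }
@@ -771,16 +788,16 @@ func (r *GitRepositoryReconciler) getAuthOpts(ctx context.Context, obj *sourcev1
 return opts, nil
 }
 
-func (r *GitRepositoryReconciler) getSecretData(ctx context.Context, name, namespace string) (map[string][]byte, error) {
+func (r *GitRepositoryReconciler) getSecret(ctx context.Context, name, namespace string) (*corev1.Secret, error) {
 key := types.NamespacedName{
 Namespace: namespace,
 Name: name,
 }
-var secret corev1.Secret
-if err := r.Client.Get(ctx, key, &secret); err != nil {
-return nil, err
+secret := &corev1.Secret{}
+if err := r.Client.Get(ctx, key, secret); err != nil {
+return nil, fmt.Errorf("failed to get secret '%s/%s': %w", namespace, name, err)
 }
-return secret.Data, nil
+return secret, nil
 }
 
 // reconcileArtifact archives a new Artifact to the Storage, if the current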
