gitrepo: add support for specifying CA data via ca.crt
Check the auth secret for the `ca.crt` key for CA certificate data.
`ca.crt` takes precedence over `caFile`.

Signed-off-by: Sanskar Jaiswal <[email protected]>
aryan9600 committed Aug 17, 2023
1 parent cee804b commit f0585d5
Showing 5 changed files with 36 additions and 6 deletions.
7 changes: 4 additions & 3 deletions docs/spec/v1/gitrepositories.md
@@ -161,8 +161,9 @@ data:
#### HTTPS Certificate Authority

To provide a Certificate Authority to trust while connecting with a Git
repository over HTTPS, the referenced Secret can contain a `.data.caFile`
value.
repository over HTTPS, the referenced Secret's `.data` can contain a `ca.crt`
or `caFile` key. `ca.crt` takes precedence over `caFile`, i.e. if both keys
are present, the value of `ca.crt` will be taken into consideration.

```yaml
---
@@ -173,7 +174,7 @@ metadata:
namespace: default
type: Opaque
data:
caFile: <BASE64>
ca.crt: <BASE64>
```

#### SSH authentication
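Review bot: the new paragraph says which key wins but not which one new Secrets should use, and the example switched from `caFile:` to `ca.crt:` without saying that `caFile` is still accepted; add a sentence such as "`caFile` continues to be supported for existing Secrets" (or mark it deprecated, if that is the intent) so readers do not take the example change for a breaking one. Minor wording: "i.e. if both keys are present, the value of `ca.crt` will be taken into consideration" reads better as "that is, if both keys are present, `ca.crt` is used".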
4 changes: 3 additions & 1 deletion go.mod
@@ -14,6 +14,8 @@ replace github.com/opencontainers/go-digest => github.com/opencontainers/go-dige
// Check again when oras.land/oras-go is updated, which is a dependency of Helm.
replace github.com/docker/docker => github.com/docker/docker v23.0.6+incompatible

replace github.com/fluxcd/pkg/git => github.com/fluxcd/pkg/git v0.12.5-0.20230817140615-66fe41a41294

require (
cloud.google.com/go/storage v1.31.0
github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1
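Review bot: the added `replace` directive forces every requirement on github.com/fluxcd/pkg/git in the build graph onto the same pseudo-version that the `require` block pins, but unlike the docker replace two lines above it carries no comment saying why it is needed and when it can go away. Add one (for example `// Remove once fluxcd/pkg/git v0.12.5 is tagged.`), or drop the directive if `go mod tidy` is satisfied with the require alone, so the next person touching go.mod knows whether it is still load-bearing.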
@@ -27,7 +29,7 @@ require (
github.com/docker/go-units v0.5.0
github.com/fluxcd/pkg/apis/event v0.5.2
github.com/fluxcd/pkg/apis/meta v1.1.2
github.com/fluxcd/pkg/git v0.12.4
github.com/fluxcd/pkg/git v0.12.5-0.20230817140615-66fe41a41294
github.com/fluxcd/pkg/git/gogit v0.12.1
github.com/fluxcd/pkg/gittestserver v0.8.5
github.com/fluxcd/pkg/helmtestserver v0.13.2
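Review bot: github.com/fluxcd/pkg/git is now required at a pseudo-version (v0.12.5-0.20230817140615-66fe41a41294), that is an untagged commit rather than a release; fine for landing the feature, but it should be swapped for the tagged v0.12.5 before source-controller is released, otherwise the release pins a commit that never went through the pkg/git release process. A TODO or tracking issue would keep the follow-up bump from being forgotten.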
4 changes: 2 additions & 2 deletions go.sum
@@ -393,8 +393,8 @@ github.com/fluxcd/pkg/apis/event v0.5.2 h1:WtnCOeWglf7wR3dpyiWxb1JtYkw1G5OXcERb1
github.com/fluxcd/pkg/apis/event v0.5.2/go.mod h1:5l6SSxVTkqrXrYjgEqAajOOHkl4x0TPocAuSdu+3AEs=
github.com/fluxcd/pkg/apis/meta v1.1.2 h1:Unjo7hxadtB2dvGpeFqZZUdsjpRA08YYSBb7dF2WIAM=
github.com/fluxcd/pkg/apis/meta v1.1.2/go.mod h1:BHQyRHCskGMEDf6kDGbgQ+cyiNpUHbLsCOsaMYM2maI=
github.com/fluxcd/pkg/git v0.12.4 h1:COuVYUL+gqMOYAm6oD32Vwcmy/8WVsT/nMk8ps0lpJI=
github.com/fluxcd/pkg/git v0.12.4/go.mod h1:rKB1puk7sbC4AYF1oZDBrkvu3cr0aibkd4I5yNbxSQg=
github.com/fluxcd/pkg/git v0.12.5-0.20230817140615-66fe41a41294 h1:S3BGp89TNABBE17pb5n8WkijOCQkX6n2G30Nb/fXCj8=
github.com/fluxcd/pkg/git v0.12.5-0.20230817140615-66fe41a41294/go.mod h1:rKB1puk7sbC4AYF1oZDBrkvu3cr0aibkd4I5yNbxSQg=
github.com/fluxcd/pkg/git/gogit v0.12.1 h1:06jzHOTntYN5xCSQvyFXtLXdqoP8crLh7VYgtXS9+wo=
github.com/fluxcd/pkg/git/gogit v0.12.1/go.mod h1:Z4Ysp8VifKTvWpjJMKncJsgb2iBqHuIeK80VGjlU41Y=
github.com/fluxcd/pkg/gittestserver v0.8.5 h1:EGqDF4240xPRgW1FFrQAs0Du7fZb8OGXC5qKDIqyXD8=
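Review bot: the `/go.mod` hash for the new pseudo-version (h1:rKB1puk7sbC4AYF1oZDBrkvu3cr0aibkd4I5yNbxSQg=) is identical to the one for v0.12.4, which is expected only if pkg/git's own go.mod did not change between the two commits; please confirm these two lines were regenerated by `go mod tidy` rather than copied from the v0.12.4 entries, so the recorded sums actually correspond to the pinned commit. Dropping the old v0.12.4 lines in the same hunk is correct.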
1 change: 1 addition & 0 deletions internal/controller/gitrepository_controller.go
@@ -646,6 +646,7 @@ func (r *GitRepositoryReconciler) getAuthOpts(ctx context.Context, obj *sourcev1
if err != nil {
return nil, err
}

return authOpts, nil
}
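Review bot: the only change visible in getAuthOpts is an added blank line; the `ca.crt` lookup the commit message describes is not in this file and presumably arrives through the fluxcd/pkg/git bump in go.mod. A one-line comment here, e.g. `// CA data is read from the secret's ca.crt key (preferred) or caFile key by pkg/git.`, would spare readers of the controller from tracing the dependency to find where the CA bundle comes from and which key wins.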

26 changes: 26 additions & 0 deletions internal/controller/gitrepository_controller_test.go
@@ -386,6 +386,32 @@ func TestGitRepositoryReconciler_reconcileSource_authStrategy(t *testing.T) {
*conditions.UnknownCondition(meta.ReadyCondition, meta.ProgressingReason, "building artifact: new upstream revision 'master@sha1:<commit>'"),
},
},
{
name: "HTTPS with CAFile secret with both ca.crt and caFile keys makes Reconciling=True and ignores caFile",
protocol: "https",
server: options{
publicKey: tlsPublicKey,
privateKey: tlsPrivateKey,
ca: tlsCA,
},
secret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "ca-file",
},
Data: map[string][]byte{
"ca.crt": tlsCA,
"caFile": []byte("invalid"),
},
},
beforeFunc: func(obj *sourcev1.GitRepository) {
obj.Spec.SecretRef = &meta.LocalObjectReference{Name: "ca-file"}
},
want: sreconcile.ResultSuccess,
assertConditions: []metav1.Condition{
*conditions.TrueCondition(meta.ReconcilingCondition, meta.ProgressingReason, "building artifact: new upstream revision 'master@sha1:<commit>'"),
*conditions.UnknownCondition(meta.ReadyCondition, meta.ProgressingReason, "building artifact: new upstream revision 'master@sha1:<commit>'"),
},
},
{
name: "HTTPS with invalid CAFile secret makes CheckoutFailed=True and returns error",
protocol: "https",
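Review bot: the new case shows that a valid `ca.crt` next to an invalid `caFile` succeeds, which is consistent with `ca.crt` taking precedence, but it would also pass under an implementation that tries one key and falls back to the other; to actually pin precedence, add the mirror case with an invalid `ca.crt` and a valid `caFile` and assert that the checkout fails. Also, the case name still says "HTTPS with CAFile secret" although the Secret under test is a `ca.crt` one; renaming it keeps the table greppable.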