fluxcd · hiddeco · Sep 26, 2019 · Sep 4, 2019 · Sep 26, 2019
diff --git a/cmd/fluxd/main.go b/cmd/fluxd/main.go
@@ -613,7 +613,6 @@ func main() {
 		SigningKey:  *gitSigningKey,
 		SetAuthor:   *gitSetAuthor,
 		SkipMessage: *gitSkipMessage,
-		GitSecret:   *gitSecret,
 	}
 
 	repo := git.NewRepo(gitRemote, git.PollInterval(*gitPollInterval), git.Timeout(*gitTimeout), git.Branch(*gitBranch), git.IsReadOnly(*gitReadonly))
@@ -694,6 +693,7 @@ func main() {
 		JobStatusCache:            &job.StatusCache{Size: 100},
 		Logger:                    log.With(logger, "component", "daemon"),
 		ManifestGenerationEnabled: *manifestGeneration,
+		GitSecretEnabled:          *gitSecret,
 		LoopVars: &daemon.LoopVars{
 			SyncInterval:        *syncInterval,
 			SyncState:           syncProvider,

diff --git a/pkg/daemon/daemon.go b/pkg/daemon/daemon.go
@@ -55,6 +55,7 @@ type Daemon struct {
 	EventWriter               event.EventWriter
 	Logger                    log.Logger
 	ManifestGenerationEnabled bool
+	GitSecretEnabled          bool
 	// bookkeeping
 	*LoopVars
 }
@@ -659,6 +660,11 @@ func (d *Daemon) WithWorkingClone(ctx context.Context, fn func(*git.Checkout) er
 		return err
 	}
 	defer co.Clean()
+	if d.GitSecretEnabled {
+		if err := co.SecretUnseal(ctx); err != nil {
+			return err
+		}
+	}
 	return fn(co)
 }
 
@@ -675,6 +681,11 @@ func (d *Daemon) WithReadonlyClone(ctx context.Context, fn func(*git.Export) err
 		return err
 	}
 	defer co.Clean()
+	if d.GitSecretEnabled {
+		if err := co.SecretUnseal(ctx); err != nil {
+			return err
+		}
+	}
 	return fn(co)
 }
 

diff --git a/pkg/daemon/sync.go b/pkg/daemon/sync.go
@@ -49,6 +49,15 @@ func (d *Daemon) Sync(ctx context.Context, started time.Time, newRevision string
 	cancel()
 	defer working.Clean()
 
+	// Unseal any secrets if enabled
+	if d.GitSecretEnabled {
+		ctxt, cancel := context.WithTimeout(ctx, d.GitTimeout)
+		if err := working.SecretUnseal(ctxt); err != nil {
+			return err
+		}
+		cancel()
+	}
+
 	// Retrieve change set of commits we need to sync
 	c, err := getChangeSet(ctx, ratchet, newRevision, d.Repo, d.GitTimeout, d.GitConfig.Paths)
 	if err != nil {

diff --git a/pkg/git/export.go b/pkg/git/export.go
@@ -32,12 +32,17 @@ func (r *Repo) Export(ctx context.Context, ref string) (*Export, error) {
 	return &Export{dir}, nil
 }
 
+// SecretUnseal unseals git secrets in the clone.
+func (e *Export) SecretUnseal(ctx context.Context) error {
+	return secretUnseal(ctx, e.Dir())
+}
+
 // ChangedFiles does a git diff listing changed files
-func (c *Export) ChangedFiles(ctx context.Context, sinceRef string, paths []string) ([]string, error) {
-	list, err := changed(ctx, c.Dir(), sinceRef, paths)
+func (e *Export) ChangedFiles(ctx context.Context, sinceRef string, paths []string) ([]string, error) {
+	list, err := changed(ctx, e.Dir(), sinceRef, paths)
 	if err == nil {
 		for i, file := range list {
-			list[i] = filepath.Join(c.Dir(), file)
+			list[i] = filepath.Join(e.Dir(), file)
 		}
 	}
 	return list, err

diff --git a/pkg/git/operations.go b/pkg/git/operations.go
@@ -81,7 +81,11 @@ func mirror(ctx context.Context, workingDir, repoURL string) (path string, err e
 
 func checkout(ctx context.Context, workingDir, ref string) error {
 	args := []string{"checkout", ref, "--"}
-	return execGitCmd(ctx, args, gitCmdConfig{dir: workingDir})
+	err := execGitCmd(ctx, args, gitCmdConfig{dir: workingDir})
+	if err != nil {
+		return err
+	}
+	return nil
 }
 
 func add(ctx context.Context, workingDir, path string) error {

diff --git a/pkg/git/working.go b/pkg/git/working.go
@@ -22,7 +22,6 @@ type Config struct {
 	SigningKey  string
 	SetAuthor   bool
 	SkipMessage string
-	GitSecret   bool
 }
 
 // Checkout is a local working clone of the remote repo. It is
@@ -101,12 +100,6 @@ func (r *Repo) Clone(ctx context.Context, conf Config) (*Checkout, error) {
 	}
 	r.mu.RUnlock()
 
-	if conf.GitSecret {
-		if err := secretUnseal(ctx, repoDir); err != nil {
-			return nil, err
-		}
-	}
-
 	return &Checkout{
 		Export:       &Export{dir: repoDir},
 		upstream:     upstream,