Skip to content
This repository has been archived by the owner on Nov 1, 2022. It is now read-only.

Using https protocol not require ssh config #2438

Closed
wants to merge 4 commits into from
Closed

Using https protocol not require ssh config #2438

wants to merge 4 commits into from

Conversation

vyckou
Copy link
Contributor

@vyckou vyckou commented Sep 9, 2019

Following changes would allow:

  • native support for git remote using HTTPS transport, using username and password for git clone, by using git-apikey and git-user arguments.
  • usage of git-apikey and git-user arguments together with https transport, will skip ssh key pair creation
  • will hide potential secrets in logs
  • by using git-apikey argument and HTTPS transport, forces to remove username/password from git-url argument. That is done intentionally, as git-apikey should be treated not as config map, but as secret

@vyckou
mask potential secrets in logging for remote URLs
2aee709
@vyckou
added comment, about NewNopSSHKeyRing usage
45733c0
@vyckou
added git-apikey argument:
b80bec1 
* this argument and logics makes possible to use https transport for git remote. If git-apikey argument is supplied - ssh private/public key generation will be skipped (as key auth is no longer in use)
* added logics forces not to use username:password in git-url argument, as apikey better keep separate and treat is as secret, instead of simple configmap
added example for git-url, that https transport also can be used
@vyckou
added APIKey element for git.Config
892c88b
@vyckou vyckou mentioned this pull request Sep 9, 2019
Closed
@linuxbsdfreak
Copy link

linuxbsdfreak commented Sep 11, 2019
edited
Loading

@vyckou.

At the moment i am testing the following with https for connecting to github by configuring the values.yaml for the flux helm chart

git:
  url: "https://[email protected]/username/gitops-helm-release.git"

I also see that the API Key is displayed in the flux-helm-operator pod logs

My Questions:

  • What do i need to change in the future while configuring flux ?
  • Does the logging of the API_TOKEN not happen anymore after the fix?

Appreciate your feedback.

@hiddeco
Copy link
Member

hiddeco commented Sep 11, 2019

@linuxbsdfreak with a build from this PR, you would provide the HTTPS address to the --git-url flag and supply the token using the --git-apikey flag.

To make use of this in the chart, it would require changes to the chart to make it easy to use as it does not know about this flag at the moment. For the time being, it is however possible to supply it manually by utilizing the additionalArgs value.

@vyckou
Copy link
Contributor Author

vyckou commented Sep 11, 2019

@linuxbsdfreak, @hiddeco is right, provide

--git-url=https://github.com/username/gitops-helm-release.git
--git-apikey=GITHUB_API_TOKEN

despite that, you need to provide --git-user=GITHUB_USER_FOR_API
otherwise, url parsers and SafeURL() function wont be able to identify GITHUB_API_TOKEN as secret, and it will treat as username. As a result you will continue to see the API_TOKEN in the logs

"https://[email protected]/username/gitops-helm-release.git" GITHUB_API_TOKEN by default will be treated as username and only in structure
"https://GITHUB_USERNAME:[email protected]/username/gitops-helm-release.git" GITHUB_API_TOKEN is treated as password

I am not using helm charts, therefore simply forgot to tackle that part. Will try to align that too.

@stefanprodan stefanprodan mentioned this pull request Sep 18, 2019
Closed
hiddeco
hiddeco reviewed Sep 24, 2019
View reviewed changes
cmd/fluxd/main.go
}

if parsedGitURL.User.Username() != "" {
logger.Log("err", "Set git username not in git-url, but use git-user argument instead")
Copy link
Member

@hiddeco hiddeco Sep 24, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The --git-user is not used in the way you think it is used, or at least, this implementation does not take into account that it is used as the full name of the user (i.e. John Doe <[email protected]>) during commit. While I think GitHub does some behind-the-scene parsing to still get this information presented in their UI based on the GitHub username, the data in git will be off.

However, given that we want this feature in in a short timeframe, I will volunteer to make the required changes.

@squaremo
Copy link
Member

Is it possible to interpolate an env entry into the --git-url value? That might obviate the extra arguments -- you could just put the authkey into a secret and mount that to get the env entry. (This would be better than supplying it as an argument, too.)

@hiddeco hiddeco mentioned this pull request Sep 24, 2019
Merged
@hiddeco
Copy link
Member

hiddeco commented Sep 24, 2019
edited
Loading

Closing this as it has been superseded by above PR.

I have added you in as a co-author in my version @vyckou, as it is a rework of your work, hope this softens the pain of me closing this. 🌷

@hiddeco hiddeco closed this Sep 24, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@hiddeco hiddeco hiddeco left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@vyckou @linuxbsdfreak @hiddeco @squaremo