diff --git a/cmd/flux/create_secret_git.go b/cmd/flux/create_secret_git.go
index a9330cff..9865cbc9 100644
--- a/cmd/flux/create_secret_git.go
+++ b/cmd/flux/create_secret_git.go
@@ -88,6 +88,7 @@ type secretGitFlags struct {
 rsaBits flags.RSAKeyBits
 ecdsaCurve flags.ECDSACurve
 caFile string
+ caCrtFile string
 privateKeyFile string
 bearerToken string
 }
@@ -102,6 +103,7 @@ func init() {
 createSecretGitCmd.Flags().Var(&secretGitArgs.rsaBits, "ssh-rsa-bits", secretGitArgs.rsaBits.Description())
 createSecretGitCmd.Flags().Var(&secretGitArgs.ecdsaCurve, "ssh-ecdsa-curve", secretGitArgs.ecdsaCurve.Description())
 createSecretGitCmd.Flags().StringVar(&secretGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
+ createSecretGitCmd.Flags().StringVar(&secretGitArgs.caCrtFile, "ca-crt-file", "", "path to TLS CA certificate file used for validating self-signed certificates; takes precedence over --ca-file")
 createSecretGitCmd.Flags().StringVar(&secretGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
 createSecretGitCmd.Flags().StringVar(&secretGitArgs.bearerToken, "bearer-token", "", "bearer authentication token")
@@ -160,12 +162,18 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 if secretGitArgs.username != "" && secretGitArgs.password != "" && secretGitArgs.bearerToken != "" {
 return fmt.Errorf("user credentials and bearer token cannot be used together")
 }
- if secretGitArgs.caFile != "" {
- caBundle, err := os.ReadFile(secretGitArgs.caFile)
+
+ // --ca-crt-file takes precedence over --ca-file.
+ if secretGitArgs.caCrtFile != "" {
+ opts.CACrt, err = os.ReadFile(secretGitArgs.caCrtFile)
+ if err != nil {
+ return fmt.Errorf("unable to read TLS CA file: %w", err)
+ }
+ } else if secretGitArgs.caFile != "" {
+ opts.CAFile, err = os.ReadFile(secretGitArgs.caFile)
 if err != nil {
 return fmt.Errorf("unable to read TLS CA file: %w", err)
 }
- opts.CAFile = caBundle
 }
 default:
 return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
diff --git a/cmd/flux/create_secret_git_test.go b/cmd/flux/create_secret_git_test.go
index bdf2431d..d4c84d0d 100644
--- a/cmd/flux/create_secret_git_test.go
+++ b/cmd/flux/create_secret_git_test.go
@@ -1,10 +1,21 @@
 package main
 import (
+ "fmt"
+ "os"
 "testing"
 )
 func TestCreateGitSecret(t *testing.T) {
+ file, err := os.CreateTemp(t.TempDir(), "ca-crt")
+ if err != nil {
+ t.Fatal("could not create CA certificate file")
+ }
+ _, err = file.Write([]byte("ca-data"))
+ if err != nil {
+ t.Fatal("could not write to CA certificate file")
+ }
+
 tests := []struct {
 name string
 args string
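Review bot: When both `--ca-crt-file` and `--ca-file` are passed, the new `else if` silently drops `--ca-file`, while the check a few lines above rejects conflicting credentials with an error; an ignored trust-anchor input deserves at least the same treatment, e.g. `if secretGitArgs.caCrtFile != "" && secretGitArgs.caFile != "" {` / `return fmt.Errorf("--ca-crt-file and --ca-file cannot be used together")` / `}` ahead of the branch (or, if the documented precedence is intended, a warning on stderr so the operator sees which file was used). Both error paths also return the identical text `unable to read TLS CA file`, so a failure cannot be traced to the flag that caused it; the added branch could say `return fmt.Errorf("unable to read TLS CA certificate file %q: %w", secretGitArgs.caCrtFile, err)`. The assignments now write to an `err` that is presumably declared earlier in the function, outside this hunk; createSecretGitCmdRun begins before the hunk and the enclosing `switch` case ends after it.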
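Review bot: The file returned by `os.CreateTemp` is never closed, so the handle stays open for the whole test and the cleanup registered by `t.TempDir` can fail on platforms that refuse to remove open files; close it right after the write, `if err := file.Close(); err != nil {` / `t.Fatalf("could not close CA certificate file: %v", err)` / `}`. Both `t.Fatal` calls also discard `err`, which hides the actual cause of a failure; `t.Fatalf("could not create CA certificate file: %v", err)` keeps it. The fixture content `ca-data` is not a certificate, so this test only shows that the bytes are copied into the secret, not that a CA file is accepted as such. TestCreateGitSecret continues outside the hunk.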
@@ -35,6 +46,11 @@ func TestCreateGitSecret(t *testing.T) {
 args: "create secret git bearer-token-auth --url=https://github.com/stefanprodan/podinfo --bearer-token=ghp_baR2qnFF0O41WlucePL3udt2N9vVZS4R0hAS --namespace=my-namespace --export",
 assert: assertGoldenFile("testdata/create_secret/git/git-bearer-token.yaml"),
 },
+ {
+ name: "git authentication with CA certificate",
+ args: fmt.Sprintf("create secret git ca-crt --url=https://github.com/stefanprodan/podinfo --password=my-password --username=my-username --ca-crt-file=%s --namespace=my-namespace --export", file.Name()),
+ assert: assertGoldenFile("testdata/create_secret/git/secret-ca-crt.yaml"),
+ },
 {
 name: "git authentication with basic auth and bearer token",
 args: "create secret git podinfo-auth --url=https://github.com/stefanprodan/podinfo --username=aaa --password=zzzz --bearer-token=aaaa --namespace=my-namespace --export",
diff --git a/cmd/flux/testdata/create_secret/git/secret-ca-crt.yaml b/cmd/flux/testdata/create_secret/git/secret-ca-crt.yaml
new file mode 100644
index 00000000..958bd45f
--- /dev/null
+++ b/cmd/flux/testdata/create_secret/git/secret-ca-crt.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: ca-crt
+ namespace: my-namespace
+stringData:
+ ca.crt: ca-data
+ password: my-password
+ username: my-username
+