diff --git a/cmd/flux/create_secret_git.go b/cmd/flux/create_secret_git.go
index d24faadc..e7410ea8 100644
--- a/cmd/flux/create_secret_git.go
+++ b/cmd/flux/create_secret_git.go
@@ -34,8 +34,7 @@ import (
 var createSecretGitCmd = &cobra.Command{
 	Use: "git [name]",
 	Short: "Create or update a Kubernetes secret for Git authentication",
-	Long: `
-The create secret git command generates a Kubernetes secret with Git credentials.
+	Long: `The create secret git command generates a Kubernetes secret with Git credentials.
 For Git over SSH, the host and SSH keys are automatically generated and stored in the secret.
 For Git over HTTP/S, the provided basic authentication credentials are stored in the secret.`,
 	Example: `  # Create a Git SSH authentication secret using an ECDSA P-521 curve public key
@@ -45,6 +44,12 @@ For Git over HTTP/S, the provided basic authentication credentials are stored in
     --ssh-key-algorithm=ecdsa \
     --ssh-ecdsa-curve=p521
 
+  # Create a Git SSH authentication secret with a passwordless private key from file
+  # The public SSH host key will still be gathered from the host
+  flux create secret git podinfo-auth \
+    --url=ssh://git@github.com/stefanprodan/podinfo \
+    --private-key-file=./private.key
+
   # Create a secret for a Git repository using basic authentication
   flux create secret git podinfo-auth \
     --url=https://github.com/stefanprodan/podinfo \
@@ -65,19 +70,19 @@ For Git over HTTP/S, the provided basic authentication credentials are stored in
     --export > podinfo-auth.yaml
 
   sops --encrypt --encrypted-regex '^(data|stringData)$' \
-    --in-place podinfo-auth.yaml
-`,
+    --in-place podinfo-auth.yaml`,
 	RunE: createSecretGitCmdRun,
 }
 
 type secretGitFlags struct {
-	url string
-	username string
-	password string
-	keyAlgorithm flags.PublicKeyAlgorithm
-	rsaBits flags.RSAKeyBits
-	ecdsaCurve flags.ECDSACurve
-	caFile string
+	url            string
+	username       string
+	password       string
+	keyAlgorithm   flags.PublicKeyAlgorithm
+	rsaBits        flags.RSAKeyBits
+	ecdsaCurve     flags.ECDSACurve
+	caFile         string
+	privateKeyFile string
 }
 
 var secretGitArgs = NewSecretGitFlags()
@@ -90,6 +95,7 @@ func init() {
 	createSecretGitCmd.Flags().Var(&secretGitArgs.rsaBits, "ssh-rsa-bits", secretGitArgs.rsaBits.Description())
 	createSecretGitCmd.Flags().Var(&secretGitArgs.ecdsaCurve, "ssh-ecdsa-curve", secretGitArgs.ecdsaCurve.Description())
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
+	createSecretGitCmd.Flags().StringVar(&secretGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
 
 	createSecretCmd.AddCommand(createSecretGitCmd)
 }
@@ -130,6 +136,7 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 	switch u.Scheme {
 	case "ssh":
 		opts.SSHHostname = u.Host
+		opts.PrivateKeyPath = secretGitArgs.privateKeyFile
 		opts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(secretGitArgs.keyAlgorithm)
 		opts.RSAKeyBits = int(secretGitArgs.rsaBits)
 		opts.ECDSACurve = secretGitArgs.ecdsaCurve.Curve
diff --git a/cmd/flux/create_source_git.go b/cmd/flux/create_source_git.go
index 0741b968..0a87610f 100644
--- a/cmd/flux/create_source_git.go
+++ b/cmd/flux/create_source_git.go
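Review bot: The help string for the new `--private-key-file` flag in init() leaves the interaction with `--ssh-key-algorithm`, `--ssh-rsa-bits` and `--ssh-ecdsa-curve` unstated, even though all four are copied into the same `opts` further down and the precedence is resolved outside this file. Since the user can pass both sets at once, the flag description is the place to say which wins; something like `"path to a passwordless private key file used for authenticating to the Git SSH server; when set, the key-generation flags are not used"` would do, once the behaviour in sourcesecret has been confirmed. The same wording should be mirrored on the `create source git` flag so the two commands do not drift.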
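Review bot: The added `opts.PrivateKeyPath = secretGitArgs.privateKeyFile` sits inside `case "ssh":`, so a `--private-key-file` passed together with an `https://` URL is silently dropped and the command falls through to the basic-auth path as if the flag had never been given. A guard before the switch, `if secretGitArgs.privateKeyFile != "" && u.Scheme != "ssh" { return fmt.Errorf("--private-key-file is only supported for ssh:// URLs") }` (assuming fmt is already imported in this file), turns that confusing no-op into an immediate error. The flag is documented as accepting only a passwordless key, but nothing in this hunk checks that; the file is presumably read in the sourcesecret package, and if it is not validated there an encrypted key would be written into the secret and only fail later when source-controller tries to use it. createSecretGitCmdRun starts and ends outside the hunk.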
@@ -49,19 +49,19 @@ type sourceGitFlags struct {
 	semver string
 	username string
 	password string
-	caFile string
 	keyAlgorithm flags.PublicKeyAlgorithm
 	keyRSABits flags.RSAKeyBits
 	keyECDSACurve flags.ECDSACurve
 	secretRef string
 	gitImplementation flags.GitImplementation
+	caFile string
+	privateKeyFile string
 }
 
 var createSourceGitCmd = &cobra.Command{
 	Use: "git [name]",
 	Short: "Create or update a GitRepository source",
-	Long: `
-The create source git command generates a GitRepository resource and waits for it to sync.
+	Long: `The create source git command generates a GitRepository resource and waits for it to sync.
 For Git over SSH, host and SSH keys are automatically generated and stored in a Kubernetes secret.
 For private Git repositories, the basic authentication credentials are stored in a Kubernetes secret.`,
 	Example: `  # Create a source from a public Git repository master branch
@@ -69,7 +69,7 @@ For private Git repositories, the basic authentication credentials are stored in
     --url=https://github.com/stefanprodan/podinfo \
     --branch=master
 
-  # Create a source from a Git repository pinned to specific git tag
+  # Create a source for a Git repository pinned to specific git tag
   flux create source git podinfo \
     --url=https://github.com/stefanprodan/podinfo \
     --tag="3.2.3"
@@ -79,12 +79,12 @@ For private Git repositories, the basic authentication credentials are stored in
     --url=https://github.com/stefanprodan/podinfo \
     --tag-semver=">=3.2.0 <3.3.0"
 
-  # Create a source from a Git repository using SSH authentication
+  # Create a source for a Git repository using SSH authentication
   flux create source git podinfo \
     --url=ssh://git@github.com/stefanprodan/podinfo \
     --branch=master
 
-  # Create a source from a Git repository using SSH authentication and an
+  # Create a source for a Git repository using SSH authentication and an
   # ECDSA P-521 curve public key
   flux create source git podinfo \
     --url=ssh://git@github.com/stefanprodan/podinfo \
@@ -92,12 +92,19 @@ For private Git repositories, the basic authentication credentials are stored in
     --ssh-key-algorithm=ecdsa \
     --ssh-ecdsa-curve=p521
 
-  # Create a source from a Git repository using basic authentication
+  # Create a source for a Git repository using SSH authentication and a
+  # passwordless private key from file
+  # The public SSH host key will still be gathered from the host
+  flux create source git podinfo \
+    --url=ssh://git@github.com/stefanprodan/podinfo \
+    --branch=master \
+    --private-key-file=./private.key
+
+  # Create a source for a Git repository using basic authentication
   flux create source git podinfo \
     --url=https://github.com/stefanprodan/podinfo \
     --username=username \
-    --password=password
-`,
+    --password=password`,
 	RunE: createSourceGitCmdRun,
 }
 
@@ -116,6 +123,7 @@ func init() {
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.secretRef, "secret-ref", "", "the name of an existing secret containing SSH or basic credentials")
 	createSourceGitCmd.Flags().Var(&sourceGitArgs.gitImplementation, "git-implementation", sourceGitArgs.gitImplementation.Description())
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates, requires libgit2")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
 
 	createSourceCmd.AddCommand(createSourceGitCmd)
 }
@@ -216,6 +224,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	switch u.Scheme {
 	case "ssh":
 		secretOpts.SSHHostname = u.Host
+		secretOpts.PrivateKeyPath = sourceGitArgs.privateKeyFile
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(sourceGitArgs.keyAlgorithm)
 		secretOpts.RSAKeyBits = int(sourceGitArgs.keyRSABits)
 		secretOpts.ECDSACurve = sourceGitArgs.keyECDSACurve.Curve
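Review bot: `secretOpts.PrivateKeyPath = sourceGitArgs.privateKeyFile` is only reached under `case "ssh":`, so `--private-key-file` combined with an `https://` URL is ignored without any message, and the same appears to hold when `--secret-ref` is supplied, since the existing-secret path presumably never builds `secretOpts` at all (that branch is outside the hunk, so this is inferred). An explicit pre-check keeps the user from shipping a GitRepository that never had the key they pointed at: `if sourceGitArgs.privateKeyFile != "" && (u.Scheme != "ssh" || sourceGitArgs.secretRef != "") { return fmt.Errorf("--private-key-file requires an ssh:// URL and cannot be combined with --secret-ref") }` (assuming fmt is already imported here). Nothing in this hunk verifies the key is actually passwordless as the flag text promises, so an encrypted key would surface only as a reconcile failure on the cluster. createSourceGitCmdRun starts and ends outside the hunk.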
diff --git a/docs/cmd/flux_create_secret_git.md b/docs/cmd/flux_create_secret_git.md
index d9a1ca98..d70c8fc1 100644
--- a/docs/cmd/flux_create_secret_git.md
+++ b/docs/cmd/flux_create_secret_git.md
@@ -7,7 +7,6 @@ Create or update a Kubernetes secret for Git authentication
 
 ### Synopsis
 
-
 The create secret git command generates a Kubernetes secret with Git credentials.
 For Git over SSH, the host and SSH keys are automatically generated and stored in the secret.
 For Git over HTTP/S, the provided basic authentication credentials are stored in the secret.
@@ -26,6 +25,12 @@ flux create secret git [name] [flags]
     --ssh-key-algorithm=ecdsa \
     --ssh-ecdsa-curve=p521
 
+  # Create a Git SSH authentication secret with a passwordless private key from file
+  # The public SSH host key will still be gathered from the host
+  flux create secret git podinfo-auth \
+    --url=ssh://git@github.com/stefanprodan/podinfo \
+    --private-key-file=./private.key
+
   # Create a secret for a Git repository using basic authentication
   flux create secret git podinfo-auth \
     --url=https://github.com/stefanprodan/podinfo \
@@ -47,7 +52,6 @@ flux create secret git [name] [flags]
   sops --encrypt --encrypted-regex '^(data|stringData)$' \
     --in-place podinfo-auth.yaml
 
-
 ```
 
 ### Options
@@ -56,6 +60,7 @@ flux create secret git [name] [flags]
       --ca-file string path to TLS CA file used for validating self-signed certificates
   -h, --help help for git
   -p, --password string basic authentication password
+      --private-key-file string path to a passwordless private key file used for authenticating to the Git SSH server
       --ssh-ecdsa-curve ecdsaCurve SSH ECDSA public key curve (p256, p384, p521) (default p384)
       --ssh-key-algorithm publicKeyAlgorithm SSH public key algorithm (rsa, ecdsa, ed25519) (default rsa)
       --ssh-rsa-bits rsaKeyBits SSH RSA public key bit size (multiplies of 8) (default 2048)
diff --git a/docs/cmd/flux_create_source_git.md b/docs/cmd/flux_create_source_git.md
index 963425f8..e84455f2 100644
--- a/docs/cmd/flux_create_source_git.md
+++ b/docs/cmd/flux_create_source_git.md
@@ -7,7 +7,6 @@ Create or update a GitRepository source
 
 ### Synopsis
 
-
 The create source git command generates a GitRepository resource and waits for it to sync.
 For Git over SSH, host and SSH keys are automatically generated and stored in a Kubernetes secret.
 For private Git repositories, the basic authentication credentials are stored in a Kubernetes secret.
@@ -24,7 +23,7 @@ flux create source git [name] [flags]
     --url=https://github.com/stefanprodan/podinfo \
     --branch=master
 
-  # Create a source from a Git repository pinned to specific git tag
+  # Create a source for a Git repository pinned to specific git tag
   flux create source git podinfo \
     --url=https://github.com/stefanprodan/podinfo \
     --tag="3.2.3"
@@ -34,12 +33,12 @@ flux create source git [name] [flags]
     --url=https://github.com/stefanprodan/podinfo \
     --tag-semver=">=3.2.0 <3.3.0"
 
-  # Create a source from a Git repository using SSH authentication
+  # Create a source for a Git repository using SSH authentication
   flux create source git podinfo \
     --url=ssh://git@github.com/stefanprodan/podinfo \
     --branch=master
 
-  # Create a source from a Git repository using SSH authentication and an
+  # Create a source for a Git repository using SSH authentication and an
   # ECDSA P-521 curve public key
   flux create source git podinfo \
     --url=ssh://git@github.com/stefanprodan/podinfo \
@@ -47,12 +46,19 @@ flux create source git [name] [flags]
     --ssh-key-algorithm=ecdsa \
     --ssh-ecdsa-curve=p521
 
-  # Create a source from a Git repository using basic authentication
+  # Create a source for a Git repository using SSH authentication and a
+  # passwordless private key from file
+  # The public SSH host key will still be gathered from the host
+  flux create source git podinfo \
+    --url=ssh://git@github.com/stefanprodan/podinfo \
+    --branch=master \
+    --private-key-file=./private.key
+
+  # Create a source for a Git repository using basic authentication
   flux create source git podinfo \
     --url=https://github.com/stefanprodan/podinfo \
     --username=username \
     --password=password
-
 ```
 
 ### Options
@@ -63,6 +69,7 @@ flux create source git [name] [flags]
       --git-implementation gitImplementation the Git implementation to use, available options are: (go-git, libgit2)
   -h, --help help for git
   -p, --password string basic authentication password
+      --private-key-file string path to a passwordless private key file used for authenticating to the Git SSH server
       --secret-ref string the name of an existing secret containing SSH or basic credentials
       --ssh-ecdsa-curve ecdsaCurve SSH ECDSA public key curve (p256, p384, p521) (default p384)
       --ssh-key-algorithm publicKeyAlgorithm SSH public key algorithm (rsa, ecdsa, ed25519) (default rsa)