Mirrors/flux2
1
0
Fork 0
mirror of synced 2026-02-06 19:05:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

Allow supplying PK from file for Git source/secret

Browse Source 
This commit adds support for supplying a path to an existing private
key file to both the `flux create secret git` and `flux create source
git` commands.

If a path is given, any private key generation configuration options
are ignored by the manifest generator. The SSH host will however still
be scanned for server keys.

Signed-off-by: Hidde Beydals <hello@hidde.co>
This commit is contained in:
Hidde Beydals
2021-03-25 18:34:28 +01:00
parent 63a210a0b2
commit 4750d0d81c
4 changed files with 56 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
cmd/flux/create_secret_git.go
View File

@@ -34,8 +34,7 @@ import (
var createSecretGitCmd = &cobra.Command{ var createSecretGitCmd = &cobra.Command{
Use: "git [name]", Use: "git [name]",
Short: "Create or update a Kubernetes secret for Git authentication", Short: "Create or update a Kubernetes secret for Git authentication",
Long: ` Long: `The create secret git command generates a Kubernetes secret with Git credentials.
The create secret git command generates a Kubernetes secret with Git credentials.
For Git over SSH, the host and SSH keys are automatically generated and stored in the secret. For Git over SSH, the host and SSH keys are automatically generated and stored in the secret.
For Git over HTTP/S, the provided basic authentication credentials are stored in the secret.`, For Git over HTTP/S, the provided basic authentication credentials are stored in the secret.`,
Example: ` # Create a Git SSH authentication secret using an ECDSA P-521 curve public key Example: ` # Create a Git SSH authentication secret using an ECDSA P-521 curve public key
@@ -45,6 +44,12 @@ For Git over HTTP/S, the provided basic authentication credentials are stored in
--ssh-key-algorithm=ecdsa \ --ssh-key-algorithm=ecdsa \
--ssh-ecdsa-curve=p521 --ssh-ecdsa-curve=p521
# Create a Git SSH authentication secret with a passwordless private key from file
# The public SSH host key will still be gathered from the host
flux create secret git podinfo-auth \
--url=ssh://git@github.com/stefanprodan/podinfo \
--private-key-file=./private.key
# Create a secret for a Git repository using basic authentication # Create a secret for a Git repository using basic authentication
flux create secret git podinfo-auth \ flux create secret git podinfo-auth \
--url=https://github.com/stefanprodan/podinfo \ --url=https://github.com/stefanprodan/podinfo \
@@ -65,19 +70,19 @@ For Git over HTTP/S, the provided basic authentication credentials are stored in
--export > podinfo-auth.yaml --export > podinfo-auth.yaml
sops --encrypt --encrypted-regex '^(data|stringData)$' \ sops --encrypt --encrypted-regex '^(data|stringData)$' \
--in-place podinfo-auth.yaml --in-place podinfo-auth.yaml`,
`,
RunE: createSecretGitCmdRun, RunE: createSecretGitCmdRun,
} }
type secretGitFlags struct { type secretGitFlags struct {
url string url string
username string username string
password string password string
keyAlgorithm flags.PublicKeyAlgorithm keyAlgorithm flags.PublicKeyAlgorithm
rsaBits flags.RSAKeyBits rsaBits flags.RSAKeyBits
ecdsaCurve flags.ECDSACurve ecdsaCurve flags.ECDSACurve
caFile string caFile string
privateKeyFile string
} }
var secretGitArgs = NewSecretGitFlags() var secretGitArgs = NewSecretGitFlags()
@@ -90,6 +95,7 @@ func init() {
createSecretGitCmd.Flags().Var(&secretGitArgs.rsaBits, "ssh-rsa-bits", secretGitArgs.rsaBits.Description()) createSecretGitCmd.Flags().Var(&secretGitArgs.rsaBits, "ssh-rsa-bits", secretGitArgs.rsaBits.Description())
createSecretGitCmd.Flags().Var(&secretGitArgs.ecdsaCurve, "ssh-ecdsa-curve", secretGitArgs.ecdsaCurve.Description()) createSecretGitCmd.Flags().Var(&secretGitArgs.ecdsaCurve, "ssh-ecdsa-curve", secretGitArgs.ecdsaCurve.Description())
createSecretGitCmd.Flags().StringVar(&secretGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates") createSecretGitCmd.Flags().StringVar(&secretGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
createSecretGitCmd.Flags().StringVar(&secretGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
createSecretCmd.AddCommand(createSecretGitCmd) createSecretCmd.AddCommand(createSecretGitCmd)
} }
@@ -130,6 +136,7 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
switch u.Scheme { switch u.Scheme {
case "ssh": case "ssh":
opts.SSHHostname = u.Host opts.SSHHostname = u.Host
opts.PrivateKeyPath = secretGitArgs.privateKeyFile
opts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(secretGitArgs.keyAlgorithm) opts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(secretGitArgs.keyAlgorithm)
opts.RSAKeyBits = int(secretGitArgs.rsaBits) opts.RSAKeyBits = int(secretGitArgs.rsaBits)
opts.ECDSACurve = secretGitArgs.ecdsaCurve.Curve opts.ECDSACurve = secretGitArgs.ecdsaCurve.Curve

27
cmd/flux/create_source_git.go
View File

@@ -49,19 +49,19 @@ type sourceGitFlags struct {
semver string semver string
username string username string
password string password string
caFile string
keyAlgorithm flags.PublicKeyAlgorithm keyAlgorithm flags.PublicKeyAlgorithm
keyRSABits flags.RSAKeyBits keyRSABits flags.RSAKeyBits
keyECDSACurve flags.ECDSACurve keyECDSACurve flags.ECDSACurve
secretRef string secretRef string
gitImplementation flags.GitImplementation gitImplementation flags.GitImplementation
caFile string
privateKeyFile string
} }
var createSourceGitCmd = &cobra.Command{ var createSourceGitCmd = &cobra.Command{
Use: "git [name]", Use: "git [name]",
Short: "Create or update a GitRepository source", Short: "Create or update a GitRepository source",
Long: ` Long: `The create source git command generates a GitRepository resource and waits for it to sync.
The create source git command generates a GitRepository resource and waits for it to sync.
For Git over SSH, host and SSH keys are automatically generated and stored in a Kubernetes secret. For Git over SSH, host and SSH keys are automatically generated and stored in a Kubernetes secret.
For private Git repositories, the basic authentication credentials are stored in a Kubernetes secret.`, For private Git repositories, the basic authentication credentials are stored in a Kubernetes secret.`,
Example: ` # Create a source from a public Git repository master branch Example: ` # Create a source from a public Git repository master branch
@@ -69,7 +69,7 @@ For private Git repositories, the basic authentication credentials are stored in
--url=https://github.com/stefanprodan/podinfo \ --url=https://github.com/stefanprodan/podinfo \
--branch=master --branch=master
# Create a source from a Git repository pinned to specific git tag # Create a source for a Git repository pinned to specific git tag
flux create source git podinfo \ flux create source git podinfo \
--url=https://github.com/stefanprodan/podinfo \ --url=https://github.com/stefanprodan/podinfo \
--tag="3.2.3" --tag="3.2.3"
@@ -79,12 +79,12 @@ For private Git repositories, the basic authentication credentials are stored in
--url=https://github.com/stefanprodan/podinfo \ --url=https://github.com/stefanprodan/podinfo \
--tag-semver=">=3.2.0 <3.3.0" --tag-semver=">=3.2.0 <3.3.0"
# Create a source from a Git repository using SSH authentication # Create a source for a Git repository using SSH authentication
flux create source git podinfo \ flux create source git podinfo \
--url=ssh://git@github.com/stefanprodan/podinfo \ --url=ssh://git@github.com/stefanprodan/podinfo \
--branch=master --branch=master
# Create a source from a Git repository using SSH authentication and an # Create a source for a Git repository using SSH authentication and an
# ECDSA P-521 curve public key # ECDSA P-521 curve public key
flux create source git podinfo \ flux create source git podinfo \
--url=ssh://git@github.com/stefanprodan/podinfo \ --url=ssh://git@github.com/stefanprodan/podinfo \
@@ -92,12 +92,19 @@ For private Git repositories, the basic authentication credentials are stored in
--ssh-key-algorithm=ecdsa \ --ssh-key-algorithm=ecdsa \
--ssh-ecdsa-curve=p521 --ssh-ecdsa-curve=p521
# Create a source from a Git repository using basic authentication # Create a source for a Git repository using SSH authentication and a
# passwordless private key from file
# The public SSH host key will still be gathered from the host
flux create source git podinfo \
--url=ssh://git@github.com/stefanprodan/podinfo \
--branch=master \
--private-key-file=./private.key
# Create a source for a Git repository using basic authentication
flux create source git podinfo \ flux create source git podinfo \
--url=https://github.com/stefanprodan/podinfo \ --url=https://github.com/stefanprodan/podinfo \
--username=username \ --username=username \
--password=password --password=password`,
`,
RunE: createSourceGitCmdRun, RunE: createSourceGitCmdRun,
} }
@@ -116,6 +123,7 @@ func init() {
createSourceGitCmd.Flags().StringVar(&sourceGitArgs.secretRef, "secret-ref", "", "the name of an existing secret containing SSH or basic credentials") createSourceGitCmd.Flags().StringVar(&sourceGitArgs.secretRef, "secret-ref", "", "the name of an existing secret containing SSH or basic credentials")
createSourceGitCmd.Flags().Var(&sourceGitArgs.gitImplementation, "git-implementation", sourceGitArgs.gitImplementation.Description()) createSourceGitCmd.Flags().Var(&sourceGitArgs.gitImplementation, "git-implementation", sourceGitArgs.gitImplementation.Description())
createSourceGitCmd.Flags().StringVar(&sourceGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates, requires libgit2") createSourceGitCmd.Flags().StringVar(&sourceGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates, requires libgit2")
createSourceGitCmd.Flags().StringVar(&sourceGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
createSourceCmd.AddCommand(createSourceGitCmd) createSourceCmd.AddCommand(createSourceGitCmd)
} }
@@ -216,6 +224,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
switch u.Scheme { switch u.Scheme {
case "ssh": case "ssh":
secretOpts.SSHHostname = u.Host secretOpts.SSHHostname = u.Host
secretOpts.PrivateKeyPath = sourceGitArgs.privateKeyFile
secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(sourceGitArgs.keyAlgorithm) secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(sourceGitArgs.keyAlgorithm)
secretOpts.RSAKeyBits = int(sourceGitArgs.keyRSABits) secretOpts.RSAKeyBits = int(sourceGitArgs.keyRSABits)
secretOpts.ECDSACurve = sourceGitArgs.keyECDSACurve.Curve secretOpts.ECDSACurve = sourceGitArgs.keyECDSACurve.Curve

9
docs/cmd/flux_create_secret_git.md
View File

@@ -7,7 +7,6 @@ Create or update a Kubernetes secret for Git authentication
### Synopsis ### Synopsis
The create secret git command generates a Kubernetes secret with Git credentials. The create secret git command generates a Kubernetes secret with Git credentials.
For Git over SSH, the host and SSH keys are automatically generated and stored in the secret. For Git over SSH, the host and SSH keys are automatically generated and stored in the secret.
For Git over HTTP/S, the provided basic authentication credentials are stored in the secret. For Git over HTTP/S, the provided basic authentication credentials are stored in the secret.
@@ -26,6 +25,12 @@ flux create secret git [name] [flags]
--ssh-key-algorithm=ecdsa \ --ssh-key-algorithm=ecdsa \
--ssh-ecdsa-curve=p521 --ssh-ecdsa-curve=p521
# Create a Git SSH authentication secret with a passwordless private key from file
# The public SSH host key will still be gathered from the host
flux create secret git podinfo-auth \
--url=ssh://git@github.com/stefanprodan/podinfo \
--private-key-file=./private.key
# Create a secret for a Git repository using basic authentication # Create a secret for a Git repository using basic authentication
flux create secret git podinfo-auth \ flux create secret git podinfo-auth \
--url=https://github.com/stefanprodan/podinfo \ --url=https://github.com/stefanprodan/podinfo \
@@ -47,7 +52,6 @@ flux create secret git [name] [flags]
sops --encrypt --encrypted-regex '^(data|stringData)$' \ sops --encrypt --encrypted-regex '^(data|stringData)$' \
--in-place podinfo-auth.yaml --in-place podinfo-auth.yaml
``` ```
### Options ### Options
@@ -56,6 +60,7 @@ flux create secret git [name] [flags]
--ca-file string path to TLS CA file used for validating self-signed certificates --ca-file string path to TLS CA file used for validating self-signed certificates
-h, --help help for git -h, --help help for git
-p, --password string basic authentication password -p, --password string basic authentication password
--private-key-file string path to a passwordless private key file used for authenticating to the Git SSH server
--ssh-ecdsa-curve ecdsaCurve SSH ECDSA public key curve (p256, p384, p521) (default p384) --ssh-ecdsa-curve ecdsaCurve SSH ECDSA public key curve (p256, p384, p521) (default p384)
--ssh-key-algorithm publicKeyAlgorithm SSH public key algorithm (rsa, ecdsa, ed25519) (default rsa) --ssh-key-algorithm publicKeyAlgorithm SSH public key algorithm (rsa, ecdsa, ed25519) (default rsa)
--ssh-rsa-bits rsaKeyBits SSH RSA public key bit size (multiplies of 8) (default 2048) --ssh-rsa-bits rsaKeyBits SSH RSA public key bit size (multiplies of 8) (default 2048)

19
docs/cmd/flux_create_source_git.md
View File

@@ -7,7 +7,6 @@ Create or update a GitRepository source
### Synopsis ### Synopsis
The create source git command generates a GitRepository resource and waits for it to sync. The create source git command generates a GitRepository resource and waits for it to sync.
For Git over SSH, host and SSH keys are automatically generated and stored in a Kubernetes secret. For Git over SSH, host and SSH keys are automatically generated and stored in a Kubernetes secret.
For private Git repositories, the basic authentication credentials are stored in a Kubernetes secret. For private Git repositories, the basic authentication credentials are stored in a Kubernetes secret.
@@ -24,7 +23,7 @@ flux create source git [name] [flags]
--url=https://github.com/stefanprodan/podinfo \ --url=https://github.com/stefanprodan/podinfo \
--branch=master --branch=master
# Create a source from a Git repository pinned to specific git tag # Create a source for a Git repository pinned to specific git tag
flux create source git podinfo \ flux create source git podinfo \
--url=https://github.com/stefanprodan/podinfo \ --url=https://github.com/stefanprodan/podinfo \
--tag="3.2.3" --tag="3.2.3"
@@ -34,12 +33,12 @@ flux create source git [name] [flags]
--url=https://github.com/stefanprodan/podinfo \ --url=https://github.com/stefanprodan/podinfo \
--tag-semver=">=3.2.0 <3.3.0" --tag-semver=">=3.2.0 <3.3.0"
# Create a source from a Git repository using SSH authentication # Create a source for a Git repository using SSH authentication
flux create source git podinfo \ flux create source git podinfo \
--url=ssh://git@github.com/stefanprodan/podinfo \ --url=ssh://git@github.com/stefanprodan/podinfo \
--branch=master --branch=master
# Create a source from a Git repository using SSH authentication and an # Create a source for a Git repository using SSH authentication and an
# ECDSA P-521 curve public key # ECDSA P-521 curve public key
flux create source git podinfo \ flux create source git podinfo \
--url=ssh://git@github.com/stefanprodan/podinfo \ --url=ssh://git@github.com/stefanprodan/podinfo \
@@ -47,12 +46,19 @@ flux create source git [name] [flags]
--ssh-key-algorithm=ecdsa \ --ssh-key-algorithm=ecdsa \
--ssh-ecdsa-curve=p521 --ssh-ecdsa-curve=p521
# Create a source from a Git repository using basic authentication # Create a source for a Git repository using SSH authentication and a
# passwordless private key from file
# The public SSH host key will still be gathered from the host
flux create source git podinfo \
--url=ssh://git@github.com/stefanprodan/podinfo \
--branch=master \
--private-key-file=./private.key
# Create a source for a Git repository using basic authentication
flux create source git podinfo \ flux create source git podinfo \
--url=https://github.com/stefanprodan/podinfo \ --url=https://github.com/stefanprodan/podinfo \
--username=username \ --username=username \
--password=password --password=password
``` ```
### Options ### Options
@@ -63,6 +69,7 @@ flux create source git [name] [flags]
--git-implementation gitImplementation the Git implementation to use, available options are: (go-git, libgit2) --git-implementation gitImplementation the Git implementation to use, available options are: (go-git, libgit2)
-h, --help help for git -h, --help help for git
-p, --password string basic authentication password -p, --password string basic authentication password
--private-key-file string path to a passwordless private key file used for authenticating to the Git SSH server
--secret-ref string the name of an existing secret containing SSH or basic credentials --secret-ref string the name of an existing secret containing SSH or basic credentials
--ssh-ecdsa-curve ecdsaCurve SSH ECDSA public key curve (p256, p384, p521) (default p384) --ssh-ecdsa-curve ecdsaCurve SSH ECDSA public key curve (p256, p384, p521) (default p384)
--ssh-key-algorithm publicKeyAlgorithm SSH public key algorithm (rsa, ecdsa, ed25519) (default rsa) --ssh-key-algorithm publicKeyAlgorithm SSH public key algorithm (rsa, ecdsa, ed25519) (default rsa)