Create secret with bearer-token
Signed-off-by: Santosh Kaluskar <dtshbl@gmail.com>
@@ -37,7 +37,7 @@ var createSecretGitCmd = &cobra.Command{
|
|||||||
Short: "Create or update a Kubernetes secret for Git authentication",
|
Short: "Create or update a Kubernetes secret for Git authentication",
|
||||||
Long: `The create secret git command generates a Kubernetes secret with Git credentials.
|
Long: `The create secret git command generates a Kubernetes secret with Git credentials.
|
||||||
For Git over SSH, the host and SSH keys are automatically generated and stored in the secret.
|
For Git over SSH, the host and SSH keys are automatically generated and stored in the secret.
|
||||||
For Git over HTTP/S, the provided basic authentication credentials are stored in the secret.`,
|
For Git over HTTP/S, the provided basic authentication credentials or bearer authentication token are stored in the secret.`,
|
||||||
Example: ` # Create a Git SSH authentication secret using an ECDSA P-521 curve public key
|
Example: ` # Create a Git SSH authentication secret using an ECDSA P-521 curve public key
|
||||||
|
|
||||||
flux create secret git podinfo-auth \
|
flux create secret git podinfo-auth \
|
||||||
@@ -87,6 +87,7 @@ type secretGitFlags struct {
|
|||||||
ecdsaCurve flags.ECDSACurve
|
ecdsaCurve flags.ECDSACurve
|
||||||
caFile string
|
caFile string
|
||||||
privateKeyFile string
|
privateKeyFile string
|
||||||
|
bearerToken string
|
||||||
}
|
}
|
||||||
|
|
||||||
var secretGitArgs = NewSecretGitFlags()
|
var secretGitArgs = NewSecretGitFlags()
|
||||||
@@ -100,6 +101,7 @@ func init() {
|
|||||||
createSecretGitCmd.Flags().Var(&secretGitArgs.ecdsaCurve, "ssh-ecdsa-curve", secretGitArgs.ecdsaCurve.Description())
|
createSecretGitCmd.Flags().Var(&secretGitArgs.ecdsaCurve, "ssh-ecdsa-curve", secretGitArgs.ecdsaCurve.Description())
|
||||||
createSecretGitCmd.Flags().StringVar(&secretGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
|
createSecretGitCmd.Flags().StringVar(&secretGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
|
||||||
createSecretGitCmd.Flags().StringVar(&secretGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
|
createSecretGitCmd.Flags().StringVar(&secretGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
|
||||||
|
createSecretGitCmd.Flags().StringVar(&secretGitArgs.bearerToken, "bearer-token", "", "bearer authentication token")
|
||||||
|
|
||||||
createSecretCmd.AddCommand(createSecretGitCmd)
|
createSecretCmd.AddCommand(createSecretGitCmd)
|
||||||
}
|
}
|
||||||
@@ -147,11 +149,15 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
|
|||||||
opts.ECDSACurve = secretGitArgs.ecdsaCurve.Curve
|
opts.ECDSACurve = secretGitArgs.ecdsaCurve.Curve
|
||||||
opts.Password = secretGitArgs.password
|
opts.Password = secretGitArgs.password
|
||||||
case "http", "https":
|
case "http", "https":
|
||||||
if secretGitArgs.username == "" || secretGitArgs.password == "" {
|
if (secretGitArgs.username == "" || secretGitArgs.password == "") && secretGitArgs.bearerToken == "" {
|
||||||
return fmt.Errorf("for Git over HTTP/S the username and password are required")
|
return fmt.Errorf("for Git over HTTP/S the username and password, or a bearer token is required")
|
||||||
}
|
}
|
||||||
opts.Username = secretGitArgs.username
|
opts.Username = secretGitArgs.username
|
||||||
opts.Password = secretGitArgs.password
|
opts.Password = secretGitArgs.password
|
||||||
|
opts.BearerToken = secretGitArgs.bearerToken
|
||||||
|
if secretGitArgs.username != "" && secretGitArgs.password != "" && secretGitArgs.bearerToken != "" {
|
||||||
|
return fmt.Errorf("user credentials and bearer token cannot be used together")
|
||||||
|
}
|
||||||
if secretGitArgs.caFile != "" {
|
if secretGitArgs.caFile != "" {
|
||||||
caBundle, err := os.ReadFile(secretGitArgs.caFile)
|
caBundle, err := os.ReadFile(secretGitArgs.caFile)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
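Review bot: The mutual-exclusion check added as `if secretGitArgs.username != "" && secretGitArgs.password != "" && secretGitArgs.bearerToken != ""` only fires when all three flags are set, so `--username` (or `--password`) on its own together with `--bearer-token` passes both new checks and the secret is built with a username and a bearer token side by side. The required-credentials check two lines earlier lets the same combination through, because the bearer token alone satisfies it. Rejecting any partial basic-auth input next to the token closes the gap: `if (secretGitArgs.username != "" || secretGitArgs.password != "") && secretGitArgs.bearerToken != "" {`. The `--bearer-token` help text in the `init()` hunk could also state the scope and the exclusivity, e.g. `"bearer authentication token for Git over HTTP/S, cannot be combined with --username/--password"`. The switch inside createSecretGitCmdRun begins and ends outside the hunk.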
|
|||||||
@@ -30,6 +30,16 @@ func TestCreateGitSecret(t *testing.T) {
|
|||||||
args: "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/ecdsa-password.private --password=password --namespace=my-namespace --export",
|
args: "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/ecdsa-password.private --password=password --namespace=my-namespace --export",
|
||||||
assert: assertGoldenFile("testdata/create_secret/git/git-ssh-secret-password.yaml"),
|
assert: assertGoldenFile("testdata/create_secret/git/git-ssh-secret-password.yaml"),
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "git authentication with bearer token",
|
||||||
|
args: "create secret git bearer-token-auth --url=https://github.com/stefanprodan/podinfo --bearer-token=ghp_baR2qnFF0O41WlucePL3udt2N9vVZS4R0hAS --namespace=my-namespace --export",
|
||||||
|
assert: assertGoldenFile("testdata/create_secret/git/git-bearer-token.yaml"),
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "git authentication with basic auth and bearer token",
|
||||||
|
args: "create secret git podinfo-auth --url=https://github.com/stefanprodan/podinfo --username=aaa --password=zzzz --bearer-token=aaaa --namespace=my-namespace --export",
|
||||||
|
assert: assertError("user credentials and bearer token cannot be used together"),
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, tt := range tests {
|
for _, tt := range tests {
|
||||||
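Review bot: The new cases do not cover a bearer token combined with only one half of basic auth (for example `--username=aaa --bearer-token=aaaa` with no `--password`), which is exactly the combination the command's new checks do not reject; a case asserting an error there would pin the intended exclusivity. The token value `ghp_baR2qnFF0O41WlucePL3udt2N9vVZS4R0hAS` used in the args and in the golden file appears to have the shape of a live GitHub personal access token, so secret-scanning tools are likely to flag it on every push; a visibly fake value such as `ghp_testtoken` in both places avoids that noise. The `tests` table starts outside the hunk.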
|
|||||||
9
cmd/flux/testdata/create_secret/git/git-bearer-token.yaml
@@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: bearer-token-auth
|
||||||
|
namespace: my-namespace
|
||||||
|
stringData:
|
||||||
|
bearerToken: ghp_baR2qnFF0O41WlucePL3udt2N9vVZS4R0hAS
|
||||||
|
|
||||||
@@ -39,6 +39,7 @@ const (
|
|||||||
PrivateKeySecretKey = "identity"
|
PrivateKeySecretKey = "identity"
|
||||||
PublicKeySecretKey = "identity.pub"
|
PublicKeySecretKey = "identity.pub"
|
||||||
KnownHostsSecretKey = "known_hosts"
|
KnownHostsSecretKey = "known_hosts"
|
||||||
|
BearerTokenKey = "bearerToken"
|
||||||
)
|
)
|
||||||
|
|
||||||
type Options struct {
|
type Options struct {
|
||||||
@@ -58,6 +59,7 @@ type Options struct {
|
|||||||
KeyFile []byte
|
KeyFile []byte
|
||||||
TargetPath string
|
TargetPath string
|
||||||
ManifestFile string
|
ManifestFile string
|
||||||
|
BearerToken string
|
||||||
}
|
}
|
||||||
|
|
||||||
func MakeDefaultOptions() Options {
|
func MakeDefaultOptions() Options {
|
||||||
@@ -72,5 +74,6 @@ func MakeDefaultOptions() Options {
|
|||||||
CertFile: []byte{},
|
CertFile: []byte{},
|
||||||
KeyFile: []byte{},
|
KeyFile: []byte{},
|
||||||
ManifestFile: "secret.yaml",
|
ManifestFile: "secret.yaml",
|
||||||
|
BearerToken: "",
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
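Review bot: `BearerTokenKey` breaks the naming pattern of its neighbours (`PrivateKeySecretKey`, `PublicKeySecretKey`, `KnownHostsSecretKey`), which all carry the `SecretKey` suffix; since this is an exported constant it is far cheaper to rename it to `BearerTokenSecretKey = "bearerToken"` before it ships than afterwards. The `BearerToken: ""` entry added to `MakeDefaultOptions` only restates the string zero value and can be dropped unless the literal is meant to list every field. A doc comment on the new `Options` field would help library callers, e.g. `// BearerToken, when set, is stored in the secret for Git over HTTP/S; it is meant to be used instead of Username/Password, not alongside them.`.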
|
|||||||
@@ -152,6 +152,9 @@ func buildSecret(keypair *ssh.KeyPair, hostKey, caFile, certFile, keyFile, docke
|
|||||||
secret.StringData[UsernameSecretKey] = options.Username
|
secret.StringData[UsernameSecretKey] = options.Username
|
||||||
secret.StringData[PasswordSecretKey] = options.Password
|
secret.StringData[PasswordSecretKey] = options.Password
|
||||||
}
|
}
|
||||||
|
if options.BearerToken != "" {
|
||||||
|
secret.StringData[BearerTokenKey] = options.BearerToken
|
||||||
|
}
|
||||||
|
|
||||||
if len(caFile) != 0 {
|
if len(caFile) != 0 {
|
||||||
secret.StringData[CAFileSecretKey] = string(caFile)
|
secret.StringData[CAFileSecretKey] = string(caFile)
|
||||||
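Review bot: The new block writes `options.BearerToken` into `secret.StringData` whenever it is non-empty, directly after the branch that writes `UsernameSecretKey`/`PasswordSecretKey`, so a caller that sets both ends up with a secret carrying basic-auth and bearer credentials at once; the only guard against that combination lives in the `flux` CLI, not in this package. If this function can report errors (its signature is cut off in the hunk header), returning one when both are present would keep library callers honest; otherwise a comment above the new block, `// Basic auth and bearer token are not checked for mutual exclusion here; the CLI rejects the combination, other callers must do so themselves.`, at least records the gap. buildSecret starts and ends outside the hunk.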
|
|||||||