Add caFile to create source/secret git commands

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
pull/910/head
Stefan Prodan 4 years ago
parent 9d70e09a57
commit aa533b28fb
No known key found for this signature in database
GPG Key ID: 3299AEB0E4085BAF

@ -264,7 +264,7 @@ func shouldCreateDeployKey(ctx context.Context, kubeClient client.Client, namesp
} }
func generateDeployKey(ctx context.Context, kubeClient client.Client, url *url.URL, namespace string) (string, error) { func generateDeployKey(ctx context.Context, kubeClient client.Client, url *url.URL, namespace string) (string, error) {
pair, err := generateKeyPair(ctx, sourceArgs.GitKeyAlgorithm, sourceArgs.GitRSABits, sourceArgs.GitECDSACurve) pair, err := generateKeyPair(ctx, sourceGitArgs.keyAlgorithm, sourceGitArgs.keyRSABits, sourceGitArgs.keyECDSACurve)
if err != nil { if err != nil {
return "", err return "", err
} }

@ -20,6 +20,7 @@ import (
"context" "context"
"crypto/elliptic" "crypto/elliptic"
"fmt" "fmt"
"io/ioutil"
"net/url" "net/url"
"time" "time"
@ -76,6 +77,7 @@ type secretGitFlags struct {
keyAlgorithm flags.PublicKeyAlgorithm keyAlgorithm flags.PublicKeyAlgorithm
rsaBits flags.RSAKeyBits rsaBits flags.RSAKeyBits
ecdsaCurve flags.ECDSACurve ecdsaCurve flags.ECDSACurve
caFile string
} }
var secretGitArgs = NewSecretGitFlags() var secretGitArgs = NewSecretGitFlags()
@ -87,6 +89,7 @@ func init() {
createSecretGitCmd.Flags().Var(&secretGitArgs.keyAlgorithm, "ssh-key-algorithm", secretGitArgs.keyAlgorithm.Description()) createSecretGitCmd.Flags().Var(&secretGitArgs.keyAlgorithm, "ssh-key-algorithm", secretGitArgs.keyAlgorithm.Description())
createSecretGitCmd.Flags().Var(&secretGitArgs.rsaBits, "ssh-rsa-bits", secretGitArgs.rsaBits.Description()) createSecretGitCmd.Flags().Var(&secretGitArgs.rsaBits, "ssh-rsa-bits", secretGitArgs.rsaBits.Description())
createSecretGitCmd.Flags().Var(&secretGitArgs.ecdsaCurve, "ssh-ecdsa-curve", secretGitArgs.ecdsaCurve.Description()) createSecretGitCmd.Flags().Var(&secretGitArgs.ecdsaCurve, "ssh-ecdsa-curve", secretGitArgs.ecdsaCurve.Description())
createSecretGitCmd.Flags().StringVar(&secretGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
createSecretCmd.AddCommand(createSecretGitCmd) createSecretCmd.AddCommand(createSecretGitCmd)
} }
@ -147,11 +150,19 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
return fmt.Errorf("for Git over HTTP/S the username and password are required") return fmt.Errorf("for Git over HTTP/S the username and password are required")
} }
// TODO: add cert data when it's implemented in source-controller
secret.StringData = map[string]string{ secret.StringData = map[string]string{
"username": secretGitArgs.username, "username": secretGitArgs.username,
"password": secretGitArgs.password, "password": secretGitArgs.password,
} }
if secretGitArgs.caFile != "" {
ca, err := ioutil.ReadFile(secretGitArgs.caFile)
if err != nil {
return fmt.Errorf("failed to read CA file '%s': %w", secretGitArgs.caFile, err)
}
secret.StringData["caFile"] = string(ca)
}
default: default:
return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme) return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
} }
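Review bot: The CA bundle read by the new `ioutil.ReadFile` call is copied into the secret's `caFile` key with no check that it is PEM certificate data, so a mistyped path that points at a key file or a DER blob is only rejected later by source-controller at reconcile time; decoding it with `pem.Decode` and `x509.ParseCertificate` before the assignment `secret.StringData["caFile"] = string(ca)` would let the CLI fail fast with a clear message. The new error wrapping uses `'%s'` around a user-supplied path; `%q` is the idiomatic form and shows an empty or whitespace value, e.g. `return fmt.Errorf("failed to read CA file %q: %w", secretGitArgs.caFile, err)`. The read sits inside what appears to be the HTTP/S case of the scheme switch (the `default:` case follows it), so `--ca-file` combined with an ssh URL would presumably be silently ignored rather than rejected; the enclosing createSecretGitCmdRun body starts outside the hunk, so an explicit check belongs near the existing scheme validation. The same two remarks apply to the matching hunk in createSourceGitCmdRun.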

@ -41,19 +41,19 @@ import (
"github.com/fluxcd/flux2/internal/utils" "github.com/fluxcd/flux2/internal/utils"
) )
type SourceGitFlags struct { type sourceGitFlags struct {
GitURL string url string
GitBranch string branch string
GitTag string tag string
GitSemver string semver string
GitUsername string username string
GitPassword string password string
caFile string
GitKeyAlgorithm flags.PublicKeyAlgorithm keyAlgorithm flags.PublicKeyAlgorithm
GitRSABits flags.RSAKeyBits keyRSABits flags.RSAKeyBits
GitECDSACurve flags.ECDSACurve keyECDSACurve flags.ECDSACurve
GitSecretRef string secretRef string
GitImplementation flags.GitImplementation gitImplementation flags.GitImplementation
} }
var createSourceGitCmd = &cobra.Command{ var createSourceGitCmd = &cobra.Command{
@ -100,29 +100,30 @@ For private Git repositories, the basic authentication credentials are stored in
RunE: createSourceGitCmdRun, RunE: createSourceGitCmdRun,
} }
var sourceArgs = NewSourceGitFlags() var sourceGitArgs = newSourceGitFlags()
func init() { func init() {
createSourceGitCmd.Flags().StringVar(&sourceArgs.GitURL, "url", "", "git address, e.g. ssh://git@host/org/repository") createSourceGitCmd.Flags().StringVar(&sourceGitArgs.url, "url", "", "git address, e.g. ssh://git@host/org/repository")
createSourceGitCmd.Flags().StringVar(&sourceArgs.GitBranch, "branch", "master", "git branch") createSourceGitCmd.Flags().StringVar(&sourceGitArgs.branch, "branch", "master", "git branch")
createSourceGitCmd.Flags().StringVar(&sourceArgs.GitTag, "tag", "", "git tag") createSourceGitCmd.Flags().StringVar(&sourceGitArgs.tag, "tag", "", "git tag")
createSourceGitCmd.Flags().StringVar(&sourceArgs.GitSemver, "tag-semver", "", "git tag semver range") createSourceGitCmd.Flags().StringVar(&sourceGitArgs.semver, "tag-semver", "", "git tag semver range")
createSourceGitCmd.Flags().StringVarP(&sourceArgs.GitUsername, "username", "u", "", "basic authentication username") createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.username, "username", "u", "", "basic authentication username")
createSourceGitCmd.Flags().StringVarP(&sourceArgs.GitPassword, "password", "p", "", "basic authentication password") createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.password, "password", "p", "", "basic authentication password")
createSourceGitCmd.Flags().Var(&sourceArgs.GitKeyAlgorithm, "ssh-key-algorithm", sourceArgs.GitKeyAlgorithm.Description()) createSourceGitCmd.Flags().Var(&sourceGitArgs.keyAlgorithm, "ssh-key-algorithm", sourceGitArgs.keyAlgorithm.Description())
createSourceGitCmd.Flags().Var(&sourceArgs.GitRSABits, "ssh-rsa-bits", sourceArgs.GitRSABits.Description()) createSourceGitCmd.Flags().Var(&sourceGitArgs.keyRSABits, "ssh-rsa-bits", sourceGitArgs.keyRSABits.Description())
createSourceGitCmd.Flags().Var(&sourceArgs.GitECDSACurve, "ssh-ecdsa-curve", sourceArgs.GitECDSACurve.Description()) createSourceGitCmd.Flags().Var(&sourceGitArgs.keyECDSACurve, "ssh-ecdsa-curve", sourceGitArgs.keyECDSACurve.Description())
createSourceGitCmd.Flags().StringVarP(&sourceArgs.GitSecretRef, "secret-ref", "", "", "the name of an existing secret containing SSH or basic credentials") createSourceGitCmd.Flags().StringVar(&sourceGitArgs.secretRef, "secret-ref", "", "the name of an existing secret containing SSH or basic credentials")
createSourceGitCmd.Flags().Var(&sourceArgs.GitImplementation, "git-implementation", sourceArgs.GitImplementation.Description()) createSourceGitCmd.Flags().Var(&sourceGitArgs.gitImplementation, "git-implementation", sourceGitArgs.gitImplementation.Description())
createSourceGitCmd.Flags().StringVar(&sourceGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates, requires libgit2")
createSourceCmd.AddCommand(createSourceGitCmd) createSourceCmd.AddCommand(createSourceGitCmd)
} }
func NewSourceGitFlags() SourceGitFlags { func newSourceGitFlags() sourceGitFlags {
return SourceGitFlags{ return sourceGitFlags{
GitKeyAlgorithm: "rsa", keyAlgorithm: "rsa",
GitRSABits: 2048, keyRSABits: 2048,
GitECDSACurve: flags.ECDSACurve{Curve: elliptic.P384()}, keyECDSACurve: flags.ECDSACurve{Curve: elliptic.P384()},
} }
} }
@ -132,17 +133,21 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
} }
name := args[0] name := args[0]
if sourceArgs.GitURL == "" { if sourceGitArgs.url == "" {
return fmt.Errorf("url is required") return fmt.Errorf("url is required")
} }
if sourceGitArgs.gitImplementation.String() != sourcev1.LibGit2Implementation && sourceGitArgs.caFile != "" {
return fmt.Errorf("specifing a CA file requires --git-implementation=%s", sourcev1.LibGit2Implementation)
}
tmpDir, err := ioutil.TempDir("", name) tmpDir, err := ioutil.TempDir("", name)
if err != nil { if err != nil {
return err return err
} }
defer os.RemoveAll(tmpDir) defer os.RemoveAll(tmpDir)
u, err := url.Parse(sourceArgs.GitURL) u, err := url.Parse(sourceGitArgs.url)
if err != nil { if err != nil {
return fmt.Errorf("git URL parse failed: %w", err) return fmt.Errorf("git URL parse failed: %w", err)
} }
@ -159,7 +164,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
Labels: sourceLabels, Labels: sourceLabels,
}, },
Spec: sourcev1.GitRepositorySpec{ Spec: sourcev1.GitRepositorySpec{
URL: sourceArgs.GitURL, URL: sourceGitArgs.url,
Interval: metav1.Duration{ Interval: metav1.Duration{
Duration: createArgs.interval, Duration: createArgs.interval,
}, },
@ -167,22 +172,22 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
}, },
} }
if sourceArgs.GitImplementation != "" { if sourceGitArgs.gitImplementation != "" {
gitRepository.Spec.GitImplementation = sourceArgs.GitImplementation.String() gitRepository.Spec.GitImplementation = sourceGitArgs.gitImplementation.String()
} }
if sourceArgs.GitSemver != "" { if sourceGitArgs.semver != "" {
gitRepository.Spec.Reference.SemVer = sourceArgs.GitSemver gitRepository.Spec.Reference.SemVer = sourceGitArgs.semver
} else if sourceArgs.GitTag != "" { } else if sourceGitArgs.tag != "" {
gitRepository.Spec.Reference.Tag = sourceArgs.GitTag gitRepository.Spec.Reference.Tag = sourceGitArgs.tag
} else { } else {
gitRepository.Spec.Reference.Branch = sourceArgs.GitBranch gitRepository.Spec.Reference.Branch = sourceGitArgs.branch
} }
if createArgs.export { if createArgs.export {
if sourceArgs.GitSecretRef != "" { if sourceGitArgs.secretRef != "" {
gitRepository.Spec.SecretRef = &meta.LocalObjectReference{ gitRepository.Spec.SecretRef = &meta.LocalObjectReference{
Name: sourceArgs.GitSecretRef, Name: sourceGitArgs.secretRef,
} }
} }
return exportGit(gitRepository) return exportGit(gitRepository)
@ -198,11 +203,11 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
withAuth := false withAuth := false
// TODO(hidde): move all auth prep to separate func? // TODO(hidde): move all auth prep to separate func?
if sourceArgs.GitSecretRef != "" { if sourceGitArgs.secretRef != "" {
withAuth = true withAuth = true
} else if u.Scheme == "ssh" { } else if u.Scheme == "ssh" {
logger.Generatef("generating deploy key pair") logger.Generatef("generating deploy key pair")
pair, err := generateKeyPair(ctx, sourceArgs.GitKeyAlgorithm, sourceArgs.GitRSABits, sourceArgs.GitECDSACurve) pair, err := generateKeyPair(ctx, sourceGitArgs.keyAlgorithm, sourceGitArgs.keyRSABits, sourceGitArgs.keyECDSACurve)
if err != nil { if err != nil {
return err return err
} }
@ -240,7 +245,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
return err return err
} }
withAuth = true withAuth = true
} else if sourceArgs.GitUsername != "" && sourceArgs.GitPassword != "" { } else if sourceGitArgs.username != "" && sourceGitArgs.password != "" {
logger.Actionf("applying secret with basic auth credentials") logger.Actionf("applying secret with basic auth credentials")
secret := corev1.Secret{ secret := corev1.Secret{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
@ -249,10 +254,19 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
Labels: sourceLabels, Labels: sourceLabels,
}, },
StringData: map[string]string{ StringData: map[string]string{
"username": sourceArgs.GitUsername, "username": sourceGitArgs.username,
"password": sourceArgs.GitPassword, "password": sourceGitArgs.password,
}, },
} }
if sourceGitArgs.caFile != "" {
ca, err := ioutil.ReadFile(sourceGitArgs.caFile)
if err != nil {
return fmt.Errorf("failed to read CA file '%s': %w", sourceGitArgs.caFile, err)
}
secret.StringData["caFile"] = string(ca)
}
if err := upsertSecret(ctx, kubeClient, secret); err != nil { if err := upsertSecret(ctx, kubeClient, secret); err != nil {
return err return err
} }
@ -267,8 +281,8 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
if withAuth { if withAuth {
secretName := name secretName := name
if sourceArgs.GitSecretRef != "" { if sourceGitArgs.secretRef != "" {
secretName = sourceArgs.GitSecretRef secretName = sourceGitArgs.secretRef
} }
gitRepository.Spec.SecretRef = &meta.LocalObjectReference{ gitRepository.Spec.SecretRef = &meta.LocalObjectReference{
Name: secretName, Name: secretName,
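Review bot: `--ca-file` is silently dropped on every path except the basic-auth branch: the early guard added before `ioutil.TempDir` only rejects a non-libgit2 implementation, but the file is read and written into the secret solely inside the `sourceGitArgs.username != "" && sourceGitArgs.password != ""` branch, so with `--secret-ref`, an ssh URL, or `--export` the flag has no effect and the user gets no error. Extending the guard to require the credentials (or at least warning) keeps the flag honest, and reading the file there instead of after the cluster client is created would fail fast on a bad path. The new error message also has a typo, `specifing`, and quotes the path with `'%s'` where `%q` is the convention. The createSourceGitCmdRun body spans several hunks and continues outside them.
```go
	if sourceGitArgs.caFile != "" {
		if sourceGitArgs.gitImplementation.String() != sourcev1.LibGit2Implementation {
			return fmt.Errorf("specifying a CA file requires --git-implementation=%s", sourcev1.LibGit2Implementation)
		}
		if sourceGitArgs.username == "" || sourceGitArgs.password == "" {
			return fmt.Errorf("--ca-file is only used when a basic auth secret is created with --username and --password")
		}
	}
	// … unchanged: temp dir creation, URL parsing …
```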

@ -50,6 +50,7 @@ flux create secret git [name] [flags]
### Options ### Options
``` ```
--ca-file string path to TLS CA file used for validating self-signed certificates
-h, --help help for git -h, --help help for git
-p, --password string basic authentication password -p, --password string basic authentication password
--ssh-ecdsa-curve ecdsaCurve SSH ECDSA public key curve (p256, p384, p521) (default p384) --ssh-ecdsa-curve ecdsaCurve SSH ECDSA public key curve (p256, p384, p521) (default p384)

@ -56,6 +56,7 @@ flux create source git [name] [flags]
``` ```
--branch string git branch (default "master") --branch string git branch (default "master")
--ca-file string path to TLS CA file used for validating self-signed certificates, requires libgit2
--git-implementation gitImplementation the Git implementation to use, available options are: (go-git, libgit2) --git-implementation gitImplementation the Git implementation to use, available options are: (go-git, libgit2)
-h, --help help for git -h, --help help for git
-p, --password string basic authentication password -p, --password string basic authentication password
