Mirrors
/
flux2
mirror of https://github.com/fluxcd/flux2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
dependabot/go_modules/tests/integration/golang.org/x/net-0.36.0
rfc-multi-tenant-workload-identity
dependabot/github_actions/ci-256d05664c
release/v2.5.x
main
release/v2.4.x
remove-notation-validation
release/v2.3.x
rfc-flux-bootstrap-oci
release/v2.2.x
RFC
fix-commit-log
flux-audit
release/v2.1.x
context-ns
ksm-dashboard
rfc-passwordless-git-auth
release/v2.0.x
rfc-gating
release/v0.27.4
rfc-0003
rfc-0002
rfc-0001
prompt-for-tokens
encrypt-init-cmd
v2.5.1
v2.5.0
v2.4.0
v2.3.0
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.2
v2.1.1
v2.1.0
v2.0.1
v2.0.0
v2.0.0-rc.5
v2.0.0-rc.4
v2.0.0-rc.3
v2.0.0-rc.2
v2.0.0-rc.1
v0.41.2
v0.40.0
v0.39.0
v0.38.2
v0.38.1
v0.38.0
v0.37.0
v0.36.0
v0.35.0
v0.34.0
v0.33.0
v0.32.0
v0.31.3
v0.31.2
v0.31.1
v0.31.0
v0.30.1
v0.28.2
v0.27.2
v0.27.1
v0.27.0
v0.26.3
v0.26.2
v0.26.1
v0.26.0
v0.25.3
v0.0.1
v0.0.1-alpha.1
v0.0.1-beta.1
v0.0.1-beta.2
v0.0.1-beta.3
v0.0.1-beta.4
v0.0.10
v0.0.11
v0.0.12
v0.0.13
v0.0.14
v0.0.15
v0.0.16
v0.0.17
v0.0.18
v0.0.19
v0.0.2
v0.0.20
v0.0.21
v0.0.22
v0.0.23
v0.0.24
v0.0.25
v0.0.26
v0.0.27
v0.0.28
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.10.0
v0.11.0
v0.12.0
v0.12.1
v0.12.2
v0.12.3
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.13.4
v0.14.0
v0.14.1
v0.14.2
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.16.0
v0.16.1
v0.16.2
v0.17.0
v0.17.1
v0.17.2
v0.18.0
v0.18.1
v0.18.2
v0.18.3
v0.19.0
v0.19.1
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.20.0
v0.20.1
v0.21.0
v0.21.1
v0.22.0
v0.22.1
v0.23.0
v0.24.0
v0.24.1
v0.25.0
v0.25.1
v0.25.2
v0.27.3
v0.27.4
v0.28.0
v0.28.1
v0.28.3
v0.28.4
v0.28.5
v0.29.0
v0.29.1
v0.29.2
v0.29.3
v0.29.4
v0.29.5
v0.3.0
v0.30.0
v0.30.2
v0.31.4
v0.31.5
v0.38.3
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.40.1
v0.40.2
v0.41.0
v0.41.1
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.7.7
v0.8.0
v0.8.1
v0.8.2
v0.9.0
v0.9.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e3f6b242ea'
${ noResults }
flux2/rfcs/0006-git-repo-passwordless-...
History
Sanskar Jaiswal e3f6b242ea
rfc: add passswordless auth for git repos draft 
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
 		2 years ago
..
README.md rfc: add passswordless auth for git repos draft 2 years ago

README.md

RFC-0006 Passwordless authentication for Git repositories

Status: provisional

Creation date: 2023-31-07

Summary

Flux should provide a mechanism to authenticate against Git repositories without the use of passwords. This RFC proposes the use of alternative authentication methods like OIDC, OAuth2 and IAM to access Git repositories hosted on specific Git SaaS platforms and cloud providers.

Motivation

At the moment, Flux supports HTTP basic and bearer authentication. Users are required to create a Secret containing the username and the password/bearer token, which is then referred to in the GitRepository using .spec.secretRef.

While this works fine, it has a couple of drawbacks:

  • Scalability: Each new GitRepository potentially warrants another credentials pair, which doesn't scale well in big organizations with hundreds of repositories with different owners, increasing the risk of mismanagement and leaks.
  • Identity: A username is associated with an actual human. But often, the repository belongs to a team of 2 or more people. This leads to a problem where teams have to decide whose credentials should Flux use for authentication.

These problems exist not due to flaws in Flux, but because of the inherent nature of password based authentication.

With support for OIDC, OAuth2 and IAM based authentication, we can eliminate these problems:

  • Scalability: Since OIDC is fully handled by the cloud provider, it eliminates any user involvement in managing credentials. For OAuth2 and IAM, users do need to provide certain information like the ID of the resource, private key, etc. but these are still a better alternative to passwords since the same resource can be reused by multiple teams with different members.
  • Identity: Since all the above authentication methods are associated with a virtual resource independent of a user, it solves the problem of a single person being tied to automation that several people are involved in.

Goals

  • Integrate with major cloud providers' OIDC and IAM offerings to provide a seamless way of Git repository authentication.
  • Integrate with major Git SaaS providers to support their app based OAuth2 mechanism.

Non-Goals

  • Replace the existing basic and bearer authentication API.

Proposal

A new string field .spec.provider shall be added to the GitRepository API. The field will be an enum with the following variants:

  • azure
  • github
  • gcp

AWS CodeCommit is not supported as it does not support authentication via IAM Roles without the use of https://github.com/aws/git-remote-codecommit.

By default, it will be blank, which indicates that the user wants to authenticate via HTTP basic/bearer auth or SSH.

Azure

Git repositories hosted on Azure Devops can be accessed by Flux using OIDC if the cluster running Flux is hosted on AKS with managed identity enabled. The managed identity associated with the cluster must have sufficient permissions to be able to access Azure Devops resources. This enables Flux to access the Git repository without the need for any credentials.

apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: azure-devops
spec:
  interval: 1m
  url: https://dev.azure.com/<org>/<project>/_git/<repository>
  ref:
    branch: master
  # notice the lack of secretRef
  provider: azure

GCP

Git repositories hosted on Google Cloud Source Repositories can be accessed by Flux via a GCP Service Account. The Service Account must have sufficient permissions to be able to access Google Cloud Source Repositories and its credentials should be specified in the secret referred to in .spec.secretRef.

apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: gcp-repo
spec:
  interval: 1m
  url: https://source.developers.google.com/p/<project>/r/<repository>
  ref:
    branch: master
  provider: gcp
  secretRef:
    name: gcp-sa
---
kind: Secret
metadata:
  name: gcp-sa
stringData:
  gcpServiceAccount: |
    {
      "type": "service_account",
      "project_id": "my-google-project",
      "private_key_id": "REDACTED",
      "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n",
      "client_email": "<service-account-id>@my-google-project.iam.gserviceaccount.com",
      "client_id": "REDACTED",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/<service-account-id>%40my-google-project.iam.gserviceaccount.com"
    }

GitHub

Git repositories hosted on GitHub can be accessed via GitHub Apps. This allows users to create a single resource from which they can access all their GitHub repositories. The app must have sufficient permissions to be able to access repositories. The app's ID, private key and installation ID should be mentioned in the Secret referred to by .spec.secretRef. GitHub Enterprise users will also need to mention their GitHub API URL in the Secret.

apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: github-repo
spec:
  interval: 1m
  url: https://github.com/<org>/<repository>
  ref:
    branch: master
  provider: github
  secretRef:
    name: github-app
---
kind: Secret
metadata:
  name: gcp-sa
stringData:
  githubAppID: <app-id>
  githubInstallationID: <installation-id>
  githubPrivateKey: |
        <PEM-private-key>
  githubApiURl: <github-enterprise-api-url> #optional, required only for GitHub Enterprise users

Design Details

Azure

If .spec.provider is set to azure, Flux controllers will reach out to Azure IMDS (Instance Metadata Service) to get an access token. This access token will be then used as a bearer token to perform HTTP bearer authentication.

GCP

If .spec.provider is set to gcp, Flux controllers will get the Service Account credentials from the specified Secret and use google.CredentialsFromJSON to fetch the access token. This access token will be then used as the password and the client_email as the username to perform HTTP basic authentication.

GitHub

If .spec.provider is set to github, Flux controllers will get the app details from the specified Secret and use it to generate an app installation token. This token is then used as the password and x-access-token as the username to perform HTTP basic authentication.

Caching

To avoid calling the upstream API for a token during every reconciliation, Flux controllers shall cache the token after fetching it. Since GitHub and GCP tokens self-expire, the cache shall automatically evict the token after it has expired, triggering a fetch of a fresh token.

While Azure's managed identities subsystem caches the token, it is recommended for the consumer application to implement their own caching as well.