From 1355dbbe3ddeb174a65f12f0d2f761684a7a5762 Mon Sep 17 00:00:00 2001 From: Dipti Pai Date: Thu, 31 Oct 2024 14:26:05 -0700 Subject: [PATCH] [RFC-007] Implement GitHub app authentication for git repositories in IAC - Controller change to use the GitHub authentication information specified in Git Repository's `.spec.secretRef` to create the auth options to authenticate to git repositories when the `provider` field is set to `github`, - Tests for new `github` provider field in IAC - Updated docs to use GitHub Apps for authentication in image-automation-controller. Signed-off-by: Dipti Pai --- docs/spec/v1beta2/imageupdateautomations.md | 7 ++ go.mod | 2 + go.sum | 4 +- internal/source/git.go | 20 ++++- internal/source/git_test.go | 96 +++++++++++++++++++-- 5 files changed, 118 insertions(+), 11 deletions(-) diff --git a/docs/spec/v1beta2/imageupdateautomations.md b/docs/spec/v1beta2/imageupdateautomations.md index feded61a..4f5b4531 100644 --- a/docs/spec/v1beta2/imageupdateautomations.md +++ b/docs/spec/v1beta2/imageupdateautomations.md @@ -257,6 +257,13 @@ patches: azure.workload.identity/use: "true" ``` +##### GitHub + +If the provider is set to `github`, make sure the GitHub App is registered and +installed with the necessary permissions and the github app secret is configured +as described +[here](https://fluxcd.io/flux/components/source/gitrepositories/#github). + ### Git specification `.spec.git` is a required field to specify Git configurations related to source diff --git a/go.mod b/go.mod index a8e998ae..c4b1a72f 100644 --- a/go.mod +++ b/go.mod @@ -162,3 +162,5 @@ require ( sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect sigs.k8s.io/yaml v1.4.0 // indirect ) + +replace github.com/fluxcd/source-controller/api => github.com/dipti-pai/source-controller/api v0.0.0-20241209192934-58ebb1b51f43 diff --git a/go.sum b/go.sum index 5342cc8d..bfa35b73 100644 --- a/go.sum +++ b/go.sum @@ -56,6 +56,8 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78= github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc= +github.com/dipti-pai/source-controller/api v0.0.0-20241209192934-58ebb1b51f43 h1:f/wiXS42JPs6ibWkh3SfJvrr7UEKRdI7bbftYx5tyPo= +github.com/dipti-pai/source-controller/api v0.0.0-20241209192934-58ebb1b51f43/go.mod h1:0lo5XmaerQ3tncMQKSqWwNOJo75AeXqaBCL1Qx55gX4= github.com/elazarl/goproxy v0.0.0-20240909085733-6741dbfc16a1 h1:g7YUigN4dW2+zpdusdTTghZ+5Py3BaUMAStvL8Nk+FY= github.com/elazarl/goproxy v0.0.0-20240909085733-6741dbfc16a1/go.mod h1:thX175TtLTzLj3p7N/Q9IiKZ7NF+p72cvL91emV0hzo= github.com/emicklei/go-restful/v3 v3.12.1 h1:PJMDIM/ak7btuL8Ex0iYET9hxM3CI2sjZtzpL63nKAU= @@ -96,8 +98,6 @@ github.com/fluxcd/pkg/ssh v0.15.0 h1:RSjoFlrPPXR8ac9roV4BnfbhaqjcoJeywQ+0BO8kf6s github.com/fluxcd/pkg/ssh v0.15.0/go.mod h1:ulKcj8psZyUNJrvZZ3J748Ygh7EiS2HfdSzqoORDM4k= github.com/fluxcd/pkg/version v0.5.0 h1:td9PR7Um3CLP9ke+PgNex4yqMCRmUZv6dMK+oquD654= github.com/fluxcd/pkg/version v0.5.0/go.mod h1:ASkoZ+vz1Ob+5vb81ptUXPPNf3jjX/UQyfAeg+bnFfk= -github.com/fluxcd/source-controller/api v1.4.1 h1:zV01D7xzHOXWbYXr36lXHWWYS7POARsjLt61Nbh3kVY= -github.com/fluxcd/source-controller/api v1.4.1/go.mod h1:gSjg57T+IG66SsBR0aquv+DFrm4YyBNpKIJVDnu3Ya8= github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= diff --git a/internal/source/git.go b/internal/source/git.go index 2adcf3b3..f6a3ee32 100644 --- a/internal/source/git.go +++ b/internal/source/git.go @@ -32,6 +32,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" "github.com/fluxcd/pkg/auth/azure" + "github.com/fluxcd/pkg/auth/github" "github.com/fluxcd/pkg/git" "github.com/fluxcd/pkg/git/gogit" sourcev1 "github.com/fluxcd/source-controller/api/v1" @@ -181,13 +182,30 @@ func getAuthOpts(ctx context.Context, c client.Client, repo *sourcev1.GitReposit return nil, fmt.Errorf("failed to configure authentication options: %w", err) } - if repo.GetProvider() == sourcev1.GitProviderAzure { + switch repo.GetProvider() { + case sourcev1.GitProviderAzure: opts.ProviderOpts = &git.ProviderOptions{ Name: sourcev1.GitProviderAzure, AzureOpts: []azure.OptFunc{ azure.WithAzureDevOpsScope(), }, } + case sourcev1.GitProviderGitHub: + // if provider is github, but secret ref is not specified + if repo.Spec.SecretRef == nil { + return nil, fmt.Errorf("secretRef with github app data must be specified when provider is set to github: %w", ErrInvalidSourceConfiguration) + } + opts.ProviderOpts = &git.ProviderOptions{ + Name: sourcev1.GitProviderGitHub, + GitHubOpts: []github.OptFunc{ + github.WithAppData(data), + }, + } + default: + // analyze secret, if it has github app data, perhaps provider should have been github. + if appID := data[github.AppIDKey]; len(appID) != 0 { + return nil, fmt.Errorf("secretRef '%s/%s' has github app data but provider is not set to github: %w", repo.GetNamespace(), repo.Spec.SecretRef.Name, ErrInvalidSourceConfiguration) + } } return opts, nil diff --git a/internal/source/git_test.go b/internal/source/git_test.go index 2802d68e..91647d3a 100644 --- a/internal/source/git_test.go +++ b/internal/source/git_test.go @@ -18,6 +18,7 @@ package source import ( "context" + "errors" "fmt" "testing" "time" @@ -34,6 +35,7 @@ import ( imagev1 "github.com/fluxcd/image-automation-controller/api/v1beta2" "github.com/fluxcd/image-automation-controller/internal/testutil" "github.com/fluxcd/pkg/apis/meta" + "github.com/fluxcd/pkg/auth/github" "github.com/fluxcd/pkg/git" sourcev1 "github.com/fluxcd/source-controller/api/v1" ) @@ -141,49 +143,127 @@ func Test_getAuthOpts(t *testing.T) { func Test_getAuthOpts_providerAuth(t *testing.T) { tests := []struct { name string + url string + secret *corev1.Secret beforeFunc func(obj *sourcev1.GitRepository) wantProviderOptsName string + wantErr error }{ { name: "azure provider", + url: "https://dev.azure.com/foo/bar/_git/baz", beforeFunc: func(obj *sourcev1.GitRepository) { obj.Spec.Provider = sourcev1.GitProviderAzure }, wantProviderOptsName: sourcev1.GitProviderAzure, }, + { + name: "github provider with no secret ref", + url: "https://github.com/org/repo.git", + beforeFunc: func(obj *sourcev1.GitRepository) { + obj.Spec.Provider = sourcev1.GitProviderGitHub + }, + wantProviderOptsName: sourcev1.GitProviderGitHub, + wantErr: errors.New("secretRef with github app data must be specified when provider is set to github: invalid source configuration"), + }, + { + name: "github provider with secret ref that does not exist", + url: "https://github.com/org/repo.git", + beforeFunc: func(obj *sourcev1.GitRepository) { + obj.Spec.Provider = sourcev1.GitProviderGitHub + obj.Spec.SecretRef = &meta.LocalObjectReference{ + Name: "githubAppSecret", + } + }, + wantErr: errors.New("failed to get auth secret '/githubAppSecret': secrets \"githubAppSecret\" not found"), + }, + { + name: "github provider with github app data in secret", + url: "https://example.com/org/repo", + secret: &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "githubAppSecret", + }, + Data: map[string][]byte{ + github.AppIDKey: []byte("123"), + github.AppInstallationIDKey: []byte("456"), + github.AppPrivateKey: []byte("abc"), + }, + }, + beforeFunc: func(obj *sourcev1.GitRepository) { + obj.Spec.Provider = sourcev1.GitProviderGitHub + obj.Spec.SecretRef = &meta.LocalObjectReference{ + Name: "githubAppSecret", + } + }, + wantProviderOptsName: sourcev1.GitProviderGitHub, + }, + { + name: "generic provider with github app data in secret", + url: "https://example.com/org/repo", + secret: &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "githubAppSecret", + }, + Data: map[string][]byte{ + github.AppIDKey: []byte("123"), + }, + }, + beforeFunc: func(obj *sourcev1.GitRepository) { + obj.Spec.Provider = sourcev1.GitProviderGeneric + obj.Spec.SecretRef = &meta.LocalObjectReference{ + Name: "githubAppSecret", + } + }, + wantErr: errors.New("secretRef '/githubAppSecret' has github app data but provider is not set to github: invalid source configuration"), + }, { name: "generic provider", + url: "https://example.com/org/repo", beforeFunc: func(obj *sourcev1.GitRepository) { obj.Spec.Provider = sourcev1.GitProviderGeneric }, }, { name: "no provider", + url: "https://example.com/org/repo", }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { g := NewWithT(t) + clientBuilder := fakeclient.NewClientBuilder(). + WithScheme(scheme.Scheme). + WithStatusSubresource(&sourcev1.GitRepository{}) + if tt.secret != nil { + clientBuilder.WithObjects(tt.secret) + } + c := clientBuilder.Build() obj := &sourcev1.GitRepository{ Spec: sourcev1.GitRepositorySpec{ - URL: "https://dev.azure.com/foo/bar/_git/baz", + URL: tt.url, }, } if tt.beforeFunc != nil { tt.beforeFunc(obj) } - opts, err := getAuthOpts(context.TODO(), nil, obj) + opts, err := getAuthOpts(context.TODO(), c, obj) - g.Expect(err).ToNot(HaveOccurred()) - g.Expect(opts).ToNot(BeNil()) - if tt.wantProviderOptsName != "" { - g.Expect(opts.ProviderOpts).ToNot(BeNil()) - g.Expect(opts.ProviderOpts.Name).To(Equal(tt.wantProviderOptsName)) + if tt.wantErr != nil { + g.Expect(err).To(HaveOccurred()) + g.Expect(err.Error()).To(ContainSubstring(tt.wantErr.Error())) } else { - g.Expect(opts.ProviderOpts).To(BeNil()) + g.Expect(err).ToNot(HaveOccurred()) + g.Expect(opts).ToNot(BeNil()) + if tt.wantProviderOptsName != "" { + g.Expect(opts.ProviderOpts).ToNot(BeNil()) + g.Expect(opts.ProviderOpts.Name).To(Equal(tt.wantProviderOptsName)) + } else { + g.Expect(opts.ProviderOpts).To(BeNil()) + } } }) }