Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[RFC-007] Implement GitHub app authentication for git repositories in IAC #780

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[RFC-007] Implement GitHub app authentication for git repositories in IAC #780

wants to merge 1 commit into from
+59 −10

Conversation

dipti-pai
Copy link
Member

  • Controller change to use the GitHub authentication information specified in gitrepository.spec.secretRef to create the auth options to authenticate to git repositories when the gitrepository.spec.provider field is set to github,
  • Tests for new github provider field in IAC
  • Updated docs to use GitHub Apps for authentication in image-automation-controller.

@dipti-pai dipti-pai mentioned this pull request Oct 31, 2024
Open
14 tasks
makkes
makkes reviewed Nov 3, 2024
View reviewed changes
go.mod Outdated
Comment on lines 168 to 174
replace github.com/fluxcd/source-controller/api => github.com/dipti-pai/source-controller/api v0.0.0-20241022192612-2ada07176114

replace github.com/fluxcd/pkg/auth => github.com/dipti-pai/pkg/auth v0.0.0-20241024052802-53e4364eab6a

replace github.com/fluxcd/pkg/git => github.com/dipti-pai/pkg/git v0.0.0-20241024052802-53e4364eab6a

replace github.com/fluxcd/pkg/git/gogit => github.com/dipti-pai/pkg/git/gogit v0.0.0-20241024052802-53e4364eab6a
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reminder to remove these before merging.

@dipti-pai
[RFC-007] Implement GitHub app authentication for git repositories in…
67837db 
… IAC

- Controller change to use the GitHub authentication information specified in Git Repository's `.spec.secretRef` to create the auth options to authenticate to git repositories when the `provider` field is set to `github`,
- Tests for new `github` provider field in IAC
- Updated docs to use GitHub Apps for authentication in image-automation-controller.

Signed-off-by: Dipti Pai <[email protected]>
darkowlzz
darkowlzz reviewed Dec 3, 2024
View reviewed changes
internal/source/git.go
opts.ProviderOpts = &git.ProviderOptions{
Name: sourcev1.GitProviderAzure,
AzureOpts: []azure.OptFunc{
azure.WithAzureDevOpsScope(),
},
}
case sourcev1.GitProviderGitHub:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Based on the SC issue described in fluxcd/source-controller#1647 (comment), it would be good to perform a provider validation here too. In this case, we have a typed error already

image-automation-controller/internal/source/source.go

Line 47 in 5b945f7

var ErrInvalidSourceConfiguration = errors.New("invalid source configuration")

We can return an error with proper context, saying that the referred GitRepository's provider configuration is invalid. Wrapping the typed error with the context should allow the reader of the errors to determine that it should result in stalled state, with the context intact. Refer similar code in

image-automation-controller/internal/source/source.go

Lines 102 to 108 in 5b945f7

if obj.Spec.SourceRef.Kind != sourcev1.GitRepositoryKind {
return nil, fmt.Errorf("source kind '%s' not supported: %w", obj.Spec.SourceRef.Kind, ErrInvalidSourceConfiguration)
}
if obj.Spec.GitSpec == nil {
return nil, fmt.Errorf("source kind '%s' necessitates field .spec.git: %w", sourcev1.GitRepositoryKind, ErrInvalidSourceConfiguration)
}

and see how the reconciler interprets it

image-automation-controller/internal/controller/imageupdateautomation_controller.go

Lines 354 to 358 in 5b945f7

if errors.Is(err, source.ErrInvalidSourceConfiguration) {
conditions.MarkStalled(obj, imagev1.InvalidSourceConfigReason, "%s", err)
result, retErr = ctrl.Result{}, nil
return
}
.

Since we have a watch for GitRepository in

image-automation-controller/internal/controller/imageupdateautomation_controller.go

Lines 140 to 143 in 5b945f7

Watches(
&sourcev1.GitRepository{},
handler.EnqueueRequestsFromMapFunc(r.automationsForGitRepo),
builder.WithPredicates(sourceConfigChangePredicate{}),
, the stalled ImageUpdateAutomation should be notified of any update to the GitRepository object to fix it and that'll result in a re-evaluation.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please also consider an update to the same issue in source-controller fluxcd/source-controller#1647 (comment).
I believe the same validations can be done within getAuthOpts().

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@darkowlzz darkowlzz darkowlzz left review comments

@makkes makkes makkes left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dipti-pai @makkes @darkowlzz