From f03a53d73efbb3aefa0952622470b3fd51c3b51e Mon Sep 17 00:00:00 2001 From: Dipti Pai Date: Thu, 31 Oct 2024 14:26:05 -0700 Subject: [PATCH] [RFC-007] Implement GitHub app authentication for git repositories in IAC - Controller change to use the GitHub authentication information specified in Git Repository's `.spec.secretRef` to create the auth options to authenticate to git repositories when the `provider` field is set to `github`, - Tests for new `github` provider field in IAC - Updated docs to use GitHub Apps for authentication in image-automation-controller. Signed-off-by: Dipti Pai --- docs/spec/v1beta2/imageupdateautomations.md | 7 ++ internal/source/git.go | 20 ++++- internal/source/git_test.go | 96 +++++++++++++++++++-- 3 files changed, 114 insertions(+), 9 deletions(-) diff --git a/docs/spec/v1beta2/imageupdateautomations.md b/docs/spec/v1beta2/imageupdateautomations.md index feded61a..4f5b4531 100644 --- a/docs/spec/v1beta2/imageupdateautomations.md +++ b/docs/spec/v1beta2/imageupdateautomations.md @@ -257,6 +257,13 @@ patches: azure.workload.identity/use: "true" ``` +##### GitHub + +If the provider is set to `github`, make sure the GitHub App is registered and +installed with the necessary permissions and the github app secret is configured +as described +[here](https://fluxcd.io/flux/components/source/gitrepositories/#github). + ### Git specification `.spec.git` is a required field to specify Git configurations related to source diff --git a/internal/source/git.go b/internal/source/git.go index 2adcf3b3..f6a3ee32 100644 --- a/internal/source/git.go +++ b/internal/source/git.go @@ -32,6 +32,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" "github.com/fluxcd/pkg/auth/azure" + "github.com/fluxcd/pkg/auth/github" "github.com/fluxcd/pkg/git" "github.com/fluxcd/pkg/git/gogit" sourcev1 "github.com/fluxcd/source-controller/api/v1" @@ -181,13 +182,30 @@ func getAuthOpts(ctx context.Context, c client.Client, repo *sourcev1.GitReposit return nil, fmt.Errorf("failed to configure authentication options: %w", err) } - if repo.GetProvider() == sourcev1.GitProviderAzure { + switch repo.GetProvider() { + case sourcev1.GitProviderAzure: opts.ProviderOpts = &git.ProviderOptions{ Name: sourcev1.GitProviderAzure, AzureOpts: []azure.OptFunc{ azure.WithAzureDevOpsScope(), }, } + case sourcev1.GitProviderGitHub: + // if provider is github, but secret ref is not specified + if repo.Spec.SecretRef == nil { + return nil, fmt.Errorf("secretRef with github app data must be specified when provider is set to github: %w", ErrInvalidSourceConfiguration) + } + opts.ProviderOpts = &git.ProviderOptions{ + Name: sourcev1.GitProviderGitHub, + GitHubOpts: []github.OptFunc{ + github.WithAppData(data), + }, + } + default: + // analyze secret, if it has github app data, perhaps provider should have been github. + if appID := data[github.AppIDKey]; len(appID) != 0 { + return nil, fmt.Errorf("secretRef '%s/%s' has github app data but provider is not set to github: %w", repo.GetNamespace(), repo.Spec.SecretRef.Name, ErrInvalidSourceConfiguration) + } } return opts, nil diff --git a/internal/source/git_test.go b/internal/source/git_test.go index 2802d68e..91647d3a 100644 --- a/internal/source/git_test.go +++ b/internal/source/git_test.go @@ -18,6 +18,7 @@ package source import ( "context" + "errors" "fmt" "testing" "time" @@ -34,6 +35,7 @@ import ( imagev1 "github.com/fluxcd/image-automation-controller/api/v1beta2" "github.com/fluxcd/image-automation-controller/internal/testutil" "github.com/fluxcd/pkg/apis/meta" + "github.com/fluxcd/pkg/auth/github" "github.com/fluxcd/pkg/git" sourcev1 "github.com/fluxcd/source-controller/api/v1" ) @@ -141,49 +143,127 @@ func Test_getAuthOpts(t *testing.T) { func Test_getAuthOpts_providerAuth(t *testing.T) { tests := []struct { name string + url string + secret *corev1.Secret beforeFunc func(obj *sourcev1.GitRepository) wantProviderOptsName string + wantErr error }{ { name: "azure provider", + url: "https://dev.azure.com/foo/bar/_git/baz", beforeFunc: func(obj *sourcev1.GitRepository) { obj.Spec.Provider = sourcev1.GitProviderAzure }, wantProviderOptsName: sourcev1.GitProviderAzure, }, + { + name: "github provider with no secret ref", + url: "https://github.com/org/repo.git", + beforeFunc: func(obj *sourcev1.GitRepository) { + obj.Spec.Provider = sourcev1.GitProviderGitHub + }, + wantProviderOptsName: sourcev1.GitProviderGitHub, + wantErr: errors.New("secretRef with github app data must be specified when provider is set to github: invalid source configuration"), + }, + { + name: "github provider with secret ref that does not exist", + url: "https://github.com/org/repo.git", + beforeFunc: func(obj *sourcev1.GitRepository) { + obj.Spec.Provider = sourcev1.GitProviderGitHub + obj.Spec.SecretRef = &meta.LocalObjectReference{ + Name: "githubAppSecret", + } + }, + wantErr: errors.New("failed to get auth secret '/githubAppSecret': secrets \"githubAppSecret\" not found"), + }, + { + name: "github provider with github app data in secret", + url: "https://example.com/org/repo", + secret: &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "githubAppSecret", + }, + Data: map[string][]byte{ + github.AppIDKey: []byte("123"), + github.AppInstallationIDKey: []byte("456"), + github.AppPrivateKey: []byte("abc"), + }, + }, + beforeFunc: func(obj *sourcev1.GitRepository) { + obj.Spec.Provider = sourcev1.GitProviderGitHub + obj.Spec.SecretRef = &meta.LocalObjectReference{ + Name: "githubAppSecret", + } + }, + wantProviderOptsName: sourcev1.GitProviderGitHub, + }, + { + name: "generic provider with github app data in secret", + url: "https://example.com/org/repo", + secret: &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "githubAppSecret", + }, + Data: map[string][]byte{ + github.AppIDKey: []byte("123"), + }, + }, + beforeFunc: func(obj *sourcev1.GitRepository) { + obj.Spec.Provider = sourcev1.GitProviderGeneric + obj.Spec.SecretRef = &meta.LocalObjectReference{ + Name: "githubAppSecret", + } + }, + wantErr: errors.New("secretRef '/githubAppSecret' has github app data but provider is not set to github: invalid source configuration"), + }, { name: "generic provider", + url: "https://example.com/org/repo", beforeFunc: func(obj *sourcev1.GitRepository) { obj.Spec.Provider = sourcev1.GitProviderGeneric }, }, { name: "no provider", + url: "https://example.com/org/repo", }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { g := NewWithT(t) + clientBuilder := fakeclient.NewClientBuilder(). + WithScheme(scheme.Scheme). + WithStatusSubresource(&sourcev1.GitRepository{}) + if tt.secret != nil { + clientBuilder.WithObjects(tt.secret) + } + c := clientBuilder.Build() obj := &sourcev1.GitRepository{ Spec: sourcev1.GitRepositorySpec{ - URL: "https://dev.azure.com/foo/bar/_git/baz", + URL: tt.url, }, } if tt.beforeFunc != nil { tt.beforeFunc(obj) } - opts, err := getAuthOpts(context.TODO(), nil, obj) + opts, err := getAuthOpts(context.TODO(), c, obj) - g.Expect(err).ToNot(HaveOccurred()) - g.Expect(opts).ToNot(BeNil()) - if tt.wantProviderOptsName != "" { - g.Expect(opts.ProviderOpts).ToNot(BeNil()) - g.Expect(opts.ProviderOpts.Name).To(Equal(tt.wantProviderOptsName)) + if tt.wantErr != nil { + g.Expect(err).To(HaveOccurred()) + g.Expect(err.Error()).To(ContainSubstring(tt.wantErr.Error())) } else { - g.Expect(opts.ProviderOpts).To(BeNil()) + g.Expect(err).ToNot(HaveOccurred()) + g.Expect(opts).ToNot(BeNil()) + if tt.wantProviderOptsName != "" { + g.Expect(opts.ProviderOpts).ToNot(BeNil()) + g.Expect(opts.ProviderOpts.Name).To(Equal(tt.wantProviderOptsName)) + } else { + g.Expect(opts.ProviderOpts).To(BeNil()) + } } }) }