
Add GitCredentialSecret to checkout params #365

Merged: 1 commit merged into main from git-credential-secret on Aug 20, 2024

Conversation

DrJosh9000 (Contributor) commented Aug 19, 2024

What

Add a new checkout parameter, gitCredentialsSecret, that can be used to supply .git-credentials to the checkout container from a Kubernetes secret.

[Screenshot: 2024-08-19 at 3:50:06 PM]

Why

Currently, checking out code with an SSH key loaded from a k8s secret is supported and even reasonably documented. The situation for HTTPS checkouts is much more lacking. I was able to get it working with a mish-mash of podSpecPatch and a pre-checkout hook, but I think that packaging it up into a single new parameter would be nice.

How

  • Add the new field to config.CheckoutParams and test data
  • When creating the checkout container, determine whether a gitCredentialsSecret was set; if so, add a secret volume to the podSpec, a volume mount to the container, and an extra command to the container entrypoint.

@DrJosh9000 DrJosh9000 changed the title from "[WIP] Git credential secret" to "[WIP] Add GitCredentialSecret to checkout params" Aug 19, 2024
@DrJosh9000 DrJosh9000 force-pushed the git-credential-secret branch 2 times, most recently from 9fa35a8 to 675dbf5 August 19, 2024 05:49
@DrJosh9000 DrJosh9000 changed the title from "[WIP] Add GitCredentialSecret to checkout params" to "Add GitCredentialSecret to checkout params" Aug 19, 2024
@DrJosh9000 DrJosh9000 force-pushed the git-credential-secret branch 6 times, most recently from dc4a415 to 018ff26 August 19, 2024 06:54
@DrJosh9000 DrJosh9000 marked this pull request as ready for review August 19, 2024 06:54
@DrJosh9000 DrJosh9000 requested a review from a team August 19, 2024 07:15
wolfeidau (Contributor) commented:

@DrJosh9000 is there a way we can avoid writing this secret to the filesystem?

DrJosh9000 (Contributor, Author) commented:

@wolfeidau That's a great question. I did a little more digging and thinking.

AFAICT our options for accessing k8s secrets within a container are limited to:

  1. referencing a secret through an environment variable with env (or multiple at once, with envFrom)
  2. mounting a secret volume

Either way, the data is accessible within the checkout container in plain text. I went for option 2 since it works with git's built-in credential helper.

We could switch to option 1 (env vars), but would need some workaround.

Copying the file means it often lives beyond the checkout container, so a workaround for that would be to add another ephemeral volume for the read-write copy of the file (I plan to do this, if we stick with option 2).

Elastic CI Stack uses s3 secrets hooks, which among other things implements a custom git credential helper in Go. We could do something similar.

wolfeidau (Contributor) commented:

@DrJosh9000 Maybe this is a thread to pull on separately; I think the best way forward would be a custom git credential helper of some sort. This way other stores like HashiCorp Vault, AWS SSM or Secrets Manager could be used in the future.

Maybe something we attack in the agent proper so it is more widely usable and build on the implementation already there.
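The custom credential helper discussed in the two comments above can be prototyped in a few lines of POSIX shell. This is an added example, not code from this PR or from the project it targets: it implements the `get` half of git's credential helper protocol (key=value lines on stdin, terminated by a blank line; username/password lines on stdout) and answers from environment variables, which is the "option 1" workaround, so no `.git-credentials` file is written anywhere. The variable names GIT_CRED_USERNAME, GIT_CRED_PASSWORD and GIT_CRED_HOST are assumptions for the example, as is the host check that refuses to release the secret to any other remote or over plain HTTP.

```shell
#!/bin/sh
# Added example: a git credential helper that never touches the filesystem.
# git invokes the helper as "<helper> get|store|erase" and speaks a simple
# key=value protocol on stdin/stdout, terminated by a blank line.
# Assumed (hypothetical) environment variables, e.g. populated from a k8s
# Secret via env/envFrom:
#   GIT_CRED_USERNAME  username to present
#   GIT_CRED_PASSWORD  password or personal access token
#   GIT_CRED_HOST      the only host the credential may be released to

# credential_get: read the request git sends for "get" and, if protocol and
# host match, print the username/password lines git expects. Any other
# request gets no output, so git falls through to prompting or failing.
credential_get() {
  req_protocol=""
  req_host=""
  while IFS= read -r line; do
    if [ -z "$line" ]; then
      break
    fi
    case "$line" in
      protocol=*) req_protocol="${line#protocol=}" ;;
      host=*)     req_host="${line#host=}" ;;
    esac
  done
  # Release the secret only over HTTPS and only to the configured host, so a
  # pipeline step cloning from some other remote cannot harvest it.
  if [ "$req_protocol" != "https" ] || [ "$req_host" != "$GIT_CRED_HOST" ]; then
    return 0
  fi
  if [ -z "$GIT_CRED_USERNAME" ] || [ -z "$GIT_CRED_PASSWORD" ]; then
    return 0
  fi
  printf 'username=%s\n' "$GIT_CRED_USERNAME"
  printf 'password=%s\n' "$GIT_CRED_PASSWORD"
}

# credential_helper: dispatch on git's action argument. store and erase are
# deliberate no-ops so git never persists the credential anywhere.
credential_helper() {
  case "${1:-}" in
    get)         credential_get ;;
    store|erase) : ;;
    *)           echo "usage: $0 get|store|erase" >&2; return 2 ;;
  esac
}

# Only dispatch when invoked by git with an action; sourcing the file for
# tests leaves the functions defined without running anything.
if [ "$#" -gt 0 ]; then
  credential_helper "$@"
fi
```

Wire it up in the checkout container with `git config --global credential.helper /path/to/helper.sh` (git executes an absolute path directly and appends the action). The caveat from the thread still applies: anything running in the same container can read the environment just as it could read a mounted file, so this only removes the on-disk copy that could outlive the checkout container; it does not hide the secret from the container itself.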

wolfeidau (Contributor) left a review comment:

👍🏻 good starting point

@DrJosh9000 DrJosh9000 force-pushed the git-credential-secret branch 3 times, most recently from 3572dbf to f7a840f August 20, 2024 05:37
@DrJosh9000 DrJosh9000 force-pushed the git-credential-secret branch from f7a840f to 482f108 August 20, 2024 06:14
@DrJosh9000 DrJosh9000 enabled auto-merge August 20, 2024 06:15
@DrJosh9000 DrJosh9000 merged commit 3b9fb54 into main Aug 20, 2024
1 check passed
@DrJosh9000 DrJosh9000 deleted the git-credential-secret branch August 20, 2024 06:20