[RFC-007] Implement GitHub app authentication for git repositories. #1647
Conversation
dipti-pai
force-pushed
the
github-app-auth
branch
from
2ada071 to
0e437a3
Compare
|
Thank you for picking up this topic. Can we also add documentation for the use with GitHub Enterprise? |
There was a problem hiding this comment.
Did some basic testing and it worked as expected for the happy path
spec:
interval: 5m0s
provider: github
ref:
branch: main
secretRef:
name: github-sa
timeout: 60s
url: https://github.com/darkowlzz/test-1
status:
artifact:
digest: sha256:4166a3310c4f57471a5cfa2910475e4d47874920d7c156f656b7e70c01adcd2e
lastUpdateTime: "2024-12-03T21:09:21Z"
path: gitrepository/default/test-1/a4f6eca644dadd9112ff3d93c99eda63eeca949a.tar.gz
revision: main@sha1:a4f6eca644dadd9112ff3d93c99eda63eeca949a
size: 4083
url: http://:0/gitrepository/default/test-1/a4f6eca644dadd9112ff3d93c99eda63eeca949a.tar.gz
conditions:
- lastTransitionTime: "2024-12-03T21:09:21Z"
message: stored artifact for revision 'main@sha1:a4f6eca644dadd9112ff3d93c99eda63eeca949a'
observedGeneration: 1
reason: Succeeded
status: "True"
type: Ready
- lastTransitionTime: "2024-12-03T21:09:21Z"
message: stored artifact for revision 'main@sha1:a4f6eca644dadd9112ff3d93c99eda63eeca949a'
observedGeneration: 1
reason: Succeeded
status: "True"
type: ArtifactInStorage
observedGeneration: 1Left some comments, suggestions a few improvements.
dipti-pai
force-pushed
the
github-app-auth
branch
from
0e437a3 to
8e06af4
Compare
|
@dipti-pai please rebase with main, it contains the latest auth and git packages with GitHub App support. |
dipti-pai
force-pushed
the
github-app-auth
branch
from
8e06af4 to
1c25389
Compare
dipti-pai
force-pushed
the
github-app-auth
branch
from
1c25389 to
58ebb1b
Compare
- API change to add new `github` provider field in `GitRepository` spec. - Controller change to use the GitHub authentication information specified in `.spec.secretRef` to create the auth options to authenticate to git repositories when the `provider` field is set to `github`, - Tests for new `github` provider field - Updated docs to use GitHub Apps for authentication in source-controller. Signed-off-by: Dipti Pai <[email protected]>
darkowlzz
force-pushed
the
github-app-auth
branch
from
58ebb1b to
9556a63
Compare
| if obj.Spec.SecretRef == nil { | ||
| e := serror.NewStalling( | ||
| fmt.Errorf("secretRef with github app data must be specified when provider is set to github"), | ||
| sourcev1.AuthenticationFailedReason, |
There was a problem hiding this comment.
I believe the way we use AuthenticationFailedReason today is for actual authentication failures which are retried. Using AuthenticationFailedReason with stalled condition seems incorrect. The problem is a misconfiguration, invalid configuration. We have URLInvalidReason, InvalidSTSConfigurationReason, etc which are explicit about the type of failure. In this case, we haven't even attempted authentication but we know that authentication won't work. I think it would be better to introduce a new reason for this, similar to STS configuration, say InvalidProviderConfigurationReason.
I think the same can be used for the case below where the secret contains github app data but the provider is not set, also invalid provider configuration.
There was a problem hiding this comment.
I pushed a separate commit introducing InvalidProviderConfigurationReason and using it above. I'll change it in case of any objection.
Also, added a few tests for checking this reason on failure in the status conditions.
Also, slightly modified and rearranged a test case where secret ref is provided but the secret doesn't exist. This is not specific to github provider, but generic in getAuthOpts().
Introduce InvalidProviderConfigurationReason for Git provider github related misconfiguration. Add github provider related tests to check the status conditions reason. Rearrange and modify a test case for getAuthOpts() for provider test where a referred secret doesn't exist. This scenario is not specific to any provider. Signed-off-by: Sunny <[email protected]>
githubprovider field inGitRepositoryspec..spec.secretRefto create the auth options to authenticate to git repositories when theproviderfield is set togithubgithubprovider field