Adds mTLS support for GitRepositories #1766

Closed

@benke33 benke33 commented Mar 28, 2025

Hi,

Here's an updated version of PR #1302, without the proxy parts.

This PR adds mTLS support for GitRepositories, which is required if you have your git infrastructure
behind a firewall.
With this feature you don't need any additional setup like nginx reverse proxy or mtls-transmitter
to access git repos behind a firewall requiring mTLS.

Certificates are added to the same secret used for the credentials in spec.secretRef; CA is optional:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-mtls-secret
stringData:
  certFile: < certificate data >
  keyFile: < private key data >
  caFile: < CA data >
  username: < git username >
  password: < git token >
  # or
  bearerToken: < git token >
```

Credit to @VasylR for the PR #1302

This PR closes #1761


// Ensures the secret contains the valid keys for the certificate & private key.
func (r *GitRepositoryReconciler) isCertificateDataValid(sslCertificateData map[string][]byte) bool {
certBytes, keyBytes := sslCertificateData["certFile"], sslCertificateData["keyFile"]
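Review bot: isCertificateDataValid returns only a bool, so at the certFile/keyFile lookups a missing secret entry (the map index silently yields nil) cannot be told apart from a malformed or mismatched key pair. Return an error that names the offending key so the reconciler can surface it in the object's status, and update the doc comment to say what "valid" covers.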
Member

The keys should be tls.crt and tls.key, same as for OCIRepository and other APIs we have in Flux.

Author

  • updated isCertificateDataValid function to use tls.key & tls.crt instead.
  • Changed to use KubeTLSClientConfigFromSecret as OCIRepository does.

transportHttp = h.DefaultTransport
}

gitclient.InstallProtocol("https", transportHttp)
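Review bot: gitclient.InstallProtocol("https", transportHttp) on the last line registers the transport for the whole "https" scheme rather than for this object, so whichever reconciliation ran last (including the h.DefaultTransport fallback just above) decides the TLS settings for every other https fetch, and concurrent reconciliations can overwrite each other mid-operation. Scope the transport to the client created for this GitRepository instead of installing it process-wide.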
Member

@stefanprodan stefanprodan Apr 8, 2025

We can't alter the global client as this would impact all GitRepositories. If you have a GitHub repo and some mTLS Git server, then GitHub will fail. Not to mention this breaks multi-tenancy allowing any tenant to use the client certs of any other tenant.

Member

@stefanprodan stefanprodan Apr 8, 2025

We need to add support for mTLS to fluxcd/pkg/git in the same way we do for CA: https://github.com/fluxcd/pkg/blob/155709e21f1e4cbe9726c7be831fcf92aceda3d1/git/options.go#L51

Then source-controller and image-automation-controller would set the client certs as options when they create the client for each reconciliation.

But before all of this, go-git needs to support client certs here: https://github.com/go-git/go-git/blob/4e67bbed91c0e31ce97b9ad5e2b9b51f1cf139de/options.go#L77
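The per-client approach described in the comment above, as an added example (not code from this PR, Flux, or go-git): it uses only Go's standard library, and `transportFromSecret` and `constructedSecret` are hypothetical names. The `tls.crt`/`tls.key` keys are the ones requested in review; the certificate material is generated on the fly as constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// transportFromSecret (hypothetical) builds a transport for ONE client; no global state is touched.
func transportFromSecret(data map[string][]byte) (*http.Transport, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	crt, key := data["tls.crt"], data["tls.key"]
	if (len(crt) == 0) != (len(key) == 0) {
		return nil, fmt.Errorf("tls.crt and tls.key must be set together")
	}
	if len(crt) > 0 {
		pair, err := tls.X509KeyPair(crt, key) // rejects malformed PEM and mismatched pairs
		if err != nil {
			return nil, fmt.Errorf("invalid client certificate: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return &http.Transport{TLSClientConfig: cfg}, nil
}

// constructedSecret returns throwaway self-signed material (constructed sample data).
func constructedSecret(cn string) map[string][]byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	kb, _ := x509.MarshalECPrivateKey(key)
	return map[string][]byte{
		"tls.crt": pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		"tls.key": pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: kb}),
	}
}

func main() {
	a, _ := transportFromSecret(constructedSecret("tenant-a"))
	fmt.Println("client certs on tenant-a transport:", len(a.TLSClientConfig.Certificates))
}
```

A transport built from a secret without `tls.crt`/`tls.key` carries no client certificate, so a public repository reconciled alongside an mTLS one is unaffected.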

@stefanprodan
Member

Closing, please see the implementation requirements for Git mTLS documented here: #1761 (comment)
