Skip to content

Commit 143de5d

Browse files
Add "--password-file-reload" flag to refresh password during each sync cycle (#976)
* add-password-file-reload-flag * Update main.go Co-authored-by: Tim Hockin <thockin@google.com> * Remove password file reload functionality Removed the password file reload flag and related logic to simplify credential management. * Simplify comment about token rotation Removed redundant mention of 'from Vault' in comment. * Implement password-file reload test in e2e script Add end-to-end test for password-file reload during sync. * Fix indentation in comments for clarity * Format * Update main.go Co-authored-by: Tim Hockin <thockin@google.com> * rename e2e test function & add max-attempts flag --------- Co-authored-by: Tim Hockin <thockin@google.com>
1 parent 5b53c82 commit 143de5d

2 files changed

Lines changed: 76 additions & 15 deletions

File tree

main.go

Lines changed: 18 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -749,19 +749,6 @@ func main() {
749749
os.Exit(1)
750750
}
751751

752-
// Finish populating credentials.
753-
for i := range *flCredentials {
754-
cred := &(*flCredentials)[i]
755-
if cred.PasswordFile != "" {
756-
passwordFileBytes, err := os.ReadFile(cred.PasswordFile)
757-
if err != nil {
758-
log.Error(err, "can't read password file", "file", cred.PasswordFile)
759-
os.Exit(1)
760-
}
761-
cred.Password = string(passwordFileBytes)
762-
}
763-
}
764-
765752
// If the --repo or any submodule uses SSH, we need to know which keys.
766753
if err := git.SetupGitSSH(*flSSHKnownHosts, *flSSHKeyFiles, *flSSHKnownHostsFile); err != nil {
767754
log.Error(err, "can't set up git SSH", "keyFiles", *flSSHKeyFiles, "useKnownHosts", *flSSHKnownHosts, "knownHostsFile", *flSSHKnownHostsFile)
@@ -883,7 +870,20 @@ func main() {
883870
refreshCreds := func(ctx context.Context) error {
884871
// These should all be mutually-exclusive configs.
885872
for _, cred := range *flCredentials {
886-
if err := git.StoreCredentials(ctx, cred.URL, cred.Username, cred.Password); err != nil {
873+
password := cred.Password
874+
875+
// If this credential has a password file, re-read it from disk
876+
// to pick up token rotation
877+
if cred.PasswordFile != "" {
878+
passwordFileBytes, err := os.ReadFile(cred.PasswordFile)
879+
if err != nil {
880+
return fmt.Errorf("can't read password file %q: %w", cred.PasswordFile, err)
881+
}
882+
password = string(passwordFileBytes)
883+
git.log.V(3).Info("read password from file", "file", cred.PasswordFile)
884+
}
885+
886+
if err := git.StoreCredentials(ctx, cred.URL, cred.Username, password); err != nil {
887887
return err
888888
}
889889
}
@@ -2584,7 +2584,10 @@ OPTIONS
25842584
--password-file <string>, $GITSYNC_PASSWORD_FILE
25852585
The file from which the password or personal access token (see
25862586
github docs) to use for git authentication (see --username) will be
2587-
read. See also $GITSYNC_PASSWORD.
2587+
read. The file is re-read before each sync attempt, allowing
2588+
git-sync to pick up token rotations automatically (e.g. when using
2589+
dynamic credentials from an external secrets system).
2590+
See also $GITSYNC_PASSWORD.
25882591
25892592
--period <duration>, $GITSYNC_PERIOD
25902593
How long to wait between sync attempts. This must be at least

test_e2e.sh

Lines changed: 58 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2022,6 +2022,64 @@ function e2e::auth_http_password_file() {
20222022
assert_file_eq "$ROOT/link/file" "${FUNCNAME[0]}"
20232023
}
20242024

2025+
##############################################
2026+
# Test password-file reload on each sync
2027+
##############################################
2028+
function e2e::auth_password_file_reload() {
2029+
# Run a git-over-HTTP server.
2030+
local ctr
2031+
ctr=$(docker_run \
2032+
-v "$REPO":/git/repo:ro \
2033+
e2e/test/httpd)
2034+
local ip
2035+
ip=$(docker_ip "$ctr")
2036+
2037+
# Create a password file with the correct password.
2038+
echo -n "testpass" > "$WORK/password-file"
2039+
2040+
# First sync
2041+
echo "${FUNCNAME[0]} 1" > "$REPO/file"
2042+
git -C "$REPO" commit -qam "${FUNCNAME[0]} 1"
2043+
2044+
GIT_SYNC \
2045+
--period=1s \
2046+
--repo="http://$ip/repo" \
2047+
--root="$ROOT" \
2048+
--link="link" \
2049+
--username="testuser" \
2050+
--password-file="$WORK/password-file" \
2051+
--max-failures=100 \
2052+
&
2053+
wait_for_sync "${MAXWAIT}"
2054+
assert_link_exists "$ROOT/link"
2055+
assert_file_exists "$ROOT/link/file"
2056+
assert_file_eq "$ROOT/link/file" "${FUNCNAME[0]} 1"
2057+
2058+
# Change password file to wrong password
2059+
echo -n "wrong" > "$WORK/password-file.tmp"
2060+
mv "$WORK/password-file.tmp" "$WORK/password-file"
2061+
2062+
# Commit a change to the repo
2063+
echo "${FUNCNAME[0]} 2" > "$REPO/file"
2064+
git -C "$REPO" commit -qam "${FUNCNAME[0]} 2"
2065+
2066+
# Wait a bit and verify sync did NOT happen (still has old content)
2067+
sleep 3
2068+
assert_link_exists "$ROOT/link"
2069+
assert_file_exists "$ROOT/link/file"
2070+
assert_file_eq "$ROOT/link/file" "${FUNCNAME[0]} 1"
2071+
2072+
# Change password file back to correct password
2073+
echo -n "testpass" > "$WORK/password-file.tmp"
2074+
mv "$WORK/password-file.tmp" "$WORK/password-file"
2075+
2076+
# Verify sync now picks up the new change
2077+
wait_for_sync "${MAXWAIT}"
2078+
assert_link_exists "$ROOT/link"
2079+
assert_file_exists "$ROOT/link/file"
2080+
assert_file_eq "$ROOT/link/file" "${FUNCNAME[0]} 2"
2081+
}
2082+
20252083
##############################################
20262084
# Test SSH (user@host:path syntax)
20272085
##############################################

0 commit comments

Comments
 (0)