Merge pull request #1061 from renyunkang/ca

stoneshi-yunify · web-flow · commit 5fede30b2967 · 2025-09-05T15:01:00.000+08:00
support self-signed certificates &amp; skip tls authentication
diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go
@@ -17,14 +17,17 @@ limitations under the License.
 package constants
 
 const (
-	CreatorAnnotationKey         = "kubesphere.io/creator"
-	WorkspaceLabelKey            = "kubesphere.io/workspace"
-	DisplayNameAnnotationKey     = "kubesphere.io/alias-name"
-	InsecureSkipTLSAnnotationKey = "devops.kubesphere.io/insecure-skip-tls"
-	GitAuthorNameAnnotationKey   = "devops.kubesphere.io/git-author-name"
-	GitAuthorEmailAnnotationKey  = "devops.kubesphere.io/git-author-email"
-	DevOpsProjectLabelKey        = "kubesphere.io/devopsproject"
+	CreatorAnnotationKey           = "kubesphere.io/creator"
+	WorkspaceLabelKey              = "kubesphere.io/workspace"
+	DisplayNameAnnotationKey       = "kubesphere.io/alias-name"
+	InsecureSkipTLSAnnotationKey   = "devops.kubesphere.io/insecure-skip-tls"
+	TLSCertsNameAnnotationKey      = "devops.kubesphere.io/tls-certs"
+	TLSCertsNameSpaceAnnotationKey = "devops.kubesphere.io/tls-certs-namespace"
+	GitAuthorNameAnnotationKey     = "devops.kubesphere.io/git-author-name"
+	GitAuthorEmailAnnotationKey    = "devops.kubesphere.io/git-author-email"
+	DevOpsProjectLabelKey          = "kubesphere.io/devopsproject"
 
+	TLSCertKey               = "ca.crt"
 	AuthenticationTag        = "Authentication"
 	DevOpsCredentialTag      = "DevOps Credential"
 	DevOpsPipelineTag        = "DevOps Pipeline"
@@ -38,7 +41,9 @@ const (
 	DevOpsClusterTemplateTag = "DevOps ClusterTemplate"
 	GitOpsTag                = "GitOps"
 
-	DevOpsManagedKey = "devops.kubesphere.io/managed"
+	DevOpsManagedKey      = "devops.kubesphere.io/managed"
+	DevOpsSystemNamespace = "kubesphere-devops-system"
+	DevOpsWorkerNamespace = "kubesphere-devops-worker"
 )
 
 var (
diff --git a/pkg/kapis/devops/v1alpha3/gitops/factory.go b/pkg/kapis/devops/v1alpha3/gitops/factory.go
@@ -2,7 +2,6 @@ package gitops
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -47,6 +46,32 @@ func (g *gitRepoFactory) parseSkipTLSFromRepo(ctx context.Context, repo *v1alpha
 	return yes
 }
 
+func (g *gitRepoFactory) parseTLSCertsFromRepo(ctx context.Context, repo *v1alpha3.GitRepository) ([]byte, error) {
+	tlsCertsName := repo.Annotations[constants.TLSCertsNameAnnotationKey]
+	if tlsCertsName == "" {
+		return nil, nil
+	}
+
+	tlsCertsNamespace := repo.Annotations[constants.TLSCertsNameSpaceAnnotationKey]
+	if tlsCertsNamespace == "" {
+		tlsCertsNamespace = constants.DevOpsWorkerNamespace
+	}
+
+	caSecret := &v1.ConfigMap{}
+	if err := g.k8sClient.Get(ctx, types.NamespacedName{
+		Name:      tlsCertsName,
+		Namespace: tlsCertsNamespace,
+	}, caSecret); err != nil {
+		return nil, err
+	}
+
+	if caSecret.Data[constants.TLSCertKey] == "" {
+		return nil, fmt.Errorf("invalid secret data: %s", constants.TLSCertKey)
+	}
+
+	return []byte(caSecret.Data[constants.TLSCertKey]), nil
+}
+
 func (g *gitRepoFactory) parseAuthorFromSecret(ctx context.Context, secret *v1.Secret) *object.Signature {
 	var authorName, authorEmail string
 	if secret != nil {
@@ -97,6 +122,10 @@ func (g *gitRepoFactory) NewRepoService(ctx context.Context, user user.Info, rep
 	}
 
 	insecureSkipTLS := g.parseSkipTLSFromRepo(ctx, gitRepo)
+	ca, err := g.parseTLSCertsFromRepo(ctx, gitRepo)
+	if err != nil {
+		return nil, err
+	}
 	author := g.parseAuthorFromSecret(ctx, secret)
 	repoDir := g.getRepoDirForUser(ctx, repoName.Namespace, gitRepo.Spec.URL)
 
@@ -111,12 +140,15 @@ func (g *gitRepoFactory) NewRepoService(ctx context.Context, user user.Info, rep
 		if err != nil {
 			return nil, err
 		}
-	} else if errors.Is(err, os.ErrNotExist) {
-		repo, err = git.PlainClone(repoDir, false, &git.CloneOptions{
-			Auth:     auth,
-			URL:      gitRepo.Spec.URL,
-			Progress: os.Stdout,
-		})
+	} else if os.IsNotExist(err) {
+		opt := &git.CloneOptions{
+			Auth:            auth,
+			URL:             gitRepo.Spec.URL,
+			Progress:        os.Stdout,
+			InsecureSkipTLS: insecureSkipTLS,
+			CABundle:        ca,
+		}
+		repo, err = git.PlainClone(repoDir, false, opt)
 		if err != nil {
 			return nil, err
 		}
@@ -133,8 +165,9 @@ func (g *gitRepoFactory) NewRepoService(ctx context.Context, user user.Info, rep
 		user:            user,
 		repo:            repo,
 		auth:            auth,
-		insecureSkipTLS: insecureSkipTLS,
 		newFilePerm:     g.config.NewFilePerm,
+		insecureSkipTLS: insecureSkipTLS,
+		caBundle:        ca,
 	}
 	repoService := NewGitRepoService(gitRepoOpts)
 
diff --git a/pkg/kapis/devops/v1alpha3/scm/scmhandler.go b/pkg/kapis/devops/v1alpha3/scm/scmhandler.go
@@ -28,9 +28,11 @@ import (
 	"github.com/go-git/go-git/v5/storage/memory"
 	goscm "github.com/jenkins-x/go-scm/scm"
 	"github.com/kubesphere/ks-devops/pkg/client/git"
+	"github.com/kubesphere/ks-devops/pkg/constants"
 	"github.com/kubesphere/ks-devops/pkg/kapis"
 	"github.com/kubesphere/ks-devops/pkg/kapis/common"
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -50,6 +52,9 @@ func newHandler(k8sClient client.Client) *handler {
 func (h *handler) verify(request *restful.Request, response *restful.Response) {
 	scm := request.PathParameter("scm")
 	secretName := request.QueryParameter("secret")
+	insecureSkipTLS := request.QueryParameter("insecureSkipTLS") == "true"
+	caName := request.QueryParameter("caName")
+	caNamespace := request.QueryParameter("caNamespace")
 	secretNamespace := request.QueryParameter("secretNamespace")
 	server := common.GetQueryParameter(request, queryParameterServer)
 
@@ -62,7 +67,8 @@ func (h *handler) verify(request *restful.Request, response *restful.Response) {
 			response.WriteHeaderAndEntity(http.StatusBadRequest, err)
 			return
 		}
-		code, err = h.checkRepoAccess(server, secretName, secretNamespace)
+
+		code, err = h.checkRepoAccess(server, secretName, secretNamespace, insecureSkipTLS, caName, caNamespace)
 
 	default:
 		_, code, err = h.getOrganizations(scm, server, secretName, secretNamespace, 1, 1, false)
@@ -74,14 +80,34 @@ func (h *handler) verify(request *restful.Request, response *restful.Response) {
 	_ = response.WriteAsJson(verifyResult)
 }
 
-func (h *handler) checkRepoAccess(repourl, secretName, secretNamespace string) (int, error) {
+func (h *handler) checkRepoAccess(repourl, secretName, secretNamespace string, insecureSkipTLS bool, caName, caNamespace string) (int, error) {
 	storage := memory.NewStorage()
 	remote := gogit.NewRemote(storage, &config.RemoteConfig{
 		Name: "origin",
 		URLs: []string{repourl},
 	})
 
-	listOption := &gogit.ListOptions{}
+	listOption := &gogit.ListOptions{InsecureSkipTLS: insecureSkipTLS}
+	if caName != "" {
+		if caNamespace == "" {
+			caNamespace = constants.DevOpsWorkerNamespace
+		}
+
+		cacm := &v1.ConfigMap{}
+		if err := h.Get(context.Background(), client.ObjectKey{Namespace: caNamespace, Name: caName}, cacm); err != nil {
+			if errors.IsNotFound(err) {
+				return http.StatusNotFound, err
+			}
+			return http.StatusInternalServerError, err
+		}
+
+		certData, exists := cacm.Data[constants.TLSCertKey]
+		if !exists {
+			return http.StatusNotFound, fmt.Errorf("ca.crt not found in configmap %s", caName)
+		}
+		listOption.CABundle = []byte(certData)
+	}
+
 	if secretName != "" && secretNamespace != "" {
 		factory := git.NewClientFactory("git", &v1.SecretReference{
 			Namespace: secretNamespace, Name: secretName,
