source-controller icon indicating copy to clipboard operation
source-controller copied to clipboard
verified publisher icon fluxcd

GitRepository fails to clone from public repo if secretRef is specified without HTTP creds

Open chenbh opened this issue 3 years ago • 0 comments

When trying to pull from a publicly accessible repo, if the .spec.secretRef.name is specified but the secret itself doesn't contain a username/password, the GitRepository will always fail with failed to checkout and determine revision: unable to clone 'https://github.com/fluxcd/source-controller.git': authentication required.

---
apiVersion: v1
kind: Secret
metadata:
  name: git-creds
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
secrets:
- name: git
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
  name: gitrepo
spec:
  secretRef:
    name: git-creds
  url: https://github.com/fluxcd/source-controller.git
  ref:
    branch: main
  interval: 1m

Our use case is that we have a SSH key and need to template out a bunch of GitRepositories, some of which are private. So instead of adding logic to conditionally template in the SSH secret, we specify the secretRef on all of the GitRepositories with the expectation that the secret is simply ignored for public repos.

I think this is caused by the controller defaulting to assuming ssh transport (and using git as the username) if the secret is specified but no username is found: https://github.com/fluxcd/source-controller/blob/20b26f235e11a9eb6e0784f2598aeffa63a81606/pkg/git/options.go#L144-L146

chenbh avatar Aug 30 '22 19:08 chenbh