Add support for mTLS to GitHub App transport #1860
obj.GetName(), obj.GetNamespace(), cache.OperationReconcile)) | ||
} | ||
|
||
username, password, err := github.GetCredentials(ctx, opts...) | ||
if len(opts.CAFile) > 0 { |
I just realized that we are using .spec.secretRef for certs that apply to the communication with Git via HTTPS, and here we are using the same certs also for hitting the GitHub API to get a token. Does this make sense in all cases? Could you need a custom CA/client cert only for getting the token, but if you use the same CA/cert for the Git HTTPS communication it would not work?
Also, where does client cert authentication apply exactly? If you're using a GitHub App to authenticate, would client cert authentication still make any sense? For example, would you need the client cert authentication just for getting a GitHub App token from the API?
Hi @matheuscscp

> I just realized that we are using .spec.secretRef for certs that apply to the communication with Git via HTTPS, and here we are using the same certs also for hitting the GitHub API to get a token. Does this make sense in all cases? Could you need a custom CA/client cert only for getting the token, but if you use the same CA/cert for the Git HTTPS communication it would not work?

> Also, where does client cert authentication apply exactly? If you're using a GitHub App to authenticate, would client cert authentication still make any sense? For example, would you need the client cert authentication just for getting a GitHub App token from the API?
So TLDR; It is needed for all cases: all endpoints, including the git protocol, need the ca.crt as it is a global GitHub Enterprise configuration.

So the POST request to api/v3/app/installations/INSTALLATION_ID/access_tokens needs ca.crt.

Also it makes it easier in flux to only specify the ca.crt in one place and re-use it to fetch the installation token and for the rest of the git checkout commands.

Let me try to summarize the scenario:

So for the on-premise / hybrid cloud scenario GitHub normally recommends this as a Security Hardening feature.

- Enterprise instances that implement the hardening require ca.crt (Custom / Company RootCA) to be presented for all API endpoints of GitHub... including for git protocols.
- This is not limited to just GitHub App, but also applicable to PAT and SSH.
- But when running in containers you either need to have these certs in the image you build, or provide the ca.crt in the tls.Config of the API calls you make.
- source-controller was already handling this for PAT based auth / SSH scenarios but not for GitHub App.
This makes sense to me. I'll confirm this is ok in the dev meeting tomorrow and get back here 👍
Ok thank you 🙏
This needs to be documented, but if you set certs in the secretRef they must apply to all calls no matter the scope.
> This needs to be documented, but if you set certs in the secretRef they must apply to all calls no matter the scope.

@stefanprodan - there are references to certificate authority usage here in the docs: https://fluxcd.io/flux/components/source/gitrepositories/#https-certificate-authority

Should I add a bullet point under the GitHub provider section here? https://fluxcd.io/flux/components/source/gitrepositories/#github
Yeap we need to mention there the certs key as optional
this commit ensures that if ca.crt or caFile is available in the github app secret, a tls config with user provided certs is appended to system cert pool and passed to the underlying http transport
Signed-off-by: abhijith-darshan <[email protected]>

(chore): update target URL for TLSConfigFromSecret
this commit ensures that the target URL for runtime/secrets.TLSConfigFromSecret has the scheme and host
Signed-off-by: abhijith-darshan <[email protected]>

(chore): adds test scenarios
this commit adds test scenarios for mTLS GitHub app in reconcile source auth strategy
Signed-off-by: abhijith-darshan <[email protected]>

aae442d to 371c49f
username, password, err := github.GetCredentials(ctx, opts...) | ||
if len(opts.CAFile) > 0 { | ||
targetURL := fmt.Sprintf("%s://%s", u.Scheme, u.Host) | ||
tlsConfig, err := secrets.TLSConfigFromSecret(ctx, secret, targetURL, secrets.WithSystemCertPool()) |
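Review bot: in the visible context the `err` returned by `github.GetCredentials(ctx, opts...)` is not checked before `if len(opts.CAFile) > 0 {`, and `tlsConfig, err := secrets.TLSConfigFromSecret(...)` inside the block declares a new `err` that shadows it, so a failed credential lookup can be masked by a successful TLS config build; check the credentials error immediately after the call (`if err != nil { return ... }`) before entering the block. Also worth confirming that `len(opts.CAFile) > 0` is the right gate: the PR description says the config is built when `ca.crt` or `caFile` is present, so a secret that carries only a client certificate pair without a CA would skip the mTLS path.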
Nice 👍
If ca.crt or caFile is available in the GitHub App secret, a tls config with user provided certs is appended to system cert pool and passed to the underlying GitHub App transport.

closes #1858