Add Custom Git Client for WAF-Secured Repos

Introduce a custom Git client to handle repositories behind Web Application
Firewalls (WAF). This client facilitates TLS certificate-based authentication,
enabling secure Git operations in corporate environments.

Signed-off-by: Vasyl Rudiuk <[email protected]>

Author: Vasyl Rudiuk

internal/controller/auth_certificate.go

@@ -0,0 +1,34 @@
+package controller
+
+import (
+	"context"
+	"crypto/tls"
+	"net/http"
+
+	"github.com/go-git/go-git/v5/plumbing/transport"
+	httptransport "github.com/go-git/go-git/v5/plumbing/transport/http"
+	ctrl "sigs.k8s.io/controller-runtime"
+)
+
+// HttpTransportWithCustomCerts returns an HTTP transport with custom certificates.
+// If proxyStr is provided, it will be used as the proxy URL.
+// If not, it tries to fetch the proxy from an environment variable.
+func HttpTransportwithCustomCerts(tlsConfig *tls.Config, proxyStr *transport.ProxyOptions, ctx context.Context) (transport.Transport, error) {
+
+	log := ctrl.LoggerFrom(ctx)
+	// var message string
+
+	if tlsConfig == nil || len(tlsConfig.Certificates) == 0 {
+		log.Info("tlsConfig cannot be nil")
+		return nil, nil
+	}
+
+	return httptransport.NewClient(&http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: tlsConfig,
+		},
+	}), nil
+
+}
+
+//

internal/controller/gitrepository_controller.go

@@ -62,6 +62,8 @@ import (
 	sreconcile "github.com/fluxcd/source-controller/internal/reconcile"
 	"github.com/fluxcd/source-controller/internal/reconcile/summarize"
 	"github.com/fluxcd/source-controller/internal/util"
+	"github.com/fluxcd/source-controller/internal/tls"
+	gitclient "github.com/go-git/go-git/v5/plumbing/transport/client"
 )
 
 // gitRepositoryReadyCondition contains the information required to summarize a
@@ -148,6 +150,100 @@ func (r *GitRepositoryReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return r.SetupWithManagerAndOptions(mgr, GitRepositoryReconcilerOptions{})
 }
 
+// Interface co configure gitclient with custom TLS options
+// used for application firewall authentication.
+type GitClientConfigurer interface {
+	ConfigureGitClient(ctx context.Context, obj *sourcev1.GitRepository)
+	IsValid() bool
+	backupHttpsTransport()
+}
+
+type GitClientHttpConfigurer struct {
+	SSLCertificateData   map[string][]byte
+	ProxyOpts            *transport.ProxyOptions
+	Valid                bool
+	DefaultTransport     transport.Transport
+	AppFirewallTransport transport.Transport
+}
+
+func (c *GitClientHttpConfigurer) IsValid() bool {
+	return c.Valid
+}
+
+func (c *GitClientHttpConfigurer) SetValid() {
+	c.Valid = true
+}
+
+func (c *GitClientHttpConfigurer) SetInvalid() {
+	c.Valid = false
+}
+
+func (r *GitRepositoryReconciler) isCertificateDataValid(sslCertificateData map[string][]byte) bool {
+	certBytes, keyBytes := sslCertificateData["certFile"], sslCertificateData["keyFile"]
+	// Validate that both the certificate and key data are present
+	return len(certBytes) > 0 && len(keyBytes) > 0
+}
+
+func (h *GitClientHttpConfigurer) backupHttpsTransport() {
+	h.DefaultTransport = gitclient.Protocols["https"]
+}
+
+func (h *GitClientHttpConfigurer) ConfigureGitClient(ctx context.Context, obj *sourcev1.GitRepository) {
+
+	if obj.Spec.SecretRef != nil {
+		// var secretName = obj.Spec.SecretRef.Name
+		// if secretName == "waf-authentication" {
+		sslCertificate := &corev1.Secret{
+			Data: h.SSLCertificateData,
+		}
+		tlsConfig, _, err := tls.TLSClientConfigFromSecret(*sslCertificate, "")
+		if err != nil {
+			fmt.Println("Error generating TLS config:", err)
+			return
+		}
+		h.backupHttpsTransport()
+
+		transportHttp, err := HttpTransportwithCustomCerts(tlsConfig, h.ProxyOpts, ctx)
+		if err != nil {
+			fmt.Println("Error setting up transport:", err)
+			return
+		}
+
+		gitclient.InstallProtocol("https", transportHttp)
+
+	}
+	// }
+}
+
+
+
+// configureHttpTransport sets up the HTTP transport configuration for the Git client.
+func (r *GitRepositoryReconciler) configureHttpTransport(ctx context.Context, obj *sourcev1.GitRepository) (*GitClientHttpConfigurer, error) {
+	httpTransportConfig := &GitClientHttpConfigurer{} // Initialize with defaults configuration
+
+	// Check if SecretRef is specified for the repository
+	if obj.Spec.SecretRef != nil {
+		// Fetch the SSL certificate data from the specified secret
+		sslCertificateData, err := r.getSecretData(ctx, obj.Spec.SecretRef.Name, obj.Namespace)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get secret '%s/%s': %w", obj.Namespace, obj.Spec.SecretRef.Name, err)
+		}
+
+		// Set up the HTTP transport configuration with the fetched certificate data
+		httpTransportConfig.SSLCertificateData = sslCertificateData
+		if r.isCertificateDataValid(sslCertificateData) {
+			httpTransportConfig.SetValid()
+		} else {
+			httpTransportConfig.SetInvalid()
+		}
+	} else {
+		// If no SecretRef is provided, mark the transport config as invalid or set defaults
+		httpTransportConfig.SetInvalid()
+	}
+
+	return httpTransportConfig, nil
+}
+
 func (r *GitRepositoryReconciler) SetupWithManagerAndOptions(mgr ctrl.Manager, opts GitRepositoryReconcilerOptions) error {
 	r.patchOptions = getPatchOptions(gitRepositoryReadyCondition.Owned, r.ControllerName)
 
@@ -535,7 +631,12 @@ func (r *GitRepositoryReconciler) reconcileSource(ctx context.Context, sp *patch
 	// Persist the ArtifactSet.
 	*includes = *artifacts
 
-	c, err := r.gitCheckout(ctx, obj, authOpts, proxyOpts, dir, true)
+	httpTransportConfig, err := r.configureHttpTransport(ctx, obj)
+	if err != nil {
+		return sreconcile.ResultEmpty, err
+	}
+
+	c, err := r.gitCheckout(ctx, obj, authOpts, proxyOpts, dir, true, httpTransportConfig)
 	if err != nil {
 		return sreconcile.ResultEmpty, err
 	}
@@ -579,7 +680,7 @@ func (r *GitRepositoryReconciler) reconcileSource(ctx context.Context, sp *patch
 
 		// If we can't skip the reconciliation, checkout again without any
 		// optimization.
-		c, err := r.gitCheckout(ctx, obj, authOpts, proxyOpts, dir, false)
+		c, err := r.gitCheckout(ctx, obj, authOpts, proxyOpts, dir, false, httpTransportConfig)
 		if err != nil {
 			return sreconcile.ResultEmpty, err
 		}
@@ -832,7 +933,7 @@ func (r *GitRepositoryReconciler) reconcileInclude(ctx context.Context, sp *patc
 // gitCheckout builds checkout options with the given configurations and
 // performs a git checkout.
 func (r *GitRepositoryReconciler) gitCheckout(ctx context.Context, obj *sourcev1.GitRepository,
-	authOpts *git.AuthOptions, proxyOpts *transport.ProxyOptions, dir string, optimized bool) (*git.Commit, error) {
+	authOpts *git.AuthOptions, proxyOpts *transport.ProxyOptions, dir string, optimized bool, clientConf GitClientConfigurer) (*git.Commit, error) {
 	// Configure checkout strategy.
 	cloneOpts := repository.CloneConfig{
 		RecurseSubmodules: obj.Spec.RecurseSubmodules,
@@ -866,6 +967,9 @@ func (r *GitRepositoryReconciler) gitCheckout(ctx context.Context, obj *sourcev1
 		clientOpts = append(clientOpts, gogit.WithProxy(*proxyOpts))
 	}
 
+	if clientConf.IsValid() {
+		clientConf.ConfigureGitClient(ctx, obj)
+	}
 	gitReader, err := gogit.NewClient(dir, authOpts, clientOpts...)
 	if err != nil {
 		e := serror.NewGeneric(

internal/controller/gitrepository_controller_test.go

@@ -571,6 +571,33 @@ func TestGitRepositoryReconciler_reconcileSource_authStrategy(t *testing.T) {
 				*conditions.UnknownCondition(meta.ReadyCondition, meta.ProgressingReason, "building artifact: new upstream revision 'master@sha1:<commit>'"),
 			},
 		},
+		{
+			name:     "HTTPS with TLS certs authentication with WAF Reconciling=True",
+			protocol: "https",
+			server: options{
+				publicKey:  tlsPublicKey,
+				privateKey: tlsPrivateKey,
+				ca:         tlsCA,
+			},
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "waf-authentication",
+				},
+				Data: map[string][]byte{
+					"certFile": clientPublicKey,
+					"keyFile":  clientPrivateKey,
+					"caFile":   tlsCA,
+				},
+			},
+			beforeFunc: func(obj *sourcev1.GitRepository) {
+				obj.Spec.SecretRef = &meta.LocalObjectReference{Name: "waf-authentication"}
+			},
+			want: sreconcile.ResultSuccess,
+			assertConditions: []metav1.Condition{
+				*conditions.TrueCondition(meta.ReconcilingCondition, meta.ProgressingReason, "building artifact: new upstream revision 'master@sha1:<commit>'"),
+				*conditions.UnknownCondition(meta.ReadyCondition, meta.ProgressingReason, "building artifact: new upstream revision 'master@sha1:<commit>'"),
+			},
+		},
 	}
 
 	for _, tt := range tests {