Fix repo rename (#39)

* Fix go imports

* Remove legacy secrets

* Renmae ci and chart names

* Fix logger na dmetrics prefix

* Update docs

Author: phillebaba

.github/workflows/publish.yaml

@@ -3,7 +3,7 @@ on:
   release:
     types: [published]
 env:
-  NAME: "azdo-proxy"
+  NAME: "git-auth-proxy"
 jobs:
   helm:
     runs-on: ubuntu-latest

Dockerfile

@@ -2,10 +2,10 @@ FROM golang:1.17 as builder
 RUN mkdir /build
 ADD . /build/
 WORKDIR /build
-RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -ldflags '-extldflags "-static"' -o azdo-proxy .
+RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -ldflags '-extldflags "-static"' -o git-auth-proxy .
 
 FROM gcr.io/distroless/static:nonroot
-COPY --from=builder /build/azdo-proxy /app/
+COPY --from=builder /build/git-auth-proxy /app/
 WORKDIR /app
 USER nonroot:nonroot
-ENTRYPOINT ["./azdo-proxy"]
+ENTRYPOINT ["./git-auth-proxy"]

Makefile

@@ -1,5 +1,5 @@
 TAG = $$(git rev-parse --short HEAD)
-IMG ?= ghcr.io/xenitab/azdo-proxy:$(TAG)
+IMG ?= ghcr.io/xenitab/git-auth-proxy:$(TAG)
 
 assets:
 	draw.io -b 10 -x -f png -p 0 -o assets/architecture.png assets/diagram.drawio

README.md

@@ -1,38 +1,40 @@
-# Azure DevOps Proxy
+# Git Auth Proxy
 
-[![Go Report Card](https://goreportcard.com/badge/github.com/XenitAB/azdo-proxy)](https://goreportcard.com/report/github.com/XenitAB/azdo-proxy)
-[![Docker Repository on Quay](https://quay.io/repository/xenitab/azdo-proxy/status "Docker Repository on Quay")](https://quay.io/repository/xenitab/azdo-proxy)
+[![Go Report Card](https://goreportcard.com/badge/github.com/XenitAB/git-auth-proxy)](https://goreportcard.com/report/github.com/XenitAB/git-auth-proxy)
 
-Proxy to allow sharing of a Azure DevOps Personal Access Token in a Kubernetes cluster.
+Proxy to allow multi tenant sharing of GitHub and Azure DevOps credentials in Kubernetes.
 
-Azure DevOps allows the use of Personal Access Tokens (PAT) to authenticate access to both its
-API and Git repositories. Sadly it does not provide an API to create new PAT, making the process
-of automation cumbersome if multiple tokens are needed with limited scopes.
+Most Git providers offer mutliple ways of authenticating when cloning repositories and communicating with their API. These authentication methods are usually tied to a specific user and in the best
+case offer the ability to scope the permissions. The lack of organization API keys leads to solutions like GitHubs soltution to [create a machine user](https://docs.github.com/en/developers/overview/managing-deploy-keys#machine-users)
+that has limited permissions. The need for machine user accounts is especially important for GitOps deployment flows with projects like [Flux](https://docs.github.com/en/developers/overview/managing-deploy-keys#machine-users)
+and [ArgoCD](https://github.com/argoproj/argo-cd). These tools need an authentication method that supports accessing multiple repositories, without sharing the global credentials with all users.
 
 <p align="center">
   <img src="./assets/architecture.png">
 </p>
 
-Azure DevOps Proxy (azdo-proxy) is an attempt to solve this issue by enabling a single PAT
-to be shared by many applications, while at the same time limiting access for each application.
-Tokens are generated automatically and written as a Kubernetes secrets to one or multiple namespaces,
-the application just needs to mount the secret and use it when communicating with the proxy.
-Requests are sent to azdo-proxy together with a token, which gives access to a specific repository.
-The request is checked and if allowed forwarded to Azure DevOps with the PAT appended to the request.
+Git Auth Proxy attemps to solve this problem by implementing its own authentication and authorization layer inbetween the client and the Git provider. It works by generating static tokens that are
+specific to a Git repository. These tokens are then written to a Kubernetes secret in the Kubernetes namespaces which should have access to the repositories. When a repository is cloned through the
+proxy, the token will be checked agains the repository cloned, and if valid it will be replaced with the correct credentials. The request will be denied if a token is used to clone any other
+repository which is does not have access to.
 
 ## How To
 
-Start off by [creating a new PAT](https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=preview-page) as it has to be given to the proxy.
+The proxy reads its configuration from a JSON file. It contains a list of repositories that can be accessed through the proxy and the Kubernetes namespaces which should receive a Secret.
+
+When using Azure DevOps a [PAT](https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=preview-page) has to be
+configured for Git Auth Proxy to append to authorized requests.
 
-The proxy reads its configuration from a JSON file. The file will contain the PAT used to authenticate
-requests with, the Azure DevOps organization, and a list of repositories that can be accessed through
-the froxy from the specified namespaces.
 ```json
 {
   "organizations": [
     {
+      "provider": "azuredevops",
+      "azuredevops": {
+        "pat": "<PAT>"
+      },
+      "host": "dev.azure.com",
       "name": "xenitab",
-      "pat": "foobar",
       "repositories": [
         {
           "name": "fleet-infra",
@@ -48,42 +50,81 @@ the froxy from the specified namespaces.
 }
 ```
 
+When using GitHub a [GitHub Application](https://docs.github.com/en/developers/apps) has to be created and installed. The PEM key needs to be extracted and passed as a base64 endoded string in the
+configuration file. Note that the project field is not required when using GitHub as projects do not exists in GitHub.
+
+```json
+{
+  "organizations": [
+    {
+      "provider": "github",
+      "github": {
+        "appID": 123,
+        "installationID: 123,
+        "privateKey: "<BASE64>"
+      },
+      "host": "github.com",
+      "name": "xenitab",
+      "repositories": [
+        {
+          "name": "fleet-infra",
+          "namespaces": [
+            "foo",
+            "bar"
+          ]
+        }
+      ]
+    }
+  ]
+}
+```
+
 Add the Helm repository and install the chart, be sure to set the config content.
+
 ```shell
-helm repo add https://xenitab.github.io/azdo-proxy/
-helm install azdo-proxy --set config=<config>
+helm repo add https://xenitab.github.io/git-auth-proxy/
+helm install git-auth-proxy --set config=<config>
 ```
 
-There should now be a azdo-proxy Pod and Service in the cluster, ready to proxy traffic.
+There should now be a `git-auth-proxy` Deployment and Service in the cluster, ready to proxy traffic.
 
 ### Git
 
-Cloning a repository through the proxy is not too different from doing so directly from Azure DevOps.
-The only limitation is that it is not possible to clone through ssh, as azdo-proxy only proxies HTTP traffic.
-To clone the repository `repo-1` [get the clone URL from the repository page](https://docs.microsoft.com/en-us/azure/devops/repos/git/clone?view=azure-devops&tabs=visual-studio#get-the-clone-url-to-your-repo).
-Then replace the host part of the URL with `azdo-proxy` and add the token as a basic auth parameter. The result should be similar to below.
+Cloning a repository through the proxy is not too different from doing so directly from GitHub or Azure DevOps. The only limitation is that it is not possible to clone through ssh, as Git Auth Proxy
+only proxies HTTP traffic. To clone the repository `repo-1` [get the clone URL from the repository page](https://docs.microsoft.com/en-us/azure/devops/repos/git/clone?view=azure-devops&tabs=visual-studio#get-the-clone-url-to-your-repo).
+Then replace the host part of the URL with `git-auth-proxy` and add the token as a basic auth parameter. The result should be similar to below.
+
 ```shell
-git clone http://<token-1>@azdo-proxy/org/proj/_git/repo-1
+git clone http://<token-1>@git-auth-proxy/org/proj/_git/repo-1
 ```
 
 ### API
 
-Authenticated API calls can also be done through the proxy. Currently only repository specific
-requests will be permitted. This may change in future releases. As an example execute the
-following command to list all pull requests in the repository `repo-1`.
+API calls can also be done through the proxy. Currently only repository specific requests will be permitted as authorization is done per repository. This may change in future releases.
+
+#### GitHub
+
+The proxy assumes that the requests sent to it are in a GitHub enterprise format due to the way GitHub clients behave when configured with a host that is not `github.com`. The main difference between
+GitHub Enterprise and non GitHub Enterprise is the API format. The GitHub Enterprise API expects all requests to the API to have the prefix `/api/v3/` while non GitHub Enterprise API requests are sent
+to the host `api.github.com`.
+
+#### Azure DevOps
+
+Execute the following command to list all pull requests in the repository `repo-1` using the local token to authenticate to the proxy.
+
 ```shell
-curl http://<token-1>@azdo-proxy/org/proj/_apis/git/repositories/repo-1/pullrequests?api-version=5.1
+curl http://<token-1>@git-auth-proxy/org/proj/_apis/git/repositories/repo-1/pullrequests?api-version=5.1
 ```
 
 > :warning: **If you intend on using a language specific API**: Please read this!
 
 Some APIs built by Microsoft, like [azure-devops-go-api](https://github.com/microsoft/azure-devops-go-api), will make a request to the [Resource Areas API](https://docs.microsoft.com/en-us/azure/devops/extend/develop/work-with-urls?view=azure-devops&tabs=http#how-to-get-an-organizations-url)
-which returns a list of location URLs for a specific organization. They will then use those URLs
-when making additional requests, skipping the proxy. To avoid this you need to explicitly create
-your client instead of allowing it to be created automatically.
+which returns a list of location URLs for a specific organization. They will then use those URLs when making additional requests, skipping the proxy. To avoid this you need to explicitly create your
+client instead of allowing it to be created automatically.
 
 In the case of Go you should create a client in the following way.
-```golang
+
+```go
 package main
 
 import (
@@ -92,16 +133,17 @@ import (
 )
 
 func main() {
-  connection := azuredevops.NewAnonymousConnection("http://azdo-proxy")
-  client := connection.GetClientByUrl("http://azdo-proxy")
+  connection := azuredevops.NewAnonymousConnection("http://git-auth-proxy")
+  client := connection.GetClientByUrl("http://git-auth-proxy")
   gitClient := &git.ClientImpl{
     Client: *client,
   }
 }
 ```
 
 Instead of the cleaner solution which would ignore the proxy.
-```golang
+
+```go
 package main
 
 import (
@@ -112,7 +154,7 @@ import (
 )
 
 func main() {
-  connection := azuredevops.NewAnonymousConnection("http://azdo-proxy")
+  connection := azuredevops.NewAnonymousConnection("http://git-auth-proxy")
   ctx := context.Background()
   gitClient, _ := git.NewClient(ctx, connection)
 }

assets/architecture.png

@@ -1 +1 @@
-<mxfile host="Electron" modified="2020-07-09T12:44:40.518Z" agent="5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/13.3.5 Chrome/83.0.4103.119 Electron/9.0.5 Safari/537.36" etag="ny_sSromxSdBE-dT1N06" version="13.3.5" type="device"><diagram id="gbA4HWZm-8l8qiuZn7tg" name="architecture">1ZfbjpswEIafJpepOASavdyEdHtUW6VS26vKCwO4NQw1JkCevg6YAPIm3a66OVyB/xlj++OfQUzsZVLdcZLFHzAANrGMoJrY3sSyLMO15GWn1K1iWjOjVSJOA6X1wppuQYldWkEDyEeJApEJmo1FH9MUfDHSCOdYjtNCZONVMxKBJqx9wnT1Kw1E3Kq2bRh94DXQKFZLz9y5mpKQLlul5jEJsBxI9mpiLzmiaO+Saglsh68D0857dSC63xmHVDxqQvbuhhPvzdSyivLzxtu+xd9Tu33KhrBCnfjT7Re1X1F3FCCQUNQQuYgxwpSwVa8uOBZpALuVDDnqc94jZlI0pfgThKjVGyaFQCnFImEqqp9GHTDHgvtw5AidLQiPQBzJU1bcnWWwgGJ1B5iA4LVM4MCIoJuxAYjyUbTP60nLGwX7H8CbGniyDXCacaxqjf+YbhlTAeuMNFRKWXhjkiFlbIkMeTPXDgjMQ1/queD4CwYR15/DfXiM/Qa4gOoorS5qdBWhKn3W2b7sy8bstHhQMa7xTIQtjbDGleRZ2zRCWu3wDjFmSFPR7MlZTBxPKoTRKJWCLzGBZLigSdM9FiGmQhnbtHrdo0kkd87o/W7/uU9AXm+3BYcfHmw+ZvmLfBP9L/y2M8K/b1AD/M4D9J3nov9Soy+k+9LO9wfN/YTWIbHx+pua3wy+DyNeNQx5tRo9veHMHtlwzItqODO94WTZX1/HJfaa+Wzcapz5uVvN/IDZ9Y4z/JKmmJ750+lcpZOdB52ss758J2tfzfNb+eaAle2TWHnfys3TtHL3KgvAfbAA9Dd0BQVguqcrADns/7aa2OCv1V79AQ==</diagram></mxfile>
+<mxfile host="Electron" modified="2021-10-07T12:52:09.415Z" agent="5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/15.4.0 Chrome/89.0.4389.128 Electron/12.2.1 Safari/537.36" etag="MLVpu5QK5Lus0AjYw-5j" version="15.4.0" type="device"><diagram id="gbA4HWZm-8l8qiuZn7tg" name="architecture">3VjbdqIwFP0aH3VxEWsfvfTeWdNOZ622T7MiRMhM4DAhKPr1k0gQmKC2U6vt+CLZOYFk73M2IS17FGYXDMXBF/AwbVmGl7XsccsSP8MQfxJZ5IjTN3PAZ8TLoQrwQJZYgWqcnxIPJ7VADkA5ieugC1GEXV7DEGMwr4dNgdafGiMfa8CDi6iOPhKPBzlq28W6ZMclJn6gHt3tFQsMURGtQpMAeTCvQPZZyx4xAJ5fhdkIU8leQUw+7nxD73pmDEf8RQPim1OGxldty0rn97Px8hp+t+38LjNEU7Xiu8F3NV++KFjAniBFNYHxAHyIED0r0SGDNPKwfJIhWmXMLUAsQFOAPzHnC6UwSjkIKOAhVb36atQCE0iZi7csoUgLxHzMt8RZeZxcS+UBiqsLDCHmbCECGKaIk1k9AZDKI38dVzItLhTZzcQ/mRfZjX91Epn8/vb5ks+/ZVG7qxF//agT/2ZacUb4kxzeOXFU81ndTV6Ps2pjoRqNRO1NnEY6DqXFtklWtPAJbwsyg3bMIFvskGUeEI4fYrQiYi58sC7BlFA6AgpsNdb2EO5PXYEnnMEvXOnpuX08mW6rhRlmHGdbs7foNQqHUsbbLWxoXtqYWWBBxcF6xjuxbGksf8MxCMTS+EVJnJv5lGSS5iqdMZCIr+bmDFvOWCCIEj8SgCvowoLLIQlXrj6cQsRVZZhWiY9J6IsVUDKR60hchMX/YJky/GOMZ1/jpJPMfBFO0QTTO0gIJ1C7v5SBiHfE7V8BXBblunegpjUBziHcl6y2U5PV6uuyOg2qOu+l6ommKhdZHRU1tVcvi8SEnwrDko3nak/pZatW3cz+xbu6L3yxmMd6sWybdUUQFMc75fiIHtbv1i3Macj1w1pYf0Oy6w5W3TFFEB15i+R8ykx2GjNZ5/rjZ7L2Nj5+Kp9uSGX7IKm8tnLzMFbe+5QF0GssAF2hT1AAZu+IBbD5i6NpO6rz66EkKLM95ZREgqjiwMGo86vtRve9jUwCFMuJhZkvz1w6czyhovySjvhoCdKJnIK2fQZGlmIzjOqvEk2/BpVfLukht6KNiurlsussY+92ZnQsp+poxg5Hw5E3kKdU5VwEck7kulf9iXAsXkS4FCUJcQtYhZVyvvaDvZFE+zVOeazDE/3UStWuvs39nz8l31S/p+bBylc0y2POVV/ltNg++wM=</diagram></mxfile>

assets/diagram.drawio

@@ -1,6 +1,6 @@
 apiVersion: v2
-name: azdo-proxy
-description: A Helm chart for azdo-proxy
+name: git-auth-proxy
+description: A Helm chart for git-auth-proxy
 type: application
 version: v0.4.1
 appVersion: v0.4.1

charts/azdo-proxy/.helmignore renamed to charts/git-auth-proxy/.helmignore

@@ -2,7 +2,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "azdo-proxy.name" -}}
+{{- define "git-auth-proxy.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
@@ -11,7 +11,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "azdo-proxy.fullname" -}}
+{{- define "git-auth-proxy.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
@@ -27,16 +27,16 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "azdo-proxy.chart" -}}
+{{- define "git-auth-proxy.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{/*
 Common labels
 */}}
-{{- define "azdo-proxy.labels" -}}
-helm.sh/chart: {{ include "azdo-proxy.chart" . }}
-{{ include "azdo-proxy.selectorLabels" . }}
+{{- define "git-auth-proxy.labels" -}}
+helm.sh/chart: {{ include "git-auth-proxy.chart" . }}
+{{ include "git-auth-proxy.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
@@ -46,7 +46,7 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 Selector labels
 */}}
-{{- define "azdo-proxy.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "azdo-proxy.name" . }}
+{{- define "git-auth-proxy.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "git-auth-proxy.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}

charts/azdo-proxy/Chart.yaml renamed to charts/git-auth-proxy/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ include "azdo-proxy.fullname" . }}
+  name: {{ include "git-auth-proxy.fullname" . }}
   labels:
-    {{- include "azdo-proxy.labels" . | nindent 4 }}
+    {{- include "git-auth-proxy.labels" . | nindent 4 }}
 data:
   config.json: {{ required "Config has to be set." .Values.config | quote }}

charts/azdo-proxy/templates/_helpers.tpl renamed to charts/git-auth-proxy/templates/_helpers.tpl

@@ -1,16 +1,16 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "azdo-proxy.fullname" . }}
+  name: {{ include "git-auth-proxy.fullname" . }}
   labels:
-    {{- include "azdo-proxy.labels" . | nindent 4 }}
+    {{- include "git-auth-proxy.labels" . | nindent 4 }}
 spec:
   replicas: {{ .Values.replicaCount }}
   strategy:
     type: Recreate
   selector:
     matchLabels:
-      {{- include "azdo-proxy.selectorLabels" . | nindent 6 }}
+      {{- include "git-auth-proxy.selectorLabels" . | nindent 6 }}
   template:
     metadata:
       annotations:
@@ -19,9 +19,9 @@ spec:
         {{- toYaml . | nindent 8 }}
     {{- end }}
       labels:
-        {{- include "azdo-proxy.selectorLabels" . | nindent 8 }}
+        {{- include "git-auth-proxy.selectorLabels" . | nindent 8 }}
     spec:
-      serviceAccountName: {{ include "azdo-proxy.fullname" . }}
+      serviceAccountName: {{ include "git-auth-proxy.fullname" . }}
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -62,7 +62,7 @@ spec:
       volumes:
         - name: config
           configMap:
-            name: {{ include "azdo-proxy.fullname" . }}
+            name: {{ include "git-auth-proxy.fullname" . }}
       {{- if .Values.priorityClassName }}
       priorityClassName: {{ .Values.priorityClassName }}
       {{- end }}

charts/azdo-proxy/templates/configmap.yaml renamed to charts/git-auth-proxy/templates/configmap.yaml

@@ -2,13 +2,13 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: {{ include "azdo-proxy.fullname" . }}
+  name: {{ include "git-auth-proxy.fullname" . }}
   labels:
-    {{- include "azdo-proxy.labels" . | nindent 4 }}
+    {{- include "git-auth-proxy.labels" . | nindent 4 }}
 spec:
   podSelector:
     matchLabels:
-      {{- include "azdo-proxy.selectorLabels" . | nindent 8 }}
+      {{- include "git-auth-proxy.selectorLabels" . | nindent 8 }}
   policyTypes:
     - Ingress
     - Egress

charts/azdo-proxy/templates/deployment.yaml renamed to charts/git-auth-proxy/templates/deployment.yaml

@@ -1,16 +1,16 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "azdo-proxy.fullname" . }}
+  name: {{ include "git-auth-proxy.fullname" . }}
   labels:
-    {{- include "azdo-proxy.labels" . | nindent 4 }}
+    {{- include "git-auth-proxy.labels" . | nindent 4 }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ include "azdo-proxy.fullname" . }}
+  name: {{ include "git-auth-proxy.fullname" . }}
   labels:
-    {{- include "azdo-proxy.labels" . | nindent 4 }}
+    {{- include "git-auth-proxy.labels" . | nindent 4 }}
 rules:
 - apiGroups: [""]
   resources: ["secrets"]
@@ -19,15 +19,15 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ include "azdo-proxy.fullname" . }}
+  name: {{ include "git-auth-proxy.fullname" . }}
   labels:
-    {{- include "azdo-proxy.labels" . | nindent 4 }}
+    {{- include "git-auth-proxy.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ include "azdo-proxy.fullname" . }}
+  name: {{ include "git-auth-proxy.fullname" . }}
 subjects:
 - apiGroup: ""
   kind: ServiceAccount
-  name: {{ include "azdo-proxy.fullname" . }}
+  name: {{ include "git-auth-proxy.fullname" . }}
   namespace: {{ .Release.Namespace }}