Add option to specify Git credentials for private Git repositories

creydr · creydr · commit acec1dd227c0 · 2026-01-13T17:32:02.000+01:00
diff --git a/README.md b/README.md
@@ -46,6 +46,8 @@ metadata:
 spec:
   source:
     repositoryUrl: https://github.com/your-org/your-function.git
+    authSecretRef:
+      name: git-credentials
   registry:
     path: quay.io/your-username/my-function
     authSecretRef:
@@ -83,6 +85,48 @@ kubectl create secret docker-registry registry-credentials \
   --docker-email=<email>
 ```
 
+### Git Authentication
+
+For private Git repositories, create a secret with the Git credentials:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: git-credentials
+  namespace: default
+data:
+  token: <base64-encoded-access-token>
+```
+
+or 
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: git-credentials
+  namespace: default
+data:
+  username: <base64-encoded-username>
+  password: <base64-encoded-password>
+```
+
+Then reference it in the Function under `.spec.source.authSecretRef.name`
+
+```yaml
+apiVersion: functions.dev/v1alpha1
+kind: Function
+metadata:
+  name: my-function
+  namespace: default
+spec:
+  source:
+    repositoryUrl: https://github.com/your-org/your-function.git
+    authSecretRef:
+      name: git-credentials
+```
+
 ### Check Function Status
 
 View the status of your function:
@@ -169,12 +213,13 @@ make lint
 
 ### Function Spec
 
-| Field | Type | Required | Description |
-|-------|------|----------|-------------|
-| `source.repositoryUrl` | string | Yes | Git repository URL containing the function source code |
-| `registry.path` | string | Yes | Container registry path for the function image |
-| `registry.insecure` | boolean | No | Allow insecure registry connections |
-| `registry.authSecretRef` | object | No | Reference to registry authentication secret |
+| Field                    | Type    | Required | Description                                            |
+|--------------------------|---------|----------|--------------------------------------------------------|
+| `source.repositoryUrl`   | string  | Yes      | Git repository URL containing the function source code |
+| `source.authSecretRef`   | object  | No       | Reference to Git repository authentication secret      |
+| `registry.path`          | string  | Yes      | Container registry path for the function image         |
+| `registry.insecure`      | boolean | No       | Allow insecure registry connections                    |
+| `registry.authSecretRef` | object  | No       | Reference to registry authentication secret            |
 
 ### Function Status
 
diff --git a/api/v1alpha1/function_types.go b/api/v1alpha1/function_types.go
@@ -46,6 +46,8 @@ type FunctionSpecSource struct {
 
 	// +kubebuilder:validation:Optional
 	Reference string `json:"reference"`
+
+	AuthSecretRef *v1.LocalObjectReference `json:"authSecretRef,omitempty"`
 }
 
 type FunctionSpecRegistry struct {
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/functions.dev_functions.yaml b/config/crd/bases/functions.dev_functions.yaml
@@ -67,6 +67,22 @@ spec:
                 type: object
               source:
                 properties:
+                  authSecretRef:
+                    description: |-
+                      LocalObjectReference contains enough information to let you locate the
+                      referenced object inside the same namespace.
+                    properties:
+                      name:
+                        default: ""
+                        description: |-
+                          Name of the referent.
+                          This field is effectively required, but due to backwards compatibility is
+                          allowed to be empty. Instances of this type with an empty value here are
+                          almost certainly wrong.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                    type: object
+                    x-kubernetes-map-type: atomic
                   reference:
                     type: string
                   repositoryUrl:
diff --git a/internal/controller/function_controller.go b/internal/controller/function_controller.go
@@ -90,7 +90,15 @@ func (r *FunctionReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 	if function.Spec.Source.Reference != "" {
 		branchReference = function.Spec.Source.Reference
 	}
-	repo, err := r.GitManager.CloneRepository(ctx, function.Spec.Source.RepositoryURL, branchReference)
+
+	gitAuthSecret := v1.Secret{}
+	if function.Spec.Source.AuthSecretRef != nil {
+		if err := r.Get(ctx, types.NamespacedName{Namespace: req.Namespace, Name: function.Spec.Source.AuthSecretRef.Name}, &gitAuthSecret); err != nil {
+			return ctrl.Result{}, err
+		}
+	}
+
+	repo, err := r.GitManager.CloneRepository(ctx, function.Spec.Source.RepositoryURL, branchReference, gitAuthSecret.Data)
 	if err != nil {
 		return ctrl.Result{}, fmt.Errorf("failed to setup git repository: %w", err)
 	}
diff --git a/internal/controller/function_controller_test.go b/internal/controller/function_controller_test.go
@@ -128,7 +128,7 @@ var _ = Describe("Function Controller", func() {
 						Builder:  "s2i",
 					}).Return(nil)
 
-					gitMock.EXPECT().CloneRepository(mock.Anything, "https://github.com/foo/bar", "my-branch").Return(createTmpGitRepo(functions.Function{Name: "func-go"}), nil)
+					gitMock.EXPECT().CloneRepository(mock.Anything, "https://github.com/foo/bar", "my-branch", mock.Anything).Return(createTmpGitRepo(functions.Function{Name: "func-go"}), nil)
 				},
 			}),
 			Entry("should skip deploy when middleware already up to date", reconcileTestCase{
@@ -142,7 +142,7 @@ var _ = Describe("Function Controller", func() {
 					funcMock.EXPECT().GetLatestMiddlewareVersion(mock.Anything, mock.Anything, mock.Anything).Return("v1.0.0", nil)
 					funcMock.EXPECT().GetMiddlewareVersion(mock.Anything, functionName, resourceNamespace).Return("v1.0.0", nil)
 
-					gitMock.EXPECT().CloneRepository(mock.Anything, "https://github.com/foo/bar", "my-branch").Return(createTmpGitRepo(functions.Function{Name: "func-go"}), nil)
+					gitMock.EXPECT().CloneRepository(mock.Anything, "https://github.com/foo/bar", "my-branch", mock.Anything).Return(createTmpGitRepo(functions.Function{Name: "func-go"}), nil)
 				},
 			}),
 			Entry("should use main as default branch", reconcileTestCase{
@@ -163,7 +163,7 @@ var _ = Describe("Function Controller", func() {
 					funcMock.EXPECT().GetLatestMiddlewareVersion(mock.Anything, mock.Anything, mock.Anything).Return("v1.0.0", nil)
 					funcMock.EXPECT().GetMiddlewareVersion(mock.Anything, functionName, resourceNamespace).Return("v1.0.0", nil)
 
-					gitMock.EXPECT().CloneRepository(mock.Anything, "https://github.com/foo/bar", "main").Return(createTmpGitRepo(functions.Function{Name: "func-go"}), nil)
+					gitMock.EXPECT().CloneRepository(mock.Anything, "https://github.com/foo/bar", "main", mock.Anything).Return(createTmpGitRepo(functions.Function{Name: "func-go"}), nil)
 				},
 			}),
 		)
diff --git a/internal/git/Manager_mock.go b/internal/git/Manager_mock.go
diff --git a/internal/git/manager.go b/internal/git/manager.go
@@ -10,6 +10,8 @@ import (
 	"github.com/creydr/func-operator/internal/monitoring"
 	"github.com/go-git/go-git/v6"
 	"github.com/go-git/go-git/v6/plumbing"
+	"github.com/go-git/go-git/v6/plumbing/transport"
+	"github.com/go-git/go-git/v6/plumbing/transport/http"
 	"github.com/prometheus/client_golang/prometheus"
 )
 
@@ -18,7 +20,7 @@ const (
 )
 
 type Manager interface {
-	CloneRepository(ctx context.Context, url, reference string) (*Repository, error)
+	CloneRepository(ctx context.Context, url, reference string, auth map[string][]byte) (*Repository, error)
 }
 
 func NewManager() Manager {
@@ -27,7 +29,7 @@ func NewManager() Manager {
 
 type managerImpl struct{}
 
-func (*managerImpl) CloneRepository(ctx context.Context, repoUrl, reference string) (*Repository, error) {
+func (m *managerImpl) CloneRepository(ctx context.Context, repoUrl, reference string, auth map[string][]byte) (*Repository, error) {
 	timer := prometheus.NewTimer(monitoring.GitCloneDuration)
 	defer timer.ObserveDuration()
 
@@ -47,6 +49,7 @@ func (*managerImpl) CloneRepository(ctx context.Context, repoUrl, reference stri
 		ReferenceName: plumbing.ReferenceName(reference),
 		SingleBranch:  true,
 		Depth:         1,
+		Auth:          m.getAuth(auth),
 	})
 	if err != nil {
 		return nil, fmt.Errorf("failed to clone repo: %w", err)
@@ -56,3 +59,23 @@ func (*managerImpl) CloneRepository(ctx context.Context, repoUrl, reference stri
 		CloneDir: targetDir,
 	}, nil
 }
+
+func (m *managerImpl) getAuth(authSecret map[string][]byte) transport.AuthMethod {
+	if len(authSecret) == 0 {
+		return nil
+	} else if token, ok := authSecret["token"]; ok {
+		return &http.BasicAuth{
+			Username: "empty", // can be anything except an empty string
+			Password: string(token),
+		}
+	} else if username, ok := authSecret["username"]; ok {
+		if password, ok := authSecret["password"]; ok {
+			return &http.BasicAuth{
+				Username: string(username),
+				Password: string(password),
+			}
+		}
+		return nil
+	} // add other auth methods when needed
+	return nil
+}

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,8 @@ type FunctionSpecSource struct {`
`46`	`46`
`47`	`47`	`// +kubebuilder:validation:Optional`
`48`	`48`	Reference string `json:"reference"`
	`49`	`+`
	`50`	+ AuthSecretRef *v1.LocalObjectReference `json:"authSecretRef,omitempty"`
`49`	`51`	`}`
`50`	`52`
`51`	`53`	`type FunctionSpecRegistry struct {`