feat(deploy): P3 — source=git (pull-by-URL build), flag-gated OFF #222
Merged
POST /deploy/new with source=git + git_url (+ optional git_ref, git_token) points Kaniko at the repo via its native git context — no tarball upload, so projects over the 10 MB cap can ship from a repo URL. Gated by DEPLOY_SOURCE_GIT_ENABLED (default false) → source=git returns 501 until an operator canary; tarball/image deploys unaffected.

- config: DeploySourceGitEnabled flag (+ true/off/default tests, allKeys).
- migration 065: deployments.git_url/git_ref/git_token_enc (additive; the 064 source CHECK already permits 'git'). Mirrored in the testhelpers DDL + all three hardcoded deployment-row mock column lists.
- model: GitURL/GitRef/GitTokenEnc on Deployment + CreateDeploymentParams + deploymentColumns + scan + INSERT.
- handler: source=git case (flag-gate 501 source_git_disabled, validateGitURL, git_ref, git_token encrypt); deploymentToMap echoes git_url/git_ref + git_token_set (token never echoed); applyGitSourceOpts in runDeploy. encryptRegistryCreds generalised to encryptDeploySecret (shared by both). agent_action entries for source_git_disabled + invalid_git_url.
- compute: createKanikoJob gains a git-context mode (no build-context volume, GIT_USERNAME/GIT_PASSWORD from a short-lived git-auth Secret); buildImageFromGit mirrors buildImage's namespace/NP/registry-auth prep; Deploy gains a git branch (source switch). DeployOptions += GitURL/GitRef/GitAuth.

SSRF hardening (security review): validateGitURL now rejects a git_url whose host is — or resolves to — loopback / RFC1918 / link-local (incl. the 169.254.169.254 metadata endpoint) / unspecified (DNS injectable for tests, fail-closed on resolution failure). Defense-in-depth: the build-pod egress NetworkPolicy now excepts RFC1918 + loopback (metadata/link-local already blocked), so a DNS-rebind or future validator bypass still can't reach internal services. http(s)-only, no embedded credentials.

Coverage: config/model/handler/k8s git paths + all error arms covered (fake-clientset reactors for the compute branches; injectable DNS for the SSRF screen). Contract sync (openapi/llms/MCP) deferred to flag-on, as with P2.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
TestDeployNew_InvalidSource_400 used source="git" as its "unrecognised" example, but P3 made git a valid (flag-gated) case — so it hit the 501 source_git_disabled arm instead of the 400 invalid_source default, both breaking the assertion and leaving the default branch (deploy.go:919) uncovered. Switch the example to "svn" so it exercises the real default → invalid_source path.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
TestDeployNew_SourceImage_FlagOn_Accepted flaked on the 5s poll for the async runDeploy goroutine to stamp the row healthy — the goroutine's DB writes can run past 5s under `-race -p 1` with the full suite loaded. Bump both the image and git happy-path polls to a 30s ceiling (still early-breaks the instant the provider id appears, so normal runs are unaffected).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
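
The SSRF screen described in the first commit message (http(s)-only, no embedded credentials, reject hosts that are or resolve to loopback / RFC1918 / link-local / unspecified, fail closed on resolution failure), sketched as an added Go example. It is not the PR's validateGitURL; `checkGitURL`, `blocked`, `stubDNS` and the sample hostnames and addresses are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// blocked covers loopback, RFC1918 (plus IPv6 ULA), link-local (incl. 169.254.169.254), unspecified.
func blocked(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified()
}

// checkGitURL is an illustrative screen, not the project's validateGitURL.
// lookup is injectable so tests can pin DNS answers.
func checkGitURL(raw string, lookup func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.User != nil {
		return errors.New("git_url must be http(s) without embedded credentials")
	}
	ips := []net.IP{net.ParseIP(u.Hostname())}
	if ips[0] == nil { // not an IP literal, so resolve; any failure rejects
		if ips, err = lookup(u.Hostname()); err != nil || len(ips) == 0 {
			return errors.New("git_url host did not resolve (fail closed)")
		}
	}
	for _, ip := range ips {
		if blocked(ip) {
			return fmt.Errorf("git_url host maps to blocked address %s", ip)
		}
	}
	return nil
}

// stubDNS holds constructed answers; any other name fails to resolve.
func stubDNS(host string) ([]net.IP, error) {
	answers := map[string]string{"git.example.com": "203.0.113.10", "rebind.example.net": "10.0.0.5"}
	if a, ok := answers[host]; ok {
		return []net.IP{net.ParseIP(a)}, nil
	}
	return nil, errors.New("no such host")
}

func main() {
	for _, s := range []string{"https://git.example.com/o/r.git", "https://rebind.example.net/r.git"} {
		fmt.Println(s, "->", checkGitURL(s, stubDNS))
	}
}
```

Because the build pod resolves the name again when it clones, a submit-time check like this cannot rule out DNS rebinding on its own, which is why the commit message pairs it with the egress NetworkPolicy.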