
Implement RFC-007: Passwordless authentication for Git repositories for all providers and controllers

Open dipti-pai opened this issue 1 year ago • 6 comments

This issue tracks the implementation of RFC-007: Passwordless authentication for Git repositories

Work items

Implement pkg changes

  • [x] Implement azure auth pkg to obtain workload identity credentials to access ADO - https://github.com/fluxcd/pkg/pull/789
  • [x] Implement GitHub provider to read the provided secret and get the gh app installation token - https://github.com/fluxcd/pkg/pull/818
  • [ ] Implement GitLab provider to read the provided secret and get the access token
  • [ ] Implement gcp auth pkg to fetch the access token to access CSR
  • [x] Implement caching of git credentials to avoid fetching the credentials from provider repeatedly

Controller changes

  • [x] Add .spec.provider to GitRepository API - https://github.com/fluxcd/source-controller/pull/1591
  • [x] Implement source-controller changes to use the azure provider to authenticate to git - https://github.com/fluxcd/source-controller/pull/1591
  • [x] Implement IAC changes to use the azure provider to authenticate to git - https://github.com/fluxcd/image-automation-controller/pull/747
  • [x] Implement source-controller changes to use the github provider to authenticate to git - https://github.com/fluxcd/source-controller/pull/1647
  • [x] Implement IAC changes to use the github provider to authenticate to git - https://github.com/fluxcd/image-automation-controller/pull/780

CLI changes

  • [x] Add --provider flag to flux create source git - https://github.com/fluxcd/flux2/pull/4986
  • [x] Implement flux create secret githubapp - https://github.com/fluxcd/flux2/pull/5103

Integration tests

  • [x] Add terraform module for provisioning AzureDevOps project and repository in organization - https://github.com/fluxcd/test-infra/pull/44
  • [x] Add end-to-end test for Azure that provisions the required cloud infrastructure (AKS cluster, workload identity) and Azure DevOps repository and validates cloning a git repository with cloud provider credentials - https://github.com/fluxcd/pkg/pull/793

Code of Conduct

  • [X] I agree to follow this project's Code of Conduct

dipti-pai avatar Jun 13 '24 21:06 dipti-pai

When we have issues to "Implement RFC-###" it would be helpful to put the RFC title in the issue title: "Implement RFC-007 Passwordless authentication for Git repositories"

If you want to put something else in, as you did here, we should at least put it in that first line, so instead of "This issue tracks the implementation of RFC-007" ... you'd save most people a click if it said "This issue tracks the implementation of RFC-007 Passwordless authentication for Git repositories"

Jaykul avatar Jul 09 '24 15:07 Jaykul

I have removed CodeCommit as this service has been shutdown by AWS.

stefanprodan avatar Oct 09 '24 12:10 stefanprodan

Sorry to bother guys, I've just created a request about kinda this topic as I was redirected from the documentation directly to the issue template creation.

But wouldn't an OIDC/OAuth2 standard implementation belong in this as a method for Git authentication against IaC for gitea/gitlab/forgejo/others too?

ArKam avatar Oct 25 '24 21:10 ArKam

Hello! The issue states "for all controllers", but does this include the notification-controller? I'm trying to use the GithubDispatch provider in my company, but since it allows only a PAT token, it's a bit complicated to negotiate with the security team.

qzmiro avatar Nov 29 '24 15:11 qzmiro

@qzmiro I agree that notification-controller should work with GitHub App auth for commit status updates and workflow dispatch. Can you please open an issue in NC repo for these two?

stefanprodan avatar Dec 02 '24 09:12 stefanprodan

@dipti-pai Are there any items left from this issue? I marked caching as done, and I suppose GCP is no longer in the scope of this issue, so maybe only GitLab is left?

matheuscscp avatar Jun 13 '25 13:06 matheuscscp