
Enable use of PAT token authentication for use with private git repos, for custom playbooks in robusta-runner. (Install Git Credential Manager)

Open heresandyboy opened this issue 1 year ago • 0 comments

Is your feature request related to a problem? I'd like to request support be added to safely authenticate with a git repo in Azure DevOps Repositories with Personal Access Tokens. In order for PAT authentication to work, we require Git Credential Manager to be installed in the robusta-runner container.

This is so that the token can be encrypted at rest in the container, and the credential manager handles encoding the token for use with Azure DevOps.

The solution for enabling PAT use with Azure DevOps will also enable PAT authentication for repos in Azure DevOps Server (formerly Team Foundation Server), Bitbucket, GitHub, and GitLab. It should also enable SSH keys to be encrypted at rest too.

Describe the solution you'd like It should just be a case of installing Git Credential Manager in the robusta-runner image/container and ensuring it is configured to be used as the default credential helper in the global git settings. The installation instructions below cover that, and should result in one of the following settings in the global git config (depending on installation OS).

credential.helper=manager or credential.helper=manager-core

Describe alternatives you've considered I have considered using an SSH key as described in your documentation, or a deploy key configured for read access to a single repository. While these should work ok, I'd also like the option to use PAT tokens as they are, at least for me, easier to generate, rotate and limit access for, and they don't require both a public and private key (for better or worse). Though I'm sure most of the same is true of SSH keys for others.

In order to use a PAT, you do need to ensure the PAT is encrypted at rest. PAT auth will not work without a credential helper set that encrypts the key.

I was also concerned that currently you do not encrypt the SSH keys at rest inside the robusta-runner container, as such they could be accessed in a breach or be potentially logged out to the console in unencrypted form. Using Git Cred Mgr will address that issue for you if properly configured.

Additional context Installing and configuring Git Credential Manager will enable the use of PAT tokens with a variety of git vendors, and will also allow for encryption of SSH keys at rest rather than having the keys in the file system.

We would still need to ensure that any log lines between the container reading the key and passing it to git clone, do not display the key. There is the opportunity to read the unencrypted key in the clone command before it is encrypted.

As usual we will want to advise that the key is still passed into Kubernetes securely, either by encrypting it in your CI or in a Kubernetes secret.

Installation/configuration instructions for Git Cred Mgr

https://github.com/git-ecosystem/git-credential-manager/blob/release/docs/install.md

heresandyboy · Mar 10 '23 15:03
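The two pieces the issue asks for, as an added example that is not part of the original post and not robusta's or Git Credential Manager's own code: a global gitconfig that makes GCM the default credential helper (the credential.helper=manager setting named above, plus the credential.credentialStore that GCM needs on Linux, where there is no OS keychain), and a way to hand a PAT to git clone through a credential helper so the token never appears in argv or in the clone's log output. The environment variable names GIT_PAT and GIT_PAT_USER, and the inline env-backed helper, are assumptions made for this example; they are a stand-in for what GCM does once installed, shown here so the flow can be exercised on any machine with git. The sed-based redaction assumes a PAT without sed metacharacters (Azure DevOps PATs are alphanumeric).

```shell
#!/usr/bin/env sh
# Added example, not robusta's code. Assumes: GIT_PAT (the token) and
# GIT_PAT_USER (any username; Azure DevOps ignores it for PATs) in the env.

# Write the global gitconfig a GCM install would leave behind.
# $1: path of the gitconfig (in the runner image this is /root/.gitconfig).
# credential.helper=manager selects GCM; on Linux GCM also needs
# credential.credentialStore because it has no default keychain there
# (gpg = pass-compatible GPG store, alternatives: secretservice, cache).
write_gcm_gitconfig() {
  git config --file "$1" credential.helper manager
  git config --file "$1" credential.credentialStore gpg
}

# Inline credential helper (hypothetical stand-in for GCM): git runs helpers
# whose value starts with "!" through sh, so this shell function answers
# git's "fill" request with the PAT from the environment. The token never
# goes on the command line of git clone and never lands on disk.
env_pat_helper() {
  printf '%s' '!f() { printf "username=%s\npassword=%s\n" "${GIT_PAT_USER:-pat}" "$GIT_PAT"; }; f'
}

# Ask git to resolve a credential for a host via the env-backed helper and
# print the key=value lines git would send to the remote. Global/system
# config is disabled so no other helper (or an interactive prompt) runs.
# $1: host, e.g. dev.azure.com
fill_with_env_pat() {
  printf 'protocol=https\nhost=%s\n\n' "$1" |
    GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_SYSTEM=/dev/null GIT_TERMINAL_PROMPT=0 \
    git -c "credential.helper=$(env_pat_helper)" credential fill
}

# Scrub the PAT from any log line that passes through, so the step between
# reading the secret and cloning cannot echo it to the console.
redact_pat() {
  sed "s|$GIT_PAT|***|g"
}

# Clone a private repo with the PAT supplied by the helper; all output is
# redacted before it reaches the log. $1: https clone URL, $2: destination.
clone_with_env_pat() {
  GIT_TERMINAL_PROMPT=0 git -c "credential.helper=$(env_pat_helper)" \
    clone "$1" "$2" 2>&1 | redact_pat
}
```

In the runner image only write_gcm_gitconfig is needed once GCM is installed; the env-backed helper is here so the credential flow and the log redaction can be checked without GCM, a GPG key or network access.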