{"id":22458380,"url":"https://github.com/xenitab/git-auth-proxy","last_synced_at":"2025-07-25T21:42:14.298Z","repository":{"id":41170649,"uuid":"274930575","full_name":"XenitAB/git-auth-proxy","owner":"XenitAB","description":"Proxy to allow multi tenant sharing of Git credentials.","archived":false,"fork":false,"pushed_at":"2023-06-30T08:40:11.000Z","size":553,"stargazers_count":8,"open_issues_count":13,"forks_count":2,"subscribers_count":4,"default_branch":"main","last_synced_at":"2024-12-06T02:34:19.633Z","etag":null,"topics":["azure-devops","git","github","kubernetes","xenit-kubernetes-framework"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/XenitAB.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-06-25T13:59:46.000Z","updated_at":"2024-07-31T00:48:50.000Z","dependencies_parsed_at":"2024-06-19T11:15:25.155Z","dependency_job_id":"b3865eca-557a-49a2-a498-bad52001dbda","html_url":"https://github.com/XenitAB/git-auth-proxy","commit_stats":null,"previous_names":["xenitab/azdo-proxy"],"tags_count":34,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XenitAB%2Fgit-auth-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XenitAB%2Fgit-auth-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XenitAB%2Fgit-auth-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XenitAB%2Fgit-auth-proxy/manifests","ow
ner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/XenitAB","download_url":"https://codeload.github.com/XenitAB/git-auth-proxy/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":228432514,"owners_count":17918894,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["azure-devops","git","github","kubernetes","xenit-kubernetes-framework"],"created_at":"2024-12-06T08:12:24.445Z","updated_at":"2024-12-06T08:12:25.602Z","avatar_url":"https://github.com/XenitAB.png","language":"Go","readme":"# Git Auth Proxy\n\n[![Go Report Card](https://goreportcard.com/badge/github.com/XenitAB/git-auth-proxy)](https://goreportcard.com/report/github.com/XenitAB/git-auth-proxy)\n\nProxy to allow multi-tenant sharing of GitHub and Azure DevOps credentials in Kubernetes.\n\nMost Git providers offer multiple ways of authenticating when cloning repositories and communicating with their API. These authentication methods are usually tied to a specific user and in the best\ncase offer the ability to scope the permissions. The lack of organization API keys leads to solutions like GitHub's solution to [create a machine user](https://docs.github.com/en/developers/overview/managing-deploy-keys#machine-users)\nthat has limited permissions. The need for machine user accounts is especially important for GitOps deployment flows with projects like [Flux](https://docs.github.com/en/developers/overview/managing-deploy-keys#machine-users)\nand [ArgoCD](https://github.com/argoproj/argo-cd). 
These tools need an authentication method that supports accessing multiple repositories, without sharing the global credentials with all users.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"./assets/architecture.png\"\u003e\n\u003c/p\u003e\n\nGit Auth Proxy attempts to solve this problem by implementing its own authentication and authorization layer in between the client and the Git provider. It works by generating static tokens that are\nspecific to a Git repository. These tokens are then written to a Kubernetes secret in the Kubernetes namespaces which should have access to the repositories. When a repository is cloned through the\nproxy, the token will be checked against the repository cloned, and if valid it will be replaced with the correct credentials. The request will be denied if a token is used to clone any other\nrepository which it does not have access to.\n\n## How To\n\nThe proxy reads its configuration from a JSON file. It contains a list of repositories that can be accessed through the proxy and the Kubernetes namespaces which should receive a Secret.\n\nWhen using Azure DevOps a [PAT](https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page) has to be\nconfigured for Git Auth Proxy to append to authorized requests. 
Note that organization and repository names are matched case-insensitively.\n\n```json\n{\n  \"organizations\": [\n    {\n      \"provider\": \"azuredevops\",\n      \"azuredevops\": {\n        \"pat\": \"\u003cPAT\u003e\"\n      },\n      \"host\": \"dev.azure.com\",\n      \"name\": \"xenitab\",\n      \"repositories\": [\n        {\n          \"name\": \"fleet-infra\",\n          \"project\": \"lab\",\n          \"namespaces\": [\n            \"foo\",\n            \"bar\"\n          ]\n        }\n      ]\n    }\n  ]\n}\n```\n\nWhen using GitHub a [GitHub Application](https://docs.github.com/en/developers/apps) has to be created and installed. The PEM key needs to be extracted and passed as a base64 encoded string in the\nconfiguration file. Note that the project field is not required when using GitHub as projects do not exist in GitHub.\n\n```json\n{\n  \"organizations\": [\n    {\n      \"provider\": \"github\",\n      \"github\": {\n        \"appID\": 123,\n        \"installationID\": 123,\n        \"privateKey\": \"\u003cBASE64\u003e\"\n      },\n      \"host\": \"github.com\",\n      \"name\": \"xenitab\",\n      \"repositories\": [\n        {\n          \"name\": \"fleet-infra\",\n          \"namespaces\": [\n            \"foo\",\n            \"bar\"\n          ]\n        }\n      ]\n    }\n  ]\n}\n```\n\nAdd the Helm repository and install the chart. Be sure to set the config content.\n\n```shell\nkubectl create namespace git-auth-proxy\nhelm upgrade --install --version \u003cversion\u003e git-auth-proxy oci://ghcr.io/xenitab/helm-charts/git-auth-proxy\n```\n\nThere should now be a `git-auth-proxy` Deployment and Service in the cluster, ready to proxy traffic.\n\n### Git\n\nCloning a repository through the proxy is not too different from doing so directly from GitHub or Azure DevOps. The only limitation is that it is not possible to clone through SSH, as Git Auth Proxy\nonly proxies HTTP(S) traffic. 
To clone the repository `repo-1` [get the clone URL from the repository page](https://docs.microsoft.com/en-us/azure/devops/repos/git/clone?view=azure-devops\u0026tabs=visual-studio#get-the-clone-url-to-your-repo).\nThen replace the host part of the URL with `git-auth-proxy` and add the token as a basic auth parameter. The result should be similar to the following.\n\n```shell\ngit clone http://\u003ctoken-1\u003e@git-auth-proxy/org/proj/_git/repo-1\n```\n\n### API\n\nAPI calls can also be done through the proxy. Currently only repository-specific requests will be permitted as authorization is done per repository. This may change in future releases.\n\n#### GitHub\n\nThe proxy assumes that the requests sent to it are in a GitHub Enterprise format due to the way GitHub clients behave when configured with a host that is not `github.com`. The main difference between\nGitHub Enterprise and non GitHub Enterprise is the API format. The GitHub Enterprise API expects all requests to the API to have the prefix `/api/v3/` while non GitHub Enterprise API requests are sent\nto the host `api.github.com`.\n\n#### Azure DevOps\n\nExecute the following command to list all pull requests in the repository `repo-1` using the local token to authenticate to the proxy.\n\n```shell\ncurl \"https://\u003ctoken-1\u003e@git-auth-proxy/org/proj/_apis/git/repositories/repo-1/pullrequests?api-version=5.1\"\n```\n\n\u003e :warning: **If you intend on using a language-specific API**: Please read this!\n\nSome APIs built by Microsoft, like [azure-devops-go-api](https://github.com/microsoft/azure-devops-go-api), will make a request to the [Resource Areas API](https://docs.microsoft.com/en-us/azure/devops/extend/develop/work-with-urls?view=azure-devops\u0026tabs=http#how-to-get-an-organizations-url)\nwhich returns a list of location URLs for a specific organization. They will then use those URLs when making additional requests, skipping the proxy. 
To avoid this you need to explicitly create your\nclient instead of allowing it to be created automatically.\n\nIn the case of Go you should create a client in the following way.\n\n```go\npackage main\n\nimport (\n  \"github.com/microsoft/azure-devops-go-api/azuredevops\"\n  \"github.com/microsoft/azure-devops-go-api/azuredevops/git\"\n)\n\nfunc main() {\n  // Build the client from the proxy URL directly so that no location URL\n  // lookup happens and every request goes through the proxy.\n  connection := azuredevops.NewAnonymousConnection(\"http://git-auth-proxy\")\n  client := connection.GetClientByUrl(\"http://git-auth-proxy\")\n  gitClient := \u0026git.ClientImpl{\n    Client: *client,\n  }\n  _ = gitClient // use gitClient for the repository API calls\n}\n```\n\nDo not use the cleaner solution below, which would ignore the proxy.\n\n```go\npackage main\n\nimport (\n  \"context\"\n\n  \"github.com/microsoft/azure-devops-go-api/azuredevops\"\n  \"github.com/microsoft/azure-devops-go-api/azuredevops/git\"\n)\n\nfunc main() {\n  connection := azuredevops.NewAnonymousConnection(\"http://git-auth-proxy\")\n  ctx := context.Background()\n  // git.NewClient looks up the location URLs itself, so later requests skip the proxy.\n  gitClient, _ := git.NewClient(ctx, connection)\n  _ = gitClient\n}\n```\n\n# License\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxenitab%2Fgit-auth-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fxenitab%2Fgit-auth-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxenitab%2Fgit-auth-proxy/lists"}