Gitsync fails to read new credentials when using ESO Github token generator #63253

@electrical

Description

We use Github for our git repos.

To provide access from airflow we use External Secrets Operator to manage this using GithubAccessToken that uses a github app to create the access token.
This token only lives for 1 hour maximum.
Because of this lifespan, the gitsync container needs to re-read the secret to have the new token.
Unfortunately it seems that gitsync doesn't support re-reading the secret while it's running.

This causes it to fail the sync, exit and restart.
Thankfully it will restart fine and sync again.

Use case/motivation

The Gitsync project has released a new feature, kubernetes/git-sync#976, that allows for reading a file that contains the password and re-reading it at each sync loop.

Env vars are only set at startup time so won't detect a change; therefore the secret will have to be mounted inside the container, which I think should allow for accepting token rotations?

Related issues

No response

Are you willing to submit a PR?

  • Yes I am willing to submit a PR!
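
The change the issue proposes, sketched as a Kubernetes Pod manifest (an added example, not from the issue or from Airflow's chart): the token reaches git-sync through a mounted Secret file and `GITSYNC_PASSWORD_FILE` instead of an environment variable. The Pod, Secret, key, repository URL and image tag are assumptions, and the image must be a git-sync release that includes kubernetes/git-sync#976.

```yaml
# Added example. All names, paths and the image tag are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: git-sync-demo                  # hypothetical
spec:
  volumes:
    - name: git-credentials
      secret:
        secretName: github-app-token   # hypothetical Secret that ESO rewrites
                                       # from the GithubAccessToken generator
    - name: dags
      emptyDir: {}
  containers:
    - name: git-sync
      # Placeholder tag: use a release that contains kubernetes/git-sync#976.
      image: "registry.k8s.io/git-sync/git-sync:VERSION_PLACEHOLDER"
      env:
        - name: GITSYNC_REPO
          value: https://github.com/example-org/example-dags.git  # constructed
        - name: GITSYNC_ROOT
          value: /git
        - name: GITSYNC_USERNAME
          value: x-access-token        # username GitHub expects with app tokens
        # Before: the value is copied into the process environment once, at
        # container start, so a rotated Secret is never seen.
        # - name: GITSYNC_PASSWORD
        #   valueFrom:
        #     secretKeyRef:
        #       name: github-app-token
        #       key: token
        # After: git-sync reads the token from a file that the kubelet keeps
        # in step with the Secret.
        - name: GITSYNC_PASSWORD_FILE
          value: /etc/git-secret/token # "token" key is an assumption
      volumeMounts:
        - name: git-credentials
          mountPath: /etc/git-secret   # mount the whole volume, no subPath
          readOnly: true
        - name: dags
          mountPath: /git
```

A Secret mounted with `subPath` is not updated in a running container, so the whole volume is mounted here. The kubelet propagates Secret changes to the mount with some delay, so the ExternalSecret `refreshInterval` needs to sit well inside the one-hour token lifetime.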
