Gitsync fails to read new credentials when using ESO Github token generator

[electrical]

We use Github for our git repos.

To provide access from airflow we use External Secrets Operator to manage this using GithubAccessToken that uses a github app to create the access token.
This token only lives for 1 hour maximum.
Because of this lifespan, The gitsync container needs to re-read the secret to have the new token.
Unfortunately it seems that gitsync doesn't support re-reading the secret while it's running.

This causes it to fail the sync, exit and restarts.
Thankfully it will restart fine and syncs again.

I'm wondering if there is something I've missed to solve this, or is this an expected and known 'issue'?

[thockin]

Are you using --password-file ?

If so, see #976 which is released in version 4.6.0

[electrical]

It seems that Airflow sets the GIT_SYNC_PASSWORD env variable.
Also airflow is still on version 4.4.2. Although I think we could do a test upgrade with the latest version.
The env var option won't work of course since it's set at startup time.
I will raise a GH issue about this with airflow and see what they think about this solution :)

[thockin]

Yeah, you cannot modify an env variable from outside the process, so thast approach is DOA

[thockin]

I will close for now, but I think between askpass and this new re-read behavior, you have what you need. Please reopen if not!