feat(git-gate): remove git remote host override plumbing
This commit is contained in:
@@ -49,7 +49,7 @@ from ...egress import (
|
||||
EGRESS_HOSTNAME,
|
||||
EGRESS_ROUTES_IN_CONTAINER,
|
||||
)
|
||||
from ...git_gate import GIT_GATE_HOSTNAME, git_gate_aggregate_extra_hosts
|
||||
from ...git_gate import GIT_GATE_HOSTNAME
|
||||
from ...log import die, warn
|
||||
from ...pipelock import PIPELOCK_HOSTNAME
|
||||
from ...supervise import (
|
||||
@@ -198,7 +198,6 @@ def _sidecar_bundle_service(plan: DockerBottlePlan) -> dict[str, Any]:
|
||||
env.append(token_env)
|
||||
|
||||
# --- git-gate ----------------------------------------------------
|
||||
extra_hosts: list[str] = []
|
||||
gp = plan.git_gate_plan
|
||||
if gp.upstreams:
|
||||
volumes += [
|
||||
@@ -217,8 +216,6 @@ def _sidecar_bundle_service(plan: DockerBottlePlan) -> dict[str, Any]:
|
||||
u.known_hosts_file,
|
||||
f"{GIT_GATE_CREDS_DIR_IN_CONTAINER}/{u.name}-known_hosts",
|
||||
))
|
||||
extra_map = git_gate_aggregate_extra_hosts(gp.upstreams)
|
||||
extra_hosts = [f"{host}:{ip}" for host, ip in sorted(extra_map.items())]
|
||||
|
||||
# --- supervise ---------------------------------------------------
|
||||
sp = plan.supervise_plan
|
||||
@@ -261,8 +258,6 @@ def _sidecar_bundle_service(plan: DockerBottlePlan) -> dict[str, Any]:
|
||||
"environment": env,
|
||||
"volumes": volumes,
|
||||
}
|
||||
if extra_hosts:
|
||||
service["extra_hosts"] = extra_hosts
|
||||
return service
|
||||
|
||||
|
||||
|
||||
@@ -349,7 +349,6 @@ def _bundle_launch_spec(
|
||||
env.append(token_env)
|
||||
|
||||
# --- git-gate ---------------------------------------------
|
||||
extra_hosts: list[str] = []
|
||||
gp = plan.git_gate_plan
|
||||
if gp.upstreams:
|
||||
daemons += ["git-gate", "git-http"]
|
||||
|
||||
+2
-40
@@ -30,11 +30,9 @@ backend-specific and lives on concrete subclasses (see
|
||||
from __future__ import annotations
|
||||
|
||||
from abc import ABC, abstractmethod
|
||||
from dataclasses import dataclass, field
|
||||
from dataclasses import dataclass
|
||||
from pathlib import Path
|
||||
from typing import Mapping
|
||||
|
||||
from .log import die
|
||||
from .manifest import Bottle, GitEntry
|
||||
|
||||
|
||||
@@ -47,10 +45,6 @@ GIT_GATE_HOSTNAME = "git-gate"
|
||||
GIT_GATE_DAEMON_TIMEOUT_SECS = 15
|
||||
|
||||
|
||||
def _empty_str_map() -> dict[str, str]:
|
||||
return {}
|
||||
|
||||
|
||||
@dataclass(frozen=True)
|
||||
class GitGateUpstream:
|
||||
"""One bare repo on the gate. `name` drives the bare-repo path
|
||||
@@ -64,10 +58,7 @@ class GitGateUpstream:
|
||||
KnownHostKey string from the manifest; the gate's start step
|
||||
materialises it into a known_hosts file if non-empty.
|
||||
|
||||
`extra_hosts` is a `{hostname: ip}` map the backend injects into
|
||||
the gate container's `/etc/hosts` via `--add-host` so the gate
|
||||
can resolve upstream hostnames that aren't reachable via the
|
||||
container's default DNS (e.g. Tailscale-only hosts)."""
|
||||
the gate credential paths inside the running sidecar."""
|
||||
|
||||
name: str
|
||||
upstream_url: str
|
||||
@@ -76,7 +67,6 @@ class GitGateUpstream:
|
||||
identity_file: str
|
||||
known_host_key: str
|
||||
known_hosts_file: Path = Path()
|
||||
extra_hosts: Mapping[str, str] = field(default_factory=_empty_str_map)
|
||||
|
||||
|
||||
@dataclass(frozen=True)
|
||||
@@ -113,38 +103,11 @@ def git_gate_upstreams_for_bottle(bottle: Bottle) -> tuple[GitGateUpstream, ...]
|
||||
upstream_port=e.UpstreamPort,
|
||||
identity_file=e.IdentityFile,
|
||||
known_host_key=e.KnownHostKey,
|
||||
extra_hosts=dict(e.ExtraHosts),
|
||||
)
|
||||
for e in bottle.git
|
||||
)
|
||||
|
||||
|
||||
def git_gate_aggregate_extra_hosts(
|
||||
upstreams: tuple[GitGateUpstream, ...],
|
||||
) -> dict[str, str]:
|
||||
"""Merge every upstream's `extra_hosts` into a single
|
||||
`{hostname: ip}` map for `--add-host` on the gate container. Two
|
||||
entries naming the same hostname with different IPs is a manifest
|
||||
bug — the gate has one /etc/hosts — so die loudly with the
|
||||
conflicting names rather than silently picking one."""
|
||||
merged: dict[str, str] = {}
|
||||
source: dict[str, str] = {}
|
||||
for u in upstreams:
|
||||
for host, ip in u.extra_hosts.items():
|
||||
existing = merged.get(host)
|
||||
if existing is None:
|
||||
merged[host] = ip
|
||||
source[host] = u.name
|
||||
elif existing != ip:
|
||||
die(
|
||||
f"git-gate ExtraHosts conflict: '{host}' maps to "
|
||||
f"'{existing}' in upstream '{source[host]}' and to "
|
||||
f"'{ip}' in upstream '{u.name}'. The gate has one "
|
||||
f"/etc/hosts; pick one IP."
|
||||
)
|
||||
return merged
|
||||
|
||||
|
||||
def git_gate_render_gitconfig(
|
||||
entries: tuple[GitEntry, ...], gate_host: str, *, scheme: str = "git",
|
||||
) -> str:
|
||||
@@ -443,7 +406,6 @@ class GitGate(ABC):
|
||||
identity_file=u.identity_file,
|
||||
known_host_key=u.known_host_key,
|
||||
known_hosts_file=known_hosts_file,
|
||||
extra_hosts=dict(u.extra_hosts),
|
||||
)
|
||||
)
|
||||
return GitGatePlan(
|
||||
|
||||
@@ -71,13 +71,6 @@ class GitEntry:
|
||||
upstream after gitleaks passes. The agent itself never holds the
|
||||
upstream credential.
|
||||
|
||||
`ExtraHosts` is an optional `{hostname: ip}` map injected into the
|
||||
gate container's `/etc/hosts` via `--add-host`. Use it when the
|
||||
Upstream's hostname isn't resolvable from the gate (e.g. a
|
||||
Tailscale-only host whose public DNS A record points elsewhere):
|
||||
the agent's `insteadOf` rewrite still matches the original
|
||||
hostname, but the gate routes to the right IP.
|
||||
|
||||
The Upstream URL is parsed once at construction and the pieces are
|
||||
stashed in the `Upstream*` fields so the git-gate render step
|
||||
doesn't have to re-parse."""
|
||||
@@ -86,7 +79,6 @@ class GitEntry:
|
||||
Upstream: str
|
||||
IdentityFile: str
|
||||
KnownHostKey: str = ""
|
||||
ExtraHosts: Mapping[str, str] = field(default_factory=_empty_str_dict)
|
||||
RemoteKey: str = ""
|
||||
UpstreamUser: str = ""
|
||||
UpstreamHost: str = ""
|
||||
@@ -139,10 +131,6 @@ class GitEntry:
|
||||
d.get("KnownHostKey"),
|
||||
f"bottle '{bottle_name}' {label} '{name}' KnownHostKey",
|
||||
)
|
||||
extra_hosts = _opt_extra_hosts(
|
||||
d.get("ExtraHosts"),
|
||||
f"bottle '{bottle_name}' {label} '{name}' ExtraHosts",
|
||||
)
|
||||
user, host, port, path = _parse_git_upstream(
|
||||
upstream, f"bottle '{bottle_name}' {label} '{name}' Upstream"
|
||||
)
|
||||
@@ -160,7 +148,6 @@ class GitEntry:
|
||||
Upstream=upstream,
|
||||
IdentityFile=ident,
|
||||
KnownHostKey=khk,
|
||||
ExtraHosts=extra_hosts,
|
||||
RemoteKey=host_key or host,
|
||||
UpstreamUser=user,
|
||||
UpstreamHost=host,
|
||||
@@ -978,26 +965,6 @@ def _opt_str(value: object, label: str) -> str:
|
||||
return value
|
||||
|
||||
|
||||
def _opt_extra_hosts(value: object, label: str) -> dict[str, str]:
|
||||
"""Validate a `{hostname: ip}` object and return a plain dict. None
|
||||
yields an empty dict so callers can treat ExtraHosts as always
|
||||
present. IP format is not checked here; docker validates at
|
||||
`--add-host` time."""
|
||||
if value is None:
|
||||
return {}
|
||||
obj = _as_json_object(value, label)
|
||||
out: dict[str, str] = {}
|
||||
for host, ip in obj.items():
|
||||
if not host:
|
||||
raise ManifestError(f"{label} contains an empty hostname key")
|
||||
if not isinstance(ip, str):
|
||||
raise ManifestError(f"{label}['{host}'] must be a string (was {type(ip).__name__})")
|
||||
if not ip:
|
||||
raise ManifestError(f"{label}['{host}'] must be a non-empty string")
|
||||
out[host] = ip
|
||||
return out
|
||||
|
||||
|
||||
def _parse_git_upstream(url: str, label: str) -> tuple[str, str, str, str]:
|
||||
"""Parse `ssh://user@host[:port]/path` into (user, host, port, path).
|
||||
Dies if `url` doesn't match the ssh:// shape v1 supports. Default
|
||||
|
||||
Reference in New Issue
Block a user