git

package

v0.3.4 Latest Latest Go to latest Published: Jun 10, 2026 License: AGPL-3.0 Imports: 28 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/home-operations/flate

Links

Open Source Insights

Documentation ¶

Overview ¶

Package git implements the source.Fetcher for KindGitRepository.

File map:

fetcher.go    — Fetcher type, Fetch entry, fetch + fetchViaMirror, authIdentity
remotebase.go — FetchRemoteBase: anonymous kustomize remote git base
auth.go       — SecretRef → transport.AuthMethod resolution
tls.go        — spec.secretRef.ca.crt → *tls.Config
ssh.go        — SSH host-key callbacks (known_hosts / insecure)
checkout.go   — checkoutRef + updateSubmodules
resolve.go    — ref → commit hash (mirror path)
marker.go     — slot revision sidecar (.flate-meta.json) + worktree HEAD lookup

Index ¶

type Fetcher
- func (f *Fetcher) Fetch(ctx context.Context, repo *manifest.GitRepository) (*store.SourceArtifact, error)
- func (f *Fetcher) FetchRemoteBase(ctx context.Context, repoURL, ref string) (*store.SourceArtifact, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Fetcher ¶

type Fetcher struct {
	Cache   *source.Cache
	Secrets source.SecretGetter
	Mirrors *mirror.Cache

	// Depth caps the clone/fetch history depth for both the bare mirror
	// and the legacy clone path. 0 (the zero value) clones full history,
	// so library embedders are unaffected; the CLI defaults it to 1
	// (opt-out via --git-depth=0). Shallow is forced off for commit-pinned
	// refs (see effectiveDepth) and, in the legacy path, for submodule
	// recursion. The worktree materialization only needs the resolved
	// tip's tree, which a shallow clone provides in full.
	Depth int
}

Fetcher is the source.Fetcher implementation for KindGitRepository. It owns a shared Cache so multiple GitRepository CRs writing to the same cache root serialize on slot allocation correctly. Secrets is optional; required when a GitRepository sets spec.secretRef.

Mirrors, when set, switches the default fetch path to an incremental bare-mirror-plus-worktree strategy: one bare clone per upstream URL (kept warm across runs and across refs), and per-slot worktrees are materialized by walking the commit tree out of the mirror. The legacy full PlainClone-into-slot path still runs for repos that need submodule recursion or sparse checkout — neither feature is expressible against a bare mirror without a separate fetch that defeats the cache. Leave nil to keep the legacy path everywhere.

func (*Fetcher) Fetch ¶

func (f *Fetcher) Fetch(ctx context.Context, repo *manifest.GitRepository) (*store.SourceArtifact, error)

Fetch implements source.TypedFetcher[*manifest.GitRepository]. The typed signature is wrapped via source.Wrap at orchestrator registration — a payload mismatch returns ErrInput once at the adapter site rather than panicking here.

func (*Fetcher) FetchRemoteBase ¶ added in v0.3.4

func (f *Fetcher) FetchRemoteBase(ctx context.Context, repoURL, ref string) (*store.SourceArtifact, error)

FetchRemoteBase fetches a public kustomize remote git base: repoURL at a bare, undifferentiated ref (tag, branch, commit, or "" for the default branch), anonymously, returning a SourceArtifact whose LocalPath is a materialized worktree directory (no .git). It is a lean sibling of fetchViaMirror for the one job kustomize remote bases need.

Unlike Fetch — which takes a Flux GitRepository CR with EXCLUSIVE ref fields (Tag XOR Branch XOR Commit XOR …) and a NARROW per-field mirror fetch — kustomize's ?ref= is a single opaque string with `git checkout <ref>` semantics: it may be a tag, branch, or commit SHA and the caller cannot know which. So FetchRemoteBase fetches the mirror BROADLY (empty FetchPlan → +refs/*:refs/*, all heads+tags+HEAD) and resolves the string through resolveRefHash's Name branch, which delegates to go-git ResolveRevision — git rev-parse order over refs/tags then refs/heads then a hash prefix, peeling annotated tags. One call covers every ref kind with no field-guessing; an empty ref resolves to the mirror's HEAD.

Anonymous only (no SecretRef/proxy/TLS/verification/submodules/sparse): kustomize remote bases are public bases; an authenticated base belongs in a real GitRepository CR. Requires Mirrors and Cache. The materialized worktree is cached per (repoURL, ref) in a slot whose ref label is namespaced so it never collides with a real GitRepository CR's slot for the same URL, and is reused on warm runs via the revision recorded in the slot's .flate-meta.json sidecar.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
internal
gittransport Package gittransport carries the shared HTTPS-transport install lock serialized across git.Fetcher and the bare-mirror cache.	Package gittransport carries the shared HTTPS-transport install lock serialized across git.Fetcher and the bare-mirror cache.
mirror Package mirror implements the bare-clone object store shared across GitRepository fetches.	Package mirror implements the bare-clone object store shared across GitRepository fetches.
verify Package verify performs PGP signature verification against a freshly cloned GitRepository's HEAD commit and/or referenced tag, matching source-controller's spec.verify behavior.	Package verify performs PGP signature verification against a freshly cloned GitRepository's HEAD commit and/or referenced tag, matching source-controller's spec.verify behavior.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL