This PR adds support for SSH-based access to git via HTTP Proxy in a shamelessly similar way to what was done in https://github.com/concourse/git-resource/pull/154. Most of the work is a one-to-one copy of the work done in that PR.
The gist of it is that we install proxytunnel in the base image(s), and use it together with ProxyCommand to talk to a standard HTTP proxy through which SSH commands transit.
This approach is essential in environments where internet access is only possible via corporate proxies which support HTTP CONNECT but block all traffic other than HTTP on ports 80 and 443. At the same time, in these environments, accessing GitHub using personal tokens is frowned upon, making connecting via SSH the only viable option.
The whole https_tunnel block is optional. Similarly, it is possible to omit proxy_user and proxy_password when the proxy does not have authentication.
Done:
Adapted base images (ubuntu/alpine).
Made necessary changes to check, in, and out.
Added some simple unit tests, such as testing that the configuration is as expected and that proxytunnel is installed in the image.
Added integration tests similar to the original PR (using squid proxy), slightly adapted to be more suitable for this resource. They are not running automatically as a git repository and SSH credentials are required, but I think I made it as painless and maintainable as possible by providing test instructions and a script to set up a test repository. While this repo seems to have BDD integration tests, I am nowhere near well versed to understand or have the necessary time to assess whether the integration tests could have been written in that style.
Thanks for taking the time to review and consider merging this PR :)
xtremerui
commented
3 years ago
This PR adds support for SSH-based access to git via HTTP Proxy in a shamelessly similar way to what was done in https://github.com/concourse/git-resource/pull/154. Most of the work is a one-to-one copy of the work done in that PR.
The gist of it is that we install proxytunnel in the base image(s), and use it together with
ProxyCommandto talk to a standard HTTP proxy through which SSH commands transit.This approach is essential in environments where internet access is only possible via corporate proxies which support
HTTP CONNECTbut block all traffic other than HTTP on ports 80 and 443. At the same time, in these environments, accessing GitHub using personal tokens is frowned upon, making connecting via SSH the only viable option.The configuration block is:
The whole
https_tunnelblock is optional. Similarly, it is possible to omitproxy_userandproxy_passwordwhen the proxy does not have authentication.Done:
check,in, andout.proxytunnelis installed in the image.Thanks for taking the time to review and consider merging this PR :)