[PATCH] kas-container: add git credential cache socket support


Jorge Solla Rubiales

Apr 17, 2026, 9:51:11 AM
to kas-...@googlegroups.com, jan.k...@siemens.com, Jorge Solla Rubiales
The existing credential helper support only covered the "store" helper,
which writes credentials to a plain-text file. Add support for the "cache"
helper, which keeps credentials in memory via a background daemon and
exposes them through a Unix socket.

The new --git-credential-socket option accepts the path to that socket and
bind-mounts it into the container, setting KAS_GIT_CREDENTIAL_HELPER_DEFAULT
accordingly.

Signed-off-by: Jorge Solla Rubiales <jorge...@qtactica.com>
---
docs/userguide/credentials.rst | 48 ++++++++++++++++++++++++++++++++++
kas-container | 17 ++++++++++++
2 files changed, 65 insertions(+)

diff --git a/docs/userguide/credentials.rst b/docs/userguide/credentials.rst
index e088e5b..e19f7c4 100644
--- a/docs/userguide/credentials.rst
+++ b/docs/userguide/credentials.rst
@@ -44,6 +44,54 @@ When running in a GitHub Action or GitLab CI job, the ``.gitconfig`` file
is automatically injected. Otherwise, the environment variable
``GITCONFIG_FILE`` needs to point to the `.gitconfig` kas should use.

+
+Git credential cache
+~~~~~~~~~~~~~~~~~~~~
+
+You can share git credentials with the kas-container by using the Git
+credential cache helper. This allows credentials to be securely stored in
+memory via a background daemon and reused across Git operations without
+re-entering them or writing them to disk in plain text.
+
+For a full description of the available options, refer to the official
+`git-credential-cache documentation
+<https://git-scm.com/docs/git-credential-cache>`_.
+
+Enable credential caching on your host machine with a command like:
+
+.. code-block:: bash
+
+ git config --global credential.helper 'cache --timeout=86400'
+
+.. note::
+ The ``--timeout`` value (in seconds) controls how long credentials are
+ kept in the cache after the last use. The value ``86400`` (24 hours) is
+ just an example. Adjust it to fit your workflow and security requirements.
+
+From the host, perform a Git operation that requires authentication, such as
+a ``git pull`` against a password-protected repository:
+
+.. code-block:: bash
+
+ git pull
+
+After entering your credentials once, Git will store them and make them
+available through a background daemon that exposes a Unix socket.
+
+You should see a running process similar to this on your host:
+
+.. code-block:: bash
+
+ /usr/lib/git-core/git credential-cache--daemon $HOME/.cache/git/credential/socket
+
+Now you can launch the kas container passing the socket path via
+``--git-credential-socket``:
+
+.. code-block:: bash
+
+ kas-container --git-credential-socket $HOME/.cache/git/credential/socket <other options...>
+
+
GitHub Actions
~~~~~~~~~~~~~~

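Review bot: the new section's claim that credentials are "securely stored in memory" needs to be paired with what the mount implies: the cache daemon answers any process that can connect to its socket, so bind-mounting the default socket hands the container every credential the daemon currently holds, for every host the user has authenticated to, not just this project's; a sentence saying so, with a pointer to a per-repository socket for isolation, belongs right after the first paragraph. The path $HOME/.cache/git/credential/socket is git's default only when XDG_CACHE_HOME is unset and no legacy ~/.git-credential-cache/ directory exists, so tell the reader to take the path from the running daemon's command line (which the text already shows) rather than presenting it as fixed. Minor: the hunk leaves two blank lines before "Git credential cache" and two before "GitHub Actions", where the existing text used a single blank line between sections.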
diff --git a/kas-container b/kas-container
index 2241c31..8868653 100755
--- a/kas-container
+++ b/kas-container
@@ -85,6 +85,8 @@ usage()
"container.\n"
printf "%b" "--git-credential-store\tFile path to the git credential " \
"store\n"
+ printf "%b" "--git-credential-socket\tPath to the git credential cache " \
+ "socket.\n"
printf "%b" "--no-proxy-from-env\tDo not inherit proxy settings from " \
"environment.\n"
printf "%b" "--repo-ro\t\tMount current repository read-only\n" \
@@ -419,6 +421,13 @@ while [ $# -gt 0 ]; do
KAS_GIT_CREDENTIAL_STORE="$2"
shift 2
;;
+
+ --git-credential-socket)
+ [ $# -gt 2 ] || usage
+ KAS_GIT_CREDENTIAL_SOCKET="$2"
+ shift 2
+ ;;
+
--no-proxy-from-env)
KAS_NO_PROXY_FROM_ENV=1
shift 1
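Review bot: the two blank "+" lines added around the new case (before "--git-credential-socket)" and after its ";;") break the layout of this case statement, where the store case's ";;" is followed directly by "--no-proxy-from-env)" in the context; drop both. The "[ $# -gt 2 ] || usage" guard demands at least one further argument after the socket path, which is fine if kas-container always requires a command after its options and the other value-taking options are guarded the same way; the store case's guard is outside this hunk, so please confirm it is the same check.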
@@ -687,6 +696,14 @@ if [ -n "${KAS_GIT_CREDENTIAL_STORE}" ] ; then
set -- "$@" -v "$(realpath -e "${KAS_GIT_CREDENTIAL_STORE}")":/var/kas/userdata/.git-credentials:ro
fi

+if [ -n "${KAS_GIT_CREDENTIAL_SOCKET}" ] ; then
+ if [ ! -S "${KAS_GIT_CREDENTIAL_SOCKET}" ]; then
+ fatal_error "passed KAS_GIT_CREDENTIAL_SOCKET '${KAS_GIT_CREDENTIAL_SOCKET}' is not a socket"
+ fi
+ KAS_GIT_CREDENTIAL_HELPER_DEFAULT="cache --socket=/var/kas/userdata/.git-cache-socket"
+ set -- "$@" -v "$(realpath -e "${KAS_GIT_CREDENTIAL_SOCKET}")":/var/kas/userdata/.git-cache-socket
+fi
+
GIT_CREDENTIAL_HELPER="${GIT_CREDENTIAL_HELPER:-${KAS_GIT_CREDENTIAL_HELPER_DEFAULT}}"

if [ -n "${GIT_CREDENTIAL_HELPER}" ] ; then
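Review bot: when both KAS_GIT_CREDENTIAL_STORE and KAS_GIT_CREDENTIAL_SOCKET are set, this block runs after the store block and overwrites KAS_GIT_CREDENTIAL_HELPER_DEFAULT (assuming the store block sets it, which is outside this hunk), so the socket helper silently wins while the store file is still mounted; a fatal_error when both are given is cheaper than debugging that later. Two things a reader of this code will want in a comment: the mount is intentionally not ":ro", unlike the store mount just above, because connecting to a Unix socket needs write permission on it; and "-v" on a socket path bind-mounts that inode, so the "-S" check passing at launch does not help once the daemon exits (idle timeout reached, or "git credential-cache exit") and a later git operation on the host respawns it on a fresh socket file the container never sees; git inside the container then cannot reach the cache and falls back to prompting. The documentation should state that the daemon has to outlive the container session. Minor: the error message names KAS_GIT_CREDENTIAL_SOCKET even when the value came from --git-credential-socket; mention both.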
--
2.34.1

Jan Kiszka

Apr 17, 2026, 10:06:58 AM
to Jorge Solla Rubiales, kas-...@googlegroups.com
Might also be worth noting that credential caches could also be defined
per repo. When using custom socket paths, this would enable credential
isolation.

KAS_GIT_CREDENTIAL_SOCKET is actually an API as well. Please document
that in docs/command-line/environment-variables.inc - I was about to
say, "just like KAS_GIT_CREDENTIAL_STORE", but that isn't documented
either. Bonus for fixing this up (separate patch, please).

This API is important as it can simplify the invocation of kas by simply
setting the variable in the terminal env.

> + if [ ! -S "${KAS_GIT_CREDENTIAL_SOCKET}" ]; then
> + fatal_error "passed KAS_GIT_CREDENTIAL_SOCKET '${KAS_GIT_CREDENTIAL_SOCKET}' is not a socket"
> + fi
> + KAS_GIT_CREDENTIAL_HELPER_DEFAULT="cache --socket=/var/kas/userdata/.git-cache-socket"
> + set -- "$@" -v "$(realpath -e "${KAS_GIT_CREDENTIAL_SOCKET}")":/var/kas/userdata/.git-cache-socket
> +fi
> +
> GIT_CREDENTIAL_HELPER="${GIT_CREDENTIAL_HELPER:-${KAS_GIT_CREDENTIAL_HELPER_DEFAULT}}"
>
> if [ -n "${GIT_CREDENTIAL_HELPER}" ] ; then

Looks good to me otherwise.

Thanks,
Jan

--
Siemens AG, Foundational Technologies
Linux Expert Center

Jorge Solla Rubiales

Apr 17, 2026, 11:22:25 AM
to kas-...@googlegroups.com, jan.k...@siemens.com, Jorge Solla Rubiales, Jorge Solla Rubiales
From: Jorge Solla Rubiales <jorge...@bench.com>

The existing credential helper support only covered the "store" helper,
which writes credentials to a plain-text file. Add support for the "cache"
helper, which keeps credentials in memory via a background daemon and
exposes them through a Unix socket.

The new --git-credential-socket option accepts the path to that socket and
bind-mounts it into the container, setting KAS_GIT_CREDENTIAL_HELPER_DEFAULT
accordingly.

Signed-off-by: Jorge Solla Rubiales <jorge...@qtactica.com>
---
docs/command-line/environment-variables.inc | 7 +++
docs/userguide/credentials.rst | 56 +++++++++++++++++++++
kas-container | 17 +++++++
3 files changed, 80 insertions(+)

diff --git a/docs/command-line/environment-variables.inc b/docs/command-line/environment-variables.inc
index 62d366d..a03c3a3 100644
--- a/docs/command-line/environment-variables.inc
+++ b/docs/command-line/environment-variables.inc
@@ -149,6 +149,12 @@ overwritten using the ``env`` section of the config file.
| (K,C) | credential helper in the `.gitconfig` of the kas |
| | user. |
+--------------------------+--------------------------------------------------+
+| |kas_git_cred_socket| | Path to the git credential cache daemon socket |
+| (C) | on the host. When set, the socket is |
+| | bind-mounted into the container and the git |
+| | credential cache helper is configured to use it. |
+| | Equivalent to ``--git-credential-socket``. |
++--------------------------+--------------------------------------------------+
| ``GITCONFIG_FILE`` | Path to a `.gitconfig` file which will be |
| (K,C) | copied to the kas home dir as `.gitconfig`. |
+--------------------------+--------------------------------------------------+
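Review bot: the description should say that the socket must already exist when kas-container starts (the daemon has to be running), since the script aborts with "is not a socket" otherwise, and that the mount is writable, in contrast to the read-only store mount that the KAS_GIT_CREDENTIAL_STORE row in the follow-up patch describes. The (C)-only marker matches the patch, which consumes the variable solely in kas-container.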
@@ -222,6 +228,7 @@ overwritten using the ``env`` section of the config file.
``AWS_SHARED_CREDENTIALS_FILE``
``AWS_WEB_IDENTITY_TOKEN_FILE``
.. |git_cred| replace:: ``GIT_CREDENTIAL_HELPER`` ``GIT_CREDENTIAL_USEHTTPPATH``
+.. |kas_git_cred_socket| replace:: ``KAS_GIT_CREDENTIAL_SOCKET``
.. |ci_server_vars| replace:: ``CI_SERVER_HOST``
``CI_SERVER_PORT``
``CI_SERVER_PROTOCOL``
diff --git a/docs/userguide/credentials.rst b/docs/userguide/credentials.rst
index e088e5b..0f375be 100644
--- a/docs/userguide/credentials.rst
+++ b/docs/userguide/credentials.rst
@@ -44,6 +44,62 @@ When running in a GitHub Action or GitLab CI job, the ``.gitconfig`` file
+From the host, perform a Git operation that requires authentication, such as
+a ``git pull`` against a password-protected repository:
+
+.. code-block:: bash
+
+ git pull
+
+After entering your credentials once, Git will store them and make them
+available through a background daemon that exposes a Unix socket.
+
+You should see a running process similar to this on your host:
+
+.. code-block:: bash
+
+ /usr/lib/git-core/git credential-cache--daemon $HOME/.cache/git/credential/socket
+
+Now you can launch the kas container passing the socket path via
+``--git-credential-socket``, or equivalently by setting the
+``KAS_GIT_CREDENTIAL_SOCKET`` environment variable:
+
+.. code-block:: bash
+
+ kas-container --git-credential-socket $HOME/.cache/git/credential/socket <other options...>
+
+.. note::
+ The ``git credential-cache`` daemon supports custom socket paths via the
+ ``--socket`` flag. This allows running a separate daemon per repository,
+ enabling credential isolation between projects. To use this, start the
+ daemon explicitly with a custom socket path and pass that path to
+ ``--git-credential-socket``.
+ if [ ! -S "${KAS_GIT_CREDENTIAL_SOCKET}" ]; then
+ fatal_error "passed KAS_GIT_CREDENTIAL_SOCKET '${KAS_GIT_CREDENTIAL_SOCKET}' is not a socket"
+ fi
+ KAS_GIT_CREDENTIAL_HELPER_DEFAULT="cache --socket=/var/kas/userdata/.git-cache-socket"
+ set -- "$@" -v "$(realpath -e "${KAS_GIT_CREDENTIAL_SOCKET}")":/var/kas/userdata/.git-cache-socket
+fi
+
GIT_CREDENTIAL_HELPER="${GIT_CREDENTIAL_HELPER:-${KAS_GIT_CREDENTIAL_HELPER_DEFAULT}}"

if [ -n "${GIT_CREDENTIAL_HELPER}" ] ; then
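Review bot: the closing note tells the reader to start the daemon explicitly with a custom socket path, but that step is unnecessary and the guidance should be the per-repository configuration Jan suggested: running "git config credential.helper 'cache --socket /abs/path'" inside the repository (local config, no --global) makes git spawn a daemon on that path at the first authenticated operation, and that same path is what goes to --git-credential-socket. Two caveats belong in the same note: --socket must be an absolute path, and the daemon refuses a socket whose parent directory carries any group or other permission bits (it creates the directory as 0700 when missing), which is the access control that the bind mount extends to the container. Also, as this hunk appears in the message, the "@@ -44,6 +44,62 @@" header is followed immediately by "+From the host, ..." and later by kas-container lines with no "diff --git a/kas-container" header between them; if that is how the patch arrived on the list rather than a rendering artifact, it will not apply, so please check the resend.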
--
2.34.1

Jorge Solla Rubiales

Apr 17, 2026, 11:22:26 AM
to kas-...@googlegroups.com, jan.k...@siemens.com, Jorge Solla Rubiales, Jorge Solla Rubiales
From: Jorge Solla Rubiales <jorge...@bench.com>

KAS_GIT_CREDENTIAL_STORE was not documented in the environment variables
glossary despite being a public API equivalent to --git-credential-store.
Add the missing entry.

Signed-off-by: Jorge Solla Rubiales <jorge...@qtactica.com>
---
docs/command-line/environment-variables.inc | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/docs/command-line/environment-variables.inc b/docs/command-line/environment-variables.inc
index a03c3a3..58043db 100644
--- a/docs/command-line/environment-variables.inc
+++ b/docs/command-line/environment-variables.inc
@@ -149,6 +149,12 @@ overwritten using the ``env`` section of the config file.
| (K,C) | credential helper in the `.gitconfig` of the kas |
| | user. |
+--------------------------+--------------------------------------------------+
+| |kas_git_cred_store| | Path to a git credential store file on the host. |
+| (C) | When set, the file is bind-mounted into the |
+| | container (read-only) and the git credential |
+| | store helper is configured to use it. |
+| | Equivalent to ``--git-credential-store``. |
++--------------------------+--------------------------------------------------+
| |kas_git_cred_socket| | Path to the git credential cache daemon socket |
| (C) | on the host. When set, the socket is |
| | bind-mounted into the container and the git |
@@ -228,6 +234,7 @@ overwritten using the ``env`` section of the config file.
``AWS_SHARED_CREDENTIALS_FILE``
``AWS_WEB_IDENTITY_TOKEN_FILE``
.. |git_cred| replace:: ``GIT_CREDENTIAL_HELPER`` ``GIT_CREDENTIAL_USEHTTPPATH``
+.. |kas_git_cred_store| replace:: ``KAS_GIT_CREDENTIAL_STORE``
.. |kas_git_cred_socket| replace:: ``KAS_GIT_CREDENTIAL_SOCKET``
.. |ci_server_vars| replace:: ``CI_SERVER_HOST``
``CI_SERVER_PORT``
--
2.34.1

Jorge Solla Rubiales

Apr 17, 2026, 11:32:11 AM
to kas-...@googlegroups.com, jan.k...@siemens.com, Jorge Solla Rubiales
KAS_GIT_CREDENTIAL_STORE was not documented in the environment variables
glossary despite being a public API equivalent to --git-credential-store.
Add the missing entry.

Signed-off-by: Jorge Solla Rubiales <jorge...@qtactica.com>
---

Jorge Solla Rubiales

Apr 17, 2026, 11:32:11 AM
to kas-...@googlegroups.com, jan.k...@siemens.com, Jorge Solla Rubiales
The existing credential helper support only covered the "store" helper,
which writes credentials to a plain-text file. Add support for the "cache"
helper, which keeps credentials in memory via a background daemon and
exposes them through a Unix socket.

The new --git-credential-socket option accepts the path to that socket and
bind-mounts it into the container, setting KAS_GIT_CREDENTIAL_HELPER_DEFAULT
accordingly.

Signed-off-by: Jorge Solla Rubiales <jorge...@qtactica.com>
---
docs/command-line/environment-variables.inc | 7 +++
docs/userguide/credentials.rst | 56 +++++++++++++++++++++
kas-container | 17 +++++++
3 files changed, 80 insertions(+)

diff --git a/docs/command-line/environment-variables.inc b/docs/command-line/environment-variables.inc
index 62d366d..a03c3a3 100644
--- a/docs/command-line/environment-variables.inc
+++ b/docs/command-line/environment-variables.inc
@@ -149,6 +149,12 @@ overwritten using the ``env`` section of the config file.
| (K,C) | credential helper in the `.gitconfig` of the kas |
| | user. |
+--------------------------+--------------------------------------------------+
+| |kas_git_cred_socket| | Path to the git credential cache daemon socket |
+| (C) | on the host. When set, the socket is |
+| | bind-mounted into the container and the git |
+| | credential cache helper is configured to use it. |
+| | Equivalent to ``--git-credential-socket``. |
++--------------------------+--------------------------------------------------+
| ``GITCONFIG_FILE`` | Path to a `.gitconfig` file which will be |
| (K,C) | copied to the kas home dir as `.gitconfig`. |
+--------------------------+--------------------------------------------------+
@@ -222,6 +228,7 @@ overwritten using the ``env`` section of the config file.
``AWS_SHARED_CREDENTIALS_FILE``
``AWS_WEB_IDENTITY_TOKEN_FILE``
.. |git_cred| replace:: ``GIT_CREDENTIAL_HELPER`` ``GIT_CREDENTIAL_USEHTTPPATH``
+.. |kas_git_cred_socket| replace:: ``KAS_GIT_CREDENTIAL_SOCKET``
.. |ci_server_vars| replace:: ``CI_SERVER_HOST``
``CI_SERVER_PORT``
``CI_SERVER_PROTOCOL``
diff --git a/docs/userguide/credentials.rst b/docs/userguide/credentials.rst
index e088e5b..0f375be 100644
--- a/docs/userguide/credentials.rst
+++ b/docs/userguide/credentials.rst
@@ -44,6 +44,62 @@ When running in a GitHub Action or GitLab CI job, the ``.gitconfig`` file
+From the host, perform a Git operation that requires authentication, such as
+a ``git pull`` against a password-protected repository:
+
+.. code-block:: bash
+
+ git pull
+
+After entering your credentials once, Git will store them and make them
+available through a background daemon that exposes a Unix socket.
+
+You should see a running process similar to this on your host:
+
+.. code-block:: bash
+
+ /usr/lib/git-core/git credential-cache--daemon $HOME/.cache/git/credential/socket
+
+Now you can launch the kas container passing the socket path via
+``--git-credential-socket``, or equivalently by setting the
+``KAS_GIT_CREDENTIAL_SOCKET`` environment variable:
+
+.. code-block:: bash
+
+ kas-container --git-credential-socket $HOME/.cache/git/credential/socket <other options...>
+
+.. note::
+ The ``git credential-cache`` daemon supports custom socket paths via the
+ ``--socket`` flag. This allows running a separate daemon per repository,
+ enabling credential isolation between projects. To use this, start the
+ daemon explicitly with a custom socket path and pass that path to
+ ``--git-credential-socket``.
+ if [ ! -S "${KAS_GIT_CREDENTIAL_SOCKET}" ]; then
+ fatal_error "passed KAS_GIT_CREDENTIAL_SOCKET '${KAS_GIT_CREDENTIAL_SOCKET}' is not a socket"
+ fi
+ KAS_GIT_CREDENTIAL_HELPER_DEFAULT="cache --socket=/var/kas/userdata/.git-cache-socket"
+ set -- "$@" -v "$(realpath -e "${KAS_GIT_CREDENTIAL_SOCKET}")":/var/kas/userdata/.git-cache-socket
+fi
+
GIT_CREDENTIAL_HELPER="${GIT_CREDENTIAL_HELPER:-${KAS_GIT_CREDENTIAL_HELPER_DEFAULT}}"

if [ -n "${GIT_CREDENTIAL_HELPER}" ] ; then
--
2.34.1
