Fleet uses different git implementations depending on the operation:
- `internal/cmd/cli/apply/` (resolve current commit SHA): shell out to `git rev-parse HEAD`
- `internal/cmd/cli/gitcloner/` (gitjob clone): go-git
- `internal/bundlereader/` (Helm chart from `helm.chart: git::https://…`): go-getter, which shells out to the `git` binary for SSH
- `pkg/git/` (ref listing, liveness): go-git
The shell-out paths have several problems. go-getter uses GIT_SSH_COMMAND for SSH clones (global process state requiring a mutex), replaces the system cert pool with any custom CA bundle (breaking connections to public CAs), does not enforce SSH known-host verification, and does not propagate InsecureSkipVerify from the GitRepo spec. The github.com/hashicorp/go-getter dependency also generates false-positive CVE reports in ArtifactHub. The git rev-parse shell-out in apply/ is a minor leftover with a TODO to migrate.
All git operations should use go-git directly so the same auth settings (CA bundle, credentials, known-hosts, InsecureSkipVerify) apply across all code paths.
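As an added example (not Fleet's own code), the CA-bundle and InsecureSkipVerify handling that one shared go-git HTTP transport could build from a GitRepo spec, using only Go's standard library: the bundle is appended to the system roots rather than replacing them, and the spec flag is carried through. `tlsConfigFor`, `trustedBy` and `selfSignedCA` are hypothetical names; handing the returned `*tls.Config` to go-git via an `http.Transport` is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// tlsConfigFor builds the TLS settings one go-git HTTP transport would share across
// all of Fleet's git code paths. The custom CA bundle is appended to the system
// roots instead of replacing them (so public CAs keep working), and the GitRepo
// spec's InsecureSkipVerify value is carried through rather than dropped.
func tlsConfigFor(caBundlePEM []byte, insecureSkipVerify bool) (*tls.Config, error) {
	pool, err := x509.SystemCertPool()
	if err != nil {
		return nil, err
	}
	if len(caBundlePEM) > 0 && !pool.AppendCertsFromPEM(caBundlePEM) {
		return nil, errors.New("caBundle contains no valid PEM certificates")
	}
	return &tls.Config{RootCAs: pool, InsecureSkipVerify: insecureSkipVerify, MinVersion: tls.VersionTLS12}, nil
}

// trustedBy reports whether cert chains to a root in cfg.RootCAs, which is the
// check a git fetch over HTTPS performs on the server certificate.
func trustedBy(cfg *tls.Config, cert *x509.Certificate) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: cfg.RootCAs})
	return err == nil
}

// selfSignedCA creates a throwaway CA (constructed test data, not a real Fleet CA)
// and returns it parsed and PEM-encoded, the form a caBundle secret would hold.
func selfSignedCA() (*x509.Certificate, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-private-git-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```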
After consolidating the git implementation in Fleet it should be possible to remove at least the git package from the Fleet Docker image.