-
Notifications
You must be signed in to change notification settings - Fork 31
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #163 from the-mama-ai/update-docs
feat(github): add documentation
- Loading branch information
Showing
7 changed files
with
281 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
Shadowing GitHub LFS | ||
==================== | ||
|
||
This guide shows how to use Giftless as the LFS server for an existing GitHub repository (not using GitHub LFS). Thanks to a handful tricks it also acts as a full remote HTTPS-based `git` repository, making this a zero client configuration setup. | ||
|
||
This guide uses `docker compose`, so you need to [install it](https://docs.docker.com/compose/install/). It also relies on you using HTTPS for cloning GitHub repos. The SSH way is not supported. | ||
|
||
### Running docker containers | ||
To run the setup, `git clone https://github.com/datopian/giftless`, step into the `examples/github-lfs` and run `docker compose up`. | ||
|
||
This will run two containers: | ||
- `giftless`: Locally built Giftless server configured to use solely the [GitHub authentication provider](auth-providers.md#github-authenticator) and a local docker compose volume as the storage backend. | ||
- `proxy`: An [Envoy reverse proxy](https://www.envoyproxy.io/) which acts as the frontend listening on a local port 5000, configured to route LFS traffic to `giftless` and pretty much anything else to `[api.]github.com`. **The proxy listens at an unencrypted HTTP**, setting the proxy to provide TLS termination is very much possible, but isn't yet covered (your turn, thanks for the contribution!). | ||
|
||
Feel free to explore the `compose.yaml`, which contains all the details. | ||
|
||
### Cloning a GitHub repository via proxy | ||
The frontend proxy forwards the usual `git` traffic to GitHub, so go there and pick/create some testing repository where you have writable access and clone it via the proxy hostname (just change `github.com` for wherever you host): | ||
```shell | ||
git clone http://localhost:5000/$YOUR_ORG/$YOUR_REPO | ||
``` | ||
When you don't use a credential helper, you might get asked a few times for the same credentials before the call gets through. [Make sure to get one](https://git-scm.com/doc/credential-helpers) before it drives you insane. | ||
|
||
Thanks to the [automatic LFS server discovery](https://github.com/git-lfs/git-lfs/blob/main/docs/api/server-discovery.md) this is all you should need to become LFS-enabled! | ||
|
||
### Pushing binary blobs | ||
Let's try pushing some binary blobs then! See also [Quickstart](quickstart.md#create-a-local-repository-and-push-some-file). | ||
```shell | ||
# create some blob | ||
dd if=/dev/urandom of=blob.bin bs=1M count=1 | ||
# make it tracked by LFS | ||
git lfs track blob.bin | ||
# the LFS tracking is written in .gitattributes, which you also want committed | ||
git add .gitattributes blob.bin | ||
git commit -m 'Hello LFS!' | ||
# push it, assuming the local branch is main | ||
# this might fail for the 1st time, when git automatically runs 'git config lfs.locksverify false' | ||
git push -u origin main | ||
``` | ||
|
||
This should eventually succeed, and you will find the LFS digest in place of the blob on GitHub and the binary blob on your local storage: | ||
```shell | ||
docker compose exec -it giftless find /lfs-storage | ||
/lfs-storage | ||
/lfs-storage/$YOUR_ORG | ||
/lfs-storage/$YOUR_ORG/$YOUR_REPO | ||
/lfs-storage/$YOUR_ORG/$YOUR_REPO/deadbeefb10bb10bad40beaa8c68c4863e8b00b7e929efbc6dcdb547084b01 | ||
``` | ||
|
||
Next time anyone clones the repo (via the proxy), the binary blob will get properly downloaded. Failing to use the proxy hostname will make `git` use GitHub's own LFS, which is a paid service you are obviously trying to avoid. | ||
|
||
### Service teardown | ||
|
||
Finally, to shut down your containers, break (`^C`) the current compose run and clean up dead containers with: | ||
```shell | ||
docker compose down [--volumes] | ||
``` | ||
Using `--volumes` tears down the `lfs-storage` volume too, so make sure it's what you wanted. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
# listening (proxy) port on the host | ||
SERVICE_PORT=5000 | ||
# inner port giftless listens on | ||
GIFTLESS_PORT=5000 | ||
# inner port the reverse proxy listens on | ||
PROXY_PORT=8080 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,162 @@ | ||
name: github-lfs | ||
|
||
volumes: | ||
lfs-storage: {} | ||
|
||
services: | ||
giftless: | ||
image: docker.io/datopian/giftless:latest | ||
volumes: | ||
- lfs-storage:/lfs-storage | ||
environment: | ||
GIFTLESS_DEBUG: "1" | ||
GIFTLESS_CONFIG_STR: | | ||
# use endpoints at /<org>/<repo>.git/info/lfs/ only | ||
LEGACY_ENDPOINTS: false | ||
AUTH_PROVIDERS: | ||
- factory: giftless.auth.github:factory | ||
TRANSFER_ADAPTERS: | ||
basic: | ||
factory: giftless.transfer.basic_streaming:factory | ||
options: | ||
# use the lfs-storage volume as local storage | ||
storage_class: giftless.storage.local_storage:LocalStorage | ||
storage_options: | ||
path: /lfs-storage | ||
# disable the default JWT pre-auth provider, object up/downloads get also authorized via GitHub | ||
PRE_AUTHORIZED_ACTION_PROVIDER: null | ||
command: "--http=0.0.0.0:$GIFTLESS_PORT -M -T --threads 2 -p 2 --manage-script-name --callable app" | ||
pull_policy: never # prefer local build | ||
build: | ||
cache_from: | ||
- docker.io/datopian/giftless:latest | ||
context: ../.. | ||
|
||
proxy: | ||
image: docker.io/envoyproxy/envoy:v1.30-latest | ||
configs: | ||
- source: envoy | ||
target: /etc/envoy/envoy.yaml | ||
command: "/usr/local/bin/envoy -c /etc/envoy/envoy.yaml" | ||
ports: | ||
- "$SERVICE_PORT:$PROXY_PORT" | ||
depends_on: | ||
giftless: | ||
condition: service_started | ||
|
||
configs: | ||
envoy: | ||
content: | | ||
static_resources: | ||
listeners: | ||
- address: | ||
socket_address: | ||
address: 0.0.0.0 | ||
port_value: $PROXY_PORT # proxy port | ||
filter_chains: | ||
- filters: | ||
- name: envoy.filters.network.http_connection_manager | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager | ||
stat_prefix: ingress_http | ||
http_filters: | ||
- name: envoy.filters.http.router | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router | ||
suppress_envoy_headers: true | ||
access_log: | ||
- name: envoy.access_loggers.file | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog | ||
path: /dev/stdout | ||
generate_request_id: false | ||
preserve_external_request_id: true | ||
route_config: | ||
name: ingress_route | ||
virtual_hosts: | ||
- name: giftless | ||
domains: | ||
- "*" | ||
routes: | ||
- name: giftless | ||
# Only this goes to the giftless service | ||
match: | ||
safe_regex: | ||
regex: (?:/[^/]+){2,}\.git/info/lfs(?:/.*|$) | ||
route: | ||
timeout: 0s # don't break long-running downloads | ||
cluster: giftless | ||
- name: api_github_com | ||
# Routing 3rd party tools assuming this is a GitHub Enterprise URL /api/v#/X to public api.github.com/X | ||
match: | ||
safe_regex: &api_regex | ||
regex: /api/v\d(?:/(.*)|$) | ||
route: | ||
regex_rewrite: | ||
pattern: *api_regex | ||
substitution: /\1 | ||
host_rewrite_literal: api.github.com | ||
timeout: 3600s | ||
cluster: api_github_com | ||
request_headers_to_remove: | ||
- x-forwarded-proto | ||
- name: github_com | ||
# Anything else is forwarded directly to GitHub | ||
match: | ||
prefix: "/" | ||
route: | ||
host_rewrite_literal: github.com | ||
timeout: 3600s | ||
cluster: github_com | ||
request_headers_to_remove: | ||
- x-forwarded-proto | ||
clusters: | ||
- name: giftless | ||
connect_timeout: 0.25s | ||
type: strict_dns | ||
lb_policy: round_robin | ||
load_assignment: | ||
cluster_name: giftless | ||
endpoints: | ||
- lb_endpoints: | ||
- endpoint: | ||
address: | ||
socket_address: | ||
address: giftless # inner giftless hostname | ||
port_value: $GIFTLESS_PORT # local giftless port | ||
- name: api_github_com | ||
type: logical_dns | ||
# Comment out the following line to test on v6 networks | ||
dns_lookup_family: v4_only | ||
load_assignment: | ||
cluster_name: api_github_com | ||
endpoints: | ||
- lb_endpoints: | ||
- endpoint: | ||
address: | ||
socket_address: | ||
address: api.github.com | ||
port_value: 443 | ||
transport_socket: | ||
name: envoy.transport_sockets.tls | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext | ||
sni: api.github.com | ||
- name: github_com | ||
type: logical_dns | ||
# Comment out the following line to test on v6 networks | ||
dns_lookup_family: v4_only | ||
load_assignment: | ||
cluster_name: github_com | ||
endpoints: | ||
- lb_endpoints: | ||
- endpoint: | ||
address: | ||
socket_address: | ||
address: github.com | ||
port_value: 443 | ||
transport_socket: | ||
name: envoy.transport_sockets.tls | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext | ||
sni: github.com |