Conversation

@vaibhavdesai137
What type of PR is this?
/kind feature

What this PR does / why we need it:
Adds flags for --hooks-async and --hooks-before-symlink

Which issue(s) this PR fixes:
Fixes #975

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

--password-file-reload, $GITSYNC_PASSWORD_FILE_RELOAD
            Reload the password from --password-file on each sync cycle.  This
            is useful when using dynamic credentials that are rotated by an
            external system (e.g. Vault's dynamic GitHub secrets engine).
            Without this flag, the password file is read once at startup and
            cached in memory.  With this flag enabled, the file will be re-read
            before each sync attempt, allowing git-sync to pick up token
            rotations.  If not specified, this defaults to false.

/kind feature

@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Jan 30, 2026
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: vaibhavdesai137
Once this PR has been reviewed and has the lgtm label, please assign janetkuo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@linux-foundation-easycla
CLA Not Signed

@k8s-ci-robot
Contributor

Welcome @vaibhavdesai137!

It looks like this is your first PR to kubernetes/git-sync 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/git-sync has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Jan 30, 2026
Member

@thockin thockin left a comment

What I need to make this happy is an e2e test (test_e2e.sh). Use a file in $WORK which we can change (write tmp file, rename).

The test could do something like:

  • Run once with the correct password, verify the result.
  • Change the password file contents to the wrong password
  • Commit a change to the repo
  • Verify the local sync did not change
  • Change the password file back
  • Verify it synced to the new change

Look at function e2e::auth_http_password_file() and function e2e::auth_askpass_url_sometimes_wrong() as examples?

    "the file from which the password or personal access token for git auth will be sourced")
    flPasswordFileReload := pflag.Bool("password-file-reload",
        envBool(false, "GITSYNC_PASSWORD_FILE_RELOAD"),
        "reload the password from --password-file on each sync cycle (useful when password is rotated by an external system like Vault Dynamic Engine)")
Member

let's not name specific products :)

Suggested change:

    "reload the password from --password-file on each sync cycle (useful when password is rotated by an external system like Vault Dynamic Engine)")
    "reload the password from --password-file on each sync cycle, useful when password is rotated by an external system")

    // These should all be mutually-exclusive configs.
    for _, cred := range *flCredentials {
        if err := git.StoreCredentials(ctx, cred.URL, cred.Username, cred.Password); err != nil {
        password := cred.Password
Member

Is there a reason NOT to just re-read the file on every loop?

IOW, why not get rid of the "Finish populating credentials" block above (L752) and reload it here, if cred.PasswordFile is set?

If you set the period to milliseconds it might hurt (but this is the wrong tool for that anyway). On the order of seconds or longer it seems irrelevant and net simpler.

Successfully merging this pull request may close these issues.

Feature request: add --password-file-reload flag to pick up refreshed tokens

3 participants