Helm chart: Git-sync v4 incorrect mix of branch, ref, rev

[yehoshuadimarsky]

Official Helm Chart version

1.15.0 (latest released)

Apache Airflow version

2.5.3

Kubernetes Version

1.30.4-gke.1348000

Helm Chart configuration

dags:
  gitSync:
    branch: main
    rev: HEAD
    ref: v1.2.3
    repo: git@github.com:<ORG>/<REPO>.git
    depth: 1
    enabled: true
    sshKeySecret: <my-key>
    subPath: src/<MY>/<PATH>
    knownHosts: |
      github.com ssh-rsa <KEY>

Docker Image customizations

No response

What happened

I pushed code to the main branch, and this was picked up by the gitSync sidecar and it updated the Airflow Dags to use the new code

What you think should happen instead

It should not have updated the code, because the ref is "frozen" to version v1.2.3. This is a production environment, and that's the whole reason I froze it by pointing it at a Git tag - so that pushing new code won't automatically deploy until it is reviewed/tagged/released.

How to reproduce

1. Have your git repo have a branch named main, and a tag named v1.2.3 that points to main.
2. Set this in your values.yaml

images:
 gitSync:
   repository: registry.k8s.io/git-sync/git-sync
   tag: v4.1.0
dags:
 gitSync:
   branch: main
   rev: HEAD
   ref: v1.2.3
   repo: git@github.com:<ORG>/<REPO>.git
   enabled: true

3. Deploy this
4. Make a new commit to the main branch, and push it
5. You will see that the gitSync container updates the code with the new commit, even though it is supposed to be "frozen" to v1.2.3

Anything else

I dug into this, and it's caused by incorrectly mapping 3 parameters to the gitSync container. The latest Helm chart (v1.15) by default uses this image

airflow/chart/values.yaml

Lines 124 to 127 in ff7463b

	gitSync:
	repository: registry.k8s.io/git-sync/git-sync
	tag: v4.1.0
	pullPolicy: IfNotPresent

which I believe is from this source code here https://github.com/kubernetes/git-sync/tree/v4.1.0.

The 3 incorrect params are:

• branch
• rev
• ref

In v4.x of gitSync, the params branch and rev are deprecated, and only ref should be used. But if any of the deprecated params are specified, they override ref, which was the root cause of my issue.

These are explicitly marked as deprecated (from v3 to v4) in the migration guide here, and inspecting the source code you can see they are:

• https://github.com/kubernetes/git-sync/blob/97c0d585a83057184821549b30945f2105cc8966/main.go#L306-L309
• https://github.com/kubernetes/git-sync/blob/97c0d585a83057184821549b30945f2105cc8966/main.go#L327-L329
• https://github.com/kubernetes/git-sync/blob/97c0d585a83057184821549b30945f2105cc8966/main.go#L421-L432

I fixed it using a hack, by setting branch and rev to empty strings, but this is not ideal.

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[potiuk]

Nice. Feel free to make PR to fix it

[cjj1120]

Faced the same issue. In my case I declared the branch under ref and branch as workaround:

# Git sync 4.X
dags:
  mountPath: /opt/airflow/xxx/xxx
  persistence:
    enabled: false
  gitSync:
    enabled: true
    subPath: dags
    repo: "https://github.com/xxx.git"
    ref: dev # The newer Git sync versions use --ref instead of --branch
    branch: dev
    maxFailures: 2
    credentialsSecret: airflow-xxx
    period: 15s
    wait: 15
    envFrom: ~
    containerName: git-sync
    uid: 65533
    extraVolumeMounts: []
    env:
      # - name: GITSYNC_VERBOSE
      #   value: "9" # TEST (DEBUGGING MODE)
      - name: GITSYNC_TIMEOUT
        value: "30"
    resources:
      requests:
        cpu: 100m
        memory: 256Mi
      limits:
        cpu: 200m
        memory: 256Mi