githubappsecret

package module

v0.0.3 Latest Latest Go to latest Published: Mar 7, 2024 License: Apache-2.0 Imports: 7 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/kingdon-ci/github-app-secret

Links

Open Source Insights

README ¶

github-app-secret

Generate Github app auth token and write it into a Kubernetes Secret and refresh it periodically.

The application ./cmd/github-app-secret takes Github app private key, app ID, installation ID and a secret name, and generates an auth token and writes it to a Kubernetes Secret with the given secret name. This can be used by any application that needs Github app based authentication.

Instructions

⚠️ WARNING: Please make sure that the system time where this program runs is up-to-date. The token generation requests contain expiry time. If the expiry time used in the request is in the past, token generation would fail with 401 Unauthorized error.

Create a new Github app with the appropriate permissions, generate a private key for the app and install the app in the target repositories. Refer the official docs for detailed instructions.

The app ID can be obtained from the app settings page at https://github.com/settings/apps/<app-name>.

The installation ID can be obtained from https://github.com/settings/installations page. On clicking an installed app, the URL will contain the installation ID https://github.com/settings/installations/<installation-id>. For organizations, the first part of the URL may be different, but it follows the same pattern.

Put the private key in a Kubernetes Secret with

$ kubectl create secret generic github-app-private-key --from-file=privatekey.pem=/path-to-private-key.pem

This secret will be mounted as a volume and used by github-app-secret.

github-app-secret is run as a Kubernetes CronJob. Modify the manifests from ./deploy directory, adding the parameters collected above as argument to the github-app-secret container. For example:

    ...
    containers:
        - name: github-app-secret
          args:
            - "-v=3"
            - --privateKeyPath=/etc/secret-volume/privatekey.pem
            - --appID=<app-id>
            - --installationID=<installation-id>
            - --secretName=<secret-name>
    ...

Update the CronJob schedule depending on the needs, ensuring that the token gets refreshed before expiry.

Make sure that the manifests in ./deploy/rbac.yaml, which provide github-app-secret the necessary permissions it needs to create and update the Secret, are applied along with the CronJob manifest.

For cloning git repositories, the secret of type git can be used. This is the default type of Secret. It creates secret data with username field x-access-token as required by Github for http based clone.

For just the auth token, the secret of type plain can be used. This can be configured in github-app-secret by using --secretType flag.

For Github Enterprise, the Github API URL can be configured with --apiURL flag.

Build

Since this is a very basic golang application, ko can be used to build a container image for it.

Install ko and run make ko-build to build a container image for it. This will build the image and load it in the local container image store.

In order to build and publish to a remote repository, run KO_DOCKER_REPO=<container-repo-address> make ko-publish. Refer https://ko.build/get-started/#choose-destination for more examples.

Documentation ¶

Index ¶

Constants
type AppSecret
- func NewAppSecret(kclient client.Client, log logr.Logger, apiURL, privateKey string, ...) *AppSecret

Constants ¶

View Source

const (
	SecretGit   string = "git"
	SecretPlain string = "plain"

	AccessTokenUsername = "x-access-token"
)

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type AppSecret ¶

type AppSecret struct {
	client.Client
	// contains filtered or unexported fields
}

AppSecret helps generates Github app auth token and save it in a Kubernetes Secret.

func NewAppSecret ¶

func NewAppSecret(kclient client.Client, log logr.Logger, apiURL, privateKey string, appID, installationID int64) *AppSecret

NewAppSecret constructs and returns a new AppSecret instance.

func (*AppSecret) CreateOrUpdateSecret ¶

func (as *AppSecret) CreateOrUpdateSecret(ctx context.Context, namespacedName client.ObjectKey, secretType, token string) error

CreateOrUpdateSecret creates a new secret or updates an existing secret with the new secret data.

func (*AppSecret) GenerateAndCreate ¶

func (as *AppSecret) GenerateAndCreate(ctx context.Context, namespacedName client.ObjectKey, secretType string) error

GenerateAndCreate generates an auth token and creates a secret to store the token in Kubernetes based on the configured parameters.

func (*AppSecret) GenerateToken ¶

func (as *AppSecret) GenerateToken(ctx context.Context) (string, error)

GenerateToken generates an auth token based on the configured parameters.

Source Files ¶

View all Source files

appsecret.go

Directories ¶

Path	Synopsis
cmd
github-app-secret

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL