
Support authenticating with GitHub App

Open joebowbeer opened this issue 4 years ago • 10 comments

GitHub App authentication was recently added to Argo CD, and is arguably "best-practice" and better than a PAT.

https://docs.github.com/en/developers/apps/authenticating-with-github-apps

Assuming that argocd-autopilot is intended to be an easy onramp to a best-practice configuration, it should support GitHub App authentication.

joebowbeer, May 06 '21 08:05

GitHub App is currently not working on the release-2.0 branch (a fix was merged to master yesterday). Once it finds its way to the latest release, we can work on switching over to using it from the server.

I also recommend letting the cli's go-git dependency automatically use the ssh keys if the user supplied an ssh cloneUrl (like git@github.com:argoproj-labs/argocd-autopilot.git), and supporting https cloneUrls by requiring the user to manually supply the password/token in the url (like https://anything:<git_token>@github.com/argoproj-labs/argocd-autopilot.git).

This will separate the credentials the cli is using to clone/commit/push information from/to the repo, and the credentials used by the server to sync the changes to the cluster.

noam-codefresh, May 12 '21 08:05

Thanks Noam. I created the PR that was merged yesterday. How will this fix find its way to release-2.0? Should I be participating in that?

joebowbeer, May 12 '21 15:05

I am not sure. I don't know how argo-cd decides which PRs to pick into the current 2.X release. But it seems like a big regression, so I hope it will find its way to the next patch.

noam-codefresh, May 13 '21 06:05

@noam-codefresh The fixes were cp'd to release-2.0 and are included in 2.0.2

joebowbeer, May 15 '21 19:05

Great news, thanks for your fix in argo-cd and for the input over here.

noam-codefresh, May 16 '21 05:05

> Once it finds its way to the latest release, we can work on switching over to using it from the server.

Update: autopilot manifests install argocd 2.0.3, which supports GitHub App authentication.

joebowbeer, Jun 25 '21 19:06

It could just be toggled support if the ref is 2.0.3 or greater.

if ref >= 2.0.3 do else "not supported".

Ideally the cli would accept a param to indicate bootstrapping as a github app.

For example:

argocd-autopilot repo bootstrap --repo https://github.com/example/repo --app https://github.com/argoproj/argo-cd/manifests/ha/cluster-install\?ref\=v2.1.2 --github-app

Or

argocd-autopilot repo bootstrap --repo https://github.com/example/repo --dry-run -t qwqeq3erwefwe --app https://github.com/argoproj/argo-cd/manifests/ha/cluster-install\?ref\=v2.1.2 --provider githubApp

I've done some init dev on this before I was aware of this project. A GitHub App can manage the webhooks, the OAuth, and the repo access as well. The manifest flow for creating an app would be a great option for bootstrapping, as it's not intuitive from the current docs.

When using the manifest flow it's quite easy to send the user to a pre-filled app (via manifest url), with permissions, url etc. Then the return data with the 'code' has all the information to generate a repo-creds secret, dex secret and client, and the webhook url: POST /app-manifests/{code}/conversions. The API is documented here: https://docs.github.com/en/rest/reference/apps#create-a-github-app-from-a-manifest

# manifest yml
name: Org-ArgoCD
url: https://argocd.example.com/
description: ArgoCD Github App Installer
public: false
redirect_url: http://localhost:5000/
# Oauth Call back URL
callback_urls:
  - https://argocd.example.com/api/dex/callback
# The set of permissions needed by the GitHub App. The format of the object uses
# the permission name for the key (for example, issues) and the access type for
# the value (for example, write).
# Valid values are `read`, `write`, and `none`
default_permissions:
  contents: read
  metadata: read
  members: read
  emails: read
# events
default_events:
  - push
# hooks for repos push events
hook_attributes:
  url: https://argocd.example.com/api/webhook
  active: true


# example manifest flow response used to generate the cm, secrets, repo-creds template

{
  "id": 1,
  "slug": "octoapp",
  "node_id": "MDxOkludGVncmF0aW9uMQ==",
  "owner": {
    "login": "github",
    "id": 1,
    "node_id": "MDEyOk9yZ2FuaXphdGlvbjE=",
    "url": "https://api.github.com/orgs/github",
    "repos_url": "https://api.github.com/orgs/github/repos",
    "events_url": "https://api.github.com/orgs/github/events",
    "avatar_url": "https://github.com/images/error/octocat_happy.gif",
    "gravatar_id": "",
    "html_url": "https://github.com/octocat",
    "followers_url": "https://api.github.com/users/octocat/followers",
    "following_url": "https://api.github.com/users/octocat/following{/other_user}",
    "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
    "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
    "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
    "organizations_url": "https://api.github.com/users/octocat/orgs",
    "received_events_url": "https://api.github.com/users/octocat/received_events",
    "type": "User",
    "site_admin": true
  },
  "name": "Octocat App",
  "description": "",
  "external_url": "https://example.com",
  "html_url": "https://github.com/apps/octoapp",
  "created_at": "2017-07-08T16:18:44-04:00",
  "updated_at": "2017-07-08T16:18:44-04:00",
  "permissions": {
    "metadata": "read",
    "contents": "read",
    "issues": "write",
    "single_file": "write"
  },
  "events": [
    "push",
    "pull_request"
  ],
  "client_id": "Iv1.8a61f9b3a7aba766",
  "client_secret": "1726be1638095a19edd134c77bde3aa2ece1e5d8",
  "webhook_secret": "e340154128314309424b7c8e90325147d99fdafa",
  "pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAuEPzOUE+kiEH1WLiMeBytTEF856j0hOVcSUSUkZxKvqczkWM\n9vo1gDyC7ZXhdH9fKh32aapba3RSsp4ke+giSmYTk2mGR538ShSDxh0OgpJmjiKP\nX0Bj4j5sFqfXuCtl9SkH4iueivv4R53ktqM+n6hk98l6hRwC39GVIblAh2lEM4L/\n6WvYwuQXPMM5OG2Ryh2tDZ1WS5RKfgq+9ksNJ5Q9UtqtqHkO+E63N5OK9sbzpUUm\noNaOl3udTlZD3A8iqwMPVxH4SxgATBPAc+bmjk6BMJ0qIzDcVGTrqrzUiywCTLma\nszdk8GjzXtPDmuBgNn+o6s02qVGpyydgEuqmTQIDAQABAoIBACL6AvkjQVVLn8kJ\ndBYznJJ4M8ECo+YEgaFwgAHODT0zRQCCgzd+Vxl4YwHmKV2Lr+y2s0drZt8GvYva\nKOK8NYYZyi15IlwFyRXmvvykF1UBpSXluYFDH7KaVroWMgRreHcIys5LqVSIb6Bo\ngDmK0yBLPp8qR29s2b7ScZRtLaqGJiX+j55rNzrZwxHkxFHyG9OG+u9IsBElcKCP\nkYCVE8ZdYexfnKOZbgn2kZB9qu0T/Mdvki8yk3I2bI6xYO24oQmhnT36qnqWoCBX\nNuCNsBQgpYZeZET8mEAUmo9d+ABmIHIvSs005agK8xRaP4+6jYgy6WwoejJRF5yd\nNBuF7aECgYEA50nZ4FiZYV0vcJDxFYeY3kYOvVuKn8OyW+2rg7JIQTremIjv8FkE\nZnwuF9ZRxgqLxUIfKKfzp/5l5LrycNoj2YKfHKnRejxRWXqG+ZETfxxlmlRns0QG\nJ4+BYL0CoanDSeA4fuyn4Bv7cy/03TDhfg/Uq0Aeg+hhcPE/vx3ebPsCgYEAy/Pv\neDLssOSdeyIxf0Brtocg6aPXIVaLdus+bXmLg77rJIFytAZmTTW8SkkSczWtucI3\nFI1I6sei/8FdPzAl62/JDdlf7Wd9K7JIotY4TzT7Tm7QU7xpfLLYIP1bOFjN81rk\n77oOD4LsXcosB/U6s1blPJMZ6AlO2EKs10UuR1cCgYBipzuJ2ADEaOz9RLWwi0AH\nPza2Sj+c2epQD9ZivD7Zo/Sid3ZwvGeGF13JyR7kLEdmAkgsHUdu1rI7mAolXMaB\n1pdrsHureeLxGbRM6za3tzMXWv1Il7FQWoPC8ZwXvMOR1VQDv4nzq7vbbA8z8c+c\n57+8tALQHOTDOgQIzwK61QKBgERGVc0EJy4Uag+VY8J4m1ZQKBluqo7TfP6DQ7O8\nM5MX73maB/7yAX8pVO39RjrhJlYACRZNMbK+v/ckEQYdJSSKmGCVe0JrGYDuPtic\nI9+IGfSorf7KHPoMmMN6bPYQ7Gjh7a++tgRFTMEc8956Hnt4xGahy9NcglNtBpVN\n6G8jAoGBAMCh028pdzJa/xeBHLLaVB2sc0Fe7993WlsPmnVE779dAz7qMscOtXJK\nfgtriltLSSD6rTA9hUAsL/X62rY0wdXuNdijjBb/qvrx7CAV6i37NK1CjABNjsfG\nZM372Ac6zc1EqSrid2IjET1YqyIW2KGLI1R2xbQc98UGlt48OdWu\n-----END RSA PRIVATE KEY-----\n"
}

Then we generate yaml or create a simple kustomize base with the patches using the values from the response. Examples:

# argocd-cm
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  # dex connectors are configured under data.dex.config as a YAML string
  dex.config: |
    connectors:
      # GitHub
      - type: github
        id: github
        name: GitHub
        config:
          clientID: XXXXXXXXXX
          # resolved from the argocd-secret key of the same name
          clientSecret: $dex.github.clientSecret
          orgs:
            - name: MyOrg
---
# argocd-secret
apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
  labels:
    app.kubernetes.io/name: argocd-secret
    app.kubernetes.io/part-of: argocd
# values under data must be base64-encoded
data:
  ...
  dex.github.clientSecret: XXXXXXXX
---
# repo-creds template
apiVersion: v1
kind: Secret
metadata:
  name: myOrg-github-repo-creds
  labels:
    argocd.argoproj.io/secret-type: repo-creds
    app.kubernetes.io/part-of: argocd
stringData:
  url: https://github.com/myOrg
  githubAppID: "XXXXXX"
  githubAppInstallationID: "YYYYY"
  githubAppPrivateKey: |
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----

Thoughts?

The only issue I foresee is the redirect url. It could be hacky and launch a simple http handler to accept the payload on localhost. Alternatively, we could simplify this whole process by doing the manifest flow and then just using a cli read-input to manually enter the information from the GitHub App UI, i.e. the pem.

pmcjury, Oct 02 '21 02:10
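The step from the manifest-conversion response to the Argo CD secrets, as an added example in Go (not code from argocd-autopilot or from the comment above). It assumes a constructed sample response with a placeholder key, and takes the installation ID as a separate input because the conversion response does not contain it; that value only exists once the app has been installed on the organization.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of the "create a GitHub App from a manifest" response that the
// Argo CD secrets need; JSON field names follow the GitHub API response.
type ManifestApp struct {
	ID            int64  `json:"id"`
	Slug          string `json:"slug"`
	ClientSecret  string `json:"client_secret"`
	WebhookSecret string `json:"webhook_secret"`
	PEM           string `json:"pem"`
}

// Constructed sample response; the key material is a placeholder, not a real key.
const sampleResponse = `{"id": 1, "slug": "octoapp", "client_secret": "cs-example",
 "webhook_secret": "wh-example",
 "pem": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"}`

// ParseManifestResponse decodes the response and rejects one that lacks the
// values the generated secrets depend on.
func ParseManifestResponse(body []byte) (*ManifestApp, error) {
	var app ManifestApp
	if err := json.Unmarshal(body, &app); err != nil {
		return nil, err
	}
	if app.ID == 0 || app.PEM == "" || app.ClientSecret == "" {
		return nil, fmt.Errorf("manifest response missing id, pem or client_secret")
	}
	return &app, nil
}

// RepoCredsSecret renders the repo-creds Secret. installationID is not in the
// manifest response: it is only known after the app is installed on the org.
func RepoCredsSecret(app *ManifestApp, orgURL string, installationID int64) string {
	key := strings.ReplaceAll(strings.TrimSpace(app.PEM), "\n", "\n    ") // re-indent for the block scalar
	return fmt.Sprintf("apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s-repo-creds\n"+
		"  labels:\n    argocd.argoproj.io/secret-type: repo-creds\nstringData:\n"+
		"  url: %s\n  githubAppID: \"%d\"\n  githubAppInstallationID: \"%d\"\n"+
		"  githubAppPrivateKey: |\n    %s\n", app.Slug, orgURL, app.ID, installationID, key)
}

// ArgoCDSecretData returns the base64 entries for argocd-secret: the dex
// connector's $dex.github.clientSecret and the push webhook's shared secret.
func ArgoCDSecretData(app *ManifestApp) map[string]string {
	return map[string]string{
		"dex.github.clientSecret": base64.StdEncoding.EncodeToString([]byte(app.ClientSecret)),
		"webhook.github.secret":   base64.StdEncoding.EncodeToString([]byte(app.WebhookSecret)),
	}
}
```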

Hi, just wondered if there was ever any traction on this? I'm new to argocd in general but have been trying to use a GitHub application instead of a user account and PAT token, so stumbled on this.

Cheers

Andy

iamandymcinnes, Mar 09 '23 12:03

If we're interested in using Autopilot with a GitHub app, my understanding here is that Autopilot won't get me set up doing that. However, can I start with an Autopilot-created setup using a PAT and then transition over to a GitHub app once it's running?

glasser, Oct 04 '23 20:10