argocd-vault-plugin
[Feature] - Use GitHub App as backend configuration
Hello, I've checked the backends available for the argocd secrets: https://argocd-vault-plugin.readthedocs.io/en/stable/backends/
Currently we are using aws as the secret provider, but would like to be able to use some kind of interaction with github to interact with the secrets saved (that can be used with github actions).
There is the possibility to use a user and a token to interact with github, but the issue is that this user has API limits: https://docs.github.com/en/developers/apps/building-github-apps/rate-limits-for-github-apps#server-to-server-requests In sum, 5000 requests per user and 12500 per app.
The difference here is that in multiple organisations each app installation will have the 12500 calls per organisation and not 5000 calls for 1 user.
This would allow a great escalation from teams separated by organisations. Each app needs to authenticate with a token with the created private key (this key is the same to authenticate in every org): https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-a-github-app After that we can interact with the API successfully and get the installation id of a certain org for example: https://docs.github.com/en/rest/reference/apps#get-a-repository-installation-for-the-authenticated-app
A proposal for the needed variables to support a github app would be:
GH_API_URL= (to support github.com and a github enterprise instance)
GH_APP_ID= unique identifier for the app (the same for all organisations)
GH_APP_TOKEN= ssh key generated for the app
The usage of the secret could be:
<path:GITHUB-ORG#secret-name>
Feel free to ask any more questions if you need more clarification and thanks for the help!
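As an added illustration of the flow the links above describe (this is not code from the issue author and not part of argocd-vault-plugin), here is the GitHub App authentication exchange in Go, the plugin's own language: the app signs a short-lived RS256 JWT with its private key, looks up its installation for an organisation with that JWT, and exchanges the installation id for an installation access token. The endpoint paths are GitHub's documented ones (GET /orgs/{org}/installation is the organisation variant of the repository lookup linked above; POST /app/installations/{id}/access_tokens mints the installation token). The app id 12345, the installation id 777, the org name example-org, the token value and the fake GitHub server are all constructed for the example; a real deployment would load the PEM private key GitHub generated and point at api.github.com or a GitHub Enterprise /api/v3 base. Only the standard library is used so that the JWT construction stays visible.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// newAppKey makes a throwaway RSA key standing in for the app's private key (the proposal's GH_APP_TOKEN).
func newAppKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

// appJWT builds the RS256 JWT the app authenticates with: iss is GH_APP_ID, iat is
// backdated a minute for clock skew, exp stays under GitHub's 10-minute ceiling.
func appJWT(appID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	enc := base64.RawURLEncoding.EncodeToString // unpadded base64url, as RFC 7515 requires
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]any{"iss": appID, "iat": now.Add(-time.Minute).Unix(), "exp": now.Add(9 * time.Minute).Unix()})
	input := enc(hdr) + "." + enc(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]) // RS256 = PKCS#1 v1.5 over SHA-256
	if err != nil {
		return "", err
	}
	return input + "." + enc(sig), nil
}

// verifyAppJWT is the server-side check: signature against the app's public key first,
// then expiry. It returns iss so the caller can match it to the expected app id.
func verifyAppJWT(token string, pub *rsa.PublicKey, now time.Time) (string, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return "", fmt.Errorf("malformed JWT")
	}
	sig, _ := base64.RawURLEncoding.DecodeString(p[2]) // a bad encoding just fails verification
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("bad signature: %w", err)
	}
	var claims struct{ Iss string `json:"iss"`; Exp int64 `json:"exp"` } // only the claims checked here
	raw, _ := base64.RawURLEncoding.DecodeString(p[1])
	if err := json.Unmarshal(raw, &claims); err != nil || now.Unix() >= claims.Exp {
		return "", fmt.Errorf("claims unreadable or JWT expired")
	}
	return claims.Iss, nil
}

// installationToken is the exchange the issue describes: look up the app's installation
// in an org with the app JWT, then mint a short-lived installation token for it.
func installationToken(c *http.Client, apiURL, org, jwt string) (string, error) {
	call := func(method, path string, out any) error {
		req, _ := http.NewRequest(method, apiURL+path, nil) // apiURL is the proposal's GH_API_URL
		req.Header.Set("Authorization", "Bearer "+jwt)
		req.Header.Set("Accept", "application/vnd.github+json")
		resp, err := c.Do(req)
		if err != nil {
			return err
		}
		defer resp.Body.Close()
		if resp.StatusCode/100 != 2 {
			return fmt.Errorf("%s %s: %s", method, path, resp.Status)
		}
		return json.NewDecoder(resp.Body).Decode(out)
	}
	var inst struct{ ID int64 `json:"id"` }
	if err := call(http.MethodGet, "/orgs/"+org+"/installation", &inst); err != nil {
		return "", err
	}
	var tok struct{ Token string `json:"token"` }
	err := call(http.MethodPost, fmt.Sprintf("/app/installations/%d/access_tokens", inst.ID), &tok)
	return tok.Token, err
}

// fakeGitHub is a constructed stand-in for those two endpoints; it verifies the app JWT
// as GitHub would, so the whole exchange can be exercised offline.
func fakeGitHub(pub *rsa.PublicKey, appID string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		bearer := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if iss, err := verifyAppJWT(bearer, pub, time.Now()); err != nil || iss != appID {
			http.Error(w, `{"message":"Bad credentials"}`, http.StatusUnauthorized)
		} else if r.Method == http.MethodGet && strings.HasPrefix(r.URL.Path, "/orgs/") {
			fmt.Fprint(w, `{"id": 777}`) // constructed installation id
		} else if r.Method == http.MethodPost && r.URL.Path == "/app/installations/777/access_tokens" {
			w.WriteHeader(http.StatusCreated)
			fmt.Fprint(w, `{"token": "ghs_constructed_token", "expires_at": "2030-01-01T00:00:00Z"}`)
		} else {
			http.NotFound(w, r)
		}
	})
}
```

The private key never leaves the process: GitHub only ever sees signatures, and the JWT itself is valid for minutes. The installation token that comes back is the credential a backend would actually use to read secrets, and it is the one that carries the per-installation rate limit the issue is after, so a backend would cache it per organisation until its expires_at rather than minting one per lookup.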
@ricardojdsilva87 That is an interesting use case. We encourage contributions, so if you are interested in contributing this backend we would greatly appreciate it; otherwise we will add it to our backlog and try to get to it when we can. Thanks!
I would appreciate it if this could be pushed to the backlog. We have the authentication integrated using python, I would not be able to write this in go... The links provided are basically the method of authentication for the github app, if you need any more examples of how everything connects please let me know. Thanks for the help!