
BitOps Plugin support for private repos

Open ConnorGraham opened this issue 4 years ago • 5 comments

Need to implement a pattern in plugin.config.yml to support private plugin repos. For example:

plugins:
- name: pluginA
  repo: https://github.com/myorg/pluginA.git
  auth:
    # type http or ssh detected by repo prefix
    user:
      type: string
      value: myusername
    password:
      type: string
      value: mytoken
- name: pluginB
  repo: https://github.com/myorg/pluginB.git
  auth:
    user:
      type: env
      value: $GIT_USER # defines which env var to get this value from
    password:
      type: env
      value: $GIT_PASSWORD # defines which env var to get this value from
- name: pluginC
  repo: git@github.com:myorg/pluginC.git
  auth:
    sshkey:
      type: string
      value: |
        -----BEGIN RSA PRIVATE KEY-----
        ...
        -----END RSA PRIVATE KEY-----
- name: pluginD
  repo: git@github.com:myorg/pluginD.git
  auth:
    sshkey:
      type: env
      value: $GIT_SSHKEY # defines which env var to get this value from
- name: pluginE
  repo: git@github.com:myorg/pluginD.git
  auth:
    sshkey:
      type: path
      value: /path/to/mounted/sshkey

ConnorGraham avatar Feb 01 '21 16:02 ConnorGraham

thanks!

mickmcgrath13 avatar Feb 02 '21 13:02 mickmcgrath13

We will need to set git credentials at the bitops docker env level, just like how we set authN for other providers (like aws). So to solve this, we will need to create a github plugin and use that to set the credentials at the session level.

shyamrayaprolu avatar Jul 18 '22 18:07 shyamrayaprolu

A private GitHub repository could already be cloned via https://username:[email protected]/username/repo_name.git

For git cloning with SSH key, the user can mount his SSH key to the BitOps container and specify it in the SSH config ~/.ssh/config:

Host github.com
  IdentityFile ~/.ssh/github_rsa

At a minimum, both cases should be verified and documented. That could be an intermediate, but sufficient, solution in the meantime.

arm4b avatar Aug 29 '22 18:08 arm4b

Going with a simple documentation case first might be a good intermediate state.

If we want to go deeper, from the proposals above, providing ENV or path for the SSH key to abstract the config creation might be a good option in the future:

- name: pluginD
  repo: git@github.com:myorg/pluginD.git
  auth:
    sshkey:
      type: env
      value: $GIT_SSHKEY # defines which env var to get this value from
- name: pluginE
  repo: git@github.com:myorg/pluginD.git
  auth:
    sshkey:
      type: path
      value: /path/to/mounted/sshkey

We probably don't want to enter the entire security story yet, where the credentials are supported by the bitops config schema natively, considering the current security state (like #208) and then thinking how to recommend protecting those credentials to the users. So we won't create more problems than we solve.

arm4b avatar Aug 29 '22 18:08 arm4b
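
An added example, not part of the thread or of BitOps code: one way the `string`, `env` and `path` credential sources proposed above could be resolved, with the key-file permission check and error messages that never contain the secret. The names `resolve_secret`, `detect_transport` and `CredentialError` are hypothetical, and the `type`/`value` schema is only the proposal from this issue.

```python
import os
import stat

# Hypothetical helper names; the type/value schema is the one proposed in the
# thread and is not implemented in BitOps.

class CredentialError(Exception):
    """Error whose message names the source of a secret, never its value."""

def detect_transport(repo):
    """Return 'http' or 'ssh' from the repo prefix, as the proposal suggests."""
    if repo.startswith(("https://", "http://")):
        return "http"
    if repo.startswith(("git@", "ssh://")):
        return "ssh"
    raise CredentialError("unsupported repo URL prefix")

def resolve_secret(field, environ=None):
    """Resolve one {'type': ..., 'value': ...} entry to the secret string."""
    environ = os.environ if environ is None else environ
    kind, value = field.get("type"), field.get("value") or ""
    if kind == "string":
        return value  # the secret is stored in the config file itself
    if kind == "env":
        name = value.lstrip("$")
        if not environ.get(name):
            raise CredentialError(f"environment variable {name} is not set")
        return environ[name]
    if kind == "path":
        try:
            mode = os.stat(value).st_mode
        except OSError as exc:
            raise CredentialError(f"cannot read key file {value}") from exc
        # OpenSSH refuses private keys that group or others can access.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise CredentialError(f"{value} is accessible by group or others")
        with open(value, encoding="utf-8") as fh:
            return fh.read()
    raise CredentialError(f"unknown credential type {kind!r}")
```
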

In a minimum implementation complexity: easy effort, just add a small paragraph to the docs, providing an existing way to install a private plugin from the GitHub repo with a GitHub token.

Keep schema changes unplanned/low priority for now.

arm4b avatar Oct 12 '22 17:10 arm4b