flux bootstrap github - Scopes

Open don4of4 opened this issue 2 years ago • 17 comments

The documentation doesn't mention which scopes are needed for the Github PAT. Is it possible to add this information?

don4of4 avatar Jan 01 '22 01:01 don4of4

In the Getting Started guide, https://fluxcd.io/docs/get-started/#before-you-begin

A GitHub personal access token with repo permissions. See the GitHub documentation on creating a personal access token.

To be specific, even if you intend to use Flux in read-only mode, the repo permissions for the PAT should be for full read/write. This is because Flux writes to the repo, in order to set up SSH Deploy Keys. You can decide at bootstrap time whether the permissions for the Deploy Key should be read-only or read-write. (It is read-only by default.)

Hope this helps! Let us know if there's somewhere else you were expecting to find this information, then we can add it.

kingdonb avatar Jan 05 '22 19:01 kingdonb
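
The repo-scope requirement described above can be checked before running bootstrap. This is an added example, not code from this thread or from the Flux project. The function names are hypothetical and the sample headers are constructed. It relies on GitHub reporting a classic token's scopes in the `X-OAuth-Scopes` response header.

```shell
#!/bin/sh
# Pre-flight check for a classic GitHub PAT before `flux bootstrap github`.
# Live use (headers only, the token is never printed):
#   curl -sI -H "Authorization: Bearer $GITHUB_TOKEN" https://api.github.com/user | has_repo_scope

# token_kind TOKEN: classify a token by its prefix.
# Tokens without a known prefix are reported as "unknown".
token_kind() {
  case "$1" in
    ghp_*)        echo classic ;;
    github_pat_*) echo fine-grained ;;  # review permissions in the token settings instead
    *)            echo unknown ;;
  esac
}

# scopes_from_headers: read raw HTTP response headers on stdin and
# print one granted scope per line (header name is case-insensitive).
scopes_from_headers() {
  tr -d '\r' |
    awk 'tolower($0) ~ /^x-oauth-scopes:/ {
           sub(/^[^:]*:[ \t]*/, "")      # drop the header name
           sub(/[ \t]+$/, "")            # drop trailing whitespace
           n = split($0, s, /,[ \t]*/)
           for (i = 1; i <= n; i++) if (s[i] != "") print s[i]
         }'
}

# has_repo_scope: exit 0 only when the full "repo" scope is granted.
# Narrower scopes such as "public_repo" or "repo:status" do not count,
# since bootstrap needs to write to the repository and add a deploy key.
has_repo_scope() {
  scopes_from_headers | grep -qx 'repo'
}

# Constructed sample responses (not captured from a real account).
sample_ok()     { printf 'HTTP/2 200\r\nx-oauth-scopes: repo, workflow\r\n\r\n'; }
sample_narrow() { printf 'HTTP/2 200\r\nX-OAuth-Scopes: public_repo, repo:status\r\n\r\n'; }
```
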

@don4of4 are you referring to these docs? https://fluxcd.io/docs/installation/#github-and-github-enterprise

stefanprodan avatar Jan 05 '22 19:01 stefanprodan

@stefanprodan It looks like I created this issue from this page: https://fluxcd.io/docs/cmd/flux_bootstrap_github/

Perhaps a reference could be added from here to the full doc page -- I do see this is documented fairly well on https://fluxcd.io/docs/installation/#github-and-github-enterprise

Thank you both.

don4of4 avatar Jan 05 '22 21:01 don4of4

Should be fixed in ./cmd/flux/bootstrap_github.go.

dholbach avatar Jan 24 '22 09:01 dholbach

The getting started guide does not mention anything about this. https://fluxcd.io/docs/get-started

drozzy avatar Mar 26 '22 05:03 drozzy

@drozzy Can you please elaborate? What's missing / what did you expect to see and where?

The note about the Access Token and that it requires repo-permission is at the top of the Getting Started guide.

kingdonb avatar Mar 26 '22 12:03 kingdonb

You are right, I missed that. Thanks for pointing it out. I think perhaps "Objectives" should go first, and "Before you begin" should go second. Because the eye naturally scans the page and skips past objectives. So anything above that seems optional.

drozzy avatar Mar 26 '22 15:03 drozzy

Thanks for the feedback. You're not the first person that missed this information, so it's helpful to hear! We can consider reordering the structure of the docs, that's a pretty reasonable suggestion and makes sense to me.

kingdonb avatar Mar 26 '22 15:03 kingdonb

Perhaps it would make sense to just remove "before you begin" entirely and move the mention about repo tokens into the "Export your credentials" section. Then move kubernetes cluster into its own section. E.g.:

  1. Objectives
  2. Export your credentials (with mention that access token should have "repo" permissions)
  3. Install Kubernetes
  4. Install the Flux CLI
  5. Check your Kubernetes cluster
  6. Install Flux onto your cluster
  7. Etc.

drozzy avatar Mar 26 '22 16:03 drozzy

Ehm, flux tries to create a deploy key which means that the token user must have Admin permissions.

pkit avatar Sep 23 '22 17:09 pkit

@stefanprodan Is there a proper way to bootstrap with a pre-existing deploy key? Without the dance of manual secret creation?

pkit avatar Sep 27 '22 10:09 pkit

@pkit Yes there is a --private-key-file=<path/to/private.key> option, see https://fluxcd.io/flux/installation/#generic-git-server

stefanprodan avatar Sep 27 '22 11:09 stefanprodan

@stefanprodan It's not clear that it applies to github too... Because when I tried --token-auth=true it was still creating a deploy key...

pkit avatar Sep 27 '22 12:09 pkit

It does apply to the generic bootstrap, flux bootstrap git (git, not github). Not sure how to make the docs clear; the GitHub/GitLab sections are way below.

stefanprodan avatar Sep 27 '22 12:09 stefanprodan

For fine-grained (beta) tokens, I think the minimum I need for bootstrap to github is

 Read access to metadata
 Read and Write access to administration and code

Specifically:

  Administration: Repository creation, deletion, settings, teams, and collaborators. (Read and Write)
  Contents: Repository contents, commits, branches, downloads, releases, and merges. (Read and Write)
  Metadata (mandatory): Search repositories, list collaborators, and access repository metadata. (Read-only)

tobywan avatar May 14 '23 20:05 tobywan

There needs to be more detail on GitHub token scopes in the getting started page with visual and/or use case examples. Three words in passing are not enough and assuming devs have used personal tokens with GitHub is a bad assumption. This is the difference between a quick start and one that takes an extra half hour for the extra research involved. Not to mention the potential mistakes for token creation if the incorrect settings are used. Put yourself in your new users' shoes, do them a favor, and expand the thinking around flux CD use and configuration requirements.

dreamsavage avatar Sep 08 '23 07:09 dreamsavage

@dreamsavage we'd be really happy to take PRs improving the docs.

makkes avatar Sep 08 '23 09:09 makkes