
[Spike] Changes needed to support GitHub Actions direct authentication to Minder

Open evankanderson opened this issue 1 year ago • 1 comments

Summary

This is a SPIKE. It is not ready to merge and is more for discussion about how to approach managing Minder rules using IaC.

This change enables Minder to leverage GitHub Actions OIDC identities directly as authorizable identities without creating Keycloak entities for them. I suspect this may be desirable given the differences between machine identities (ephemeral, can be created & destroyed in seconds via automation) and human identities (generally long-lived, can accept contracts, etc).

A short version of the setup:

  • make run-docker and set up KeyCloak with GitHub authentication.

  • minder auth login as a human, which calls CreateUser and creates a project.

  • (set up ngrok or some other internet -> docker connectivity)

  • Run minder project role grant -s githubactions/repo:evankanderson/actions-id-token-testing:ref:refs/heads/main -r admin or the equivalent with your own action name.

    Note that this currently only supports exact-match action names (of the form repo:$SLUG:ref:$REFNAME).

  • Set up a workflow like the following: https://github.com/evankanderson/actions-id-token-testing/blob/d4cc940fd69e3de78d09af7d95a936c14b69eb3c/.github/workflows/minder-auth-token-test.yaml

    • Also set up something to apply; I simply copied in a single rule type for testing.

  • Run the workflow (the example uses a workflow_dispatch, but you could also use a push to main to trigger this automatically).

Your empty project will now have a codeql_enabled rule:

minder ruletype list
WARNING: Running against a test environment (localhost) and may not be stable
+--------------------------------------+--------------------------------------+----------------+--------------------------------+
|               PROJECT                |                  ID                  |      NAME      |          DESCRIPTION           |
+--------------------------------------+--------------------------------------+----------------+--------------------------------+
| 14ac1534-e81a-4060-b4b8-bff2f1ee076a | 5fc82ecc-db9b-4665-8a8e-ecb71eb751d7 | codeql_enabled | Verifies that CodeQL is        |
|                                      |                                      |                | enabled for the repository     |
+--------------------------------------+--------------------------------------+----------------+--------------------------------+

(Workflow run that created the rule -- see the "Apply Minder ruletypes" step)

Note that at no point was there a need to touch GitHub Secrets or otherwise expose credentials off the local machine -- only minder project role grant.

Fixes https://github.com/stacklok/minder-stories/issues/10

Change Type

Mark the type of change your PR introduces:

  • [ ] Bug fix (resolves an issue without affecting existing features)
  • [x] Feature (adds new functionality without breaking changes)
  • [ ] Breaking change (may impact existing functionalities or require documentation updates)
  • [ ] Documentation (updates or additions to documentation)
  • [ ] Refactoring or test improvements (no bug fixes or new functionality)

Testing

This was tested manually.

Review Checklist:

  • :lolsob: Reviewed my own code for quality and clarity.
  • [x] Added comments to complex or tricky code sections.
  • [ ] Updated any affected documentation.
  • [ ] Included tests that validate the fix or feature.
  • [x] Checked that related changes are merged.

evankanderson avatar Aug 29 '24 19:08 evankanderson

This PR needs additional information before we can continue. It is now marked as stale because it has been open for 30 days with no activity. Please provide the necessary details to continue or it will be closed in 30 days.

github-actions[bot] avatar Sep 29 '24 02:09 github-actions[bot]

My estimate is that fixing the above highlighted issues is probably ~1 week. There would be additional UI work needed as well to enable the grants to GitHub actions; minder project role grant -s githubactions/repo:evankanderson/actions-id-token-testing:ref:refs/heads/main -r admin doesn't exactly roll off the tongue, but repo:evankanderson/actions-id-token-testing:ref:refs/heads/main comes from the GitHub sub claim, so some assembly assistance may be required.

This also doesn't allow for any sort of wild-card matching on the subject, which may or may not be a feature.

evankanderson avatar Oct 11 '24 13:10 evankanderson
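The subject mapping the PR description and the comment above rely on (the Minder subject is "githubactions/" followed by the token's sub claim, matched exactly against the project's role grants), as an added Go example that is not part of this PR or of Minder's code. It assumes the ID token's signature has already been verified against GitHub's JWKS (not done here), validates issuer, audience and expiry from the payload, and resolves the subject by exact match only, so a token minted for refs/heads/feature gets no role from a grant made for refs/heads/main; the audience value "minder", the grants map and constructedToken are constructed for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Issuer of GitHub Actions OIDC ID tokens.
const githubActionsIssuer = "https://token.actions.githubusercontent.com"
type actionsClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"` // e.g. repo:owner/name:ref:refs/heads/main
	Aud string `json:"aud"` // a string when the workflow requests a single audience
	Exp int64  `json:"exp"` // Unix seconds
}

// subjectFromIDToken checks issuer, audience and expiry of an ID token whose signature is
// assumed already verified against GitHub's JWKS, and returns the subject "githubactions/<sub>".
func subjectFromIDToken(token, wantAud string, now int64) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", fmt.Errorf("decode payload: %w", err)
	}
	var c actionsClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return "", fmt.Errorf("parse claims: %w", err)
	}
	switch {
	case c.Iss != githubActionsIssuer:
		return "", fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != wantAud:
		return "", fmt.Errorf("audience %q, want %q", c.Aud, wantAud)
	case c.Exp == 0 || c.Exp <= now:
		return "", fmt.Errorf("token expired")
	}
	return "githubactions/" + c.Sub, nil
}

// roleFor resolves a subject against a project's grants by exact match only (no wildcards).
func roleFor(grants map[string]string, subject string) string { return grants[subject] }
// constructedToken builds a JWT-shaped string for offline demos; ".sig" is a placeholder, not a signature.
func constructedToken(payload string) string {
	e := base64.RawURLEncoding
	return e.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + e.EncodeToString([]byte(payload)) + ".sig"
}
```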

This PR needs additional information before we can continue. It is now marked as stale because it has been open for 30 days with no activity. Please provide the necessary details to continue or it will be closed in 30 days.

github-actions[bot] avatar Nov 11 '24 02:11 github-actions[bot]

Coverage Status

coverage: 55.032% (-0.2%) from 55.215% when pulling d41e578cc1ba7b96fd2cddebb83c7262bddd35b8 on evankanderson:auth-token-experiment-spike into b4fc9e370f8d3996a4ed8fc417aeae3a8eb84bcd on mindersec:main.

coveralls avatar Dec 05 '24 20:12 coveralls

This PR needs additional information before we can continue. It is now marked as stale because it has been open for 30 days with no activity. Please provide the necessary details to continue or it will be closed in 30 days.

github-actions[bot] avatar Jan 05 '25 02:01 github-actions[bot]

This was replaced by #5385

evankanderson avatar Feb 11 '25 07:02 evankanderson