[argocd] how to manage appset token secret #214

Closed
jkleinlercher opened this issue Jun 7, 2024 · 3 comments

jkleinlercher commented Jun 7, 2024

initial problem

an scm applicationset needs a secret with a github PAT referenced in tokenRef https://github.com/suxess-it/sx-cnp-oss/blob/main/platform-apps/charts/team-onboarding/templates/appset-scm-multi-stage-kargo.yaml#L18

Otherwise (when accessing github unauthenticated) we immediately get a "rate limit" error:

{"message":"API rate limit exceeded for 91.115.241.173. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)","documentation_url":"https://docs.github.com/rest/overview/resources-in-the-rest-api#rate-limiting"}

there are also other issues talking about this problem: argoproj/argo-cd#9413

reason: the argocd ScmProvider for github first collects ALL repos in this organization and then applies the filters internally.

workaround

Putting this token in the gitops repo is not secure AND github automatically revokes this token if it recognizes this value in a commit.
So we will put this token in the https://github.com/suxess-it/sx-cnp-oss/blob/9c1b83cfd02f4dbbe8d5fc05c9ba4353ce2f81c5/install-platform.sh#L56-L61 as a workaround.
In the github workflow we set the variable to https://github.com/suxess-it/sx-cnp-oss/blob/9c1b83cfd02f4dbbe8d5fc05c9ba4353ce2f81c5/.github/workflows/cluster-test.yml#L53

chicken-egg-problem

However, the problem is that we then need to know the team app-definitions namespaces upfront. It may be okay for this demo, but how to manage this in real life with new teams onboarding? chicken-egg-problem because the namespace -apps gets created when onboarding the team, then automatically the appset gets created which already expects the secret to exist in this -apps .. is there also a central place for this secret for applicationsets? --> need to open argocd issue

with external-secrets we can reevaluate a sustainable solution

jkleinlercher added a commit that referenced this issue Jun 7, 2024
…d not possible, see #214

Signed-off-by: Johannes Kleinlercher <[email protected]>
@jkleinlercher

with appSecretName we should be able to reference a GitHub App to access the API instead .. don't know where this secret needs to be placed.


phac008 commented Sep 18, 2024

The initialization secrets can be stored in vault via rest api call during installation, afterwards flexible usage within gitops with eso.
I will implement this.

phac008 self-assigned this Sep 18, 2024

phac008 commented Sep 19, 2024

move token to vault:
#616

phac008 closed this as completed Sep 19, 2024
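
The Vault plus External Secrets Operator approach mentioned in the comments above, sketched as an added example; it is not taken from this repository or from #616. It shows one way a label-selected ClusterExternalSecret can deliver the token to team namespaces that do not exist yet at install time. Assumptions: a ClusterSecretStore named `vault`, the `external-secrets.io/v1beta1` API version (newer operator releases may serve `v1`), and hypothetical names, labels, organization and Vault path throughout.

```yaml
# Added example; every name, label and Vault path here is hypothetical.
# Assumes External Secrets Operator with a ClusterSecretStore "vault".
apiVersion: external-secrets.io/v1beta1
kind: ClusterExternalSecret
metadata:
  name: appset-github-token
spec:
  externalSecretName: appset-github-token
  # Any namespace with this label gets the secret, so a namespace created
  # at team onboarding does not have to be known at install time.
  namespaceSelector:
    matchLabels:
      example.com/appset-token: "true"
  refreshTime: 1m
  externalSecretSpec:
    refreshInterval: 1h
    secretStoreRef:
      kind: ClusterSecretStore
      name: vault
    target:
      name: github-token
    data:
      - secretKey: token
        remoteRef:
          key: platform/github
          property: appset-token
---
# ApplicationSet in the team namespace; tokenRef matches target.name/secretKey.
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: team-a-repos
  namespace: team-a-apps
spec:
  generators:
    - scmProvider:
        github:
          organization: example-org
          tokenRef:
            secretName: github-token
            key: token
  template:
    metadata:
      name: '{{repository}}'
    spec:
      project: default
      source: {repoURL: '{{url}}', targetRevision: '{{branch}}', path: '.'}
      destination: {server: https://kubernetes.default.svc, namespace: team-a}
```

With this layout the token value lives only in Vault; the gitops repo carries the reference and the onboarding chart only has to label the namespace it creates.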