Onboarding CLI | Flux bootstrapping git authentication credentials #3295

Closed
Tracked by #3026
waleedhammam opened this issue Sep 6, 2023 · 0 comments · Fixed by #3578

@waleedhammam

In order to execute flux bootstrapping we need auth with Git so we need to understand the alternatives that we have here.

Operations involved:

The bootstrapping command will execute the following actions that will require interacting with the git repo:

  1. To execute flux bootstrap
  2. Adding the resources to the repository (HelmCharts, HelmReleases, Rbacs):
    • temporarily clone the repo
    • add the resources
    • option A (currently implemented) commit and push the resources files
    • option B ask users to commit and push the resources files
    • Cleanup

Alternative A: generic git server

  • SSH Private Key (current way): using private key with access to the user's repository (push and pull access)

    Pros:

    • provides a seamless experience through the CLI
    • secure as it clones via SSH
    • supported by all git providers

    Cons:

    • Hard to maintain the key permissions
    • SSH traffic could be blocked by organization
  • SSH Agent: using authenticated ssh-agent with a loaded key with access to the user's repository (push and pull access)

    Pros:

    • same as ssh p.k

    Cons:

    • requires extra step from users to load the key into the agent + Hard to maintain the key permissions
  • HTTPS basic auth: using basic auth (username, password)

    Pros:

    • Straightforward and easy to use

    Cons:

    • Weak security
    • Some providers disabled it and encourage using other methods like tokens or SSH

Alternative B: provider based methods

GitHub

  • using GitHub personal access token (GitHub PAT) with push and pull access.
  • using GitHub Deploy Keys (will use the GitHub PAT) to create a deploy key in the repository

GitLab

  • using GitLab personal access token (GitLab PAT) with push and pull access.
  • using GitLab Deploy Keys (will use the GitLab PAT) to create a deploy key in the repository

Bitbucket

  • Bitbucket HTTP Access Token

General Pros

  • Permission Control over tokens
  • More secure as tokens can have TTL & easy to revoke and rotate

General cons

  • Provider dependent
  • Requires different setup for each provider

More details in flux docs https://fluxcd.io/flux/installation/bootstrap/
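As an added illustration (not part of the original issue and not the project's code), the sketch below shows one way a bootstrap CLI could map a repository URL and the supplied credentials to the generic methods listed under Alternative A. It refuses plain `http` and credentials embedded in the URL. The type, function names, method labels and sample values are all hypothetical.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

type AuthInputs struct { // hypothetical CLI inputs, not the project's types
	PrivateKeyPath     string // SSH private key file
	AgentSocket        string // SSH_AUTH_SOCK value, empty if no agent
	Username, Password string // HTTPS basic auth; a provider PAT goes in Password
}

// repoScheme returns "ssh" or "https", rejecting anything that leaks secrets.
func repoScheme(repo string) (string, error) {
	if !strings.Contains(repo, "://") && strings.Contains(repo, ":") {
		repo = "ssh://" + strings.Replace(repo, ":", "/", 1) // scp-like git@host:path
	}
	u, err := url.Parse(repo)
	switch {
	case err != nil:
		return "", err
	case u.Scheme == "https" && u.User != nil:
		return "", fmt.Errorf("credentials embedded in URL; pass them separately")
	case u.Scheme != "ssh" && u.Scheme != "https":
		return "", fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	return u.Scheme, nil
}

// SelectAuth maps the repository URL and inputs to one of the issue's methods.
func SelectAuth(repo string, in AuthInputs) (string, error) {
	scheme, err := repoScheme(repo)
	switch {
	case err != nil:
		return "", err
	case scheme == "ssh" && in.PrivateKeyPath != "":
		return "ssh-private-key", nil
	case scheme == "ssh" && in.AgentSocket != "":
		return "ssh-agent", nil
	case scheme == "https" && in.Username != "" && in.Password != "":
		return "https-basic", nil
	}
	return "", fmt.Errorf("no usable credentials for %s repository", scheme)
}

func main() {
	fmt.Println(SelectAuth("git@git.example.com:org/repo.git", AuthInputs{AgentSocket: "/tmp/agent.sock"}))
}
```

An explicit key takes precedence over the agent here, and a mismatch between URL scheme and credential type fails early instead of falling through to an interactive prompt.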
