Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GitHub App credentials Cache rather than Store and multiple Orgs #4704

Open
1 task done
bdellegrazie opened this issue Jun 25, 2024 · 1 comment
Open
1 task done

GitHub App credentials Cache rather than Store and multiple Orgs #4704

bdellegrazie opened this issue Jun 25, 2024 · 1 comment
Labels
feature New functionality/enhancement

Comments

@bdellegrazie
Copy link
Contributor

bdellegrazie commented Jun 25, 2024
edited
Loading

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Describe the user story

As a system operator I want Atlantis to adapt the Github App integration to use Git's credential cache rather than the Git's credential store.

Describe the solution you'd like

Assumptions

  • A single Github App

Solution

  1. Use the cache helper instead of store as this supports individual token expiry, as well as the cache expiry. An end user may want to use store for other reasons but this should not be forced.
  2. Instead of writing the credentials to the /home/atlantis/.git-credentials file, invoke git credential approve, supplying the url, username, password (token) and password_expiry_utc on stdin as per the documentation.

The Git credential protocol is quite simple and already supports token expiry. If this were used, the cache helper would automatically expire the token when necessary or when overwritten by Atlantis with a new token. Essentially this is leveraging Git credential protocol to minimise the amount of work being done by Atlantis and leaning on Git to do some of the heavy lifting.

A possible extension to this would help support multiple organisations (or owners) with a single Github App.
Create a custom git credentials helper that, for a specific domain (org/owner):

  1. Generates a JWT token from existing App ID (or Client ID) and Private Key.
  2. If you don't have an Installation ID for the organisation (or owner):
    • Use JWT token to get installation Id from GitHub API
  3. Request an access token using the JWT token and Installation Id.
    Output the url, username (app slug), password (token), expiry time (as UTC seconds)
    This helper would be configured at the org level in Git, e.g.:
[credential "https://github.com/exampleOrg/"]
        useHttpPath = true
        helper = github-app <ClientId|AppID> <path_to_private_key> exampleOrg

When combined with the cache helper - this minimises GitHub API calls and simplifies integration with tools like Terraform etc.

Background
Git has multiple credential helpers, the two installed with Git include:

Git custom credential helpers are also possible
The protocol used by Git Credential Helpers is quite simple.

The current Github App mechanism involves configuring Git by:

  1. Using the store credential helper as a default
  2. Forcing Git to use https rather than ssh protocol via a url.*.insteadOf configuration property.
  3. Periodically writing the Github App's default installation access token to /home/atlantis/.git-credential

In terms of Git configuration, the default behaviour (when using GitHub App) looks like this in /home/atlantis/.gitconfig:

[credential]
	helper = store
[url "https://[email protected]"]
	insteadOf = ssh://[email protected]

And /home/atlantis/.git-credential will look like:

https://x-access-token:<some_token>@github.com

Describe the drawbacks of your solution

More reliant on Git as a tool, but the integration feels less intrusive and allows the configuration to be overridden by the end user if it is not suitable. Also allows use of multiple organisations with a single GitHub App.

Moving the token generation away from Atlantis is not suitable for the primary organisation as interaction with PRs etc is needed, but for supplementary organisations it makes it much easier to allow Git based access to the executing processes - e.g. Terraform / Terragrunt etc.

Describe alternatives you've considered

None at this time.
@bdellegrazie bdellegrazie added the feature New functionality/enhancement label Jun 25, 2024
@bdellegrazie bdellegrazie mentioned this issue Jun 25, 2024
Open
@bdellegrazie bdellegrazie changed the title Cache GitHub App credentials rather than Store Cache GitHub App credentials rather than Store and multiple Orgs Jun 25, 2024
@bdellegrazie bdellegrazie changed the title Cache GitHub App credentials rather than Store and multiple Orgs GitHub App credentials Cache rather than Store and multiple Orgs Jun 25, 2024
@bdellegrazie
Copy link
Contributor Author

For anyone interested in this I wrote a git credentials helper that can already do part of what is required:
https://github.com/bdellegrazie/git-credential-github-app

I do have code to implement the above pending but it needs to be rebased and I haven't looked at it in a while.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature New functionality/enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@bdellegrazie