feat: GitHub - Support loading git token from disk #4928
Conversation
meringu
requested review from
GenPage,
lukemassa and
X-Guardian
and removed request for
a team
github-actions
bot
added
docs
meringu
changed the title
meringu
force-pushed
the
rotate-git-token
branch
from
5c4d507 to
772ad71
Compare
|
Thanks for this @meringu, I have requested a few small changes. Can you also update the PR description to indicate that this is for GitHub. |
meringu
changed the title
meringu
force-pushed
the
rotate-git-token
branch
from
fc0f29a to
171b889
Compare
|
Cheers for the review @X-Guardian, I appreciate it. I have addressed your comments. |
meringu
force-pushed
the
rotate-git-token
branch
from
171b889 to
3112e2b
Compare
Signed-off-by: Henry Muru Paenga <[email protected]>
meringu
force-pushed
the
rotate-git-token
branch
from
3112e2b to
6f9f084
Compare
|
Thanks for this @meringu. You can test using one of these container images: dev-debian-74916fb or dev-alpine-74916fb |
|
Thanks for merging @X-Guardian! I hope I haven't messed up the release testing, but I noticed that there was a gap in my testing methodology when doing some more testing in my environment with the dev-debian-74916fb image. The current |
|
No problem @meringu, this is why we have these beta container image releases. I'll take a look at your new PR. |
Signed-off-by: kvanzuijlen <[email protected]>
what
Adds a
gh-token-fileserver setting that can be used instead ofgh-token. The token is read from disk as part of the GitHub client transport, allowing the token to be rotated without needing to restart the Atlantis process. I've also re-used the.git-credentialstoken rotator from the GitHub app integration to ensure thatwrite-git-credswill update the.git-credentialsfile as thegh-token-fileis updated. This only works for GitHub, we use a --gh-* prefixed flag like the other gh configs. This could be extended to the other VCS options as needed.why
We run about ~150 Atlantis instances in our organisation in our GitHub org. GitHub have a hard limit on 100 GitHub apps per org, and charge a seat per service account user. To get around these challenges we have developed a GitHub app which issues scoped token for each Atlantis and loads them as Kubernetes secrets. The app is also responsible for forwarding and re-signing the webhooks with per instance webhook secrets to the correct Atlantis instance. I'd potentially be interested in opening the source code for this app if there is interest. There are still a few issues we are working through, like this one, and it is currently in a complicated relationship with Keda.
We run Atlantis as a GitHub app, but configure it with short term credentials to run as a GitHub user. The tokens only last one hour, so we manage restarts as part of scale-to-zero to ensure that Atlantis is always running with a valid token.
If the Atlantis instance fails to restart within an hour due to high activity or long running plan or applies, the commands will finish, but results will fail to be commented back to the GitHub pull request.
With this change we can load the token from disk, and as our GitHub app rotates the token, it is immediately picked up by the running Atlantis instance, allowing it to run uninterrupted for longer periods of time.
tests
I ran an apply with the follow Terraform that used to fail to comment back:
I also ran some
catcommands agains the.git-credentialsfile with--write-git-credswas specified to ensure that it was getting updated as the token was being rotated.references