Generate a GitHub App auth token, write it into a Kubernetes Secret and refresh it periodically.
The application ./cmd/github-app-secret takes a GitHub App private key, app ID,
installation ID and a secret name, generates an auth token and writes it to
a Kubernetes Secret with the given secret name. This can be used by any
application that needs GitHub App based authentication.
Create a new GitHub App with the appropriate permissions, generate a private key for the app and install the app in the target repositories. Refer to the official docs for detailed instructions.
The app ID can be obtained from the app settings page at
https://github.com/settings/apps/<app-name>.
The installation ID can be obtained from the
https://github.com/settings/installations page. On clicking an installed app,
the URL will contain the installation ID:
https://github.com/settings/installations/<installation-id>. For
organizations, the first part of the URL may be different, but it follows the
same pattern.
Put the private key in a Kubernetes Secret with

$ kubectl create secret generic github-app-private-key --from-file=privatekey.pem=/path-to-private-key.pem

This secret will be mounted as a volume and used by github-app-secret.
github-app-secret is run as a Kubernetes CronJob. Modify the manifests in the
./deploy directory, adding the parameters collected above as arguments to the
github-app-secret container. For example:
    ...
          containers:
          - name: github-app-secret
            args:
            - "-v=3"
            - --privateKeyPath=/etc/secret-volume/privatekey.pem
            - --appID=<app-id>
            - --installationID=<installation-id>
            - --secretName=<secret-name>
    ...

Update the CronJob schedule depending on your needs, ensuring that the token gets refreshed before it expires.
Make sure that the manifests in ./deploy/rbac.yaml, which grant
github-app-secret the permissions it needs to create and update the
Secret, are applied along with the CronJob manifest.
For cloning git repositories, a Secret of type git can be used. This is the
default Secret type. It creates secret data with the username field set to
x-access-token, as required by GitHub for HTTP-based clones.
For just the auth token, a Secret of type plain can be used. The type is
configured in github-app-secret with the --secretType flag.
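The two pieces of work the tool performs, as an added example written for this README rather than the project's own code: signing the App JWT that GitHub exchanges for an installation token (iss = app ID, exp at most 10 minutes after iat), and laying out the Secret data for the git and plain secret types. The key names password and token are assumptions; the page only fixes the username field.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

// appJWT builds the RS256 JWT a GitHub App presents to the API before asking
// for an installation token. GitHub requires iss = app ID and exp no more than
// 10 minutes after iat; iat is backdated 60s to tolerate clock skew.
func appJWT(key *rsa.PrivateKey, appID int64, now time.Time) (string, error) {
	enc := base64.RawURLEncoding
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]int64{
		"iat": now.Add(-60 * time.Second).Unix(),
		"exp": now.Add(9 * time.Minute).Unix(),
		"iss": appID,
	})
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// secretData lays out the Secret payload for the two --secretType values.
// "git" uses username x-access-token as GitHub expects for HTTP clones; the
// "password" and "token" key names are assumptions made for this example.
func secretData(secretType, token string) (map[string][]byte, error) {
	switch secretType {
	case "git":
		return map[string][]byte{"username": []byte("x-access-token"), "password": []byte(token)}, nil
	case "plain":
		return map[string][]byte{"token": []byte(token)}, nil
	}
	return nil, fmt.Errorf("unknown secret type %q", secretType)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway key for the demo
	tok, _ := appJWT(key, 12345, time.Now())
	fmt.Println("app JWT:", tok[:24]+"...")
}
```

The JWT is sent as `Authorization: Bearer <jwt>` to `POST /app/installations/<installation-id>/access_tokens`; the installation token in the response (valid for one hour) is what goes into the Secret.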
For GitHub Enterprise, the GitHub API URL can be configured with the --apiURL
flag.
Since this is a very basic Go application, ko can be
used to build a container image for it.
Install ko and run make ko-build to build a container image. This
will build the image and load it into the local container image store.
In order to build and publish to a remote repository, run
KO_DOCKER_REPO=<container-repo-address> make ko-publish. Refer to
https://ko.build/get-started/#choose-destination for more examples.