Thread
#general

    bored-monitor-99026

    5 months ago
    hi folks, is there a way to manage github PAT with pulumi? including creating, renew, deletion etc.

    rhythmic-whale-48997

    5 months ago
    From the API docs no. There is no method that will allow you to manage PATs https://www.pulumi.com/registry/packages/github/api-docs/

    bored-monitor-99026

    5 months ago
    right, so i was wondering how other folks manage PATs given the provider doesn't allow you to do so
    i mean, creating, regenerating and replacing PAT is a manual process...? plus PATs usually have an expiration for security reasons, then there needs to be a person to periodically do the manual work. this sounds like 😲 and if the person forgot to renew the PAT then 😲😲

    little-cartoon-10569

    5 months ago
    PATs are intended to be UI-driven. SSH keys are much more CLI-friendly; if you need to automate security for a headless user, consider switching to SSH keys.

    bored-monitor-99026

    5 months ago
    thanks for the advice, but i am still specifically wondering about these use cases where it seems we have no choice but to use PAT:
    1. using pulumi to manage github resources: https://www.pulumi.com/registry/packages/github/installation-configuration/#configuring-credentials
    2. bootstrap flux on a k8s cluster when the plan is not github enterprise: https://fluxcd.io/docs/cmd/flux_bootstrap_github

    little-cartoon-10569

    5 months ago
    There's always a choice 🙂 OAuth would work in both of these cases. If PAT suits your case better, then you're likely to have to drop out to the CLI. Does the github CLI support generating PATs?
    No, I can't see any way of doing it. There's no CLI, SDK or API support for it (afaict). It's designed to be user-driven by GitHub, it isn't really a Pulumi thing at all.

    rhythmic-whale-48997

    5 months ago
    @bored-monitor-99026 I'm using Pulumi to bootstrap Flux: generate PAT on the UI and save it as a secret in Pulumi, then use Command module and run flux bootstrap. I can provide sample code if you need it.

    little-cartoon-10569

    5 months ago
    Yes, doing it manually is easy. The challenge is generating a new PAT from code. Not easy..

    rhythmic-whale-48997

    5 months ago
    A simple shell script with a call to the GitHub REST API can be sufficient. This script can be run with Pulumi Command on create. Also, we can provide Pulumi with a shell script to delete the PAT when deleting stuff. This is what I would do, and then PAT is "controlled" by Pulumi Command module on create and delete

    bored-monitor-99026

    5 months ago
    thanks! yes, it would be very helpful if you can share the sample code 👍 i thought about OAUTH token approach after reading tenwit's comment. i would say, OAUTH sounds like the way to go and we probably should always prefer OAUTH to PAT since PAT doesn't have API support etc. after all, we will use Command module to CRUD OAUTH token. this sgtm

    rhythmic-whale-48997

    5 months ago
    You can do something like this:
    import * as fs from "fs";
    import * as pulumi from "@pulumi/pulumi";
    import * as eks from "@pulumi/eks";
    import * as cmd from "@pulumi/command";

    // NOTE: `vpc` and `role` are not defined in this snippet; they are
    // expected to be created earlier in the same Pulumi program.

    // create an EKS cluster with no default nodes
    const cluster = new eks.Cluster("test-cluster", {
        version: "1.22",
        vpcId: vpc.id,
        privateSubnetIds: vpc.privateSubnetIds,
        skipDefaultNodeGroup: true,
        instanceRoles: [
            role
        ],
        endpointPrivateAccess: true,
        endpointPublicAccess: false,
        createOidcProvider: true,
        nodeAssociatePublicIpAddress: false
    });

    // write kubeconfig to a file so we can use it for Flux bootstrap
    cluster.kubeconfig.apply(v => {
        fs.writeFileSync("../kubeconfig.json", JSON.stringify(v), 'utf-8');
    });

    // create managed node group and add it to the cluster
    const managedNodeGroup2 = eks.createManagedNodeGroup("example-managed-ng2", {
        cluster: cluster,
        nodeGroupName: "aws-managed-ng2",
        nodeRoleArn: role.arn,
        scalingConfig: {
            desiredSize: 1,
            minSize: 1,
            maxSize: 3,
        },
        subnetIds: vpc.privateSubnetIds,
        diskSize: 50,
        instanceTypes: ["c4.4xlarge"],
        labels: {"ondemand": "true"},
    }, cluster);

    // extract PAT from config as a secret, so it stays encrypted in the
    // stack state (set it with: pulumi config set --secret githubToken <PAT>)
    let config = new pulumi.Config();
    const ghToken = config.requireSecret("githubToken");

    // run Flux bootstrap directly; the CLI reads the PAT from GITHUB_TOKEN
    const fluxBootstrap = new cmd.local.Command("fluxcd-bootstrap", {
        environment: {
            GITHUB_TOKEN: pulumi.interpolate`${ghToken}`
        },
        create: "flux bootstrap github --kubeconfig ../kubeconfig.json --hostname=<GITHUB_URL> --ssh-hostname=<GITHUB_URL> --owner=<OWNER> --repository=<REPO> --branch=main --path=./flux --personal",
    }, {
        dependsOn: [
            cluster, managedNodeGroup2
        ]
    });
    This is something that I have put together with duck tape to check if it will work. And it's working. If you are worried about leaking resources, you can also define delete in the command that will do flux uninstall. For proof of concept this is good for me. If you want to add more logic to the single command, you can invoke a shell script, a python script, you name it. Just remember that this is run on the machine that does the pulumi up command, so if you are invoking for example a python script, you need to have python installed; same for Flux, you need to have the CLI installed in order for this to work