hi folks, is there a way to manage github PAT with...
# general
hi folks, is there a way to manage github PAT with pulumi? including creating, renew, deletion etc.
From the API docs no. There is no method that will allow you to manage PATs https://www.pulumi.com/registry/packages/github/api-docs/
right, so i was wondering how other folks manage PATs given the provider doesn't allow you to do so
i mean, creating, regenerating and replacing PAT is a manual process...? plus PATs usually have a expiration for security reason, then there needs a person to periodically do the manual work. this sounds like 😲 and if the person forgot to renew the PAT then 😲😲
PATs are intended to be UI-driven. SSH keys are much more CLI-friendly; if you need to automate security for a headless user, consider switching to SSH keys.
👍 1
🙏 1
thanks for the advice, but i am still specifically wondering these use cases where it seems we have no choice but to use PAT 1. using pulumi to manage github resources: https://www.pulumi.com/registry/packages/github/installation-configuration/#configuring-credentials 2. bootstrap flux on a k8s cluster when the plan is not github enterprise: https://fluxcd.io/docs/cmd/flux_bootstrap_github
There's always a choice 🙂 OAuth would work in both of these cases. If PAT suits your case better, then you're likely to have to drop out to the CLI. Does the github CLI support generating PATs?
No, I can't see any way of doing it. There's no CLI, SDK or API support for it (afaict). It's designed to be user-driven by GitHub, it isn't really a Pulumi thing at all.
@bored-monitor-99026 I'm using Pulumi to bootstrap Flux generate PAT on the UI and save it as a secet in pulumi then use Command module and run flux bootstrap I can provide with sample code if you need it
Yes, doing it manually is easy. The challenge is generating a new PAT from code. Not easy..
A simple shell script with call to GitHub REST API can be sufficient. This script can be run with Pulumi Command on create, Also, we can provide Pulumi with shell script to delete the PAT when deleting stuff. This is what I would do, and then PAT is "controlled" by Pulumi Command module on create and delete
thanks! yes, it would be very helpful if you can share the sample code 👍 i thought about OAUTH token approach after reading
's comment. i would say, OAUTH sounds like the way to go and we probably should always prefer OAUTH to PAT since PAT doesn't have API support etc. after all, we will use Command module to CRUD OAUTH token. this sgtm
You can do something like this:
Copy code
// create an EKS cluster with no default nodes
const cluster = new eks.Cluster("test-cluster", {
    version: "1.22",
    vpcId: vpc.id,
    privateSubnetIds: vpc.privateSubnetIds,
    skipDefaultNodeGroup: true,
    instanceRoles: [
    endpointPrivateAccess: true,
    endpointPublicAccess: false,
    createOidcProvider: true,
    nodeAssociatePublicIpAddress: false

// write kubeconfig to a file so we can use it for Flux bootstrap
cluster.kubeconfig.apply(v => {
    fs.writeFileSync("../kubeconfig.json",  JSON.stringify(v), 'utf-8');

// create managed node group and add it to the cluster
const managedNodeGroup2 = eks.createManagedNodeGroup("example-managed-ng2", {
    cluster: cluster,
    nodeGroupName: "aws-managed-ng2",
    nodeRoleArn: role.arn,
    scalingConfig: {
        desiredSize: 1,
        minSize: 1,
        maxSize: 3,
    subnetIds: vpc.privateSubnetIds,
    diskSize: 50,
    instanceTypes: ["c4.4xlarge"],
    labels: {"ondemand": "true"},
}, cluster);

// extract PAT from config
let config = new pulumi.Config();
const ghToken = config.get(githubToken);

// run Flux bootstrap directly 
const fluxBootstrap = new cmd.local.Command("fluxcd-bootstrap", {
    environment: {
        GITHUB_TOKEN: pulumi.interpolate`${ghToken}`
    create: "flux bootstrap github --kubeconfig ../kubeconfig.json --hostname=<GITHUB_URL> --ssh-hostname=<GITHUB_URL> --owner=<OWNER> --repository=<REPO> --branch=main --path=./flux --personal",
}, {
    dependsOn: [
        cluster, managedNodeGroup2 
This is something that I have put together with duck tape to check if it will work. And it's working. If you are worried about leaking resources, you can also define
in the command that will do
flux uninstall
For proof of concept this is good for me. If you want to add more logic to the single command, you can invoke a shell script, a python script, you name it. Just remeber that this is run on the machine that does
pulumi up
command so if you are invoking for example a python script, you need to have python installed, same for Flux, you need to have the CLI installed in order this to work
👍 1
🙏 1