hi folks, is there a way to manage github PAT with...
# general
b
hi folks, is there a way to manage GitHub PATs with Pulumi? including creating, renewing, deleting, etc.
r
From the API docs, no. There is no method that will allow you to manage PATs: https://www.pulumi.com/registry/packages/github/api-docs/
b
right, so I was wondering how other folks manage PATs given the provider doesn't allow you to do so
I mean, creating, regenerating and replacing a PAT is a manual process...? Plus PATs usually have an expiration for security reasons, so a person needs to periodically do the manual work. This sounds like 😲, and if the person forgets to renew the PAT then 😲😲
l
PATs are intended to be UI-driven. SSH keys are much more CLI-friendly; if you need to automate security for a headless user, consider switching to SSH keys.
b
thanks for the advice, but I am still specifically wondering about these use cases where it seems we have no choice but to use a PAT:
1. using Pulumi to manage GitHub resources: https://www.pulumi.com/registry/packages/github/installation-configuration/#configuring-credentials
2. bootstrapping Flux on a k8s cluster when the plan is not GitHub Enterprise: https://fluxcd.io/docs/cmd/flux_bootstrap_github
l
There's always a choice 🙂 OAuth would work in both of these cases. If a PAT suits your case better, then you're likely to have to drop out to the CLI. Does the GitHub CLI support generating PATs?
No, I can't see any way of doing it. There's no CLI, SDK or API support for it (AFAICT). It's designed to be user-driven by GitHub; it isn't really a Pulumi thing at all.
r
@bored-monitor-99026 I'm using Pulumi to bootstrap Flux: generate a PAT in the UI and save it as a secret in Pulumi, then use the Command module and run flux bootstrap. I can provide sample code if you need it.
l
Yes, doing it manually is easy. The challenge is generating a new PAT from code. Not easy..
r
A simple shell script with a call to the GitHub REST API can be sufficient. This script can be run with Pulumi Command on create. Also, we can provide Pulumi with a shell script to delete the PAT when deleting stuff. This is what I would do, and then the PAT is "controlled" by the Pulumi Command module on create and delete.
b
thanks! yes, it would be very helpful if you can share the sample code 👍 I thought about the OAuth token approach after reading tenwit's comment. I would say OAuth sounds like the way to go, and we probably should always prefer OAuth to a PAT since a PAT doesn't have API support etc. After all, we will use the Command module to CRUD the OAuth token. This SGTM
r
You can do something like this:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as eks from "@pulumi/eks";
import * as cmd from "@pulumi/command";
import * as fs from "fs";

// `vpc` (the VPC component exposing id/privateSubnetIds) and `role` (the IAM role
// for the worker nodes) are created earlier in the program and are not shown here.

// create an EKS cluster with no default nodes
const cluster = new eks.Cluster("test-cluster", {
    version: "1.22",
    vpcId: vpc.id,
    privateSubnetIds: vpc.privateSubnetIds,
    skipDefaultNodeGroup: true,
    instanceRoles: [
        role
    ],
    endpointPrivateAccess: true,
    endpointPublicAccess: false,
    createOidcProvider: true,
    nodeAssociatePublicIpAddress: false
});

// write kubeconfig to a file so we can use it for Flux bootstrap
// (this lands unencrypted on the machine running `pulumi up`)
cluster.kubeconfig.apply(v => {
    fs.writeFileSync("../kubeconfig.json", JSON.stringify(v), 'utf-8');
});

// create managed node group and add it to the cluster
const managedNodeGroup2 = eks.createManagedNodeGroup("example-managed-ng2", {
    cluster: cluster,
    nodeGroupName: "aws-managed-ng2",
    nodeRoleArn: role.arn,
    scalingConfig: {
        desiredSize: 1,
        minSize: 1,
        maxSize: 3,
    },
    subnetIds: vpc.privateSubnetIds,
    diskSize: 50,
    instanceTypes: ["c4.4xlarge"],
    labels: {"ondemand": "true"},
}, cluster);

// extract PAT from config; it was stored as a secret
// (`pulumi config set --secret githubToken <value>`), so read it as one
const config = new pulumi.Config();
const ghToken = config.requireSecret("githubToken");

// run Flux bootstrap directly
const fluxBootstrap = new cmd.local.Command("fluxcd-bootstrap", {
    environment: {
        GITHUB_TOKEN: pulumi.interpolate`${ghToken}`
    },
    create: "flux bootstrap github --kubeconfig ../kubeconfig.json --hostname=<GITHUB_URL> --ssh-hostname=<GITHUB_URL> --owner=<OWNER> --repository=<REPO> --branch=main --path=./flux --personal",
}, {
    dependsOn: [
        cluster, managedNodeGroup2
    ]
});
```
This is something that I have put together with duct tape to check if it will work. And it's working. If you are worried about leaking resources, you can also define `delete` in the command, which will do `flux uninstall`. For a proof of concept this is good for me. If you want to add more logic to the single command, you can invoke a shell script, a Python script, you name it. Just remember that this is run on the machine that does the `pulumi up` command, so if you are invoking, for example, a Python script, you need to have Python installed; same for Flux, you need to have the CLI installed in order for this to work.