Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ArgoCD AddOn: Support for ArgoCD "GitHub App Credentials" #1043

Open
1 task
JonVDB opened this issue Jul 15, 2024 · 1 comment
Open
1 task

ArgoCD AddOn: Support for ArgoCD "GitHub App Credentials" #1043

JonVDB opened this issue Jul 15, 2024 · 1 comment
Assignees
@shapirov103
Labels
feature stale

Comments

@JonVDB
Copy link

JonVDB commented Jul 15, 2024

Describe the feature

ArgoCD provides a compatibility-feature for "GitHub App Credentials" when adding Private Repositories. From the ArgoCD Helm Chart, this also seems to be possible if provided as a credentialsTemplate.

Currently, when bootstrapping a private repository with the EKS Blueprints ArgoCD AddOn, it's not possible to provide this type of credential. Instead, the current AddOn seems to only allow credentials, tokens or SSH keys of a user account.

To prevent having to make separate users, and to properly make use of GitHub's intended and secure features, it would be nice if EKS Blueprints could support this as a credentialsType.

Use Case

I have many different customers that are unwilling to compromise on security when it comes to GitHub repositories. Using regular GitHub User Accounts for ArgoCD to connect with, to reach a Private Repository, is seen as insecure or at the very least annoying.

Instead, these customers want to use GitHub Apps which offers fine-grained access control between access levels (read, write) and access on the repository-level (picking & choosing which repo the GitHub App has access to).

Furthermore, when managing multiple customers, having to create separate GitHub User Accounts per customer(-app), pay a seat for it in GitHub Enterprise/Organizations and manage the account as a whole is seen as cumbersome, expensive and inefficient.

Because of the above reasons, support of GitHub App Credentials would immediately solve all these issues and customer worries.

Proposed Solution

The ability to use GitHub Apps as a way to access private Repositories. Below is an example.

const bootstrapRepo: ApplicationRepository = {
    repoUrl: "https://github.com/JonVDB/myRepo.git",
    credentialsSecretName: 'my-github-app-private-key',
    credentialsType: 'GITHUB_APP',
    githubAppID: 1111,
    githubAppInstallationID: 9999,
    // githubAppEnterpriseBaseUrl: https://example.com/api/v3  // This should be optional: not applicable for non-Enterprise GH Apps.
}

const bootstrapArgo = new ArgoCDAddOn({
    bootstrapRepo: {
        ...bootstrapRepo,
        path: 'envs/dev'
    }
});

const blueprint = EksBlueprint.builder()
    .version("auto")
    .addOns(bootstrapArgo)
    .account(account);

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request

CDK version used

2.133.0 (build dcc1e75)

EKS Blueprints Version

1.15.1

Node.js Version

v20.11.0

Environment details (OS name and version, etc.)

Win11Pro22H2
@JonVDB JonVDB added the feature label Jul 15, 2024
@shapirov103 shapirov103 self-assigned this Jul 29, 2024
@github-actions GitHub Actions
Copy link

This issue has been automatically marked as stale because it has been open 60 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

@github-actions github-actions bot added the stale label Oct 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@shapirov103 shapirov103

Labels
feature stale
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@JonVDB @shapirov103