Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(applicationset): reuse repo-creds for an existing GitHub App #10092

Merged
merged 1 commit into from Aug 19, 2022
Merged

feat(applicationset): reuse repo-creds for an existing GitHub App #10092

merged 1 commit into from Aug 19, 2022

Conversation

iamnoah
Copy link
Contributor

@iamnoah iamnoah commented Jul 25, 2022
edited

Closes #10079

@iamnoah iamnoah force-pushed the scm-reuse-github-app branch 4 times, most recently from abb2767 to 3b48148 Compare July 25, 2022 16:11
@codecov
Copy link

codecov bot commented Jul 25, 2022
edited

Codecov Report

Merging #10092 (d9f5a61) into master (5181bc1) will increase coverage by 0.11%.
The diff coverage is 15.62%.

❗ Current head d9f5a61 differs from pull request most recent head ed3cc89. Consider uploading reports for the commit ed3cc89 to get more accurate results

@@            Coverage Diff             @@
##           master   #10092      +/-   ##
==========================================
+ Coverage   45.92%   46.04%   +0.11%     
==========================================
  Files         229      232       +3     
  Lines       28278    27908     -370     
==========================================
- Hits        12987    12849     -138     
+ Misses      13518    13321     -197     
+ Partials     1773     1738      -35
Impacted Files Coverage Δ
applicationset/generators/pull_request.go 42.85% <0.00%> (-3.30%) ⬇️
applicationset/generators/scm_provider.go 35.57% <0.00%> (-5.09%) ⬇️
applicationset/services/pull_request/github.go 14.00% <0.00%> (ø)
applicationset/services/pull_request/github_app.go 0.00% <0.00%> (ø)
applicationset/services/scm_provider/github.go 81.17% <0.00%> (ø)
applicationset/services/scm_provider/github_app.go 0.00% <0.00%> (ø)
...is/applicationset/v1alpha1/applicationset_types.go 34.69% <ø> (-3.24%) ⬇️
util/db/repo_creds.go 0.00% <0.00%> (ø)
util/db/repository.go 39.28% <ø> (ø)
util/db/repository_secrets.go 68.60% <0.00%> (-1.09%) ⬇️
... and 28 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@crenshaw-dev crenshaw-dev mentioned this pull request Aug 9, 2022
Open
3 tasks
jetersen
jetersen approved these changes Aug 9, 2022
View reviewed changes
Copy link
Contributor

@jetersen jetersen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

overall looks good to me.

I can wonder why there is almost no code reuse from the existing implementation for github app authentication or refactor of existing code.

Consider my comment nitpicking.

crenshaw-dev
crenshaw-dev requested changes Aug 9, 2022
View reviewed changes
Copy link
Collaborator

@crenshaw-dev crenshaw-dev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this will be a pretty awesome enhancement!

I think you might have started down the path of auto-discovering the repo creds. Did that end up not being a viable option?

applicationset/generators/scm_provider.go Outdated Show resolved Hide resolved
applicationset/services/internal/github_app/client.go Show resolved Hide resolved
applicationset/services/internal/github_app/client.go Outdated Show resolved Hide resolved
applicationset/services/internal/github_app/try.go Outdated Show resolved Hide resolved
applicationset/services/pull_request/github_app.go Outdated Show resolved Hide resolved
@iamnoah
Copy link
Contributor Author

iamnoah commented Aug 9, 2022

why there is almost no code reuse from the existing implementation for github app authentication

I went down this path and the answer is that after ghinstallation.New, the logic for checking out a repo vs. making API calls diverges significantly. repo-server uses the git protocol naturally, vs. REST for the GitHub API.

@iamnoah
Copy link
Contributor Author

iamnoah commented Aug 9, 2022

I think you might have started down the path of auto-discovering the repo creds. Did that end up not being a viable option?

I thought better of it for a few reasons: 1. You might want a different app to checkout code than the one that scans for PRs or branches. 2. If you had a credential you didn't expect to be used this way, consuming some rate limit and making unexpected calls just seems like a good way to freak people out.

@crenshaw-dev
Copy link
Collaborator

@iamnoah makes sense. Did you find that there's something acting as a hard barrier to auto-discovery, or simply that it was too involved to tackle in this PR?

Just curious, in case someone decides to pick up auto-discovery in the future.

@jetersen
Copy link
Contributor

jetersen commented Aug 9, 2022

I went down this path and the answer is that after ghinstallation.New, the logic for checking out a repo vs. making API calls diverges significantly. repo-server uses the git protocol naturally, vs. REST for the GitHub API.

Thanks for taking the time detailing it 👍 Makes sense.

@iamnoah
Copy link
Contributor Author

iamnoah commented Aug 9, 2022

Did you find that there's something acting as a hard barrier to auto-discovery, or simply that it was too involved to tackle in this PR?

No, I had some code that would inject the argocddb, try each credential, and note if there was a 401 then stopping using it for one hour. But I realized that PRs need a separate permission and felt like the unintended consequences were too great.

I would want auto-discovery to:

  • For PRs, first use the GitHub API to make sure the App has permission to read PRs
  • Load the organization(s) the App is valid for and match that up to the configuration (don't use a credential you know will fail)
  • Some sort of opt-in/out at in argocd-cm and per credential.
  • Maybe refuse to automatically use any app credentials if there are more than one that could work.
  • Optional: the ability to use multiple credentials.

@iamstarkov iamstarkov mentioned this pull request Aug 16, 2022
Closed
@crenshaw-dev
Copy link
Collaborator

@iamnoah do you have time to resolve conflicts?

@iamnoah
feat(applicationset): reuse repo-creds for an existing GitHub App
ed3cc89 
Closes argoproj#10079

Signed-off-by: Noah Perks Sloan <noah_sloan@securityjourney.com>
crenshaw-dev
crenshaw-dev approved these changes Aug 19, 2022
View reviewed changes
Copy link
Collaborator

@crenshaw-dev crenshaw-dev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm - thanks @iamnoah!

@crenshaw-dev crenshaw-dev merged commit 506bd3b into argoproj:master Aug 19, 2022
@iamnoah iamnoah deleted the scm-reuse-github-app branch September 22, 2022 19:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@crenshaw-dev crenshaw-dev crenshaw-dev approved these changes

@jetersen jetersen jetersen approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

applicationset - use GitHub Apps for generators when available
3 participants
@iamnoah @crenshaw-dev @jetersen