This repository has been archived by the owner on Nov 1, 2022. It is now read-only.

Run flux with read-only access to repository #1139

Closed
jml opened this issue Jun 12, 2018 · 10 comments · Fixed by #1807

jml commented Jun 12, 2018

A few times I've spoken to flux users and potential flux users who really like the way flux keeps deployments in sync, but would rather not have flux actually edit their YAMLs.

They have a variety of reasons, including some or all of:

  • general wariness about granting write access
  • desire for all changes to be reviewed by a human
  • desire for all changes to go through some automated CI process before being applied
  • wanting to lock down which humans can trigger changes to the UI
  • general desire for as few ways of doing a thing as possible (simplifies processes, training, etc. in larger orgs)

Contributor

rade commented Jun 12, 2018

Sounds like this is really a "sync-only" mode, correct?

> desire for all changes to be reviewed by a human
> desire for all changes to go through some automated CI process before being applied

Flux could open a PR.

Author

jml commented Jun 12, 2018 via email

Member

squaremo commented Aug 9, 2018

> Flux could open a PR.

You can't open a PR if you can't write to the repo.

@squaremo
Member

The main technical difficulty with this is that flux currently assumes it can force-push its "sync tag" to the upstream repo. This is largely a mechanism to prevent duplicate events, though it is tangled up in a few other places. To have properly read-only repos, we'd have to figure out another way to keep a high water mark or otherwise prevent duplicate events. (The event receiver should really be deduplicating anyway, but we shouldn't rely on that here.)

@stefanprodan
Member

We could store the checkpoint in an annotation on the SSH key secret that's under Flux control.
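
The high-water-mark idea from the two comments above, as an added Go example (not Flux's code): the checkpoint lives in a store outside the repository, so duplicate events are suppressed without pushing a tag upstream. `MarkStore`, `memStore`, `Unsynced` and `SyncOnce` are hypothetical names, and the revisions are constructed sample values.

```go
package main

import "fmt"

// MarkStore is a hypothetical checkpoint store kept outside the git repo
// (e.g. an annotation on a cluster object), so no repo write access is needed.
type MarkStore interface {
	Get() string
	Set(rev string)
}

// memStore is an in-memory stand-in for that store (constructed for the example).
type memStore struct{ rev string }

func (m *memStore) Get() string    { return m.rev }
func (m *memStore) Set(rev string) { m.rev = rev }

// Unsynced returns the commits after the high water mark, oldest first.
// resync is true when the mark is not in history (first run, or upstream
// history was rewritten); then the whole history is returned.
func Unsynced(history []string, mark string) (commits []string, resync bool) {
	for i, rev := range history {
		if rev == mark {
			return history[i+1:], false
		}
	}
	return history, true
}

// SyncOnce emits one event per unsynced commit, then advances the mark.
// A second call with unchanged history emits nothing (no duplicate events).
func SyncOnce(history []string, store MarkStore, emit func(rev string)) bool {
	commits, resync := Unsynced(history, store.Get())
	for _, rev := range commits {
		emit(rev)
	}
	if len(history) > 0 {
		store.Set(history[len(history)-1])
	}
	return resync
}

func main() {
	store := &memStore{}
	history := []string{"a1", "b2", "c3"} // constructed sample revisions
	emit := func(rev string) { fmt.Println("event for", rev) }
	fmt.Println("resync:", SyncOnce(history, store, emit))
	fmt.Println("resync:", SyncOnce(history, store, emit)) // no events this time
}
```
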

ariep commented Jul 17, 2019

Potential flux user here. I would also be very interested in this feature for yet another reason: our use-case would consist of a single repository specifying a deployment, and many (small) clusters, that are not under our control, using flux to pull from the specification and update accordingly. We would not want to give the people controlling the clusters write access to our source repo.

primeroz commented Aug 19, 2019

Really interested in this.

I need it to run CI Clusters where, due to a higher risk of leaking credentials, I really don't want to attach a RW SSH key.

Is there any plan to work on this? I can see work on it being done as soon as 3 hours ago :)

ghost commented Feb 7, 2020

Is there any documentation for how to do this?

Contributor

2opremio commented Feb 7, 2020

There is a flux flag for this: --git-readonly

Contributor

2opremio commented Feb 7, 2020
