feat: Rotate Github App Token outside of Atlantis commands #3208

jonathanwiemers · 2023-03-15T13:22:51Z

what

move server/events/git_cred_writer.go out of the git clone flow, when using GitHub app authentication
implements a token rotator that tries to rotate the token every 30 seconds - it will only rotate the token when it's actually about to expire.
I thought about just trying to refresh the token when it's about to expire, (we could get the information from the installation lib (https://github.com/bradleyfalzon/ghinstallation/blob/master/transport.go#L182). But that would need more error handling when it fails. This way it would try again after 30 seconds which might be successful, if it failed before due to temporary problems (eg. network problem / gh incidents / rate limiting).

why

The GitHub app credentials can expire if a PR was open for a long time and no other clone happened in the meantime on Atlantis. Terraform init would then fail to download downstream modules from git.
This PR changes the behaviour of Github app token refreshes to happen outside of the usual Atlantis commands and ensures that the token is always valid.

tests

I have tested my changes by

running it locally
unit tests
running in our infrastructure

references

related to Occasionally terraform module download error: Could not download module - No such device or address #3186

fixes #3186

jonathanwiemers · 2023-03-15T13:39:51Z

@nitrocode Hey could you have a quick look and give some feedback?
Do you think this is a valid way?

server/server.go

krrrr38

lgtm

krrrr38 · 2023-03-16T11:39:06Z

server/scheduled/executor_service.go

 	}
 }

+func (s *ExecutorService) AddJob(jd JobDefinition) {
+	s.jobs = append(s.jobs, jd)
+}


server/events/github_app_working_dir.go

jonathanwiemers · 2023-03-17T10:47:21Z

@nitrocode pls review

.gitignore

server/events/github_app_working_dir.go

server/server.go

server/scheduled/executor_service.go

docker-compose.yml

Co-authored-by: nitrocode <7775707+nitrocode@users.noreply.github.com>

nitrocode · 2023-03-20T21:23:28Z

@jonathanwiemers please fix linter errors

jonathanwiemers · 2023-03-21T08:28:15Z

@nitrocode fixed it

Co-authored-by: nitrocode <7775707+nitrocode@users.noreply.github.com> Co-authored-by: PePe Amengual <jose.amengual@gmail.com>

…is#3208) Co-authored-by: nitrocode <7775707+nitrocode@users.noreply.github.com> Co-authored-by: PePe Amengual <jose.amengual@gmail.com>

jonathanwiemers added 2 commits March 15, 2023 11:37

first naive implementation

02abcb5

Merge remote-tracking branch 'origin/main' into gh-app-refresh-token-fix

abca50b

jonathanwiemers changed the title ~~first naive implementation~~ Rotate Github App Token outside of Atlantis commands Mar 15, 2023

fix typos

b098860

krrrr38 reviewed Mar 15, 2023

View reviewed changes

server/server.go Show resolved Hide resolved

jonathanwiemers added 3 commits March 16, 2023 10:09

integration with executor_service

ba49842

adds unit tests

7defbe3

Merge remote-tracking branch 'origin/main' into gh-app-refresh-token-fix

31e5de3

jonathanwiemers marked this pull request as ready for review March 16, 2023 10:47

jonathanwiemers requested a review from a team as a code owner March 16, 2023 10:47

github-actions bot added go Pull requests that update Go code provider/github labels Mar 16, 2023

krrrr38 approved these changes Mar 16, 2023

View reviewed changes

jonathanwiemers added 2 commits March 17, 2023 11:44

fix

c77b239

fix

7dd7d34

jonathanwiemers commented Mar 17, 2023

View reviewed changes

server/events/github_app_working_dir.go Outdated Show resolved Hide resolved

jonathanwiemers added 2 commits March 17, 2023 11:54

Merge branch 'main' into gh-app-refresh-token-fix

7504143

fix tests

5ec0a62

JulianSuttner approved these changes Mar 17, 2023

View reviewed changes

Merge branch 'main' into gh-app-refresh-token-fix

e6cfa65