Are there plans to support GitHub apps instead of PAT?

[dan-slinky-ckpd]

In our organisation, GitHub apps are preferred over Personal Access Tokens. Any plans to support on source and notification controllers?

[cmergenthaler]

Is there any answer on this? We are also interested in using Github Apps to authenticate our repositories instead of using PAT or Deploy keys

[darkowlzz]

Hi, there had been a lot of request for this before and some attempts to add it in flux components itself, refer fluxcd/notification-controller#437. But after going through the details of it, it became apparent that github app token generation need not be part of flux itself but something else can handle the token creation and refresh, and flux can just use it. More details about it can be found in fluxcd/notification-controller#437 (comment) .
While investigating about the topic and validating the idea, I made https://github.com/fluxcd-community/github-app-secret to demonstrate the solution. It needs some maintenance. But soon after I came across another similar project https://github.com/Disturbing/github-app-secret-refresher which was create years ago. I haven't tried it myself, but it seems to be based on the same idea.

[kingdonb]

This https://github.com/fluxcd-community/github-app-secret has been officially released now, so I think we can close this discussion.

🎉🚀

[joebowbeer]

github-app-secret was archived 2/2024

[stefanprodan]

We'll have GitHub App support in Flux, RFC here #4806

[kingdonb]

When we created github-app-secret, we did it because we imagined that lots of people would be doing this but we didn't see many people doing it. Maybe we can get GitHub (Microsoft) to pay someone to turn this into a real product. 🤔

The code is very simple. The fluxcd-community organization projects can be archived and still remain useful. I think that is the point of fluxcd-community, we can publish experiments there, and there's no expectation that they are part of fluxcd proper.

(It's good to hear there is an RFC so we won't need this in the future! I think there is still a place for tools like github-app-secret, even with the RFC, as bootstrapping Flux with an app secret probably won't be covered, and other use cases perhaps even those unrelated to Flux would benefit from it.)

Are there any other projects in the wild like github-app-secret that can provide this behavior as stand-alone?

I forked github-app-secret myself as I am still using it, and it fits into my needs quite well, but I do not have a roadmap or plans to maintain it for everyone.

[SachithKasthuriarachchi]

Hi @dan-slinky-ckpd @cmergenthaler you can use a deploy key as follows.

• Go to a separate directory and generate an SSH key pair using the following command. (No passphrase should be given when generating the SSH keypair)

ssh-keygen -t ecdsa-sha2-nistp256 -f identity -C "<some label>"

• It will create two files(identity and identity.pub) in your directory
• Add the content of ‘identity.pub’ as a deploy key in the github repository
• Then create the following secret in the cluster in flux-system namespace

kubectl create secret generic -n flux-system flux-system --from-file ./identity --from-literal=known_hosts="<use ssh-keyscan github.com and paste the ecdsa-sha2-nistp256 entry>"

• Apply the flux components manually to the cluster

This way you can avoid the use of a PAT

[joebowbeer]

Given that GitHub App is the recommended way to integrate with GitHub, I think Flux should be implementing this.

GitHub Apps are the recommended way to integrate with GitHub. GitHub Apps offer many advantages over OAuth apps, including: enhanced security features, like fine-grained permissions, choice over repository access, and short lived tokens. the ability to act independently of or on behalf of a user.

I think the list of advantages is even longer when comparing to deploy keys.

Looking forward to #4806 !