Github: Using deployment key without a PAT after bootstrapping

[mbaeuerle]

We would like to get rid of the PAT, or more specifically remove the connection between the PAT and the deploy key.
The PAT is bound to a user and when this user deletes his access token or the token expires the deploy key will also be removed (see also info box "Deploy key" in the docs).
At that moment the whole CD process will be broken.

So I tried the following workaround and it seems to work. My question would be if this is advisable, or do you see any issue with this approach?

1. Bootstrap Flux with a PAT
2. Copy the public key from the k8s secret flux-system
3. Remove the deploy key created by Flux (as there only can exist one key with the same content)
4. Add the copied public key as a new deployment key
5. Remove PAT, deploy key will not be removed as it is no longer bound to PAT

As only the deploy key is known to the K8s cluster and not the PAT, all functionality should still work exactly like before. Is this correct?

[stefanprodan]

You can delete the flux-system secret after bootstrap, then generate a new deploy key with flux create secret git flux-system. This command will generate a private key, a public key and knownhost keys, it saves them all in-cluster then prints the public key.\

PS. I've added the above procedure to the docs in this PR fluxcd/website#912

[mbaeuerle]

Thank you very much for this fast answer and showing an even better approach!

[plaes]

Seems like switching from Github PAT to ssh keys is not just delete key and generate new, as in my case I also had to switch the repository URL from https:// to ssh://.
After some fiddling I had to do following:

• Update GitRepository in the git repo from https://... -> ssh://git@github.com/$user/$repo.git, reconcile so you won't be locked out...
• Delete secrets in kubernetes and regenerate them for the new URL
• Add key to repository deployment keys and reconcile again...
• (Not sure if needed with the steps given previously): kubectl edit gitrepositories -n flux-system flux-system -o yaml and fix the repository URL in the k8s objects

And if you have flux setup spanning across multiple repositories, picking up existing ssh key oneliner:
kubectl get secret -n flux-system flux-system -oyaml |yq '.data."identity.pub"' | base64 -d

[stefanprodan]

These are the steps using flux bootstrap:

gh repo deploy-key add ~/.ssh/flux.pub -w
kubectl -n flux-system delete secret flux-system
flux bootstrap git --url=ssh://git@github.com/<org>/<repository> --private-key-file ~/.ssh/flux