|
| 1 | +--- |
| 2 | +title: Extend GitHub token scope to a list of provided repositories within and outside namespaces |
| 3 | +authors: |
| 4 | + - "@savita" |
| 5 | +creation-date: 2023-04-17 |
| 6 | +status: implementable |
| 7 | +--- |
| 8 | + |
| 9 | +# Extend GitHub token scope to a list of provided repositories within and outside namespaces |
| 10 | + |
| 11 | +## Summary |
| 12 | + |
| 13 | +The proposal helps user to scope GitHub token to a list of provided repositries which exist in same namespace(By providing configuration at Repository level) as well as different namespace(Global Configuration). |
| 14 | + |
| 15 | +## Motivation/UseCase |
| 16 | + |
| 17 | +Their is a use case where CI Repos Differ from CD Repos, and the teams would like the generated GitHub Token from Pipelines As Code to allow control over these secondary repos, even if they were not the one triggering the pipeline. |
| 18 | + |
| 19 | +Ex: |
| 20 | + |
| 21 | +CD Repos are private and CI Repos have `.tekton/pr.yaml` and payload coming from CI repos where pr.yaml fetches some tasks from CD Repos which is Private. |
| 22 | + |
| 23 | +story : |
| 24 | + |
| 25 | +<https://issues.redhat.com/browse/SRVKP-2911> |
| 26 | + |
| 27 | +## Proposal |
| 28 | + |
| 29 | +There are 2 ways to scope GH token to a list of provided Repos |
| 30 | + |
| 31 | +1. Scoping GH token to a list of Repos provided by global configuration |
| 32 | +2. Scoping GH token to a list of Repos provided by Repository level configuration |
| 33 | + |
| 34 | +**Pre-requisite:** |
| 35 | + |
| 36 | + Disable `secret-github-app-token-scoped` to `false` from `pipelines-as-code` configmap in order to scope GH token to private and public repos listed under Global and Repo level configuration. |
| 37 | + |
| 38 | +### Scoping GH token to a list of Repos provided by global configuration |
| 39 | + |
| 40 | +* When list of Repos provided by global configuration then scope all those Repos by a Github Token irrespective of the namespaces. |
| 41 | + |
| 42 | +* The configuration exist in `pipelines-as-code` configmap. |
| 43 | + |
| 44 | +* The key which used to have list of Repos is `secret-github-app-scope-extra-repos` |
| 45 | + |
| 46 | + Ex: |
| 47 | + |
| 48 | + ``` |
| 49 | + apiVersion: v1 |
| 50 | + data: |
| 51 | + secret-github-app-scope-extra-repos: "owner2/project2, owner3/project3" |
| 52 | + kind: ConfigMap |
| 53 | + metadata: |
| 54 | + name: pipelines-as-code |
| 55 | + namespace: pipelines-as-code |
| 56 | + ``` |
| 57 | + |
| 58 | +### Scoping GH token to a list of Repos provided by Repository level configuration |
| 59 | + |
| 60 | +* Scope token to a list of Repos provided by `repo_list_to_scope_token` spec configuration within the Repository custom resource |
| 61 | + |
| 62 | +* Repos can be private or public |
| 63 | + |
| 64 | + ``` |
| 65 | + apiVersion: "pipelinesascode.tekton.dev/v1alpha1" |
| 66 | + kind: Repository |
| 67 | + metadata: |
| 68 | + name: test |
| 69 | + namespace: test-repo |
| 70 | + spec: |
| 71 | + url: "https://github.com/linda/project" |
| 72 | + repo_list_to_scope_token: |
| 73 | + - "owner/project" |
| 74 | + - "owner1/project1" |
| 75 | + ``` |
| 76 | + |
| 77 | + Now PAC will read `test` Repository custom resource and scope token to `owner/project`, `owner1/project1` and `linda/project` as well |
| 78 | + |
| 79 | + **Note:** |
| 80 | + |
| 81 | + 1. Both `owner/project` and `owner1/project1` Repository should be in same namespace where `test` Repository exist which is `test-repo` ns. |
| 82 | + |
| 83 | + 2. If any one of the `owner/project` or `owner1/project1` doesn't exist then scoping token will fail |
| 84 | + |
| 85 | + Ex: |
| 86 | + |
| 87 | + If `owner1/project1` does not exist in the namespace |
| 88 | + |
| 89 | + Then below error will be displayed |
| 90 | + |
| 91 | + ``` |
| 92 | + repo owner1/project1 does not exist in namespace test-repo |
| 93 | + ``` |
| 94 | +
|
| 95 | +### Scenarios when both global and Repo level configurations provided |
| 96 | +
|
| 97 | +1. When Repos are provided by both `secret-github-app-scope-extra-repos` and `repo_list_to_scope_token` then token will be scoped to all the Repos from both configuration |
| 98 | +
|
| 99 | + Ex: |
| 100 | +
|
| 101 | + * List of Repos provided by `secret-github-app-scope-extra-repos` in cm |
| 102 | +
|
| 103 | + ``` |
| 104 | + apiVersion: v1 |
| 105 | + data: |
| 106 | + secret-github-app-scope-extra-repos: "owner2/project2, owner3/project3" |
| 107 | + kind: ConfigMap |
| 108 | + metadata: |
| 109 | + name: pipelines-as-code |
| 110 | + namespace: pipelines-as-code |
| 111 | + ``` |
| 112 | +
|
| 113 | + * List of Repos provided by `repo_list_to_scope_token` in Repository spec |
| 114 | +
|
| 115 | + ``` |
| 116 | + apiVersion: "pipelinesascode.tekton.dev/v1alpha1" |
| 117 | + kind: Repository |
| 118 | + metadata: |
| 119 | + name: test |
| 120 | + namespace: test-repo |
| 121 | + spec: |
| 122 | + url: "https://github.com/linda/project" |
| 123 | + repo_list_to_scope_token: |
| 124 | + - "owner/project" |
| 125 | + - "owner1/project1" |
| 126 | + ``` |
| 127 | +
|
| 128 | + Now the GH token will be scoped to `owner/project`, `owner1/project1`, `owner2/project2`, `owner3/project3`, `linda/project` |
| 129 | +
|
| 130 | +2. If only Global `secret-github-app-scope-extra-repos` set then token will be scoped to all the provided repos |
| 131 | +
|
| 132 | +3. If only repos are provided by Repository spec using `repo_list_to_scope_token` then token will be scoped to all provided repos only when all repos exist in the same namespace where Repository created. |
| 133 | +
|
| 134 | +4. If no Github App is installed for the provided Repos in both global and repo level configuration then scoping token will fail with below error |
| 135 | +
|
| 136 | +``` |
| 137 | +failed to scope token to repositories in namespace article-pipelines with error : could not refresh installation id 36523992's token: received non 2xx response status \"422 Unprocessable Entity\" when fetching https://api.github.com/app/installations/36523992/access_tokens: Post \"https://api.github.com/repos/savitaashture/article/check-runs\ |
| 138 | +``` |
| 139 | +
|
| 140 | +5. If repos are given by `repo_list_to_scope_token` or `secret-github-app-scope-extra-repos` failed to scope token for any reason then CI will not run. |
| 141 | +
|
| 142 | +6. repo `owner5/project5` is given globally as well as at Repo level using `secret-github-app-scope-extra-repos` and `repo_list_to_scope_token` |
| 143 | +
|
| 144 | + Ex: |
| 145 | +
|
| 146 | + ``` |
| 147 | + apiVersion: v1 |
| 148 | + data: |
| 149 | + secret-github-app-scope-extra-repos: "owner5/project5" |
| 150 | + kind: ConfigMap |
| 151 | + metadata: |
| 152 | + name: pipelines-as-code |
| 153 | + namespace: pipelines-as-code |
| 154 | + ``` |
| 155 | +
|
| 156 | + ``` |
| 157 | + apiVersion: "pipelinesascode.tekton.dev/v1alpha1" |
| 158 | + kind: Repository |
| 159 | + metadata: |
| 160 | + name: test |
| 161 | + namespace: test-repo |
| 162 | + spec: |
| 163 | + url: "https://github.com/linda/project" |
| 164 | + repo_list_to_scope_token: |
| 165 | + - "owner5/project5" |
| 166 | + ``` |
| 167 | +
|
| 168 | + still failed to scope token with below error |
| 169 | + ``` |
| 170 | + repo owner5/project5 does not exist in namespace test-repo |
| 171 | + ``` |
| 172 | + because `owner5/project5` doesn't exist in namespace `test-repo`. |
| 173 | +
|
0 commit comments