Support for private repos about openfaas-cloud HOT 12 CLOSED

@tpiskula -- I'm also interested in getting this to work; if you put up a WIP; I may have a little bandwidth to help out -- so feel free to ping me or post here.

from openfaas-cloud.

@alexellis it shouldn't be difficult to programatically do it in go, I could probably knock something up to do it

from openfaas-cloud.

I can confirm that cloning works with an installation id + auth token generated with the GitHub app's private key.

I made my sofia-test1 repo private, then observed a token from the logs of github-status (adding debug_token env-var to make this print out)

$ git clone https://INSTALLATION:[email protected]/alexellis/sofia-test1
Cloning into 'sofia-test1'...
remote: Counting objects: 144, done.
remote: Compressing objects: 100% (126/126), done.
remote: Total 144 (delta 63), reused 11 (delta 0), pack-reused 0
Receiving objects: 100% (144/144), 27.75 KiB | 0 bytes/s, done.
Resolving deltas: 100% (63/63), done.
Checking connectivity... done.

from openfaas-cloud.

Hi @tpiskula the roadmap is represented in GitHub issues at the moment - there's lots of ways you can get involved with testing and building out the project. I think the idea of private repos would be a great addition to OpenFaaS Cloud.

Here's instructions for how to join Slack where we also have a private demo of a shared/hosted OpenFaaS cloud - http://docs.openfaas.com/community/

from openfaas-cloud.

I've looked into private repos and I think there is a good option for pulling / cloning. If you add a "Deploy Key" to the repo then you can clone over SSH. This does need a public/private key-pair for every repo supported - unfortunately GitHub won't allow one deploy key to be added to multiple repos.

I think this means that OpenFaaS Cloud needs to generate a key/pair for each user and repo - this could potentially be done via the API if OpenFaaS Cloud is given repository administration access via https://github.com/google/go-github/blob/master/github/repos_keys.go

We'd also need to check whether the key already existed and use a name to index it.

We can find out whether a repo is private by looking for X-GitHub-Event: installation_repositories:

  "repositories_added": [
    {
      "id": 133999179,
      "name": "my-fn",
      "full_name": "alexellis/my-fn",
      "private": true
    }
  ],

from openfaas-cloud.

OpenFaaS private repo flow.pdf.pdf

Attaching workflow/design.

We will need to generate private/public key-pairs for each repo we manage. These have to be stored for future use and the public key must be installed on the GitHub repo needing additional OAuth Scopes.

from openfaas-cloud.

Workflow looks good!
I imagine it something like:
Authorize Github Account -> Select Repo -> If repo is private, install Deploy Key via API and save it somewhere -> Run CI/CD, run CI/CD on every push (maybe allow filter on branch?)
Where would you suggest to store the generated keys?
In a k8s secret?

from openfaas-cloud.

This part (Authorize Github Account) is done via the installation event when you click to install the GitHub app on your repo in the GitHub UI.

Run CI/CD is triggered on the push.

I think we have to store them in K8s secrets, possibly SealedSecrets could be useful for us too.

The other alteration needed is to:

• connect installation event via github-event function
• generate the keys in Go or via ssh-keygen CLI cc @affix
• store keys against repos
• pull in a private key on demand
• change from git clone https:// to git clone git:// with the private key in scope.
• handle installation removed event and de-provision keys when needed

from openfaas-cloud.

I'm looking for someone to take on the task incrementally. We have at least a couple of people ready to test it too. Keiran if you can start work on the implementation that would be great.

from openfaas-cloud.

This looks promising - I think we can use the existing auth mechanism to clone the code from a private repo over HTTP, but I'd like someone to validate the idea first.

https://developer.github.com/apps/differences-between-apps/#git-access

It would mean avoiding creating and storing deploy keys per repo.

from openfaas-cloud.

@tpiskula @shaunc @affix I'll try to check that and help with it :-)

from openfaas-cloud.

Next we need to start parsing whether a repo is private or not and passing that through the stack. If we encounter a repo which is private, then we should clone with an auth token. That should be about all that is needed.

from openfaas-cloud.