-
Bootstrap uses a GitLab PAT to clone the repo locally and push upstream the Flux manifests. After that it generates an SSH key, then uses the SSH public key to set it as a Deploy key using the PAT. I'm not sure I understand how a Deploy token would work. Is it a replacement for the PAT? Does it allow write access?
-
One shortcoming of deploy tokens is that they work over HTTP-git only; SSH-git is not supported. Are there any Flux features that rely on an SSH GitRepository source?
-
I think the one major difference in a CD context between Deploy Key and Deploy Token is permissions. Deploy Key is limited to repository access whereas Deploy Token can allow multiple permissions related to deployments, such as private container registry and package registry, so that users can consolidate multiple access secrets into one.
-
Most users rely on SSH for bootstrap, also we have lots of GitLab users who disabled HTTP/S access from the cluster, and only allow SSH. Given this, I think we can add a
-
I created https://gitlab.com/gitlab-org/gitlab/-/issues/392605 to track the work at GitLab
-
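Hello!
Creating a deploy token (not key) with --deploy-token-auth works fine, but is always read-only, i.e. scope read_repository and not write_repository. Maybe this argument should also observe the --read-write-key flag; it's confusing for the token to be read-only if this flag is provided.
We need write access for image update automations.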
-
Stefan is right. Deploy tokens don't support repository writes.
I'll open a doc update PR if nobody beats me to it.
-------- Original message --------
On Apr 23, 2024, at 16:19, wvh wrote:
Hello!
Creating a deploy token (not key) with --deploy-token-auth works fine, but is always read-only, i.e. scope read_repository and not write_repository. Maybe this argument should also observe the --read-write-key flag; it's confusing for the token to be read-only if this flag is provided.
We need write access for image update automations.
-
Today, Flux bootstrap (and the Terraform provider docs) uses GitLab Deploy Keys to access GitLab repositories.
GitLab offers GitLab tokens that already work with Flux, and might be better suited for Flux.
Was there any consideration behind going with Deploy Keys instead of Deploy Tokens? Would you be open to a PR that switches GitLab bootstrap to Deploy tokens?