-
Notifications
You must be signed in to change notification settings - Fork 140
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for accessing internal repositories with tokens #519
Comments
Is this issue already relevant to the project? Also, could you give more details about the automation part? |
thought: Not sure if I'm the one that should answer these questions, but I will try. For me, this issue is still relevant. util_test.go describes the flow, urrently when we want to check out the given repo to scan it. There are few steps.
In case of support for GitLab tokens Instead of
In case of
For
Variable names are added just as an example. I'm not sure how the current project naming convention looks. Also not included test specification in this answer. Please correct me if I get anything wrong. |
@szymonwyrwiak after some deep dive in the source code I just realized that you can do what you want without any modification!! huskyci-report:
image: docker-registry/huskyci-client:<tag>
variables:
HUSKYCI_CLIENT_REPO_URL: https://<username>:<deploy_token>@gitlab.example.com/your_repository.git
HUSKYCI_CLIENT_REPO_BRANCH: main
HUSKYCI_CLIENT_API_ADDR: <huskyci_url>
HUSKYCI_CLIENT_API_USE_HTTPS: "true"
script:
- scan You can do something like: huskyci-report:
image: docker-registry/huskyci-client:<tag>
variables:
HUSKYCI_CLIENT_REPO_BRANCH: main
HUSKYCI_CLIENT_API_ADDR: <huskyci_url>
HUSKYCI_CLIENT_API_USE_HTTPS: "true"
script:
- HUSKYCI_CLIENT_REPO_URL="$CI_SERVER_PROTOCOL://$CI_DEPLOY_USER:$CI_DEPLOY_PASSWORD@$CI_SERVER_URL/$CI_PROJECT_PATH.git"
- scan Of course, if you know which protocol to use and what's your instance URL you can make something shorter!
The reason I'm saying that solution works is because husky injects your repo url directly in the command, example here, if you not set Is that work for you? |
Oh, now I see the problem! Sorry, the problem is to get the dependencies for a project in golang! But the same approach from above should work:
Maybe we just need to change the env variable name! |
Ok, for formatting reasons that idea above not possible (it adds and Now I'm thinking, maybe it's not worth for you to use an environment variable like that! I have an idea (maybe it's your original idea 😆), we modify both client and server to send/receive another param like WDYT @szymonwyrwiak?? I'd like to invite @rafaveira3 to this discussion too since he's the person who have more commits therefore more context! |
The idea with the I want to avoid a situation where we are adding support only for one case without considering the broad picture. It can introduce technical debt down the way. With the current dev landscape, it would be great to have something that can support cloud-based deployment. In these models, usually, there will be token injection, and this token will be short-lived. It may broaden our evaluation where we are adding the possibility to construct URL and header simultaneously. URL is a required parameter, and the header is an optional one. Then we will have to evaluate if the current case is:
And based on it, act accordingly. With all this in mind, we cannot make any decision without inviting @rafaveira3 As for business cases, you are probably aware that people already wrap huskyCI and add pricing for their services. I remember @edersonbrilhante showing it to me once. If we add support for all cases mentioned above, we will enable cloud services to add huskyCI as a base for scanning activities that they offer. It will be their decision, but changes in this area can lead to that outcome. In this answer, I avoided business case creation where we try to specify how to access will work, for example, in AWS with STS, IAM usage, etc. For now, it would be easier to focus on different authentication schemas that we can support and keep standards in mind. |
AFIK GitHub supports this pattern too: |
@szymonwyrwiak I've just tested both, |
Motivation
In our current setup, we are using SaaS Gitlab where all projects are private. In that case, huskyCI is always accessing internal repositories. A current approach where SSH key is used is not the preferred option.
We will have a lot of different teams to add their SSH keys and we don't have service users. It's hard to manage personal keys without service users for more than 500 repositories so we prefer access through tokens with a set expiration date.
It would be great if
We add support for accessing internal repositories through tokens like:
Then we may add automation through API and create tokens as needed.
What we expect
We suggest adding a new environment variable that can be defined inside CI/CD
Tips
The text was updated successfully, but these errors were encountered: