Configure Personal Access Token#
Let's add a few secrets that we will need to get our pipelines running. You can check secrets documentation to read more on these secrets.
Objectives#
- Generate a organization level PAT with the necessary permissions for pipeline integration.
- Securely store the GitHub PAT in Vault for added protection.
Key Results#
- Personal Access Token (PAT) with the specified permissions is generated successfully in the GitHub account.
- The GitHub PAT is securely stored in Vault and can be accessed only by authorized entities, enhancing security.
Prerequisites#
- Infra GitOps Repository is configured.
- Delivery Engineer added as the owner of root-tenant.
- Delivery Engineer added as a member of customer admin group. The customer admin group provides permission to deploy ArgoCD application in ArgoCD namespace.
- A GitHub user with access over all the repositories on GitHub. You can name this user
saap-bot
.
Tutorial#
Creating Personal Access Token#
-
Generate a Fine-grained Token (PAT) on GitHub.
-
Go to your GitHub account
settings
for the top-right corner on your profile. -
Navigate to
Developer settings
-
Go to
Personal access tokens
. -
From drop-down select
Fine-grained Tokens
. -
Click
Generate new token
. -
Provide a name for the token.
-
Select the
Resource owner
(your organization). -
Set Repository Access to
All Repositories
. -
Select the following scopes/permissions:
* Administration (Read only) * Commit status (Read only) * Contents (Read only) * Metadata (Read only) * Pull requests (Read and write) * Webhook (Read and write)
Note
Save the token cautiously, you'll need to save it in Vault
.
Adding Token to Vault#
Now that we have created the GitHub Token, we will store it in Vault.
Note
The delivery engineer should be part of the root-tenant. The root tenant makes sure that the delivery engineer is able to login to Vault with OIDC and is able to view the ArgoCD application created for bootstrapping Infra repository. Please contact SAAP team if you are unable to access Vault using OIDC method
Login to Vault to view
-
Access Vault from
Forecastle
console, searchVault
and open theVault
tile. -
From the drop-down menu under
Method
, selectOIDC
and click onSign in with OIDC Provider
. -
You will be brought to the
Vault
console. You should seecommon-shared-secrets
folder. -
Click on
common-shared-secrets
. -
You will now be brought to the
secrets
and theconfigurations
. Click oncreate secret
. -
Let's create a
git-pat-creds
secret for our webhook secret. Write the name of the secret inpath
which isgit-pat-creds
. Addsecret data
- key:
username
, value: (GitHub username). - key:
password
, value (Newly created PAT). Hit save.
- key:
Adding External Secret#
Since we want the git-pat-creds
secret to be deployed in all of the tenant namespaces, we will use a multi-tenant-operator template to deploy it.
-
Open up the
infra-gitops-config
repository that we have already bootstrapped. -
Open the
tenant-operator-config
folder and create atemplates
folder inside it.
- Now create a file named
git-pat-creds-template.yaml
and add the following content.
apiVersion: tenantoperator.stakater.com/v1alpha1
kind: Template
metadata:
name: git-pat-creds
resources:
manifests:
- apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: git-pat-creds
spec:
dataFrom:
- extract:
conversionStrategy: Default
key: git-pat-creds
refreshInterval: 1m0s
secretStoreRef:
kind: SecretStore
name: tenant-vault-shared-secret-store
target:
name: git-pat-creds
- Create another file named
git-pat-creds-tgi.yaml
and add the below content.
apiVersion: tenantoperator.stakater.com/v1alpha1
kind: TemplateGroupInstance
metadata:
name: git-pat-creds
spec:
template: git-pat-creds
selector:
matchExpressions:
- key: stakater.com/kind
operator: In
values: [ build, pr ]
sync: true
- Lets see our Template and TGI in ArgoCD. Open up ArgoCD and look for
tenant-operator-config
application. You should be able to see your Template and TGI deployed.