feat: Support loading git token from disk #4928
Open
+121
−42
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
meringu
requested review from
GenPage,
lukemassa and
X-Guardian
and removed request for
a team
github-actions
bot
added
docs
meringu
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
what
Adds a
gh-token-fileserver setting that can be used instead ofgh-token. The token is read from disk as part of the GitHub client transport, allowing the token to be rotated without needing to restart the Atlantis process. I've also re-used the.git-credentialstoken rotator from the GitHub app integration to ensure thatwrite-git-credswill update the.git-credentialsfile as thegh-token-fileis updated.why
We run about ~150 Atlantis instances in our organisation in our GitHub org. GitHub have a hard limit on 100 GitHub apps per org, and charge a seat per service account user. To get around these challenges we have developed a GitHub app which issues scoped token for each Atlantis and loads them as Kubernetes secrets. The app is also responsible for forwarding and re-signing the webhooks with per instance webhook secrets to the correct Atlantis instance. I'd potentially be interested in opening the source code for this app if there is interest. There are still a few issues we are working through, like this one, and it is currently in a complicated relationship with Keda.
We run Atlantis as a GitHub app, but configure it with short term credentials to run as a GitHub user. The tokens only last one hour, so we manage restarts as part of scale-to-zero to ensure that Atlantis is always running with a valid token.
If the Atlantis instance fails to restart within an hour due to high activity or long running plan or applies, the commands will finish, but results will fail to be commented back to the GitHub pull request.
With this change we can load the token from disk, and as our GitHub app rotates the token, it is immediately picked up by the running Atlantis instance, allowing it to run uninterrupted for longer periods of time.
tests
I ran an apply with the follow Terraform that used to fail to comment back:
I also ran some
catcommands agains the.git-credentialsfile with--write-git-credswas specified to ensure that it was getting updated as the token was being rotated.references