Merge pull request #21 from ec2dream/master

helm chart and code enhancements

Author: moutonjeremy

README.md

@@ -8,12 +8,21 @@ github-actions-exporter for prometheus
 Container image : https://hub.docker.com/repository/docker/spendeskplatform/github-actions-exporter
 
 ## Information
-If you want to monitor a public repository, you must put the public_repo option in the repo scope of your github token.
+If you want to monitor a public repository, you must put the public_repo option in the repo scope of your github token or Github App Authentication.
+
+## Authentication 
+
+Authentication can either via a Github Token or the Github App Authentication 3 parameters. When installing via the Helm Chart the authentication is provided via a secret.
+
+
 
 ## Options
 | Name | Flag | Env vars | Default | Description |
 |---|---|---|---|---|
-| Github Token | github_token, gt | GITHUB_TOKEN | - | Personnal Access Token |
+| Github Token | github_token, gt | GITHUB_TOKEN | - | Personnel Access Token |
+| Github App Id | app_id, gai | GITHUB_APP_ID |  | Github App Authentication App Id |
+| Github App Installation Id | app_installation_id, gii | GITHUB_APP_INSTALLATION_ID | - | Github App Authentication Installation Id |
+| Github App Private Key | app_private_key, gpk | GITHUB_APP_PRIVATE_KEY | - | Github App Authentication Private Key |
 | Github Refresh | github_refresh, gr | GITHUB_REFRESH | 30 | Refresh time Github Actions status in sec |
 | Github Organizations | github_orgas, go | GITHUB_ORGAS | - | List all organizations you want get informations. Format \<orga1>,\<orga2>,\<orga3> (like test1,test2) |
 | Github Repos | github_repos, grs | GITHUB_REPOS | - | List all repositories you want get informations. Format \<orga>/\<repo>,\<orga>/\<repo2>,\<orga>/\<repo3> (like test/test) |
@@ -166,8 +175,28 @@ Example:
 github_workflow_usage_seconds{id="2862037",name="Create Release",node_id="MDg6V29ya2Zsb3cyODYyMDM3",repo="xxx/xxx",state="active",os="UBUNTU"} 706.609
 ```
 
+## Setting up authentication with GitHub API
+
+There are two ways for github-actions-exporter to authenticate with the GitHub API (only 1 can be configured at a time however):
+
+1. Using a GitHub App (not supported when you use Github Enterprise )
+2. Using a Personal Access Token
+
+Functionality wise, there isn't much of a difference between the 2 authentication methods. The primarily benefit of authenticating via a GitHub App is an [increased API quota](https://docs.github.com/en/developers/apps/rate-limits-for-github-apps).
+
+If you are deploying the solution for a GitHub Enterprise Server environment you are able to [configure your rate limiting settings](https://docs.github.com/en/enterprise-server@3.0/admin/configuration/configuring-rate-limits) making the main benefit irrelevant. If you're deploying the solution for a GitHub Enterprise Cloud or regular GitHub environment and you run into rate limiting issues, consider deploying the solution using the GitHub App authentication method instead.
+
+### Deploying using GitHub App Authentication
+
+You can create a GitHub App for either your account or any organization. If you want to create a GitHub App for your account, open the following link to the creation page, enter any unique name in the "GitHub App name" field, and hit the "Create GitHub App" button at the bottom of the page.
+
+- [Create GitHub Apps on your account](https://github.com/settings/apps/new?url=http://github.com/actions-runner-controller/actions-runner-controller&webhook_active=false&public=false&administration=write&actions=read)
+
+If you want to create a GitHub App for your organization, replace the `:org` part of the following URL with your organization name before opening it. Then enter any unique name in the "GitHub App name" field, and hit the "Create GitHub App" button at the bottom of the page to create a GitHub App.
+
+- [Create GitHub Apps on your organization](https://github.com/organizations/:org/settings/apps/new?url=http://github.com/actions-runner-controller/actions-runner-controller&webhook_active=false&public=false&administration=write&organization_self_hosted_runners=write&actions=read)
 
-## Github Token configuration
+### Github Token configuration
 
 Scopes needed configuration for the Github token
 
@@ -181,3 +210,62 @@ admin:org
   - write:org
   - read:org
 ```
+
+### Authentication Errors
+
+#### Invalid Github Token 
+ if token is invalid then `401 Bad credentials` will be returned on github API error and displayed in an error message. 
+
+#### Invalid Github App configuration 
+ if the app id or app installation id value is incorrect then messages like the following are displayed:
+ ```
+ could not refresh installation id 12345678's token: request &{Method:POST URL:https://api.github.com/app/installations/12345678/access_tokens
+ ``` 
+
+ if the github_app_private_key is incorrect then errors like the following are displayed. 
+ ```
+  Error: Client creation failed.authentication failed: could not parse private key: Invalid Key: Key must be PEM encoded PKCS1 or PKCS8 private ke
+ ```
+
+###  Secret actions-exporter 
+
+In the kubernetes deployment authentication is passed via a kubernetes secret: 
+
+```
+kind: Secret
+apiVersion: v1
+metadata:
+  name: actions-exporter
+  namespace: github-actions-exporter
+type: Opaque
+data:
+  github_token: AAAAAA
+#  github_app_id: BBBBBB
+#  github_app_installation_id: CCCCCCCCC
+#  github_app_private_key: DDDDDDD
+```
+
+Or more probably using an external secret manager. Here is an example of using External Secrets with the EKS Secret Manager to define the authentication in a secret: 
+
+```
+apiVersion: 'kubernetes-client.io/v1'
+kind: ExternalSecret
+metadata:
+  name: actions-exporter
+  namespace: github-actions-exporter
+spec:
+  backendType: secretsManager
+  data:
+ #   - key: MySecretManagerKey
+ #     name: github_token
+ #     property: github_token
+    - key: MySecretManagerKey
+      name: github_app_id
+      property: github_app_id
+    - key: MySecretManagerKey
+      name: github_app_installation_id
+      property: github_app_installation_id
+  # separate plaintext aws secret needed for ssh key
+    - key: MySecretManagerKeyPrivateKey
+      name: github_app_private_key
+```

deploy/helm-chart/github-actions-exporter/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

deploy/helm-chart/github-actions-exporter/Chart.yaml

@@ -0,0 +1,14 @@
+apiVersion: v2
+name: github-actions-exporter
+description: github-actions exporter for prometheus
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.4
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: 1.8.0

deploy/helm-chart/github-actions-exporter/templates/NOTES.txt

@@ -0,0 +1,52 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "github-actions-exporter.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "github-actions-exporter.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "github-actions-exporter.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "github-actions-exporter.labels" -}}
+helm.sh/chart: {{ include "github-actions-exporter.chart" . }}
+{{ include "github-actions-exporter.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "github-actions-exporter.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "github-actions-exporter.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

deploy/helm-chart/github-actions-exporter/templates/_helpers.tpl

@@ -0,0 +1,89 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "github-actions-exporter.fullname" . }}
+  labels:
+    {{ include "github-actions-exporter.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      {{ include "github-actions-exporter.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+    {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      labels:
+        app: {{ template "github-actions-exporter.name" . }}
+        release: {{ .Release.Name }}
+        {{ include "github-actions-exporter.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          env:
+          {{- range $name, $value := .Values.env }}
+          {{- if not (empty $value) }}
+          - name: {{ $name | quote }}
+            value: {{ $value | quote }}
+          {{- end }}
+          {{- end }}
+          - name: GITHUB_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.secret.name }}
+                key: github_token
+                optional: true
+          - name: GITHUB_APP_ID
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.secret.name }}
+                key: github_app_id
+                optional: true
+          - name: GITHUB_APP_INSTALLATION_ID
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.secret.name }}
+                key: github_app_installation_id
+                optional: true
+          - name: GITHUB_APP_PRIVATE_KEY
+            value: /etc/actions-exporter/github_app_private_key
+          volumeMounts:
+          - name: actions-exporter
+            mountPath: "/etc/actions-exporter"
+            readOnly: true
+          ports:
+            - name: http
+              containerPort: {{ .Values.env.PORT }}
+              protocol: TCP
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      volumes:
+      - name: actions-exporter
+        secret:
+          secretName: {{ .Values.secret.name }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

deploy/helm-chart/github-actions-exporter/templates/deployment.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "github-actions-exporter.fullname" . }}
+  labels:
+    app: {{ template "github-actions-exporter.name" . }}
+    release: {{ .Release.Name }}
+    {{- include "github-actions-exporter.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.env.PORT }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "github-actions-exporter.selectorLabels" . | nindent 4 }}

deploy/helm-chart/github-actions-exporter/templates/service.yaml

@@ -0,0 +1,43 @@
+{{- if $.Values.serviceMonitor }}
+{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) ( .Values.serviceMonitor.enabled ) }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+{{- if .Values.serviceMonitor.labels }}
+  labels:
+{{ toYaml .Values.serviceMonitor.labels | indent 4}}
+{{- end }}
+  name: {{ template "github-actions-exporter.fullname" . }}
+{{- if .Values.serviceMonitor.namespace }}
+  namespace: {{ .Values.serviceMonitor.namespace }}
+{{- end }}
+spec:
+  endpoints:
+  - targetPort: {{ .Values.service.port }}
+{{- if .Values.serviceMonitor.interval }}
+    interval: {{ .Values.serviceMonitor.interval }}
+{{- end }}
+    path: /metrics
+{{- if .Values.serviceMonitor.timeout }}
+    scrapeTimeout: {{ .Values.serviceMonitor.timeout }}
+{{- end }}
+{{- if .Values.serviceMonitor.metricRelabelings }}
+    metricRelabelings:
+{{ toYaml .Values.serviceMonitor.metricRelabelings | indent 4 }}
+{{- end }}
+  jobLabel: {{ template "github-actions-exporter.fullname" . }}
+  namespaceSelector:
+    matchNames:
+    - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      app: {{ template "github-actions-exporter.name" . }}
+      release: {{ .Release.Name }}
+{{- if .Values.serviceMonitor.targetLabels }}
+  targetLabels:
+{{- range .Values.serviceMonitor.targetLabels }}
+    - {{ . }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}