|
1 | 1 | --- |
2 | 2 | title: GitHub and GitHub Enterprise |
3 | 3 | linkTitle: GitHub |
4 | | -description: "How to bootstrap Flux with GitHub" |
| 4 | +description: "How to bootstrap Flux with GitHub and GitHub Enterprise" |
5 | 5 | weight: 20 |
6 | 6 | --- |
7 | 7 |
|
8 | | -The `bootstrap github` command creates a GitHub repository if one doesn't exist and |
9 | | -commits the Flux components manifests to specified branch. Then it |
10 | | -configures the target cluster to synchronize with that repository by |
11 | | -setting up an SSH deploy key or by using token-based authentication. |
| 8 | +The [flux bootstrap github](/flux/cmd/flux_bootstrap_github/) command deploys the Flux controllers |
| 9 | +on a Kubernetes cluster and configures the controllers to sync the cluster state from a GitHub repository. |
| 10 | +Besides installing the controllers, the bootstrap command pushes the Flux manifests to the GitHub repository |
| 11 | +and configures Flux to update itself from Git. |
12 | 12 |
|
13 | | -Generate a [personal access token](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line) |
14 | | -(PAT) that can create repositories by checking all permissions under `repo`. If |
15 | | -a pre-existing repository is to be used the PAT's user will require `admin` |
16 | | -[permissions](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role) |
17 | | -on the repository in order to create a deploy key. |
| 13 | +After running the bootstrap command, any operation on the cluster (including Flux upgrades) |
| 14 | +can be done via Git push, without the need to connect to the Kubernetes cluster. |
18 | 15 |
|
19 | | -Export your GitHub personal access token as an environment variable: |
| 16 | +{{% alert color="danger" title="Required permissions" %}} |
| 17 | +To bootstrap Flux, the person running the command must have **cluster admin rights** for the target Kubernetes cluster. |
| 18 | +It is also required that the person running the command to be the **owner** of the GitHub repository, |
| 19 | +or to have admin rights of a GitHub organization. |
| 20 | +{{% /alert %}} |
| 21 | + |
| 22 | +## GitHub PAT |
| 23 | + |
| 24 | +For accessing the GitHub API, the boostrap command requires a GitHub personal access token (PAT) |
| 25 | +with **admin permission**. |
| 26 | + |
| 27 | +The GitHub PAT can be exported as an environment variable: |
20 | 28 |
|
21 | 29 | ```sh |
22 | | -export GITHUB_TOKEN=<your-token> |
| 30 | +export GITHUB_TOKEN=<gh-token> |
23 | 31 | ``` |
24 | 32 |
|
| 33 | +If the `GITHUB_TOKEN` env var is not set, the bootstrap command will promote you to type it the token. |
| 34 | + |
| 35 | +You can also supply the token using a pipe e.g. `echo "<gh-token>" | flux bootstrap github`. |
| 36 | + |
| 37 | +## GitHub Personal Account |
| 38 | + |
| 39 | +If you want to bootstrap Flux for a repository owned by a personal account, you can generate a |
| 40 | +[GitHub PAT](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line) |
| 41 | +that can create repositories by checking all permissions under `repo`. |
| 42 | + |
| 43 | +If you want to use an existing repository, the PAT's user must have `admin` |
| 44 | +[permissions](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role). |
| 45 | + |
25 | 46 | Run the bootstrap for a repository on your personal GitHub account: |
26 | 47 |
|
27 | 48 | ```sh |
28 | 49 | flux bootstrap github \ |
| 50 | + --token-auth \ |
29 | 51 | --owner=my-github-username \ |
30 | | - --repository=my-repository \ |
| 52 | + --repository=my-repository-name \ |
| 53 | + --branch=main \ |
31 | 54 | --path=clusters/my-cluster \ |
32 | 55 | --personal |
33 | 56 | ``` |
34 | 57 |
|
35 | | -{{% alert color="info" title="Deploy key" %}} |
36 | | -The bootstrap command creates an SSH key which it stores as a secret in the |
37 | | -Kubernetes cluster. The key is also used to create a deploy key in the GitHub |
38 | | -repository. The new deploy key will be linked to the personal access token used |
39 | | -to authenticate. **Removing the personal access token will also remove the deploy key.** |
| 58 | +If the specified repository does not exist, Flux will create it for you as private. If you wish to create |
| 59 | +a public repository, set `--private=false`. |
| 60 | + |
| 61 | +When using `--token-auth`, the CLI and the Flux controllers running on the cluster will use the GitHub PAT |
| 62 | +to access the Git repository over HTTPS. |
| 63 | + |
| 64 | +{{% alert color="danger" title="PAT secret" %}} |
| 65 | +Note that the GitHub PAT is stored in the cluster as a **Kubernetes Secret** named `flux-system` |
| 66 | +inside the `flux-system` namespace. If you want to avoid storing your PAT in the cluster, |
| 67 | +please see how to configure [GitHub Deploy Keys](#github-deploy-keys). |
40 | 68 | {{% /alert %}} |
41 | 69 |
|
| 70 | +## GitHub Organization |
| 71 | + |
| 72 | +If you want to bootstrap Flux for a repository owned by an GitHub organization, |
| 73 | +it is recommended to creat a dedicated user for Flux under your organization. |
| 74 | + |
| 75 | +Generate a GitHub PAT for the Flux user that can create repositories by checking all permissions under `repo`. |
| 76 | + |
| 77 | +If you want to use an existing repository, the Flux user must have `admin` permissions for that repository. |
| 78 | + |
42 | 79 | Run the bootstrap for a repository owned by a GitHub organization: |
43 | 80 |
|
44 | 81 | ```sh |
45 | 82 | flux bootstrap github \ |
| 83 | + --token-auth \ |
46 | 84 | --owner=my-github-organization \ |
47 | 85 | --repository=my-repository \ |
48 | | - --team=team1-slug \ |
49 | | - --team=team2-slug \ |
| 86 | + --branch=main \ |
50 | 87 | --path=clusters/my-cluster |
51 | 88 | ``` |
52 | 89 |
|
53 | | -When you specify a list of teams, those teams will be granted maintainer access to the repository. |
| 90 | +When creating a new repository, you can specify a list of GitHub teams with `--team=team1-slug,team2-slug`, |
| 91 | +those teams will be granted maintainer access to the repository. |
| 92 | + |
| 93 | +## GitHub Enterprise |
54 | 94 |
|
55 | 95 | To run the bootstrap for a repository hosted on GitHub Enterprise, you have to specify your GitHub hostname: |
56 | 96 |
|
57 | 97 | ```sh |
58 | 98 | flux bootstrap github \ |
| 99 | + --token-auth \ |
59 | 100 | --hostname=my-github-enterprise.com \ |
60 | | - --ssh-hostname=my-github-enterprise.com \ |
61 | 101 | --owner=my-github-organization \ |
62 | 102 | --repository=my-repository \ |
63 | 103 | --branch=main \ |
64 | 104 | --path=clusters/my-cluster |
65 | 105 | ``` |
66 | 106 |
|
67 | | -If your GitHub Enterprise has SSH access disabled, you can use HTTPS and token authentication with: |
| 107 | +If you want use SSH and [GitHub deploy keys](#github-deploy-keys), |
| 108 | +set `--token-auth=false` and provide the SSH hostname with `--ssh-hostname=my-github-enterprise.com`. |
68 | 109 |
|
69 | | -```sh |
70 | | -flux bootstrap github \ |
71 | | - --token-auth \ |
72 | | - --hostname=my-github-enterprise.com \ |
73 | | - --owner=my-github-organization \ |
74 | | - --repository=my-repository \ |
75 | | - --branch=main \ |
| 110 | +## GitHub Deploy Keys |
| 111 | + |
| 112 | +If you want to bootstrap Flux using SSH instead of HTTP/S, you can set `--token-auth=false` and the Flux CLI |
| 113 | +will use the GitHub PAT to set a deploy key for your repository. |
| 114 | + |
| 115 | +When using SSH, the bootstrap command will generate a SSH private key. The private key is stored |
| 116 | +in the cluster as a Kubernetes secret named `flux-system` inside the `flux-system` namespace. |
| 117 | + |
| 118 | +The generated SSH key defaults to `ECDSA P-384`, to change the format use `--ssh-key-algorithm` and `--ssh-ecdsa-curve`. |
| 119 | + |
| 120 | +The SSH public key, is used to create a GitHub deploy key. |
| 121 | +The deploy key is linked to the personal access token used to authenticate. |
| 122 | + |
| 123 | +By default, the GitHub deploy key is set to read-only access. |
| 124 | +If you're using Flux image automation, you must give it write access with `--read-write-key=true`. |
| 125 | + |
| 126 | +{{% alert color="info" title="Deploy Key rotation" %}} |
| 127 | +Note that when the PAT is removed or when it expires, the GitHub deploy key will stop working. |
| 128 | +To regenerate the deploy key, delete the `flux-system` secret from the cluster and re-run |
| 129 | +the bootstrap command using a valid GitHub PAT. |
| 130 | +{{% /alert %}} |
| 131 | + |
| 132 | +## Bootstrap without a GitHub PAT |
| 133 | + |
| 134 | +For existing GitHub repositories, you can bootstrap Flux over SSH without using a GitHub PAT. |
| 135 | + |
| 136 | +To use a SSH key instead of a GitHub PAT, the command changes to `flux bootstrap git`: |
| 137 | + |
| 138 | +```shell |
| 139 | +flux bootstrap git \ |
| 140 | + --url=ssh://git@github.com/<org>/<repository> \ |
| 141 | + --branch=<my-branch> \ |
| 142 | + --private-key-file=<path/to/ssh/private.key> \ |
| 143 | + --password=<key-passphrase> \ |
76 | 144 | --path=clusters/my-cluster |
77 | 145 | ``` |
| 146 | + |
| 147 | +**Note** that you must generate a SSH private key and set the public key as a deploy key on GitHub in advance. |
| 148 | + |
| 149 | +For more information on how to use the `flux bootstrap git` command, |
| 150 | +please see the generic Git server [documentation](generic-git-server.md). |
0 commit comments