feat: Unattended Flux installation

You don't need to manually add GitHub deploy keys anymore.

This feature enables you to install Flux via eksctl in an unattended way, by automatically creating GitHub deply key on cluster creation and on `eksctl enable repo`, and by automatically deleting the deploy key on cluster deletion.

All you need to use this feature is providing `GITHUB_TOKEN` that has access to your repository's deploy keys, and a standard cluster.yaml that contains a `git` configuration for installing Flux.

Usage:

```
$ eksctl create cluster -f cluster.yaml

eksctl automatically creates a deploy key named  `eksctl-REGION-NAME` from the public ssh key generated by Flux
```

```
$ eksctl delete cluster -f cluster.yaml

eksctl automatically deletes the deploy key named `eksctl-REGION-NAME` by calling GitHub API
```

```
$ eksctl enable repo -f cluster.yaml

eksctl automatically creates a deploy key named  `eksctl-REGION-NAME` from the public ssh key generated by Flux
```

Please also note that this feature has an extra ability to make the deploy key "read-only". With the read-only deploy key, If you prefer that, you can effectively block Flux from ever pushing commits to the repository.

This can be enabled by setting `git.readOnly` to `true` or passing `--readonly` to `eksctl enable repo`.

Resolves #2273

Author: mumoshu

go.mod

@@ -22,6 +22,7 @@ require (
 	github.com/gobwas/glob v0.2.3
 	github.com/gofrs/flock v0.7.1
 	github.com/golangci/golangci-lint v1.27.0
+	github.com/google/go-github/v31 v31.0.0
 	github.com/goreleaser/goreleaser v0.136.0
 	github.com/instrumenta/kubeval v0.0.0-20190918223246-8d013ec9fc56
 	github.com/justinbarrick/go-k8s-portforward v1.0.3
@@ -48,6 +49,7 @@ require (
 	github.com/weaveworks/github-release v0.6.3-0.20161024133933-73deea6af1e8
 	github.com/weaveworks/launcher v0.0.0-20180711153254-f1b2830d4f2d
 	github.com/whilp/git-urls v0.0.0-20160530060445-31bac0d230fa
+	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
 	golang.org/x/sys v0.0.0-20200428200454-593003d681fa // indirect
 	golang.org/x/tools v0.0.0-20200502202811-ed308ab3e770
 	k8s.io/api v0.16.8

go.sum

@@ -449,8 +449,12 @@ github.com/google/go-cmp v0.3.1 h1:Xye71clBPdm5HgqGwUkwhbynsUJZhDbS20FvLhQ2izg=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-github v17.0.0+incompatible h1:N0LgJ1j65A7kfXrZnUDaYCs/Sf4rEjNlfyDHW9dolSY=
 github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ=
+github.com/google/go-github/v25 v25.0.1 h1:s405kPD52lKa1MVxiEumod/E6/+0pvQ8Ed/sT65DjKc=
+github.com/google/go-github/v25 v25.0.1/go.mod h1:6z5pC69qHtrPJ0sXPsj4BLnd82b+r6sLB7qcBoRZqpw=
 github.com/google/go-github/v28 v28.1.1 h1:kORf5ekX5qwXO2mGzXXOjMe/g6ap8ahVe0sBEulhSxo=
 github.com/google/go-github/v28 v28.1.1/go.mod h1:bsqJWQX05omyWVmc00nEUql9mhQyv38lDZ8kPZcQVoM=
+github.com/google/go-github/v31 v31.0.0 h1:JJUxlP9lFK+ziXKimTCprajMApV1ecWD4NB6CCb0plo=
+github.com/google/go-github/v31 v31.0.0/go.mod h1:NQPZol8/1sMoWYGN2yaALIBytu17gAWfhbweiEed3pM=
 github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/go-replayers/grpcreplay v0.1.0 h1:eNb1y9rZFmY4ax45uEEECSa8fsxGRU+8Bil52ASAwic=

pkg/apis/eksctl.io/v1alpha5/assets/schema.json

@@ -410,6 +410,9 @@
         "bootstrapProfile": {
           "$schema": "http://json-schema.org/draft-04/schema#",
           "$ref": "#/definitions/Profile"
+        },
+        "readOnly": {
+          "type": "boolean"
         }
       },
       "additionalProperties": false,

pkg/apis/eksctl.io/v1alpha5/schema.go

@@ -712,6 +712,8 @@ type Git struct {
 	Operator Operator `json:"operator,omitempty"`
 	// +optional
 	BootstrapProfile *Profile `json:"bootstrapProfile,omitempty"` // one or many profiles to enable on this cluster once it is created
+	// +optional
+	ReadOnly bool `json:"readOnly,omitempty"` // Instruct Flux to read-only mode and create the deploy key as read-only
 }
 
 // NewGit returns a new empty Git configuration

pkg/apis/eksctl.io/v1alpha5/types.go

@@ -23,6 +23,7 @@ const (
 	gitFluxPath = "git-flux-subdir"
 	gitLabel    = "git-label"
 	namespace   = "namespace"
+	readOnly    = "read-only"
 	withHelm    = "with-helm"
 
 	profileName     = "profile-source"
@@ -51,6 +52,8 @@ func AddCommonFlagsForFlux(fs *pflag.FlagSet, opts *api.Git) {
 		"Directory within the Git repository where to commit the Flux manifests")
 	fs.StringVar(&opts.Operator.Namespace, namespace, "flux",
 		"Cluster namespace where to install Flux, the Helm Operator and Tiller")
+	fs.BoolVar(&opts.ReadOnly, readOnly, false,
+		"Instruct Flux to read-only mode and create the deploy key as read-only")
 	opts.Operator.WithHelm = fs.Bool(withHelm, true, "Install the Helm Operator and Tiller")
 }
 
@@ -65,7 +68,8 @@ func AddCommonFlagsForGit(fs *pflag.FlagSet, repo *api.Repo) {
 		"Username to use as Git committer")
 	fs.StringVar(&repo.Email, gitEmail, "",
 		"Email to use as Git committer")
-	fs.StringVar(&repo.PrivateSSHKeyPath, gitPrivateSSHKeyPath, "",
+	fs.StringVar(&repo.PrivateSSHKeyPath,
+		gitPrivateSSHKeyPath, "",
 		"Optional path to the private SSH key to use with Git, e.g. ~/.ssh/id_rsa")
 }
 

pkg/ctl/cmdutils/gitops.go

@@ -16,6 +16,7 @@ import (
 	"github.com/weaveworks/eksctl/pkg/cfn/manager"
 	"github.com/weaveworks/eksctl/pkg/ctl/cmdutils"
 	"github.com/weaveworks/eksctl/pkg/elb"
+	"github.com/weaveworks/eksctl/pkg/gitops/deploykey"
 	iamoidc "github.com/weaveworks/eksctl/pkg/iam/oidc"
 	"github.com/weaveworks/eksctl/pkg/kubernetes"
 	"github.com/weaveworks/eksctl/pkg/printers"
@@ -184,6 +185,12 @@ func doDeleteCluster(cmd *cmdutils.Cmd) error {
 		logger.Success("all cluster resources were deleted")
 	}
 
+	{
+		if err := deploykey.ForCluster(cfg).Delete(context.Background()); err != nil {
+			return err
+		}
+	}
+
 	return nil
 }
 

pkg/ctl/delete/cluster.go

@@ -4,6 +4,8 @@ import (
 	"context"
 	"time"
 
+	"github.com/weaveworks/eksctl/pkg/gitops/deploykey"
+
 	"github.com/kris-nova/logger"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
@@ -88,11 +90,17 @@ func doEnableRepository(cmd *cmdutils.Cmd) error {
 		return nil
 	}
 
-	userInstructions, err := installer.Run(context.Background())
+	userInstructions, fluxSSHKey, err := installer.Run(context.Background())
 	if err != nil {
 		logger.Critical("unable to set up gitops repo: %s", err.Error())
 		return err
 	}
+
+	if fluxSSHKey != nil {
+		return deploykey.ForCluster(cmd.ClusterConfig).Put(context.Background(), *fluxSSHKey)
+	}
+
 	logger.Info(userInstructions)
-	return err
+
+	return nil
 }

pkg/ctl/enable/repo.go

@@ -0,0 +1,155 @@
+package deploykey
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"regexp"
+
+	"github.com/google/go-github/v31/github"
+	"github.com/kris-nova/logger"
+	api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5"
+	"github.com/weaveworks/eksctl/pkg/gitops/flux"
+	"golang.org/x/oauth2"
+)
+
+type Manager struct {
+	cluster  *api.ClusterMeta
+	repoURL  string
+	readOnly bool
+}
+
+func ForCluster(cluster *api.ClusterConfig) *Manager {
+	km := &Manager{
+		cluster: cluster.Metadata,
+	}
+
+	if git := cluster.Git; git != nil {
+		if repo := git.Repo; repo != nil {
+			km.repoURL = repo.URL
+		}
+
+		km.readOnly = git.ReadOnly
+	}
+
+	return km
+}
+
+func (km *Manager) Put(ctx context.Context, fluxSSHKey flux.PublicKey) error {
+	owner, repo, ok := km.getOwnerRepoFromRepoURL()
+	if !ok {
+		logger.Info("Skipped creating GitHub deploy key from Flux SSH public key for URL %s: Only `[email protected]:OWNER/REPO.git` is accepted for automatic deploy key creation", km.repoURL)
+
+		return nil
+	}
+
+	gh, ok := km.getGitHubAPIClient(ctx)
+	if !ok {
+		logger.Info("Skipped creating GitHub deploy key from Flux SSH public key due to missing GITHUB_TOKEN")
+
+		return nil
+	}
+
+	logger.Info("Creating GitHub deploy key from Flux SSH public key")
+
+	title := km.getDeployKeyTitle(km.cluster)
+
+	key, _, err := gh.Repositories.CreateKey(ctx, owner, repo, &github.Key{
+		Key:      &fluxSSHKey.Key,
+		Title:    &title,
+		ReadOnly: &km.readOnly,
+	})
+
+	if err != nil {
+		return err
+	}
+
+	logger.Info("%s configured with Flux SSH public key\n%s", *key.Title, fluxSSHKey.Key)
+
+	return nil
+}
+
+func (km *Manager) Delete(ctx context.Context) error {
+	owner, repo, ok := km.getOwnerRepoFromRepoURL()
+	if !ok {
+		logger.Info("Skipped deleting GitHub deploy key for URL %s: Only `[email protected]:OWNER/REPO.git` is accepted for automatic deploy key creation", km.repoURL)
+
+		return nil
+	}
+
+	gh, ok := km.getGitHubAPIClient(ctx)
+	if !ok {
+		logger.Info("Skipped deleting GitHub deploy key due to missing GITHUB_TOKEN")
+
+		return nil
+	}
+
+	logger.Info("Deleting GitHub deploy key")
+
+	title := km.getDeployKeyTitle(km.cluster)
+
+	keys, _, err := gh.Repositories.ListKeys(ctx, owner, repo, &github.ListOptions{})
+	if err != nil {
+		return err
+	}
+
+	var keyID int64
+
+	for _, key := range keys {
+		if key.GetTitle() == title {
+			keyID = key.GetID()
+
+			break
+		}
+	}
+
+	if keyID == 0 {
+		logger.Info("Skipped deleting GitHub deploy key %q: The key does not exist. Probably you've already deleted it?")
+
+		return nil
+	}
+
+	if _, err := gh.Repositories.DeleteKey(ctx, owner, repo, keyID); err != nil {
+		return err
+	}
+
+	logger.Info("Deleted GitHub deploy key %s", title)
+
+	return nil
+}
+
+func (km *Manager) getGitHubAPIClient(ctx context.Context) (*github.Client, bool) {
+	githubToken := os.Getenv("GITHUB_TOKEN")
+
+	if githubToken == "" {
+		return nil, false
+	}
+
+	ts := oauth2.StaticTokenSource(
+		&oauth2.Token{AccessToken: githubToken},
+	)
+	tc := oauth2.NewClient(ctx, ts)
+	gh := github.NewClient(tc)
+
+	return gh, true
+}
+
+func (km *Manager) getOwnerRepoFromRepoURL() (string, string, bool) {
+	if km.repoURL == "" {
+		return "", "", false
+	}
+
+	r := regexp.MustCompile(`[email protected]:([^/]+)/([^.]+).git`)
+
+	m := r.FindStringSubmatch(km.repoURL)
+
+	if len(m) != 3 {
+		return "", "", false
+	}
+
+	return m[1], m[2], true
+}
+
+func (km *Manager) getDeployKeyTitle(cluster *api.ClusterMeta) string {
+	return fmt.Sprintf("eksctl-flux-%s-%s", cluster.Region, cluster.Name)
+}

pkg/gitops/deploykey/deploykey.go

@@ -32,7 +32,6 @@ const (
 
 // Installer installs Flux
 type Installer struct {
-	cluster       *api.ClusterMeta
 	opts          *api.Git
 	timeout       time.Duration
 	k8sRestConfig *rest.Config
@@ -62,12 +61,12 @@ func NewInstaller(k8sRestConfig *rest.Config, k8sClientSet kubeclient.Interface,
 }
 
 // Run runs the Flux installer
-func (fi *Installer) Run(ctx context.Context) (string, error) {
+func (fi *Installer) Run(ctx context.Context) (string, *PublicKey, error) {
 
 	logger.Info("Generating manifests")
 	manifests, err := fi.getManifests()
 	if err != nil {
-		return "", err
+		return "", nil, err
 	}
 
 	logger.Info("Cloning %s", fi.opts.Repo.URL)
@@ -78,7 +77,7 @@ func (fi *Installer) Run(ctx context.Context) (string, error) {
 	}
 	cloneDir, err := fi.gitClient.CloneRepoInTmpDir("eksctl-install-flux-clone-", options)
 	if err != nil {
-		return "", errors.Wrapf(err, "cannot clone repository %s", fi.opts.Repo.URL)
+		return "", nil, errors.Wrapf(err, "cannot clone repository %s", fi.opts.Repo.URL)
 	}
 	cleanCloneDir := false
 	defer func() {
@@ -93,22 +92,22 @@ func (fi *Installer) Run(ctx context.Context) (string, error) {
 	logger.Info("Writing Flux manifests")
 	fluxManifestDir := filepath.Join(cloneDir, fi.opts.Repo.FluxPath)
 	if err := writeFluxManifests(fluxManifestDir, manifests); err != nil {
-		return "", err
+		return "", nil, err
 	}
 
 	if err := fi.createFluxNamespaceIfMissing(manifests); err != nil {
-		return "", err
+		return "", nil, err
 	}
 
 	logger.Info("Applying manifests")
 	if err := fi.applyManifests(manifests); err != nil {
-		return "", err
+		return "", nil, err
 	}
 
 	if api.IsEnabled(fi.opts.Operator.WithHelm) {
 		logger.Info("Waiting for Helm Operator to start")
 		if err := waitForHelmOpToStart(fi.opts.Operator.Namespace, fi.timeout, fi.k8sClientSet); err != nil {
-			return "", err
+			return "", nil, err
 		}
 		logger.Info("Helm Operator started successfully")
 		logger.Info("see https://docs.fluxcd.io/projects/helm-operator for details on how to use the Helm Operator")
@@ -117,27 +116,29 @@ func (fi *Installer) Run(ctx context.Context) (string, error) {
 	logger.Info("Waiting for Flux to start")
 	err = waitForFluxToStart(fi.opts.Operator.Namespace, fi.timeout, fi.k8sClientSet)
 	if err != nil {
-		return "", err
+		return "", nil, err
 	}
 	logger.Info("fetching public SSH key from Flux")
 	fluxSSHKey, err := getPublicKeyFromFlux(ctx, fi.opts.Operator.Namespace, fi.timeout, fi.k8sRestConfig, fi.k8sClientSet)
 	if err != nil {
-		return "", err
+		return "", nil, err
 	}
 
 	logger.Info("Flux started successfully")
 	logger.Info("see https://docs.fluxcd.io/projects/flux for details on how to use Flux")
 
-	logger.Info("Committing and pushing manifests to %s", fi.opts.Repo.URL)
-	if err = fi.addFilesToRepo(); err != nil {
-		return "", err
+	if !fi.opts.ReadOnly {
+		logger.Info("Committing and pushing manifests to %s", fi.opts.Repo.URL)
+		if err = fi.addFilesToRepo(); err != nil {
+			return "", nil, err
+		}
 	}
 	cleanCloneDir = true
 
 	logger.Info("Flux will only operate properly once it has write-access to the Git repository")
 	instruction := fmt.Sprintf("please configure %s so that the following Flux SSH public key has write access to it\n%s",
 		fi.opts.Repo.URL, fluxSSHKey.Key)
-	return instruction, nil
+	return instruction, &fluxSSHKey, nil
 }
 
 // IsFluxInstalled returns an error if Flux is not installed in the cluster. To determine that it looks for the flux
@@ -283,7 +284,7 @@ func getFluxManifests(opts *api.Git, cs kubeclient.Interface) (map[string][]byte
 		GitLabel:           opts.Operator.Label,
 		GitUser:            opts.Repo.User,
 		GitEmail:           opts.Repo.Email,
-		GitReadOnly:        false,
+		GitReadOnly:        opts.ReadOnly,
 		Namespace:          opts.Operator.Namespace,
 		ManifestGeneration: true,
 		AdditionalFluxArgs: []string{"--sync-garbage-collection"},

pkg/gitops/flux/installer.go

@@ -29,7 +29,6 @@ var _ = Describe("Installer", func() {
 		},
 	}
 	mockInstaller := &Installer{
-		cluster:      &api.ClusterMeta{Name: "cluster-1", Region: "us-west-2"},
 		opts:         mockOpts,
 		k8sClientSet: fake.NewSimpleClientset(),
 	}