Read only bootstrap

[steven-sheehy]

Problem

My git repo is public and doesn't require a deploy key or personal access token for anyone to clone. Neither should Flux. For security reasons, I would like to be able to bootstrap flux without granting the flux CLI write permission to my repository.

Running flux bootstrap github requires a read/write personal access token or it fails with GITHUB_TOKEN environment variable not found. Flux seems to default to using SSH and creating a deploy key even though HTTPS is available without the need for a key. I attempted using flux bootstrap git with a HTTPS URL as a workaround but it made the same assumption:

~> flux bootstrap git --url=https://github.com/steven-sheehy/flux.git --username=steven-sheehy --password="${GITHUB_TOKEN}" --branch=deploy
► cloning branch "test" from Git repository "https://github.com/steven-sheehy/flux.git"
✔ cloned repository
► generating component manifests
✔ generated component manifests
✔ committed sync manifests to "test"
► pushing component manifests to "https://github.com/steven-sheehy/flux.git"
► installing components in "flux-system" namespace
✔ installed components
✔ reconciled components
► determining if source secret "flux-system/flux-system" exists
► generating source secret
✔ public key: ssh-rsa AAAA...
✗ Please give the key access to your repository: N

I might be able to achieve equivalent functionality to bootstrap with flux install && flux create source ... && flux reconcile ..., but I'm unsure of exactly which commands to run and I like the convenience of the single command.

Additionally, flux requires write access to the repository so it can commit the flux manifests to the repo. This step seems optional since these manifests could be easily saved and committed out of band. Or not committed at all since the flux CLI reconciles those manifests.

Solution

I propose if someone is using flux bootstrap git with a HTTPS URL, then the source be set to use the same HTTPS URL. It is surprising to configure it one way and it produce a different source. If someone is using flux bootstrap github a --transport flag be added to specify the transport type with values ssh, http or https. An auto transport type could also be considered that detected if the repository is public and accessible via https first before falling back to ssh and requiring a deploy key.

For committing the flux manifests, a --commit-manifests flag can be added with a default of true to disable this feature. Alternatively, a --manifests=commit|file|stdout|none flag be added that controls whether to commit them (default), written to files (flux-system/gotk-*), or output them to stdout so they can be piped to another command.

The combination of these features will allow a read only bootstrap and reduce Flux's potential attack surface.

[yebyen]

Flux defaults to doing everything in private.

If you pass --private=false at bootstrap time, do you get different behavior? The private as default behavior is to avoid accidentally publishing something which should have remained private, which represents a serious risk for many users. Unless you're passing --token-auth that GITHUB_TOKEN is always discarded after bootstrap.

The default behavior in Flux v2 is bootstrap creates a private repo and uses the GITHUB_TOKEN to generate a deploy key, then discards the GITHUB_TOKEN. I believe what you've encountered is a side-effect of a bugfix related to "what happens if the repo already exists"

In something like Flux 0.12, the git driver changed to a more full-featured one, and we were able to reconcile the repository state with what values are passed into bootstrap. So suddenly, with this --private=true default value in the bootstrap command, we started getting reports that people were running bootstrap on public repos and Flux was turning them private, killing off any forks and wiping out their stars... eep!

So that reconcile feature got disabled, and Flux will no longer flip the private/public state of your repo if it already exists at bootstrap time. But any other behavior from --private=true default would likely still be in place unless you change that option.

I suspect you're seeing the effect of using flux bootstrap with an existing public repo and an implicit --private=true from the defaults; it still behaves like a private repo, which means it uses deploy keys and goes over SSH (unless you've also passed --token-auth, which definitely doesn't seem like you have...)

We should probably warn users that they're implicitly passing --private=true and their repo isn't private, but probably was decided not to because it will generate more questions and doesn't need to error out, as there isn't really a risky or dangerous part in this conflict anymore.

[steven-sheehy]

Thanks for your reply. I just tried flux bootstrap github --private=false ... and it still added the deploy key. So something's amiss.

Assuming this was addressed, there's still the discussion around whether committing manifests could be optional.

[yebyen]

Committing the manifests is optional, there's flux install which can be used with or without --export -- without export flag, it just installs gotk-components without any repos or files at all, no Kustomization is generated, and you're on your own to either commit it to a repo or not.

This is a perfectly fine way to use Flux, we do really encourage and push using the bootstrap because it makes a lot of sense to manage Flux with GitOps, and we built lots of nice tooling around it -- not to mention, providing users with one functioning sync out of the box saves answering a lot of support questions, as getting past that hurdle is probably the biggest obstacle to getting started actually using Flux.