From 4578d110de9e3b569c9a04e52a1bef6f3b8bb477 Mon Sep 17 00:00:00 2001 From: George MacRorie Date: Tue, 31 Oct 2023 15:39:51 +0000 Subject: [PATCH 1/4] feat(configuration/git): add SSH authentication documentation --- configuration/overview.mdx | 20 ++++++++++++-------- configuration/storage.mdx | 29 ++++++++++++++++++++++++++++- 2 files changed, 40 insertions(+), 9 deletions(-) diff --git a/configuration/overview.mdx b/configuration/overview.mdx index 7379341..565c18c 100644 --- a/configuration/overview.mdx +++ b/configuration/overview.mdx 
@@ -170,14 +170,18 @@ These properties are as follows: #### Storage Git -| Property | Description | Default | Since | -| ----------------------------------------- | ----------------------------------------------------------- | ------- | ------- | -| storage.git.repository | The URL of the git repository to use | | v1.25.0 | -| storage.git.ref | The git ref to use | main | v1.25.0 | -| storage.git.poll_interval | The interval to poll the git repository and ref for changes | 30s | v1.25.0 | -| storage.git.authentication.basic.username | The username to use for basic authentication | | v1.25.0 | -| storage.git.authentication.basic.password | The password to use for basic authentication | | v1.25.0 | -| storage.git.authentication.token | The access token to use for authentication | | v1.25.0 | +| Property | Description | Default | Since | +| ------------------------------------------------------- | ----------------------------------------------------------- | ------- | ------- | +| storage.git.repository | The URL of the git repository to use | | v1.25.0 | +| storage.git.ref | The git ref to use | main | v1.25.0 | +| storage.git.poll_interval | The interval to poll the git repository and ref for changes | 30s | v1.25.0 | +| storage.git.authentication.basic.username | The username to use for basic authentication | | v1.25.0 | +| storage.git.authentication.basic.password | The password to use for basic authentication | | v1.25.0 | +| storage.git.authentication.token | The access token to use for authentication | | v1.25.0 | +| storage.git.authentication.ssh.password | Password used to generate the SSH keypair | | v1.30.0 | +| storage.git.authentication.ssh.private_key_path | Path to private key on the filesystem | | v1.30.0 | +| storage.git.authentication.ssh.private_key_bytes | (alternative) raw private key bytes | | v1.30.0 | +| storage.git.authentication.ssh.insecure_ignore_host_key | Skip verifying the known hosts key (avoid in production) | false | v1.30.0 | #### 
Storage Object diff --git a/configuration/storage.mdx b/configuration/storage.mdx index e1dc1d8..9157091 100644 --- a/configuration/storage.mdx +++ b/configuration/storage.mdx @@ -205,7 +205,7 @@ Flipt will follow the configured reference (e.g. branch name) and keep up to dat #### Authentication Authentication enables the ability to leverage private Git repositories as flag state backends. -The `git` type backend supports both `basic` and `token` based authentication schemes. +The `git` type backend supports both `basic`, `token` and `ssh` based authentication schemes. **GitHub** @@ -229,6 +229,33 @@ storage: password: < github-personal-access-token > ``` +**SSH** + +In order to configure Flipt with SSH, you will need to generate an SSH key-pair and configure your repository provider with the public key. +GitHub has some excellent documentation regarding how to generate and install you credentials [here](https://docs.github.com/en/authentication/connecting-to-github-with-ssh). + +Once you have your private key credentials you will need to configure Flipt to use them. +This can be done via the `storage.git.authentication.ssh` configuration section: + +```yaml +storage: + type: git + git: + repository: git@github.com:flipt-io/some-private-repo.git + authentication: + ssh: + password: flipt + private_key_path: private-key.pem + # private_key_bytes: # alternatively pass the raw bytes inline + insecure_ignore_host_key: true +``` + + +`insecure_ignore_host_key` is not encouraged for production use, and is `false` by default. +Instead, you are advised to put the key fingerprint in the known hosts file where you are running Flipt. +For example, for Github you can do `ssh-keyscan github.com >> ~/.ssh/known_hosts` on the Flipt host. + + See our [GitOps Guide](/guides/get-going-with-gitops) for an example of how to set up a GitHub repository as a flag state backend. ### Object From 0887d675b619947102bcc9ea04e174d009fd68c6 Mon Sep 17 00:00:00 2001 
From: GeorgeMac Date: Tue, 31 Oct 2023 15:40:51 +0000 Subject: [PATCH 2/4] chore: format code --- configuration/storage.mdx | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/configuration/storage.mdx b/configuration/storage.mdx index 9157091..3358a3d 100644 --- a/configuration/storage.mdx +++ b/configuration/storage.mdx @@ -251,9 +251,10 @@ storage: ``` -`insecure_ignore_host_key` is not encouraged for production use, and is `false` by default. -Instead, you are advised to put the key fingerprint in the known hosts file where you are running Flipt. -For example, for Github you can do `ssh-keyscan github.com >> ~/.ssh/known_hosts` on the Flipt host. + `insecure_ignore_host_key` is not encouraged for production use, and is + `false` by default. Instead, you are advised to put the key fingerprint in the + known hosts file where you are running Flipt. For example, for Github you can + do `ssh-keyscan github.com >> ~/.ssh/known_hosts` on the Flipt host. See our [GitOps Guide](/guides/get-going-with-gitops) for an example of how to set up a GitHub repository as a flag state backend. From 71f22d5a0e09f712eaaaa97b541e44d28bf71c33 Mon Sep 17 00:00:00 2001 From: George MacRorie Date: Tue, 31 Oct 2023 16:20:13 +0000 Subject: [PATCH 3/4] chore: appease the lint gods --- configuration/storage.mdx | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/configuration/storage.mdx b/configuration/storage.mdx index 9157091..3358a3d 100644 --- a/configuration/storage.mdx +++ b/configuration/storage.mdx 
@@ -251,9 +251,10 @@ storage: ``` -`insecure_ignore_host_key` is not encouraged for production use, and is `false` by default. -Instead, you are advised to put the key fingerprint in the known hosts file where you are running Flipt. -For example, for Github you can do `ssh-keyscan github.com >> ~/.ssh/known_hosts` on the Flipt host. + `insecure_ignore_host_key` is not encouraged for production use, and is + `false` by default. Instead, you are advised to put the key fingerprint in the + known hosts file where you are running Flipt. For example, for Github you can + do `ssh-keyscan github.com >> ~/.ssh/known_hosts` on the Flipt host. See our [GitOps Guide](/guides/get-going-with-gitops) for an example of how to set up a GitHub repository as a flag state backend. From 18965e1a2940c75beb9f9f310bd6f433ae377d84 Mon Sep 17 00:00:00 2001 From: George Date: Tue, 31 Oct 2023 16:21:21 +0000 Subject: [PATCH 4/4] chore: add suggestion to configuration/overview.mdx Co-authored-by: Mark Phelps <209477+markphelps@users.noreply.github.com> --- configuration/overview.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configuration/overview.mdx b/configuration/overview.mdx index 565c18c..76e838d 100644 --- a/configuration/overview.mdx +++ b/configuration/overview.mdx 
@@ -180,7 +180,7 @@ These properties are as follows: | storage.git.authentication.token | The access token to use for authentication | | v1.25.0 | | storage.git.authentication.ssh.password | Password used to generate the SSH keypair | | v1.30.0 | | storage.git.authentication.ssh.private_key_path | Path to private key on the filesystem | | v1.30.0 | -| storage.git.authentication.ssh.private_key_bytes | (alternative) raw private key bytes | | v1.30.0 | +| storage.git.authentication.ssh.private_key_bytes | (Alternative) Raw private key bytes | | v1.30.0 | | storage.git.authentication.ssh.insecure_ignore_host_key | Skip verifying the known hosts key (avoid in production) | false | v1.30.0 | #### Storage Object
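Review bot: in PATCH 1/4, configuration/overview.mdx, the new `storage.git.authentication.ssh.password` row is described as "Password used to generate the SSH keypair", which says how the key was created rather than what Flipt does with the value. If this is the passphrase protecting the private key, say so directly (for example "Passphrase for the private key") and state whether it may be left empty for an unencrypted key.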
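Review bot: in PATCH 1/4, configuration/storage.mdx, hunk `@@ -205,7 +205,7 @@`, the changed sentence now reads "supports both `basic`, `token` and `ssh` based authentication schemes", and "both" no longer fits a list of three. Suggest dropping it: "supports `basic`, `token` and `ssh` based authentication schemes".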
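Review bot: in PATCH 1/4, configuration/storage.mdx, hunk `@@ -229,6 +229,33 @@`, the SSH example sets `insecure_ignore_host_key: true` while the note directly under it says the setting is not encouraged for production, so anyone who copies the example disables host key verification. Suggest omitting the key from the example (the default is `false`) or showing it as `false`, and replacing the literal `password: flipt` with a placeholder in the style of `< github-personal-access-token >` used in the block above. The `ssh-keyscan github.com >> ~/.ssh/known_hosts` advice should also tell readers to compare the scanned key's fingerprint with the ones GitHub publishes before appending it, since the scan output is itself unauthenticated. Minor: "install you credentials" should be "install your credentials", and "Github" should be "GitHub" to match the rest of the page.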
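Review bot: PATCH 3/4 ("appease the lint gods") carries the same `index 9157091..3358a3d` line and the same `@@ -251,9 +251,10 @@` hunk as PATCH 2/4, so once 2/4 is applied the three removed lines no longer exist and 3/4 cannot apply. Suggest dropping 3/4 from the series, or regenerating it against the tree after 2/4 if it was meant to carry a different lint fix.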
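Review bot: in PATCH 4/4, configuration/overview.mdx, the `storage.git.authentication.ssh.private_key_bytes` row is only re-capitalised and still does not say what it is an alternative to or what happens when both it and `private_key_path` are set. Suggest "Raw private key bytes (alternative to `private_key_path`)" and a sentence stating which one takes effect, or that setting both is rejected. Because this option places the private key inside the configuration itself, the docs should also say that the configuration file then needs the same access restrictions as a key file.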