FluxCD Github example uses unsupported Bearer token auth

[JamesMcMahon]

Describe the documentation issue

The example in the FluxCD Addon documentation is incorrect. FluxCD does not support bearer token auth with Github due to limitations in the Github API.

Specifically this secret will not work:

const externalSecret = new eks.KubernetesManifest(clusterInfo.cluster.stack, "ExternalSecret", {
    cluster: cluster,
    manifest: [
        {
            apiVersion: "external-secrets.io/v1beta1",
            kind: "ExternalSecret",
            metadata: {
                name: "git-admin-credentials",
                namespace: "flux-system"
            },
            spec: {
                secretStoreRef: {
                    name: "secret-manager-store",
                    kind: "ClusterSecretStore",
                },
                target: {
                    name: "repository-creds"
                },
                data: [
                    {
                        secretKey: "bearerToken",
                        remoteRef: {
                            key: "bearer-token-auth"
                        },
                    },
                ],
            },
        },
    ],
});
externalSecret.node.addDependency(secretStore);
return Promise.resolve(secretStore);
}

Instead Basic access authentication is needed.

FluxCD References:

• https://fluxcd.io/flux/components/source/gitrepositories/#bearer-token-authentication

Note: If you are looking to use OAuth tokens with popular servers (e.g. GitHub, Bitbucket, GitLab), you should use basic access authentication instead. These servers use basic HTTP authentication, with the OAuth token as the password. Check the documentation of your Git server for details.

• Issue to add the above note to documenton
• Confirmation of Github limitation by Flux maintainer

Links

• https://github.com/aws-quickstart/cdk-eks-blueprints/blob/main/docs/addons/fluxcd.md
• https://aws-quickstart.github.io/cdk-eks-blueprints/addons/fluxcd/

[shapirov103]

@elamaran11 do you mind triaging this one?

[elamaran11]

@shapirov103 Sure.

[JamesMcMahon]

If you are open to it I can put a PR together with a fix

[elamaran11]

@JamesMcMahon If you can put a PR, that will be Awesome. We can review it and get it merged sooner.

[JamesMcMahon]

@elamaran11 - PR is up at https://github.com/aws-quickstart/cdk-eks-blueprints/pull/1000

[JamesMcMahon]

PR merged, closed