Closed korenyoni closed 1 year ago
@DentonGentry alright, I'm going to close this and people can use this as a workaround until the GH action supports the OAuth Client functionality you just described.
No, this is not how we're going to do it. We wrote https://github.com/tailscale/tailscale/tree/main/cmd/get-authkey to use in these Actions, and will pass in the client-id+secret from GitHub secrets.
@DentonGentry
I started making a PR that uses `get-authkey`, as you mentioned, in order to retrieve the API token to be used with `gitops-pusher`. What I essentially got from your comment is that we would want to do something like this:
(`entrypoint.sh`)
```sh
#!/bin/sh
# Need both client id and secret to get auth key, but if one is set, run get-authkey
# and allow it to print the error message that both need to be set.
if [ -n "${TS_API_CLIENT_ID}" ] || [ -n "${TS_API_CLIENT_SECRET}" ]; then
    echo >&2 "TS_API_CLIENT_* environment variables set, attempting to retrieve authkey..."
    /usr/local/bin/get-authkey --tags "${TS_API_CLIENT_TAGS}" > /tmp/authkey || exit 1
    # Only override TS_API_KEY when a key was actually retrieved.
    export TS_API_KEY="$(cat /tmp/authkey)"
fi
# "$@" preserves each argument as passed; unquoted $* would re-split them.
exec /usr/local/bin/gitops-pusher "$@"
```
But then it dawned on me... `get-authkey` generates an auth key, not an API key, which we need for `gitops-pusher`.
How can `get-authkey` be used in conjunction with `gitops-pusher`? Doesn't seem possible.
Unless you mean we should use the same OAuth flow in `get-authkey` and port it to `gitops-pusher`... in that case I can try making a PR in https://github.com/tailscale/tailscale (in order to extend `gitops-pusher`).
Ah. For an actual API key I think curl is probably fine; it is the two-step process to get an authkey where we didn't want to have such a large block of shell code doing it.
I think the ideal would be:
What
Why
Notes
Closes #19
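The curl route mentioned in the thread, as an added example (not code from this PR or from Tailscale): an entrypoint that trades the OAuth client id and secret for an API access token without putting the secret on a command line or the token in a temp file. Assumptions: the token endpoint URL, that `gitops-pusher` accepts the resulting access token in `TS_API_KEY`, and the helper function names, which are hypothetical.

```shell
#!/bin/sh
# Added example, not the action's own entrypoint.
# Assumed: token endpoint URL below; TS_API_CLIENT_ID / TS_API_CLIENT_SECRET
# as named in the thread; function names are hypothetical.
TOKEN_URL="https://api.tailscale.com/api/v2/oauth/token"

# Extract access_token from the JSON response without jq. Prints nothing and
# returns 1 when the field is absent (e.g. an error body), so callers fail closed.
parse_access_token() {
    token=$(printf '%s' "$1" | tr -d '\n' |
        sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    [ -n "$token" ] || return 1
    printf '%s' "$token"
}

# Client-credentials request. The form fields reach curl as a config file on
# stdin (-K -), so the secret never shows up in the process argument list.
# Assumes the id and secret contain no double quotes or backslashes.
fetch_access_token() {
    [ -n "${TS_API_CLIENT_ID}" ] && [ -n "${TS_API_CLIENT_SECRET}" ] || {
        echo >&2 "both TS_API_CLIENT_ID and TS_API_CLIENT_SECRET must be set"
        return 1
    }
    body=$(printf 'data-urlencode = "client_id=%s"\ndata-urlencode = "client_secret=%s"\n' \
        "${TS_API_CLIENT_ID}" "${TS_API_CLIENT_SECRET}" |
        curl --silent --show-error --fail -K - "${TOKEN_URL}") || return 1
    parse_access_token "$body"
}

# Keep the token in the environment only; nothing is written to /tmp.
run_pusher() {
    TS_API_KEY=$(fetch_access_token) || exit 1
    export TS_API_KEY
    exec /usr/local/bin/gitops-pusher "$@"
}

# An entrypoint.sh built on this would end with:  run_pusher "$@"
```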