tailscale / gitops-acl-action

GitOps for your Tailscale ACLs

Docs: Update README to include information on using OAuth Clients #20

Closed korenyoni closed 1 year ago

korenyoni commented 1 year ago

What

Why

Notes

Closes #19

korenyoni commented 1 year ago

@DentonGentry alright, I'm going to close this and people can use this as a workaround until the GH action supports the OAuth Client functionality you just described.

korenyoni commented 1 year ago

No, this is not how we're going to do it. We wrote https://github.com/tailscale/tailscale/tree/main/cmd/get-authkey to use in these Actions, and will pass in the client-id+secret from GitHub secrets.

@DentonGentry

I started making a PR that uses get-authkey, as you mentioned, in order to retrieve the API token to be used with gitops-pusher. What I essentially got from your comment is that we would want to do something like this:

(entrypoint.sh)

#!/bin/sh

# Need both client id and secret to get auth key, but if one is set, run get-authkey
# and allow it to print the error message that both need to be set.
# ([ -n ] is the POSIX test; [[ ! -z ]] is a bashism that /bin/sh may not support.)
if [ -n "${TS_API_CLIENT_ID}" ] || [ -n "${TS_API_CLIENT_SECRET}" ]; then
    echo >&2 "TS_API_CLIENT_* environment variables set, attempting to retrieve authkey..."
    /usr/local/bin/get-authkey --tags "${TS_API_CLIENT_TAGS}" > /tmp/authkey || exit 1
    # Only override TS_API_KEY when a key was actually retrieved.
    TS_API_KEY=$(cat /tmp/authkey)
    export TS_API_KEY
    rm -f /tmp/authkey
fi

# "$@" keeps each original argument intact; $* would re-split on whitespace.
exec /usr/local/bin/gitops-pusher "$@"

But then it dawned on me... get-authkey generates an auth key, not an API key, which we need for gitops-pusher.

How can get-authkey be used in conjunction with gitops-pusher? Doesn't seem possible.

Unless you mean we should use the same OAuth flow in get-authkey and port it to gitops-pusher... in that case I can try making a PR in https://github.com/tailscale/tailscale (in order to extend gitops-pusher).
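One way the OAuth client id/secret could be turned into an API token for gitops-pusher with curl alone, as an added example that is not part of this thread or of the gitops-acl-action project. It assumes the Tailscale token endpoint https://api.tailscale.com/api/v2/oauth/token accepts client_id/client_secret form fields and answers with JSON containing an access_token field, and it keeps the binary path from the entrypoint above.

```shell
#!/bin/sh
# Added example (not from this thread): trade an OAuth client id/secret for a
# Tailscale API access token with curl, then run gitops-pusher with it.
# Assumption: POST https://api.tailscale.com/api/v2/oauth/token with
# client_id/client_secret form fields returns {"access_token": "...", ...}.
TS_OAUTH_TOKEN_URL="${TS_OAUTH_TOKEN_URL:-https://api.tailscale.com/api/v2/oauth/token}"

# Constructed sample of a token response, used only to exercise the parser.
SAMPLE_TOKEN_RESPONSE='{"access_token":"tskey-api-EXAMPLE","token_type":"Bearer","expires_in":3600}'

# Pull "access_token" out of a JSON body with sed only (no jq in the image).
# Fails (exit 1) when the field is missing, e.g. an error body like {"message":"..."}.
extract_access_token() {
    token=$(printf '%s\n' "$1" |
        sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    [ -n "$token" ] || return 1
    printf '%s' "$token"
}

# Require both halves of the credential; never fall back to an empty key.
fetch_access_token() {
    if [ -z "${TS_API_CLIENT_ID}" ] || [ -z "${TS_API_CLIENT_SECRET}" ]; then
        echo >&2 "both TS_API_CLIENT_ID and TS_API_CLIENT_SECRET must be set"
        return 1
    fi
    # -sS: quiet but still report transport errors; -f: non-2xx is a failure.
    # The secret goes in the POST body (not the URL), but it is still in this
    # process's argv on the runner; keep the secret out of any echo/logging.
    resp=$(curl -sSf -X POST "$TS_OAUTH_TOKEN_URL" \
        --data-urlencode "client_id=${TS_API_CLIENT_ID}" \
        --data-urlencode "client_secret=${TS_API_CLIENT_SECRET}") || return 1
    extract_access_token "$resp"
}

main() {
    # Only take the OAuth path when credentials are present; otherwise the
    # caller's TS_API_KEY (if any) passes through untouched.
    if [ -n "${TS_API_CLIENT_ID}" ] || [ -n "${TS_API_CLIENT_SECRET}" ]; then
        echo >&2 "TS_API_CLIENT_* set, requesting API access token..."
        TS_API_KEY=$(fetch_access_token) || exit 1
        export TS_API_KEY
    fi
    exec /usr/local/bin/gitops-pusher "$@"
}

# Run the entrypoint only when invoked as entrypoint.sh, so the functions can
# be sourced and checked without touching the network.
if [ "${0##*/}" = "entrypoint.sh" ]; then
    main "$@"
fi
```

The token returned this way is short-lived, so the entrypoint requests a fresh one on every Action run rather than storing it anywhere.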

DentonGentry commented 1 year ago

Ah. For an actual API key I think curl is probably fine, it is the two step process to get an authkey where we didn't want to have such a large block of shell code doing it.

I think the ideal would be: