I’m starting to play around with Git descriptors, and I’m wondering how to deal with GitHub authentication, as we use private repositories and all our users don’t have a GitHub account.
I’ve been thinking about these alternatives:
Create a dummy GitHub account with read access to our private repositories. Then, roll out the SSH key to all users without a GitHub account.
Use deploy keys instead of creating a dummy GitHub account, but roll out the SSH key to all users without a GitHub account.
The idea of creating a Git mirror in a shared disk location doesn’t sound good to me, because we’re currently using Centralized configurations and we want to get rid of this approach.
So, what do you think? What would be the best solution? How have you solved similar situations?
I used the read only access key in a previous job. You need to have a key distribution mechanism, but if you’re managing your fleet of computers with e.g. Ansible or Puppet that’s pretty easy.
If done correctly, the users do not need Git installed or access to GitHub. It is a bit of overhead for the developer, but we’ve been doing this workflow for a couple of years now and it works quite well.
Just to expand my answer, I think I’ll discard your approach @Fabian because it needs to pack and upload the configuration with every update, right?
I mean, using read-only SSH keys, once the keys are rolled out and the Descriptor is updated in the Pipeline Configuration I don’t need to do anything else. But with your approach, I still have to pack and upload the configuration, don’t I?
It’s definitely not a big deal but I want to avoid as many manual steps (which can be automated with a script or tool, of course) as possible. I see your approach as the winner to use when users don’t have internet access.
Sure! Whatever floats your boat! Just to clarify: you do not have to upload the whole bundled config. You can simply upload the app (look at the screenshot of the article that I linked to in my previous answer) and update your config. Uploading the whole bundled config is an additional option that you can, but don’t have to, use. Also, the word “bundle” might be a bit confusing in this case. It just means “download the zip file”, which, for most Git services out there, is a one-click operation.
Anyway, if you are already down the SSH path I think it will be less work indeed.