Check out what's in the latest release of Kabanero Learn More

Specifying Credentials to Access GitHub Enterprise Resources

The Kabanero custom resource (CR) instance can be configured to access stack indexes and pipeline zips that are contained within a protected GitHub release. A GitHub Personal Access Token (PAT) is required, and must be stored within a Secret in the same namespace as the Kabanero CR instance.

  1. Generate a GitHub Personal Access Token (PAT) with sufficient privileges (scope) to read the GitHub release assets that you require. Typically the read:org scope is appropriate.

  2. Define a Secret containing the PAT that will be used to access the GitHub release. The PAT should be provided in the data section, with a key named password. The secret must also contain an annotation which associates it with the hostname where the GitHub release exists. The format of the annotation is kabanero.io/git-0: https://hostname where hostname is replaced with the GitHub hostname. For example, the following yaml defines a secret that is used to access GitHub releases on github.mydomain.com:

    apiVersion: v1
    kind: Secret
    metadata:
      name: basic-user-pass
      annotations:
        kabanero.io/git-0: https://github.mydomain.com
    type: kubernetes.io/basic-auth
    stringData:
      password: <PAT>

    For more information about how Kabanero uses this secret, read the notes at the end of this page.

  3. Modify your Kabanero CR instance to refer to the stack index, or pipeline zip, contained in a GitHub release. The release information is specified in the gitRelease field of the Kabanero CR instance. This field is mutually exclusive with the https field, which is used to specify an unprotected URL. For example, the default stack index for Kabanero 0.6.0 could be specified in the following way (note that this release is unprotected):

    apiVersion: kabanero.io/v1alpha2
    kind: Kabanero
    metadata:
      name: kabanero
      namespace: kabanero
    spec:
      version: "0.9.0"
      stacks:
        repositories:
        - name: central
          gitRelease:
            hostname: "github.com"
            organization: "kabanero-io"
            project: "kabanero-stack-hub"
            release: "0.9.0"
            assetName: "kabanero-stack-hub-index.yaml"
  4. The Kabanero operator will search for a secret where the kabanero.io/git-0 annotation matches the hostname defined in the Kabanero CR instance. If a match is found, the PAT contained within the secret is used to retrieve the asset from the GitHub release.

The example above shows how to access a stack hub index. The same approach is used to access pipeline zips, by replacing the https field in the pipeline specification, with the gitRelease field.

Notes about credential selection

In the unlikely event that the same PAT should be used for more than one hostname, multiple annotations can be added to the secret. For example, if the same PAT should be used for both github.mydomain.com and github.otherdomain.com, the following annotations are valid:

metadata:
  name: basic-user-pass
  annotations:
    kabanero.io/git-0: https://github.mydomain.com
    kabanero.io/git-1: https://github.otherdomain.com

If more than one Secret matches a given hostname, the one with the lexically lowest key (kabanero.io/git-*) is used.

Need help?

If you have questions, we would like to hear from you. You can reach out to the community for assistance on the Kabanero Slack channel.

Edit This Page