Story
Resolution: Unresolved
Major
Story (Required)
As an admin of a multi-user cluster with potentially untrusted users, I want to improve the security of my PaaC cluster by making sure the Repo CR a user creates belongs to the right GitHub user.
Background (Required)
With a GitHub App installed globally on a cluster, we have no way to know which Repo CR belongs to which GitHub user.
We currently sidestep this issue with a first-come-first-served rule: whoever creates the Repo CR first wins.
This is not ideal, so we introduced the target_namespace annotation (https://pipelinesascode.com/docs/guide/repositorycrd/#setting-pipelinerun-definition-source). That solution has a few caveats: the PipelineRun is no longer easily portable, and users need to know about the underlying infrastructure.
Out of scope
- Managing token creation
- OAuth (or any sort of interactive flow)
Proposed Solution
One thing we can use is a GitHub token: we already have a way to pass a GitHub token for the GitHub webhook method, and we may as well use that to make sure the Repository CR belongs to the user. This has its own caveat: the user needs to be able to generate that token.
This could be added to the PaC webhook service that currently ensures the uniqueness of Repo CR URLs.
Flow
The flow could look like this:
- when a user creates a Repo CR
- if the cluster is using a GitHub App
- and if a setting enforces using a token when installing (github_app_repo_install_need_github_token=true)
- we check that the Repo CR has a token attached to it
- check that the token has admin (TBD) rights on that repo,
- and then let the user create it.
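The flow above, written out as the decision logic an admission check in the PaC webhook service would run. This is an added example and not Pipelines as Code's own code: the `Settings` and `Repository` structs, the `PermissionChecker` interface, the `FakeChecker` stand-in for the GitHub API and the sample tokens and repositories are all assumptions constructed for the example. Only the setting name `github_app_repo_install_need_github_token` and the "admin" requirement come from the story; the required permission level is kept in one constant since the story marks it TBD.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Settings mirrors the cluster-level knobs the flow depends on. The field names are
// assumptions; the underlying setting name is the one proposed in the story.
type Settings struct {
	GitHubAppInstalled                  bool
	GitHubAppRepoInstallNeedGitHubToken bool // github_app_repo_install_need_github_token
}

// Repository is a minimal stand-in for the Repository CR fields this check reads.
type Repository struct {
	URL   string // e.g. https://github.com/org/repo
	Token string // token attached to the CR; empty when none was provided
}

// PermissionChecker reports the permission level the token holder has on a repo
// ("admin", "write", "read" or "none"). A real implementation would call the GitHub
// API; keeping it behind an interface lets the decision logic run offline.
type PermissionChecker interface {
	Permission(token, owner, repo string) (string, error)
}

// RequiredPermission is "admin" in the story, marked TBD there.
const RequiredPermission = "admin"

var (
	ErrTokenRequired      = errors.New("repository CR must carry a GitHub token on this cluster")
	ErrInsufficientRights = errors.New("token does not have the required rights on the repository")
)

// ParseRepoURL extracts owner and repo from a GitHub repository URL.
func ParseRepoURL(rawURL string) (owner, repo string, err error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", "", err
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(parts) < 2 || parts[0] == "" || parts[1] == "" {
		return "", "", fmt.Errorf("cannot derive owner/repo from %q", rawURL)
	}
	return parts[0], strings.TrimSuffix(parts[1], ".git"), nil
}

// ValidateRepositoryCreate runs the proposed flow: when the cluster uses a GitHub App
// and the enforcement setting is on, the CR must carry a token that holds
// RequiredPermission on the repo it points at. Any failure to verify is treated as
// a rejection (fail closed) rather than falling back to first-come-first-served.
func ValidateRepositoryCreate(s Settings, r Repository, pc PermissionChecker) error {
	if !s.GitHubAppInstalled || !s.GitHubAppRepoInstallNeedGitHubToken {
		return nil // enforcement not applicable on this cluster
	}
	if strings.TrimSpace(r.Token) == "" {
		return ErrTokenRequired
	}
	owner, repo, err := ParseRepoURL(r.URL)
	if err != nil {
		return err
	}
	perm, err := pc.Permission(r.Token, owner, repo)
	if err != nil {
		return fmt.Errorf("could not verify token permission on %s/%s: %w", owner, repo, err)
	}
	if perm != RequiredPermission {
		return fmt.Errorf("%w: got %q, need %q on %s/%s", ErrInsufficientRights, perm, RequiredPermission, owner, repo)
	}
	return nil
}

// FakeChecker is a constructed stand-in for the GitHub API: token -> "owner/repo" -> permission.
type FakeChecker map[string]map[string]string

func (f FakeChecker) Permission(token, owner, repo string) (string, error) {
	repos, ok := f[token]
	if !ok {
		return "", errors.New("bad credentials")
	}
	if p, ok := repos[owner+"/"+repo]; ok {
		return p, nil
	}
	return "none", nil // token is valid but has no access to this repo
}

func main() {
	on := Settings{GitHubAppInstalled: true, GitHubAppRepoInstallNeedGitHubToken: true}
	// Constructed sample data: tok-alice is admin on org/app and read-only on org/other.
	gh := FakeChecker{"tok-alice": {"org/app": "admin", "org/other": "read"}}
	for _, r := range []Repository{
		{URL: "https://github.com/org/app", Token: "tok-alice"},
		{URL: "https://github.com/org/other", Token: "tok-alice"},
		{URL: "https://github.com/org/app"},
		{URL: "https://github.com/org/app", Token: "tok-bogus"},
	} {
		fmt.Printf("%-30s token=%-10q -> %v\n", r.URL, r.Token, ValidateRepositoryCreate(on, r, gh))
	}
}
```

The check is deliberately gated on both conditions from the flow (GitHub App in use and the setting enabled), so clusters using the webhook method or leaving the setting off keep today's behaviour; once enabled, a missing token, a token the API cannot verify, or a token with less than the required level all reject the CR.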