Excessive admin work required to set up an enterprise-wide GitHub EMU code host #63783

Open
twarit-waikar opened this issue Jul 11, 2024 · 1 comment

Comments

@twarit-waikar

  • Sourcegraph version: 5.3.1
  • Platform information: RHEL9, AWS

Setting up a GitHub code host in an EMU environment requires quite a few adjustments from admins on both the Sourcegraph and the GitHub EMU admin side if we plan for 100% code coverage.

The first step is to get the Sourcegraph IPs whitelisted from the GitHub EMU side for every org.

Next is to set up the code hosts on Sourcegraph.

1. Using a GitHub app

If our goal is 100% coverage in EMU, using a GitHub app to set up the code host requires the app to be installed on every single org that we have, with access to private repos as well. We can perform the app installation steps manually (including the authentication using our IdP; the IdP auth comes as a part of the EMU mandates in our case).

Next up, the org needs to be explicitly allowed via the admin, for the GitHub user (that we've also used in the code host) to be able to clone user permissions.

2. Using a PAT

Again, if the goal is 100% coverage, the user needs to be added to the orgs as a collaborator, then the token we generate needs to be explicitly authorized to access every single org we need indexed. This again is a redirect to the IdP. This kind of authorization is a one-time process, but as the number of orgs increases, this is not a suitable option (we can get 100s of orgs created at once).

Similar to above, these orgs need a 1-time approval from the GitHub EMU admin for the user that Sourcegraph is using to be able to clone user permissions.

The token authorization step can be worked around by using Selenium but still it doesn't account for new orgs that get added, requiring another Selenium run to authorize the token to access the new orgs, on a regular cadence.


There is a possibility to fix this if we went the GitHub app route and GitHub implemented a way to install apps on an enterprise level, or on orgs using an API (so that Sourcegraph can hit those APIs on its own instead of needing manual intervention). However, the GitHub approval required on the EMU admin side will also need changes from GitHub.

In the current state, it is virtually impossible to onboard a large number of orgs to EMU at once onto Sourcegraph.

@pjlast
Contributor

pjlast commented Jul 18, 2024

Thanks @twarit-waikar! We're blocked by GitHub here, unfortunately. On the Sourcegraph side we could allow a GitHub App connection to iterate over all the orgs it has been installed on, but that still requires the App to be installed on each individual org on the GitHub side.
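
A coverage check for the GitHub App route discussed in this thread, as an added example that is not part of the issue or of Sourcegraph's code: given the enterprise's org list and the app's installation list, it reports which orgs still lack the app, have it suspended, or grant it only selected repositories. The org names and installation records are constructed; the field names are those of GitHub's installation object, and how the two lists are fetched is left out as an assumption.

```python
# Constructed sample data: not real orgs or installations.
ENTERPRISE_ORGS = ["emu-platform", "emu-payments", "emu-research", "emu-sandbox"]

# Shaped like entries returned by GitHub's "list installations for the
# authenticated app" endpoint (GET /app/installations), trimmed to the
# fields this check reads.
INSTALLATIONS = [
    {"account": {"login": "emu-platform"}, "target_type": "Organization",
     "repository_selection": "all", "suspended_at": None},
    {"account": {"login": "EMU-Payments"}, "target_type": "Organization",
     "repository_selection": "selected", "suspended_at": None},
    {"account": {"login": "emu-research"}, "target_type": "Organization",
     "repository_selection": "all", "suspended_at": "2024-07-01T00:00:00Z"},
    {"account": {"login": "svc-sourcegraph"}, "target_type": "User",
     "repository_selection": "all", "suspended_at": None},
]


def coverage_gaps(enterprise_orgs, installations):
    """Classify every enterprise org by how well the app installation covers it."""
    by_org = {}
    for inst in installations:
        if inst.get("target_type") != "Organization":
            continue  # an install on a user account does not cover an org
        # Org logins are case-insensitive, so compare in lower case.
        by_org[inst["account"]["login"].lower()] = inst

    report = {"covered": [], "not_installed": [], "partial": [], "suspended": []}
    for org in enterprise_orgs:
        inst = by_org.get(org.lower())
        if inst is None:
            report["not_installed"].append(org)  # app never installed here
        elif inst.get("suspended_at"):
            report["suspended"].append(org)      # installed but currently disabled
        elif inst.get("repository_selection") != "all":
            report["partial"].append(org)        # only hand-picked repos are visible
        else:
            report["covered"].append(org)
    return report


if __name__ == "__main__":
    for status, orgs in coverage_gaps(ENTERPRISE_ORGS, INSTALLATIONS).items():
        print(f"{status:14} {', '.join(orgs) or '-'}")
```

Run on a schedule, the `not_installed` list is the set of newly created orgs that still need a manual install.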
