Dynamic Accounts with GitHub Cannot Use Token


Issue

Dynamic Accounts can be configured to use GitHub.com to store credentials, but this requires the account information to be stored as clear text. It cannot be stored encrypted, and it cannot use GitHub's token system either.

Cause

Dynamic Accounts use Spring Cloud Config to manage account access. Spring Cloud Config does not support S3 encryption for secrets in any configuration, since secret decryption happens at a different stage. It also cannot access GitHub via tokens. So for GitHub configurations, the credentials used to access the GitHub account can only be stored as clear text.

Solution

Because GitHub can only hold credentials as clear text when used with Spring Cloud Config, Armory advises storing your credentials in HashiCorp Vault instead.

https://docs.armory.io/docs/spinnaker-install-admin-guides/dynamic-accounts/

An example from Spinnaker Days for how one of our customers created their Dynamic Accounts can be found here:

https://github.com/spinnaker-hackathon/vault-spinnaker-dynamic-accounts

Please also note that GitHub Dynamic Accounts do not allow the kubeconfig to be set separately as an encrypted value. The kubeconfig files need to be accessible in the same repository as your Dynamic Account configuration.
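
The two Spring Cloud Config backends side by side, as an added example that is not taken from this article or from Armory's documentation. The property names are standard Spring Cloud Config Server settings; the repository URL, host, port and every <...> value are placeholders, and the settings belong in whichever profile file your installation uses for Spring Cloud Config.

```yaml
# Added example. All <...> values are placeholders, not real settings.

# Before: git backend. The username and password used to reach the
# GitHub repository sit in this file as clear text, as described above.
spring:
  profiles:
    include: git
  cloud:
    config:
      server:
        git:
          uri: https://github.com/<org>/<dynamic-accounts-repo>
          username: <github-user>
          password: <github-password>   # clear text
---
# After: Vault backend. Account definitions are read from a Vault
# secrets engine instead of a GitHub repository.
spring:
  profiles:
    include: vault
  cloud:
    config:
      server:
        vault:
          host: <vault-host>
          port: 8200                    # assumed Vault listener port
          scheme: https
          backend: <secrets-engine-mount>
          kvVersion: 2                  # assumes a KV version 2 engine
          default-key: <secret-name>
          token: <vault-token>
```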

As Tested On Version

2.20.x

More Info

https://github.com/spinnaker/clouddriver/pull/4227