operator: introduce support for looking up GH app installation ID

cmd/cli/create_secret_githubapp.go

@@ -42,10 +42,11 @@ var createSecretGitHubAppCmd = &cobra.Command{
 }
 
 type createSecretGitHubAppFlags struct {
-	appID          string
-	installationID string
-	privateKeyFile string
-	baseURL        string
+	appID             string
+	installationOwner string
+	installationID    string
+	privateKeyFile    string
+	baseURL           string
 
 	annotations []string
 	labels      []string
@@ -58,8 +59,10 @@ var createSecretGitHubAppArgs createSecretGitHubAppFlags
 func init() {
 	createSecretGitHubAppCmd.Flags().StringVar(&createSecretGitHubAppArgs.appID, "app-id", "",
 		"GitHub App ID (required)")
+	createSecretGitHubAppCmd.Flags().StringVar(&createSecretGitHubAppArgs.installationOwner, "app-installation-owner", "",
+		"GitHub App Installation Owner (organization or user) (optional)")
 	createSecretGitHubAppCmd.Flags().StringVar(&createSecretGitHubAppArgs.installationID, "app-installation-id", "",
-		"GitHub App Installation ID (required)")
+		"GitHub App Installation ID (optional)")
 	createSecretGitHubAppCmd.Flags().StringVar(&createSecretGitHubAppArgs.privateKeyFile, "app-private-key-file", "",
 		"path to GitHub App private key file (required)")
 	createSecretGitHubAppCmd.Flags().StringVar(&createSecretGitHubAppArgs.baseURL, "app-base-url", "",
@@ -89,13 +92,22 @@ func createSecretGitHubAppCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	// Build the secret
+	var opts []secrets.GitHubAppOption
+	if owner := createSecretGitHubAppArgs.installationOwner; owner != "" {
+		opts = append(opts, secrets.WithGitHubAppInstallationOwner(owner))
+	}
+	if ID := createSecretGitHubAppArgs.installationID; ID != "" {
+		opts = append(opts, secrets.WithGitHubAppInstallationID(ID))
+	}
+	if u := createSecretGitHubAppArgs.baseURL; u != "" {
+		opts = append(opts, secrets.WithGitHubAppBaseURL(u))
+	}
 	secret, err := secrets.MakeGitHubAppSecret(
 		name,
 		*kubeconfigArgs.Namespace,
 		createSecretGitHubAppArgs.appID,
-		createSecretGitHubAppArgs.installationID,
 		string(privateKey),
-		createSecretGitHubAppArgs.baseURL,
+		opts...,
 	)
 	if err != nil {
 		return err

config/terraform/README.md

@@ -38,7 +38,7 @@ terraform apply \
   -var flux_version="2.x" \
   -var flux_registry="ghcr.io/fluxcd" \
   -var github_app_id="1" \
-  -var github_app_installation_id="2" \
+  -var github_app_installation_owner="org" \
   -var github_app_pem="$GITHUB_APP_PEM" \
   -var git_url="https://github.com/org/repo.git" \
   -var git_ref="refs/heads/main" \

config/terraform/main.tf

@@ -24,7 +24,7 @@ resource "kubernetes_secret" "git_auth" {
     username = var.git_token != "" ? "git" : null
     password = var.git_token != "" ? var.git_token : null
     githubAppID = var.github_app_id != "" ? var.github_app_id : null
-    githubAppInstallationID = var.github_app_installation_id != "" ? var.github_app_installation_id : null
+    githubAppInstallationOwner = var.github_app_installation_owner != "" ? var.github_app_installation_owner : null
     githubAppPrivateKey = var.github_app_pem != "" ? var.github_app_pem: null
   }
 

config/terraform/variables.tf

@@ -35,8 +35,8 @@ variable "github_app_id" {
   default     = ""
 }
 
-variable "github_app_installation_id" {
-  description = "GitHub App Installation ID"
+variable "github_app_installation_owner" {
+  description = "GitHub App Installation Owner"
   type        = string
   default     = ""
 }

docs/api/v1/resourcesetinputprovider.md

@@ -408,6 +408,7 @@ metadata:
   namespace: default
 stringData:
   githubAppID: "<GITHUB APP ID>"
+  githubAppInstallationOwner: "<GITHUB ORG OR USER>"
   githubAppInstallationID: "<GITHUB APP INSTALLATION ID>"
   githubAppBaseURL: <github-enterprise-api-url> # optional, for self-hosted GitHub Enterprise
   githubAppPrivateKey: |
@@ -424,6 +425,11 @@ spec:
     name: github-app
 ```
 
+Exactly one of `githubAppInstallationOwner` or `githubAppInstallationID` must be provided.
+If neither or both are provided, the reconciliation will fail with a misconfiguration error.
+When `githubAppInstallationOwner` is provided, the operator will look for the installation
+ID corresponding to the owner using the GitHub API.
+
 The GitHub App ID and Installation ID are integer numbers, so remember to quote them in the secret
 if using the `stringData` field as all values in this field must be strings.
 

go.mod

@@ -14,9 +14,9 @@ require (
 	github.com/fluxcd/pkg/apis/meta v1.24.0
 	github.com/fluxcd/pkg/auth v0.34.0
 	github.com/fluxcd/pkg/cache v0.12.0
-	github.com/fluxcd/pkg/git v0.39.0
+	github.com/fluxcd/pkg/git v0.40.0
 	github.com/fluxcd/pkg/kustomize v1.24.0
-	github.com/fluxcd/pkg/runtime v0.94.0
+	github.com/fluxcd/pkg/runtime v0.95.0
 	github.com/fluxcd/pkg/ssa v0.62.0
 	github.com/fluxcd/pkg/tar v0.16.0
 	github.com/fluxcd/pkg/version v0.11.0

go.sum

@@ -123,12 +123,12 @@ github.com/fluxcd/pkg/cache v0.12.0 h1:mabABT3jIfuo84VbIW+qvfqMZ7PbM5tXQgQvA2uo2
 github.com/fluxcd/pkg/cache v0.12.0/go.mod h1:HL/9cgBmwCdKIr3JH57rxrGdb7rOgX5Z1eJlHsaV1vE=
 github.com/fluxcd/pkg/envsubst v1.5.0 h1:S07mo+MkGhptdHA4pRze5HPKlc8tHxKswNdcMZi1WDY=
 github.com/fluxcd/pkg/envsubst v1.5.0/go.mod h1:c3a8DYI855sZUubHFYQbjfjop6Wu4/zg1cLyf7SnCes=
-github.com/fluxcd/pkg/git v0.39.0 h1:QydLWcsOso1BkO/ctE6ELlCFkhnGwpF2dUVa+R4aLp0=
-github.com/fluxcd/pkg/git v0.39.0/go.mod h1:MPhYH/ir7jr7cgQd75kWPHCGuJBu+sg7jzi0JPTSkKA=
+github.com/fluxcd/pkg/git v0.40.0 h1:B23gcdNqHQcVpp9P2BU4mrfFXGA8XFYi9mpy+5RDAQA=
+github.com/fluxcd/pkg/git v0.40.0/go.mod h1:MPhYH/ir7jr7cgQd75kWPHCGuJBu+sg7jzi0JPTSkKA=
 github.com/fluxcd/pkg/kustomize v1.24.0 h1:ckFB7hh9FpJA1Oy3bYl88p9On/zsZZTbwlLBgP6eUkA=
 github.com/fluxcd/pkg/kustomize v1.24.0/go.mod h1:cydG0vKpDuUaoP5STpKfxY3zqgzaARv5HsWDOFyt5nA=
-github.com/fluxcd/pkg/runtime v0.94.0 h1:z33lG+albHTmmcpZgV7DY5VVUZXFFAErnBBATDI2B5I=
-github.com/fluxcd/pkg/runtime v0.94.0/go.mod h1:/E4dT1pdSkidyRTR5ghSzoyHEUcEJw3ipvJt597ArOA=
+github.com/fluxcd/pkg/runtime v0.95.0 h1:Tz8vFOkA/L+LNRxxP0aWv9uQt3ytrTmXpvXFOz7k3Dw=
+github.com/fluxcd/pkg/runtime v0.95.0/go.mod h1:/E4dT1pdSkidyRTR5ghSzoyHEUcEJw3ipvJt597ArOA=
 github.com/fluxcd/pkg/sourceignore v0.15.0 h1:tB30fuk4jlB3UGlR7ppJguZ3zaJh1iwuTCEufs91jSM=
 github.com/fluxcd/pkg/sourceignore v0.15.0/go.mod h1:mZ9X6gNtNkq9ZsD35LebEYjePc7DRvB2JdowMNoj6IU=
 github.com/fluxcd/pkg/ssa v0.62.0 h1:YCNn6uhrrzL7IXy03ypAQ64H2U3stAAbCqkWjmw1tRA=

internal/controller/resourcesetinputprovider_controller_git_test.go

@@ -705,7 +705,7 @@ spec:
 }
 
 func TestResourceSetInputProviderReconciler_getGitHubToken_cached(t *testing.T) {
-	const key = "dd2ce27f135e666c946a3bd4657f4ffaf1d2c97d9a35b93336f467dcdd93a56b"
+	const key = "2fb26928de0418fa7b8f44c5c9629f7408035d751b751bedef50784ee1b1d900"
 
 	g := NewWithT(t)