chore(backport release-1.1): fix(creds): don't require base64 PK for …

…GitHub Apps (#3061)
akuity · Dec 5, 2024 · faa838f · faa838f
1 parent c7ed08e
commit faa838f
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/docs/docs/30-how-to-guides/20-managing-credentials.md b/docs/docs/30-how-to-guides/20-managing-credentials.md
@@ -297,7 +297,7 @@ in question, Kargo will also lose access.
         kargo.akuity.io/cred-type: git
     stringData:
       githubAppID: <app id>
-      githubAppPrivateKey: <base64-encoded private key>
+      githubAppPrivateKey: <PEM-encoded private key>
       githubAppInstallationID: <installation id>
       repoURL: <repo url>
       repoURLIsRegex: <true if repoURL is a pattern matching multiple repositories>

diff --git a/internal/credentials/kubernetes/github/app.go b/internal/credentials/kubernetes/github/app.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/sha256"
 	"encoding/base64"
+	"errors"
 	"fmt"
 	"strconv"
 	"time"
@@ -138,7 +139,14 @@ func (a *appCredentialHelper) getAccessToken(
 ) (string, error) {
 	decodedKey, err := base64.StdEncoding.DecodeString(encodedPrivateKey)
 	if err != nil {
-		return "", fmt.Errorf("error decoding private key: %w", err)
+		if corruptInputErr := new(base64.CorruptInputError); !errors.As(err, &corruptInputErr) {
+			return "", fmt.Errorf("error decoding private key: %w", err)
+		}
+
+		// If the key is not base64 encoded, it may be a raw key. Try using it
+		// as-is. We do this because initially, we required the PEM-encoded key
+		// to be base64 encoded (for reasons unknown today).
+		decodedKey = []byte(encodedPrivateKey)
 	}
 	appTokenSource, err := githubauth.NewApplicationTokenSource(appID, decodedKey)
 	if err != nil {