From faa838f12aeb32f32dea7d808141069df42dc7d3 Mon Sep 17 00:00:00 2001 From: akuitybot <105087302+akuitybot@users.noreply.github.com> Date: Wed, 4 Dec 2024 23:49:52 -0800 Subject: [PATCH] chore(backport release-1.1): fix(creds): don't require base64 PK for GitHub Apps (#3061) --- docs/docs/30-how-to-guides/20-managing-credentials.md | 2 +- internal/credentials/kubernetes/github/app.go | 10 +++++++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/docs/docs/30-how-to-guides/20-managing-credentials.md b/docs/docs/30-how-to-guides/20-managing-credentials.md index af3ab4a6f..3cfb33836 100644 --- a/docs/docs/30-how-to-guides/20-managing-credentials.md +++ b/docs/docs/30-how-to-guides/20-managing-credentials.md @@ -297,7 +297,7 @@ in question, Kargo will also lose access. kargo.akuity.io/cred-type: git stringData: githubAppID: - githubAppPrivateKey: + githubAppPrivateKey: githubAppInstallationID: repoURL: repoURLIsRegex: diff --git a/internal/credentials/kubernetes/github/app.go b/internal/credentials/kubernetes/github/app.go index 9db1d1fba..e2abbb960 100644 --- a/internal/credentials/kubernetes/github/app.go +++ b/internal/credentials/kubernetes/github/app.go @@ -4,6 +4,7 @@ import ( "context" "crypto/sha256" "encoding/base64" + "errors" "fmt" "strconv" "time" @@ -138,7 +139,14 @@ func (a *appCredentialHelper) getAccessToken( ) (string, error) { decodedKey, err := base64.StdEncoding.DecodeString(encodedPrivateKey) if err != nil { - return "", fmt.Errorf("error decoding private key: %w", err) + if corruptInputErr := new(base64.CorruptInputError); !errors.As(err, &corruptInputErr) { + return "", fmt.Errorf("error decoding private key: %w", err) + } + + // If the key is not base64 encoded, it may be a raw key. Try using it + // as-is. We do this because initially, we required the PEM-encoded key + // to be base64 encoded (for reasons unknown today). + decodedKey = []byte(encodedPrivateKey) } appTokenSource, err := githubauth.NewApplicationTokenSource(appID, decodedKey) if err != nil {