Konflux FAS Service Account

jcapitao commented

2026-05-05 09:04:28 +00:00

The Konflux community recently announced the support of the forge [1].
In Atomic Dekstops SIG, we would like to start building the different variants with Konflux but we are blocked with a security limitation: the Forge/Gitea only offers the creation of application tokens tied to individual user accounts.
That token is used by Konflux to 1. create/manage the Pipeline-as-code webhooks and 2. Interact with the repo (PR creation, feedback comment on PR, etc).
In Gitlab, application tokens are tied to the repo itself which is more manageable.

That token is set as a secret within the Fedora Konflux tenant [2] i.e: a kubernetes namespace. So, anyone with admin Role could access the personal user token which is not desirable. Secondly, all the Konflux operations would appear with the name and profile picture of that user, which would be misleading.

One option is to create a Konflux FAS Service Account user managed by the releng team. One would add it as contributor to the repo that needs to be onboarded in the Fedora Konflux cluster. And then, a releng admin would create a token per tenant, or SIG, or project, the granularity needs to be defined.
In some, that process would replicate the GitHub Konflux app.

Creating a dedicated FAS username is an option, but a general Konflux service account is more desirable since others will likely need one as well.

What are your thoughts?

[1] forge/forge#232
[2] https://gitlab.com/fedora/infrastructure/konflux/tenants-config/-/tree/main

The Konflux community recently announced the support of the forge [1]. In Atomic Dekstops SIG, we would like to start building the different variants with Konflux but we are blocked with a security limitation: the Forge/Gitea only offers the creation of application tokens tied to individual user accounts. That token is used by Konflux to 1. create/manage the Pipeline-as-code webhooks and 2. Interact with the repo (PR creation, feedback comment on PR, etc). In Gitlab, application tokens are tied to the repo itself which is more manageable. That token is set as a secret within the Fedora Konflux tenant [2] i.e: a kubernetes namespace. So, anyone with admin Role could access the personal user token which is not desirable. Secondly, all the Konflux operations would appear with the name and profile picture of that user, which would be misleading. One option is to create a Konflux FAS Service Account user managed by the releng team. One would add it as contributor to the repo that needs to be onboarded in the Fedora Konflux cluster. And then, a releng admin would create a token per tenant, or SIG, or project, the granularity needs to be defined. In some, that process would replicate the GitHub Konflux app. Creating a dedicated FAS username is an option, but a general Konflux service account is more desirable since others will likely need one as well. What are your thoughts? [1] https://forge.fedoraproject.org/forge/forge/issues/232 [2] https://gitlab.com/fedora/infrastructure/konflux/tenants-config/-/tree/main

👍 1

siosm referenced this issue from atomic-desktops/tracker

2026-05-07 16:22:46 +00:00

Setup CI on the repo in the new forge #114

jnsamyak added the

labels

2026-05-08 05:01:27 +00:00

kevin commented

2026-05-11 16:25:31 +00:00

Owner

@ryanlerch any thoughts here or more clever ways to do things?

humaton commented

2026-05-13 19:00:39 +00:00

Owner

I don't think we currently have an elegant solution for this. There is this upstream feature request. We might put it on the forge roadmap, but private issues are the top priority.

I think that we should create and maintain konflux-forge-bot FAS account for now, and maintain access tokens.

I don't think we currently have an elegant solution for this. There is [this](https://codeberg.org/forgejo/forgejo/issues/4992) upstream feature request. We might put it on the forge roadmap, but private issues are the top priority. I think that we should create and maintain konflux-forge-bot FAS account for now, and maintain access tokens.

👍 1

jcapitao commented

2026-06-01 15:02:29 +00:00

Author

Right, https://codeberg.org/forgejo/forgejo/issues/4992 would be the long term fix.
If you're ok with the short term solution, could you provide us a token from that konflux-forge-bot FAS account please ? Then we'll be able to continue the Konflux integration.

Right, https://codeberg.org/forgejo/forgejo/issues/4992 would be the long term fix. If you're ok with the short term solution, could you provide us a token from that konflux-forge-bot FAS account please ? Then we'll be able to continue the Konflux integration.

👍 2

kevin commented

2026-06-03 23:06:24 +00:00

Owner

I've created the fas account, logged into forge with it, so it exists there now (password is in ansible-private).

Questions:

what scopes does konflux need? ( https://forgejo.org/docs/latest/user/token-scope/ )
How best can we get that token to you once we generate it?

I've created the fas account, logged into forge with it, so it exists there now (password is in ansible-private). Questions: * what scopes does konflux need? ( https://forgejo.org/docs/latest/user/token-scope/ ) * How best can we get that token to you once we generate it?

walters commented

2026-06-05 20:03:39 +00:00

Contributor

xref https://gitlab.com/fedora/bootc/base-images/-/work_items/51

walters commented

2026-06-05 20:06:58 +00:00

Contributor

I think this secret needs to be managed by the people managing the Fedora Konflux instance, as it's a global thing right?

I could imagine though that we have a service account per forgejo namespace (in which case, the token would need to be provided per tenant namespace AFAIU) but I don't know if the Konflux Forgjeo code supports that or not.

I think this secret needs to be managed by the people managing the Fedora Konflux instance, as it's a global thing right? I could imagine though that we have a service account per forgejo namespace (in which case, the token would need to be provided per tenant namespace AFAIU) but I don't know if the Konflux Forgjeo code supports that or not.

👍 1

siosm referenced this issue from council/tickets

2026-06-09 11:13:08 +00:00

Use "Fedora Atomic" as name for bootable container base images #569

siosm commented

2026-06-09 15:38:54 +00:00

what scopes does konflux need? ( https://forgejo.org/docs/latest/user/token-scope/ )

Reading https://konflux-ci.dev/docs/building/creating-forgejo/ again, the token needs:

In Select permissions, configure the following permissions:

issue: Read and write

organization: Read

repository: Read and write

user: Read

So if I understand correctly this means that we need to add the Konflux user as a member of the org where we want to use Konflux and grant it access to the repos.

But if we have a single user, and tokens are not scope by repos, wouldn't that mean that once we setup this token in Konflux then I can have Konflux tasks write to any repos in the Forge where Konflux is set up? Am I missing something?

So maybe we do need a per-org Konflux account so that we don't share the token and repo access to broadly.

> * what scopes does konflux need? ( https://forgejo.org/docs/latest/user/token-scope/ ) Reading https://konflux-ci.dev/docs/building/creating-forgejo/ again, the token needs: > In Select permissions, configure the following permissions: > * issue: Read and write > * organization: Read > * repository: Read and write > * user: Read So if I understand correctly this means that we need to add the Konflux user as a member of the org where we want to use Konflux and grant it access to the repos. But if we have a single user, and tokens are not scope by repos, wouldn't that mean that once we setup this token in Konflux then I can have Konflux tasks write to any repos in the Forge where Konflux is set up? Am I missing something? So maybe we do need a per-org Konflux account so that we don't share the token and repo access to broadly.

siosm commented

2026-06-09 15:41:16 +00:00

So this got me back to what Colin suggested: we likely need a service account per Forgejo namespace/org.

humaton commented

2026-06-09 16:00:35 +00:00

Owner

@siosm wrote in #13341 (comment):

But if we have a single user, and tokens are not scope by repos, wouldn't that mean that once we setup this token in Konflux then I can have Konflux tasks write to any repos in the Forge where Konflux is set up? Am I missing something?

There are 2 types of tokens in Forgejo, broad token for all the repos account has access to or token for specific repository

@siosm wrote in https://forge.fedoraproject.org/releng/tickets/issues/13341#issuecomment-819053: > But if we have a single user, and tokens are not scope by repos, wouldn't that mean that once we setup this token in Konflux then I can have Konflux tasks write to any repos in the Forge where Konflux is set up? Am I missing something? There are 2 types of tokens in Forgejo, broad token for all the repos account has access to or token for [specific repository](https://forgejo.org/docs/latest/user/token-scope/#specific-repositories)

lenkaseg commented

2026-06-09 16:08:39 +00:00

Contributor

@humaton wrote in #13341 (comment):

@siosm wrote in #13341 (comment):

But if we have a single user, and tokens are not scope by repos, wouldn't that mean that once we setup this token in Konflux then I can have Konflux tasks write to any repos in the Forge where Konflux is set up? Am I missing something?

There are 2 types of tokens in Forgejo, broad token for all the repos account has access to or token for specific repository

Not sure if the repo scoped token can be used for Konflux needs. I was getting "token with not enough permissions" with it.
Konflux needs: issue r+w, org r, repo r+w, user r.
Repo scoped token can have max repo r+w, issue r+w
Edit: actually Konflux needed write:user as well IIRC

@humaton wrote in https://forge.fedoraproject.org/releng/tickets/issues/13341#issuecomment-819057: > @siosm wrote in #13341 (comment): > > > But if we have a single user, and tokens are not scope by repos, wouldn't that mean that once we setup this token in Konflux then I can have Konflux tasks write to any repos in the Forge where Konflux is set up? Am I missing something? > > There are 2 types of tokens in Forgejo, broad token for all the repos account has access to or token for [specific repository](https://forgejo.org/docs/latest/user/token-scope/#specific-repositories) Not sure if the repo scoped token can be used for Konflux needs. I was getting "token with not enough permissions" with it. Konflux needs: issue r+w, org r, repo r+w, user r. Repo scoped token can have max repo r+w, issue r+w Edit: actually Konflux needed write:user as well IIRC

siosm commented

2026-06-09 18:13:09 +00:00

I'm confused now. I though that repo scoped token was still an RFE: https://codeberg.org/forgejo/forgejo/issues/4992

Rows
Columns

Konflux FAS Service Account #13341