app-registry / appr Goto Github PK

I have a chart that I want to contain a number of private dependencies stored in quay, is there a way inside my helm chart to reference these? For example

my_chart/requirements.yml would contain something like

 - name: my_dependant_chart
    version: 1.1.0
    repository: https://quay.io/mycompany/my_dependant_chart

It would be nice for an appr dependency in a helm requirements.yaml to pass through other helm dependency options than just name, version, and repository. A use case is the dependency option condition which allows a dependency to be enabled depending on a value in user supplied configuration.

For example:

appr:
- name: reg.my.company/org/chart
  version: 0.1.0
  condition: subdep.enabled

would result in

dependencies:
- name: chart
  version: 0.1.0
  repository: file://appr_charts/org/chart
  condition: subdep.enabled
appr:
- name: reg.my.company/org/chart
  version: 0.1.0
  condition: subdep.enabled

So I have the following use-case:

We use the Quay Enterprise Registry in combination with the App-Registry Helm plugin. We have multiple organizations with Application Repositories and each organization has it's own robot account. This requires that we can login with different robot accounts into the same registry at the same "time"(if we don't want to login before every push). In the .appr/auths.yaml the credentials are stored per URL/Registry.

It would be nice if we could set the APPR_CONF_DIR (which is already there in the source code) per command line so that we can switch "context" between helm registry calls, e.g.:

• login with robot account 1 (org1) => .appr/auths.yaml
• login with robot account 2 (org2) => .appr2/auths.yaml
• push Helm charts to org1 Application Repositories by using .appr/auths.yaml
• push Helm charts to org2 Application Repositories by using .appr2/auths.yaml

It looks like it's not possible to use the environment variables APPR_CONF_DIR when using appr as Helm plugin (it's just ignored):

export APPR_CONF_DIR=.appr2
helm registry login -k -u <user> -p <pw> <registry-url>
# credentials are still stored in ~/.appr/auths.yaml

A command line flag for the registry plugin would solve this.

Switch between public./ private

The there isn't an included executable for alpine in the 0.7.3 release. Has this target been removed?

Hi,

currently appr and accordingly the helm app registry plugin is only supported on Linux and OSX. Would it be possible to support it also on Windows?

As far as I'm aware there biggest problem is that the appr binary is build with travis ci (I didn"t look in detail at the GitLab build) and pyinstaller. Travis ci only builds on Linux and OSX and pyinstaller doesn't support cross-compilation. But I saw there is one release of appr-helm-plugin with a Windows binary.

We got it running on Windows by building the appr.exe locally and creating a Powershell version of cnr.sh.

Is there a solution for the cross-compilation problem?

Hi,

it would be nice if appr could provide an option to specify a custom keystore / bundle, so that it can be used with registries with self-signed certificates.

I tried to set the environment variable APPR_CA_BUNDLES to a folder with our CA pem file and to the CA file, which should be trusted, itself, e.g.:

export APPR_CA_BUNDLES=/tmp/certs/
# or
export APPR_CA_BUNDLES=/tmp/certs/Root-CA.pem

If i understand the documentation of requests correctly, this should work. But we only got:

Api-version: .. Connection error
Client-version: 0.6.1

I can only guess that the environment variable is not used correctly?

app-registry/appr-helm-plugin#17 (comment)

appr list quay.io/myns

instead of

appr list quay.io -o myns

Most of the time the '--media-type' is required because there is a single manifest type available.
This case is handled server-side, if the media type is "-': api/v1/packages/ns/name/1.0.3/-/pull

$ appr helm upgrade cr.vertiv.life/devops/elasticsearch:beta --namespace logging --tiller-namespace logging -f values.yaml monitoring                                                                      14:00 on Fri Sep 01
Traceback (most recent call last):
  File "PyInstaller/loader/rthooks/pyi_rth_multiprocessing.py", line 9, in <module>
ImportError: No module named spawn
[129] Failed to execute script pyi_rth_multiprocessing

The 0.7.1 release works without issue.

With a failed login and using the output flag to choose json, the output is not json.

The expectation is that the output will always be in the format requested.

$ helm registry login -u 'foo' -p 'bar' quay.io --output json
usage: appr [-h]
            {run-server,show,inspect,logout,plugins,helm,pull,list,delete-package,version,push,login,config,channel}
            ...
appr: error: 
message: '401 Client Error: UNAUTHORIZED for url: https://quay.io/cnr/api/v1/users/login'
response: '{"error":{"code":"unauthorized-access","details":{},"message":"Invalid Username or Password"}}

  '

Error: plugin "registry" exited with error

In the event that you're using version-locked helm paths but still have a helm in PATH, the wrong version of helm is used.

As part of kraken, we maintain the last known tested version of helm for each of the last 3 kubernetes releases, ie.

/opt/cnct/kubernetes/v1.5/bin/helm
/opt/cnct/kubernetes/v1.6/bin/helm
/opt/cnct/kubernetes/v1.7/bin/helm

and a symlink of /usr/bin/helm to /opt/cnct/kubernetes/v1.7/bin/helm`

This causes a helm registry install to fail as the client and server versions do not match when using helm from a path other than v1.7.

Please use the helm version from which appr is called.

Native Helm execution

$ helm upgrade --namespace logging --tiller-namespace logging -f ../values.yaml monitoring .
Error: UPGRADE FAILED: Deployment.apps "monitoring-elasticsearch-kibana" is invalid: spec.template.metadata.labels: Invalid value: map[string]string{"chart":"elasticsearch-0.1.2", "heritage":"Tiller", "release":"monitoring", "role":"kibana", "app":"monitoring-elasticsearch-kibana"}: `selector` does not match template `labels` && StatefulSet.apps "monitoring-elasticsearch-master" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'template', and 'updateStrategy' are forbidden. && StatefulSet.apps "monitoring-elasticsearch-client-2" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'template', and 'updateStrategy' are forbidden. && StatefulSet.apps "monitoring-elasticsearch-ext4-data" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'template', and 'updateStrategy' are forbidden. && StatefulSet.apps "monitoring-elasticsearch-data-gen2" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'template', and 'updateStrategy' are forbidden.
$ echo $?
1

vs. through appr

$ appr helm upgrade cr.vertiv.life/devops/[email protected] --namespace logging --tiller-namespace logging -f values.yaml monitoring
Error: UPGRADE FAILED: Deployment.apps "monitoring-elasticsearch-kibana" is invalid: spec.template.metadata.labels: Invalid value: map[string]string{"release":"monitoring", "role":"kibana", "app":"monitoring-elasticsearch-kibana", "chart":"elasticsearch-0.1.2", "heritage":"Tiller"}: `selector` does not match template `labels` && StatefulSet.apps "monitoring-elasticsearch-master" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'template', and 'updateStrategy' are forbidden. && StatefulSet.apps "monitoring-elasticsearch-client-2" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'template', and 'updateStrategy' are forbidden. && StatefulSet.apps "monitoring-elasticsearch-data-gen2" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'template', and 'updateStrategy' are forbidden. && StatefulSet.apps "monitoring-elasticsearch-ext4-data" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'template', and 'updateStrategy' are forbidden.

$ echo $?
0

In order to script around this, the exit code of helm execution needs to be reflected in the exit code of appr.

@registry_app.route("/api/v1/packages/string:namespace/string:package_name/string:version/
channels"

helm registry install quay.io/samsung_cnct/[email protected] --name ingress-nginx --namespace default --values /home/jjulian/.kraken/jjregistry/quay.io-ingress-nginx.helmvalues fails:

usage: appr [-h]
            {show,inspect,logout,plugins,helm,pull,list,delete-package,version,push,login,config,channel}
            ...
appr: error: unrecognized arguments: --name ingress-nginx --namespace default --values /home/jjulian/.kraken/jjregistry/quay.io-ingress-nginx.helmvalues

E0706 23:09:02.730713   16604 portforward.go:209] Unable to create listener: Error listen tcp6 [::1]:41323: bind: cannot assign requested address
Error: This command needs 1 argument: chart name
Error: plugin "registry" exited with error

In https://github.com/app-registry/appr/blob/master/appr/commands/plugins/helm/cnr.sh, the switches are all passed to appr pull. Unsupported switches should probably be silently ignored.

Further, the needed switches are not passed to helm install preventing it from being assigned the expected name or being installed into the correct namespace.

https://stackoverflow.com/questions/31836104/pyinstaller-and-onefile-how-to-include-an-image-in-the-exe-file

Often different robot account are configured per namespace or repo.
Currently login are stored per domain and we would like more fine control to scope auth per namespace / repo too.
spin-off: #61

"auths":
  "domain":
      "*": {token: auth}      # default auth for the domain
      "namespace":
           "*": {token: auth}   # default auth for the namespace
           "repo": {token: auth} # auth for the repo  

or

"auths":
  "domain": {token: auth}   # default auth for the domain
   "domain/namespace": {token: auth}   # default auth for the namespace
   "domain/namespace/repo": {token: auth}    # auth for the repo  

CLI:

appr login quay.io
appr login quay.io/namespace
appr login quay.io/namespace/repo

Very cool project!! I pulled down the repo and was able to get the server running just fine, but when I tried to run ./Documentation/test.sh all of the curl commands besides the ones that pull down charts failed with:

curl -XPOST http://localhost:5000/api/v1/packages/foo/bar -d '{"blob": "H4sIAP3mAFgAA+3OMQqEMBCF4ak9RU4gGaPxPClcVogKGou9/SpYrI2yhYjwf82DeVO8LvTtq5lS/gldlGvYhfflmlpX9jc3XtStV++KSsVqobUTYy/aszNPKYzGSOiT04O/s/6h3k2MQ3b3CgAAAAAAAAAAAAAAAADAv77X4+BWACgAAA==", "release": "1.0.1", "media_type": "kpm"}'
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on the server.  If you entered the URL manually please check your spelling and try again.</p>

because the helm code for requirements.yaml uses a map keyed on name aliased entries in the appr map get ignored when building dependancies. Switching this to an array would solve the issue.

now that https://github.com/app-registry/appr-helm-plugin has a windows release the name of the file that gets downloaded needs to be either passed in from the command line or be set based on what the operating system is.

the current solution doesn't work and fails with the following output:

appr plugins install helm
Traceback (most recent call last):
File "/usr/bin/appr", line 6, in
cli()
File "/usr/lib/python2.7/site-packages/appr/commands/cli.py", line 56, in cli
args.func(args)
File "/usr/lib/python2.7/site-packages/appr/commands/plugins.py", line 70, in _install
cmd.status = cls.plugins[plugin_name]['install_method'](plugin, cls.plugins[plugin_name])
File "/usr/lib/python2.7/site-packages/appr/commands/plugins.py", line 21, in install_helm_plugin
res.raise_for_status()
File "/usr/lib/python2.7/site-packages/requests/models.py", line 935, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 404 Client Error: Not Found for url: https://github.com/app-registry/appr-helm-plugin/releases/download/v0.7.0/registry-helm-plugin.tar.gz

When running:
helm registry install quay.io/myorg/chartname --name releaseName --namespace prod -f env-values-overrides/prod.yaml
If there was an error (for example: in the env-values-overrides/prod.yaml file an environment variable has a value but no name) and Kubernetes fails to deploy, there will be an error logged:

Error: release releaseName failed: Deployment.apps "prod-appName" is invalid: spec.template.spec.containers[0].env[3].name: Required value

But helm registry exists with a 0 (aka: false success)

if not using the plugin, helm errors with status 1

same problem exists for helm registry upgrade --install

I have the following in a .helmignore

/.git
/.gitlab-ci.yml
test/
appr_charts/

This doesn't actually ignore anything and is a divergence from the way helm processes .helmignore.

See the test cases for helm here

This syntax is also valid for other ignore formats. I think the current code wrongly includes the path to the current directory from the drive root.

https://docs.python.org/2/library/abc.html

And then require that instances passed to functionality constructors pass the instanceof check.

This will help implementers to make sure they are implementing the bases correctly.

Close to the json returned in the list /api/v1/packages.
Add:

• available manifests and default version:
  manifests: [{name: kpm, default: v1.2.3}, {name: 'helm', default: v1.4.0}