Comments (5)
banjoh
commented on June 17, 2024
To make it easy to reproduce and understand what needs to change in Helm, could you provide me with the following?
- Concrete steps to configure gitlab (or any other freely available repository) with path/scoped based authorisation
- Any reference (preferably an upstream issue/PR/documentation) of the Buildkit extension
I know this is non-standard from ~/.docker/config.json point of view
This might be a sticking point when deciding on whether to add this support or not, but I'll leave that for later discussions
from helm.
patrikbeno
commented on June 17, 2024
All this is based on standard containers/podman/buildah containers-auth.json:
https://github.com/containers/image/blob/main/docs/containers-auth.json.5.md#format
In Gitlab, create to separate repositories; e.g.
- gitlab.com/mygroup/myproject1
- gitlab.com/mygroup/myproject2
each of these provide namespace for OCI registry, e.g.:
- registry.gitlab.com/mygroup/myproject1/mychart1
- registry.gitlab.com/mygroup/myproject2/mychart2
You can create access tokens for registry pull from each of those repositories/registries (Settings/AccessTokens)
- https://gitlab.com/mygroup/myproject1/-/settings/access_tokens
- https://gitlab.com/mygroup/myproject2/-/settings/access_tokens
Hence, each of these repos/registries have different authentication tokens.
(Note: as regular user you may not be confronted with this issue, because you use your global personal authentication, and you have access to both repos with same authentication token. However, in CI/CD you typically don't use user authentication, you use group/project scoped auth. tokens.)
(Note2: you typically create tokens on group level, not project level. But you still need different tokens to different groups.)
Now, your local mychart3 may want to add dependency to both mychart1 and mychart2:
apiVersion: v2
name: mychart3
version 1.0.0
dependencies:
- name: mychart1
version: x
repository: oci://registry.gitlab.com/mygroup/myproject1
- name: mychart2
version: x
repository: oci://registry.gitlab.com/mygroup/myproject2
and your config.json would look like:
{"auths": {
"registry.gitlab.com": {"auth": "base64-encoded-token1"}
}}
^^ This is broken. There is nowhere to put token2 for access to myproject2. helm-dep-up will fail.
You want:
{"auths": {
"registry.gitlab.com/mygroup/myproject1": {"auth": "token1"},
"registry.gitlab.com/mygroup/myproject2": {"auth": "token2"}
}}
This is only way to use helm in this scenario. (Not only helm, but OCI registry in general.)
This is already prototyped/standardized by kubernetes/containers/podman/buildah/buildkit/etc...
from helm.
sabre1041
commented on June 17, 2024
@patrikbeno i am going to do a bit of research into what options we would be able to provide and if any, what enhancements need to be made. I'll circle back after i have a bit more information on the topic at hand
from helm.
gjenkins8
commented on June 17, 2024
note this duplicate: #11286
from helm.
gjenkins8
commented on June 17, 2024
will close in favor of the existing issue. I think #11286 (comment) is still the current state
from helm.
Related Issues (20)
- Helm version for v3.15.0 reports v3.15.0-rc.2 HOT 12
- Overriding Helm chart dependency version in parent chart HOT 2
- error converting YAML to JSON: did not find exected key HOT 1
- error converting YAML to JSON: yaml: line 22: did not find expected key HOT 7
- Update backward compatibility promise in CONTRIBUTING.md to reflect HIP 0004 HOT 3
- Helm Apt install/package is broken and can't be installed HOT 5
- How to instruct Helm not to add "managed-by" label to the STS HOT 2
- Make retryingRoundTripper type public HOT 1
- Unexpected HELM validation manifests behaviour HOT 1
- [Feature] Custom versioning support HOT 1
- Helm Chart Dependency Versions in chart.lock Not Matching Specified Versions
- Helm doesn't report the right status of the job
- Is mapkubeapis plugin recommended for production by helm for manipulating release manifest ?
- Version 3.15.0 for linux-amd64 is not published. HOT 2
- binary from helm-v3.15.0-linux-amd64.tar.gz reports wrong version HOT 1
- json value gets merged when using custom values yaml file instead of overriding
- Use of Helm build-in objects in Helm templates inside JSON files
- Make funcMap public for unit testing syntax of templates
- The randAscii function returns an error after multiple --dry-run tests HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from helm.