OCI registry authentication: Some registries will require different auth for different URIs about helm HOT 5 CLOSED

To make it easy to reproduce and understand what needs to change in Helm, could you provide me with the following?

• Concrete steps to configure gitlab (or any other freely available repository) with path/scoped based authorisation
• Any reference (preferably an upstream issue/PR/documentation) of the Buildkit extension

I know this is non-standard from ~/.docker/config.json point of view

This might be a sticking point when deciding on whether to add this support or not, but I'll leave that for later discussions

from helm.

All this is based on standard containers/podman/buildah containers-auth.json:

https://github.com/containers/image/blob/main/docs/containers-auth.json.5.md#format

In Gitlab, create to separate repositories; e.g.

• gitlab.com/mygroup/myproject1
• gitlab.com/mygroup/myproject2

each of these provide namespace for OCI registry, e.g.:

• registry.gitlab.com/mygroup/myproject1/mychart1
• registry.gitlab.com/mygroup/myproject2/mychart2

You can create access tokens for registry pull from each of those repositories/registries (Settings/AccessTokens)

• https://gitlab.com/mygroup/myproject1/-/settings/access_tokens
• https://gitlab.com/mygroup/myproject2/-/settings/access_tokens

Hence, each of these repos/registries have different authentication tokens.

(Note: as regular user you may not be confronted with this issue, because you use your global personal authentication, and you have access to both repos with same authentication token. However, in CI/CD you typically don't use user authentication, you use group/project scoped auth. tokens.)

(Note2: you typically create tokens on group level, not project level. But you still need different tokens to different groups.)

Now, your local mychart3 may want to add dependency to both mychart1 and mychart2:

apiVersion: v2
name: mychart3
version 1.0.0
dependencies:
- name: mychart1
  version: x
  repository: oci://registry.gitlab.com/mygroup/myproject1
- name: mychart2
  version: x
  repository: oci://registry.gitlab.com/mygroup/myproject2

and your config.json would look like:

{"auths": {
"registry.gitlab.com": {"auth": "base64-encoded-token1"}
}}

^^ This is broken. There is nowhere to put token2 for access to myproject2. helm-dep-up will fail.

You want:

{"auths": {
"registry.gitlab.com/mygroup/myproject1": {"auth": "token1"},
"registry.gitlab.com/mygroup/myproject2": {"auth": "token2"}
}}

This is only way to use helm in this scenario. (Not only helm, but OCI registry in general.)

This is already prototyped/standardized by kubernetes/containers/podman/buildah/buildkit/etc...

from helm.

@patrikbeno i am going to do a bit of research into what options we would be able to provide and if any, what enhancements need to be made. I'll circle back after i have a bit more information on the topic at hand

from helm.

note this duplicate: #11286

from helm.

will close in favor of the existing issue. I think #11286 (comment) is still the current state

from helm.