Add support for repo auth Secret and CA ConfigMap #192
6fa35f2 to 80a3fce
Manifest to test:

```yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  namespace: kube-system
  name: cert-manager
spec:
  targetNamespace: cert-manager
  version: v1.11.0
  chart: cert-manager
  repo: https://charts.jetstack.io
  authSecret:
    name: jetstack-auth
  repoCAConfigMap:
    name: jetstack-ca
  set:
    installCRDs: "true"
---
apiVersion: v1
kind: Secret
metadata:
  namespace: kube-system
  name: jetstack-auth
type: kubernetes.io/basic-auth
stringData:
  username: user
  password: pass
---
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: kube-system
  name: jetstack-ca
data:
  ca.crt: |-
    -----BEGIN CERTIFICATE-----
    MIIDzTCCArWgAwIBAgIQCjeHZF5ftIwiTv0b7RQMPDANBgkqhkiG9w0BAQsFADBa
    MQswCQYDVQQGEwJJRTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJl
    clRydXN0MSIwIAYDVQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTIw
    MDEyNzEyNDgwOFoXDTI0MTIzMTIzNTk1OVowSjELMAkGA1UEBhMCVVMxGTAXBgNV
    BAoTEENsb3VkZmxhcmUsIEluYy4xIDAeBgNVBAMTF0Nsb3VkZmxhcmUgSW5jIEVD
    QyBDQS0zMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEua1NZpkUC0bsH4HRKlAe
    nQMVLzQSfS2WuIg4m4Vfj7+7Te9hRsTJc9QkT+DuHM5ss1FxL2ruTAUJd9NyYqSb
    16OCAWgwggFkMB0GA1UdDgQWBBSlzjfq67B1DpRniLRF+tkkEIeWHzAfBgNVHSME
    GDAWgBTlnVkwgkdYzKz6CFQ2hns6tQRN8DAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0l
    BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8CAQAwNAYI
    KwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5j
    b20wOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL09t
    bmlyb290MjAyNS5jcmwwbQYDVR0gBGYwZDA3BglghkgBhv1sAQEwKjAoBggrBgEF
    BQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzALBglghkgBhv1sAQIw
    CAYGZ4EMAQIBMAgGBmeBDAECAjAIBgZngQwBAgMwDQYJKoZIhvcNAQELBQADggEB
    AAUkHd0bsCrrmNaF4zlNXmtXnYJX/OvoMaJXkGUFvhZEOFp3ArnPEELG4ZKk40Un
    +ABHLGioVplTVI+tnkDB0A+21w0LOEhsUCxJkAZbZB2LzEgwLt4I4ptJIsCSDBFe
    lpKU1fwg3FZs5ZKTv3ocwDfjhUkV+ivhdDkYD7fa86JXWGBPzI6UAPxGezQxPk1H
    goE6y/SJXQ7vTQ1unBuCJN0yJV0ReFEQPaA1IwQvZW+cwdFD19Ae8zFnWSfda9J1
    CZMRJCQUzym+5iPDuI9yP+kHyCREU3qzuWFloUwOxkgAyXVjBYdwRVKD05WdRerw
    6DEdfgkfCv4+3ao8XnTSrLE=
    -----END CERTIFICATE-----
```

Logs from pulling from a local repo that requires auth:
Also moves to storing chart values in a Secret instead of ConfigMap, to prevent accidental exposure of confidential information.

Signed-off-by: Brad Davidson <[email protected]>
@@ -355,6 +357,11 @@ func job(chart *v1.HelmChart) (*batch.Job, *corev1.ConfigMap, *corev1.ConfigMap) | |||
targetNamespace = chart.Spec.TargetNamespace | |||
} | |||
|
|||
chartName := chart.Spec.Chart | |||
if chart.Spec.Repo != "" { | |||
chartName = chart.Name + "/" + chart.Spec.Chart |
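Review bot: the assignment `chartName = chart.Name + "/" + chart.Spec.Chart` under `if chart.Spec.Repo != ""` has no comment explaining why the HelmChart's own name is used as the repo alias, so a reader of `job()` cannot tell that the prefix is what makes the repo's credentials apply. Add a short comment above the `if` stating that the repo is added under `chart.Name` and that the chart must be referenced as `repo/chart`. The prefix is applied whenever `Spec.Repo` is set, so it is also worth stating or testing what happens when `Spec.Chart` already contains a `/` or is a full URL.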
This seems a bit confusing, but it works with how the klipper-helm script installs the chart.
- the chart repo is added using `chart.Name` as the repo name
- the chart needs to be referenced as `repo/chart` in order for credentials specified when the repo is added to be used when installing or updating the chart. If the chart is referenced without a `repo/` prefix, but the bare repo URL passed in the `--repo` flag, the credentials will not be used.
@@ -566,9 +580,6 @@ func args(chart *v1.HelmChart) []string { | |||
if spec.TargetNamespace != "" { | |||
args = append(args, "--namespace", spec.TargetNamespace) | |||
} | |||
if spec.Repo != "" { | |||
args = append(args, "--repo", spec.Repo) |
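Review bot: with the `if spec.Repo != ""` branch removed from `args()`, nothing in this hunk shows `spec.Repo` reaching helm any more, so the install now depends entirely on the repo having been added under the name that `job()` uses as the chart prefix. A unit test for a chart with `Spec.Repo` set, asserting that the args no longer carry `--repo` and that the chart reference has the `name/chart` form, would tie the two changes together. The removal also changes behaviour for existing HelmCharts that set `repo` without `authSecret`, which deserves a line in the commit message.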
see above - we are now prefixing the repo name instead of passing the URL as a flag.
I suspect that because we were always passing this flag, the repo definition that we added with `helm repo add` was never being used at all.
v1.1.1
- `spec.authSecret` - should be a secret of type `kubernetes.io/basic-auth` with the `username` and `password` keys set.
- `spec.repoCAConfigMap`. The values of all keys in this ConfigMap will be merged with the value of `spec.repoCA`, and passed into helm as the `--ca-file` argument.

Linked Issues:
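
A pre-flight check for the two fields described above, as an added example that is not helm-controller's own code: `checkAuthSecret` and `mergeCA` are hypothetical helpers, the sorted-key merge order is an assumption, and the sample PEM body is a constructed placeholder. It checks PEM block structure only, not X.509 validity.

```go
package main

import (
	"encoding/pem"
	"fmt"
	"sort"
	"strings"
)

// checkAuthSecret (hypothetical): spec.authSecret must be basic-auth with both keys set.
func checkAuthSecret(secretType string, data map[string]string) error {
	if secretType != "kubernetes.io/basic-auth" {
		return fmt.Errorf("type %q, want kubernetes.io/basic-auth", secretType)
	}
	if data["username"] == "" || data["password"] == "" {
		return fmt.Errorf("username and password keys must both be set")
	}
	return nil
}

// mergeCA (hypothetical) joins spec.repoCA, taken as-is, with every ConfigMap value in sorted
// key order. A value with no CERTIFICATE block, another block type, or trailing data is rejected.
func mergeCA(repoCA string, cm map[string]string) (string, error) {
	keys := make([]string, 0, len(cm))
	for k := range cm {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	bundle := strings.TrimSpace(repoCA)
	for _, k := range keys {
		n, rest := 0, []byte(cm[k])
		for b, r := pem.Decode(rest); b != nil; b, r = pem.Decode(rest) {
			if b.Type != "CERTIFICATE" {
				return "", fmt.Errorf("key %q holds a %s block", k, b.Type)
			}
			n, rest = n+1, r
		}
		if n == 0 || strings.TrimSpace(string(rest)) != "" {
			return "", fmt.Errorf("key %q is not a clean list of PEM certificates", k)
		}
		bundle += "\n" + strings.TrimSpace(cm[k])
	}
	return strings.TrimSpace(bundle), nil
}

func main() {
	ca := "-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----" // constructed
	fmt.Println(checkAuthSecret("Opaque", map[string]string{"username": "user"}))
	fmt.Println(mergeCA("", map[string]string{"ca.crt": ca}))
}
```

Rejecting non-certificate blocks catches a private key pasted into the CA ConfigMap before it is merged into the file handed to `--ca-file`.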