From 07de9d9ffe5e868b2a50fff1c3898bb632f93ad4 Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Wed, 24 Aug 2022 15:11:13 +0300 Subject: [PATCH] [RFC-0002] Add auth specification for Helm OCI Signed-off-by: Stefan Prodan --- rfcs/0002-helm-oci/README.md | 62 +++++++++++++++++++++++++++++++++--- 1 file changed, 58 insertions(+), 4 deletions(-) diff --git a/rfcs/0002-helm-oci/README.md b/rfcs/0002-helm-oci/README.md index d3abe0a9..40ba19b2 100644 --- a/rfcs/0002-helm-oci/README.md +++ b/rfcs/0002-helm-oci/README.md @@ -4,7 +4,7 @@ **Creation date:** 2022-03-30 -**Last update:** 2022-06-07 +**Last update:** 2022-08-24 ## Summary 
@@ -32,12 +32,65 @@ they do today for container images. ## Proposal Introduce an optional field called `type` to the `HelmRepository` spec. - When not specified, the `spec.type` field defaults to `default` which preserve the current `HelmRepository` API behaviour. - When the `spec.type` field is set to `oci`, the `spec.url` field must be prefixed with `oci://` (to follow the Helm conventions). For `oci://` URLs, source-controller will use the Helm SDK and the `oras` library to connect to the OCI remote storage. -For authentication, the controller will use Kubernetes secrets of `kubernetes.io/dockerconfigjson` type. + +Introduce an optional field called `provider` for +[context-based authorization](https://fluxcd.io/docs/security/contextual-authorization/) +to AWS, Azure and Google Cloud. The `spec.provider` is ignored when `spec.type` is set to `default`. + + +### Pull charts from private repositories + +#### Basic auth + +For private repositories hosted on GitHub, Quay, self-hosted Docker Registry and others, +the credentials can be supplied with: + +```yaml +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: +spec: + type: oci + secretRef: + name: regcred +``` + +The `secretRef` points to a Kubernetes secret in the same namespace as the `HelmRepository`. +The [secret type](https://kubernetes.io/docs/concepts/configuration/secret/#secret-types) +must be `kubernetes.io/dockerconfigjson`: + +```shell +kubectl create secret docker-registry regcred \ + --docker-server= \ + --docker-username= \ + --docker-password= +``` + +#### OIDC auth + +When Flux runs on AKS, EKS or GKE, an IAM role (that grants read-only access to ACR, ECR or GCR) +can be used to bind the `source-controller` to the IAM role. + +```yaml +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: +spec: + type: oci + provider: azure +``` + +The provider accepts the following values: `generic`, `aws`, `azure` and `gcp`. 
When the provider is +not specified, it defaults to `generic`. When the provider is set to `aws`, `azure` or `gcp`, the +controller will use a specific cloud SDK for authentication purposes. + +If both `spec.secretRef` and a non-generic provider are present in the definition, +the controller will use the static credentials from the referenced secret. ### User Stories @@ -181,3 +234,4 @@ The feature is enabled by default. ### TODOs * [Add support for container registries with self-signed TLS certs](https://github.com/fluxcd/source-controller/issues/723) +* [Enable contextual login in OCI HelmRepository](https://github.com/fluxcd/source-controller/pull/873) \ No newline at end of file
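Review bot: In the `@@ -32,12 +32,65 @@` hunk, both `HelmRepository` examples under "Pull charts from private repositories" omit `spec.url`, although the paragraph just above states that for `type: oci` the `spec.url` field must be prefixed with `oci://`; adding a `url: oci://...` line to both examples would make them valid objects and show the convention the text requires. In the same hunk the placeholder values are empty (`name:`, `--docker-server=`, `--docker-username=`, `--docker-password=`), which suggests angle-bracket placeholders were dropped by markdown rendering; wrapping them in backticks or using a literal sample name would keep them visible. The OIDC sentence "an IAM role ... can be used to bind the `source-controller` to the IAM role" is circular and should say what is bound to what (the controller's service account to the cloud identity that holds read-only registry access). Finally, the precedence rule "If both `spec.secretRef` and a non-generic provider are present ... the controller will use the static credentials" is a silent override; consider stating that the controller emits a warning or condition in that case so a misconfigured `provider` does not go unnoticed.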
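Review bot: The `@@ -181,3 +234,4 @@` hunk adds the TODO entry without a trailing newline (`\ No newline at end of file`); add the final newline so the next change to this file does not produce a spurious diff on this line.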