Mirrors/flux2
1
0
Fork 0
mirror of synced 2026-02-06 19:05:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

[RFC-0002] Add auth specification for Helm OCI

Browse Source 
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
This commit is contained in:
Stefan Prodan
2022-08-24 15:11:13 +03:00
parent 9f26b09a06
commit 07de9d9ffe
1 changed files with 58 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
rfcs/0002-helm-oci/README.md
View File

@@ -4,7 +4,7 @@
**Creation date:** 2022-03-30
**Last update:** 2022-06-07
**Last update:** 2022-08-24
## Summary
@@ -32,12 +32,65 @@ they do today for container images.
## Proposal
Introduce an optional field called `type` to the `HelmRepository` spec.
When not specified, the `spec.type` field defaults to `default` which preserve the current `HelmRepository` API behaviour.
When the `spec.type` field is set to `oci`, the `spec.url` field must be prefixed with `oci://` (to follow the Helm conventions).
For `oci://` URLs, source-controller will use the Helm SDK and the `oras` library to connect to the OCI remote storage.
For authentication, the controller will use Kubernetes secrets of `kubernetes.io/dockerconfigjson` type.
Introduce an optional field called `provider` for
[context-based authorization](https://fluxcd.io/docs/security/contextual-authorization/)
to AWS, Azure and Google Cloud. The `spec.provider` is ignored when `spec.type` is set to `default`.
### Pull charts from private repositories
#### Basic auth
For private repositories hosted on GitHub, Quay, self-hosted Docker Registry and others,
the credentials can be supplied with:
```yaml
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: <repo-name>
spec:
type: oci
secretRef:
name: regcred
```
The `secretRef` points to a Kubernetes secret in the same namespace as the `HelmRepository`.
The [secret type](https://kubernetes.io/docs/concepts/configuration/secret/#secret-types)
must be `kubernetes.io/dockerconfigjson`:
```shell
kubectl create secret docker-registry regcred \
--docker-server=<your-registry-server> \
--docker-username=<your-name> \
--docker-password=<your-pword>
```
#### OIDC auth
When Flux runs on AKS, EKS or GKE, an IAM role (that grants read-only access to ACR, ECR or GCR)
can be used to bind the `source-controller` to the IAM role.
```yaml
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: <repo-name>
spec:
type: oci
provider: azure
```
The provider accepts the following values: `generic`, `aws`, `azure` and `gcp`. When the provider is
not specified, it defaults to `generic`. When the provider is set to `aws`, `azure` or `gcp`, the
controller will use a specific cloud SDK for authentication purposes.
If both `spec.secretRef` and a non-generic provider are present in the definition,
the controller will use the static credentials from the referenced secret.
### User Stories
@@ -181,3 +234,4 @@ The feature is enabled by default.
### TODOs
* [Add support for container registries with self-signed TLS certs](https://github.com/fluxcd/source-controller/issues/723)
* [Enable contextual login in OCI HelmRepository](https://github.com/fluxcd/source-controller/pull/873)