GoogleCloudPlatform / buildpacks

Builders and buildpacks designed to run on Google Cloud's container platforms
Apache License 2.0

Add support for private NuGet feeds #171

Open matthewrobertson opened 2 years ago

matthewrobertson commented 2 years ago

I would expect that configuring a feed in a solution level NuGet.config would just work, but that doesn't seem to be the case: https://github.com/GoogleCloudPlatform/functions-framework-dotnet/issues/236

sdesaiLULA commented 2 years ago

Any idea if or when this would be supported? Workarounds are appreciated too.

jhoak commented 2 years ago

I think there's a bit more nuance to the issue. There are two different concepts, customizing which NuGet feeds to use, and private NuGet feeds -- for example, you may point your NuGet config to get packages from a different source other than nuget.org; or you might point it at some internal private URL(s) which may require their own authentication.

In short I believe the 1st is not an issue with buildpacks, but the 2nd might be.

WRT the first issue -- I was able to use a nuget.config file at the solution level to point it at a different feed instead of nuget.org. Here is a modified and redacted version of my build output in Cloud Run (*by the way, this is .NET Core 3.1, instead of the brand new .NET 6 coming out, which doesn't seem to be GA yet, if I understand correctly):

[builder]   Determining projects to restore...
[builder] /layers/google.dotnet.sdk/sdk/sdk/3.1.421/NuGet.targets(128,5): error : Unable to load the service index for source https://pkgs.dev.azure.com/<myproject>/_packaging/<myfeed>/nuget/v3/index.json. [/workspace/<myproj-folder>/<myproj>.csproj]
[builder] /layers/google.dotnet.sdk/sdk/sdk/3.1.421/NuGet.targets(128,5): error :   Response status code does not indicate success: 401 (Unauthorized). [/workspace/<myproj-folder>/<myproj>.csproj]

In the above, you can see it does not use nuget.org. One reason this might be caused is not in this buildpacks repo, but because the author should use a <clear /> tag in their NuGet.config, at the solution level. Something like the below. NuGet aggregates package sources across multiple NuGet configs, including the solution folder config as well as machine/user-wide/other global settings, which might just include nuget.org as a default repo. (In my case, a clean install of Visual Studio 2022 Community gave me nuget.org in some kind of global setting on my machine... I'm not 100% sure where, to be honest.)

But having <clear /> at the top of the solution's nuget config in package sources, should limit package sources to that file (the example under "Settings walkthrough" is helpful here):

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <packageSources>
      <clear />
      <add key="MyPrivateFeed" value="https://somefeed.url/nuget/v3/index.json" />
    </packageSources>
</configuration>

On the other hand, in order to connect to a private feed, you'd need to be able to authenticate to that. In my example, I got a 401, which gives me the impression it's not supported yet -- is that right? This is a reasonable use case overall since devs want to be able to point away from public package sources, which can and have been compromised by malicious packages.

BTW, a solution to the problem might have to deal with MFA.
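
Added example, not part of the thread or of the buildpacks project: a simplified Python model of the package-source aggregation described in the comment above, usable as a pre-build check that only the intended feed will be queried. The function names, the sample configs and the merge model (only `<add>` and `<clear />` under `<packageSources>`, configs ordered from user level to solution level) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from the thread's real environment).
USER_CONFIG = """<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
</configuration>"""

SOLUTION_WITHOUT_CLEAR = """<configuration>
  <packageSources>
    <add key="MyPrivateFeed" value="https://somefeed.url/nuget/v3/index.json" />
  </packageSources>
</configuration>"""

# Same solution config, but with <clear /> as the first packageSources entry.
SOLUTION_WITH_CLEAR = SOLUTION_WITHOUT_CLEAR.replace(
    "<packageSources>", "<packageSources>\n    <clear />")


def effective_sources(configs):
    """Merge <packageSources> from configs ordered farthest-first
    (user/machine level) to nearest (solution level)."""
    sources = {}
    for xml_text in configs:
        root = ET.fromstring(xml_text)
        for node in root.findall("./packageSources/*"):
            if node.tag == "clear":
                sources.clear()  # drop every source inherited so far
            elif node.tag == "add":
                sources[node.get("key")] = node.get("value")
    return sources


def unexpected_sources(configs, allowed_urls):
    """Return sources that would be queried but are not on the allowlist."""
    return {key: url for key, url in effective_sources(configs).items()
            if url not in allowed_urls}


if __name__ == "__main__":
    allowed = {"https://somefeed.url/nuget/v3/index.json"}
    for name, cfg in [("without clear", SOLUTION_WITHOUT_CLEAR),
                      ("with clear", SOLUTION_WITH_CLEAR)]:
        print(name, unexpected_sources([USER_CONFIG, cfg], allowed))
```

A non-empty result from `unexpected_sources` means a public or inherited feed is still in play and can be treated as a build failure.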