helm / chartmuseum

helm chart repository server
https://chartmuseum.com
Apache License 2.0

GCS - No documentation for non-gke authentication #101

Open koalalorenzo opened 6 years ago

koalalorenzo commented 6 years ago

I have noticed on the helm chart for chartmuseum (stable/chartmuseum) that there is no way to pass the service account private file (.json file generated when creating the Storage Account created on Google Cloud).

What I am trying to do is to deploy chartmuseum, using the helm chart, and connecting it to a bucket on GCS, in a cluster that is not living on GKE. The documentation for both the chart and the chartmuseum does not provide any link or guide to set up Chartmuseum with GCS without GKE (that provides the credentials by default).

What I was able to achieve is to set up the environment variable GOOGLE_APPLICATION_CREDENTIALS in env.secret, but there is no other way to provide the file/mount an extra volume.

Here are the logs after deploying the helm chart:

W0409 18:04:32.223131   29387 cmd.go:353] log is DEPRECATED and will be removed in a future version. Use logs instead.
panic: dialing: google: error getting credentials using GOOGLE_APPLICATION_CREDENTIALS environment variable: open /data/hello-world.json: no such file or directory

goroutine 1 [running]:
github.com/kubernetes-helm/chartmuseum/pkg/storage.NewGoogleCSBackend(0xc420016016, 0x13, 0x0, 0x0, 0x0)
        /go/src/github.com/kubernetes-helm/chartmuseum/pkg/storage/google.go:24 +0x36d
main.googleBackendFromContext(0xc4201b4dc0, 0x6, 0xf38c5a)
        /go/src/github.com/kubernetes-helm/chartmuseum/cmd/chartmuseum/main.go:120 +0xe9
main.backendFromContext(0xc4201b4dc0, 0xd81f60, 0xc4202ce8e0)
        /go/src/github.com/kubernetes-helm/chartmuseum/cmd/chartmuseum/main.go:81 +0x3f9
main.cliHandler(0xc4201b4dc0)
        /go/src/github.com/kubernetes-helm/chartmuseum/cmd/chartmuseum/main.go:38 +0x43
github.com/kubernetes-helm/chartmuseum/vendor/github.com/urfave/cli.HandleAction(0xd7e6e0, 0xf6d800, 0xc4201b4dc0, 0xc4201b90e0, 0x0)
        /go/src/github.com/kubernetes-helm/chartmuseum/vendor/github.com/urfave/cli/app.go:492 +0x7c
github.com/kubernetes-helm/chartmuseum/vendor/github.com/urfave/cli.(*App).Run(0xc420214b60, 0xc42000a1a0, 0x2, 0x2, 0x0, 0x0)
        /go/src/github.com/kubernetes-helm/chartmuseum/vendor/github.com/urfave/cli/app.go:264 +0x6ac
main.main()
        /go/src/github.com/kubernetes-helm/chartmuseum/cmd/chartmuseum/main.go:34 +0x1ef

ilyasotkov commented 6 years ago

Also must keep in mind that in GKE the default access is read-only, so writing charts will fail with {"error":"googleapi: Error 403: Insufficient Permission, insufficientPermissions"} unless you add

https://www.googleapis.com/auth/devstorage.read_write

to scopes / oauth_scopes when creating your GKE cluster. Also that will only work if your GCS bucket is located under the same GCP project as the cluster.

koalalorenzo commented 6 years ago

Yes, my service account is already properly configured and it works if I use the json file in another setup :) I am trying to use it OUTSIDE Google cloud, as I can if I set it up locally... but the chart is not allowing me to do that

ipedrazas commented 6 years ago

I've just submitted a PR to add this functionality to the chartmuseum chart.

https://github.com/kubernetes/charts/pull/4904

jdolitsky commented 6 years ago

@ipedrazas that looks good to me! @koalalorenzo if the change above works for you I can merge it

koalalorenzo commented 6 years ago

Ideally it should work :) (the code looks kinda-good, but I need to test it) I am going to test this out in a few hours.

koalalorenzo commented 6 years ago

I am not able to test because after cloning the repository, changing the branch and directory, then blindly copy-pasting (and editing) I always get:

Error: This command needs 1 argument: chart name

ipedrazas commented 6 years ago

Which command gives you that error? I've just tested this command:

helm install stable/chartmuseum --debug  --set env.open.GOOGLE_SERVICE_ACCOUNT=true,env.open.STORAGE=google,env.open.DISABLE_API=false,env.open.STORAGE_GOOGLE_BUCKET=my-gcs-bucket,existing.secret.gcp.enabled=true,existing.secret.gcp.secretName=chartmuseum-secret

And this one that will use the cloned chart:

helm install ./stable/chartmuseum --debug  --set env.open.GOOGLE_SERVICE_ACCOUNT=true,env.open.STORAGE=google,env.open.DISABLE_API=false,env.open.STORAGE_GOOGLE_BUCKET=my-gcs-bucket,existing.secret.gcp.enabled=true,existing.secret.gcp.secretName=chartmuseum-secret

and both seem to work.

koalalorenzo commented 6 years ago

The one pointing to the local chart. It works now.

koalalorenzo commented 6 years ago

I found out that the helm chart is not mounting the configmap if GOOGLE_CREDENTIALS_JSON is only set in env.secret. I have reviewed the PR.

jdolitsky commented 6 years ago

@koalalorenzo @ipedrazas good to close this issue?