pulumi / pulumi-kubernetes

A Pulumi resource provider for Kubernetes to manage API resources and workloads in running clusters
https://www.pulumi.com/docs/reference/clouds/kubernetes/
Apache License 2.0

Helm OCI registry support is missing authentication #1914

Open SharpEdgeMarshall opened 2 years ago

SharpEdgeMarshall commented 2 years ago

Hello!

Issue details

The new feature that adds support for OCI registries to Helm Chart/Release is missing authentication management. This means that you have to do helm registry login or docker login before running pulumi.

It looks like the Helm SDK is missing support for receiving credentials for a registry on the fly, and instead requires you to pass a config file (generated by helm registry login).

Could we think about managing the authentication by generating the Helm config file on the fly based on the FetchOpts.username/password?

Affected area/feature

Helm Chart, Helm Release

SharpEdgeMarshall commented 2 years ago

any update?

lblackstone commented 2 years ago

Hey, sorry for the delayed response here. I think this makes sense for the helm.Release resource, but not for the helm.Chart resource under the current implementation. We'll take a look at what this change would involve, but I suspect that it should be fairly straightforward to hook into the underlying library for this.

SharpEdgeMarshall commented 2 years ago

Why should it be implemented only for one of the two?

lblackstone commented 2 years ago

> Why should it be implemented only for one of the two?

The implementation for helm.Chart doesn't support OCI registries at this time, so adding auth support would have to be part of a larger feature to add OCI support to that resource.

gencube commented 1 year ago

I'm not saying it is resolved. https://github.com/pulumi/pulumi-kubernetes/issues/1914 is still open. Ok. OCI Helm is an important issue to be resolved, or all EKS / AKS and other OCI protocol repos will not be able to install within pulumi.

mmisztal1980 commented 11 months ago

Is there a workaround for this?

EronWright commented 9 months ago

The scope seems small if limited to Release; the scope grows if Chart is included. The latter might be better solved by https://github.com/pulumi/pulumi-kubernetes/issues/1971.

blackat commented 2 months ago

Hello, I have encountered the same issue as others when pulling helm charts from an OCI registry. I have switched from Chart v4 to Resource v3 but it seems the authentication for OCI registries is not there yet (at least not for the Java SDK).

I have created a pull scoped token in ACR with its password, but it does not work:

      // Deploy a Helm Chart
      var chart = new Release("my-helm-charts", ReleaseArgs
          .builder()
          .chart("oci://mycontainerregistry.azurecr.io/helm/my-helm")
          .version("1.0.0-SNAPSHOT")
          .valueYamlFiles(new FileAsset(valuesAssetFileName))
          .repositoryOpts(RepositoryOptsArgs
              .builder()
              .repo("mycontainerregistry.azurecr.io")
              .username("myRepositoryPull")
              .password("xxxxxxxx")
              .build())
          .namespace(myNamespace.metadata().applyValue(n -> {
            if (n.name().isPresent()) {
              ctx.log().info("Namespace: " + n.name());
              return n.name().get();
            }
            ctx.log().info("Namespace: " + n.name() + " not found, install in default.");
            return null;
          }))
          .build());

Workaround: I log in via helm to the registry locally where I run the command.

Do you know please when the feature will be available?

EronWright commented 2 months ago

The repositoryOpts is applicable only for HTTP registries (Helm-native), not for OCI registries. For OCI, Pulumi relies on the ambient credentials, for example from docker login or helm registry login.

abarrerasan commented 2 weeks ago

I've tried to do a helm registry login before running a pulumi up, but it's not working. I want to use a private ECR. If I run helm by myself, it works, but with pulumi it does not. I think that there is a problem with the use of ambient credentials too.

Helm version: version.BuildInfo{Version:"v3.16.1", GitCommit:"5a5449dc42be07001fd5771d56429132984ab3ab", GitTreeState:"dirty", GoVersion:"go1.23.1"}

Pulumi about:

CLI
Version      3.135.1
Go Version   go1.23.2
Go Compiler  gc

Plugins
KIND      NAME        VERSION
resource  aws         6.55.0
resource  aws-native  0.105.0
resource  awsx        2.10.0
resource  docker      4.5.6
resource  eks         2.7.1
resource  kubernetes  4.18.1
language  python      unknown
resource  std         1.6.2

Host
OS       darwin
Version  15.0.1
Arch     arm64

This project is written in python

Python version: 3.12.7

I have the same issue detailed in #2364, but the closing comment redirects to this issue.

Does anyone have any other workaround? Or a fix?

SharpEdgeMarshall commented 2 weeks ago

> The repositoryOpts is applicable only for HTTP registries (Helm-native), not for OCI registries. For OCI, Pulumi relies on the ambient credentials, for example from docker login or helm registry login.

I think we are all aware of that; this issue is about proposing a way for pulumi to automatically authenticate without requiring any extra steps before running it (like most if not ALL the pulumi providers work).

abarrerasan commented 2 weeks ago

In the meantime, this is the workaround that I implemented and it's working for me:

  1. Create a new local chart.
  2. Add your private chart as a dependency.
  3. Use helm to build and manage the dependency updates and builds of the local chart.
  4. Use Pulumi to install the local chart.
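
The four steps above as a shell example, added here and not code from the thread or from the Pulumi project; the function names, registry host, user and chart names are constructed. It also reads the registry password from stdin and keeps the login in a throwaway registry config via HELM_REGISTRY_CONFIG, so the credential does not persist on the machine that runs Pulumi.

```shell
#!/bin/sh
# Added example: wrapper-chart workaround for a private OCI Helm dependency.
# Function names, registry host, user and chart names are constructed.

# Steps 1-2: create a minimal local chart that declares the private chart
# as a dependency. No credentials are written into the chart itself.
write_wrapper_chart() {
  dir=$1; dep_name=$2; dep_repo=$3; dep_version=$4
  case $dep_repo in
    oci://*) ;;
    *) echo "dependency repository must start with oci://" >&2; return 1 ;;
  esac
  mkdir -p "$dir" || return 1
  cat > "$dir/Chart.yaml" <<EOF
apiVersion: v2
name: $(basename "$dir")
version: 0.1.0
dependencies:
  - name: $dep_name
    version: "$dep_version"
    repository: "$dep_repo"
EOF
}

# Step 3: log in and let helm pull the dependency into <dir>/charts/.
# The password comes from stdin, so it never appears in argv or history;
# the login lives in a private temp directory that is removed afterwards.
build_wrapper_chart() {
  dir=$1; registry_host=$2; user=$3
  tmp=$(mktemp -d) || return 1
  export HELM_REGISTRY_CONFIG="$tmp/registry.json"
  rc=0
  helm registry login "$registry_host" --username "$user" --password-stdin &&
    helm dependency build "$dir" || rc=$?
  rm -rf "$tmp"
  unset HELM_REGISTRY_CONFIG
  return $rc
}

# Usage (constructed values; REGISTRY_PASSWORD is an assumed env variable):
#   write_wrapper_chart ./wrapper my-helm oci://registry.example.com/helm 1.0.0
#   printf '%s' "$REGISTRY_PASSWORD" |
#     build_wrapper_chart ./wrapper registry.example.com pull-user
# Step 4: point the Pulumi Helm resource at the local path ./wrapper.
```

Values meant for the private chart go under its dependency name (here `my-helm`) in the wrapper chart's values.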