pulumi / pulumi-kubernetes

A Pulumi resource provider for Kubernetes to manage API resources and workloads in running clusters
https://www.pulumi.com/docs/reference/clouds/kubernetes/
Apache License 2.0
396 stars, 113 forks

Release resource: Per-resource authentication support for OCI registries #2911

Open mjeffryes opened 3 months ago

mjeffryes commented 3 months ago

https://github.com/pulumi/pulumi-kubernetes/issues/1914 is a highly upvoted issue for supporting authentication for OCI registries (to enable the use of private registries). This ticket is intended to cover just the work required to enable this for the Release resource. (Chart will be addressed separately, as suggested here.)

blampe commented 1 month ago

To look into: per-resource credentials in addition to ambient creds.

Ambient creds do work.

EronWright commented 2 days ago

@blampe what does the Docker provider do about OCI registry authentication, and can we do the same here? My preference would be to use ambient credentials only.

blampe commented 1 day ago

> @blampe what does the Docker provider do about OCI registry authentication, and can we do the same here? My preference would be to use ambient credentials only.

I thought we confirmed ambient creds already work but definitely double check that. If they do work, we might want to add something like "Make sure to run helm registry login beforehand..." to the docs if it's not already there.

Ambient creds are tenable, but they can be clunky because you now have some pre-conditions to set up in CI and local dev before your program is runnable. That's especially annoying if you're using short-lived credentials with something like ECR, although I'm not sure how common that is with Helm.

I interpret this issue and #1914 as asking for a way to authenticate as part of the Pulumi program directly. A way to eliminate this step, essentially:

> This means that you have to do helm registry login or docker login before running pulumi.

Both of the Docker providers expose credentials on their resources as well as the provider. During an update, it layers credentials from the host, the provider, and the image in that order. The Docker Build provider has two modes, one where it uses an in-memory config file and another where it shells out to the Docker CLI. When running in exec mode we write the merged credentials to a temporary directory and point the CLI process at that by setting DOCKER_CONFIG. Importantly, the credentials provided by the Pulumi program never contaminate the host's ambient credentials, so there's no risk of accidentally leaving yourself logged in to production.

Implementation-wise this is all internal and not easily shared unless the Helm library consumes the docker.Cli interface. It would be really nice to use https://github.com/helm/helm/issues/12584 but it looks like that's slipped to September. As a workaround it looks like Helm uses this library for auth which seems to respect DOCKER_CONFIG, so you could probably do a similar trick with temporary credentials on disk.
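The credential-layering and DOCKER_CONFIG trick described above, as an added Go sketch that is not code from pulumi-kubernetes or the Docker providers: host, provider and resource credentials are merged (later layers win per registry) into a Docker-style config.json inside a private temp directory, which a child helm/docker CLI can be pointed at via DOCKER_CONFIG, so the host's own ~/.docker/config.json is never modified. The RegistryAuth type and the function names are assumptions made for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"os"
	"path/filepath"
)

// RegistryAuth is one registry credential (hypothetical type for this example).
type RegistryAuth struct{ Registry, Username, Password string }

type authEntry struct{ Auth string `json:"auth"` }                    // base64("username:password")
type dockerConfig struct{ Auths map[string]authEntry `json:"auths"` } // the part Helm's OCI client reads

// WriteTempDockerConfig layers credential sets in order (host, provider, resource; later
// layers win per registry), writes them to a fresh private temp dir and returns that directory
// to pass as DOCKER_CONFIG to the CLI. The host's ~/.docker/config.json is never modified.
func WriteTempDockerConfig(layers ...[]RegistryAuth) (string, error) {
	cfg := dockerConfig{Auths: map[string]authEntry{}}
	for _, layer := range layers {
		for _, a := range layer {
			enc := base64.StdEncoding.EncodeToString([]byte(a.Username + ":" + a.Password))
			cfg.Auths[a.Registry] = authEntry{Auth: enc} // later layers overwrite earlier ones
		}
	}
	dir, err := os.MkdirTemp("", "pulumi-oci-auth-")
	if err != nil {
		return "", err
	}
	data, _ := json.Marshal(cfg) // cannot fail for this plain struct
	// 0600: the file holds secrets, so only the current user may read it.
	return dir, os.WriteFile(filepath.Join(dir, "config.json"), data, 0o600)
}

// ReadAuth decodes one registry's "username:password" back out of a DOCKER_CONFIG directory.
func ReadAuth(dir, registry string) (string, error) {
	data, err := os.ReadFile(filepath.Join(dir, "config.json"))
	if err != nil {
		return "", err
	}
	var cfg dockerConfig
	if err := json.Unmarshal(data, &cfg); err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(cfg.Auths[registry].Auth)
	return string(raw), err
}
```

Remove the directory once the CLI process exits so the short-lived credentials do not outlive the update.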