Support aws s3 bucket as a helm repository

[arunpmohan]

What problem are you facing?

We are running the crossplane in the aws eks environment.
We want to keep our helm charts in aws s3 and pull and install using the helm provider.
However the helm provider today doesn't support s3 plugin.

How could Crossplane help solve your problem?

We would be interested in contributing s3 plugin support in provider helm. Is this something the community/maintainers would agree?

[arunpmohan]

Another note to add is that terraform helm already supports this plugin.

https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release

[turkenh]

This sounds good to me.
However, assuming we are not talking about public buckets only, I am wondering how we are planning to handle the authentication part.

It would be nice to see some examples of how this feature would be used (with public/private buckets) before starting the actual implementation.

[arunpmohan]

Sure. Just FYI we are using this https://github.com/hypnoglow/helm-s3 plugin sources to integrate it with s3.

So it would work the way this plugin works for authentication.

[turkenh]

So it would work the way this plugin works for authentication.

To be clear, I am more interested in the API, e.g. how users would provide the credentials etc. over k8s api.

[philippart]

Currently we are using a S3 bucket policy to grant read-only access from a specific VPC where crossplane is running.
Ideally we would want to use IRSA like provider-aws to authenticate with AWS.

[philippart]

Concretely we are proposing to configure the IAM Role ARN into a secret that can be referenced in the ProviderConfig as follows:

apiVersion: helm.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: helm-provider
spec:
  credentials:
    source: InjectedIdentity
  identity:
    type: AWSCredentials
     source: Secret
    secretRef:
      name: aws-credentials
      namespace: crossplane-system
      key: roleArn

[philippart]

I wish to amend the above proposal: the role ARN should be configured in a secret referenced by the Release object (spec.forProvider.chart.pullSecretRef) rather than the ProviderConfig. This is a clearer split between the helm install credentials and the helm pull credentials. And it is more consistent with the current API.

apiVersion: helm.crossplane.io/v1beta1
kind: Release
metadata:
  name: my-service
spec:
  forProvider:
    chart:
      name: my-chart
      repository: s3://repo/charts/
      version: v1.2.3
      pullSecretRef:
        name: s3-role
        namespace: crossplane-system
    namespace: my-namespace
---
apiVersion: v1
kind: Secret
metadata:  
  name: s3-role
type: Opaque
data:
  roleARN: arn:aws:iam::999999999999:role/s3-role

[johnathan-sq]

Were there any developments on this issue, I would like to fetch a helm chart from a private s3 bucket. Can't think of any solutions in the current state.