Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Per-resource authentication support for OCI registries #2911

Open
Tracked by #2823
mjeffryes opened this issue Mar 26, 2024 · 4 comments · May be fixed by #3314
Open
Tracked by #2823

Per-resource authentication support for OCI registries #2911

mjeffryes opened this issue Mar 26, 2024 · 4 comments · May be fixed by #3314
Assignees
@EronWright
Labels
area/helm awaiting-upstream The issue cannot be resolved without action in another repository (may be owned by Pulumi). kind/task Work that's part of an ongoing epic size/L Estimated effort to complete (up to 10 days).

Comments

@mjeffryes
Copy link
Member

mjeffryes commented Mar 26, 2024
edited by EronWright
Loading

#1914 is a highly upvoted issue for supporting authentication for OCI registries (to enable the use of private registries). Release/v3 and Chart/v4 automatically use the ambient credentials (from docker login or helm registry login). This ticket is about supporting adhoc credentials within the Pulumi program.
@mjeffryes mjeffryes mentioned this issue Mar 26, 2024
Open
@mjeffryes mjeffryes added the kind/task Work that's part of an ongoing epic label Mar 28, 2024
@blampe blampe self-assigned this Apr 22, 2024
@blampe blampe added area/helm size/L Estimated effort to complete (up to 10 days). labels Apr 22, 2024
@blampe blampe removed their assignment May 7, 2024
@blampe
Copy link
Contributor

blampe commented May 7, 2024
edited
Loading

To look into: per-resource credentials in addition to ambient creds.

Ambient creds do work.

@blampe blampe changed the title Release resource: Authentication support for OCI registries Release resource: Per-resource authentication support for OCI registries May 7, 2024
@EronWright
Copy link
Contributor

@blampe what does the Docker provider do about OCI registry authentication, and can we do the same here? My preference would be to use ambient credentials only.

@blampe
Copy link
Contributor

blampe commented Jul 3, 2024

@blampe what does the Docker provider do about OCI registry authentication, and can we do the same here? My preference would be to use ambient credentials only.

I thought we confirmed ambient creds already work but definitely double check that. If they do work, we might want to add something like "Make sure to run helm registry login beforehand..." to the docs if it's not already there.

Ambient creds are tenable, but they can be clunky because you now have some pre-conditions to setup in CI and local dev before your program is runnable. That's especially annoying if you're using short-lived credentials with something like ECR, although I'm not sure how common that is with Helm.

I interpret this issue and #1914 as asking for a way to authenticate as part of the Pulumi program directly. A way to eliminate this step, essentially:

This means that you have to do helm registry login or docker login before running pulumi.

Both of the Docker providers expose credentials on their resources as well as the provider. During an update, it layers credentials from the host, the provider, and the image in that order. The Docker Build provider has two modes, one where it uses an in-memory config file and another where it shells out to the Docker CLI. When running in exec mode we write the merged credentials to a temporary directory and point the CLI process at that by setting DOCKER_CONFIG. Importantly, the credentials provided by the Pulumi program never contaminate the host's ambient credentials, so there's no risk of accidentally leaving yourself logged in to production.

Implementation-wise this is all internal and not easily shared unless the Helm library consumes the docker.Cli interface. It would be really nice to use helm/helm#12584 but it looks like that's slipped to September. As a workaround it looks like Helm uses this library for auth which seems to respect DOCKER_CONFIG, so you could probably do a similar trick with temporary credentials on disk.

@alexandrst88
Copy link

is this any ETA to implement OCI login?

const oomkill = new k8s.helm.v4.Chart("oomkill", {
      chart: "oci://us-central1-docker.pkg.dev/myprivate-registry/oomkill-exporter",
      version: "2.1.2",
      repositoryOpts: {
        repo: "https://us-central1-docker.pkg.dev/",
        password: "some-jwt-token",
        username: "oauth2accesstoken",
      }
    },{
      ...opts,
      parent: this,
    })

i have long running stack creation, with a chain of helm release installation.

@EronWright EronWright changed the title Release resource: Per-resource authentication support for OCI registries Per-resource authentication support for OCI registries Aug 20, 2024
@blampe blampe mentioned this issue Sep 5, 2024
Closed
@EronWright EronWright linked a pull request Dec 4, 2024 that will close this issue
Draft
@EronWright EronWright added the awaiting-upstream The issue cannot be resolved without action in another repository (may be owned by Pulumi). label Dec 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@EronWright EronWright

Labels
area/helm awaiting-upstream The issue cannot be resolved without action in another repository (may be owned by Pulumi). kind/task Work that's part of an ongoing epic size/L Estimated effort to complete (up to 10 days).
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

helmv4: Use username/password with private OCI registries pulumi/pulumi-kubernetes
4 participants
@blampe @mjeffryes @EronWright @alexandrst88