chartsync: support Git HTTPS credentials using secret #172
Conversation
richardcase
changed the title
|
@richardcase I think this should be paused until we decide how to handle git/helm repos outside the HelmRelease spec. See #142 |
@stefanprodan - Sure. Although i really need this functionality for a specific scenario i'm working on. I'll work from a fork. If you need any help with #142 let me know |
|
If you need this then please make it more compact like in my proposal: spec:
releaseName: my-app
chart:
git: https://github.com/someonesomerepo.git
ref: master
path: charts/my-app
secretRef: #optional
name: git-basic-auth #requiredapiVersion: v1
kind: Secret
metadata:
name: git-basic-auth
type: Opaque
data:
username: <BASE64> #required
password: <BASE64> #required |
Sure i can do that. I will make that change now |
|
In addition to all of the above, instead of merging in |
Understood, that was a mess up my side....a case of PEBKAC |
richardcase
force-pushed
the
https
branch
2 times, most recently
from
4ccc1cd
to
5f5cfee
Compare
richardcase
changed the title
richardcase
changed the title
|
@stefanprodan @hiddeco - i've made the change to simplify the specifiying of the creds as suggested. So as suggested you have: spec:
releaseName: my-release
chart:
git: https://github.com/someorg/somerepo.git
ref: master
path: charts/my-chart
secretRef:
name: git-pwdapiVersion: v1
kind: Secret
metadata:
name: git-pwd
type: Opaque
data:
password: supersecret
username: joeblogs |
There was a problem hiding this comment.
Besides the in-code comments, I think the mirrorName function needs to be made smarter as the credentials from other HelmRelease resources (and namespaces) will now leak by configuring a source.GitURL (without credentials) that is already in use by another HelmRelease (with credentials).
You may get away with just adding the namespace, if I am not mistaken this is the same approach Flux uses for image pull secrets.
@hiddeco - i checked and flux does use the namespace. I changed the |
|
@richardcase thanks a lot 🥇 @stefanprodan can you take a look and see if this matches your expectations for the issue you mentioned? Feature wise it looks fine and mergeable to me (after I get rid of the persistent alias caused by the linter). |
hiddeco
changed the title
|
@hiddeco it looks Ok to me, it needs a rebase with master are you going to do that when fixing the aliases? |
|
@stefanprodan yep, will do the rebase and some minor fixes that triggered my OCD 👍 |
Started to add https basic authentication to the git chart source. the
username and password can be set as a static value or from a secret.
For example:
```yaml
spec:
releaseName: my-app
chart:
git: https://github.com/someonesomerepo.git
ref: master
path: charts/my-app
auth:
username:
value: joebloggs
password:
valueFrom:
name: git-pwd
key: authpwd
```
Relates to: fluxcd#94
There was a problem hiding this comment.
Rebased and tidied up, awesome contribution @richardcase 🙌 🍰
|
In the future we should consider adding support for cross-namespace secrets like we have done in #219 |
Added error handling/logging if there is an error reported when adding the auth details. Also added comments to new types.
Based on review feedback the way to specify the http auth credentials has been simplified so that you just provide a secret name. The referenced secret is assumed to have 2 keys: username, password.
Incorporated changes from review. Changed the mirror name to be and composite key comprising namespace, auth secret name and git url.
Based on review feedback the mirrot name logic has been changed to reduce duplicate mirrors if there are no creds
Started to add https basic authentication to the git chart source. the
username and password can be set as a static value or from a secret.
For example:
Still a work in progress
Relates to: #94