feat: Support Bearer token auth when get chart #8447
base: main
Thanks for the PR linked to the issue. Helm follows SemVer, so the function signature cannot change.
@mattfarina Would you please review again? Thanks.
} | ||
|
||
// FindChartInAuthRepoURL finds chart in chart repository pointed by repoURL | ||
// without adding repo to repositories, like FindChartInRepoURL, | ||
// but it also receives credentials for the chart repository. | ||
// Deprecated: this function is deprecated and will be removed in Helm 4, please use FindChartInRepoURLWithAuth instead. |
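Review bot: the `Deprecated:` notice on the last line of this hunk runs directly on from the description above it, but Go tooling (godoc, staticcheck's SA1019) only treats a deprecation as such when `Deprecated:` opens its own paragraph; insert an empty `//` line between `// but it also receives credentials for the chart repository.` and `// Deprecated: ...` so callers actually get the warning that points them at FindChartInRepoURLWithAuth.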
@mattfarina - do you think this is the best way to avoid modifying the public API? I'm not coming up with a good alternative given that this function takes other positional args such as "username" and "password".
Should we take this moment to redesign the function to be more future-proof, in case there are more args? We can maybe use options to do things like FindChartInRepoURLWithAuth(WithCaFile(...), WithToken(...) ... instead?
@jdolitsky I think this is a good way as you said.
@mattfarina I can update my commit if you agree with this.
@jdolitsky I have updated my commit, would you please review again? Thanks.
Sorry for the delay. Looks pretty good! Just one comment.
pkg/repo/chartrepo.go
// Download and write the index file to a temporary location | ||
buf := make([]byte, 20) | ||
rand.Read(buf) | ||
name := strings.ReplaceAll(base64.StdEncoding.EncodeToString(buf), "/", "-") | ||
repoOpts := options{} | ||
for _, opt := range opts { | ||
opt(&repoOpts) | ||
} | ||
|
||
c := Entry{ | ||
URL: repoOpts.repoURL, | ||
Username: repoOpts.username, | ||
Password: repoOpts.password, | ||
CertFile: repoOpts.certFile, | ||
KeyFile: repoOpts.keyFile, | ||
CAFile: repoOpts.caFile, | ||
Name: name, | ||
Token: repoOpts.token, | ||
} | ||
r, err := NewChartRepository(&c, getters) |
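Review bot: `rand.Read(buf)` on the third line of this hunk discards both return values, so a failed read leaves `buf` all zeros and every caller derives the same "random" temporary name, which defeats the collision avoidance the comment describes; check it, e.g. `if _, err := rand.Read(buf); err != nil { return ..., err }` shaped to this function's return values. The Entry literal below also populates Username/Password and Token side by side without stating which wins when both are set; a one-line doc comment on the new function saying how the getter chooses would save the next reader a trip into the HTTP getter.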
Since most of this (besides the part relating to the token) is reused from FindChartInAuthRepoURL, can we move it into a private helper function such as findChartInAuthRepoURL(token) so that the file has fewer lines of code overall?
@jdolitsky I have updated my commit, would you please review again? Thanks.
LGTM
Needs a rebase before it can be merged.
Done.
I wanted to share the hold up I'm having with this PR.
Someone should not pass the bearer token in via the command because it will get caught up in the shell history. This is a security issue. Avoiding this with passwords is why Helm has the ability to read it from stdin.
There is also the case that the bearer token changes. Storing the bearer token so that it's used 6 months or a year from now doesn't seem like a good idea. It should expire. How does someone update that?
Does anyone have thoughts on these issues?
You can always set the token in an env var and pass it with --token $MYTOKEN. Maybe eventually having a --token-stdin like In addition to my previous comment, this also happens with
Not sure I follow. Updating and rotating the token should be the user's concern? I guess the same happens with username/password also, right?
The Helm project is rounding out a second security review that included things like a threat analysis. The details will be released soon. These types of things were a topic of conversation in that process. This is the kind of security some ask of Helm. When you specify a username and no password, Helm will prompt you to enter it via stdin. This way it's not caught in the shell history. The usage of stdin matters. For this example, I'll use CircleCI. CircleCI has something called secrets masking where the value of an environment variable is masked when used with print and echo. That means it won't, for example, be masked if you use it with the A password could be inadvertently exposed through a CI system. This is something we want to take seriously on Helm. In the name of security, we need a stdin based method to accept a token. That way you can do something like...
This security issue is my primary hangup.
I'm not going to go against something that improves the security of any project. If we can add this feature also it'd be awesome. Not sure what @lemonli's bandwidth is to do it.
Any update here? It is a useful feature. Can we separate the submission into more steps, first with --token $MYTOKEN, and a 2nd step to add "--token-stdin"?
I hope @jdolitsky or @lemonli can have a chance to make a workaround for --token-stdin soon.
Sorry for the delay. I will update my commit to support
@mattfarina I have updated my commit, looking forward to your reply.
Hi folks, any update on when this might become available?
Signed-off-by: lemonli <liwenjun0323@gmail.com>
Any update on this?
@lemonli I have rebased your branch locally. Let me know if you'd like me to PR that to your repo.
What is the state of this PR?
Can we get an update? Really looking forward to this feature.
Do we have any update? I know it might be redundant, but I would love to get this merged! What can we do to help get this merged? @mattfarina @jdolitsky any idea?
Would love to see this merged so that I can make use of Helm charts published as releases in a private GitHub repo.
@mattfarina I think this is pending the resolution of a change you requested that's already been addressed, no? PS: @lemonli this needs a rebase (it's been a while 😞)
Any updates?
Someone check to see if I did the rebase correctly?
Any updates?
Can someone check the rebase? #10848
Any news on this?
Any news?
Signed-off-by: lemonli liwenjun0323@gmail.com
What this PR does / why we need it:
PR for #8392