feat: Support Bearer token auth when get chart #8447
Conversation
helm-bot
added
the
size/L
lemonli
force-pushed
the
feat/chart-token
branch
from
258f537
to
a944dc1
Compare
|
@mattfarina Would you please review again? Thanks. |
| } | ||
|
|
||
| // FindChartInAuthRepoURL finds chart in chart repository pointed by repoURL | ||
| // without adding repo to repositories, like FindChartInRepoURL, | ||
| // but it also receives credentials for the chart repository. | ||
| // Deprecated: this function is deprecated and will be removed in Helm 4, please use FindChartInRepoURLWithAuth instead. |
There was a problem hiding this comment.
@mattfarina - do you think this is the best way to avoid modifying the public API? I'm not coming up with a good alternative given that this function takes other positional args such as "username" "password".
Should we take this moment to redesign the function to be more future proof? In the case there are more args? We can maybe use options to do things like FindChartInRepoURLWithAuth(WithCaFile(...), WithToken(...) ... instead?
There was a problem hiding this comment.
@jdolitsky I think this is a good way as you said.
@mattfarina I can update my commit if you agree with this.
lemonli
force-pushed
the
feat/chart-token
branch
from
a944dc1
to
09e8cfa
Compare
|
@jdolitsky I have updated my commit, would you please review again? Thanks. |
pkg/repo/chartrepo.go
Outdated
| // Download and write the index file to a temporary location | ||
| buf := make([]byte, 20) | ||
| rand.Read(buf) | ||
| name := strings.ReplaceAll(base64.StdEncoding.EncodeToString(buf), "/", "-") | ||
| repoOpts := options{} | ||
| for _, opt := range opts { | ||
| opt(&repoOpts) | ||
| } | ||
|
|
||
| c := Entry{ | ||
| URL: repoOpts.repoURL, | ||
| Username: repoOpts.username, | ||
| Password: repoOpts.password, | ||
| CertFile: repoOpts.certFile, | ||
| KeyFile: repoOpts.keyFile, | ||
| CAFile: repoOpts.caFile, | ||
| Name: name, | ||
| Token: repoOpts.token, | ||
| } | ||
| r, err := NewChartRepository(&c, getters) |
There was a problem hiding this comment.
Since most of this (besides relating to token) is reused from FindChartInAuthRepoURL, can we move it into a private helper function such as findChartInAuthRepoURL(token) so that the file has overall less lines of code?
There was a problem hiding this comment.
@jdolitsky I have updated my commit, would you please review again? Thanks.
lemonli
force-pushed
the
feat/chart-token
branch
2 times, most recently
from
9e3e0da
to
8b76c12
Compare
|
needs a rebase before it can be merged. |
lemonli
force-pushed
the
feat/chart-token
branch
2 times, most recently
from
9a7bd36
to
38320af
Compare
done |
lemonli
force-pushed
the
feat/chart-token
branch
from
38320af
to
db26a42
Compare
There was a problem hiding this comment.
I wanted to share the hold up I'm having with this PR.
Someone should not pass the bearer token in via the command because it will get caught up in the shell history. This is a security issue. Avoiding this with passwords is why Helm has the ability to read it from stdin.
There is also the case that the dearer token changes. Storing the bearer token so that it's used 6 months or a year from now doesn't seem like a good idea. It should expire. How does someone update that?
Does anyone have thoughts on these issues?
You can always set the token in an env var and pass it with --token $MYTOKEN. Mayabe eventually having a --token-stdin like In addition to my previous comment, this also happens with
Not sure I follow. Updating and rotating the token should be the user's concern? I guess the same happens with username/passowrd also right? |
The Helm project is rounding out a second security review that included things like a threat analysis. The details will be released soon. These types of things were a topic of conversation in that process. This is the kind of security some ask of Helm. When you specify a username and no password, Helm will prompt you enter it via stdin. This way it's not caught in the shell history. The usage of stdin matters. For this example, I'll use CIrcleCI. CircleCI has something called secrets masking where the value of an environment variable is masked when used with print and echo. That means it won't, for example, be masked if you use it with the A password could be inadvertently exposed through a CI system. This is something we want to take seriously on Helm. In the name of security, we need a stdin based method to accept a token. That way you can do something like... This security issue is my primary hangup. |
I'm not going to go against something that improves the security of any project. If we can add this faeture also it'd be awesome. Not sure what's @lemonli's bandwidth to do it. |
|
Any update here? it is useful feature, can we separate the submit to more steps, first with --token $MYTOKEN, and 2nd step to add "--token-stdin"? |
|
I hope @jdolitsky or @lemonli can have a chance to make a workaround for --token-stdin soon. |
|
Sorry for delay. I will update my commit to support |
lemonli
force-pushed
the
feat/chart-token
branch
from
db26a42
to
4abc6f1
Compare
@mattfarina I have updated my commit, looking forward to your reply. |
|
Hi folks, any update on when this might become available? |
Signed-off-by: lemonli <liwenjun0323@gmail.com>
lemonli
force-pushed
the
feat/chart-token
branch
from
4abc6f1
to
01904fd
Compare
|
Any update on this? |
|
@lemonli I have rebased your branch locally. Let me know if you'd like me to PR that to your repo. |
|
what is the state of this pr? |
|
Can we get an update? Really looking forward to this feature. |
|
Do we have any update? I know it might be redundant but I would love to get this merged! what can we do to help getting this merged? @mattfarina @jdolitsky any idea? |
|
Would love to see this merged so that I can make use of helm charts published as releases in a private github repo. |
|
@mattfarina I think this is pending the resolution of a change you requested that's already been addressed, no? PS: @lemonli this needs a rebase (it's been a while 😞) |
|
Any updates? |
|
Someone check to see if I did the rebase correctly? |
|
any updates? |
|
|
|
can someone check the rebase? #10848 |
|
any news on this? |
|
Any news? |
Signed-off-by: lemonli liwenjun0323@gmail.com
What this PR does / why we need it:
PR for #8392
Special notes for your reviewer:
If applicable: