ECR OCI Credentials for Docker and Helm repositories #19241
Comments
This requires a small refactor of the

Hi @secustor thanks for the reply. Thinking about this a little more, what I really want is the ability to do the following: Set the following host rule that is only relevant for Helm charts.
It would be great if I could also do the above for Docker host rules.
My preference here is that a token is used for authentication rather than an AWS access key.

If I'm understanding you correctly the second rule should work right now, at least if you supply a valid short lived token to For OCI registries host-rules with

My understanding was that because these are ECR repositories, Renovate assumes that AWS access keys are passed. This line seems to force ECR auth for ECR repositories

K, I see now what you mean.

Any updates on this? Right now all "helm login" commands fail as Renovate tries to use AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (which are configured as username and password in the hostRules) directly instead of using the aforementioned special treatment of ECR registries.
renovate/lib/modules/manager/helmv3/artifacts.ts Lines 35 to 54 in 2f4c711
renovate/lib/modules/manager/helmv3/common.ts Lines 8 to 19 in 2f4c711

@markushinz If there are updates they are posted here. Should you need this feature, feel free to provide a contribution as this is marked as

I've submitted PR #24432 which should resolve ECR auth for Helm once merged. Feedback and/or help getting it merged would be welcome 🙏

🎉 This issue has been resolved in version 36.104.0 🎉 The release is available on:
Your semantic-release bot 📦🚀

How are you running Renovate?
Self-hosted
If you're self-hosting Renovate, tell us what version of Renovate you run.
34.47.1
If you're self-hosting Renovate, select which platform you are using.
github.com
If you're self-hosting Renovate, tell us what version of the platform you run.
No response
Was this something which used to work for you, and then stopped?
I never saw this working
Describe the bug
In #19239 I describe the setup and make a request for the necessary hostRules.
Recap: I have an ECR OCI helm chart with ECR OCI helm sub-charts as dependencies.
I now have a better understanding of the issue.
Looking at the helm manager code https://github.com/renovatebot/renovate/blob/main/lib/modules/manager/helmv3/artifacts.ts#L29
I can see that if the repository is an OCI repository, it will swap "oci://" for "https://", which matches the documentation here https://docs.renovatebot.com/modules/manager/helmv3/
Here https://github.com/renovatebot/renovate/blob/main/lib/modules/manager/helmv3/artifacts.ts#L57 uses the username and password from the host rules.
For ECR OCI repositories, this should match this
If I create the following hostRule
I get an error related to finding the tags for the repository.
To get the tags, the docker data source is used.
This expects using the following authentication for ECR repositories
renovate/lib/modules/datasource/docker/index.ts
Line 232 in 8e4b523
This is expecting
AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
So I need to pass the AWS credentials for ECR repositories but a token for Helm login.
My suggestion is to allow the token field to be used for dynamic authentication.
This is similar to this request #16912
and a bit like this https://docs.renovatebot.com/docker/#using-short-lived-access-tokens
Relevant debug logs
Logs
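
The credential mismatch described in this issue, as an added example that is not Renovate's code and not part of the original thread: for an ECR host, the hostRules username and password are AWS keys and must be exchanged for a registry password before `helm registry login`, or a short-lived token is used directly. The helper names, the host pattern, the synchronous `getEcrToken` callback and the assumption that `token` holds the base64 value returned by ECR's GetAuthorizationToken are all hypothetical.

```javascript
// Assumption: private ECR hosts look like <12-digit account>.dkr.ecr.<region>.amazonaws.com
const ECR_HOST = /^(\d{12})\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com(\.cn)?$/;

// Helm logs in against the bare host: drop the oci:// or https:// scheme and any path.
function registryHost(repository) {
  return repository.replace(/^(oci|https):\/\//, '').split('/')[0];
}

function parseEcrHost(host) {
  const m = ECR_HOST.exec(host);
  return m ? { account: m[1], region: m[2] } : null;
}

// An ECR authorization token is base64("AWS:<registry password>").
function decodeEcrToken(authorizationToken) {
  const decoded = Buffer.from(authorizationToken, 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0 || decoded.slice(0, sep) !== 'AWS') {
    throw new Error('not an ECR authorization token');
  }
  return { username: 'AWS', password: decoded.slice(sep + 1) };
}

// Decide what `helm registry login` should receive for one repository.
// hostRule: { username, password, token }
// getEcrToken(region, accessKeyId, secretAccessKey): hypothetical wrapper around
// GetAuthorizationToken, kept synchronous here so the example runs offline.
function helmLoginCredentials(repository, hostRule, getEcrToken) {
  const host = registryHost(repository);
  const ecr = parseEcrHost(host);
  if (!ecr) {
    // Non-ECR registry: host rule credentials are the registry credentials.
    return { host, username: hostRule.username, password: hostRule.password };
  }
  // ECR: prefer a supplied short-lived token; otherwise treat username/password
  // as AWS keys and exchange them. The keys themselves never reach helm.
  const token = hostRule.token
    ?? getEcrToken(ecr.region, hostRule.username, hostRule.password);
  return { host, ...decodeEcrToken(token) };
}

// Constructed sample token; not a real credential.
const SAMPLE_TOKEN = Buffer.from('AWS:constructed-registry-password').toString('base64');
```

The returned password is a live credential for the token's lifetime, so it should be passed to helm on stdin and kept out of debug logs.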