Authentication support for remote charts repositories (helm#3206)

Authentication support for remote charts repositories.

cmd/helm/fetch.go

@@ -52,6 +52,8 @@ type fetchCmd struct {
 	destdir  string
 	version  string
 	repoURL  string
+	username string
+	password string
 
 	verify      bool
 	verifyLater bool
@@ -106,6 +108,8 @@ func newFetchCmd(out io.Writer) *cobra.Command {
 	f.StringVar(&fch.keyFile, "key-file", "", "identify HTTPS client using this SSL key file")
 	f.StringVar(&fch.caFile, "ca-file", "", "verify certificates of HTTPS-enabled servers using this CA bundle")
 	f.BoolVar(&fch.devel, "devel", false, "use development versions, too. Equivalent to version '>0.0.0-0'. If --version is set, this is ignored.")
+	f.StringVar(&fch.username, "username", "", "chart repository username")
+	f.StringVar(&fch.password, "password", "", "chart repository password")
 
 	return cmd
 }
@@ -117,6 +121,8 @@ func (f *fetchCmd) run() error {
 		Keyring:  f.keyring,
 		Verify:   downloader.VerifyNever,
 		Getters:  getter.All(settings),
+		Username: f.username,
+		Password: f.password,
 	}
 
 	if f.verify {
@@ -138,7 +144,7 @@ func (f *fetchCmd) run() error {
 	}
 
 	if f.repoURL != "" {
-		chartURL, err := repo.FindChartInRepoURL(f.repoURL, f.chartRef, f.version, f.certFile, f.keyFile, f.caFile, getter.All(settings))
+		chartURL, err := repo.FindChartInAuthRepoURL(f.repoURL, f.username, f.password, f.chartRef, f.version, f.certFile, f.keyFile, f.caFile, getter.All(settings))
 		if err != nil {
 			return err
 		}

cmd/helm/inspect.go

@@ -59,6 +59,8 @@ type inspectCmd struct {
 	out       io.Writer
 	version   string
 	repoURL   string
+	username  string
+	password  string
 
 	certFile string
 	keyFile  string
@@ -88,7 +90,7 @@ func newInspectCmd(out io.Writer) *cobra.Command {
 			if err := checkArgsLength(len(args), "chart name"); err != nil {
 				return err
 			}
-			cp, err := locateChartPath(insp.repoURL, args[0], insp.version, insp.verify, insp.keyring,
+			cp, err := locateChartPath(insp.repoURL, insp.username, insp.password, args[0], insp.version, insp.verify, insp.keyring,
 				insp.certFile, insp.keyFile, insp.caFile)
 			if err != nil {
 				return err
@@ -107,7 +109,7 @@ func newInspectCmd(out io.Writer) *cobra.Command {
 			if err := checkArgsLength(len(args), "chart name"); err != nil {
 				return err
 			}
-			cp, err := locateChartPath(insp.repoURL, args[0], insp.version, insp.verify, insp.keyring,
+			cp, err := locateChartPath(insp.repoURL, insp.username, insp.password, args[0], insp.version, insp.verify, insp.keyring,
 				insp.certFile, insp.keyFile, insp.caFile)
 			if err != nil {
 				return err
@@ -126,7 +128,7 @@ func newInspectCmd(out io.Writer) *cobra.Command {
 			if err := checkArgsLength(len(args), "chart name"); err != nil {
 				return err
 			}
-			cp, err := locateChartPath(insp.repoURL, args[0], insp.version, insp.verify, insp.keyring,
+			cp, err := locateChartPath(insp.repoURL, insp.username, insp.password, args[0], insp.version, insp.verify, insp.keyring,
 				insp.certFile, insp.keyFile, insp.caFile)
 			if err != nil {
 				return err
@@ -145,7 +147,7 @@ func newInspectCmd(out io.Writer) *cobra.Command {
 			if err := checkArgsLength(len(args), "chart name"); err != nil {
 				return err
 			}
-			cp, err := locateChartPath(insp.repoURL, args[0], insp.version, insp.verify, insp.keyring,
+			cp, err := locateChartPath(insp.repoURL, insp.username, insp.password, args[0], insp.version, insp.verify, insp.keyring,
 				insp.certFile, insp.keyFile, insp.caFile)
 			if err != nil {
 				return err
@@ -181,6 +183,18 @@ func newInspectCmd(out io.Writer) *cobra.Command {
 		subCmd.Flags().StringVar(&insp.repoURL, repoURL, "", repoURLdesc)
 	}
 
+	username := "username"
+	usernamedesc := "chart repository username where to locate the requested chart"
+	inspectCommand.Flags().StringVar(&insp.username, username, "", usernamedesc)
+	valuesSubCmd.Flags().StringVar(&insp.username, username, "", usernamedesc)
+	chartSubCmd.Flags().StringVar(&insp.username, username, "", usernamedesc)
+
+	password := "password"
+	passworddesc := "chart repository password where to locate the requested chart"
+	inspectCommand.Flags().StringVar(&insp.password, password, "", passworddesc)
+	valuesSubCmd.Flags().StringVar(&insp.password, password, "", passworddesc)
+	chartSubCmd.Flags().StringVar(&insp.password, password, "", passworddesc)
+
 	certFile := "cert-file"
 	certFiledesc := "verify certificates of HTTPS-enabled servers using this CA bundle"
 	for _, subCmd := range cmds {

cmd/helm/install.go

@@ -118,6 +118,8 @@ type installCmd struct {
 	timeout      int64
 	wait         bool
 	repoURL      string
+	username     string
+	password     string
 	devel        bool
 	depUp        bool
 
@@ -165,7 +167,7 @@ func newInstallCmd(c helm.Interface, out io.Writer) *cobra.Command {
 				inst.version = ">0.0.0-0"
 			}
 
-			cp, err := locateChartPath(inst.repoURL, args[0], inst.version, inst.verify, inst.keyring,
+			cp, err := locateChartPath(inst.repoURL, inst.username, inst.password, args[0], inst.version, inst.verify, inst.keyring,
 				inst.certFile, inst.keyFile, inst.caFile)
 			if err != nil {
 				return err
@@ -191,6 +193,8 @@ func newInstallCmd(c helm.Interface, out io.Writer) *cobra.Command {
 	f.Int64Var(&inst.timeout, "timeout", 300, "time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks)")
 	f.BoolVar(&inst.wait, "wait", false, "if set, will wait until all Pods, PVCs, Services, and minimum number of Pods of a Deployment are in a ready state before marking the release as successful. It will wait for as long as --timeout")
 	f.StringVar(&inst.repoURL, "repo", "", "chart repository url where to locate the requested chart")
+	f.StringVar(&inst.username, "username", "", "chart repository username where to locate the requested chart")
+	f.StringVar(&inst.password, "password", "", "chart repository password where to locate the requested chart")
 	f.StringVar(&inst.certFile, "cert-file", "", "identify HTTPS client using this SSL certificate file")
 	f.StringVar(&inst.keyFile, "key-file", "", "identify HTTPS client using this SSL key file")
 	f.StringVar(&inst.caFile, "ca-file", "", "verify certificates of HTTPS-enabled servers using this CA bundle")
@@ -381,7 +385,7 @@ func (i *installCmd) printRelease(rel *release.Release) {
 // - URL
 //
 // If 'verify' is true, this will attempt to also verify the chart.
-func locateChartPath(repoURL, name, version string, verify bool, keyring,
+func locateChartPath(repoURL, username, password, name, version string, verify bool, keyring,
 	certFile, keyFile, caFile string) (string, error) {
 	name = strings.TrimSpace(name)
 	version = strings.TrimSpace(version)
@@ -414,12 +418,14 @@ func locateChartPath(repoURL, name, version string, verify bool, keyring,
 		Out:      os.Stdout,
 		Keyring:  keyring,
 		Getters:  getter.All(settings),
+		Username: username,
+		Password: password,
 	}
 	if verify {
 		dl.Verify = downloader.VerifyAlways
 	}
 	if repoURL != "" {
-		chartURL, err := repo.FindChartInRepoURL(repoURL, name, version,
+		chartURL, err := repo.FindChartInAuthRepoURL(repoURL, username, password, name, version,
 			certFile, keyFile, caFile, getter.All(settings))
 		if err != nil {
 			return "", err

cmd/helm/repo_add.go

@@ -30,6 +30,8 @@ import (
 type repoAddCmd struct {
 	name     string
 	url      string
+	username string
+	password string
 	home     helmpath.Home
 	noupdate bool
 
@@ -60,6 +62,8 @@ func newRepoAddCmd(out io.Writer) *cobra.Command {
 	}
 
 	f := cmd.Flags()
+	f.StringVar(&add.username, "username", "", "chart repository username")
+	f.StringVar(&add.password, "password", "", "chart repository password")
 	f.BoolVar(&add.noupdate, "no-update", false, "raise error if repo is already registered")
 	f.StringVar(&add.certFile, "cert-file", "", "identify HTTPS client using this SSL certificate file")
 	f.StringVar(&add.keyFile, "key-file", "", "identify HTTPS client using this SSL key file")
@@ -69,14 +73,14 @@ func newRepoAddCmd(out io.Writer) *cobra.Command {
 }
 
 func (a *repoAddCmd) run() error {
-	if err := addRepository(a.name, a.url, a.home, a.certFile, a.keyFile, a.caFile, a.noupdate); err != nil {
+	if err := addRepository(a.name, a.url, a.username, a.password, a.home, a.certFile, a.keyFile, a.caFile, a.noupdate); err != nil {
 		return err
 	}
 	fmt.Fprintf(a.out, "%q has been added to your repositories\n", a.name)
 	return nil
 }
 
-func addRepository(name, url string, home helmpath.Home, certFile, keyFile, caFile string, noUpdate bool) error {
+func addRepository(name, url, username, password string, home helmpath.Home, certFile, keyFile, caFile string, noUpdate bool) error {
 	f, err := repo.LoadRepositoriesFile(home.RepositoryFile())
 	if err != nil {
 		return err
@@ -91,6 +95,8 @@ func addRepository(name, url string, home helmpath.Home, certFile, keyFile, caFi
 		Name:     name,
 		Cache:    cif,
 		URL:      url,
+		Username: username,
+		Password: password,
 		CertFile: certFile,
 		KeyFile:  keyFile,
 		CAFile:   caFile,

cmd/helm/repo_add_test.go

@@ -80,7 +80,7 @@ func TestRepoAdd(t *testing.T) {
 
 	settings.Home = thome
 
-	if err := addRepository(testName, ts.URL(), hh, "", "", "", true); err != nil {
+	if err := addRepository(testName, ts.URL(), "", "", hh, "", "", "", true); err != nil {
 		t.Error(err)
 	}
 
@@ -93,11 +93,11 @@ func TestRepoAdd(t *testing.T) {
 		t.Errorf("%s was not successfully inserted into %s", testName, hh.RepositoryFile())
 	}
 
-	if err := addRepository(testName, ts.URL(), hh, "", "", "", false); err != nil {
+	if err := addRepository(testName, ts.URL(), "", "", hh, "", "", "", false); err != nil {
 		t.Errorf("Repository was not updated: %s", err)
 	}
 
-	if err := addRepository(testName, ts.URL(), hh, "", "", "", false); err != nil {
+	if err := addRepository(testName, ts.URL(), "", "", hh, "", "", "", false); err != nil {
 		t.Errorf("Duplicate repository name was added")
 	}
 }

cmd/helm/repo_remove_test.go

@@ -51,7 +51,7 @@ func TestRepoRemove(t *testing.T) {
 	if err := removeRepoLine(b, testName, hh); err == nil {
 		t.Errorf("Expected error removing %s, but did not get one.", testName)
 	}
-	if err := addRepository(testName, ts.URL(), hh, "", "", "", true); err != nil {
+	if err := addRepository(testName, ts.URL(), "", "", hh, "", "", "", true); err != nil {
 		t.Error(err)
 	}
 

cmd/helm/upgrade.go

@@ -73,6 +73,8 @@ type upgradeCmd struct {
 	reuseValues  bool
 	wait         bool
 	repoURL      string
+	username     string
+	password     string
 	devel        bool
 
 	certFile string
@@ -128,6 +130,8 @@ func newUpgradeCmd(client helm.Interface, out io.Writer) *cobra.Command {
 	f.BoolVar(&upgrade.reuseValues, "reuse-values", false, "when upgrading, reuse the last release's values, and merge in any new values. If '--reset-values' is specified, this is ignored.")
 	f.BoolVar(&upgrade.wait, "wait", false, "if set, will wait until all Pods, PVCs, Services, and minimum number of Pods of a Deployment are in a ready state before marking the release as successful. It will wait for as long as --timeout")
 	f.StringVar(&upgrade.repoURL, "repo", "", "chart repository url where to locate the requested chart")
+	f.StringVar(&upgrade.username, "username", "", "chart repository username where to locate the requested chart")
+	f.StringVar(&upgrade.password, "password", "", "chart repository password where to locate the requested chart")
 	f.StringVar(&upgrade.certFile, "cert-file", "", "identify HTTPS client using this SSL certificate file")
 	f.StringVar(&upgrade.keyFile, "key-file", "", "identify HTTPS client using this SSL key file")
 	f.StringVar(&upgrade.caFile, "ca-file", "", "verify certificates of HTTPS-enabled servers using this CA bundle")
@@ -139,7 +143,7 @@ func newUpgradeCmd(client helm.Interface, out io.Writer) *cobra.Command {
 }
 
 func (u *upgradeCmd) run() error {
-	chartPath, err := locateChartPath(u.repoURL, u.chart, u.version, u.verify, u.keyring, u.certFile, u.keyFile, u.caFile)
+	chartPath, err := locateChartPath(u.repoURL, u.username, u.password, u.chart, u.version, u.verify, u.keyring, u.certFile, u.keyFile, u.caFile)
 	if err != nil {
 		return err
 	}

docs/chart_repository.md

@@ -148,6 +148,11 @@ Charts repository hosts its charts, so you may want to take a
 **Note:** A public GCS bucket can be accessed via simple HTTPS at this address
 `https://bucket-name.storage.googleapis.com/`.
 
+### JFrog Artifactory
+
+You can also set up chart repositories using JFrog Artifactory.
+Read more about chart repositories with JFrog Artifactory [here](https://www.jfrog.com/confluence/display/RTF/Helm+Chart+Repositories)
+
 ### Github Pages example
 
 In a similar way you can create charts repository using GitHub Pages.
@@ -270,10 +275,10 @@ fantastic-charts    https://fantastic-charts.storage.googleapis.com
 If the charts are backed by HTTP basic authentication, you can also supply the
 username and password here:
 
-```console
-$ helm repo add fantastic-charts https://username:password@fantastic-charts.storage.googleapis.com
+``console
+$ helm repo add fantastic-charts https://fantastic-charts.storage.googleapis.com --username my-username --password my-password
 $ helm repo list
-fantastic-charts    https://username:password@fantastic-charts.storage.googleapis.com
+fantastic-charts    https://fantastic-charts.storage.googleapis.com
 ```
 
 **Note:** A repository will not be added if it does not contain a valid

docs/helm/helm_fetch.md

@@ -33,10 +33,12 @@ helm fetch [flags] [chart URL | repo/chartname] [...]
       --devel                use development versions, too. Equivalent to version '>0.0.0-0'. If --version is set, this is ignored.
       --key-file string      identify HTTPS client using this SSL key file
       --keyring string       keyring containing public keys (default "~/.gnupg/pubring.gpg")
+      --password string      chart repository password
       --prov                 fetch the provenance file, but don't perform verification
       --repo string          chart repository url where to locate the requested chart
       --untar                if set to true, will untar the chart after downloading it
       --untardir string      if untar is specified, this flag specifies the name of the directory into which the chart is expanded (default ".")
+      --username string      chart repository username
       --verify               verify the package against its signature
       --version string       specific version of a chart. Without this, the latest version is fetched
 ```
@@ -54,5 +56,3 @@ helm fetch [flags] [chart URL | repo/chartname] [...]
 
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
-
-###### Auto generated by spf13/cobra on 8-Mar-2018

docs/helm/helm_inspect.md

@@ -23,7 +23,9 @@ helm inspect [CHART]
       --cert-file string   verify certificates of HTTPS-enabled servers using this CA bundle
       --key-file string    identify HTTPS client using this SSL key file
       --keyring string     path to the keyring containing public verification keys (default "~/.gnupg/pubring.gpg")
+      --password string    chart repository password where to locate the requested chart
       --repo string        chart repository url where to locate the requested chart
+      --username string    chart repository username where to locate the requested chart
       --verify             verify the provenance data for this chart
       --version string     version of the chart. By default, the newest chart is shown
 ```

docs/helm/helm_inspect_chart.md

@@ -21,7 +21,9 @@ helm inspect chart [CHART]
       --cert-file string   verify certificates of HTTPS-enabled servers using this CA bundle
       --key-file string    identify HTTPS client using this SSL key file
       --keyring string     path to the keyring containing public verification keys (default "~/.gnupg/pubring.gpg")
+      --password string    chart repository password where to locate the requested chart
       --repo string        chart repository url where to locate the requested chart
+      --username string    chart repository username where to locate the requested chart
       --verify             verify the provenance data for this chart
       --version string     version of the chart. By default, the newest chart is shown
 ```

docs/helm/helm_inspect_values.md

@@ -21,7 +21,9 @@ helm inspect values [CHART]
       --cert-file string   verify certificates of HTTPS-enabled servers using this CA bundle
       --key-file string    identify HTTPS client using this SSL key file
       --keyring string     path to the keyring containing public verification keys (default "~/.gnupg/pubring.gpg")
+      --password string    chart repository password where to locate the requested chart
       --repo string        chart repository url where to locate the requested chart
+      --username string    chart repository username where to locate the requested chart
       --verify             verify the provenance data for this chart
       --version string     version of the chart. By default, the newest chart is shown
 ```

docs/helm/helm_install.md

@@ -80,6 +80,7 @@ helm install [CHART]
       --name-template string   specify template used to name the release
       --namespace string       namespace to install the release into. Defaults to the current kube config namespace.
       --no-hooks               prevent hooks from running during install
+      --password string        chart repository password where to locate the requested chart
       --replace                re-use the given name, even if that name is already used. This is unsafe in production
       --repo string            chart repository url where to locate the requested chart
       --set stringArray        set values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -89,6 +90,7 @@ helm install [CHART]
       --tls-cert string        path to TLS certificate file (default "$HELM_HOME/cert.pem")
       --tls-key string         path to TLS key file (default "$HELM_HOME/key.pem")
       --tls-verify             enable TLS for request and verify remote
+      --username string        chart repository username where to locate the requested chart
   -f, --values valueFiles      specify values in a YAML file or a URL(can specify multiple) (default [])
       --verify                 verify the package before installing it
       --version string         specify the exact chart version to install. If this is not specified, the latest version is installed

docs/helm/helm_repo_add.md

@@ -18,6 +18,8 @@ helm repo add [flags] [NAME] [URL]
       --cert-file string   identify HTTPS client using this SSL certificate file
       --key-file string    identify HTTPS client using this SSL key file
       --no-update          raise error if repo is already registered
+      --password string    chart repository password
+      --username string    chart repository username
 ```
 
 ### Options inherited from parent commands

docs/helm/helm_upgrade.md

@@ -46,6 +46,7 @@ helm upgrade [RELEASE] [CHART]
       --keyring string       path to the keyring that contains public signing keys (default "~/.gnupg/pubring.gpg")
       --namespace string     namespace to install the release into (only used if --install is set). Defaults to the current kube config namespace
       --no-hooks             disable pre/post upgrade hooks
+      --password string      chart repository password where to locate the requested chart
       --recreate-pods        performs pods restart for the resource if applicable
       --repo string          chart repository url where to locate the requested chart
       --reset-values         when upgrading, reset the values to the ones built into the chart
@@ -57,6 +58,7 @@ helm upgrade [RELEASE] [CHART]
       --tls-cert string      path to TLS certificate file (default "$HELM_HOME/cert.pem")
       --tls-key string       path to TLS key file (default "$HELM_HOME/key.pem")
       --tls-verify           enable TLS for request and verify remote
+      --username string      chart repository username where to locate the requested chart
   -f, --values valueFiles    specify values in a YAML file or a URL(can specify multiple) (default [])
       --verify               verify the provenance of the chart before upgrading
       --version string       specify the exact chart version to use. If this is not specified, the latest version is used