
kustomize-build step should support private OCI helmCharts #3310

Open
jessesuen opened this issue Jan 17, 2025 · 5 comments

Comments

@jessesuen
Member

jessesuen commented Jan 17, 2025

Proposed Feature

My preferred way of deploying helm charts is via kustomized helm. e.g.:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

helmCharts:
- name: guestbook
  releaseName: guestbook
  version: 1.2.3
  repo: oci://us-docker.pkg.dev/example/guestbook/charts
  valuesFile: values.yaml

The challenge is that if repo is a private repo and needs image credentials, the kustomize build will fail in kargo.

On a workstation it works if your environment is logged into the private image repo. I believe this works because the helm command will know to use credentials from ~/.docker/config.json in order to authenticate to the remote registry. We need to make it possible for this to work in promotion.

Motivation

Kustomize is not fully functional to workstation capabilities.

Suggested Implementation

For the kustomize build command, we could set the ~/.docker/config.json so that helm will work. But this should not be done globally, obviously, since that would mean all projects could access it, so we need to be mindful of how to do this securely.

@jessesuen
Member Author

This is similar to #2477, but for helm.

@jessesuen
Member Author

It should be noted that kustomize itself lacks the feature to pass credentials:
kubernetes-sigs/kustomize#4335

But I think the above issue applies to HTTP repos and we could still do something for OCI, which IMO is becoming the trend/norm.

@jessesuen
Member Author

jessesuen commented Jan 17, 2025

> we could set the ~/.docker/config.json so that helm will work
> we need to be mindful of how to do this securely.

I bet we could populate a temporary and randomized directory for the duration of the kustomize-build step containing the project image credentials, and then set DOCKER_CONFIG to it.

@hiddeco
Contributor

hiddeco commented Jan 28, 2025

Helm maintains its own set of credentials, i.e. logging in via helm registry login holds a different set of credentials than what you have logged into via docker. These credentials are, however, stored in and read from Helm's config home directory, and we should be able to prepare both HTTP/S and OCI credentials by writing them to the expected (temporary) Helm paths before we hand this over to Kustomize.
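
The scoped-credentials approach sketched in the two comments above (a randomized per-step directory handed to the build via DOCKER_CONFIG, plus a private Helm registry file since Helm reads its own credential store), as an added POSIX sh example that is not Kargo's code. It assumes Helm honours HELM_REGISTRY_CONFIG for its OCI credential file and accepts the same {"auths": ...} shape as Docker's config.json; the credential JSON is a constructed placeholder.

```shell
# Added example, not Kargo's own code: confine registry credentials to a
# randomized, owner-only directory that exists only while one command runs,
# and hand them to that command through DOCKER_CONFIG and HELM_REGISTRY_CONFIG.
# Assumptions: Helm honours HELM_REGISTRY_CONFIG for its OCI credential file
# and accepts the same {"auths": ...} shape as Docker's config.json; the JSON
# below is a constructed placeholder, not a real token.
#
# Real usage inside a promotion step would look like:
#   run_with_scoped_creds "$project_creds_json" kustomize build --enable-helm .

SAMPLE_CONFIG='{"auths":{"us-docker.pkg.dev":{"auth":"PLACEHOLDER-base64-user:token"}}}'

# Runs "$@" with scoped credentials. The subshell body means umask, trap and
# variables set here never leak into the caller, and the EXIT trap deletes the
# directory even if the command is interrupted.
run_with_scoped_creds() (
  creds_json=$1
  shift
  # mktemp -d yields an unpredictable name with mode 0700, so other local
  # users cannot enumerate or read it; a fresh one is created per invocation.
  scoped_dir=$(mktemp -d) || exit 1
  trap 'rm -rf "$scoped_dir"' EXIT
  umask 077                                # files below are created 0600
  mkdir "$scoped_dir/docker" "$scoped_dir/helm"
  printf '%s' "$creds_json" > "$scoped_dir/docker/config.json"
  # Helm keeps its own registry credential file rather than reading Docker's;
  # point HELM_REGISTRY_CONFIG at a private copy so the helm binary that
  # kustomize invokes finds the same auths.
  printf '%s' "$creds_json" > "$scoped_dir/helm/registry.json"
  # env(1) exports the variables to the child process only: the caller's
  # environment, and any later promotion step, never sees the paths.
  env DOCKER_CONFIG="$scoped_dir/docker" \
      HELM_REGISTRY_CONFIG="$scoped_dir/helm/registry.json" \
      "$@"
)
```

The directory is gone by the time the function returns, and the command's exit status is passed through unchanged, so a failed kustomize build still fails the step.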

@hiddeco
Contributor

hiddeco commented Jan 28, 2025

Something to take into account is that we are currently also preparing credentials for the helm-update-chart step, and it may be beneficial to factor this out so it can work for this step and kustomize-build.

@hiddeco hiddeco assigned hiddeco and unassigned hiddeco Jan 28, 2025