-
Notifications
You must be signed in to change notification settings - Fork 2.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider using local credentials for helm to support private oci-based helm charts #5407
Comments
/kind feature |
`HELM_CONFIG_HOME` is supposed to contain two files `repositories.yaml` and `repositories.lock`. Kustomize sets by default `HELM_CONFIG_HOME` to an empty tmp dir not populated with any of the `repositories.*` files which prevent Helm from pulling private OCI repo for instance (even if this repo is not listed in `repositories.yaml`). This commits remove the default value to a tmpdir. Kustomize will thus not populate `HELM_CONFIG_HOME`, `HELM_CACHE_HOME` and `HELM_DATA_HOME` by default anymore. User can still override this directory with `helmGlobals`. Setting `configHome` in global to the normal helm config location (`/home/MY_USER_HERE/.config/helm`) could also be used as a workaround before this commit. Fixes kubernetes-sigs#5407 Signed-off-by: Arthur Outhenin-Chalandre <[email protected]>
`HELM_CONFIG_HOME` is supposed to contain two files `repositories.yaml` and `repositories.lock`. Kustomize sets by default `HELM_CONFIG_HOME` to an empty tmp dir not populated with any of the `repositories.*` files which prevent Helm from pulling private OCI repo for instance (even if this repo is not listed in `repositories.yaml`). This commits remove the default value to a tmpdir. Kustomize will thus not populate `HELM_CONFIG_HOME`, `HELM_CACHE_HOME` and `HELM_DATA_HOME` by default anymore. User can still override this directory with `helmGlobals`. Setting `configHome` in global to the normal helm config location (`/home/MY_USER_HERE/.config/helm`) could also be used as a workaround before this commit. Fixes kubernetes-sigs#5407 Signed-off-by: Arthur Outhenin-Chalandre <[email protected]>
`HELM_CONFIG_HOME` is supposed to contain two files `repositories.yaml` and `repositories.lock`. Kustomize sets by default `HELM_CONFIG_HOME` to an empty tmp dir not populated with any of the `repositories.*` files which prevent Helm from pulling private OCI repo for instance (even if this repo is not listed in `repositories.yaml`). This commits remove the default value to a tmpdir. Kustomize will thus not populate `HELM_CONFIG_HOME`, `HELM_CACHE_HOME` and `HELM_DATA_HOME` by default anymore. User can still override this directory with `helmGlobals`. Setting `configHome` in global to the normal helm config location (`/home/MY_USER_HERE/.config/helm`) could also be used as a workaround before this commit. Related to kubernetes-sigs#5407 Signed-off-by: Arthur Outhenin-Chalandre <[email protected]>
Hi! I believe this should be more considered as a bug than a feature. The culprit of this would be
There is supposed to be two files in this folder: Although setting this environment variable is not motivated in the code, original commit or PR (#3784), so I have no idea why Kustomize sets this in the first place. Kustomize also doesn't really populate those dir so I don't think there is any use to those. My best guess is that the charts were supposed to be pulled in this tmp dir in the first place but as you may know this doesn't work as kustomize (and helm actually) will pull the charts inside the local folder in a So to fix the issue at hand I would have multiple propositions:
|
Any updates on this? It is currently a blocker for my org, with a hacky workaround being the script below for the time being (essentially running the for i in $(find -name 'kustomization.yaml' -printf "%h\n"); do
errormessage="first-run"
retries=0
while [ "${errormessage}" != "" ] && [ ${retries} -lt 5 ]
do
# Hacky extraction of the helm pull error message (https://unix.stackexchange.com/a/24151)
errormessage=$(kustomize build --enable-helm "${i}" 2>&1 | sed -n -e 's/^.*unable to run: //p' | cut -d"'" -f 2)
echo "${errormessage}"
${errormessage}
((retries++))
done
done |
It's also a blocker for us :(. As you can see above I have a PR fixing this in a minimalist way possible and also proposed alternative fixes that I would be happy to look at if the PR above is not considered... But yeah waiting for a kustomize reviewer/approver to take a look and validate the PR linked or some alternative approaches. |
Like @MrFreezeex mentions above, I see this more as a bug than a feature. IMO, using the local credentials of
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close not-planned |
@k8s-triage-robot: Closing this issue, marking it as "Not Planned". In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
When running
kustomize build
andkustomize localize
, we use the localgit
binary and configuration stored on the users' machine for fetching remote resources. This means that the user can access private git repositories, so long as they have the git configuration & authorization to do so.When using the helm plugin, however, it looks like we set some global variables during execution that prevents helm from using the users' local credentials. This prevents the user from e.g. using private oci-based helm charts.
#4614 is an example of what it would look like to avoid setting those variables for helm, and enable users to use private oci-based helm charts in kustomize (provided that they run
helm registry login
on their own machine prior to runningkustomize build
).At first glance it seems inconsistent to me to be ok using the users' local credentials for
git
but nothelm
. That said, I unfortunately have no context on why we support private kustomize repositories but seem to be actively preventing it for private helm charts. I also have no context on what these extra variables do and if they have any side affects other than preventing private helm charts. If we have more information on the history of these decisions, it will help us understand if it makes sense to reconsider them.If we do make this change, another step we could consider from there would be to have
kustomize localize
support pulling down remote helm charts, to ease a workflow where someone is using a git-syncer such as Argo or Config Sync with kustomize + a private oci-based helm chart. The workflow for this use case would be something like:helm registry login
kustomize localize
on their kustomization that includes a private oci-based helm chartThe text was updated successfully, but these errors were encountered: