
Comments (8)

philippart commented on September 26, 2024 2

I wish to amend the above proposal: the role ARN should be configured in a secret referenced by the Release object (spec.forProvider.chart.pullSecretRef) rather than the ProviderConfig. This is a clearer split between the helm install credentials and the helm pull credentials. And it is more consistent with the current API.

apiVersion: helm.crossplane.io/v1beta1
kind: Release
metadata:
  name: my-service
spec:
  forProvider:
    chart:
      name: my-chart
      repository: s3://repo/charts/
      version: v1.2.3
      pullSecretRef:
        name: s3-role
        namespace: crossplane-system
    namespace: my-namespace
---
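apiVersion: v1
kind: Secret
metadata:
  name: s3-role
  namespace: crossplane-system  # must match pullSecretRef.namespace above
type: Opaque
stringData:  # plain-text value; under `data` it would have to be base64-encoded
  roleARN: arn:aws:iam::999999999999:role/s3-role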

from provider-helm.
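
One way a controller could read and validate the `roleARN` key of the pull secret proposed above before assuming the role. This is an added example, not code from provider-helm or from the commenters; `ResolveRoleARN` and the account allow-list are hypothetical.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// iamRoleARN matches arn:<partition>:iam::<12-digit account>:role/<path and name>.
var iamRoleARN = regexp.MustCompile(`^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/[\w+=,.@/-]+$`)

// ResolveRoleARN merges a Secret manifest the way the API server does
// (plain-text stringData overrides base64 data) and returns the value under
// key only if it is an IAM role ARN in an allowed account (assumed allow-list).
func ResolveRoleARN(data, stringData map[string]string, key string, allowedAccounts []string) (string, error) {
	val, ok := stringData[key]
	if !ok {
		enc, found := data[key]
		if !found {
			return "", fmt.Errorf("secret has no key %q", key)
		}
		raw, err := base64.StdEncoding.DecodeString(enc)
		if err != nil {
			return "", fmt.Errorf("data[%q] is not base64 (plain text belongs in stringData): %w", key, err)
		}
		val = string(raw)
	}
	val = strings.TrimSpace(val) // tolerate a trailing newline from `echo | base64`
	m := iamRoleARN.FindStringSubmatch(val)
	if m == nil {
		return "", fmt.Errorf("%q is not an IAM role ARN", val)
	}
	for _, acct := range allowedAccounts {
		if m[2] == acct {
			return val, nil
		}
	}
	return "", fmt.Errorf("account %s is not in the allow-list", m[2])
}

func main() {
	// Constructed sample values; 999999999999 is the placeholder account used in the thread.
	arn := "arn:aws:iam::999999999999:role/s3-role"
	allowed := []string{"999999999999"}
	enc := base64.StdEncoding.EncodeToString([]byte(arn + "\n"))
	fmt.Println(ResolveRoleARN(map[string]string{"roleARN": enc}, nil, "roleARN", allowed))
	fmt.Println(ResolveRoleARN(map[string]string{"roleARN": arn}, nil, "roleARN", allowed))
}
```

The allow-list keeps anyone who can create a Release and a Secret from pointing the provider's identity at a role in an arbitrary account.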

turkenh commented on September 26, 2024 1

This sounds good to me.
However, assuming we are not talking about public buckets only, I am wondering how we are planning to handle the authentication part.

It would be nice to see some examples of how this feature would be used (with public/private buckets) before starting the actual implementation.


arunpmohan commented on September 26, 2024

Another note to add is that terraform helm already supports this plugin.

https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release


arunpmohan commented on September 26, 2024

Sure. Just FYI we are using this https://github.com/hypnoglow/helm-s3 plugin sources to integrate it with s3.

So it would work the way this plugin works for authentication.


turkenh commented on September 26, 2024

> So it would work the way this plugin works for authentication.

To be clear, I am more interested in the API, e.g. how users would provide the credentials etc. over k8s api.


philippart commented on September 26, 2024

Currently we are using an S3 bucket policy to grant read-only access from a specific VPC where crossplane is running.
Ideally we would want to use IRSA like provider-aws to authenticate with AWS.


philippart commented on September 26, 2024

Concretely we are proposing to configure the IAM Role ARN into a secret that can be referenced in the ProviderConfig as follows:

apiVersion: helm.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: helm-provider
spec:
  credentials:
    source: InjectedIdentity
  identity:
    type: AWSCredentials
    source: Secret
    secretRef:
      name: aws-credentials
      namespace: crossplane-system
      key: roleArn


johnathan-sq commented on September 26, 2024

Were there any developments on this issue? I would like to fetch a helm chart from a private s3 bucket. Can't think of any solutions in the current state.

