[RFC-0002] Add auth specification for Helm OCI
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
stefanprodan committed Aug 24, 2022
1 parent 9f26b09 commit 78b836c
Showing 1 changed file with 39 additions and 2 deletions.
41 changes: 39 additions & 2 deletions rfcs/0002-helm-oci/README.md
@@ -4,7 +4,7 @@

**Creation date:** 2022-03-30

**Last update:** 2022-06-07
**Last update:** 2022-08-24

## Summary

@@ -37,7 +37,43 @@ When not specified, the `spec.type` field defaults to `default` which preserve t

When the `spec.type` field is set to `oci`, the `spec.url` field must be prefixed with `oci://` (to follow the Helm conventions).
For `oci://` URLs, source-controller will use the Helm SDK and the `oras` library to connect to the OCI remote storage.
For authentication, the controller will use Kubernetes secrets of `kubernetes.io/dockerconfigjson` type.

### Pull charts from private repositories

#### Basic auth

For private repositories hosted on GitHub, Quay, self-hosted Docker Registry and others,
the credentials can be supplied with:

```yaml
spec:
secretRef:
name: regcred
```
The `secretRef` points to a Kubernetes secret in the same namespace as the `HelmRepository`.
The secret type must be `kubernetes.io/dockerconfigjson`:

```shell
kubectl create secret docker-registry regcred \
--docker-server=<your-registry-server> \
--docker-username=<your-name> \
--docker-password=<your-pword>
```

#### OIDC auth

When Flux runs on AKS, EKS or GKE, an IAM role (that grants read-only access to ACR, ECR or GCR)
can be used to bind the `source-controller` to the IAM role.

```yaml
spec:
provider: azure
```

The provider accepts the following values: `generic`, `aws`, `azure` and `gcp`. When the provider is
not specified, it defaults to `generic`. When the provider is set to `aws`, `azure` or `gcp`, the
controller will use a specific cloud SDK for authentication purposes.

### User Stories

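Review bot: the OIDC auth paragraph ("When Flux runs on AKS, EKS or GKE, an IAM role (that grants read-only access to ACR, ECR or GCR) can be used to bind the `source-controller` to the IAM role") is circular and uses AWS terminology for all three clouds; state the actual mechanism instead: the `source-controller` service account is bound to a cloud identity (an IAM role on EKS, a managed identity on AKS, a GCP service account on GKE) that holds read-only pull permission on the registry, and the cluster must have workload identity configured for that binding, otherwise setting `spec.provider` on its own authenticates nothing. The heading "OIDC auth" does not match this either, and the TODO below calls the same feature "contextual login"; pick one name. Two related gaps: the earlier sentence "For authentication, the controller will use Kubernetes secrets of `kubernetes.io/dockerconfigjson` type" is now only true when `spec.secretRef` is set, so qualify it, and the spec should say what happens when both `secretRef` and a non-`generic` `provider` are set (which wins, or is it rejected at validation). On the `kubectl create secret docker-registry` example, note that `--docker-server` is the registry host and that the credential should be a read-only, registry-scoped token rather than an account password, since the secret is readable by anything with `get secrets` in that namespace.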
@@ -181,3 +217,4 @@ The feature is enabled by default.
### TODOs

* [Add support for container registries with self-signed TLS certs](https://github.com/fluxcd/source-controller/issues/723)
* [Enable contextual login in OCI HelmRepository](https://github.com/fluxcd/source-controller/pull/873)
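Review bot: the new TODO item links a pull request (`source-controller/pull/873`) rather than an issue; if that PR is the implementation of the `spec.provider` field documented in the section above, this entry should be marked as done or dropped, and if it is not, the TODO should say what is still outstanding. As noted for the previous hunk, "contextual login" here and "OIDC auth" above name the same feature; use one term in both places.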
