Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add authentication to utility registry #144

Merged
merged 10 commits into from
Nov 5, 2021

Conversation

RothAndrew
Copy link
Contributor

Fixes #5

@RothAndrew RothAndrew self-assigned this Oct 29, 2021
@RothAndrew
Copy link
Contributor Author

@jeff-mccoy what's the best way to get Crane to log in now that the registry requires auth?

I've been trying a few things out but nothing feels right.

Would love to do some pairing on this if you have the time.

@jeff-mccoy
Copy link
Contributor

Can you clarify the question? Under the hood crane uses the docker login info, with zarf you could do a login and pull without docker installed and it would work.

@RothAndrew
Copy link
Contributor Author

I looked at running Crane's login() function HERE, but it isn't exported.

Is there a way to internally call a Cobra command from within the golang codebase?

@RothAndrew
Copy link
Contributor Author

@jeff-mccoy The podinfo example's helm chart does not support imagePullSecrets. I'm proposing we just delete the podinfo example, since it doesn't do anything new that the doom game example doesn't already do.

Alternatively, we'll need to either find a different helm chart or submit a PR to add imagePullSecrets support to Podinfo's helm chart and fork the chart in the meantime.

Thoughts?

@jeff-mccoy
Copy link
Contributor

agreed, let's just drop it

@RothAndrew RothAndrew marked this pull request as ready for review November 3, 2021 23:07
@RothAndrew
Copy link
Contributor Author

/test all

@RothAndrew
Copy link
Contributor Author

/test all

@RothAndrew RothAndrew requested a review from jeff-mccoy November 4, 2021 02:30
@RothAndrew
Copy link
Contributor Author

@jeff-mccoy ready for review on this. Went through and tested all of the examples, they all look good.

…tials

# Conflicts:
#	cli/internal/packager/deploy.go
@RothAndrew
Copy link
Contributor Author

/test all

@jeff-mccoy
Copy link
Contributor

sorry still looking at this, just really hate how much K8s sucks for image things, including private registries. The mirror config with alternate domains will suck to maintain as well as all the image pull secrets will be a pain. The more I think about this, the more it might make sense to leverage the specified hostname/ip for the registry or use internal routes for appliance mode. This would allow us to not use mirror config at all (very important for when we move out of just k3s) and only have one imagepullsecret config that would could potentially just inject as well as a part of the deployment process without forcing the users to maintain that too. Thoughts?

@RothAndrew
Copy link
Contributor Author

The more intuitive (and less "magical") we can make it the better. My worry would be that we make it harder to understand as we make it a bit less verbose. It made total sense to me that I'd have to add new secrets to each namespace that got created for each example, and I was totally fine with it.

If we got rid of image mirroring we'd want to add a zarf prepare patch-k8s just like we have a patch-git, but that's definitely not the end of the world, and it's something we'd need to handle anyway if we were pointing at a separate Zarf utility cluster.

@RothAndrew
Copy link
Contributor Author

We're feeling pain because we have a bunch of these examples to deal with, but an end user won't experience as much churn as we are. IMO this way is fine, as long as we are fine with telling the user they have to do ImagePullSecrets when creating their zarf packages because the registry requires auth.

@RothAndrew
Copy link
Contributor Author

RothAndrew commented Nov 4, 2021

Which I guess brings up a deficiency with this PR, it doesn't update the docs at all. I'd better fix that before @btlghrants notices and gives me a whoopin'

@jeff-mccoy
Copy link
Contributor

With OCI Distribution you shouldn't need to change anything but the hostname of the image, there wouldn't be any funny transformation stuff happening as the registry would just respect the path anyway. We leverage that concept already when push to the registry. My concern is around how this takes some of the simplicity away just because K8s is dumb about private registries. We don't have to go along with it, just like for TLS we don't have people run a bunch of openssl commands to get a valid cert, we do the work for them.

Copy link
Contributor

@jeff-mccoy jeff-mccoy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update docs for this change and then g2g.

@jeff-mccoy
Copy link
Contributor

Gone back and forth on this (and went on a random code tangent to investigate), I do think we can do more later on down the road. But the most important thing right now is that we're not adding direct complexity to the deployer of a zarf package--so I think besides docs this all looks good and satisfies an important missing security piece. Thanks for finally getting this done, I put it off way too long.

cli/internal/utils/auth.go Outdated Show resolved Hide resolved
@RothAndrew
Copy link
Contributor Author

RothAndrew commented Nov 5, 2021

Actually I don't think there is anything to add yet documentation-wise. The changes would happen under "Roll Your Own" #132 which hasn't been written yet.

@btlghrants do you agree?

jeff-mccoy
jeff-mccoy previously approved these changes Nov 5, 2021
@RothAndrew
Copy link
Contributor Author

/test all

@RothAndrew
Copy link
Contributor Author

@jeff-mccoy one more approval please so it's ready to merge if @btlghrants agrees with my assessment that there aren't any docs to update right now.

@btlghrants
Copy link
Contributor

btlghrants commented Nov 5, 2021

Yeah, as far as I know, the game example is the only one we've done any sort of explicit user documentation for and that has the imagePullSecrets added as part of this PR.

I think @RothAndrew right--it'll change how we write "Roll Your Own" #132 but we haven't gotten there yet. Seems fine to merge to me.

@RothAndrew RothAndrew merged commit f96ae20 into master Nov 5, 2021
@RothAndrew RothAndrew deleted the feature/5-utility-registry-requires-credentials branch November 5, 2021 22:03
jeff-mccoy pushed a commit that referenced this pull request Feb 8, 2022
Noxsios pushed a commit that referenced this pull request Mar 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Make utility registry require credentials
4 participants