
Per-resource authentication support for OCI registries

Open mjeffryes opened this issue 1 year ago • 4 comments

https://github.com/pulumi/pulumi-kubernetes/issues/1914 is a highly upvoted issue for supporting authentication for OCI registries (to enable the use of private registries). Release/v3 and Chart/v4 automatically use the ambient credentials (from docker login or helm registry login). This ticket is about supporting ad hoc credentials within the Pulumi program.

mjeffryes, Mar 26 '24 23:03

To look into: per-resource credentials in addition to ambient creds.

Ambient creds do work.

blampe, May 07 '24 16:05

@blampe what does the Docker provider do about OCI registry authentication, and can we do the same here? My preference would be to use ambient credentials only.

EronWright, Jul 02 '24 22:07

> @blampe what does the Docker provider do about OCI registry authentication, and can we do the same here? My preference would be to use ambient credentials only.

I thought we confirmed ambient creds already work but definitely double check that. If they do work, we might want to add something like "Make sure to run helm registry login beforehand..." to the docs if it's not already there.

Ambient creds are tenable, but they can be clunky because you now have some preconditions to set up in CI and local dev before your program is runnable. That's especially annoying if you're using short-lived credentials with something like ECR, although I'm not sure how common that is with Helm.

I interpret this issue and #1914 as asking for a way to authenticate as part of the Pulumi program directly. A way to eliminate this step, essentially:

> This means that you have to do helm registry login or docker login before running pulumi.

Both of the Docker providers expose credentials on their resources as well as the provider. During an update, it layers credentials from the host, the provider, and the image in that order. The Docker Build provider has two modes, one where it uses an in-memory config file and another where it shells out to the Docker CLI. When running in exec mode we write the merged credentials to a temporary directory and point the CLI process at that by setting DOCKER_CONFIG. Importantly, the credentials provided by the Pulumi program never contaminate the host's ambient credentials, so there's no risk of accidentally leaving yourself logged in to production.

Implementation-wise this is all internal and not easily shared unless the Helm library consumes the docker.Cli interface. It would be really nice to use https://github.com/helm/helm/issues/12584 but it looks like that's slipped to September. As a workaround it looks like Helm uses this library for auth which seems to respect DOCKER_CONFIG, so you could probably do a similar trick with temporary credentials on disk.

blampe, Jul 03 '24 16:07
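The credential layering described above (host, then provider, then resource, with the merged result written to a temporary directory and handed to the CLI via DOCKER_CONFIG so the host's own config.json is never touched), sketched as an added Go example; this is not pulumi-docker's or pulumi-kubernetes's code, and the `RegistryAuth` type, the function names and the assumption that the host layer arrives as the already-parsed `auths` map of the ambient config.json are mine.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"os"
	"path/filepath"
)

// authEntry/dockerConfig mirror the subset of config.json that Docker and Helm OCI clients read.
type authEntry struct {
	Auth string `json:"auth"` // base64("username:password")
}
type dockerConfig struct {
	Auths map[string]authEntry `json:"auths"`
}

// RegistryAuth is one program-supplied credential (hypothetical type) for a registry host.
type RegistryAuth struct{ Registry, Username, Password string }

// MergeAuths layers credentials host < provider < resource: a later layer wins per registry.
// host is the parsed "auths" map of the ambient config.json (nil when there is none).
func MergeAuths(host map[string]authEntry, layers ...[]RegistryAuth) map[string]authEntry {
	merged := map[string]authEntry{}
	for reg, e := range host {
		merged[reg] = e
	}
	for _, layer := range layers {
		for _, a := range layer {
			tok := base64.StdEncoding.EncodeToString([]byte(a.Username + ":" + a.Password))
			merged[a.Registry] = authEntry{Auth: tok}
		}
	}
	return merged
}

// WriteTempDockerConfig writes the merged layer to a fresh private directory and returns the
// path to export as DOCKER_CONFIG for the registry client; the host's config.json is never modified.
func WriteTempDockerConfig(auths map[string]authEntry) (string, error) {
	dir, err := os.MkdirTemp("", "pulumi-oci-creds-")
	if err != nil {
		return "", err
	}
	data, _ := json.Marshal(dockerConfig{Auths: auths}) // fixed struct shape: cannot fail
	if err := os.WriteFile(filepath.Join(dir, "config.json"), data, 0o600); err != nil {
		return "", err
	}
	return dir, nil
}
```

The caller removes the directory once the Helm operation finishes, so the program-supplied token never outlives the update.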

Is there any ETA to implement OCI login?

```typescript
import * as k8s from "@pulumi/kubernetes";

// Chart pulled from a private Artifact Registry repository with credentials given
// on the resource itself; `opts` and `this` come from the enclosing ComponentResource.
const oomkill = new k8s.helm.v4.Chart("oomkill", {
    chart: "oci://us-central1-docker.pkg.dev/myprivate-registry/oomkill-exporter",
    version: "2.1.2",
    repositoryOpts: {
        repo: "https://us-central1-docker.pkg.dev/",
        password: "some-jwt-token",
        username: "oauth2accesstoken",
    },
}, {
    ...opts,
    parent: this,
});
```

I have a long-running stack creation, with a chain of Helm release installations.

alexandrst88, Aug 08 '24 14:08