
How can I use a public OSS bucket without any secret?

Open wangyikewxgm opened this issue 2 years ago • 4 comments

I want to use the helm chart https://starship-charts.oss-cn-hangzhou.aliyuncs.com/charts/nacos-2.0.3.tgz as a source chart without any secret, because this is a public bucket.

wangyikewxgm, Mar 11 '22 07:03

Hi, you can create a Bucket object, and a HelmChart object can refer to the Bucket object to get the chart.

```yaml
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: HelmChart
metadata:
  name: <name>
  namespace: <namespace>
spec:
  chart: ./path/to/the/chart
  sourceRef:
    kind: Bucket
    name: <bucket-name>
```

You can also create a helm repo index for it, following the docs here: https://helm.sh/docs/helm/helm_repo_index/. Then you can create a HelmRepository object that points to the index. A HelmChart object can refer to the helm chart in the created HelmRepository and use it. HelmChart expects the reference to be either a GitRepository, a Bucket or a HelmRepository. Refer to https://fluxcd.io/docs/components/helm/helmreleases/#helm-chart-template for use with a HelmRelease.

darkowlzz, Mar 15 '22 09:03

@darkowlzz Hi, many thanks for your patient answer. My question really is this: the helm chart is stored in a public bucket, and everyone can fetch it without an auth token. But when I create a Bucket object pointing to it without a token, it generates an error which tells me I must set one. Can I just use this chart without any secrets?

wangyikewxgm, Mar 15 '22 12:03

Sorry for the misunderstanding. So, the question is more about creating a bucket without any credentials. I tried it myself, but it looks like the underlying minio client that we use still tries to query credentials from the IAM service, in the case of S3 buckets, to get some metadata about the bucket, and that fails. So, we can't use a Bucket object for this. As a workaround, I tried creating a custom helm repo index with an entry for a remote chart, with a URL like the one you shared. It would be something like this in your case:

```yaml
apiVersion: v1
entries:
  chart:
  - apiVersion: v2
    appVersion: 1.16.0
    created: "2022-03-15T20:00:07.953858226+05:30"
    description: A Helm chart for Kubernetes
    name: nacos
    type: application
    urls:
    - https://starship-charts.oss-cn-hangzhou.aliyuncs.com/charts/nacos-2.0.3.tgz
    version: 2.0.3
generated: "2022-03-15T20:00:07.953440805+05:30"
```

Uploaded it to somewhere public with the file name index.yaml. If you don't have the ability to upload this to the same bucket, that's okay, you can upload it anywhere. Then create a HelmRepository object pointing to where you uploaded the index. Create a HelmChart or HelmRelease pointing to the created HelmRepository as a source reference and set the chart name appropriately. That should succeed and download the helm chart.

darkowlzz, Mar 15 '22 15:03
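
The workaround described in the comment above, written out as manifests. This is an added example, not part of the original thread or of the Flux project's own documentation; the object names, the `flux-system` namespace, the intervals and the `https://example.com/public-charts` URL are assumptions to replace with your own values.

```yaml
# Added example: names, namespace, intervals and the index URL are assumptions.
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: HelmRepository
metadata:
  name: public-charts          # hypothetical name
  namespace: flux-system       # assumed namespace
spec:
  interval: 10m
  # Location that serves the hand-written index.yaml (placeholder URL).
  # The index is fetched from <url>/index.yaml.
  url: https://example.com/public-charts
  # No secretRef is set: both the index and the chart archive it lists
  # are readable anonymously, so no credentials are stored in the cluster.
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: HelmChart
metadata:
  name: nacos                  # hypothetical name
  namespace: flux-system       # assumed namespace
spec:
  interval: 10m
  # Charts are looked up by their key under `entries:` in index.yaml.
  # In the index as posted above that key is `chart`; if you rename the
  # key to `nacos`, use `nacos` here as well.
  chart: chart
  # Pin the exact version listed in the index rather than a range.
  version: 2.0.3
  sourceRef:
    kind: HelmRepository
    name: public-charts
```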

We don't support public buckets. Maybe we should consider a new field in the v1beta2 API, `spec.public: true`, for this.

stefanprodan, Mar 15 '22 15:03