helm-s3 icon indicating copy to clipboard operation
helm-s3 copied to clipboard

Published 20 hours ago verified publisher icon hypnoglow

Allow anonymous access or base url in index to be overridden

Open willejs opened this issue 6 years ago • 12 comments

Helm-s3 is really useful for uploading and managing helm charts via in S3. However, I want my repo to be public, so ideally the provider chain would fall back to anonymous access to s3, or a baseurl could be specified to be used in the index.yaml instead?

willejs avatar May 16 '18 15:05 willejs

I had a look at this and put this together https://github.com/hypnoglow/helm-s3/pull/46 I am not sure its the best approach, but it does work 😒

willejs avatar May 16 '18 16:05 willejs

Hi @willejs , thanks for your interest.

Sorry, but I don't get what do you mean by public URLs? Can you please describe your use case in detail? How do you want to upload charts and how you want them to be downloaded?

I think it's easy to get into a mess here. Basically, the helm itself manages repos and their corresponding URLs. And helm has somewhat poor support about multiple URLs per chart entry in the index. But let's see, maybe we can make something useful.

hypnoglow avatar May 20 '18 18:05 hypnoglow

Hi @hypnoglow, In short I want to publish my charts to a public S3 bucket, and allow anyone to download them. So the helm s3 plugin either needs to support an anonymous AWS credential provider or publish the charts with only https:// urls instead of s3:// urls.

The plugin is really useful for managing a private chart repo on S3, but i want my charts to be public, so i need to use https:// s3 bucket urls instead, along side the new --acl flag with 'public-read' flags. Does this make sense?

willejs avatar May 22 '18 08:05 willejs

@hypnoglow any thoughts?

willejs avatar May 29 '18 14:05 willejs

@willejs I had some thoughts about it, and I see two options for now:

  1. As far as I found, aws cli does not support anonymous credentials, but it seems that golang client does. This may work out, I need to investigate and write some tests for this.

  2. More complicated solution. We can add a special option to publish index file and chart files with both public and private urls.

    This way, the plugin user will keep working with s3://... urls when pushing charts, e.g.:

    helm s3 init s3://public-repo-bucket
helm repo add public-repo s3://public-repo-bucket
helm s3 push ./foo-1.2.3.tgz public-repo --publish # note --publish flag

    And, because chart will have both public and private url, other users can only use Helm itself and be able to fetch index and chart by public urls, e.g.:

    helm repo add public-repo https://public-repo-bucket.s3.amazonaws.com
helm fetch public-repo/foo # will use https://public-repo-bucket.s3.amazonaws.com/foo-1.2.3.tgz

    This solution also needs investigation and verification that Helm will be able to fetch chart by public url when there is one.

hypnoglow avatar Jun 12 '18 20:06 hypnoglow

We are highly interested in this option. Would be cool if we could use that in near future. Our use case is that we use the helm s3 plugin to push to a public s3 bucket and we want to rewrite the URLs from s3:// to https://...

skliche avatar Aug 21 '18 11:08 skliche

@skliche @willejs - Agreed - this would be an awesome way to managed public chart repos like the one we currently provide: https://github.com/cloudposse/charts

@hypnoglow The helm-s3 plugin does a better job of managing charts in the S3 bucket than we do, but we need to expose the public bucket url in the index: https://charts.cloudposse.comand not thes3://` bucket.

As far as our use-case goes, we don't need to support the s3:// urls (and probably @skliche as well). Would it simplify the implementation to just support overiding the base URL?

osterman avatar Oct 01 '18 20:10 osterman

I think #46 is perfect =)

osterman avatar Oct 01 '18 20:10 osterman

@osterman yes you are right, we use the s3 plugin only to push to the s3 bucket and expose only https URLs. By the way, I created a fork where I merged this PR and we are using it for almost a month now without a problem.

skliche avatar Oct 02 '18 06:10 skliche

Unfortunately, #46 is not acceptable as it will break some functional, for example, it will be impossible to delete charts from the index when there are http(s):// urls instead of expected s3://. Also, it does not integrate with the reindex operation.

I'm in the process of writing a proposal about public repositories and solving the issue in a way that will keep all the existing features of the plugin working. I'm going to publish it and welcome anyone for the review.

hypnoglow avatar Oct 09 '18 17:10 hypnoglow

Hey folks, I've opened a PR with a proposal, welcome if you're interested. Please check if I'm missing something there. Also, I'm open to alternative solutions if you have ideas.

hypnoglow avatar Oct 11 '18 16:10 hypnoglow

Thanks @hypnoglow !

osterman avatar Oct 15 '18 01:10 osterman