Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set custom registryAuthorizer for Go client #12584

Closed
rynowak opened this issue Nov 20, 2023 · 5 comments · Fixed by #12588
Closed

Set custom registryAuthorizer for Go client #12584

rynowak opened this issue Nov 20, 2023 · 5 comments · Fixed by #12588
Labels
feature keep open

Comments

@rynowak
Copy link
Contributor

rynowak commented Nov 20, 2023

Summary

We're encountering issues doing a programmatic pull from ghcr.io. Specifically, the user might have cached or stale credentials in their docker credential store. The default Helm client will send these credentials even if they are known to be expired.

Our chart is public, and we would be unblocked if we could force the Helm client to use anonymous access.

Solutions

I found this issue: #12144 which seems similar.

If we could override the authorizer using options here then I think this would do what we wanted.

Are you open to a PR that adds an option for this?

I'm thinking it will look something like this:

// ClientOptRegistryAuthorizer returns a function that sets the authorizer used to access to the registry.
func ClientOptRegistryAuthorizer(authorizer auth.Client) ClientOption {
	return func(client *Client) {
		client.authorizer = authorizer
	}
}
@rynowak rynowak mentioned this issue Nov 20, 2023
Closed
2 tasks
@gjenkins8
Copy link
Member

Thanks, a PR for this would be welcome I think. #12144 never received any follow up, so aged out.

Our chart is public, and we would be unblocked if we could force the Helm client to use anonymous access.

Keep in mind, a PR to allow supplying a customer authorizer would only help SDK users. For the Helm CLI, this logic is going to be necessarily fixed.

rynowak added a commit to rynowak/helm that referenced this issue Nov 21, 2023
@rynowak
Make the authorizer and registry authorizer configurable
279c1e8 
Fixes: helm#12584

This change makes the authorizer and registryAuthorizer of the registry client configurable via options. This allows Go SDK users to override the authentication behavior of the client.

This PR makes both the authorizer and registryAuthorizer configurable because depending on the exact scenario that may be needed. The default registryAuthorizer only supports a specific implementation of the authorizer.
@rynowak rynowak mentioned this issue Nov 21, 2023
Merged
3 tasks
@rynowak
Copy link
Contributor Author

rynowak commented Nov 21, 2023
edited
Loading

Keep in mind, a PR to allow supplying a customer authorizer would only help SDK users. For the Helm CLI, this logic is going to be necessarily fixed.

This is OK for my usecase 👍

PR is here: #12588

I verified this locally with the following code in my repo:

        hc := helm.Configuration{}

	// Create a new client that **will not** use authentication. This prevents
	// the user's stale credentials from being used.
	client, err := registry.NewClient(registry.ClientOptAuthorizer(&dockerauth.Client{}))
	if err != nil {
		return nil, err
	}

	hc.RegistryClient = client

rynowak added a commit to rynowak/helm that referenced this issue Nov 21, 2023
@rynowak
Make the authorizer and registry authorizer configurable
1caf41f 
Fixes: helm#12584

This change makes the authorizer and registryAuthorizer of the registry client configurable via options. This allows Go SDK users to override the authentication behavior of the client.

This PR makes both the authorizer and registryAuthorizer configurable because depending on the exact scenario that may be needed. The default registryAuthorizer only supports a specific implementation of the authorizer.

Signed-off-by: Ryan Nowak <[email protected]>
@github-actions GitHub Actions
Copy link

This issue has been marked as stale because it has been open for 90 days with no activity. This thread will be automatically closed in 30 days if no further activity occurs.

@github-actions github-actions bot added the Stale label Feb 20, 2024
@gjenkins8 gjenkins8 added keep open and removed Stale labels Feb 20, 2024
@blampe
Copy link

blampe commented Apr 23, 2024

I have a similar use case and I'm excited to see #12588 is targeted for the 3.15 / May 8 milestone. I see it was approved last year but not merged -- is there anything still holding it back?

@blampe blampe mentioned this issue Jul 3, 2024
Open
@blampe blampe mentioned this issue Sep 30, 2024
Closed
rynowak added a commit to rynowak/helm that referenced this issue Nov 22, 2024
@rynowak
Make the authorizer and registry authorizer configurable
3c2ab91 
Fixes: helm#12584

This change makes the authorizer and registryAuthorizer of the registry client configurable via options. This allows Go SDK users to override the authentication behavior of the client.

This PR makes both the authorizer and registryAuthorizer configurable because depending on the exact scenario that may be needed. The default registryAuthorizer only supports a specific implementation of the authorizer.

Signed-off-by: Ryan Nowak <[email protected]>
@rynowak rynowak mentioned this issue Nov 22, 2024
Merged
3 tasks
@EronWright
Copy link

@gjenkins8 as you mentioned here, there's still need for a fix to to avoid using stale credentials. Is there another issue tracking that, or?

@EronWright EronWright mentioned this issue Dec 4, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature keep open
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Make the authorizer and registry authorizer configurable rynowak/helm
4 participants
@blampe @rynowak @EronWright @gjenkins8