Support aws s3 bucket as a helm repository #187

Open
arunpmohan opened this issue Apr 4, 2023 · 8 comments
Labels
enhancement New feature or request

Comments

@arunpmohan

What problem are you facing?

We are running the crossplane in the aws eks environment.
We want to keep our helm charts in aws s3 and pull and install using the helm provider.
However the helm provider today doesn't support s3 plugin.

How could Crossplane help solve your problem?

We would be interested in contributing s3 plugin support in provider helm. Is this something the community/maintainers would agree?

@arunpmohan arunpmohan added the enhancement New feature or request label Apr 4, 2023
@arunpmohan
Author

Another note to add is that terraform helm already supports this plugin.

https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release

@turkenh
Collaborator

turkenh commented Apr 27, 2023

This sounds good to me.
However, assuming we are not talking about public buckets only, I am wondering how we are planning to handle the authentication part.

It would be nice to see some examples of how this feature would be used (with public/private buckets) before starting the actual implementation.

@arunpmohan
Author

Sure. Just FYI we are using this https:/hypnoglow/helm-s3 plugin sources to integrate it with s3.

So it would work the way this plugin works for authentication.

@turkenh
Collaborator

turkenh commented Apr 28, 2023

> So it would work the way this plugin works for authentication.

To be clear, I am more interested in the API, e.g. how users would provide the credentials etc. over k8s api.

@philippart

Currently we are using an S3 bucket policy to grant read-only access from a specific VPC where crossplane is running.
Ideally we would want to use IRSA like provider-aws to authenticate with AWS.
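
What pinning an IRSA role to the Helm provider could look like on the IAM side, as an added example that is not part of the thread or of provider-helm: the trust policy of the role that reads the chart bucket. The account ID reuses the placeholder that appears in this thread; REGION, CLUSTER_OIDC_ID and PROVIDER_HELM_SERVICE_ACCOUNT are placeholders for values this page does not give.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::999999999999:oidc-provider/oidc.eks.REGION.amazonaws.com/id/CLUSTER_OIDC_ID"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.REGION.amazonaws.com/id/CLUSTER_OIDC_ID:sub": "system:serviceaccount:crossplane-system:PROVIDER_HELM_SERVICE_ACCOUNT",
          "oidc.eks.REGION.amazonaws.com/id/CLUSTER_OIDC_ID:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
```

Without the `sub` condition, any service account in the cluster could assume the role; the `aud` condition restricts the token to one issued for STS.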

@philippart

Concretely we are proposing to configure the IAM Role ARN into a secret that can be referenced in the ProviderConfig as follows:

apiVersion: helm.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: helm-provider
spec:
  credentials:
    source: InjectedIdentity
  identity:
    type: AWSCredentials
    source: Secret
    secretRef:
      name: aws-credentials
      namespace: crossplane-system
      key: roleArn

@philippart

I wish to amend the above proposal: the role ARN should be configured in a secret referenced by the Release object (spec.forProvider.chart.pullSecretRef) rather than the ProviderConfig. This is a clearer split between the helm install credentials and the helm pull credentials. And it is more consistent with the current API.

apiVersion: helm.crossplane.io/v1beta1
kind: Release
metadata:
  name: my-service
spec:
  forProvider:
    chart:
      name: my-chart
      repository: s3://repo/charts/
      version: v1.2.3
      pullSecretRef:
        name: s3-role
        namespace: crossplane-system
    namespace: my-namespace
---
apiVersion: v1
kind: Secret
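metadata:
  name: s3-role
  namespace: crossplane-system  # must match pullSecretRef.namespace above
type: Opaque
stringData:  # plain-text value; `data` would require it base64-encoded
  roleARN: arn:aws:iam::999999999999:role/s3-role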

@johnathan-sq

Were there any developments on this issue? I would like to fetch a helm chart from a private s3 bucket. Can't think of any solutions in the current state.
