Merge pull request #51 from Skarlso/add-helm-authentications

add authentication to private helm repos

Author: Skarlso

README.md

@@ -104,46 +104,6 @@ the last applied version in its status. Once there is a new one, it applies it t
 It also saves attempted versions. If a version is failed to apply, it will still record it as attempted version in its
 status.
 
-## Validation
-
-Before applying a new CRD there are options to make sure that it doesn't break anything by defining a template to check
-against. It would be awesome if it could list all Objects that belong to a CRD but that's just not possible because of various
-security reasons.
-
-To work around that, the user can define a `template` section in the Bootstrap object. It will use that template and
-validate the CRD it's trying to apply to the cluster first against that template:
-
-```yaml
-apiVersion: delivery.crd-bootstrap/v1alpha1
-kind: Bootstrap
-metadata:
-  name: bootstrap-sample
-  namespace: crd-bootstrap-system
-spec:
-  interval: 10s
-  template:
-    KrokEvent:
-      apiVersion: delivery.krok.app/v1alpha1
-      kind: KrokEvent
-      metadata:
-        name: krokevent-sample
-      spec:
-        thisfield: bla
-  source:
-    configMap:
-      name: crd-bootstrap-sample
-      namespace: crd-bootstrap-system
-  version:
-    semver: 1.0.0
-```
-
-The template is a map of `Kind`: `Template Yaml`. Here, we have a KrokEvent CRD kind. This fails validation because the
-spec field doesn't have `thisfield` in it. A failed validation will immediately stop reconciliation of the bootstrap
-object. User intervention is required to kick it off again to prevent messing up the cluster.
-
-If it's desired to continue on failures, there is a setting for that. Simply set `continueOnValidationError: true` in the
-Bootstrap's spec.
-
 ## Helm Charts
 
 Helm Charts can have CRDs in them according to the [specification](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/).
@@ -152,8 +112,6 @@ Helm Charts can have CRDs in them according to the [specification](https://helm.
 
 After that, the bootstrapper will keep them in sync similar to the other sources.
 
-At the moment, only public repos are supported... I'll add authentication with https://github.com/Skarlso/crd-bootstrap/issues/49.
-
 There are two sources. With regular HTTP:
 
 ```yaml
@@ -190,6 +148,89 @@ spec:
     semver: v0.4.2
 ```
 
+To add access credentials provide a secret that could contain the following keys:
+
+```go
+const (
+	// Helm security access keys.
+	CaFileKey   = "caFile"
+	CertFileKey = "certFile"
+	UsernameKey = "username"
+	PasswordKey = "password"
+)
+```
+
+For example:
+
+```yaml
+  source:
+    helm:
+      chartReference: oci://ghcr.io/private/helm-chart
+      chartName: helm-chart
+      secretRef:
+        name: access-creds
+```
+
+### Authentication
+
+There are two ways to authenticate with Helm.
+
+For OCI repositories, `docker-registry` type secrets are required. To create one, use:
+
+```bash
+kubectl create secret docker-registry git-secret -n crd-bootstrap-system \
+    --docker-server=ghcr.io \
+    --docker-username=$GITHUB_USER \
+    --docker-password=$GITHUB_TOKEN \
+    --docker-email=$GITHUB_EMAIL
+```
+
+For regular repositories use an Opaque secret:
+
+```bash
+kubectl create secret generic git-secret --from-literal=username=Skarlso --from-literal=password=$GITHUB_TOKEN -n crd-bootstrap-system
+```
+
+## Validation
+
+Before applying a new CRD there are options to make sure that it doesn't break anything by defining a template to check
+against. It would be awesome if it could list all Objects that belong to a CRD but that's just not possible because of various
+security reasons.
+
+To work around that, the user can define a `template` section in the Bootstrap object. It will use that template and
+validate the CRD it's trying to apply to the cluster first against that template:
+
+```yaml
+apiVersion: delivery.crd-bootstrap/v1alpha1
+kind: Bootstrap
+metadata:
+  name: bootstrap-sample
+  namespace: crd-bootstrap-system
+spec:
+  interval: 10s
+  template:
+    KrokEvent:
+      apiVersion: delivery.krok.app/v1alpha1
+      kind: KrokEvent
+      metadata:
+        name: krokevent-sample
+      spec:
+        thisfield: bla
+  source:
+    configMap:
+      name: crd-bootstrap-sample
+      namespace: crd-bootstrap-system
+  version:
+    semver: 1.0.0
+```
+
+The template is a map of `Kind`: `Template Yaml`. Here, we have a KrokEvent CRD kind. This fails validation because the
+spec field doesn't have `thisfield` in it. A failed validation will immediately stop reconciliation of the bootstrap
+object. User intervention is required to kick it off again to prevent messing up the cluster.
+
+If it's desired to continue on failures, there is a setting for that. Simply set `continueOnValidationError: true` in the
+Bootstrap's spec.
+
 ## Multiple CRDs in a single file
 
 A single Bootstrap CRD will point to a single file of ConfigMap. But that file, or ConfigMap may contain multiple CRDs.

api/v1alpha1/constants.go

@@ -0,0 +1,10 @@
+package v1alpha1
+
+const (
+	// Helm security access keys.
+	CaFileKey           = "caFile"
+	CertFileKey         = "certFile"
+	UsernameKey         = "username"
+	PasswordKey         = "password"
+	DockerJSONConfigKey = ".dockerconfigjson"
+)

config/samples/delivery_v1alpha1_bootstrap_helm_url.yaml

@@ -9,5 +9,7 @@ spec:
     helm:
       chartReference: https://ibm.github.io/helm101/
       chartName: guestbook
+      secretRef:
+        name: access-creds
   version:
     semver: 0.2.1

docs/release_notes/v0.5.3.md

@@ -0,0 +1,3 @@
+# Release v0.5.3
+
+Add authentication to private helm chart resources.

go.mod

@@ -4,6 +4,7 @@ go 1.21
 
 require (
 	github.com/Masterminds/semver/v3 v3.2.1
+	github.com/docker/cli v25.0.2+incompatible
 	github.com/fluxcd/cli-utils v0.36.0-flux.3
 	github.com/fluxcd/pkg/apis/meta v1.3.0
 	github.com/fluxcd/pkg/runtime v0.44.1
@@ -24,11 +25,7 @@ require (
 require (
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
-	github.com/BurntSushi/toml v1.3.2 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
-	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
-	github.com/Masterminds/squirrel v1.5.4 // indirect
 	github.com/Microsoft/hcsshim v0.11.4 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
@@ -41,7 +38,6 @@ require (
 	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/distribution/reference v0.5.0 // indirect
-	github.com/docker/cli v25.0.2+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker v25.0.2+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.1 // indirect
@@ -51,19 +47,16 @@ require (
 	github.com/evanphx/json-patch v5.9.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
-	github.com/fatih/color v1.16.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-errors/errors v1.5.1 // indirect
-	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.20.2 // indirect
 	github.com/go-openapi/jsonreference v0.20.4 // indirect
 	github.com/go-openapi/swag v0.22.9 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
-	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
@@ -77,25 +70,14 @@ require (
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/gorilla/websocket v1.5.1 // indirect
-	github.com/gosuri/uitable v0.0.4 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
-	github.com/hashicorp/errwrap v1.1.0 // indirect
-	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/huandu/xstrings v1.4.0 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/jmoiron/sqlx v1.3.5 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.17.5 // indirect
-	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
-	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
-	github.com/lib/pq v1.10.9 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-runewidth v0.0.15 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
@@ -115,12 +97,8 @@ require (
 	github.com/prometheus/client_model v0.5.0 // indirect
 	github.com/prometheus/common v0.46.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
-	github.com/rivo/uniseg v0.4.6 // indirect
-	github.com/rubenv/sql-migrate v1.6.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/shopspring/decimal v1.3.1 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
-	github.com/spf13/cast v1.6.0 // indirect
 	github.com/spf13/cobra v1.8.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect