Download Blob with Basic Auth Secret #1503

Closed
ChuckQuinnIV opened this issue Jan 26, 2024 · 5 comments · Fixed by #1616

@ChuckQuinnIV

Currently, blob downloads need to either be publicly accessible or have the access token in the URL. Basic Authentication can be forced into the URL here, but that results in the username & password being exposed in build logs.

Similar to image pull secrets, it would be ideal to store these credentials in a Kubernetes secret & reference them from the Image CRD.

@chenbh

chenbh commented May 6, 2024

I think we're going to do a similar thing to the git secrets, where we find the first secret that has the annotation kpack.io/blob: some.host.name.com and match on the first secret with the same hostname.

There will be 3 ways of configuring the secret:

  1. username/password that gets encoded as Authorization: Basic <base64encode(username,password)>
  2. bearer which gets encoded as Authorization: Bearer <token>
  3. authorization as an escape hatch for non-standard auth, encoded as Authorization: <authorization>

```yaml
data:
    username:
    password:
    bearer:
    authorization:
```
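
The secret lookup and header encoding described in the comment above, as an added Go example that is not part of the thread and not kpack's implementation. `BlobSecret`, `AuthHeader`, the exact-hostname comparison, the rejection of secrets that set more than one method, the refusal of URLs that carry userinfo, the sample hosts, and the `username:password` form of Basic (RFC 7617) are assumptions of the example.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// BlobSecret is a hypothetical stand-in for a Kubernetes Secret: the value of
// its kpack.io/blob annotation plus its already-decoded data fields.
type BlobSecret struct {
	Host string            // annotation value, e.g. "some.host.name.com"
	Data map[string]string // username, password, bearer, authorization
}

// AuthHeader returns the Authorization value for blobURL, taken from the first
// secret whose annotated host equals the URL's hostname, or "" if none matches.
func AuthHeader(blobURL string, secrets []BlobSecret) (string, error) {
	u, err := url.Parse(blobURL)
	if err != nil {
		return "", err
	}
	if u.User != nil { // assumption: refuse the pattern that leaks into build logs
		return "", errors.New("credentials embedded in blob URL")
	}
	for _, s := range secrets {
		if s.Host != u.Hostname() { // exact match keeps credentials off other hosts
			continue
		}
		user, pass := s.Data["username"], s.Data["password"]
		bearer, raw := s.Data["bearer"], s.Data["authorization"]
		switch { // assumption: exactly one method per secret, anything else is an error
		case user != "" && bearer == "" && raw == "":
			cred := base64.StdEncoding.EncodeToString([]byte(user + ":" + pass))
			return "Basic " + cred, nil
		case bearer != "" && user == "" && pass == "" && raw == "":
			return "Bearer " + bearer, nil
		case raw != "" && user == "" && pass == "" && bearer == "":
			return raw, nil
		}
		return "", fmt.Errorf("secret for %s must set exactly one auth method", s.Host)
	}
	return "", nil // no secret for this host: send the request unauthenticated
}

func main() {
	// Constructed sample secret; host and credentials are made up.
	secrets := []BlobSecret{{Host: "maven.example.com", Data: map[string]string{"username": "ci", "password": "s3cret"}}}
	fmt.Println(AuthHeader("https://maven.example.com/repo/app.jar", secrets))
}
```

The returned value belongs only in the request header; logging it reintroduces the exposure the issue set out to remove.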

@chenbh

chenbh commented May 6, 2024

I see a potential enhancement by being able to provide arbitrary headers on the secret. But I'm not sure how useful that would be in reality, so I might just leave it until somebody raises a feature request for it

```yaml
data:
    headers:
        x-my-special-header: value
```

@yilims

yilims commented May 10, 2024

@chenbh: It's a nice design, is there an ETA for this feature? We are happy to use this feature as we need to download a jar file from a private maven repo via HTTP basic authentication and we can't code the username & password in the spec due to security concerns.

@chenbh

chenbh commented May 13, 2024

@yilims I'm hoping to get it in and released by end of this month.

@yilims

yilims commented May 14, 2024

Awesome, that's really a cool feature that the community is waiting for!
