Unable to install plugins from private repo #684
Comments
No not right now. Krew doesn't support downloading plugins from private repos currently. I think this has come up before but it would require some design before we do any kind of implementation for it.
@esatterwhite Are you using ssh key-based authentication mechanism? If so, I'm surprised this doesn't work.
Admittedly, this is something we missed during the design phase of custom indexes. We handle retrieving the plugin index from a private repository (as ssh keys or remote helpers can help authenticate users). However, we only fetch the plugin bundle over https and without a way of authenticating. Krew can still fetch the plugin bundle if it was at an unauthenticated (but firewalled) endpoint such as
/kind bug
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community.
@ahmetb after moving things around in our repo we eventually came to that conclusion 😞 . I'm actually glad someone else came across this, are there any plans to make private indexes/custom indexes a first class citizen? I was looking into krew-release-bot for custom indexes and it appears it is an open issue as well.
@tsunamishaun this is probably a v1.0 blocker for us. so we are eager to hear use cases as well as proposed designs if there are any. people have all sorts of methods to authenticate to private urls. what's yours?
@ahmetb We were planning to use github packages on private repos. I think most package repos (artifactory/github) would require user:token for pulling binaries with slightly varying requirements. Images storing binaries has had some appeal with those around me which would mean docker credentials. I should have looked but I don't think krew supports container type? Hopefully that was helpful, thanks for the quick response!
Yeah maybe we can consider supporting OCI layers in addition to https:// URLs and use the docker credentials detection logic docker already has. That would require us to do some work defining the format. I am doubting many other "private access" use cases actually will use an OCI Registry though.
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community.
Rotten issues close after 30d of inactivity. Send feedback to sig-contributor-experience at kubernetes/community.
@fejta-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/reopen
@millermatt: You can't reopen an issue/PR unless you authored it or you are a collaborator. In response to this:
@ahmetb can this get reopened?
/reopen
@ahmetb: Reopened this issue. In response to this:
Any movement on this? Has anyone started a PR yet?
/cc @chriskim06
no there isn't a PR for this yet. @tomelliot16 what is your specific use case here? private github repos was a use case mentioned earlier in this thread and I'm guessing that would be a large portion of use cases. we need to figure out requirements and come up with a design for this feature before working on a PR
/remove-kind design
When might the feature design happen? we're closing in on a year.
@esatterwhite given the user base of the project, this request is only relevant to a very small portion of the users so we didn't prioritize solving this. Open to proposals.
#816 is a possible solution that could support the features requested here. It's currently pretty rough in its implementation but I'm looking for feedback on if this path would be viable for other commenters or if a more tailored solution would be better.
The current fetcher tries to download the releases tarball over https. Unless there is a way to change that with config, I don't think that is possible. Not without hard-coding an access token in the url.
In all likelihood you need more than just a simple HTTP fetcher. Luarocks (package manager for Lua) actually does this fairly well where its fetch handler has many backends and uses the protocol in the manifest to pick the right one https://github.com/luarocks/luarocks/tree/master/src/luarocks/fetch
Cool! That's kind of the direction this is taking in #816 which would enable a set of fetchers. I'd love some feedback on if this would be a solution that could enable your use case.
@ahmetb recalling our early conversations around use-cases and looking at the proposal in #816 makes me think this would be an extensible way for users to explore and work within the constraints provided by their organizations. If anything this could inform additional more formal protocol support without changing the Plugin schema in the near term.
This issue also demonstrates a bug in krew not interpreting http 4xx status codes as errors for artifact downloads. #819
/remove-lifecycle rotten
What else needs to happen for this to be implemented?
I've set up a private git repository on github that houses a krew index. I have a plugin that I can install manually locally, pointed krew at the registry successfully. However, it cannot seem to download the tarball from the registry. It is mostly erroring on comparing the checksums, but the checksum it generates is different on every request, so I don't think it is actually getting the tarball.
and the next time
Is this possible to do? Krew would have to make an authenticated request as far as I can tell.
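The symptom in the post above (a different checksum on every request) and the 4xx handling bug referenced as #819 can be reproduced in isolation. The following is an added example, not krew's code and not from the thread: `fetchSHA256` and `newPrivateStub` are hypothetical names, and the stub server is a constructed stand-in that assumes the private host answers unauthenticated requests with a 404 whose body changes per request.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// fetchSHA256 downloads url and returns the hex SHA-256 of the body.
// With checkStatus=false it hashes whatever comes back (the failure mode);
// with checkStatus=true any non-2xx response is an error and nothing is hashed.
func fetchSHA256(url string, checkStatus bool) (string, error) {
	resp, err := http.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if checkStatus && (resp.StatusCode < 200 || resp.StatusCode > 299) {
		return "", fmt.Errorf("download %s: HTTP %s", url, resp.Status)
	}
	h := sha256.New()
	if _, err := io.Copy(h, resp.Body); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// newPrivateStub is a constructed stand-in for a private artifact URL: each
// unauthenticated request gets a 404 whose body carries a fresh request id.
func newPrivateStub() *httptest.Server {
	var n int64
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusNotFound)
		fmt.Fprintf(w, "Not Found (request-id %d)\n", atomic.AddInt64(&n, 1))
	}))
}

func main() {
	srv := newPrivateStub()
	defer srv.Close()
	a, _ := fetchSHA256(srv.URL, false)
	b, _ := fetchSHA256(srv.URL, false)
	fmt.Println("unchecked digests differ:", a != b)
	_, err := fetchSHA256(srv.URL, true)
	fmt.Println("checked fetch:", err)
}
```

Checking the status before hashing turns a misleading checksum mismatch into an explicit access error, which is the signal a user needs to recognise an authentication problem.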