
GCS - No documentation for non-gke authentication

Open koalalorenzo opened this issue 7 years ago • 10 comments

I have noticed on the helm chart for chartmuseum (stable/chartmuseum) that there is no way to pass the service account private file (the .json file generated when creating the Storage Account on Google Cloud).

What I am trying to do is to deploy chartmuseum, using the helm chart, and connecting it to a bucket on GCS, in a cluster that is not living on GKE. The documentation for both the chart and the chartmuseum does not provide any link or guide to setup Chartmuseum with GCS without GKE (that provides the credentials by default).

What I was able to achieve is to set up the environment variable GOOGLE_APPLICATION_CREDENTIALS in env.secret, but there is no other way to provide the file/mount an extra volume.

Here are the logs after deploying the helm chart:

W0409 18:04:32.223131   29387 cmd.go:353] log is DEPRECATED and will be removed in a future version. Use logs instead.
panic: dialing: google: error getting credentials using GOOGLE_APPLICATION_CREDENTIALS environment variable: open /data/hello-world.json: no such file or directory

goroutine 1 [running]:
github.com/kubernetes-helm/chartmuseum/pkg/storage.NewGoogleCSBackend(0xc420016016, 0x13, 0x0, 0x0, 0x0)
        /go/src/github.com/kubernetes-helm/chartmuseum/pkg/storage/google.go:24 +0x36d
main.googleBackendFromContext(0xc4201b4dc0, 0x6, 0xf38c5a)
        /go/src/github.com/kubernetes-helm/chartmuseum/cmd/chartmuseum/main.go:120 +0xe9
main.backendFromContext(0xc4201b4dc0, 0xd81f60, 0xc4202ce8e0)
        /go/src/github.com/kubernetes-helm/chartmuseum/cmd/chartmuseum/main.go:81 +0x3f9
main.cliHandler(0xc4201b4dc0)
        /go/src/github.com/kubernetes-helm/chartmuseum/cmd/chartmuseum/main.go:38 +0x43
github.com/kubernetes-helm/chartmuseum/vendor/github.com/urfave/cli.HandleAction(0xd7e6e0, 0xf6d800, 0xc4201b4dc0, 0xc4201b90e0, 0x0)
        /go/src/github.com/kubernetes-helm/chartmuseum/vendor/github.com/urfave/cli/app.go:492 +0x7c
github.com/kubernetes-helm/chartmuseum/vendor/github.com/urfave/cli.(*App).Run(0xc420214b60, 0xc42000a1a0, 0x2, 0x2, 0x0, 0x0)
        /go/src/github.com/kubernetes-helm/chartmuseum/vendor/github.com/urfave/cli/app.go:264 +0x6ac
main.main()
        /go/src/github.com/kubernetes-helm/chartmuseum/cmd/chartmuseum/main.go:34 +0x1ef

koalalorenzo avatar Apr 09 '18 18:04 koalalorenzo
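What the panic above boils down to is that the GCS client was handed a path (`/data/hello-world.json`) that nothing had mounted into the container. The following is an added example, not chartmuseum's own code and not part of the chart or this thread: a small pre-flight check, written in the project's language, that inspects the file `GOOGLE_APPLICATION_CREDENTIALS` points at before any bucket call is made, so the failure is a readable error rather than a stack trace. Everything in it (the function names, the `SampleKey` fixture with its placeholder private key, the `CheckResult` type) is an assumption for illustration; only the environment variable name and the `service_account` key-file fields are the real ones.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// Sentinel errors so callers (and tests) can distinguish the failure modes.
var (
	ErrUnset    = errors.New("GOOGLE_APPLICATION_CREDENTIALS is not set")
	ErrNotFound = errors.New("credentials file not found: is the Secret mounted at that path?")
	ErrNotSAKey = errors.New("credentials file is not a service_account key")
)

// saKey holds only the key-file fields the check needs. The field names are
// those of Google's service-account JSON key format; everything else in the
// file is ignored so the check never copies the private key anywhere.
type saKey struct {
	Type        string `json:"type"`
	ProjectID   string `json:"project_id"`
	ClientEmail string `json:"client_email"`
	PrivateKey  string `json:"private_key"`
}

// CheckResult is what the pre-flight check reports on success.
// (Hypothetical type for this example.)
type CheckResult struct {
	Email         string // service account that will perform the bucket operations
	ProjectID     string
	WorldReadable bool // true if any user in the container can read the key file
}

// CheckCredentialsFile validates the path GOOGLE_APPLICATION_CREDENTIALS
// points at before the GCS client is dialed: the variable is set, the file
// exists, it parses, and it is a service_account key carrying a private key.
// It also reports whether the file is world-readable; that is a hardening
// point, not a hard failure, because Kubernetes mounts Secret files as 0644
// unless the volume sets defaultMode.
func CheckCredentialsFile(path string) (CheckResult, error) {
	var res CheckResult
	if path == "" {
		return res, ErrUnset
	}
	info, err := os.Stat(path)
	if err != nil {
		if os.IsNotExist(err) {
			return res, fmt.Errorf("%w (%s)", ErrNotFound, path)
		}
		return res, fmt.Errorf("stat %s: %w", path, err)
	}
	res.WorldReadable = info.Mode().Perm()&0o004 != 0

	raw, err := os.ReadFile(path)
	if err != nil {
		return res, fmt.Errorf("read %s: %w", path, err)
	}
	var k saKey
	if err := json.Unmarshal(raw, &k); err != nil {
		return res, fmt.Errorf("parse %s: %w", path, err)
	}
	if k.Type != "service_account" || k.ClientEmail == "" || k.PrivateKey == "" {
		return res, fmt.Errorf("%w (type=%q)", ErrNotSAKey, k.Type)
	}
	res.Email = k.ClientEmail
	res.ProjectID = k.ProjectID
	return res, nil
}

// SampleKey is a constructed, non-functional key file used only to exercise
// the parser; the private key is a placeholder, not real key material.
const SampleKey = `{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "0123456789abcdef",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "chartmuseum@example-project.iam.gserviceaccount.com",
  "client_id": "000000000000000000000",
  "token_uri": "https://oauth2.googleapis.com/token"
}`

func main() {
	path := os.Getenv("GOOGLE_APPLICATION_CREDENTIALS")
	res, err := CheckCredentialsFile(path)
	if err != nil {
		// Fail before dialing, with the reason, instead of a panic deep in the
		// storage backend.
		fmt.Fprintln(os.Stderr, "credentials check failed:", err)
		os.Exit(1)
	}
	fmt.Printf("credentials OK: %s (project %s)\n", res.Email, res.ProjectID)
	if res.WorldReadable {
		fmt.Fprintln(os.Stderr, "warning:", path, "is world-readable; mount the Secret with defaultMode 0400")
	}
}
```

In a pod this runs as an init step or at startup with the key delivered as a Kubernetes Secret mounted read-only at the path named in `GOOGLE_APPLICATION_CREDENTIALS`; the `WorldReadable` flag is there because a Secret volume's files are 0644 by default, and a key that grants `devstorage.read_write` deserves 0400 and a dedicated service account scoped to the one bucket.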

Also must keep in mind that in GKE the default access is read-only, so writing charts will fail with {"error":"googleapi: Error 403: Insufficient Permission, insufficientPermissions"} unless you add

https://www.googleapis.com/auth/devstorage.read_write

to scopes / oauth_scopes when creating your GKE cluster. Also that will only work if your GCS bucket is located under the same GCP project as the cluster.

ilyasotkov avatar Apr 10 '18 10:04 ilyasotkov

Yes, my service account is already properly configured and it works if I use the json file in another setup :) I am trying to use it OUTSIDE Google cloud, as I can if I set it up locally... but the chart is not allowing me to do that.

koalalorenzo avatar Apr 10 '18 16:04 koalalorenzo

I've just submitted a PR to add this functionality to the chartmuseum chart.

https://github.com/kubernetes/charts/pull/4904

ipedrazas avatar Apr 11 '18 10:04 ipedrazas

@ipedrazas that looks good to me! @koalalorenzo if the change above works for you I can merge it

jdolitsky avatar Apr 11 '18 12:04 jdolitsky

Ideally it should work :) (the code looks kinda-good, but I need to test it). I am going to test this out in a few hours.

koalalorenzo avatar Apr 11 '18 16:04 koalalorenzo

I am not able to test because after cloning the repository, changing the branch and directory, then blindly copy-pasting (and editing) I always get:

Error: This command needs 1 argument: chart name

koalalorenzo avatar Apr 15 '18 07:04 koalalorenzo

Which command gives you that error? I've just tested this command:

helm install stable/chartmuseum --debug  --set env.open.GOOGLE_SERVICE_ACCOUNT=true,env.open.STORAGE=google,env.open.DISABLE_API=false,env.open.STORAGE_GOOGLE_BUCKET=my-gcs-bucket,existing.secret.gcp.enabled=true,existing.secret.gcp.secretName=chartmuseum-secret

And this one that will use the cloned chart:

helm install ./stable/chartmuseum --debug  --set env.open.GOOGLE_SERVICE_ACCOUNT=true,env.open.STORAGE=google,env.open.DISABLE_API=false,env.open.STORAGE_GOOGLE_BUCKET=my-gcs-bucket,existing.secret.gcp.enabled=true,existing.secret.gcp.secretName=chartmuseum-secret

and both seem to work.

ipedrazas avatar Apr 15 '18 08:04 ipedrazas

The one pointing to the local chart. It works now.

koalalorenzo avatar Apr 15 '18 09:04 koalalorenzo

I found out that the helm chart is not mounting the configmap if GOOGLE_CREDENTIALS_JSON is only set in env.secret. I have reviewed the PR.

koalalorenzo avatar Apr 15 '18 09:04 koalalorenzo

@koalalorenzo @ipedrazas good to close this issue?

jdolitsky avatar Jul 17 '18 18:07 jdolitsky