-
Notifications
You must be signed in to change notification settings - Fork 124
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feature: adding private repo capability #243
base: master
Are you sure you want to change the base?
Conversation
pkg/registry/http.go
Outdated
@@ -72,8 +72,13 @@ func (r SchemaRegistry) DownloadSchema(resourceKind, resourceAPIVersion, k8sVers | |||
return url, b.([]byte), nil | |||
} | |||
} | |||
req, _ := http.NewRequest("GET", url, nil) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
check the error? 🙏
pkg/registry/http.go
Outdated
|
||
resp, err := r.c.Get(url) | ||
if token, exist := os.LookupEnv("GITHUB_TOKEN"); exist { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm having some thoughts on how this will work when using multiple schema registries. When using the default registry plus one private one, we will be passing a GITHUB_TOKEN for the default registry too - does this work? This also won't work for multiple registries that might require different GITHUB_TOKENS, though I might be ok with that simplification for the sake of UI.
Also imagine you have a GITHUB_TOKEN set because you use Github, and run kubeconform against non-Github schema registries - the Github token will be passed 🤔
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For the first question, if you pass the token to github in a non-authenticated it works (and also all of them will fail if you have an invalid token)
As for using it with the token set and non-github http registries, might be an issue tho... How about if I make a new registry, github-specific and derive it from the http one?
To make it work with generic http registries I think we'll need to change the UI, to get the header name for example 🤔
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we can make it 2 env vars?
KUBECONFORM_AUTH_TOKEN
and KUBECONFORM_AUTH_HEADER
? It will still be limited to usage on every registry, but might work... I don't see a way of making it per-registry without changing the interface, maybe introducing a config file or sequential parameters
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh another option might be creating a private registry struct implementing the registerer, and passing the values like -private-schema-location xxx
-private-schema-header xxx
-private-schema-auth xxx
(order should be mandatory tho)
Left a couple comment, but also with regards to #237 it looks like some have the need for authentication for non-GH repos. I'm wondering how we could pass authentication headers to only some schema registries 🤔 |
@vhbfernandes @yannh any follow up on this? is there anything I can help with? |
For Github, we could pass the token as a URL query param
BUT, we would need to change the logic here a bit before that will work: https://github.com/yannh/kubeconform/blob/master/pkg/registry/registry.go#L87 |
Closes #237
Pointing out that I went for the "magic env" approach to avoid breaking the interface and backwards compatibility :)