Download Blob with Basic Auth Secret
ChuckQuinnIV opened this issue · 5 comments
Currently, blob downloads need to either be publicly accessible or have the access token in the URL. Basic Authentication can be forced into the URL here, but that results in the username & password being exposed in build logs.
Similar to image pull secrets, it would be ideal to store these credentials in a Kubernetes secret & reference them from the Image CRD.
I think we're going to do a similar thing to the git secrets, where we find the first secret that has the annotation kpack.io/blob: some.host.name.com and match on the first secret with the same hostname.
There will be 3 ways of configuring the secret:
- username/password, which gets encoded as Authorization: Basic <base64encode(username,password)>
- bearer, which gets encoded as Authorization: Bearer <token>
- authorization, as an escape hatch for non-standard auth, encoded as Authorization: <authorization>
data:
  username:
  password:
  bearer:
  authorization:
I see a potential enhancement in being able to provide arbitrary headers on the secret. But I'm not sure how useful that would be in reality, so I might just leave it until somebody raises a feature request for it.
data:
  headers:
    x-my-special-header: value
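The lookup proposed in the comment above, as an added Go example that is not kpack's code. The `Secret` type, the `AuthHeader` name and the precedence between keys (authorization, then bearer, then username/password) are assumptions; the Basic value uses the RFC 7617 form, base64 of `username:password`.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
)

// Secret is a hypothetical, simplified stand-in for a Kubernetes Secret.
type Secret struct {
	Annotations map[string]string
	Data        map[string]string // values already decoded
}

// AuthHeader returns the Authorization header value for blobURL, using the
// first secret whose kpack.io/blob annotation equals the URL's hostname.
// "" with a nil error means no secret matched (anonymous download).
func AuthHeader(secrets []Secret, blobURL string) (string, error) {
	u, err := url.Parse(blobURL)
	if err != nil {
		return "", err
	}
	if u.User != nil || u.Hostname() == "" {
		return "", fmt.Errorf("blob URL needs a host and no embedded credentials")
	}
	for _, s := range secrets {
		if s.Annotations["kpack.io/blob"] != u.Hostname() {
			continue
		}
		switch d := s.Data; {
		case d["authorization"] != "": // escape hatch, sent verbatim
			return d["authorization"], nil
		case d["bearer"] != "":
			return "Bearer " + d["bearer"], nil
		case d["username"] != "" && d["password"] != "":
			return "Basic " + base64.StdEncoding.EncodeToString([]byte(d["username"]+":"+d["password"])), nil
		}
		return "", fmt.Errorf("secret for %s has no usable credential keys", u.Hostname())
	}
	return "", nil
}

func main() {
	s := Secret{map[string]string{"kpack.io/blob": "maven.example.com"},
		map[string]string{"username": "ci", "password": "s3cret"}} // constructed sample
	h, err := AuthHeader([]Secret{s}, "https://maven.example.com/repo/app.jar")
	fmt.Println(h != "", err) // log only whether a header was set, never its value
}
```

URLs that carry credentials in the userinfo part are rejected, so the secret-based path cannot be silently bypassed by a URL that would leak into build logs.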
@chenbh: It's a nice design, is there an ETA for this feature? We are happy to use this feature as we need to download a jar file from a private Maven repo via HTTP basic authentication and we can't code the username & password in the spec due to security concerns.
Awesome, that's really a cool feature that the community is waiting for!