buildpacks-community/kpack

Download Blob with Basic Auth Secret

ChuckQuinnIV opened this issue · 5 comments

Currently, blob downloads need to either be publicly accessible or have the access token in the URL. Basic Authentication can be forced into the URL here, but that results in the username & password being exposed in build logs.

Similar to image pull secrets, it would be ideal to store these credentials in a Kubernetes secret & reference them from the Image CRD.

I think we're going to do a similar thing to the git secrets, where we find the first secret that has the annotation kpack.io/blob: some.host.name.com and match on the first secret with the same hostname.

There will be 3 ways of configuring the secret:

  1. username/password that gets encoded as Authorization: Basic <base64encode(username,password)>
  2. bearer which gets encoded as Authorization: Bearer <token>
  3. authorization as an escape hatch for non-standard auth, encoded as Authorization: <authorization>

data:
    username:
    password:
    bearer:
    authorization:

I see a potential enhancement by being able to provide arbitrary headers on the secret. But I'm not sure how useful that would be in reality, so I might just leave it until somebody raises a feature request for it.

data:
    headers:
        x-my-special-header: value
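
The secret lookup and header encoding proposed in the comment above, sketched in Go as an added example that is not part of the thread and is not kpack's code. The `Secret` type, the `AuthHeader` function, the precedence between the three keys, the rejection of URLs that embed credentials, and the host names are assumptions; the Basic value joins username and password with a colon as RFC 7617 specifies.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// Secret is a hypothetical stand-in for a Kubernetes Secret (decoded data).
type Secret struct {
	Annotations map[string]string
	Data        map[string]string
}
const blobAnnotation = "kpack.io/blob" // annotation key named in the thread

// AuthHeader uses the first secret whose annotation equals the URL's hostname.
func AuthHeader(blobURL string, secrets []Secret) (string, error) {
	u, err := url.Parse(blobURL)
	if err != nil {
		return "", err
	}
	if u.User != nil { // credentials in the URL would end up in build logs
		return "", errors.New("blob URL carries credentials; use a secret")
	}
	for _, s := range secrets {
		if s.Annotations[blobAnnotation] != u.Hostname() {
			continue
		}
		switch d := s.Data; { // precedence between keys is an assumption
		case d["username"] != "" && d["password"] != "":
			raw := d["username"] + ":" + d["password"] // RFC 7617 user-pass
			return "Basic " + base64.StdEncoding.EncodeToString([]byte(raw)), nil
		case d["bearer"] != "":
			return "Bearer " + d["bearer"], nil
		case d["authorization"] != "":
			return d["authorization"], nil
		}
		return "", errors.New("matching secret has no usable auth key")
	}
	return "", nil // no secret for this host: send no Authorization header
}

func main() {
	s := Secret{map[string]string{blobAnnotation: "repo.example.com"},
		map[string]string{"bearer": "constructed-token"}} // constructed sample
	h, err := AuthHeader("https://repo.example.com/app.jar", []Secret{s})
	fmt.Println(h != "", err) // report presence only, never the value
}
```

Because the header is derived from the request URL's hostname, a client using this should recompute it (or drop it) on any redirect to a different host.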

@chenbh: It's a nice design, is there an ETA for this feature? We are happy to use this feature as we need to download a jar file from a private Maven repo via HTTP basic authentication and we can't code the username & password in the spec due to security concerns.

@yilims I'm hoping to get it in and released by end of this month.

Awesome, that's really a cool feature that the community is waiting for!