feature: adding private repo capability #243
Conversation
pkg/registry/http.go
Outdated
| @@ -72,8 +72,13 @@ func (r SchemaRegistry) DownloadSchema(resourceKind, resourceAPIVersion, k8sVers | |||
| return url, b.([]byte), nil | |||
| } | |||
| } | |||
| req, _ := http.NewRequest("GET", url, nil) | |||
pkg/registry/http.go
Outdated
|
|
||
| resp, err := r.c.Get(url) | ||
| if token, exist := os.LookupEnv("GITHUB_TOKEN"); exist { |
There was a problem hiding this comment.
I'm having some thoughts on how this will work when using multiple schema registries. When using the default registry plus one private one, we will be passing a GITHUB_TOKEN for the default registry too - does this work? This also won't work for multiple registries that might require different GITHUB_TOKENS, though I might be ok with that simplification for the sake of UI.
Also imagine you have a GITHUB_TOKEN set because you use Github, and run kubeconform against non-Github schema registries - the Github token will be passed 🤔
There was a problem hiding this comment.
For the first question, if you pass the token to github in a non-authenticated it works (and also all of them will fail if you have an invalid token)
As for using it with the token set and non-github http registries, might be an issue tho... How about if I make a new registry, github-specific and derive it from the http one?
To make it work with generic http registries I think we'll need to change the UI, to get the header name for example 🤔
There was a problem hiding this comment.
Maybe we can make it 2 env vars?
KUBECONFORM_AUTH_TOKEN and KUBECONFORM_AUTH_HEADER? It will still be limited to usage on every registry, but might work... I don't see a way of making it per-registry without changing the interface, maybe introducing a config file or sequential parameters
There was a problem hiding this comment.
Oh another option might be creating a private registry struct implementing the registerer, and passing the values like -private-schema-location xxx -private-schema-header xxx -private-schema-auth xxx (order should be mandatory tho)
|
Left a couple comment, but also with regards to #237 it looks like some have the need for authentication for non-GH repos. I'm wondering how we could pass authentication headers to only some schema registries 🤔 |
|
@vhbfernandes @yannh any follow up on this? is there anything I can help with? |
|
For Github, we could pass the token as a URL query param BUT, we would need to change the logic here a bit before that will work: https://github.com/yannh/kubeconform/blob/master/pkg/registry/registry.go#L87 |
Closes #237
Pointing out that I went for the "magic env" approach to avoid breaking the interface and backwards compatibility :)