feat: add private Git repository support and upgrade Alpine 3.19.1 → 3.20.0 for extension installer #15
base: main
- Add EXTENSION_GIT_TOKEN for private repository access
- Support GitHub/GitLab/Bitbucket authentication
- Upgrade Alpine base image to 3.20.0
- Maintain backward compatibility for public repos

Signed-off-by: Jangjae Lee <[email protected]>
5f7af85 to
b268bcf
leoluz
left a comment
First of all, thank you for your contribution and I think that this is a great feature to add in the installer. I'd like to suggest a change in how the authorization header is configured. The extension is mainly a file that can be served in any http server. It isn't related specifically to Git. My suggestion is to provide a configuration called EXTENSION_AUTHORIZATION_HEADER and simply provide that value in the Authorization header if present. This will simplify things a bit and will work for more use-cases.
| initContainers: | ||
| - name: extension | ||
| image: quay.io/argoprojlabs/argocd-extension-installer:v0.0.5@sha256:27e72f047298188e2de1a73a1901013c274c4760c92f82e6e46cd5fbd0957c6b | ||
| image: quay.io/argoprojlabs/argocd-extension-installer:v0.0.9 |
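Review bot: The new `image:` line references `v0.0.9` by tag only, while the line it replaces pinned `v0.0.5` with an `@sha256:` digest. Keep the reference immutable by appending the digest of the v0.0.9 image, in the same `tag@sha256:<digest>` form the old line used.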
Please add the sha256 for the new version. This is an important security measure to ensure that clients aren't fetching malicious images. The sha can be found in quay.io. We should probably clarify this in the doc somewhere.
| echo "WARNING: Git repository URL detected but no EXTENSION_GIT_TOKEN provided" | ||
| echo "This may fail if the repository is private" |
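Review bot: Both `echo` lines write the warning to standard output, where it mixes with the installer's normal output; send them to standard error with `>&2`. The condition the message describes (a Git URL with no `EXTENSION_GIT_TOKEN`) also holds for every public repository, so consider printing it only after a download has actually failed.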
I think that the majority of the extensions are going to be public. That being said, I am not sure if it is a good idea to display this warning message every time.
| else | ||
| curl -Lf --max-time $download_max_sec "$ext_url" -o "$ext_file" | ||
| fi | ||
| elif is_git_url "$ext_url" && [ -z "$git_token" ]; then |
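Review bot: In the `curl -Lf --max-time $download_max_sec` line, `$download_max_sec` is the only unquoted expansion; quote it like `"$ext_url"` and `"$ext_file"` so an empty or malformed value cannot shift curl's arguments. The body of the `elif is_git_url "$ext_url" && [ -z "$git_token" ]` arm is not shown here; if it runs the same unauthenticated `curl` as the line above, merge the two paths into one.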
Public extensions can be published on GitHub and won't require a token. Example:
https://github.com/argoproj-labs/argocd-ephemeral-access/releases/download/v1.0.0-rc2/extension.tar.gz
Not sure if this elif and the else below are required.
| trap finalizer EXIT | ||
|
|
||
| # detect if URL is a Git repository URL | ||
| is_git_url() { |
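Review bot: The comment above `is_git_url()` says only that it detects a Git repository URL, not which hosts or URL forms match. Since the result is combined with the `git_token` check in the download branch, list the matched patterns in the comment so a reader can tell which URLs are treated as needing a token.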
I don't think that this Authorization should be git driven. We could have a private http server that requires authentication for providing extensions.
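The generic header approach suggested in the review comments above, sketched as an added example that is not code from this PR or from the installer. `EXTENSION_AUTHORIZATION_HEADER` is the name proposed in the review; the helper names `auth_config` and `download_extension`, the 30-second default, and the choice to hand the header to curl through `--config -` on stdin are assumptions made here.

```sh
#!/bin/sh
# Added example; helper names are hypothetical, not the installer's own code.
# EXTENSION_AUTHORIZATION_HEADER is the variable name proposed in the review.

LF='
'
CR=$(printf '\r')

# Print a curl config line carrying the Authorization header, or nothing when
# no value is set. Returns 1 if the value contains CR or LF, which would let
# it smuggle extra header or config lines.
auth_config() {
    value="$1"
    [ -n "$value" ] || return 0
    case "$value" in
        *"$CR"*|*"$LF"*) return 1 ;;
    esac
    # Inside a quoted curl config value, backslash and double quote are special.
    escaped=$(printf '%s' "$value" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
    printf 'header = "Authorization: %s"\n' "$escaped"
}

# Download url to out. The header reaches curl through a config read from
# stdin (--config -), so the secret never appears in the process arguments.
download_extension() {
    url="$1"; out="$2"; max_sec="${3:-30}"
    cfg=$(auth_config "${EXTENSION_AUTHORIZATION_HEADER:-}") || {
        echo "EXTENSION_AUTHORIZATION_HEADER must not contain line breaks" >&2
        return 1
    }
    printf '%s\n' "$cfg" |
        curl -Lf --max-time "$max_sec" --config - -o "$out" --url "$url"
}
```

Since curl 7.58.0 a custom `Authorization` header is not forwarded when `-L` follows a redirect to a different host, so the value stays with the host named in the original URL.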
Purpose
Add support for downloading extensions from private Git repositories using authentication tokens.
Changes
EXTENSION_GIT_TOKEN environment variable support
Testing
Checklist
Fixes #13