Comments (6)
ilyesAj
commented on June 18, 2024
1
hi @oliviermichaelis , thanks for your quick response,
let me explain a bit more the situation :
- we deployed a boring-registry on k8s and we exposed it via an ingress
- my question is whether
./boring-registry uploadcan work from my local machine to upload a module to the distant boring-registry.
I hope it's clear .
from boring-registry.
oliviermichaelis
commented on June 18, 2024
Hi @ilyesAj !
- I'm not sure what you mean by distant vs local in your question.
boring-registrydoes not need to run on the same machine as Terraform. It could for example run in the cloud, while Terraform runs on your local machine for example. Maybe you could restate your question, so that I can answer it better :) - You're right, it's currently not possible yet. I think I might give implementing this a shot this evening
from boring-registry.
oliviermichaelis
commented on June 18, 2024
Thanks, it's a lot clearer now.
The upload command actually uploads the modules directly to your storage backend (S3, GCS, MinIO). This means that you need to pass valid credentials for the storage backend to the binary when uploading modules.
Edit:
You could for example run boring-registry upload --recursive=true . in your CI/CD system to recursively upload all modules. Credentials can be passed to the binary with AWS_ACCESS_KEY_ID=xxx environment variables for example. Hope this helps :)
from boring-registry.
ilyesAj
commented on June 18, 2024
yep thanks, but I think boring-registry should be the only one accessing/managing S3 bucket. So I as a user I just need to authenticate via static token to boring registry and boring registry will make internally the calls to s3 alongside with some checks to avoid conflicts on upload.
from boring-registry.
oliviermichaelis
commented on June 18, 2024
That would definitely be nice! The implementation would probably be more complex, though.
With the current approach, we can leverage the sophisticated identity and access management services from cloud vendors for uploading modules/providers to the object storage with little effort. In contrast to relying on the static token and the boring-registries implementation of authorization.
Right now, the boring-registry can only serve what's already there. When attackers gain access to one of boring-registry's static auth token, they can only use what's already there, and not inject arbitrary modules to escalate privileges or exfiltrate data. I guess that's part of what makes the boring-registry boring :)
from boring-registry.
ilyesAj
commented on June 18, 2024
agree, it's a different approach ;)
from boring-registry.
Related Issues (20)
- Unable to reference module from minIO backed registry HOT 9
- Unable to query published provider info and local terraform init got error HOT 5
- helm chart references wrong authentication ENV variable HOT 1
- Multiple Static Authentication tokens in k8s setup HOT 1
- if `--ignore-existing=false` is set, existing modules in storage will clutter CI
- Migrate from hclv1 to hclv2
- Support Azure Blob Storage HOT 8
- OIDC auth
- [Bug] Modules publishing to Cloud Storage are not appending extension HOT 5
- [Feature Request]: Support using local file system as storage HOT 7
- HTTP 500 rather than 404 HOT 2
- 0.11.2 container crashlooping HOT 3
- Flags or environment variables are not being enforced HOT 2
- support `network_mirror` configuration of `.terraformrc` HOT 2
- ghcr.io/boring-registry/boring-registry:v0.12.0 not available for anonymous pull HOT 2
- helm Chart // allow to add a true/false `extraEnv` HOT 1
- Build multi-arch container image HOT 1
- [Feature Request] Serve as proxy for remote storage HOT 7
- [BUG] Boring-registry upload concatenates file name with extension HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from boring-registry.