Skip to content

Support authentication for custom CNI Helm repositories#13294

Open
A-Soltani255 wants to merge 3 commits into
kubernetes-sigs:masterfrom
A-Soltani255:add-custom-cni-helm-repo-auth
Open

Support authentication for custom CNI Helm repositories#13294
A-Soltani255 wants to merge 3 commits into
kubernetes-sigs:masterfrom
A-Soltani255:add-custom-cni-helm-repo-auth

Conversation

@A-Soltani255

@A-Soltani255 A-Soltani255 commented Jun 6, 2026

Copy link
Copy Markdown

What this PR does

This PR adds optional Helm repository authentication support to the custom_cni network plugin role.

It updates:

roles/network_plugin/custom_cni/meta/main.yml

to pass optional username and password values to the helm-apps role when a custom CNI is deployed from a Helm chart repository.

The added fields are:

username: "{{ custom_cni_chart_repository_username | default(omit) }}"
password: "{{ custom_cni_chart_repository_password | default(omit) }}"

This PR also updates the sample custom CNI inventory file:

inventory/sample/group_vars/k8s_cluster/k8s-net-custom-cni.yml

to document the optional variables:

# custom_cni_chart_repository_username: "<helm_repository_username>"
# custom_cni_chart_repository_password: "<helm_repository_password>"

Why this is needed

The current custom_cni Helm chart deployment option supports configuring a Helm repository name and URL, but it does not provide a way to pass authentication credentials for private Helm repositories.

This is useful for environments where the custom CNI chart is stored in an authenticated internal Helm repository, such as:

  • Nexus Repository
  • Harbor
  • ChartMuseum
  • Artifactory
  • Other private Helm chart repositories

Without these variables, users must patch the Kubespray role locally when their Helm repository requires authentication.

Backward compatibility

This change is backward-compatible.

The new fields use default(omit), so they are only passed when the user explicitly defines:

custom_cni_chart_repository_username
custom_cni_chart_repository_password

Existing deployments using public or unauthenticated Helm repositories should continue to work without any change.

Security notes

No real credentials are added in this PR.

The sample inventory only documents placeholder values as commented examples. Users who need repository authentication can define these variables in their own inventory, preferably using Ansible Vault or another secret-management method.

Testing

  • [✔] Ran pre-commit run --all-files
  • [✔] Ran ansible-playbook -i inventory/sample/inventory.ini cluster.yml --syntax-check
  • [✔] Verified with Ansible Core 2.16.14 that a public repository works when neither credential variable is defined
  • [✔] Verified that an authenticated repository accepts the username and password when both variables are defined
  • [✔] Verified that defining only one credential fails with parameters are required together: repo_username, repo_password

Additional context

This change allows Kubespray users to deploy a custom CNI from a private authenticated Helm repository without maintaining a local patch to the custom_cni role.

Release note

Added optional authentication variables for custom CNI Helm chart repositories: `custom_cni_chart_repository_username` and `custom_cni_chart_repository_password`.

Pass optional Helm repository username and password values to the custom CNI chart configuration. These values use default(omit) so authentication fields are only included when explicitly defined by the user.
Add commented sample variables for configuring a username and password when the custom CNI Helm repository requires authentication.
@k8s-ci-robot k8s-ci-robot added the do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. label Jun 6, 2026
@linux-foundation-easycla

linux-foundation-easycla Bot commented Jun 6, 2026

Copy link
Copy Markdown

CLA Signed
The committers listed above are authorized under a signed CLA.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. label Jun 6, 2026
@k8s-ci-robot

Copy link
Copy Markdown
Contributor

Welcome @A-Soltani255!

It looks like this is your first PR to kubernetes-sigs/kubespray 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/kubespray has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 6, 2026
@k8s-ci-robot

Copy link
Copy Markdown
Contributor

Hi @A-Soltani255. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jun 8, 2026
@yankay

yankay commented Jun 9, 2026

Copy link
Copy Markdown
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 9, 2026
@yankay

yankay commented Jun 16, 2026

Copy link
Copy Markdown
Member

Thanks @A-Soltani255
/approve

@k8s-ci-robot

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: A-Soltani255, yankay

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 16, 2026
@yankay yankay requested a review from Copilot June 16, 2026 03:10

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds optional Helm repository authentication support for the custom_cni network plugin when deploying a custom CNI via the helm-apps role.

Changes:

  • Pass optional username/password fields to helm-apps repository definitions using default(omit).
  • Document the new inventory variables in the sample k8s-net-custom-cni.yml.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
roles/network_plugin/custom_cni/meta/main.yml Adds optional Helm repository username/password fields for the custom CNI chart repo.
inventory/sample/group_vars/k8s_cluster/k8s-net-custom-cni.yml Documents the new optional repository credential variables in the sample inventory.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread roles/network_plugin/custom_cni/meta/main.yml
Comment thread inventory/sample/group_vars/k8s_cluster/k8s-net-custom-cni.yml Outdated
Comment thread inventory/sample/group_vars/k8s_cluster/k8s-net-custom-cni.yml Outdated
Document paired repository credentials and secure password storage.
Remove authentication placeholders from the public Cilium example.
@kubernetes-prow

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: A-Soltani255, yankay

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Comment thread inventory/sample/group_vars/k8s_cluster/k8s-net-custom-cni.yml
@A-Soltani255

Copy link
Copy Markdown
Author

The Copilot review feedback has been addressed in commit 59ad0fc.

I updated the credential documentation, clarified that username and password must be configured together, added Ansible Vault guidance, and removed the authentication placeholders from the public Cilium example.

I also verified the following cases with Ansible Core 2.16.14:

  • No credentials defined: public repository succeeds
  • Username and password both defined: authenticated repository succeeds
  • Only one credential defined: the module correctly rejects the configuration

@ErikJiang @tico88612, could you please review the updated changes? If everything looks good, could one of you add /lgtm?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants