From 09fcb2e8e052f7eba821e83ab4839095b8338e30 Mon Sep 17 00:00:00 2001 From: Sanskar Jaiswal Date: Tue, 18 Jul 2023 18:40:48 +0530 Subject: [PATCH] helmrepo: add docs for `.spec.certSecretRef` Signed-off-by: Sanskar Jaiswal --- docs/spec/v1beta2/helmrepositories.md | 34 ++++++++++++++++++++++----- 1 file changed, 28 insertions(+), 6 deletions(-) diff --git a/docs/spec/v1beta2/helmrepositories.md b/docs/spec/v1beta2/helmrepositories.md index 34ddfe468..3ce4420cd 100644 --- a/docs/spec/v1beta2/helmrepositories.md +++ b/docs/spec/v1beta2/helmrepositories.md @@ -452,15 +452,37 @@ flux create secret oci ghcr-auth \ --password=${GITHUB_PAT} ``` -#### TLS authentication +**Note**: Support for specifying TLS authentication data using this API +has been deprecated. Please use [`.spec.certSecretRef`](#cert-secret-reference) +instead. If the controller uses the secret specfied by this field to configure +TLS, then a `DeprecationWarning` event will be emitted. + +### Cert secret reference **Note:** TLS authentication is not yet supported by OCI Helm repositories. -To provide TLS credentials to use while connecting with the Helm repository, -the referenced Secret is expected to contain `.data.certFile` and -`.data.keyFile`, and/or `.data.caFile` values. +`.spec.certSecretRef.name` is an optional field to specify a secret containing TLS +certificate data. The secret can contain the following keys: -For example: +* `certFile` and `keyFile`: The client certificate and private key used for TLS client +authentication. These must be used in conjunction, i.e. specifying one without the other +will lead to an error. +* `caFile`: The CA certificate used to verify the server, which is required if +the server is using a self-signed certificate. + +If the server is using a self-signed certificate and has TLS client authentication enabled, +all three values are required. + +All the files in the secret are expected to be [PEM-encoded][pem-encoding]. Assuming you have +three files; `client.key`, `client.crt` and `ca.crt` for the client private key, client +certificate and the CA certificate respectively, you can generate the required secret using +the `flux creat secret helm` command: + +```bash +flux create secret helm tls --key-file=client.key --cert-file=client.crt --ca-file=ca.crt +``` + +Example usage: ```yaml --- @@ -472,7 +494,7 @@ metadata: spec: interval: 5m0s url: https://example.com - secretRef: + certSecretRef: name: example-tls --- apiVersion: v1