From 8fc25030d6359076dd7a1bfe31a39712e56fcadb Mon Sep 17 00:00:00 2001
From: Stefan Prodan
Date: Tue, 21 Nov 2023 10:57:01 +0200
Subject: [PATCH] Add `.spec.insecure` to `HelmRepository` Allow connecting to
Helm OCI repositories over plain HTTP (non-TLS endpoint).
Signed-off-by: Stefan Prodan
---
api/v1beta2/helmrepository_types.go | 5 ++++
...ce.toolkit.fluxcd.io_helmrepositories.yaml | 4 ++++
docs/api/v1beta2/source.md | 24 +++++++++++++++++++
docs/spec/v1beta2/helmrepositories.md | 18 ++++++++------
internal/helm/getter/client_opts.go | 1 +
5 files changed, 45 insertions(+), 7 deletions(-)
diff --git a/api/v1beta2/helmrepository_types.go b/api/v1beta2/helmrepository_types.go
index e1df71568..52da54972 100644
--- a/api/v1beta2/helmrepository_types.go
+++ b/api/v1beta2/helmrepository_types.go
@@ -23,6 +23,7 @@ import (
"github.com/fluxcd/pkg/apis/acl"
"github.com/fluxcd/pkg/apis/meta"
+
apiv1 "github.com/fluxcd/source-controller/api/v1"
)
@@ -91,6 +92,10 @@ type HelmRepositorySpec struct {
// +required
Interval metav1.Duration `json:"interval"`
+ // Insecure allows connecting to a non-TLS HTTP container registry.
+ // +optional
+ Insecure bool `json:"insecure,omitempty"`
+
// Timeout is used for the index fetch operation for an HTTPS helm repository,
// and for remote OCI Repository operations like pulling for an OCI helm repository.
// Its default value is 60s.
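Review bot: The doc comment on the new `Insecure` field (which also becomes the CRD description) does not say which repository type honours it, even though the patch title and the spec doc describe it as an OCI-only plain-HTTP switch, and the name is easy to misread as "skip TLS certificate verification". I would state the scope and the consequence in the comment: `// Insecure allows connecting to a non-TLS HTTP container registry.` followed by `// This field is only taken into account if .spec.type is set to 'oci'; when enabled, credentials from .spec.secretRef are sent over an unencrypted connection.` Nothing in this hunk rejects `insecure: true` on a `default`-type repository or on a URL that is already `https://`; if that check lives in the reconciler it is outside this patch, otherwise a kubebuilder/CEL validation or a Stalled condition would surface the misconfiguration instead of silently ignoring the flag. HelmRepositorySpec continues outside the hunk.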
diff --git a/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml b/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml
index 6de6911d8..77c0b9836 100644
--- a/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml
+++ b/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml
@@ -313,6 +313,10 @@ spec:
required:
- name
type: object
+ insecure:
+ description: Insecure allows connecting to a non-TLS HTTP container
+ registry.
+ type: boolean
interval:
description: Interval at which the HelmRepository URL is checked for
updates. This interval is approximate and may be subject to jitter
diff --git a/docs/api/v1beta2/source.md b/docs/api/v1beta2/source.md
index edfa29a5b..31973eb77 100644
--- a/docs/api/v1beta2/source.md
+++ b/docs/api/v1beta2/source.md
@@ -873,6 +873,18 @@ efficient use of resources.
+insecure
+
+bool
+
+ |
+
+(Optional)
+ Insecure allows connecting to a non-TLS HTTP container registry.
+ |
+
+
+
timeout
@@ -2590,6 +2602,18 @@ efficient use of resources.
|
+insecure
+
+bool
+
+ |
+
+(Optional)
+ Insecure allows connecting to a non-TLS HTTP container registry.
+ |
+
+
+
timeout
diff --git a/docs/spec/v1beta2/helmrepositories.md b/docs/spec/v1beta2/helmrepositories.md
index ad9e736e0..0baa0fa9d 100644
--- a/docs/spec/v1beta2/helmrepositories.md
+++ b/docs/spec/v1beta2/helmrepositories.md
@@ -158,14 +158,12 @@ valid [DNS subdomain name](https://kubernetes.io/docs/concepts/overview/working-
A HelmRepository also needs a
[`.spec` section](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status).
-
### Type
`.spec.type` is an optional field that specifies the Helm repository type.
Possible values are `default` for a Helm HTTP/S repository, or `oci` for an OCI Helm repository.
-
### Provider
`.spec.provider` is an optional field that allows specifying an OIDC provider used
@@ -358,6 +356,12 @@ the needed permission is instead `storage.objects.list` which can be bound as pa
of the Container Registry Service Agent role. Take a look at [this guide](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)
for more information about setting up GKE Workload Identity.
+### Insecure
+
+`.spec.insecure` is an optional field to allow connecting to an insecure (HTTP)
+container registry server, if set to `true`. The default value is `false`,
+denying insecure non-TLS connections when fetching Helm chart OCI artifacts.
+
### Interval
`.spec.interval` is a required field that specifies the interval which the
@@ -426,8 +430,8 @@ metadata:
name: example-user
namespace: default
stringData:
- username: example
- password: 123456
+ username: "user-123456"
+ password: "pass-123456"
```
OCI Helm repository example:
@@ -452,8 +456,8 @@ metadata:
name: oci-creds
namespace: default
stringData:
- username: example
- password: 123456
+ username: "user-123456"
+ password: "pass-123456"
```
For OCI Helm repositories, Kubernetes secrets of type [kubernetes.io/dockerconfigjson](https://kubernetes.io/docs/concepts/configuration/secret/#secret-types) are also supported.
@@ -469,7 +473,7 @@ flux create secret oci ghcr-auth \
**Warning:** Support for specifying TLS authentication data using this API has been
deprecated. Please use [`.spec.certSecretRef`](#cert-secret-reference) instead.
-If the controller uses the secret specfied by this field to configure TLS, then
+If the controller uses the secret specified by this field to configure TLS, then
a deprecation warning will be logged.
### Cert secret reference
diff --git a/internal/helm/getter/client_opts.go b/internal/helm/getter/client_opts.go
index f746684bd..4dd7c1263 100644
--- a/internal/helm/getter/client_opts.go
+++ b/internal/helm/getter/client_opts.go
@@ -74,6 +74,7 @@ func GetClientOpts(ctx context.Context, c client.Client, obj *helmv1.HelmReposit
helmgetter.WithURL(url),
helmgetter.WithTimeout(obj.Spec.Timeout.Duration),
helmgetter.WithPassCredentialsAll(obj.Spec.PassCredentials),
+ helmgetter.WithPlainHTTP(obj.Spec.Insecure),
},
}
ociRepo := obj.Spec.Type == helmv1.HelmRepositoryTypeOCI
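Review bot: `helmgetter.WithPlainHTTP(obj.Spec.Insecure)` is appended to the getter options for every repository type, while `ociRepo` on the very next line shows the function already distinguishes OCI from HTTP/S repositories; for a `default`-type repository the option is presumably ignored by the HTTP getter, but the setting is then accepted silently even though the spec doc describes it as OCI-only. Consider hoisting the type check above the options and passing `helmgetter.WithPlainHTTP(ociRepo && obj.Spec.Insecure)`, or returning an error when `obj.Spec.Insecure` is set on a non-OCI repository so the misconfiguration is reported rather than dropped. If the OCI registry client used for login and chart pulls is constructed separately from these getter options, it needs the matching plain-HTTP client option too; that is not visible in this hunk. GetClientOpts starts before and continues after this hunk.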