From 8fc25030d6359076dd7a1bfe31a39712e56fcadb Mon Sep 17 00:00:00 2001
From: Stefan Prodan
Date: Tue, 21 Nov 2023 10:57:01 +0200
Subject: [PATCH] Add `.spec.insecure` to `HelmRepository`

Allow connecting to Helm OCI repositories over plain HTTP (non-TLS endpoint).

Signed-off-by: Stefan Prodan
---
 api/v1beta2/helmrepository_types.go | 5 ++++
 ...ce.toolkit.fluxcd.io_helmrepositories.yaml | 4 ++++
 docs/api/v1beta2/source.md | 24 +++++++++++++++++++
 docs/spec/v1beta2/helmrepositories.md | 18 ++++++++------
 internal/helm/getter/client_opts.go | 1 +
 5 files changed, 45 insertions(+), 7 deletions(-)

diff --git a/api/v1beta2/helmrepository_types.go b/api/v1beta2/helmrepository_types.go
index e1df71568..52da54972 100644
--- a/api/v1beta2/helmrepository_types.go
+++ b/api/v1beta2/helmrepository_types.go
@@ -23,6 +23,7 @@ import (
 	"github.com/fluxcd/pkg/apis/acl"
 	"github.com/fluxcd/pkg/apis/meta"
+	apiv1 "github.com/fluxcd/source-controller/api/v1"
 )
@@ -91,6 +92,10 @@ type HelmRepositorySpec struct {
 	// +required
 	Interval metav1.Duration `json:"interval"`
 
+	// Insecure allows connecting to a non-TLS HTTP container registry.
+	// +optional
+	Insecure bool `json:"insecure,omitempty"`
+
 	// Timeout is used for the index fetch operation for an HTTPS helm repository,
 	// and for remote OCI Repository operations like pulling for an OCI helm repository.
 	// Its default value is 60s.
diff --git a/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml b/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml
index 6de6911d8..77c0b9836 100644
--- a/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml
+++ b/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml
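Review bot: Nothing in this diff references the `apiv1` alias added in the first hunk of `helmrepository_types.go`, and the diffstat shows no further change to that file, so as shown the import is unused and Go will refuse to compile the package; drop it, or keep it only together with the code that uses it (if the patch view is simply missing that hunk, disregard). The `Insecure` comment in the second hunk names neither the repository type it applies to nor the trade-off, even though `client_opts.go` wires it straight into `helmgetter.WithPlainHTTP`, so I would extend it: `// Insecure allows connecting to a non-TLS HTTP container registry.` / `// It only takes effect for repositories of type 'oci'; any configured credentials and the pulled artifacts are then sent in clear text.` Since the flag turns off transport security, the reconciler should also reject `insecure: true` on a `default`-type repository or alongside a TLS configuration rather than silently ignoring one of the two settings. HelmRepositorySpec continues outside the hunk.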
@@ -313,6 +313,10 @@ spec:
                required:
                - name
                type: object
+              insecure:
+                description: Insecure allows connecting to a non-TLS HTTP container
+                  registry.
+                type: boolean
               interval:
                 description: Interval at which the HelmRepository URL is checked for
                   updates. This interval is approximate and may be subject to jitter
diff --git a/docs/api/v1beta2/source.md b/docs/api/v1beta2/source.md
index edfa29a5b..31973eb77 100644
--- a/docs/api/v1beta2/source.md
+++ b/docs/api/v1beta2/source.md
@@ -873,6 +873,18 @@ efficient use of resources.

+insecure
+ +bool + + + +(Optional) +

Insecure allows connecting to a non-TLS HTTP container registry.

+ + + + timeout
@@ -2590,6 +2602,18 @@ efficient use of resources.

+insecure
+ +bool + + + +(Optional) +

Insecure allows connecting to a non-TLS HTTP container registry.

+ + + + timeout
diff --git a/docs/spec/v1beta2/helmrepositories.md b/docs/spec/v1beta2/helmrepositories.md
index ad9e736e0..0baa0fa9d 100644
--- a/docs/spec/v1beta2/helmrepositories.md
+++ b/docs/spec/v1beta2/helmrepositories.md
@@ -158,14 +158,12 @@ valid [DNS subdomain name](https://kubernetes.io/docs/concepts/overview/working-
 A HelmRepository also needs a
 [`.spec` section](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status).
 
-
 ### Type
 
 `.spec.type` is an optional field that specifies the Helm repository type.
 
 Possible values are `default` for a Helm HTTP/S repository, or `oci` for an OCI Helm repository.
 
-
 ### Provider
 
 `.spec.provider` is an optional field that allows specifying an OIDC provider used
@@ -358,6 +356,12 @@ the needed permission is instead `storage.objects.list` which can be bound as pa
 of the Container Registry Service Agent role. Take a look at [this guide](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) for more information about setting up GKE Workload Identity.
 
+### Insecure
+
+`.spec.insecure` is an optional field to allow connecting to an insecure (HTTP)
+container registry server, if set to `true`. The default value is `false`,
+denying insecure non-TLS connections when fetching Helm chart OCI artifacts.
+
 ### Interval
 
 `.spec.interval` is a required field that specifies the interval which the
@@ -426,8 +430,8 @@ metadata:
   name: example-user
   namespace: default
 stringData:
-  username: example
-  password: 123456
+  username: "user-123456"
+  password: "pass-123456"
 ```
 
 OCI Helm repository example:
@@ -452,8 +456,8 @@ metadata:
   name: oci-creds
   namespace: default
 stringData:
-  username: example
-  password: 123456
+  username: "user-123456"
+  password: "pass-123456"
 ```
 
 For OCI Helm repositories, Kubernetes secrets of type [kubernetes.io/dockerconfigjson](https://kubernetes.io/docs/concepts/configuration/secret/#secret-types) are also supported.
@@ -469,7 +473,7 @@ flux create secret oci ghcr-auth \
 **Warning:** Support for specifying TLS authentication data using this API has been deprecated. Please use [`.spec.certSecretRef`](#cert-secret-reference) instead.
-If the controller uses the secret specfied by this field to configure TLS, then
+If the controller uses the secret specified by this field to configure TLS, then
 a deprecation warning will be logged.
 
 ### Cert secret reference
diff --git a/internal/helm/getter/client_opts.go b/internal/helm/getter/client_opts.go
index f746684bd..4dd7c1263 100644
--- a/internal/helm/getter/client_opts.go
+++ b/internal/helm/getter/client_opts.go
@@ -74,6 +74,7 @@ func GetClientOpts(ctx context.Context, c client.Client, obj *helmv1.HelmReposit
 			helmgetter.WithURL(url),
 			helmgetter.WithTimeout(obj.Spec.Timeout.Duration),
 			helmgetter.WithPassCredentialsAll(obj.Spec.PassCredentials),
+			helmgetter.WithPlainHTTP(obj.Spec.Insecure),
 		},
 	}
 	ociRepo := obj.Spec.Type == helmv1.HelmRepositoryTypeOCI
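Review bot: `helmgetter.WithPlainHTTP(obj.Spec.Insecure)` is added unconditionally, and nothing in the hunk checks `Insecure` against the repository type tested on the following line or against a TLS configuration on the same object, so an object carrying both `insecure: true` and TLS settings would be downgraded to clear-text transport without any error. I would fail early in GetClientOpts, e.g. `if obj.Spec.Insecure && obj.Spec.Type != helmv1.HelmRepositoryTypeOCI {` / `return nil, fmt.Errorf("insecure is only supported for HelmRepository type %q", helmv1.HelmRepositoryTypeOCI)` / `}`, and likewise when a cert secret is referenced; the function's return values are outside the hunk, so adapt the error return to them. Whether the controller also builds its own OCI registry client for login elsewhere and needs the same plain-HTTP setting cannot be seen here and is worth checking. GetClientOpts begins and continues outside the hunk.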