Add .spec.insecure to HelmRepository
Allow connecting to Helm OCI repositories over plain HTTP (non-TLS endpoint).

Signed-off-by: Stefan Prodan <[email protected]>
stefanprodan authored and aryan9600 committed Nov 22, 2023
1 parent f54a59c commit 053f485
Showing 6 changed files with 54 additions and 9 deletions.
6 changes: 6 additions & 0 deletions api/v1beta2/helmrepository_types.go
Expand Up @@ -23,6 +23,7 @@ import (

"github.com/fluxcd/pkg/apis/acl"
"github.com/fluxcd/pkg/apis/meta"

apiv1 "github.com/fluxcd/source-controller/api/v1"
)
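Review bot: this hunk only inserts a blank line between the `github.com/fluxcd/pkg/apis/meta` and `apiv1` imports, which is unrelated to adding `.spec.insecure`; either drop it from this commit or mention the import regrouping in the message so reviewers do not look for a functional change here.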

Expand Down Expand Up @@ -91,6 +92,11 @@ type HelmRepositorySpec struct {
// +required
Interval metav1.Duration `json:"interval"`

// Insecure allows connecting to a non-TLS HTTP container registry.
// This field is only taken into account if the .spec.type field is set to 'oci'.
// +optional
Insecure bool `json:"insecure,omitempty"`

// Timeout is used for the index fetch operation for an HTTPS helm repository,
// and for remote OCI Repository operations like pulling for an OCI helm repository.
// Its default value is 60s.
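Review bot: `Insecure` is documented as "only taken into account if the .spec.type field is set to 'oci'", but nothing in the type rejects `insecure: true` on a `default` repository, so a user who sets it gets a silently ignored field. Consider a kubebuilder/CEL validation rule tying the field to `type: oci`, or at least a reconcile-time warning condition, and since the field turns off transport security for the registry connection, the comment should say so (for example: "Plain HTTP exposes registry credentials and chart contents to interception; use only for trusted, isolated registries").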
Expand Up @@ -313,6 +313,11 @@ spec:
required:
- name
type: object
insecure:
description: Insecure allows connecting to a non-TLS HTTP container
registry. This field is only taken into account if the .spec.type
field is set to 'oci'.
type: boolean
interval:
description: Interval at which the HelmRepository URL is checked for
updates. This interval is approximate and may be subject to jitter
26 changes: 26 additions & 0 deletions docs/api/v1beta2/source.md
Expand Up @@ -873,6 +873,19 @@ efficient use of resources.</p>
</tr>
<tr>
<td>
<code>insecure</code><br>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>Insecure allows connecting to a non-TLS HTTP container registry.
This field is only taken into account if the .spec.type field is set to &lsquo;oci&rsquo;.</p>
</td>
</tr>
<tr>
<td>
<code>timeout</code><br>
<em>
<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration">
Expand Down Expand Up @@ -2590,6 +2603,19 @@ efficient use of resources.</p>
</tr>
<tr>
<td>
<code>insecure</code><br>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>Insecure allows connecting to a non-TLS HTTP container registry.
This field is only taken into account if the .spec.type field is set to &lsquo;oci&rsquo;.</p>
</td>
</tr>
<tr>
<td>
<code>timeout</code><br>
<em>
<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration">
21 changes: 14 additions & 7 deletions docs/spec/v1beta2/helmrepositories.md
Expand Up @@ -158,14 +158,12 @@ valid [DNS subdomain name](https://kubernetes.io/docs/concepts/overview/working-
A HelmRepository also needs a
[`.spec` section](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status).


### Type

`.spec.type` is an optional field that specifies the Helm repository type.

Possible values are `default` for a Helm HTTP/S repository, or `oci` for an OCI Helm repository.


### Provider

`.spec.provider` is an optional field that allows specifying an OIDC provider used
Expand Down Expand Up @@ -358,6 +356,15 @@ the needed permission is instead `storage.objects.list` which can be bound as pa
of the Container Registry Service Agent role. Take a look at [this guide](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)
for more information about setting up GKE Workload Identity.

### Insecure

`.spec.insecure` is an optional field to allow connecting to an insecure (HTTP)
container registry server, if set to `true`. The default value is `false`,
denying insecure non-TLS connections when fetching Helm chart OCI artifacts.

**Note**: The insecure field is supported only for Helm OCI repositories.
The `spec.type` field must be set to `oci`.

### Interval

`.spec.interval` is a required field that specifies the interval which the
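Review bot: the new Insecure section says the field is "supported only for Helm OCI repositories", while the API comment in `helmrepository_types.go` says it is "only taken into account" for `oci`, which means ignored rather than rejected; the docs should state which it is so users know a `default` repository with `insecure: true` will not fail validation. A short manifest example showing `type: oci` together with `insecure: true` would help, and one sentence on how `insecure` interacts with `.spec.certSecretRef` is worth adding since both configure the registry connection.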
Expand Down Expand Up @@ -426,8 +433,8 @@ metadata:
name: example-user
namespace: default
stringData:
username: example
password: 123456
username: "user-123456"
password: "pass-123456"
```

OCI Helm repository example:
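Review bot: changing the sample credentials from `example`/`123456` to `"user-123456"`/`"pass-123456"` (here and in the OCI example at `@@ -452,8 +459,8 @@`) is unrelated to `.spec.insecure` and is not mentioned in the commit message. Quoting the values does fix a real problem, since an unquoted `123456` is parsed as a YAML integer, which is not valid in `stringData`, so state that as the reason or move the change to its own commit.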
Expand All @@ -452,8 +459,8 @@ metadata:
name: oci-creds
namespace: default
stringData:
username: example
password: 123456
username: "user-123456"
password: "pass-123456"
```

For OCI Helm repositories, Kubernetes secrets of type [kubernetes.io/dockerconfigjson](https://kubernetes.io/docs/concepts/configuration/secret/#secret-types) are also supported.
Expand All @@ -469,7 +476,7 @@ flux create secret oci ghcr-auth \

**Warning:** Support for specifying TLS authentication data using this API has been
deprecated. Please use [`.spec.certSecretRef`](#cert-secret-reference) instead.
If the controller uses the secret specfied by this field to configure TLS, then
If the controller uses the secret specified by this field to configure TLS, then
a deprecation warning will be logged.

### Cert secret reference
1 change: 1 addition & 0 deletions internal/helm/getter/client_opts.go
Expand Up @@ -74,6 +74,7 @@ func GetClientOpts(ctx context.Context, c client.Client, obj *helmv1.HelmReposit
helmgetter.WithURL(url),
helmgetter.WithTimeout(obj.Spec.Timeout.Duration),
helmgetter.WithPassCredentialsAll(obj.Spec.PassCredentials),
helmgetter.WithPlainHTTP(obj.Spec.Insecure),
},
}
ociRepo := obj.Spec.Type == helmv1.HelmRepositoryTypeOCI
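Review bot: `helmgetter.WithPlainHTTP(obj.Spec.Insecure)` is appended to `GetterOpts` unconditionally, but the API comment says the field is only honoured for `oci`; `ociRepo` is computed on the very next line, so either gate the option on it or state in the doc comment that the helm getter ignores the option for `default` repositories. Also worth verifying that a `default` repository with `insecure: true` does not end up requesting plain HTTP from an HTTPS index URL.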
4 changes: 2 additions & 2 deletions internal/helm/getter/client_opts_test.go
Expand Up @@ -68,7 +68,7 @@ func TestGetClientOpts(t *testing.T) {
},
afterFunc: func(t *WithT, hcOpts *ClientOpts) {
t.Expect(hcOpts.TlsConfig).ToNot(BeNil())
t.Expect(len(hcOpts.GetterOpts)).To(Equal(4))
t.Expect(len(hcOpts.GetterOpts)).To(Equal(5))
},
},
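Review bot: both count bumps from `Equal(4)` to `Equal(5)` (here and in the `ErrDeprecatedTLSConfig` case below) only prove that one more option is appended; add a case with `Spec.Insecure: true` and `Spec.Type` set to OCI that asserts the plain-HTTP option is present, and one with the default type asserting it has no effect, since the behaviour claim in the API comment is otherwise untested.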
{
Expand All @@ -85,7 +85,7 @@ func TestGetClientOpts(t *testing.T) {
},
afterFunc: func(t *WithT, hcOpts *ClientOpts) {
t.Expect(hcOpts.TlsConfig).ToNot(BeNil())
t.Expect(len(hcOpts.GetterOpts)).To(Equal(4))
t.Expect(len(hcOpts.GetterOpts)).To(Equal(5))
},
err: ErrDeprecatedTLSConfig,
},