Add .spec.insecure to HelmRepository

Allow connecting to Helm OCI repositories over plain HTTP (non-TLS endpoint).

Signed-off-by: Stefan Prodan <[email protected]>

Author: stefanprodan

api/v1beta2/helmrepository_types.go

@@ -23,6 +23,7 @@ import (
 
 	"github.com/fluxcd/pkg/apis/acl"
 	"github.com/fluxcd/pkg/apis/meta"
+
 	apiv1 "github.com/fluxcd/source-controller/api/v1"
 )
 
@@ -91,6 +92,10 @@ type HelmRepositorySpec struct {
 	// +required
 	Interval metav1.Duration `json:"interval"`
 
+	// Insecure allows connecting to a non-TLS HTTP container registry.
+	// +optional
+	Insecure bool `json:"insecure,omitempty"`
+
 	// Timeout is used for the index fetch operation for an HTTPS helm repository,
 	// and for remote OCI Repository operations like pulling for an OCI helm repository.
 	// Its default value is 60s.

config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml

@@ -313,6 +313,10 @@ spec:
                 required:
                 - name
                 type: object
+              insecure:
+                description: Insecure allows connecting to a non-TLS HTTP container
+                  registry.
+                type: boolean
               interval:
                 description: Interval at which the HelmRepository URL is checked for
                   updates. This interval is approximate and may be subject to jitter

docs/api/v1beta2/source.md

@@ -873,6 +873,18 @@ efficient use of resources.</p>
 </tr>
 <tr>
 <td>
+<code>insecure</code><br>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Insecure allows connecting to a non-TLS HTTP container registry.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>timeout</code><br>
 <em>
 <a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration">
@@ -2590,6 +2602,18 @@ efficient use of resources.</p>
 </tr>
 <tr>
 <td>
+<code>insecure</code><br>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Insecure allows connecting to a non-TLS HTTP container registry.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>timeout</code><br>
 <em>
 <a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration">

docs/spec/v1beta2/helmrepositories.md

@@ -158,14 +158,12 @@ valid [DNS subdomain name](https://kubernetes.io/docs/concepts/overview/working-
 A HelmRepository also needs a
 [`.spec` section](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status).
 
-
 ### Type
 
 `.spec.type` is an optional field that specifies the Helm repository type. 
 
 Possible values are `default` for a Helm HTTP/S repository, or `oci` for an OCI Helm repository.
 
-
 ### Provider
 
 `.spec.provider` is an optional field that allows specifying an OIDC provider used
@@ -358,6 +356,12 @@ the needed permission is instead `storage.objects.list` which can be bound as pa
 of the Container Registry Service Agent role. Take a look at [this guide](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)
 for more information about setting up GKE Workload Identity.
 
+### Insecure
+
+`.spec.insecure` is an optional field to allow connecting to an insecure (HTTP)
+container registry server, if set to `true`. The default value is `false`,
+denying insecure non-TLS connections when fetching Helm chart OCI artifacts.
+
 ### Interval
 
 `.spec.interval` is a required field that specifies the interval which the
@@ -426,8 +430,8 @@ metadata:
   name: example-user
   namespace: default
 stringData:
-  username: example
-  password: 123456
+  username: "user-123456"
+  password: "pass-123456"
 ```
 
 OCI Helm repository example:
@@ -452,8 +456,8 @@ metadata:
   name: oci-creds
   namespace: default
 stringData:
-  username: example
-  password: 123456
+  username: "user-123456"
+  password: "pass-123456"
 ```
 
 For OCI Helm repositories, Kubernetes secrets of type [kubernetes.io/dockerconfigjson](https://kubernetes.io/docs/concepts/configuration/secret/#secret-types) are also supported.
@@ -469,7 +473,7 @@ flux create secret oci ghcr-auth \
 
 **Warning:** Support for specifying TLS authentication data using this API has been
 deprecated. Please use [`.spec.certSecretRef`](#cert-secret-reference) instead.
-If the controller uses the secret specfied by this field to configure TLS, then
+If the controller uses the secret specified by this field to configure TLS, then
 a deprecation warning will be logged.
 
 ### Cert secret reference

internal/helm/getter/client_opts.go

@@ -74,6 +74,7 @@ func GetClientOpts(ctx context.Context, c client.Client, obj *helmv1.HelmReposit
 			helmgetter.WithURL(url),
 			helmgetter.WithTimeout(obj.Spec.Timeout.Duration),
 			helmgetter.WithPassCredentialsAll(obj.Spec.PassCredentials),
+			helmgetter.WithPlainHTTP(obj.Spec.Insecure),
 		},
 	}
 	ociRepo := obj.Spec.Type == helmv1.HelmRepositoryTypeOCI

internal/helm/getter/client_opts_test.go

@@ -68,7 +68,7 @@ func TestGetClientOpts(t *testing.T) {
 			},
 			afterFunc: func(t *WithT, hcOpts *ClientOpts) {
 				t.Expect(hcOpts.TlsConfig).ToNot(BeNil())
-				t.Expect(len(hcOpts.GetterOpts)).To(Equal(4))
+				t.Expect(len(hcOpts.GetterOpts)).To(Equal(5))
 			},
 		},
 		{
@@ -85,7 +85,7 @@ func TestGetClientOpts(t *testing.T) {
 			},
 			afterFunc: func(t *WithT, hcOpts *ClientOpts) {
 				t.Expect(hcOpts.TlsConfig).ToNot(BeNil())
-				t.Expect(len(hcOpts.GetterOpts)).To(Equal(4))
+				t.Expect(len(hcOpts.GetterOpts)).To(Equal(5))
 			},
 			err: ErrDeprecatedTLSConfig,
 		},