Add .spec.insecure to HelmRepository

Allow connecting to Helm OCI repositories over plain HTTP (non-TLS endpoint).

Signed-off-by: Stefan Prodan <[email protected]>

Author: stefanprodan

api/v1beta2/helmrepository_types.go

@@ -23,6 +23,7 @@ import (
 
 	"github.com/fluxcd/pkg/apis/acl"
 	"github.com/fluxcd/pkg/apis/meta"
+
 	apiv1 "github.com/fluxcd/source-controller/api/v1"
 )
 
@@ -92,6 +93,11 @@ type HelmRepositorySpec struct {
 	// +optional
 	Interval metav1.Duration `json:"interval,omitempty"`
 
+	// Insecure allows connecting to a non-TLS HTTP container registry.
+	// This field is only taken into account if the .spec.type field is set to 'oci'.
+	// +optional
+	Insecure bool `json:"insecure,omitempty"`
+
 	// Timeout is used for the index fetch operation for an HTTPS helm repository,
 	// and for remote OCI Repository operations like pulling for an OCI helm
 	// chart by the associated HelmChart.

config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml

@@ -313,6 +313,11 @@ spec:
                 required:
                 - name
                 type: object
+              insecure:
+                description: Insecure allows connecting to a non-TLS HTTP container
+                  registry. This field is only taken into account if the .spec.type
+                  field is set to 'oci'.
+                type: boolean
               interval:
                 description: Interval at which the HelmRepository URL is checked for
                   updates. This interval is approximate and may be subject to jitter

docs/api/v1beta2/source.md

@@ -874,6 +874,19 @@ efficient use of resources.</p>
 </tr>
 <tr>
 <td>
+<code>insecure</code><br>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Insecure allows connecting to a non-TLS HTTP container registry.
+This field is only taken into account if the .spec.type field is set to &lsquo;oci&rsquo;.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>timeout</code><br>
 <em>
 <a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration">
@@ -2593,6 +2606,19 @@ efficient use of resources.</p>
 </tr>
 <tr>
 <td>
+<code>insecure</code><br>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Insecure allows connecting to a non-TLS HTTP container registry.
+This field is only taken into account if the .spec.type field is set to &lsquo;oci&rsquo;.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>timeout</code><br>
 <em>
 <a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration">

docs/spec/v1beta2/helmrepositories.md

@@ -147,14 +147,12 @@ valid [DNS subdomain name](https://kubernetes.io/docs/concepts/overview/working-
 A HelmRepository also needs a
 [`.spec` section](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status).
 
-
 ### Type
 
 `.spec.type` is an optional field that specifies the Helm repository type. 
 
 Possible values are `default` for a Helm HTTP/S repository, or `oci` for an OCI Helm repository.
 
-
 ### Provider
 
 `.spec.provider` is an optional field that allows specifying an OIDC provider used
@@ -347,6 +345,15 @@ the needed permission is instead `storage.objects.list` which can be bound as pa
 of the Container Registry Service Agent role. Take a look at [this guide](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)
 for more information about setting up GKE Workload Identity.
 
+### Insecure
+
+`.spec.insecure` is an optional field to allow connecting to an insecure (HTTP)
+container registry server, if set to `true`. The default value is `false`,
+denying insecure non-TLS connections when fetching Helm chart OCI artifacts.
+
+**Note**: The insecure field is supported only for Helm OCI repositories.
+The `spec.type` field must be set to `oci`.
+
 ### Interval
 
 **Note:** This field is ineffectual for [OCI Helm
@@ -422,8 +429,8 @@ metadata:
   name: example-user
   namespace: default
 stringData:
-  username: example
-  password: 123456
+  username: "user-123456"
+  password: "pass-123456"
 ```
 
 OCI Helm repository example:
@@ -448,8 +455,8 @@ metadata:
   name: oci-creds
   namespace: default
 stringData:
-  username: example
-  password: 123456
+  username: "user-123456"
+  password: "pass-123456"
 ```
 
 For OCI Helm repositories, Kubernetes secrets of type [kubernetes.io/dockerconfigjson](https://kubernetes.io/docs/concepts/configuration/secret/#secret-types) are also supported.
@@ -465,7 +472,7 @@ flux create secret oci ghcr-auth \
 
 **Warning:** Support for specifying TLS authentication data using this API has been
 deprecated. Please use [`.spec.certSecretRef`](#cert-secret-reference) instead.
-If the controller uses the secret specfied by this field to configure TLS, then
+If the controller uses the secret specified by this field to configure TLS, then
 a deprecation warning will be logged.
 
 ### Cert secret reference

internal/helm/getter/client_opts.go

@@ -74,6 +74,7 @@ func GetClientOpts(ctx context.Context, c client.Client, obj *helmv1.HelmReposit
 			helmgetter.WithURL(url),
 			helmgetter.WithTimeout(obj.GetTimeout()),
 			helmgetter.WithPassCredentialsAll(obj.Spec.PassCredentials),
+			helmgetter.WithPlainHTTP(obj.Spec.Insecure),
 		},
 	}
 	ociRepo := obj.Spec.Type == helmv1.HelmRepositoryTypeOCI

internal/helm/getter/client_opts_test.go

@@ -68,7 +68,7 @@ func TestGetClientOpts(t *testing.T) {
 			},
 			afterFunc: func(t *WithT, hcOpts *ClientOpts) {
 				t.Expect(hcOpts.TlsConfig).ToNot(BeNil())
-				t.Expect(len(hcOpts.GetterOpts)).To(Equal(4))
+				t.Expect(len(hcOpts.GetterOpts)).To(Equal(5))
 			},
 		},
 		{
@@ -85,7 +85,7 @@ func TestGetClientOpts(t *testing.T) {
 			},
 			afterFunc: func(t *WithT, hcOpts *ClientOpts) {
 				t.Expect(hcOpts.TlsConfig).ToNot(BeNil())
-				t.Expect(len(hcOpts.GetterOpts)).To(Equal(4))
+				t.Expect(len(hcOpts.GetterOpts)).To(Equal(5))
 			},
 			err: ErrDeprecatedTLSConfig,
 		},