diff --git a/api/v1beta2/helmrepository_types.go b/api/v1beta2/helmrepository_types.go
index 4e53fdfd7..6792e32b1 100644
--- a/api/v1beta2/helmrepository_types.go
+++ b/api/v1beta2/helmrepository_types.go
@@ -98,6 +98,12 @@ type HelmRepositorySpec struct {
 // +optional
 Insecure bool `json:"insecure,omitempty"`
 
+ // InsecureSkipVerify allows connecting to a HTTPS container registry without
+ // verifying the server's certificate chain and host name.
+ // This field is only taken into account if the .spec.type field is set to 'oci'.
+ // +optional
+ InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
+
 // Timeout is used for the index fetch operation for an HTTPS helm repository,
 // and for remote OCI Repository operations like pulling for an OCI helm
 // chart by the associated HelmChart.
diff --git a/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml b/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml
index 7eb709b94..9f051951c 100644
--- a/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml
+++ b/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml
@@ -318,6 +318,11 @@ spec: registry. This field is only taken into account if the .spec.type field is set to 'oci'. type: boolean + insecureSkipVerify: + description: InsecureSkipVerify allows connecting to a HTTPS container registry + without verifying the server's certificate chain and host name. + This field is only taken into account if the .spec.type field is set to 'oci'. + type: boolean interval: description: Interval at which the HelmRepository URL is checked for updates. This interval is approximate and may be subject to jitter
diff --git a/docs/api/v1beta2/source.md b/docs/api/v1beta2/source.md
index 04c3e328f..35c8f420b 100644
--- a/docs/api/v1beta2/source.md
+++ b/docs/api/v1beta2/source.md
@@ -887,6 +887,20 @@ This field is only taken into account if the .spec.type field is set to ‘o +insecureSkipVerify
+ +bool + + + +(Optional) +

InsecureSkipVerify allows connecting to a HTTPS container registry without +verifying the server’s certificate chain and host name. +This field is only taken into account if the .spec.type field is set to ‘oci’.

+ + + + timeout
@@ -2619,6 +2633,20 @@ This field is only taken into account if the .spec.type field is set to ‘o +insecureSkipVerify
+ +bool + + + +(Optional) +

InsecureSkipVerify allows connecting to a HTTPS container registry without +verifying the server’s certificate chain and host name. +This field is only taken into account if the .spec.type field is set to ‘oci’.

+ + + + timeout
diff --git a/docs/spec/v1beta2/helmrepositories.md b/docs/spec/v1beta2/helmrepositories.md
index 0fd33ed00..5c3eab01d 100644
--- a/docs/spec/v1beta2/helmrepositories.md
+++ b/docs/spec/v1beta2/helmrepositories.md
@@ -354,6 +354,15 @@ denying insecure non-TLS connections when fetching Helm chart OCI artifacts.
 **Note**: The insecure field is supported only for Helm OCI repositories.
 The `spec.type` field must be set to `oci`.
 
+### InsecureSkipVerify
+
+`.spec.insecureSkipVerify` is an optional field to allow connecting to a secure (HTTPS)
+container registry server without verifying the server's certificate chain and host name,
+if set to `true`. The default value is `false`,
+
+**Note**: The insecureSkipVerify field is supported only for Helm OCI repositories.
+The `spec.type` field must be set to `oci`.
+
 ### Interval
 
 **Note:** This field is ineffectual for [OCI Helm
diff --git a/internal/helm/getter/client_opts.go b/internal/helm/getter/client_opts.go
index 4dfc97b40..7432778b9 100644
--- a/internal/helm/getter/client_opts.go
+++ b/internal/helm/getter/client_opts.go
@@ -88,7 +88,11 @@ func GetClientOpts(ctx context.Context, c client.Client, obj *helmv1.HelmReposit
 err error
 )
 // Check `.spec.certSecretRef` first for any TLS auth data.
- if obj.Spec.CertSecretRef != nil {
+ if obj.Spec.InsecureSkipVerify {
+ hrOpts.TlsConfig = &tls.Config{
+ InsecureSkipVerify: true,
+ }
+ } else if obj.Spec.CertSecretRef != nil {
 certSecret, err = fetchSecret(ctx, c, obj.Spec.CertSecretRef.Name, obj.GetNamespace())
 if err != nil {
 return nil, "", fmt.Errorf("failed to get TLS authentication secret '%s/%s': %w", obj.GetNamespace(), obj.Spec.CertSecretRef.Name, err)
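Review bot: In GetClientOpts, the new `if obj.Spec.InsecureSkipVerify { … } else if obj.Spec.CertSecretRef != nil {` chain skips the `fetchSecret` branch whenever the flag is set, so an object that sets both fields appears to lose the client certificate and CA from `.spec.certSecretRef` without any error or log, and connects with server verification disabled. I would reject the combination before the branch, e.g. `if obj.Spec.InsecureSkipVerify && obj.Spec.CertSecretRef != nil { return nil, "", fmt.Errorf("insecureSkipVerify and certSecretRef cannot both be set") }`; if the precedence is intended instead, the stale comment above the branch should become `// InsecureSkipVerify takes precedence over .spec.certSecretRef.` and the field comment in api/v1beta2/helmrepository_types.go should state the same. The branch is also not conditioned on `.spec.type` being `oci`, although the API comment and docs say the field is only honoured for OCI repositories; that gating may happen elsewhere, since the function body starts and ends outside this hunk, but it is worth confirming. Because the setting removes protection against an on-path attacker, logging or emitting an event when it is active would let operators see which repositories run without certificate verification.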