diff --git a/api/v1beta1/helmrepository_types.go b/api/v1beta1/helmrepository_types.go
index a2aef56a..40f918d2 100644
--- a/api/v1beta1/helmrepository_types.go
+++ b/api/v1beta1/helmrepository_types.go
@@ -45,6 +45,15 @@ type HelmRepositorySpec struct {
// +optional
SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
+ // PassCredentials allows the credentials from the SecretRef to be passed on to
+ // a host that does not match the host as defined in URL.
+ // This may be required if the host of the advertised chart URLs in the index
+ // differ from the defined URL.
+ // Enabling this should be done with caution, as it can potentially result in
+ // credentials getting stolen in a MITM-attack.
+ // +optional
+ PassCredentials bool `json:"passCredentials,omitempty"`
+
// The interval at which to check the upstream for updates.
// +required
Interval metav1.Duration `json:"interval"`
diff --git a/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml b/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml
index 1052694d..4409c0f9 100644
--- a/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml
+++ b/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml
@@ -50,6 +50,9 @@ spec:
interval:
description: The interval at which to check the upstream for updates.
type: string
+ passCredentials:
+ description: PassCredentials allows the credentials from the SecretRef to be passed on to a host that does not match the host as defined in URL. This may be required if the host of the advertised chart URLs in the index differ from the defined URL. Enabling this should be done with caution, as it can potentially result in credentials getting stolen in a MITM-attack.
+ type: boolean
secretRef:
description: The name of the secret containing authentication credentials for the Helm repository. For HTTP/S basic auth the secret must contain username and password fields. For TLS the secret must contain a certFile and keyFile, and/or caCert fields.
properties:
diff --git a/controllers/helmchart_controller.go b/controllers/helmchart_controller.go
index 2d59e9bf..93a79509 100644
--- a/controllers/helmchart_controller.go
+++ b/controllers/helmchart_controller.go
@@ -301,7 +301,11 @@ func (r *HelmChartReconciler) getSource(ctx context.Context, chart sourcev1.Helm
func (r *HelmChartReconciler) reconcileFromHelmRepository(ctx context.Context,
repository sourcev1.HelmRepository, chart sourcev1.HelmChart, force bool) (sourcev1.HelmChart, error) {
// Configure ChartRepository getter options
- var clientOpts []getter.Option
+ clientOpts := []getter.Option{
+ getter.WithURL(repository.Spec.URL),
+ getter.WithTimeout(repository.Spec.Timeout.Duration),
+ getter.WithPassCredentialsAll(repository.Spec.PassCredentials),
+ }
if secret, err := r.getHelmRepositorySecret(ctx, &repository); err != nil {
return sourcev1.HelmChartNotReady(chart, sourcev1.AuthenticationFailedReason, err.Error()), err
} else if secret != nil {
@@ -311,10 +315,8 @@ func (r *HelmChartReconciler) reconcileFromHelmRepository(ctx context.Context,
return sourcev1.HelmChartNotReady(chart, sourcev1.AuthenticationFailedReason, err.Error()), err
}
defer cleanup()
-
- clientOpts = opts
+ clientOpts = append(clientOpts, opts...)
}
- clientOpts = append(clientOpts, getter.WithTimeout(repository.Spec.Timeout.Duration))
// Initialize the chart repository and load the index file
chartRepo, err := helm.NewChartRepository(repository.Spec.URL, r.Getters, clientOpts)
@@ -619,13 +621,18 @@ func (r *HelmChartReconciler) reconcileFromTarballArtifact(ctx context.Context,
if err != nil {
repository = &sourcev1.HelmRepository{
Spec: sourcev1.HelmRepositorySpec{
- URL: dep.Repository,
+ URL: dep.Repository,
+ Timeout: &metav1.Duration{Duration: 60 * time.Second},
},
}
}
// Configure ChartRepository getter options
- var clientOpts []getter.Option
+ clientOpts := []getter.Option{
+ getter.WithURL(repository.Spec.URL),
+ getter.WithTimeout(repository.Spec.Timeout.Duration),
+ getter.WithPassCredentialsAll(repository.Spec.PassCredentials),
+ }
if secret, err := r.getHelmRepositorySecret(ctx, repository); err != nil {
return sourcev1.HelmChartNotReady(chart, sourcev1.AuthenticationFailedReason, err.Error()), err
} else if secret != nil {
@@ -635,8 +642,7 @@ func (r *HelmChartReconciler) reconcileFromTarballArtifact(ctx context.Context,
return sourcev1.HelmChartNotReady(chart, sourcev1.AuthenticationFailedReason, err.Error()), err
}
defer cleanup()
-
- clientOpts = opts
+ clientOpts = append(clientOpts, opts...)
}
// Initialize the chart repository and load the index file
diff --git a/controllers/helmchart_controller_test.go b/controllers/helmchart_controller_test.go
index 65af83b3..c88fa339 100644
--- a/controllers/helmchart_controller_test.go
+++ b/controllers/helmchart_controller_test.go
@@ -1015,9 +1015,9 @@ var _ = Describe("HelmChartReconciler", func() {
Name: secretKey.Name,
Namespace: secretKey.Namespace,
},
- Data: map[string][]byte{
- "username": []byte(username),
- "password": []byte(password),
+ StringData: map[string]string{
+ "username": username,
+ "password": password,
},
}
Expect(k8sClient.Create(context.Background(), secret)).Should(Succeed())
diff --git a/controllers/helmrepository_controller.go b/controllers/helmrepository_controller.go
index d7f3bdf1..b7f8cd51 100644
--- a/controllers/helmrepository_controller.go
+++ b/controllers/helmrepository_controller.go
@@ -171,7 +171,11 @@ func (r *HelmRepositoryReconciler) Reconcile(ctx context.Context, req ctrl.Reque
}
func (r *HelmRepositoryReconciler) reconcile(ctx context.Context, repository sourcev1.HelmRepository) (sourcev1.HelmRepository, error) {
- var clientOpts []getter.Option
+ clientOpts := []getter.Option{
+ getter.WithURL(repository.Spec.URL),
+ getter.WithTimeout(repository.Spec.Timeout.Duration),
+ getter.WithPassCredentialsAll(repository.Spec.PassCredentials),
+ }
if repository.Spec.SecretRef != nil {
name := types.NamespacedName{
Namespace: repository.GetNamespace(),
@@ -191,9 +195,8 @@ func (r *HelmRepositoryReconciler) reconcile(ctx context.Context, repository sou
return sourcev1.HelmRepositoryNotReady(repository, sourcev1.AuthenticationFailedReason, err.Error()), err
}
defer cleanup()
- clientOpts = opts
+ clientOpts = append(clientOpts, opts...)
}
- clientOpts = append(clientOpts, getter.WithTimeout(repository.Spec.Timeout.Duration))
chartRepo, err := helm.NewChartRepository(repository.Spec.URL, r.Getters, clientOpts)
if err != nil {
diff --git a/docs/api/source.md b/docs/api/source.md
index 53793291..7b1fede4 100644
--- a/docs/api/source.md
+++ b/docs/api/source.md
@@ -703,6 +703,23 @@ caCert fields.
+passCredentials
+
+bool
+
+ |
+
+(Optional)
+ PassCredentials allows the credentials from the SecretRef to be passed on to
+a host that does not match the host as defined in URL.
+This may be required if the host of the advertised chart URLs in the index
+differ from the defined URL.
+Enabling this should be done with caution, as it can potentially result in
+credentials getting stolen in a MITM-attack.
+ |
+
+
+
interval
@@ -1777,6 +1794,23 @@ caCert fields.
|
+passCredentials
+
+bool
+
+ |
+
+(Optional)
+ PassCredentials allows the credentials from the SecretRef to be passed on to
+a host that does not match the host as defined in URL.
+This may be required if the host of the advertised chart URLs in the index
+differ from the defined URL.
+Enabling this should be done with caution, as it can potentially result in
+credentials getting stolen in a MITM-attack.
+ |
+
+
+
interval
diff --git a/docs/spec/v1beta1/helmrepositories.md b/docs/spec/v1beta1/helmrepositories.md
index f82f6196..e00fd674 100644
--- a/docs/spec/v1beta1/helmrepositories.md
+++ b/docs/spec/v1beta1/helmrepositories.md
@@ -21,9 +21,18 @@ type HelmRepositorySpec struct {
// password fields.
// For TLS the secret must contain a certFile and keyFile, and/or
// caCert fields.
- // +optional
+ // +optional
SecretRef *corev1.LocalObjectReference `json:"secretRef,omitempty"`
+ // PassCredentials allows the credentials from the SecretRef to be passed on to
+ // a host that does not match the host as defined in URL.
+ // This may be required if the host of the advertised chart URLs in the index
+ // differ from the defined URL.
+ // Enabling this should be done with caution, as it can potentially result in
+ // credentials getting stolen in a MITM-attack.
+ // +optional
+ PassCredentials bool `json:"passCredentials,omitempty"`
+
// The interval at which to check the upstream for updates.
// +required
Interval metav1.Duration `json:"interval"`
diff --git a/go.mod b/go.mod
index d48c1eaf..2a40a99f 100644
--- a/go.mod
+++ b/go.mod
@@ -29,7 +29,7 @@ require (
golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b
golang.org/x/sync v0.0.0-20201207232520-09787c993a3a
gotest.tools v2.2.0+incompatible
- helm.sh/helm/v3 v3.6.0
+ helm.sh/helm/v3 v3.6.1
k8s.io/api v0.21.1
k8s.io/apimachinery v0.21.1
k8s.io/client-go v0.21.1
diff --git a/go.sum b/go.sum
index d5edbf59..09a8d045 100644
--- a/go.sum
+++ b/go.sum
@@ -1247,8 +1247,9 @@ gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81
gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
-helm.sh/helm/v3 v3.6.0 h1:/9IMxJ2lXJHbvTMHcW1AO71lXQHqDC+3bcpGp7yCsb8=
helm.sh/helm/v3 v3.6.0/go.mod h1:mIIus8EOqj+obtycw3sidsR4ORr2aFDmXMSI3k+oeVY=
+helm.sh/helm/v3 v3.6.1 h1:TQ6q4pAatXr7qh2fbLcb0oNd0I3J7kv26oo5cExKTtc=
+helm.sh/helm/v3 v3.6.1/go.mod h1:mIIus8EOqj+obtycw3sidsR4ORr2aFDmXMSI3k+oeVY=
honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|