From 9986d9918eb4eeaed81024f0e1cf1379879a1ea6 Mon Sep 17 00:00:00 2001
From: Sanskar Jaiswal
Date: Tue, 18 Jul 2023 18:36:13 +0530
Subject: [PATCH] helmrepo: add `.spec.certSecretRef` for specifying TLS auth data

Add `.spec.certSecretRef` to HelmRepository for specifying TLS auth data in a secret using the `certFile`, `caFile` and `keyFile` keys. Mark support for these keys in the secret specified in `.spec.secretRef` as deprecated.

Signed-off-by: Sanskar Jaiswal
---
 api/v1beta2/helmrepository_types.go | 11 ++++-
 api/v1beta2/zz_generated.deepcopy.go | 5 +++
 ...ce.toolkit.fluxcd.io_helmrepositories.yaml | 17 +++++++-
 docs/api/v1beta2/source.md | 42 +++++++++++++++++--
 4 files changed, 67 insertions(+), 8 deletions(-)

diff --git a/api/v1beta2/helmrepository_types.go b/api/v1beta2/helmrepository_types.go
index 44b036a2..4dcf0a45 100644
--- a/api/v1beta2/helmrepository_types.go
+++ b/api/v1beta2/helmrepository_types.go
@@ -51,11 +51,18 @@ type HelmRepositorySpec struct {
 // for the HelmRepository.
 // For HTTP/S basic auth the secret must contain 'username' and 'password'
 // fields.
- // For TLS the secret must contain a 'certFile' and 'keyFile', and/or
- // 'caFile' fields.
+ // Support for TLS auth using the 'certFile' and 'keyFile', and/or 'caFile'
+ // keys is deprecated. Please use `.spec.certSecretRef` instead.
 // +optional
 SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`

+ // CertSecretRef specifies the Secret containing the TLS authentication
+ // data. The secret must contain a 'certFile' and 'keyFile', and/or 'caFile'
+ // fields. It takes precedence over the values specified in the Secret
+ // referred to by `.spec.secretRef`.
+ // +optional
+ CertSecretRef *meta.LocalObjectReference `json:"certSecretRef,omitempty"`
+
 // PassCredentials allows the credentials from the SecretRef to be passed
 // on to a host that does not match the host as defined in URL.
 // This may be required if the host of the advertised chart URLs in the
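Review bot: The doc comment on `CertSecretRef` says it "takes precedence" over `.spec.secretRef` but does not say whether that precedence is per key or for the whole TLS set, so it is unclear what happens when one Secret carries only `caFile` and the other carries `certFile`/`keyFile`. For a trust setting this matters, because a reader cannot tell which CA bundle ends up verifying the repository. I would state it outright, e.g. `// When set, TLS data in the .spec.secretRef Secret is ignored; keys are not merged across the two Secrets.`, or the opposite wording if the controller merges them; nothing in this patch shows the consumer. The `PassCredentials` comment that follows, which continues outside the hunk, still speaks only of credentials from the SecretRef and should say whether the client certificate and key from `CertSecretRef` are covered as well.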
diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go index 3a0850fd..5c2169a3 100644 --- a/api/v1beta2/zz_generated.deepcopy.go +++ b/api/v1beta2/zz_generated.deepcopy.go @@ -577,6 +577,11 @@ func (in *HelmRepositorySpec) DeepCopyInto(out *HelmRepositorySpec) { *out = new(meta.LocalObjectReference) **out = **in } + if in.CertSecretRef != nil { + in, out := &in.CertSecretRef, &out.CertSecretRef + *out = new(meta.LocalObjectReference) + **out = **in + } out.Interval = in.Interval if in.Timeout != nil { in, out := &in.Timeout, &out.Timeout diff --git a/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml b/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml index 8cf269ec..8af5734b 100644 --- a/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml +++ b/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml @@ -296,6 +296,18 @@ spec: required: - namespaceSelectors type: object + certSecretRef: + description: CertSecretRef specifies the Secret containing the TLS + authentication data. The secret must contain a 'certFile' and 'keyFile', + and/or 'caFile' fields. It takes precedence over the values specified + in the Secret referred to by `.spec.secretRef`. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object interval: description: Interval at which to check the URL for updates. pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ 
@@ -323,8 +335,9 @@ spec: secretRef: description: SecretRef specifies the Secret containing authentication credentials for the HelmRepository. For HTTP/S basic auth the secret - must contain 'username' and 'password' fields. For TLS the secret - must contain a 'certFile' and 'keyFile', and/or 'caFile' fields. + must contain 'username' and 'password' fields. Support for TLS auth + using the 'certFile' and 'keyFile', and/or 'caFile' keys is deprecated. + Please use `.spec.certSecretRef` instead. properties: name: description: Name of the referent. diff --git a/docs/api/v1beta2/source.md b/docs/api/v1beta2/source.md index 35701f25..373e34e6 100644 --- a/docs/api/v1beta2/source.md +++ b/docs/api/v1beta2/source.md @@ -792,8 +792,25 @@ github.com/fluxcd/pkg/apis/meta.LocalObjectReference for the HelmRepository. For HTTP/S basic auth the secret must contain ‘username’ and ‘password’ fields. -For TLS the secret must contain a ‘certFile’ and ‘keyFile’, and/or -‘caFile’ fields.

+Support for TLS auth using the ‘certFile’ and ‘keyFile’, and/or ‘caFile’ +keys is deprecated. Please use .spec.certSecretRef instead.

+ + + + +certSecretRef
+ + +github.com/fluxcd/pkg/apis/meta.LocalObjectReference + + + + +(Optional) +

CertSecretRef specifies the Secret containing the TLS authentication +data. The secret must contain a ‘certFile’ and ‘keyFile’, and/or ‘caFile’ +fields. It takes precedence over the values specified in the Secret +referred to by .spec.secretRef.

@@ -2459,8 +2476,25 @@ github.com/fluxcd/pkg/apis/meta.LocalObjectReference for the HelmRepository. For HTTP/S basic auth the secret must contain ‘username’ and ‘password’ fields. -For TLS the secret must contain a ‘certFile’ and ‘keyFile’, and/or -‘caFile’ fields.

+Support for TLS auth using the ‘certFile’ and ‘keyFile’, and/or ‘caFile’ +keys is deprecated. Please use .spec.certSecretRef instead.

+ + + + +certSecretRef
+ + +github.com/fluxcd/pkg/apis/meta.LocalObjectReference + + + + +(Optional) +

CertSecretRef specifies the Secret containing the TLS authentication +data. The secret must contain a ‘certFile’ and ‘keyFile’, and/or ‘caFile’ +fields. It takes precedence over the values specified in the Secret +referred to by .spec.secretRef.