helmrepo: add `.spec.certSecretRef` for specifying TLS auth data

Add `.spec.certSecretRef` to HelmRepository for specifying TLS auth data
in a secret using the `certFile`, `caFile` and `keyFile` keys. Mark
support for these keys in the secret specified in `.spec.secretRef` as
deprecated.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>

api/v1beta2/helmrepository_types.go

@@ -51,11 +51,18 @@ type HelmRepositorySpec struct {
 	// for the HelmRepository.
 	// For HTTP/S basic auth the secret must contain 'username' and 'password'
 	// fields.
-	// For TLS the secret must contain a 'certFile' and 'keyFile', and/or
+	// Support for TLS auth using the 'certFile' and 'keyFile', and/or 'caFile'
-	// 'caFile' fields.
+	// keys is deprecated. Please use `.spec.certSecretRef` instead.
 	// +optional
 	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
 
+	// CertSecretRef specifies the Secret containing the TLS authentication
+	// data. The secret must contain a 'certFile' and 'keyFile', and/or 'caFile'
+	// fields. It takes precedence over the values specified in the Secret
+	// referred to by `.spec.secretRef`.
+	// +optional
+	CertSecretRef *meta.LocalObjectReference `json:"certSecretRef,omitempty"`
+
 	// PassCredentials allows the credentials from the SecretRef to be passed
 	// on to a host that does not match the host as defined in URL.
 	// This may be required if the host of the advertised chart URLs in the

api/v1beta2/zz_generated.deepcopy.go

@@ -577,6 +577,11 @@ func (in *HelmRepositorySpec) DeepCopyInto(out *HelmRepositorySpec) {
 		*out = new(meta.LocalObjectReference)
 		**out = **in
 	}
+	if in.CertSecretRef != nil {
+		in, out := &in.CertSecretRef, &out.CertSecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
 	out.Interval = in.Interval
 	if in.Timeout != nil {
 		in, out := &in.Timeout, &out.Timeout

config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml

@@ -296,6 +296,18 @@ spec:
                 required:
                 - namespaceSelectors
                 type: object
+              certSecretRef:
+                description: CertSecretRef specifies the Secret containing the TLS
+                  authentication data. The secret must contain a 'certFile' and 'keyFile',
+                  and/or 'caFile' fields. It takes precedence over the values specified
+                  in the Secret referred to by `.spec.secretRef`.
+                properties:
+                  name:
+                    description: Name of the referent.
+                    type: string
+                required:
+                - name
+                type: object
               interval:
                 description: Interval at which to check the URL for updates.
                 pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
@@ -323,8 +335,9 @@ spec:
               secretRef:
                 description: SecretRef specifies the Secret containing authentication
                   credentials for the HelmRepository. For HTTP/S basic auth the secret
-                  must contain 'username' and 'password' fields. For TLS the secret
+                  must contain 'username' and 'password' fields. Support for TLS auth
-                  must contain a 'certFile' and 'keyFile', and/or 'caFile' fields.
+                  using the 'certFile' and 'keyFile', and/or 'caFile' keys is deprecated.
+                  Please use `.spec.certSecretRef` instead.
                 properties:
                   name:
                     description: Name of the referent.

docs/api/v1beta2/source.md

@@ -792,8 +792,25 @@ github.com/fluxcd/pkg/apis/meta.LocalObjectReference
 for the HelmRepository.
 For HTTP/S basic auth the secret must contain ‘username’ and ‘password’
 fields.
-For TLS the secret must contain a ‘certFile’ and ‘keyFile’, and/or
+Support for TLS auth using the ‘certFile’ and ‘keyFile’, and/or ‘caFile’
-&lsquo;caFile&rsquo; fields.</p>
+keys is deprecated. Please use <code>.spec.certSecretRef</code> instead.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>certSecretRef</code><br>
+<em>
+<a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
+github.com/fluxcd/pkg/apis/meta.LocalObjectReference
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>CertSecretRef specifies the Secret containing the TLS authentication
+data. The secret must contain a &lsquo;certFile&rsquo; and &lsquo;keyFile&rsquo;, and/or &lsquo;caFile&rsquo;
+fields. It takes precedence over the values specified in the Secret
+referred to by <code>.spec.secretRef</code>.</p>
 </td>
 </tr>
 <tr>
@@ -2459,8 +2476,25 @@ github.com/fluxcd/pkg/apis/meta.LocalObjectReference
 for the HelmRepository.
 For HTTP/S basic auth the secret must contain &lsquo;username&rsquo; and &lsquo;password&rsquo;
 fields.
-For TLS the secret must contain a &lsquo;certFile&rsquo; and &lsquo;keyFile&rsquo;, and/or
+Support for TLS auth using the &lsquo;certFile&rsquo; and &lsquo;keyFile&rsquo;, and/or &lsquo;caFile&rsquo;
-&lsquo;caFile&rsquo; fields.</p>
+keys is deprecated. Please use <code>.spec.certSecretRef</code> instead.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>certSecretRef</code><br>
+<em>
+<a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
+github.com/fluxcd/pkg/apis/meta.LocalObjectReference
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>CertSecretRef specifies the Secret containing the TLS authentication
+data. The secret must contain a &lsquo;certFile&rsquo; and &lsquo;keyFile&rsquo;, and/or &lsquo;caFile&rsquo;
+fields. It takes precedence over the values specified in the Secret
+referred to by <code>.spec.secretRef</code>.</p>
 </td>
 </tr>
 <tr>