Helm: allow configuration of TLS certs without CA

2020-07-20 21:06:21 +02:00 · 2020-07-20 21:06:21 +02:00 · a0357172bc
parent 63d5f211ca
commit a0357172bc
3 changed files with 24 additions and 17 deletions
--- a/controllers/helmrepository_controller_test.go
+++ b/controllers/helmrepository_controller_test.go
@ -310,7 +310,6 @@ var _ = Describe("HelmRepositoryReconciler", func() {
 			By("Expecting missing field error")
 			secret.Data["certFile"] = examplePublicKey
 			secret.Data["keyFile"] = examplePrivateKey
 			Expect(k8sClient.Update(context.Background(), secret)).Should(Succeed())
 			Eventually(func() bool {
 				got := &sourcev1.HelmRepository{}
@ -324,6 +323,7 @@ var _ = Describe("HelmRepositoryReconciler", func() {
 			}, timeout, interval).Should(BeTrue())
 			By("Expecting artifact")
 			secret.Data["keyFile"] = examplePrivateKey
 			secret.Data["caFile"] = exampleCA
 			Expect(k8sClient.Update(context.Background(), secret)).Should(Succeed())
 			Eventually(func() bool {
--- a/internal/helm/getter.go
+++ b/internal/helm/getter.go
@ -61,8 +61,8 @@ func TLSClientConfigFromSecret(secret corev1.Secret) (getter.Option, func(), err
 	switch {
 	case len(certBytes)+len(keyBytes)+len(caBytes) == 0:
 		return nil, nil, nil
-	case len(certBytes) == 0 || len(keyBytes) == 0 || len(caBytes) == 0:
+	case (len(certBytes) > 0 && len(keyBytes) == 0) || (len(keyBytes) > 0 && len(certBytes) == 0):
-		return nil, nil, fmt.Errorf("invalid '%s' secret data: required fields 'certFile', 'keyFile' and 'caFile'",
+		return nil, nil, fmt.Errorf("invalid '%s' secret data: fields 'certFile' and 'keyFile' require each other's presence",
 			secret.Name)
 	}
@ -73,20 +73,27 @@ func TLSClientConfigFromSecret(secret corev1.Secret) (getter.Option, func(), err
 	}
 	cleanup := func() { os.RemoveAll(tmp) }
-	certFile := filepath.Join(tmp, "cert.crt")
+	var certFile, keyFile, caFile string
-	if err := ioutil.WriteFile(certFile, certBytes, 0644); err != nil {
+
-		cleanup()
+	if len(certBytes) > 0 && len(keyBytes) > 0 {
-		return nil, nil, err
+		certFile = filepath.Join(tmp, "cert.crt")
 		if err := ioutil.WriteFile(certFile, certBytes, 0644); err != nil {
 			cleanup()
 			return nil, nil, err
 		}
 		keyFile = filepath.Join(tmp, "key.crt")
 		if err := ioutil.WriteFile(keyFile, keyBytes, 0644); err != nil {
 			cleanup()
 			return nil, nil, err
 		}
 	}
-	keyFile := filepath.Join(tmp, "key.crt")
+
-	if err := ioutil.WriteFile(keyFile, keyBytes, 0644); err != nil {
+	if len(caBytes) > 0 {
-		cleanup()
+		caFile = filepath.Join(tmp, "ca.pem")
-		return nil, nil, err
+		if err := ioutil.WriteFile(caFile, caBytes, 0644); err != nil {
-	}
+			cleanup()
-	caFile := filepath.Join(tmp, "ca.pem")
+			return nil, nil, err
-	if err := ioutil.WriteFile(caFile, caBytes, 0644); err != nil {
+		}
 		cleanup()
 		return nil, nil, err
 	}
 	return getter.WithTLSClientConfig(certFile, keyFile, caFile), cleanup, nil
--- a/internal/helm/getter_test.go
+++ b/internal/helm/getter_test.go
@ -114,7 +114,7 @@ func TestTLSClientConfigFromSecret(t *testing.T) {
 		{"certFile, keyFile and caFile", tlsSecretFixture, nil, false, false},
 		{"without certFile", tlsSecretFixture, func(s *corev1.Secret) { delete(s.Data, "certFile") }, true, true},
 		{"without keyFile", tlsSecretFixture, func(s *corev1.Secret) { delete(s.Data, "keyFile") }, true, true},
-		{"without caFile", tlsSecretFixture, func(s *corev1.Secret) { delete(s.Data, "caFile") }, true, true},
+		{"without caFile", tlsSecretFixture, func(s *corev1.Secret) { delete(s.Data, "caFile") }, false, false},
 		{"empty", corev1.Secret{}, nil, false, true},
 	}
 	for _, tt := range tests {