Remove ServerName pinning functionality that can cause TLS
verification failures in production environments with redirects,
proxies, and multi-host scenarios.
The Go standard library automatically handles SNI and hostname
verification based on the actual connection target, providing
better compatibility and security than fixed ServerName values.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Update pkg/runtime dependency from v0.76.0 to v0.78.0 and add
WithSystemCertPool() options to maintain backward compatibility
with the existing extend approach (system CAs + user CA).
This ensures source-controller continues to work with both system
and user-provided CA certificates, maintaining the same behavior
as before the pkg/runtime/secrets API changes.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Remove the insecure parameter from TLS configuration function calls to prevent
InsecureSkipVerify from being set when using certificate-based authentication.
This ensures TLS certificate verification is always performed when certificates
are provided, aligning with our security policy.
Updated pkg/runtime to v0.76.0 which no longer accepts the insecure parameter
in TLS configuration functions. For OCIRepository, maintain backward compatibility
by handling the specific case where no certificate is provided and insecure is
explicitly set to true. This is the only allowed exception in Flux controllers.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Add ServerName configuration to TLS config in HelmRepository client
options to ensure proper SNI (Server Name Indication) support for
virtual hosting environments. This addresses the regression introduced
when migrating from internal/tls to runtime/secrets, where ServerName
was not being set automatically.
Without ServerName, TLS handshakes fail with certificate mismatch
errors when connecting to Helm repositories using virtual hosting
where multiple repositories are hosted on the same IP address.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
This commit upgrades pkg/runtime to v0.73.0 and adopts the unified
AuthMethodsFromSecret API for HelmRepository authentication handling.
The change replaces complex manual authentication detection with a
single API call and improves error handling consistency.
Breaking Changes:
- TLS certificate validation is now strictly enforced. Invalid CA
certificates will cause authentication failures even for public
repositories, where they were previously ignored.
- Empty TLS certificate secrets now trigger validation errors instead
of being silently ignored. This affects certSecretRef with empty
Data map - previously ignored, now causes proper error.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
Update fluxcd/pkg/auth to v0.18.0 and remove unnecessary authenticator
nil check in Helm OCI repository authentication.
With fluxcd/pkg/auth v0.18.0, GetArtifactRegistryCredentials() returns
valid authenticator when error is nil, making the nil check redundant.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>
If implemented, A transport from the pool with safe defaults will be used when creating an oci registry client.
This will enable using the proxy configuration.
Signed-off-by: Soule BA <bah.soule@gmail.com>
Introduces a new verification provider `notation` to verify notation signed artifacts. Currently only cosign is supported and that is a problem if the end user utilises notation.
---------
Signed-off-by: Jason <jagoodse@microsoft.com>
Signed-off-by: JasonTheDeveloper <jagoodse@microsoft.com>
Signed-off-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
Co-authored-by: souleb <bah.soule@gmail.com>
Co-authored-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
Co-authored-by: Sunny <github@darkowlzz.space>
Rename `OCIChartRepository.insecure` to `OCIChartRepository.insecureHTTP` in
`internal/helm/repository` to match the code docs and the related setter
method.
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
With static HelmRepository OCI, the interval become optional. Make
interval optional in the API. Introduce getters for interval, in the
form of GetRequeueAfter(), and timeout with internal default values.
HelmRepository will not have interval and timeout fields unless it's
explicitly set.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
Modify `GetHelmClientOpts()` to only configure the TLS login option when
an authentication login option is configured. This prevents the
reconciler from trying to authenticate against public registries.
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
This is a regression fix introduced in a302c71 which would wrongly check
for the type of the Secret specified in `.spec.secretRef` while
configuring TLS data.
Introduce `LegacyTLSClientConfigFromSecret` which does not check the
Secret type while constructing the TLS config.
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Adopt Kubernetes TLS secrets API to check for TLS data in the Secret
referred to by `.spec.certSecretRef`, i.e. check for keys `tls.crt` and
`tls.key` for the certificate and private key. Use `ca.crt` for the CA
certificate.
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
If implemented user will be able to provide their own custom start and
bypass tls verification when interacting with OCI registries over https
to pull helmCharts.
Signed-off-by: Soule BA <soule@weave.works>
Add support for specifying TLS auth data via `.spec.certSecretRef` in
HelmRepository and log a deprecation warning if TLS is configured via
`.spec.secretRef`. Introduce (and refactor) Helm client builder and
auth helpers to reduce duplicated code and increase uniformity and
testability.
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
In #1001 bits around the Helm repository reconciliation logic were
rewritten, mostly based on the documented behavior instead of the
actual code. This resulted in the reintroduction of a YAML marshal of
the (sorted) index YAML instead of reliance of just the checksum of the
file.
This to take situations into account in which a repository would e.g.
provide a new random order on every generation. However, this approach
is (extremely) expensive as the marshal goes through a JSON -> YAML
loop, eating lots of RAM in the process.
As the further (silently) introduced behavior has not resulted in any
reported issues, I deem this approach safe and better than e.g.
encoding to just JSON which would still require a substantial amount of
memory.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This includes changes to the `ChartRepository`, to allow calculating
the revision and digest and tidy things.
In addition, the responsibility of caching the `IndexFile` has been
moved to the reconcilers. As this allowed to remove a lot of
complexities within the `ChartRepository`, and prevented passing on
the cache in general.
Change `HelmRepository`'s Revision to digest
Signed-off-by: Hidde Beydals <hello@hidde.co>
Add chart address in the OCI chart download failure error message to make
it clear about the chart URL that was attempted to download.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
Stefan Prodan
cappyzawa
Matheus Pimenta
ricardo.bartels@telekom.de
Soule BA
Robin Breathe
Paulo Canilho
Austin Abro
JasonTheDeveloper
Sunny
Sanskar Jaiswal
Sunny
Hidde Beydals
Somtochi Onyekwere
Soule BA
Hidde Beydals