Update HelmRepository, OCIRepository, and Bucket documentation to use
"Mutual TLS Authentication" section titles instead of "Cert secret
reference". This improves discoverability of mTLS capabilities and
follows GitRepository's established pattern.
The previous generic titles obscured mutual TLS functionality, causing
users to miss this important security feature. Updated descriptions
explicitly mention mutual TLS authentication while maintaining all
existing YAML examples and technical accuracy.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>

Update pkg/runtime dependency from v0.76.0 to v0.78.0 and add
WithSystemCertPool() options to maintain backward compatibility
with the existing extend approach (system CAs + user CA).
This ensures source-controller continues to work with both system
and user-provided CA certificates, maintaining the same behavior
as before the pkg/runtime/secrets API changes.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>

Remove the insecure parameter from TLS configuration function calls to prevent
InsecureSkipVerify from being set when using certificate-based authentication.
This ensures TLS certificate verification is always performed when certificates
are provided, aligning with our security policy.
Updated pkg/runtime to v0.76.0 which no longer accepts the insecure parameter
in TLS configuration functions. For OCIRepository, maintain backward compatibility
by handling the specific case where no certificate is provided and insecure is
explicitly set to true. This is the only allowed exception in Flux controllers.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>

Add ServerName configuration to TLS config in HelmRepository client
options to ensure proper SNI (Server Name Indication) support for
virtual hosting environments. This addresses the regression introduced
when migrating from internal/tls to runtime/secrets, where ServerName
was not being set automatically.
Without ServerName, TLS handshakes fail with certificate mismatch
errors when connecting to Helm repositories using virtual hosting
where multiple repositories are hosted on the same IP address.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>

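The three TLS points in the commits above (system CAs extended with the user CA, no InsecureSkipVerify once a certificate is supplied, and ServerName set from the repository host so SNI works with virtual hosting) in one added Go example. This is illustrative code, not source-controller's or pkg/runtime's own implementation; the helper names tlsConfigForRepo and constructedCAPEM are hypothetical and the self-signed CA is generated only as sample input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// tlsConfigForRepo is a hypothetical helper (not source-controller's own code): ServerName is
// taken from the repository URL so SNI selects the right virtual host, the system CA pool is
// extended with the user CA, and InsecureSkipVerify is never set once a CA has been supplied.
func tlsConfigForRepo(repoURL string, caPEM []byte, insecure bool) (*tls.Config, error) {
	u, err := url.Parse(repoURL)
	if err != nil || u.Hostname() == "" {
		return nil, fmt.Errorf("repository URL %q has no usable host", repoURL)
	}
	if len(caPEM) == 0 { // the single permitted exception: no certificate at all
		return &tls.Config{ServerName: u.Hostname(), MinVersion: tls.VersionTLS12, InsecureSkipVerify: insecure}, nil
	}
	if insecure {
		return nil, fmt.Errorf("insecure is not allowed when a CA certificate is provided")
	}
	pool, err := x509.SystemCertPool() // keep the system CAs, then extend them with the user CA
	if err != nil {
		pool = x509.NewCertPool()
	}
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("certSecretRef data contains no valid PEM certificate")
	}
	return &tls.Config{ServerName: u.Hostname(), MinVersion: tls.VersionTLS12, RootCAs: pool}, nil
}

// constructedCAPEM builds a throwaway self-signed CA purely as constructed sample input.
func constructedCAPEM() []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if rand.Reader is broken
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```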
Migrates the OCIRepository controller's authentication handling from
internal implementations to the unified runtime/secrets API package.
The migration moves TLS configuration from internal/tls to
runtime/secrets.TLSConfigFromSecretRef and ServiceAccount processing
to secrets.PullSecretsFromServiceAccountRef, providing consistent
authentication handling across all source-controller components.
This change eliminates duplicate secret fetching logic and aligns
the OCIRepository controller with the standardized authentication
patterns used by other controllers in the GitOps Toolkit.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>

This commit upgrades pkg/runtime to v0.73.0 and adopts the unified
AuthMethodsFromSecret API for HelmRepository authentication handling.
The change replaces complex manual authentication detection with a
single API call and improves error handling consistency.
Breaking Changes:
- TLS certificate validation is now strictly enforced. Invalid CA
certificates will cause authentication failures even for public
repositories, where they were previously ignored.
- Empty TLS certificate secrets now trigger validation errors instead
of being silently ignored. This affects certSecretRef with an empty
Data map: previously ignored, now causes a proper error.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>

Update fluxcd/pkg/auth to v0.18.0 and remove unnecessary authenticator
nil check in Helm OCI repository authentication.
With fluxcd/pkg/auth v0.18.0, GetArtifactRegistryCredentials() returns a
valid authenticator when the error is nil, making the nil check redundant.
Signed-off-by: cappyzawa <cappyzawa@gmail.com>