Unable to specify CA for Helm OCI repository #3417

Closed
1 task done
mnaser opened this issue Dec 17, 2022 · 8 comments
Labels
area/helm Helm related issues and pull requests area/oci OCI related issues and pull requests

Comments

mnaser commented Dec 17, 2022

Describe the bug

At the moment, there is no possibility of using a custom certificate authority against a HelmRepository of type oci. While authentication makes sense to implement later down the line, the ability to trust a CA is something that is needed.

Steps to reproduce

  1. Create a HelmRepository against an OCI repository served with an internal CA
  2. Use secretRef with caFile set
  3. The HelmChart build will fail:
openstack-ceph-provisioners           ceph-provisioners           0.1.8     HelmRepository   atmosphere             7m46s   False   chart pull error: failed to download chart for remote reference: failed to do request: Head "https://atmosphere.openstack:5000/v2/charts/ceph-provisioners/manifests/0.1.8": x509: certificate signed by unknown authority

Expected behavior

I expect that it will accept it since I provided a CA file.

Screenshots and recordings

N/A

OS / Distro

N/A

Flux version

v0.37.0

Flux check

root@ctl1:~# flux check
► checking prerequisites
✔ Kubernetes 1.22.17 >=1.20.6-0
► checking controllers
✔ helm-controller: deployment ready
► ghcr.io/fluxcd/helm-controller:v0.27.0
✔ kustomize-controller: deployment ready
► ghcr.io/fluxcd/kustomize-controller:v0.31.0
✔ notification-controller: deployment ready
► ghcr.io/fluxcd/notification-controller:v0.29.0
✔ source-controller: deployment ready
► ghcr.io/fluxcd/source-controller:v0.32.1
► checking crds
✔ alerts.notification.toolkit.fluxcd.io/v1beta1
✔ buckets.source.toolkit.fluxcd.io/v1beta2
✔ gitrepositories.source.toolkit.fluxcd.io/v1beta2
✔ helmcharts.source.toolkit.fluxcd.io/v1beta2
✔ helmreleases.helm.toolkit.fluxcd.io/v2beta1
✔ helmrepositories.source.toolkit.fluxcd.io/v1beta2
✔ kustomizations.kustomize.toolkit.fluxcd.io/v1beta2
✔ ocirepositories.source.toolkit.fluxcd.io/v1beta2
✔ providers.notification.toolkit.fluxcd.io/v1beta1
✔ receivers.notification.toolkit.fluxcd.io/v1beta1
✔ all checks passed

Git provider

N/A

Container Registry provider

Distribution (formerly Docker Registry)

Additional context

No response

@souleb souleb added area/helm Helm related issues and pull requests area/oci OCI related issues and pull requests labels Dec 19, 2022
souleb commented Dec 19, 2022

This is blocked upstream. We are working with the helm maintainer to fix it.

In the meantime, what you can do is patch the source-controller deployment to add your certificate in the pod's trusted root certificate store.

@souleb souleb added the blocked/upstream Blocked by an upstream dependency or issue label Dec 19, 2022
joelcomp1 commented

Any updates on this? I'm trying to migrate my local instances to use OCI in Harbor, but I'm having the same issue as mentioned here.

hiddeco commented Feb 15, 2023

As mentioned:

This is blocked upstream. We are working with the helm maintainer to fix it.

See helm/helm#11711

souleb commented Mar 14, 2023

This will be resolved by fluxcd/source-controller#723

mfilotto commented Mar 15, 2023

A satisfying workaround is to mount the CA in the source controller using method 3 of this tip:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- gotk-components.yaml
- gotk-sync.yaml
# Mount the custom CA certificate into source-controller. The ConfigMap
# ca-pemstore (key my-cert.pem) must exist in the same namespace as the
# Deployment; /etc/ssl/certs is one of the directories Go's root loader
# scans on Linux, so the mounted file joins the pod's trusted roots.
patches:
  - patch: |
      - op: add
        path: /spec/template/spec/volumes/-
        value:
          name: ca-pemstore
          configMap:
            name: ca-pemstore
      - op: add
        path: /spec/template/spec/containers/0/volumeMounts/-
        value:
          name: ca-pemstore
          mountPath: /etc/ssl/certs/my-cert.pem
          subPath: my-cert.pem
          readOnly: true
    target:
      kind: Deployment
      name: source-controller
```
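
Both remedies in this thread, the CA mounted into source-controller's container root store (souleb's suggestion and the kustomize patch above) and a CA handed to the controller per repository, come down to one thing: which roots the Go HTTPS client verifies the registry's certificate chain against. The program below is an added example, not code from Flux, Helm or any participant in the thread. It constructs an internal CA and a registry certificate for atmosphere.openstack (the host in the reported error), serves that certificate from an httptest stand-in for the registry, and repeats the logged HEAD request twice: once with a client whose root pool lacks the CA, which fails with the same `x509: certificate signed by unknown authority`, and once with the CA PEM appended to the pool, which returns HTTP 200. The CA name, the manifest path, the 24-hour validity and the empty pool standing in for a public root store are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue signs tmpl with parentKey; with parent == nil it returns a self-signed CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// internalPKI constructs (assumed names) an internal CA, returned as PEM like a caFile
// or a Secret's ca.crt key, plus a registry certificate it issued for atmosphere.openstack.
func internalPKI() (caPEM []byte, leaf tls.Certificate, err error) {
	now := time.Now()
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "atmosphere internal CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, leaf, err
	}
	srv, srvKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "atmosphere.openstack"},
		DNSNames: []string{"atmosphere.openstack"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}, ca, caKey)
	if err != nil {
		return nil, leaf, err
	}
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
	return caPEM, tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}, nil
}

// clientTrusting returns an HTTPS client whose root store holds exactly the CAs in caPEM.
// An empty pool stands in for a public root store, which lacks an internal CA just the same.
// ServerName is pinned to the registry hostname so SAN checking works against 127.0.0.1.
func clientTrusting(caPEM []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if len(caPEM) > 0 && !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("caFile contains no CERTIFICATE block")
	}
	cfg := &tls.Config{RootCAs: pool, ServerName: "atmosphere.openstack", MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}, nil
}

// headManifest repeats the HEAD request that source-controller logs in the bug report.
func headManifest(c *http.Client, base string) (int, error) {
	resp, err := c.Head(base + "/v2/charts/ceph-provisioners/manifests/0.1.8")
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// RunDemo serves the internal leaf from a stand-in registry on 127.0.0.1 and probes it
// first without, then with, the internal CA in the client's root store.
func RunDemo() (untrustedErr error, trustedStatus int, err error) {
	caPEM, leaf, err := internalPKI()
	if err != nil {
		return nil, 0, err
	}
	reg := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	reg.TLS = &tls.Config{Certificates: []tls.Certificate{leaf}}
	reg.StartTLS()
	defer reg.Close()
	untrusted, _ := clientTrusting(nil) // cannot fail: nothing is appended to the pool
	_, untrustedErr = headManifest(untrusted, reg.URL)
	trusted, err := clientTrusting(caPEM)
	if err != nil {
		return untrustedErr, 0, err
	}
	trustedStatus, err = headManifest(trusted, reg.URL)
	return untrustedErr, trustedStatus, err
}
```

RunDemo returns the verification error from the first client, the HTTP status from the second, and any setup error; call it from a main or a test. clientTrusting also rejects a caFile with no CERTIFICATE block instead of silently continuing with an empty pool, which is what a mis-mounted ConfigMap (wrong key or path) would otherwise degrade into. Keeping the CA in a per-repository pool rather than appending it to the container's /etc/ssl/certs limits that CA's trust to the registry it was meant for, instead of every TLS connection the controller makes.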

makkes commented Mar 17, 2023

Great you found that. Paulo also suggested this in #2921 (comment). I suppose we should add it as an item to the FAQ page.

souleb commented Feb 22, 2024

fixed in fluxcd/source-controller#1097

@souleb souleb closed this as completed Feb 22, 2024