Update Helm to v3.6.1

v3.6.1 is a security update from Helm, and ensures that credentials are always only passed to the repository host. For more information, see: GHSA-56hp-xqp3-w2jf Signed-off-by: Hidde Beydals <hello@hidde.co>
fluxcd · Jun 18, 2021 · 65ffe85 · 65ffe85
1 parent a1581ec
commit 65ffe85
Show file tree

Hide file tree

Showing 9 changed files with 82 additions and 17 deletions.
diff --git a/api/v1beta1/helmrepository_types.go b/api/v1beta1/helmrepository_types.go
@@ -45,6 +45,15 @@ type HelmRepositorySpec struct {
  // +optional
  SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
 
+ // PassCredentials allows the credentials from the SecretRef to be send to a host
+ // that does not match the defined URL.
+ // This may be required if the host of the advertised chart URLs in the index
+ // differ from the defined URL.
+ // Enabling this should be done with caution, as it can potentially result in
+ // credentials getting stolen in a MITM-attack.
+ // +optional
+ PassCredentials bool `json:"passCredentials,omitempty"`
+
  // The interval at which to check the upstream for updates.
  // +required
  Interval metav1.Duration `json:"interval"`

diff --git a/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml b/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml
@@ -50,6 +50,9 @@ spec:
  interval:
  description: The interval at which to check the upstream for updates.
  type: string
+ passCredentials:
+ description: PassCredentials allows the credentials from the SecretRef to be send to a host that does not match the defined URL. This may be required if the host of the advertised chart URLs in the index differ from the defined URL. Enabling this should be done with caution, as it can potentially result in credentials getting stolen in a MITM-attack.
+ type: boolean
  secretRef:
  description: The name of the secret containing authentication credentials for the Helm repository. For HTTP/S basic auth the secret must contain username and password fields. For TLS the secret must contain a certFile and keyFile, and/or caCert fields.
  properties:

diff --git a/controllers/helmchart_controller.go b/controllers/helmchart_controller.go
@@ -301,7 +301,11 @@ func (r *HelmChartReconciler) getSource(ctx context.Context, chart sourcev1.Helm
 func (r *HelmChartReconciler) reconcileFromHelmRepository(ctx context.Context,
  repository sourcev1.HelmRepository, chart sourcev1.HelmChart, force bool) (sourcev1.HelmChart, error) {
  // Configure ChartRepository getter options
- var clientOpts []getter.Option
+ clientOpts := []getter.Option{
+ getter.WithURL(repository.Spec.URL),
+ getter.WithTimeout(repository.Spec.Timeout.Duration),
+ getter.WithPassCredentialsAll(repository.Spec.PassCredentials),
+ }
  if secret, err := r.getHelmRepositorySecret(ctx, &repository); err != nil {
  return sourcev1.HelmChartNotReady(chart, sourcev1.AuthenticationFailedReason, err.Error()), err
  } else if secret != nil {
@@ -311,10 +315,8 @@ func (r *HelmChartReconciler) reconcileFromHelmRepository(ctx context.Context,
  return sourcev1.HelmChartNotReady(chart, sourcev1.AuthenticationFailedReason, err.Error()), err
  }
  defer cleanup()
-
- clientOpts = opts
+ clientOpts = append(clientOpts, opts...)
  }
- clientOpts = append(clientOpts, getter.WithTimeout(repository.Spec.Timeout.Duration))
 
  // Initialize the chart repository and load the index file
  chartRepo, err := helm.NewChartRepository(repository.Spec.URL, r.Getters, clientOpts)
@@ -619,13 +621,18 @@ func (r *HelmChartReconciler) reconcileFromTarballArtifact(ctx context.Context,
  if err != nil {
  repository = &sourcev1.HelmRepository{
  Spec: sourcev1.HelmRepositorySpec{
- URL: dep.Repository,
+ URL: dep.Repository,
+ Timeout: &metav1.Duration{Duration: 60 * time.Second},
  },
  }
  }
 
  // Configure ChartRepository getter options
- var clientOpts []getter.Option
+ clientOpts := []getter.Option{
+ getter.WithURL(repository.Spec.URL),
+ getter.WithTimeout(repository.Spec.Timeout.Duration),
+ getter.WithPassCredentialsAll(repository.Spec.PassCredentials),
+ }
  if secret, err := r.getHelmRepositorySecret(ctx, repository); err != nil {
  return sourcev1.HelmChartNotReady(chart, sourcev1.AuthenticationFailedReason, err.Error()), err
  } else if secret != nil {
@@ -635,8 +642,7 @@ func (r *HelmChartReconciler) reconcileFromTarballArtifact(ctx context.Context,
  return sourcev1.HelmChartNotReady(chart, sourcev1.AuthenticationFailedReason, err.Error()), err
  }
  defer cleanup()
-
- clientOpts = opts
+ clientOpts = append(clientOpts, opts...)
  }
 
  // Initialize the chart repository and load the index file

diff --git a/controllers/helmchart_controller_test.go b/controllers/helmchart_controller_test.go
@@ -1015,9 +1015,9 @@ var _ = Describe("HelmChartReconciler", func() {
  Name: secretKey.Name,
  Namespace: secretKey.Namespace,
  },
- Data: map[string][]byte{
- "username": []byte(username),
- "password": []byte(password),
+ StringData: map[string]string{
+ "username": username,
+ "password": password,
  },
  }
  Expect(k8sClient.Create(context.Background(), secret)).Should(Succeed())

diff --git a/controllers/helmrepository_controller.go b/controllers/helmrepository_controller.go
@@ -171,7 +171,11 @@ func (r *HelmRepositoryReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 }
 
 func (r *HelmRepositoryReconciler) reconcile(ctx context.Context, repository sourcev1.HelmRepository) (sourcev1.HelmRepository, error) {
- var clientOpts []getter.Option
+ clientOpts := []getter.Option{
+ getter.WithURL(repository.Spec.URL),
+ getter.WithTimeout(repository.Spec.Timeout.Duration),
+ getter.WithPassCredentialsAll(repository.Spec.PassCredentials),
+ }
  if repository.Spec.SecretRef != nil {
  name := types.NamespacedName{
  Namespace: repository.GetNamespace(),
@@ -191,9 +195,8 @@ func (r *HelmRepositoryReconciler) reconcile(ctx context.Context, repository sou
  return sourcev1.HelmRepositoryNotReady(repository, sourcev1.AuthenticationFailedReason, err.Error()), err
  }
  defer cleanup()
- clientOpts = opts
+ clientOpts = append(clientOpts, opts...)
  }
- clientOpts = append(clientOpts, getter.WithTimeout(repository.Spec.Timeout.Duration))
 
  chartRepo, err := helm.NewChartRepository(repository.Spec.URL, r.Getters, clientOpts)
  if err != nil {

diff --git a/docs/api/source.md b/docs/api/source.md
@@ -703,6 +703,23 @@ caCert fields.</p>
 </tr>
 <tr>
 <td>
+<code>passCredentials</code><br>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>PassCredentials allows the credentials from the SecretRef to be send to a host
+that does not match the defined URL.
+This may be required if the host of the advertised chart URLs in the index
+differ from the defined URL.
+Enabling this should be done with caution, as it can potentially result in
+credentials getting stolen in a MITM-attack.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>interval</code><br>
 <em>
 <a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration">
@@ -1777,6 +1794,23 @@ caCert fields.</p>
 </tr>
 <tr>
 <td>
+<code>passCredentials</code><br>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>PassCredentials allows the credentials from the SecretRef to be send to a host
+that does not match the defined URL.
+This may be required if the host of the advertised chart URLs in the index
+differ from the defined URL.
+Enabling this should be done with caution, as it can potentially result in
+credentials getting stolen in a MITM-attack.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>interval</code><br>
 <em>
 <a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration">

diff --git a/docs/spec/v1beta1/helmrepositories.md b/docs/spec/v1beta1/helmrepositories.md
@@ -21,9 +21,18 @@ type HelmRepositorySpec struct {
  // password fields.
  // For TLS the secret must contain a certFile and keyFile, and/or
  // caCert fields.
- // +optional
+ // +optional
  SecretRef *corev1.LocalObjectReference `json:"secretRef,omitempty"`
 
+ // PassCredentials allows the credentials from the SecretRef to be send to a host
+ // that does not match the defined URL.
+ // This may be required if the host of the advertised chart URLs in the index
+ // differ from the defined URL.
+ // Enabling this should be done with caution, as it can potentially result in
+ // credentials getting stolen in a MITM-attack.
+ // +optional
+ PassCredentials bool `json:"passCredentials,omitempty"`
+
  // The interval at which to check the upstream for updates.
  // +required
  Interval metav1.Duration `json:"interval"`

diff --git a/go.mod b/go.mod
@@ -29,7 +29,7 @@ require (
  golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b
  golang.org/x/sync v0.0.0-20201207232520-09787c993a3a
  gotest.tools v2.2.0+incompatible
- helm.sh/helm/v3 v3.6.0
+ helm.sh/helm/v3 v3.6.1
  k8s.io/api v0.21.1
  k8s.io/apimachinery v0.21.1
  k8s.io/client-go v0.21.1

diff --git a/go.sum b/go.sum
@@ -1247,8 +1247,9 @@ gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81
 gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
 gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
 gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
-helm.sh/helm/v3 v3.6.0 h1:/9IMxJ2lXJHbvTMHcW1AO71lXQHqDC+3bcpGp7yCsb8=
 helm.sh/helm/v3 v3.6.0/go.mod h1:mIIus8EOqj+obtycw3sidsR4ORr2aFDmXMSI3k+oeVY=
+helm.sh/helm/v3 v3.6.1 h1:TQ6q4pAatXr7qh2fbLcb0oNd0I3J7kv26oo5cExKTtc=
+helm.sh/helm/v3 v3.6.1/go.mod h1:mIIus8EOqj+obtycw3sidsR4ORr2aFDmXMSI3k+oeVY=
 honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=