Add spec.insecure to OCIRepository API

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
fluxcd · Aug 31, 2022 · a87cb24 · a87cb24
1 parent 181b217
commit a87cb24
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 3 deletions.
diff --git a/api/v1beta2/ocirepository_types.go b/api/v1beta2/ocirepository_types.go
@@ -113,6 +113,10 @@ type OCIRepositorySpec struct {
 	// +optional
 	Ignore *string `json:"ignore,omitempty"`
 
+	// Insecure allows connecting to a non-TLS HTTP container registry.
+	// +optional
+	Insecure bool `json:"insecure,omitempty"`
+
 	// This flag tells the controller to suspend the reconciliation of this source.
 	// +optional
 	Suspend bool `json:"suspend,omitempty"`

diff --git a/config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml b/config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml
@@ -72,6 +72,10 @@ spec:
                   a default will be used, consult the documentation for your version
                   to find out what those are.
                 type: string
+              insecure:
+                description: Insecure allows connecting to a non-TLS HTTP container
+                  registry.
+                type: boolean
               interval:
                 description: The interval at which to check for image updates.
                 type: string

diff --git a/controllers/ocirepository_controller.go b/controllers/ocirepository_controller.go
@@ -301,7 +301,7 @@ func (r *OCIRepositoryReconciler) reconcileSource(ctx context.Context, obj *sour
 	ctxTimeout, cancel := context.WithTimeout(ctx, obj.Spec.Timeout.Duration)
 	defer cancel()
 
-	options := r.craneOptions(ctxTimeout)
+	options := r.craneOptions(ctxTimeout, obj.Spec.Insecure)
 
 	// Generate the registry credential keychain either from static credentials or using cloud OIDC
 	keychain, err := r.keychain(ctx, obj)
@@ -684,12 +684,16 @@ func (r *OCIRepositoryReconciler) oidcAuth(ctx context.Context, obj *sourcev1.OC
 
 // craneOptions sets the auth headers, timeout and user agent
 // for all operations against remote container registries.
-func (r *OCIRepositoryReconciler) craneOptions(ctx context.Context) []crane.Option {
+func (r *OCIRepositoryReconciler) craneOptions(ctx context.Context, insecure bool) []crane.Option {
 	options := []crane.Option{
 		crane.WithContext(ctx),
 		crane.WithUserAgent(oci.UserAgent),
 	}
-	options = append(options, crane.Insecure)
+
+	if insecure {
+		options = append(options, crane.Insecure)
+	}
+
 	return options
 }
 

diff --git a/docs/api/source.md b/docs/api/source.md
@@ -1107,6 +1107,18 @@ consult the documentation for your version to find out what those are.</p>
 </tr>
 <tr>
 <td>
+<code>insecure</code><br>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Insecure allows connecting to a non-TLS HTTP container registry.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>suspend</code><br>
 <em>
 bool
@@ -2839,6 +2851,18 @@ consult the documentation for your version to find out what those are.</p>
 </tr>
 <tr>
 <td>
+<code>insecure</code><br>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Insecure allows connecting to a non-TLS HTTP container registry.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>suspend</code><br>
 <em>
 bool

diff --git a/docs/spec/v1beta2/ocirepositories.md b/docs/spec/v1beta2/ocirepositories.md
@@ -287,6 +287,12 @@ kubectl create secret generic tls-certs \
   --from-file=caFile=ca.crt
 ```
 
+### Insecure
+
+`.spec.insecure` is an optional field to allow connecting to an insecure (HTTP)
+container registry server, if set to `true`. The default value is `false`,
+denying insecure (HTTP) connections.
+
 ### Interval
 
 `.spec.interval` is a required field that specifies the interval at which the