Skip to content

Commit

Permalink
refactoring and fix tests
Browse files Browse the repository at this point in the history
Signed-off-by: Soule BA <soule@weave.works>
  • Loading branch information
souleb committed May 25, 2023
1 parent b66ee24 commit e5a46bf
Show file tree
Hide file tree
Showing 21 changed files with 440 additions and 181 deletions.
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -192,7 +192,7 @@ TMP_DIR=$$(mktemp -d) ;\
cd $$TMP_DIR ;\
go mod init tmp ;\
echo "Downloading $(2)" ;\
env -i bash -c "GOBIN=$(GOBIN) PATH=$(PATH) GOPATH=$(shell go env GOPATH) GOCACHE=$(shell go env GOCACHE) go install $(2)" ;\
env -i bash -c "GOBIN=$(GOBIN) PATH='$(PATH)' GOPATH=$(shell go env GOPATH) GOCACHE=$(shell go env GOCACHE) go install $(2)" ;\
rm -rf $$TMP_DIR ;\
}
endef
Expand Down
4 changes: 2 additions & 2 deletions api/v1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

14 changes: 7 additions & 7 deletions api/v1beta1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

18 changes: 9 additions & 9 deletions api/v1beta2/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions docs/api/v1/source.md
Original file line number Diff line number Diff line change
Expand Up @@ -712,8 +712,8 @@ Artifact
<td>
<code>includedArtifacts</code><br>
<em>
<a href="#source.toolkit.fluxcd.io/v1.Artifact">
[]Artifact
<a href="#source.toolkit.fluxcd.io/v1.*github.com/fluxcd/source-controller/api/v1.Artifact">
[]*github.com/fluxcd/source-controller/api/v1.Artifact
</a>
</em>
</td>
Expand Down
4 changes: 2 additions & 2 deletions docs/api/v1beta2/source.md
Original file line number Diff line number Diff line change
Expand Up @@ -1992,8 +1992,8 @@ github.com/fluxcd/source-controller/api/v1.Artifact
<td>
<code>includedArtifacts</code><br>
<em>
<a href="https://pkg.go.dev/github.com/fluxcd/source-controller/api/v1#Artifact">
[]github.com/fluxcd/source-controller/api/v1.Artifact
<a href="https://pkg.go.dev/github.com/fluxcd/source-controller/api/v1#*github.com/fluxcd/source-controller/api/v1.Artifact">
[]*github.com/fluxcd/source-controller/api/v1.Artifact
</a>
</em>
</td>
Expand Down
24 changes: 22 additions & 2 deletions docs/spec/v1beta2/helmrepositories.md
Original file line number Diff line number Diff line change
Expand Up @@ -454,8 +454,6 @@ flux create secret oci ghcr-auth \

#### TLS authentication

**Note:** TLS authentication is not yet supported by OCI Helm repositories.

To provide TLS credentials to use while connecting with the Helm repository,
the referenced Secret is expected to contain `.data.certFile` and
`.data.keyFile`, and/or `.data.caFile` values.
Expand Down Expand Up @@ -487,6 +485,28 @@ data:
caFile: <BASE64>
```

#### Provide TLS credentials in a secret of type kubernetes.io/dockerconfigjson

For OCI Helm repositories, Kubernetes secrets of type [kubernetes.io/dockerconfigjson](https://kubernetes.io/docs/concepts/configuration/secret/#secret-types)
are also supported. It is possible to append TLS credentials to the secret data.

For example:

```yaml
apiVersion: v1
kind: Secret
metadata:
name: example-tls
namespace: default
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: <BASE64>
certFile: <BASE64>
keyFile: <BASE64>
# NOTE: Can be supplied without the above values
caFile: <BASE64>
```

### Pass credentials

`.spec.passCredentials` is an optional field to allow the credentials from the
Expand Down
47 changes: 44 additions & 3 deletions internal/controller/helmchart_controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -510,6 +510,8 @@ func (r *HelmChartReconciler) buildFromHelmRepository(ctx context.Context, obj *
tlsConfig *tls.Config
authenticator authn.Authenticator
keychain authn.Keychain
tlsLoginOpt helmreg.LoginOption
tmpCertsDir string
)
// Used to login with the repository declared provider
ctxTimeout, cancel := context.WithTimeout(ctx, repo.Spec.Timeout.Duration)
Expand Down Expand Up @@ -549,6 +551,22 @@ func (r *HelmChartReconciler) buildFromHelmRepository(ctx context.Context, obj *
}
clientOpts = append(clientOpts, opts...)
tlsConfig = tlsCfg
tlsLoginOpt, tmpCertsDir, err = makeTLSLoginOption(secret)
if err != nil {
e := &serror.Event{
Err: err,
Reason: sourcev1.AuthenticationFailedReason,
}
conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
// Requeue as content of secret might change
return sreconcile.ResultEmpty, e
}
defer func() {
if err := os.RemoveAll(tmpCertsDir); err != nil {
r.eventLogf(ctx, obj, corev1.EventTypeWarning, meta.FailedReason,
"failed to delete temporary certificates directory: %s", err)
}
}()

// Build registryClient options from secret
keychain, err = registry.LoginOptionFromSecret(normalizedURL, *secret)
Expand Down Expand Up @@ -650,7 +668,11 @@ func (r *HelmChartReconciler) buildFromHelmRepository(ctx context.Context, obj *
// If login options are configured, use them to login to the registry
// The OCIGetter will later retrieve the stored credentials to pull the chart
if loginOpt != nil {
err = ociChartRepo.Login(loginOpt)
opts := []helmreg.LoginOption{loginOpt}
if tlsLoginOpt != nil {
opts = append(opts, tlsLoginOpt)
}
err = ociChartRepo.Login(opts...)
if err != nil {
e := &serror.Event{
Err: fmt.Errorf("failed to login to OCI registry: %w", err),
Expand Down Expand Up @@ -1023,9 +1045,11 @@ func (r *HelmChartReconciler) garbageCollect(ctx context.Context, obj *helmv1.He
// or a shim with defaults if no object could be found.
// The callback returns an object with a state, so the caller has to do the necessary cleanup.
func (r *HelmChartReconciler) namespacedChartRepositoryCallback(ctx context.Context, name, namespace string) chart.GetChartDownloaderCallback {
return func(url string) (repository.Downloader, error) {
return func(url string) (repo repository.Downloader, err error) {
var (
tlsConfig *tls.Config
tlsLoginOpt helmreg.LoginOption
tmpCertsDir string
authenticator authn.Authenticator
keychain authn.Keychain
)
Expand Down Expand Up @@ -1069,6 +1093,19 @@ func (r *HelmChartReconciler) namespacedChartRepositoryCallback(ctx context.Cont
}
clientOpts = append(clientOpts, opts...)
tlsConfig = tlsCfg
tlsLoginOpt, tmpCertsDir, err = makeTLSLoginOption(secret)
if err != nil {
return nil, err
}
defer func() {
var errs []error
if errf := os.RemoveAll(tmpCertsDir); errf != nil {
errs = append(errs, errf)
}
errs = append(errs, err)
err = kerrors.NewAggregate(errs)
return
}()

// Build registryClient options from secret
keychain, err = registry.LoginOptionFromSecret(normalizedURL, *secret)
Expand Down Expand Up @@ -1119,7 +1156,11 @@ func (r *HelmChartReconciler) namespacedChartRepositoryCallback(ctx context.Cont
// If login options are configured, use them to login to the registry
// The OCIGetter will later retrieve the stored credentials to pull the chart
if loginOpt != nil {
err = ociChartRepo.Login(loginOpt)
opts := []helmreg.LoginOption{loginOpt}
if tlsLoginOpt != nil {
opts = append(opts, tlsLoginOpt)
}
err = ociChartRepo.Login(opts...)
if err != nil {
errs = append(errs, fmt.Errorf("failed to login to OCI chart repository for HelmRepository '%s': %w", obj.Name, err))
// clean up the credentialsFile
Expand Down
Loading

0 comments on commit e5a46bf

Please sign in to comment.