Backport Helm security patch

Signed-off-by: Hidde Beydals <hello@hidde.co>

controllers/gitrepository_controller_test.go

@@ -26,7 +26,6 @@ import (
  "testing"
  "time"
 
- "github.com/fluxcd/pkg/testserver"
  "github.com/go-git/go-billy/v5/memfs"
  gogit "github.com/go-git/go-git/v5"
  "github.com/go-git/go-git/v5/config"
@@ -40,7 +39,6 @@ import (
  apierrors "k8s.io/apimachinery/pkg/api/errors"
  metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  "k8s.io/apimachinery/pkg/runtime"
- utilruntime "k8s.io/apimachinery/pkg/util/runtime"
  "k8s.io/utils/pointer"
  ctrl "sigs.k8s.io/controller-runtime"
  "sigs.k8s.io/controller-runtime/pkg/client"
@@ -52,6 +50,7 @@ import (
  "github.com/fluxcd/pkg/gittestserver"
  "github.com/fluxcd/pkg/runtime/conditions"
  "github.com/fluxcd/pkg/ssh"
+ "github.com/fluxcd/pkg/testserver"
 
  sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
  "github.com/fluxcd/source-controller/pkg/git"
@@ -316,9 +315,6 @@ func TestGitRepositoryReconciler_reconcileSource_authStrategy(t *testing.T) {
  },
  }
 
- s := runtime.NewScheme()
- utilruntime.Must(corev1.AddToScheme(s))
-
  t.Run(tt.name, func(t *testing.T) {
  g := NewWithT(t)
 
@@ -371,7 +367,7 @@ func TestGitRepositoryReconciler_reconcileSource_authStrategy(t *testing.T) {
  tt.beforeFunc(obj)
  }
 
- builder := fakeclient.NewClientBuilder().WithScheme(s)
+ builder := fakeclient.NewClientBuilder().WithScheme(env.GetScheme())
  if secret != nil {
  builder.WithObjects(secret.DeepCopy())
  }
@@ -805,9 +801,7 @@ func TestGitRepositoryReconciler_reconcileInclude(t *testing.T) {
  depObjs = append(depObjs, obj)
  }
 
- s := runtime.NewScheme()
- utilruntime.Must(sourcev1.AddToScheme(s))
- builder := fakeclient.NewClientBuilder().WithScheme(s)
+ builder := fakeclient.NewClientBuilder().WithScheme(env.GetScheme())
  if len(tt.dependencies) > 0 {
  builder.WithObjects(depObjs...)
  }
@@ -988,10 +982,7 @@ func TestGitRepositoryReconciler_verifyCommitSignature(t *testing.T) {
  t.Run(tt.name, func(t *testing.T) {
  g := NewWithT(t)
 
- s := runtime.NewScheme()
- utilruntime.Must(corev1.AddToScheme(s))
-
- builder := fakeclient.NewClientBuilder().WithScheme(s)
+ builder := fakeclient.NewClientBuilder().WithScheme(env.GetScheme())
  if tt.secret != nil {
  builder.WithObjects(tt.secret)
  }

controllers/helmchart_controller_chart.go

@@ -211,6 +211,8 @@ func (r *HelmChartReconciler) getRepositoryIndex(ctx context.Context, obj *sourc
  // Configure Helm client getter options
  clientOpts := []getter.Option{
  getter.WithTimeout(obj.Spec.Interval.Duration),
+ getter.WithURL(repository.Spec.URL),
+ getter.WithPassCredentialsAll(repository.Spec.PassCredentials),
  }
  if repository.Spec.SecretRef != nil {
  name := types.NamespacedName{

controllers/helmchart_controller_source.go

@@ -88,6 +88,8 @@ func (r *HelmChartReconciler) reconcileFromHelmRepository(ctx context.Context, o
  // Configure Helm client to access repository
  clientOpts := []getter.Option{
  getter.WithTimeout(repository.Spec.Timeout.Duration),
+ getter.WithURL(repository.Spec.URL),
+ getter.WithPassCredentialsAll(repository.Spec.PassCredentials),
  }
  if repository.Spec.SecretRef != nil {
  // Attempt to retrieve secret

controllers/helmchart_controller_source_test.go

@@ -15,8 +15,6 @@ import (
  "helm.sh/helm/v3/pkg/chart/loader"
  corev1 "k8s.io/api/core/v1"
  metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/runtime"
- utilruntime "k8s.io/apimachinery/pkg/util/runtime"
  ctrl "sigs.k8s.io/controller-runtime"
  fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
  "sigs.k8s.io/controller-runtime/pkg/log"
@@ -152,10 +150,7 @@ func TestHelmChartReconciler_reconcileFromHelmRepository(t *testing.T) {
  },
  }
 
- s := runtime.NewScheme()
- utilruntime.Must(sourcev1.AddToScheme(s))
-
- builder := fakeclient.NewClientBuilder().WithScheme(s)
+ builder := fakeclient.NewClientBuilder().WithScheme(env.GetScheme())
  builder.WithObjects(sourceObj)
 
  r := &HelmChartReconciler{
@@ -371,10 +366,7 @@ func TestHelmChartReconciler_reconcileFromHelmRepository_secretRef(t *testing.T)
  tt.beforeFunc(repository)
  }
 
- s := runtime.NewScheme()
- utilruntime.Must(corev1.AddToScheme(s))
-
- builder := fakeclient.NewClientBuilder().WithScheme(s)
+ builder := fakeclient.NewClientBuilder().WithScheme(env.GetScheme())
  secret := tt.secret.DeepCopy()
  if secret != nil {
  builder.WithObjects(secret.DeepCopy())
@@ -460,10 +452,7 @@ func TestHelmChartReconciler_reconcileFromTarballArtifact(t *testing.T) {
  },
  }
 
- s := runtime.NewScheme()
- utilruntime.Must(sourcev1.AddToScheme(s))
-
- builder := fakeclient.NewClientBuilder().WithScheme(s)
+ builder := fakeclient.NewClientBuilder().WithScheme(env.GetScheme())
 
  r := &HelmChartReconciler{
  Client: builder.Build(),
@@ -576,10 +565,7 @@ func TestHelmChartReconciler_getSource(t *testing.T) {
  },
  }
 
- s := runtime.NewScheme()
- utilruntime.Must(sourcev1.AddToScheme(s))
-
- builder := fakeclient.NewClientBuilder().WithScheme(s)
+ builder := fakeclient.NewClientBuilder().WithScheme(env.GetScheme())
  builder.WithObjects(helmRepo, gitRepo, bucket)
 
  r := &HelmChartReconciler{

controllers/helmrepository_controller.go

@@ -247,6 +247,8 @@ func (r *HelmRepositoryReconciler) reconcileSource(ctx context.Context, obj *sou
  // Configure Helm client to access repository
  clientOpts := []getter.Option{
  getter.WithTimeout(obj.Spec.Timeout.Duration),
+ getter.WithURL(obj.Spec.URL),
+ getter.WithPassCredentialsAll(obj.Spec.PassCredentials),
  }
  if obj.Spec.SecretRef != nil {
  // Attempt to retrieve secret