-
Notifications
You must be signed in to change notification settings - Fork 190
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
helmrepo: fix Secret type check for TLS via .spec.secretRef
#1220
Conversation
0960c0d
to
5e305df
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The code seems to be a little convoluted that's why I needed some time to understand how the change actually fixes the issue but now I'm 99% sure it does. Good job.
internal/tls/config_test.go
Outdated
@@ -111,6 +105,20 @@ func Test_tlsClientConfigFromSecret(t *testing.T) { | |||
} | |||
} | |||
|
|||
func TestKubeTLSConfigFromSecret(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you want to go above and beyond, I'd suggest to add a test for TLSClientConfigFromSecret
to make sure it doesn't fail as it did before.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
I'd like to understand to what level are we walking back with this change. As I see it and also pointed out when we were introducing the breaking behavior, this is not limited to HelmRepository but also affects all the other APIs that had a similar change, OCIRepository, image-reflector-controller ImageRepository and notification-controller Provider. The difference being, except for HelmRepository, other APIs had a separate field for TLS secret in |
yeah, pretty much (at least thats my understanding). in general, the Secret specified in |
It seems like this situation can be interpreted in different ways.
If this reasoning sounds good to others, I'm okay with that. But I think this reasoning is trying to justify a limitation of the current implementation. The reason type check is being performed on an auth secret is because the code in https://github.com/fluxcd/source-controller/blob/v1.1.0/internal/helm/getter/client_opts.go#L118-L121 isn't checking if the given secret contains any TLS data and passing it to a function whose purpose is to parse and build TLS config. The regression in #1218 can be simply addressed by just adding a check to see if the auth secret contains TLS data before trying to construct TLS config from it. Something like the following: diff --git a/internal/helm/getter/client_opts.go b/internal/helm/getter/client_opts.go
index 4e77f29..412bd68 100644
--- a/internal/helm/getter/client_opts.go
+++ b/internal/helm/getter/client_opts.go
@@ -115,9 +115,11 @@ func GetClientOpts(ctx context.Context, c client.Client, obj *helmv1.HelmReposit
}
hrOpts.GetterOpts = append(hrOpts.GetterOpts, opts...)
- // If the TLS config is nil, i.e. one couldn't be constructed using `.spec.certSecretRef`
- // then try to use `.spec.secretRef`.
- if hrOpts.TlsConfig == nil && !ociRepo {
+ // If the TLS config is nil, i.e. one couldn't be constructed using
+ // `.spec.certSecretRef`, and if the secret contains TLS data then try to
+ // use `.spec.secretRef`.
+ if hrOpts.TlsConfig == nil && !ociRepo &&
+ len(authSecret.Data["certFile"])+len(authSecret.Data["keyFile"])+len(authSecret.Data["caFile"]) != 0 {
hrOpts.TlsConfig, tlsBytes, err = stls.TLSClientConfigFromSecret(*authSecret, url)
if err != nil {
return nil, "", fmt.Errorf("failed to construct Helm client's TLS config: %w", err) Creating differences in Removing the secret type restriction only for HelmRepository introduces inconsistencies that can be avoided by keeping things as they are. Nowhere in Flux do we accept TLS data from a Secret type that's not one of the three we expect. |
I tend to agree with Sunny here. When the user references a Secret in |
5e305df
to
8a24a5d
Compare
This is a regression fix introduced in a302c71 which would wrongly check for the type of the Secret specified in `.spec.secretRef` while configuring TLS data. Introduce `LegacyTLSClientConfigFromSecret` which does not check the Secret type while constructing the TLS config. Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
8a24a5d
to
f787fc7
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
Successfully created backport PR for |
This is a fix for a regression introduced in a302c71 which would wrongly check for the type of the Secret specified in
.spec.secretRef
while configuring TLS data.This introduces a new function that skips the Secret type check and uses that for HTTP HelmRepository TLS.
Fixes #1218