secretRef take precedence over provider

if secretRef is provided, we do not attempt to resolve oidc

Signed-off-by: Soule BA <[email protected]>

Author: souleb

controllers/helmchart_controller.go

@@ -520,10 +520,8 @@ func (r *HelmChartReconciler) buildFromHelmRepository(ctx context.Context, obj *
 		}
 
 		loginOpts = append([]helmreg.LoginOption{}, loginOpt)
-	}
-
-	if repo.Spec.Provider != sourcev1.GenericOCIProvider && repo.Spec.Type == sourcev1.HelmRepositoryTypeOCI {
-		auth, authErr := oidcAuth(ctxTimeout, repo)
+	} else if repo.Spec.Provider != sourcev1.GenericOCIProvider && repo.Spec.Type == sourcev1.HelmRepositoryTypeOCI {
+		auth, authErr := oidcAuthFromAdapter(ctxTimeout, repo.Spec.URL, repo.Spec.Provider)
 		if authErr != nil && !errors.Is(authErr, oci.ErrUnconfiguredProvider) {
 			e := &serror.Event{
 				Err:    fmt.Errorf("failed to get credential from %s: %w", repo.Spec.Provider, authErr),
@@ -995,10 +993,8 @@ func (r *HelmChartReconciler) namespacedChartRepositoryCallback(ctx context.Cont
 			}
 
 			loginOpts = append([]helmreg.LoginOption{}, loginOpt)
-		}
-
-		if repo.Spec.Provider != sourcev1.GenericOCIProvider && repo.Spec.Type == sourcev1.HelmRepositoryTypeOCI {
-			auth, authErr := oidcAuth(ctxTimeout, repo)
+		} else if repo.Spec.Provider != sourcev1.GenericOCIProvider && repo.Spec.Type == sourcev1.HelmRepositoryTypeOCI {
+			auth, authErr := oidcAuthFromAdapter(ctxTimeout, repo.Spec.URL, repo.Spec.Provider)
 			if authErr != nil && !errors.Is(authErr, oci.ErrUnconfiguredProvider) {
 				return nil, fmt.Errorf("failed to get credential from %s: %w", repo.Spec.Provider, authErr)
 			}

controllers/helmrepository_controller_oci.go

@@ -22,7 +22,6 @@ import (
 	"fmt"
 	"net/url"
 	"os"
-	"strings"
 	"time"
 
 	helmgetter "helm.sh/helm/v3/pkg/getter"
@@ -43,12 +42,10 @@ import (
 
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/oci"
-	"github.com/fluxcd/pkg/oci/auth/login"
 	"github.com/fluxcd/pkg/runtime/conditions"
 	helper "github.com/fluxcd/pkg/runtime/controller"
 	"github.com/fluxcd/pkg/runtime/patch"
 	"github.com/fluxcd/pkg/runtime/predicates"
-	"github.com/google/go-containerregistry/pkg/name"
 
 	"github.com/fluxcd/source-controller/api/v1beta2"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
@@ -301,10 +298,8 @@ func (r *HelmRepositoryOCIReconciler) reconcile(ctx context.Context, obj *v1beta
 		if loginOpt != nil {
 			loginOpts = append(loginOpts, loginOpt)
 		}
-	}
-
-	if obj.Spec.Provider != sourcev1.GenericOCIProvider && obj.Spec.Type == sourcev1.HelmRepositoryTypeOCI {
-		auth, authErr := oidcAuth(ctxTimeout, obj)
+	} else if obj.Spec.Provider != sourcev1.GenericOCIProvider && obj.Spec.Type == sourcev1.HelmRepositoryTypeOCI {
+		auth, authErr := oidcAuthFromAdapter(ctxTimeout, obj.Spec.URL, obj.Spec.Provider)
 		if authErr != nil && !errors.Is(authErr, oci.ErrUnconfiguredProvider) {
 			e := fmt.Errorf("failed to get credential from %s: %w", obj.Spec.Provider, authErr)
 			conditions.MarkFalse(obj, meta.ReadyCondition, sourcev1.AuthenticationFailedReason, e.Error())
@@ -387,41 +382,12 @@ func (r *HelmRepositoryOCIReconciler) eventLogf(ctx context.Context, obj runtime
 	r.Eventf(obj, eventType, reason, msg)
 }
 
-// oidcAuth generates the OIDC credential authenticator based on the specified cloud provider.
-func oidcAuth(ctx context.Context, obj *sourcev1.HelmRepository) (helmreg.LoginOption, error) {
-	url := strings.TrimPrefix(obj.Spec.URL, sourcev1.OCIRepositoryPrefix)
-	ref, err := name.ParseReference(url)
-	if err != nil {
-		return nil, fmt.Errorf("failed to parse URL '%s': %w", obj.Spec.URL, err)
-	}
-
-	loginOpt, err := loginWithManager(ctx, obj.Spec.Provider, url, ref)
-	if err != nil {
-		return nil, fmt.Errorf("failed to login to registry '%s': %w", obj.Spec.URL, err)
-	}
-
-	return loginOpt, nil
-}
-
-func loginWithManager(ctx context.Context, provider, url string, ref name.Reference) (helmreg.LoginOption, error) {
-	opts := login.ProviderOptions{}
-	switch provider {
-	case sourcev1.AmazonOCIProvider:
-		opts.AwsAutoLogin = true
-	case sourcev1.AzureOCIProvider:
-		opts.AzureAutoLogin = true
-	case sourcev1.GoogleOCIProvider:
-		opts.GcpAutoLogin = true
-	}
-
-	auth, err := login.NewManager().Login(ctx, url, ref, opts)
+// oidcAuthFromAdapter generates the OIDC credential authenticator based on the specified cloud provider.
+func oidcAuthFromAdapter(ctx context.Context, url, provider string) (helmreg.LoginOption, error) {
+	auth, err := oidcAuth(ctx, url, provider)
 	if err != nil {
 		return nil, err
 	}
 
-	if auth == nil {
-		return nil, nil
-	}
-
 	return registry.OIDCAdaptHelper(auth)
 }

controllers/ocirepository_controller.go

@@ -312,8 +312,8 @@ func (r *OCIRepositoryReconciler) reconcileSource(ctx context.Context, obj *sour
 	}
 	options = append(options, crane.WithAuthFromKeychain(keychain))
 
-	if obj.Spec.Provider != sourcev1.GenericOCIProvider {
-		auth, authErr := r.oidcAuth(ctxTimeout, obj)
+	if obj.Spec.Provider != sourcev1.GenericOCIProvider && keychain == nil {
+		auth, authErr := oidcAuth(ctxTimeout, obj.Spec.URL, obj.Spec.Provider)
 		if authErr != nil && !errors.Is(authErr, oci.ErrUnconfiguredProvider) {
 			e := serror.NewGeneric(
 				fmt.Errorf("failed to get credential from %s: %w", obj.Spec.Provider, authErr),
@@ -593,9 +593,11 @@ func (r *OCIRepositoryReconciler) keychain(ctx context.Context, obj *sourcev1.OC
 		}
 	}
 
-	// if no pullsecrets available return DefaultKeyChain
+	// if no pullsecrets available return nil
+	// we don't return a DefaultKeyChain as we should not rely on the default
+	// docker config file
 	if len(pullSecretNames) == 0 {
-		return authn.DefaultKeychain, nil
+		return nil, nil
 	}
 
 	// lookup image pull secrets
@@ -659,15 +661,15 @@ func (r *OCIRepositoryReconciler) transport(ctx context.Context, obj *sourcev1.O
 }
 
 // oidcAuth generates the OIDC credential authenticator based on the specified cloud provider.
-func (r *OCIRepositoryReconciler) oidcAuth(ctx context.Context, obj *sourcev1.OCIRepository) (authn.Authenticator, error) {
-	url := strings.TrimPrefix(obj.Spec.URL, sourcev1.OCIRepositoryPrefix)
-	ref, err := name.ParseReference(url)
+func oidcAuth(ctx context.Context, url, provider string) (authn.Authenticator, error) {
+	u := strings.TrimPrefix(url, sourcev1.OCIRepositoryPrefix)
+	ref, err := name.ParseReference(u)
 	if err != nil {
-		return nil, fmt.Errorf("failed to parse URL '%s': %w", obj.Spec.URL, err)
+		return nil, fmt.Errorf("failed to parse URL '%s': %w", u, err)
 	}
 
 	opts := login.ProviderOptions{}
-	switch obj.Spec.Provider {
+	switch provider {
 	case sourcev1.AmazonOCIProvider:
 		opts.AwsAutoLogin = true
 	case sourcev1.AzureOCIProvider:
@@ -676,7 +678,7 @@ func (r *OCIRepositoryReconciler) oidcAuth(ctx context.Context, obj *sourcev1.OC
 		opts.GcpAutoLogin = true
 	}
 
-	return login.NewManager().Login(ctx, url, ref, opts)
+	return login.NewManager().Login(ctx, u, ref, opts)
 }
 
 // craneOptions sets the auth headers, timeout and user agent