fluxcd
diff --git a/‎api/v1/zz_generated.deepcopy.go
Lines changed: 2 additions & 2 deletions b/‎api/v1/zz_generated.deepcopy.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎api/v1beta1/zz_generated.deepcopy.go
Lines changed: 7 additions & 7 deletions b/‎api/v1beta1/zz_generated.deepcopy.go
Lines changed: 7 additions & 7 deletions
diff --git a/‎api/v1beta2/zz_generated.deepcopy.go
Lines changed: 9 additions & 9 deletions b/‎api/v1beta2/zz_generated.deepcopy.go
Lines changed: 9 additions & 9 deletions
diff --git a/‎docs/spec/v1beta2/helmrepositories.md
Lines changed: 22 additions & 2 deletions b/‎docs/spec/v1beta2/helmrepositories.md
Lines changed: 22 additions & 2 deletions
diff --git a/‎internal/controller/helmchart_controller.go
Lines changed: 44 additions & 3 deletions b/‎internal/controller/helmchart_controller.go
Lines changed: 44 additions & 3 deletions
@@ -454,8 +454,6 @@ flux create secret oci ghcr-auth \
 
 #### TLS authentication
 
-**Note:** TLS authentication is not yet supported by OCI Helm repositories.
-
 To provide TLS credentials to use while connecting with the Helm repository,
 the referenced Secret is expected to contain `.data.certFile` and
 `.data.keyFile`, and/or `.data.caFile` values.
@@ -487,6 +485,28 @@ data:
   caFile: <BASE64>
 ```
 
+#### Provide TLS credentials in a secret of type kubernetes.io/dockerconfigjson
+
+For OCI Helm repositories, Kubernetes secrets of type [kubernetes.io/dockerconfigjson](https://kubernetes.io/docs/concepts/configuration/secret/#secret-types)
+are also supported. It is possible to append TLS credentials to the secret data.
+
+For example:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: example-tls
+  namespace: default
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: <BASE64>
+  certFile: <BASE64>
+  keyFile: <BASE64>
+  # NOTE: Can be supplied without the above values
+  caFile: <BASE64>
+```
+
 ### Pass credentials
 
 `.spec.passCredentials` is an optional field to allow the credentials from the
 
@@ -510,6 +510,8 @@ func (r *HelmChartReconciler) buildFromHelmRepository(ctx context.Context, obj *
 		tlsConfig     *tls.Config
 		authenticator authn.Authenticator
 		keychain      authn.Keychain
+		tlsLoginOpt   helmreg.LoginOption
+		tmpCertsDir   string
 	)
 	// Used to login with the repository declared provider
 	ctxTimeout, cancel := context.WithTimeout(ctx, repo.Spec.Timeout.Duration)
@@ -549,6 +551,22 @@ func (r *HelmChartReconciler) buildFromHelmRepository(ctx context.Context, obj *
 		}
 		clientOpts = append(clientOpts, opts...)
 		tlsConfig = tlsCfg
+		tlsLoginOpt, tmpCertsDir, err = makeTLSLoginOption(secret)
+		if err != nil {
+			e := &serror.Event{
+				Err:    err,
+				Reason: sourcev1.AuthenticationFailedReason,
+			}
+			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
+			// Requeue as content of secret might change
+			return sreconcile.ResultEmpty, e
+		}
+		defer func() {
+			if err := os.RemoveAll(tmpCertsDir); err != nil {
+				r.eventLogf(ctx, obj, corev1.EventTypeWarning, meta.FailedReason,
+					"failed to delete temporary certificates directory: %s", err)
+			}
+		}()
 
 		// Build registryClient options from secret
 		keychain, err = registry.LoginOptionFromSecret(normalizedURL, *secret)
@@ -650,7 +668,11 @@ func (r *HelmChartReconciler) buildFromHelmRepository(ctx context.Context, obj *
 		// If login options are configured, use them to login to the registry
 		// The OCIGetter will later retrieve the stored credentials to pull the chart
 		if loginOpt != nil {
-			err = ociChartRepo.Login(loginOpt)
+			opts := []helmreg.LoginOption{loginOpt}
+			if tlsLoginOpt != nil {
+				opts = append(opts, tlsLoginOpt)
+			}
+			err = ociChartRepo.Login(opts...)
 			if err != nil {
 				e := &serror.Event{
 					Err:    fmt.Errorf("failed to login to OCI registry: %w", err),
@@ -1023,9 +1045,11 @@ func (r *HelmChartReconciler) garbageCollect(ctx context.Context, obj *helmv1.He
 // or a shim with defaults if no object could be found.
 // The callback returns an object with a state, so the caller has to do the necessary cleanup.
 func (r *HelmChartReconciler) namespacedChartRepositoryCallback(ctx context.Context, name, namespace string) chart.GetChartDownloaderCallback {
-	return func(url string) (repository.Downloader, error) {
+	return func(url string) (repo repository.Downloader, err error) {
 		var (
 			tlsConfig     *tls.Config
+			tlsLoginOpt   helmreg.LoginOption
+			tmpCertsDir   string
 			authenticator authn.Authenticator
 			keychain      authn.Keychain
 		)
@@ -1069,6 +1093,19 @@ func (r *HelmChartReconciler) namespacedChartRepositoryCallback(ctx context.Cont
 			}
 			clientOpts = append(clientOpts, opts...)
 			tlsConfig = tlsCfg
+			tlsLoginOpt, tmpCertsDir, err = makeTLSLoginOption(secret)
+			if err != nil {
+				return nil, err
+			}
+			defer func() {
+				var errs []error
+				if errf := os.RemoveAll(tmpCertsDir); errf != nil {
+					errs = append(errs, errf)
+				}
+				errs = append(errs, err)
+				err = kerrors.NewAggregate(errs)
+				return
+			}()
 
 			// Build registryClient options from secret
 			keychain, err = registry.LoginOptionFromSecret(normalizedURL, *secret)
@@ -1119,7 +1156,11 @@ func (r *HelmChartReconciler) namespacedChartRepositoryCallback(ctx context.Cont
 			// If login options are configured, use them to login to the registry
 			// The OCIGetter will later retrieve the stored credentials to pull the chart
 			if loginOpt != nil {
-				err = ociChartRepo.Login(loginOpt)
+				opts := []helmreg.LoginOption{loginOpt}
+				if tlsLoginOpt != nil {
+					opts = append(opts, tlsLoginOpt)
+				}
+				err = ociChartRepo.Login(opts...)
 				if err != nil {
 					errs = append(errs, fmt.Errorf("failed to login to OCI chart repository for HelmRepository '%s': %w", obj.Name, err))
 					// clean up the credentialsFile