fluxcd
diff --git a/‎api/v1/zz_generated.deepcopy.go
Lines changed: 2 additions & 2 deletions b/‎api/v1/zz_generated.deepcopy.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎api/v1beta1/zz_generated.deepcopy.go
Lines changed: 7 additions & 7 deletions b/‎api/v1beta1/zz_generated.deepcopy.go
Lines changed: 7 additions & 7 deletions
diff --git a/‎api/v1beta2/helmrepository_types.go
Lines changed: 5 additions & 0 deletions b/‎api/v1beta2/helmrepository_types.go
Lines changed: 5 additions & 0 deletions
diff --git a/‎api/v1beta2/zz_generated.deepcopy.go
Lines changed: 9 additions & 9 deletions b/‎api/v1beta2/zz_generated.deepcopy.go
Lines changed: 9 additions & 9 deletions
diff --git a/‎internal/controller/helmchart_controller.go
Lines changed: 10 additions & 2 deletions b/‎internal/controller/helmchart_controller.go
Lines changed: 10 additions & 2 deletions
diff --git a/‎internal/controller/helmrepository_controller.go
Lines changed: 4 additions & 0 deletions b/‎internal/controller/helmrepository_controller.go
Lines changed: 4 additions & 0 deletions
diff --git a/‎internal/controller/helmrepository_controller_oci.go
Lines changed: 31 additions & 18 deletions b/‎internal/controller/helmrepository_controller_oci.go
Lines changed: 31 additions & 18 deletions
diff --git a/‎internal/controller/helmrepository_controller_oci_test.go
Lines changed: 0 additions & 1 deletion b/‎internal/controller/helmrepository_controller_oci_test.go
Lines changed: 0 additions & 1 deletion
diff --git a/‎internal/controller/suite_test.go
Lines changed: 0 additions & 1 deletion b/‎internal/controller/suite_test.go
Lines changed: 0 additions & 1 deletion
diff --git a/‎internal/helm/registry/client.go
Lines changed: 38 additions & 3 deletions b/‎internal/helm/registry/client.go
Lines changed: 38 additions & 3 deletions
@@ -80,6 +80,11 @@ type HelmRepositorySpec struct {
 	// +optional
 	Timeout *metav1.Duration `json:"timeout,omitempty"`
 
+	// InsecureSkipTLSverify skips the validation of the TLS certificate of the
+	// OCI registry endpoint.
+	// +optional
+	InsecureSkipTLSverify bool `json:"insecureSkipTLSverify,omitempty"`
+
 	// Suspend tells the controller to suspend the reconciliation of this
 	// HelmRepository.
 	// +optional
 
@@ -576,6 +576,10 @@ func (r *HelmChartReconciler) buildFromHelmRepository(ctx context.Context, obj *
 		}
 	}
 
+	if repo.Spec.InsecureSkipTLSverify {
+		tlsConfig.InsecureSkipVerify = true
+	}
+
 	loginOpt, err := makeLoginOption(authenticator, keychain, normalizedURL)
 	if err != nil {
 		e := &serror.Event{
@@ -599,7 +603,7 @@ func (r *HelmChartReconciler) buildFromHelmRepository(ctx context.Context, obj *
 		// this is needed because otherwise the credentials are stored in ~/.docker/config.json.
 		// TODO@souleb: remove this once the registry move to Oras v2
 		// or rework to enable reusing credentials to avoid the unneccessary handshake operations
-		registryClient, credentialsFile, err := r.RegistryClientGenerator(loginOpt != nil)
+		registryClient, credentialsFile, err := r.RegistryClientGenerator(tlsConfig, loginOpt != nil)
 		if err != nil {
 			e := &serror.Event{
 				Err:    fmt.Errorf("failed to construct Helm client: %w", err),
@@ -1086,14 +1090,18 @@ func (r *HelmChartReconciler) namespacedChartRepositoryCallback(ctx context.Cont
 			}
 		}
 
+		if obj.Spec.InsecureSkipTLSverify {
+			tlsConfig.InsecureSkipVerify = true
+		}
+
 		loginOpt, err := makeLoginOption(authenticator, keychain, normalizedURL)
 		if err != nil {
 			return nil, err
 		}
 
 		var chartRepo repository.Downloader
 		if helmreg.IsOCI(normalizedURL) {
-			registryClient, credentialsFile, err := r.RegistryClientGenerator(loginOpt != nil)
+			registryClient, credentialsFile, err := r.RegistryClientGenerator(tlsConfig, loginOpt != nil)
 			if err != nil {
 				return nil, fmt.Errorf("failed to create registry client for HelmRepository '%s': %w", obj.Name, err)
 			}
 
@@ -441,6 +441,10 @@ func (r *HelmRepositoryReconciler) reconcileSource(ctx context.Context, sp *patc
 		}
 	}
 
+	if obj.Spec.InsecureSkipTLSverify {
+		tlsConfig.InsecureSkipVerify = true
+	}
+
 	// Construct Helm chart repository with options and download index
 	newChartRepo, err := repository.NewChartRepository(obj.Spec.URL, "", r.Getters, tlsConfig, clientOpts...)
 	if err != nil {
 
@@ -18,14 +18,14 @@ package controller
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"net/url"
 	"os"
 	"time"
 
 	"github.com/google/go-containerregistry/pkg/authn"
-	helmgetter "helm.sh/helm/v3/pkg/getter"
 	helmreg "helm.sh/helm/v3/pkg/registry"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -51,6 +51,7 @@ import (
 
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	helmv1 "github.com/fluxcd/source-controller/api/v1beta2"
+	"github.com/fluxcd/source-controller/internal/helm/getter"
 	"github.com/fluxcd/source-controller/internal/helm/registry"
 	"github.com/fluxcd/source-controller/internal/helm/repository"
 	"github.com/fluxcd/source-controller/internal/object"
@@ -78,7 +79,7 @@ type HelmRepositoryOCIReconciler struct {
 	client.Client
 	kuberecorder.EventRecorder
 	helper.Metrics
-	Getters                 helmgetter.Providers
+
 	ControllerName          string
 	RegistryClientGenerator RegistryClientGeneratorFunc
 
@@ -94,7 +95,7 @@ type HelmRepositoryOCIReconciler struct {
 // and an optional file name.
 // The file is used to store the registry client credentials.
 // The caller is responsible for deleting the file.
-type RegistryClientGeneratorFunc func(isLogin bool) (*helmreg.Client, string, error)
+type RegistryClientGeneratorFunc func(tlsConfig *tls.Config, isLogin bool) (*helmreg.Client, string, error)
 
 func (r *HelmRepositoryOCIReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return r.SetupWithManagerAndOptions(mgr, HelmRepositoryReconcilerOptions{})
@@ -307,11 +308,29 @@ func (r *HelmRepositoryOCIReconciler) reconcile(ctx context.Context, sp *patch.S
 	var (
 		authenticator authn.Authenticator
 		keychain      authn.Keychain
+		tlsConfig     *tls.Config
 		err           error
 	)
 	// Configure any authentication related options.
 	if obj.Spec.SecretRef != nil {
-		keychain, err = authFromSecret(ctx, r.Client, obj)
+		// Attempt to retrieve secret.
+		name := types.NamespacedName{
+			Namespace: obj.GetNamespace(),
+			Name:      obj.Spec.SecretRef.Name,
+		}
+		var secret corev1.Secret
+		if err := r.Client.Get(ctx, name, &secret); err != nil {
+			conditions.MarkFalse(obj, meta.ReadyCondition, sourcev1.AuthenticationFailedReason, err.Error())
+			result, retErr = ctrl.Result{}, err
+			return
+		}
+		keychain, err = authFromSecret(ctx, r.Client, obj.Spec.URL, secret)
+		if err != nil {
+			conditions.MarkFalse(obj, meta.ReadyCondition, sourcev1.AuthenticationFailedReason, err.Error())
+			result, retErr = ctrl.Result{}, err
+			return
+		}
+		tlsConfig, err = getter.TLSClientConfigFromSecret(secret, obj.Spec.URL)
 		if err != nil {
 			conditions.MarkFalse(obj, meta.ReadyCondition, sourcev1.AuthenticationFailedReason, err.Error())
 			result, retErr = ctrl.Result{}, err
@@ -330,6 +349,10 @@ func (r *HelmRepositoryOCIReconciler) reconcile(ctx context.Context, sp *patch.S
 		}
 	}
 
+	if obj.Spec.InsecureSkipTLSverify {
+		tlsConfig.InsecureSkipVerify = true
+	}
+
 	loginOpt, err := makeLoginOption(authenticator, keychain, obj.Spec.URL)
 	if err != nil {
 		conditions.MarkFalse(obj, meta.ReadyCondition, sourcev1.AuthenticationFailedReason, err.Error())
@@ -338,7 +361,7 @@ func (r *HelmRepositoryOCIReconciler) reconcile(ctx context.Context, sp *patch.S
 	}
 
 	// Create registry client and login if needed.
-	registryClient, file, err := r.RegistryClientGenerator(loginOpt != nil)
+	registryClient, file, err := r.RegistryClientGenerator(tlsConfig, loginOpt != nil)
 	if err != nil {
 		e := fmt.Errorf("failed to create registry client: %w", err)
 		conditions.MarkFalse(obj, meta.ReadyCondition, meta.FailedReason, e.Error())
@@ -409,20 +432,10 @@ func (r *HelmRepositoryOCIReconciler) eventLogf(ctx context.Context, obj runtime
 }
 
 // authFromSecret returns an authn.Keychain for the given HelmRepository.
-// If the HelmRepository does not specify a secretRef, an anonymous keychain is returned.
-func authFromSecret(ctx context.Context, client client.Client, obj *helmv1.HelmRepository) (authn.Keychain, error) {
-	// Attempt to retrieve secret.
-	name := types.NamespacedName{
-		Namespace: obj.GetNamespace(),
-		Name:      obj.Spec.SecretRef.Name,
-	}
-	var secret corev1.Secret
-	if err := client.Get(ctx, name, &secret); err != nil {
-		return nil, fmt.Errorf("failed to get secret '%s': %w", name.String(), err)
-	}
-
+// If the provided secret does not contain credentials, an anonymous keychain is returned.
+func authFromSecret(ctx context.Context, client client.Client, registryURL string, secret corev1.Secret) (authn.Keychain, error) {
 	// Construct login options.
-	keychain, err := registry.LoginOptionFromSecret(obj.Spec.URL, secret)
+	keychain, err := registry.LoginOptionFromSecret(registryURL, secret)
 	if err != nil {
 		return nil, fmt.Errorf("failed to configure Helm client with secret data: %w", err)
 	}
 
@@ -299,7 +299,6 @@ func TestHelmRepositoryOCIReconciler_authStrategy(t *testing.T) {
 			r := &HelmRepositoryOCIReconciler{
 				Client:                  clientBuilder.Build(),
 				EventRecorder:           record.NewFakeRecorder(32),
-				Getters:                 testGetters,
 				RegistryClientGenerator: registry.ClientGenerator,
 				patchOptions:            getPatchOptions(helmRepositoryOCIOwnedConditions, "sc"),
 			}
 
@@ -294,7 +294,6 @@ func TestMain(m *testing.M) {
 		Client:                  testEnv,
 		EventRecorder:           record.NewFakeRecorder(32),
 		Metrics:                 testMetricsH,
-		Getters:                 testGetters,
 		RegistryClientGenerator: registry.ClientGenerator,
 	}).SetupWithManagerAndOptions(testEnv, HelmRepositoryReconcilerOptions{
 		RateLimiter: controller.GetDefaultRateLimiter(),
 
@@ -17,7 +17,9 @@ limitations under the License.
 package registry
 
 import (
+	"crypto/tls"
 	"io"
+	"net/http"
 	"os"
 
 	"helm.sh/helm/v3/pkg/registry"
@@ -27,7 +29,7 @@ import (
 // ClientGenerator generates a registry client and a temporary credential file.
 // The client is meant to be used for a single reconciliation.
 // The file is meant to be used for a single reconciliation and deleted after.
-func ClientGenerator(isLogin bool) (*registry.Client, string, error) {
+func ClientGenerator(tlsConfig *tls.Config, isLogin bool) (*registry.Client, string, error) {
 	if isLogin {
 		// create a temporary file to store the credentials
 		// this is needed because otherwise the credentials are stored in ~/.docker/config.json.
@@ -37,7 +39,7 @@ func ClientGenerator(isLogin bool) (*registry.Client, string, error) {
 		}
 
 		var errs []error
-		rClient, err := registry.NewClient(registry.ClientOptWriter(io.Discard), registry.ClientOptCredentialsFile(credentialsFile.Name()))
+		rClient, err := newClient(credentialsFile.Name(), tlsConfig)
 		if err != nil {
 			errs = append(errs, err)
 			// attempt to delete the temporary file
@@ -52,9 +54,42 @@ func ClientGenerator(isLogin bool) (*registry.Client, string, error) {
 		return rClient, credentialsFile.Name(), nil
 	}
 
-	rClient, err := registry.NewClient(registry.ClientOptWriter(io.Discard))
+	rClient, err := newClient("", tlsConfig)
 	if err != nil {
 		return nil, "", err
 	}
 	return rClient, "", nil
 }
+
+func newClient(credentialsFile string, tlsConfig *tls.Config) (*registry.Client, error) {
+	if tlsConfig != nil {
+		return newClientWithTLS(credentialsFile, tlsConfig)
+	}
+	return newDefaultClient(credentialsFile)
+}
+
+func newDefaultClient(credentialsFile string) (*registry.Client, error) {
+	if credentialsFile == "" {
+		return registry.NewClient(registry.ClientOptWriter(io.Discard))
+	}
+	return registry.NewClient(registry.ClientOptWriter(io.Discard),
+		registry.ClientOptCredentialsFile(credentialsFile))
+}
+
+func newClientWithTLS(credentialsFile string, tlsConfig *tls.Config) (*registry.Client, error) {
+	if credentialsFile == "" {
+		return registry.NewClient(registry.ClientOptWriter(io.Discard),
+			registry.ClientOptHTTPClient(&http.Client{
+				Transport: &http.Transport{
+					TLSClientConfig: tlsConfig,
+				},
+			}))
+	}
+	return registry.NewClient(registry.ClientOptWriter(io.Discard),
+		registry.ClientOptCredentialsFile(credentialsFile),
+		registry.ClientOptHTTPClient(&http.Client{
+			Transport: &http.Transport{
+				TLSClientConfig: tlsConfig,
+			},
+		}))
+}
Original file line number	Diff line number	Diff line change
`@@ -441,6 +441,10 @@ func (r HelmRepositoryReconciler) reconcileSource(ctx context.Context, sp patc`
`441`	`441`	`}`
`442`	`442`	`}`
`443`	`443`
	`444`	`+ if obj.Spec.InsecureSkipTLSverify {`
	`445`	`+ tlsConfig.InsecureSkipVerify = true`
	`446`	`+ }`
	`447`	`+`
`444`	`448`	`// Construct Helm chart repository with options and download index`
`445`	`449`	`newChartRepo, err := repository.NewChartRepository(obj.Spec.URL, "", r.Getters, tlsConfig, clientOpts...)`
`446`	`450`	`if err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -299,7 +299,6 @@ func TestHelmRepositoryOCIReconciler_authStrategy(t *testing.T) {`
`299`	`299`	`r := &HelmRepositoryOCIReconciler{`
`300`	`300`	`Client: clientBuilder.Build(),`
`301`	`301`	`EventRecorder: record.NewFakeRecorder(32),`
`302`		`- Getters: testGetters,`
`303`	`302`	`RegistryClientGenerator: registry.ClientGenerator,`
`304`	`303`	`patchOptions: getPatchOptions(helmRepositoryOCIOwnedConditions, "sc"),`
`305`	`304`	`}`