
Commit 9c6dc33

authored
Merge pull request #904 from fluxcd/add-ca-cert
Append custom CA certificates (caFile) to the system certificate pool instead of using them as the sole trust anchor
2 parents 20fa94a + 7a13964 commit 9c6dc33


2 files changed

+34
-2
lines changed


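--- a/controllers/helmrepository_controller_test.go
+++ b/controllers/helmrepository_controller_test.go
@@ -290,13 +290,32 @@ func TestHelmRepositoryReconciler_reconcileSource(t *testing.T) {
 name string
 protocol string
 server options
+url string
 secret *corev1.Secret
 beforeFunc func(t *WithT, obj *sourcev1.HelmRepository, checksum string)
 afterFunc func(t *WithT, obj *sourcev1.HelmRepository, artifact sourcev1.Artifact, chartRepo repository.ChartRepository)
 want sreconcile.Result
 wantErr bool
 assertConditions []metav1.Condition
 }{
+{
+name: "HTTPS with secretRef pointing to CA cert but public repo URL succeeds",
+protocol: "http",
+url: "https://stefanprodan.github.io/podinfo",
+want: sreconcile.ResultSuccess,
+secret: &corev1.Secret{
+ObjectMeta: metav1.ObjectMeta{
+Name: "ca-file",
+},
+Data: map[string][]byte{
+"caFile": tlsCA,
+},
+},
+assertConditions: []metav1.Condition{
+*conditions.TrueCondition(sourcev1.ArtifactOutdatedCondition, "NewRevision", "new index revision"),
+*conditions.TrueCondition(meta.ReconcilingCondition, "NewRevision", "new index revision"),
+},
+},
 {
 name: "HTTP without secretRef makes ArtifactOutdated=True",
 protocol: "http",
@@ -565,10 +584,16 @@ func TestHelmRepositoryReconciler_reconcileSource(t *testing.T) {
 server.Start()
 defer server.Stop()
 obj.Spec.URL = server.URL()
+if tt.url != "" {
+obj.Spec.URL = tt.url
+}
 case "https":
 g.Expect(server.StartTLS(tt.server.publicKey, tt.server.privateKey, tt.server.ca, "example.com")).To(Succeed())
 defer server.Stop()
 obj.Spec.URL = server.URL()
+if tt.url != "" {
+obj.Spec.URL = tt.url
+}
 default:
 t.Fatalf("unsupported protocol %q", tt.protocol)
 }
@@ -596,7 +621,11 @@ func TestHelmRepositoryReconciler_reconcileSource(t *testing.T) {
 validSecret = false
 }
 clientOpts = append(clientOpts, cOpts...)
-tOpts, serr = getter.TLSClientConfigFromSecret(*secret, server.URL())
+repoURL := server.URL()
+if tt.url != "" {
+repoURL = tt.url
+}
+tOpts, serr = getter.TLSClientConfigFromSecret(*secret, repoURL)
 if serr != nil {
 validSecret = false
 }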
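Review bot: The new table entry in the first hunk (new lines 302-318) reaches out to https://stefanprodan.github.io/podinfo and relies on the host's system root store, so the test fails offline or on an egress-restricted CI runner, and a pass proves only that the public chain validated, not that tlsCA was honoured alongside it. The plain HTTP server started for protocol "http" is never contacted once obj.Spec.URL is overridden, and the case name says HTTPS while the protocol field says http, which will mislead the next reader. A self-contained version would serve the index from the local TLS test server with a certificate the system pool does not trust and assert success only because caFile was appended; if the public fetch is kept, gate it with `if testing.Short() { t.Skip("requires network access to github.io") }` placed where the case is executed and name it for what it actually exercises. All three hunks are slices of TestHelmRepositoryReconciler_reconcileSource, which begins and ends outside this section.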

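--- a/internal/helm/getter/getter.go
+++ b/internal/helm/getter/getter.go
@@ -81,7 +81,10 @@ func TLSClientConfigFromSecret(secret corev1.Secret, repositoryUrl string) (*tls
 }
 
 if len(caBytes) > 0 {
-cp := x509.NewCertPool()
+cp, err := x509.SystemCertPool()
+if err != nil {
+return nil, fmt.Errorf("cannot retrieve system certificate pool: %w", err)
+}
 if !cp.AppendCertsFromPEM(caBytes) {
 return nil, fmt.Errorf("cannot append certificate into certificate pool: invalid caFile")
 }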
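Review bot: Seeding the pool from x509.SystemCertPool() at new line 84 silently widens the trust model for every HelmRepository that sets caFile: before, the supplied CA was the only trust anchor and so acted as a pin to a private PKI, whereas now any publicly trusted CA also validates the repository, which a user who deployed caFile specifically to exclude public CAs will not expect. That may be the intended trade-off for the mixed public/private case this PR targets, but it should be stated on the function and in the HelmRepository API docs, e.g. `// The CA in caFile is appended to the system root pool rather than replacing it, so it cannot be used to pin a repository to a private CA.`, and if pinning is still wanted an explicit opt-in (or using the system pool only when caFile is absent) would preserve the old guarantee. Two points in favour of the hunk as written: SystemCertPool returns a copy, so appending here does not leak the custom CA into other callers, and on a platform where it returns an error the code now fails closed instead of proceeding with an empty pool. TLSClientConfigFromSecret begins before this hunk and continues after it.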
