Merge pull request #1160 from fluxcd/helm-cert-secret

helmrepo: add `.spec.certSecretRef` for specifying TLS auth data

api/v1beta2/helmrepository_types.go

@@ -51,11 +51,18 @@ type HelmRepositorySpec struct {
 	// for the HelmRepository.
 	// For HTTP/S basic auth the secret must contain 'username' and 'password'
 	// fields.
-	// For TLS the secret must contain a 'certFile' and 'keyFile', and/or
-	// 'caFile' fields.
+	// Support for TLS auth using the 'certFile' and 'keyFile', and/or 'caFile'
+	// keys is deprecated. Please use `.spec.certSecretRef` instead.
 	// +optional
 	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
 
+	// CertSecretRef specifies the Secret containing the TLS authentication
+	// data. The secret must contain a 'certFile' and 'keyFile', and/or 'caFile'
+	// fields. It takes precedence over the values specified in the Secret
+	// referred to by `.spec.secretRef`.
+	// +optional
+	CertSecretRef *meta.LocalObjectReference `json:"certSecretRef,omitempty"`
+
 	// PassCredentials allows the credentials from the SecretRef to be passed
 	// on to a host that does not match the host as defined in URL.
 	// This may be required if the host of the advertised chart URLs in the

config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml

@@ -296,6 +296,18 @@ spec:
                 required:
                 - namespaceSelectors
                 type: object
+              certSecretRef:
+                description: CertSecretRef specifies the Secret containing the TLS
+                  authentication data. The secret must contain a 'certFile' and 'keyFile',
+                  and/or 'caFile' fields. It takes precedence over the values specified
+                  in the Secret referred to by `.spec.secretRef`.
+                properties:
+                  name:
+                    description: Name of the referent.
+                    type: string
+                required:
+                - name
+                type: object
               interval:
                 description: Interval at which to check the URL for updates.
                 pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
@@ -323,8 +335,9 @@ spec:
               secretRef:
                 description: SecretRef specifies the Secret containing authentication
                   credentials for the HelmRepository. For HTTP/S basic auth the secret
-                  must contain 'username' and 'password' fields. For TLS the secret
-                  must contain a 'certFile' and 'keyFile', and/or 'caFile' fields.
+                  must contain 'username' and 'password' fields. Support for TLS auth
+                  using the 'certFile' and 'keyFile', and/or 'caFile' keys is deprecated.
+                  Please use `.spec.certSecretRef` instead.
                 properties:
                   name:
                     description: Name of the referent.

docs/api/v1beta2/source.md

@@ -792,8 +792,25 @@ github.com/fluxcd/pkg/apis/meta.LocalObjectReference
 for the HelmRepository.
 For HTTP/S basic auth the secret must contain ‘username’ and ‘password’
 fields.
-For TLS the secret must contain a ‘certFile’ and ‘keyFile’, and/or
-&lsquo;caFile&rsquo; fields.</p>
+Support for TLS auth using the &lsquo;certFile&rsquo; and &lsquo;keyFile&rsquo;, and/or &lsquo;caFile&rsquo;
+keys is deprecated. Please use <code>.spec.certSecretRef</code> instead.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>certSecretRef</code><br>
+<em>
+<a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
+github.com/fluxcd/pkg/apis/meta.LocalObjectReference
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>CertSecretRef specifies the Secret containing the TLS authentication
+data. The secret must contain a &lsquo;certFile&rsquo; and &lsquo;keyFile&rsquo;, and/or &lsquo;caFile&rsquo;
+fields. It takes precedence over the values specified in the Secret
+referred to by <code>.spec.secretRef</code>.</p>
 </td>
 </tr>
 <tr>
@@ -2459,8 +2476,25 @@ github.com/fluxcd/pkg/apis/meta.LocalObjectReference
 for the HelmRepository.
 For HTTP/S basic auth the secret must contain &lsquo;username&rsquo; and &lsquo;password&rsquo;
 fields.
-For TLS the secret must contain a &lsquo;certFile&rsquo; and &lsquo;keyFile&rsquo;, and/or
-&lsquo;caFile&rsquo; fields.</p>
+Support for TLS auth using the &lsquo;certFile&rsquo; and &lsquo;keyFile&rsquo;, and/or &lsquo;caFile&rsquo;
+keys is deprecated. Please use <code>.spec.certSecretRef</code> instead.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>certSecretRef</code><br>
+<em>
+<a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
+github.com/fluxcd/pkg/apis/meta.LocalObjectReference
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>CertSecretRef specifies the Secret containing the TLS authentication
+data. The secret must contain a &lsquo;certFile&rsquo; and &lsquo;keyFile&rsquo;, and/or &lsquo;caFile&rsquo;
+fields. It takes precedence over the values specified in the Secret
+referred to by <code>.spec.secretRef</code>.</p>
 </td>
 </tr>
 <tr>

docs/spec/v1beta2/helmrepositories.md

@@ -452,15 +452,37 @@ flux create secret oci ghcr-auth \
   --password=${GITHUB_PAT}
 ```
 
-#### TLS authentication
+**Note:** Support for specifying TLS authentication data using this API has been
+deprecated. Please use [`.spec.certSecretRef`](#cert-secret-reference) instead.
+If the controller uses the secret specfied by this field to configure TLS, then
+a deprecation warning will be logged.
+
+### Cert secret reference
 
 **Note:** TLS authentication is not yet supported by OCI Helm repositories.
 
-To provide TLS credentials to use while connecting with the Helm repository,
-the referenced Secret is expected to contain `.data.certFile` and
-`.data.keyFile`, and/or `.data.caFile` values.
+`.spec.certSecretRef.name` is an optional field to specify a secret containing TLS
+certificate data. The secret can contain the following keys:
 
-For example:
+* `certFile` and `keyFile`, to specify the client certificate and private key used for
+TLS client authentication. These must be used in conjunction, i.e. specifying one without
+the other will lead to an error.
+* `caFile`, to specify the CA certificate used to verify the server, which is required
+if the server is using a self-signed certificate.
+
+If the server is using a self-signed certificate and has TLS client authentication enabled,
+all three values are required.
+
+All the files in the secret are expected to be [PEM-encoded][pem-encoding]. Assuming you have
+three files; `client.key`, `client.crt` and `ca.crt` for the client private key, client
+certificate and the CA certificate respectively, you can generate the required secret using
+the `flux creat secret helm` command:
+
+```sh
+flux create secret helm tls --key-file=client.key --cert-file=client.crt --ca-file=ca.crt
+```
+
+Example usage:
 
 ```yaml
 ---
@@ -472,7 +494,7 @@ metadata:
 spec:
   interval: 5m0s
   url: https://example.com
-  secretRef:
+  certSecretRef:
     name: example-tls
 ---
 apiVersion: v1