From 9965d04881324212609280574af1379c8658d873 Mon Sep 17 00:00:00 2001 From: Tom Wieczorek Date: Wed, 19 Jun 2024 17:34:14 +0200 Subject: [PATCH 1/2] Add docs for Helm Repositories in k0s config Also mark required fields as such and make the rest optional. Signed-off-by: Tom Wieczorek --- docs/helm-charts.md | 12 +++++++++ pkg/apis/k0s/v1beta1/extensions.go | 27 ++++++++++++------- .../k0s.k0sproject.io_clusterconfigs.yaml | 10 +++++++ 3 files changed, 40 insertions(+), 9 deletions(-)
diff --git a/docs/helm-charts.md b/docs/helm-charts.md
index 4c9643a0a7cc..c3704426aee6 100644
--- a/docs/helm-charts.md
+++ b/docs/helm-charts.md
@@ -20,6 +20,18 @@ Each chart is processed the same way CLI tool does with following options:
 
 It is possible to customize the timeout by using the `timeout' field.
 
+### Repository configuration
+
+| Field | Default value | Description |
+|----------|---------------|-----------------------------------------------------------------|
+| name | _(required)_ | The repository name |
+| url | _(required)_ | The repository URL |
+| caFile | - | CA bundle file to use when verifying HTTPS-enabled servers |
+| certFile | - | The TLS certificate file to use for HTTPS client authentication |
+| keyfile | - | The TLS key file to use for HTTPS client authentication |
+| username | - | Username for Basic HTTP authentication |
+| password | - | Password for Basic HTTP authentication |
+
 ### Chart configuration
 
 | Field | Default value | Description |
diff --git a/pkg/apis/k0s/v1beta1/extensions.go b/pkg/apis/k0s/v1beta1/extensions.go
index 9a471fb1daad..e97b191fb6c5 100644
--- a/pkg/apis/k0s/v1beta1/extensions.go
+++ b/pkg/apis/k0s/v1beta1/extensions.go
@@ -126,18 +126,27 @@ func (c Chart) Validate() error {
 
 // Repository describes single repository entry. Fields map to the CLI flags for the "helm add" command
 type Repository struct {
- Name string `json:"name"`
- URL string `json:"url"`
- CAFile string `json:"caFile"`
- CertFile string `json:"certFile"`
- Insecure bool `json:"insecure"`
- KeyFile string `json:"keyfile"`
- Username string `json:"username"`
- Password string `json:"password"`
+ // The repository name
+ // +kubebuilder:Validation:Required
+ Name string `json:"name"`
+ // The repository URL
+ // +kubebuilder:Validation:Required
+ URL string `json:"url"`
+ // CA bundle file to use when verifying HTTPS-enabled servers
+ CAFile string `json:"caFile,omitempty"`
+ // The TLS certificate file to use for HTTPS client authentication
+ CertFile string `json:"certFile,omitempty"`
+ Insecure bool `json:"insecure,omitempty"`
+ // The TLS key file to use for HTTPS client authentication
+ KeyFile string `json:"keyfile,omitempty"`
+ // Username for Basic HTTP authentication
+ Username string `json:"username,omitempty"`
+ // Password for Basic HTTP authentication
+ Password string `json:"password,omitempty"`
 }
 
 // Validate performs validation
-func (r Repository) Validate() error {
+func (r *Repository) Validate() error {
 if r.Name == "" {
 return errors.New("repository must have Name field not empty")
 }
diff --git a/static/manifests/k0s/CustomResourceDefinition/k0s.k0sproject.io_clusterconfigs.yaml b/static/manifests/k0s/CustomResourceDefinition/k0s.k0sproject.io_clusterconfigs.yaml
index f1227133d4b8..c58351d57adc 100644
--- a/static/manifests/k0s/CustomResourceDefinition/k0s.k0sproject.io_clusterconfigs.yaml
+++ b/static/manifests/k0s/CustomResourceDefinition/k0s.k0sproject.io_clusterconfigs.yaml
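Review bot: The `+kubebuilder:Validation:Required` markers added above `Name` and `URL` do not appear to have taken effect: the regenerated CRD hunk in this same commit gains only `description` entries and no `required:` list under the repository schema, which is what a recognised marker would have produced. controller-gen spells the marker with a lowercase segment, `// +kubebuilder:validation:Required`, and markers it does not recognise are ignored without an error, so the API server currently accepts a repository entry with no name or URL and the struct-level `Validate` (whose body continues outside the hunk) remains the only check. Suggest correcting both marker lines and regenerating the CRD so the required-ness the commit message describes is actually enforced at admission time.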
@@ -126,20 +126,30 @@ spec:
 Fields map to the CLI flags for the "helm add" command
 properties:
 caFile:
+ description: CA bundle file to use when verifying HTTPS-enabled
+ servers
 type: string
 certFile:
+ description: The TLS certificate file to use for HTTPS
+ client authentication
 type: string
 insecure:
 type: boolean
 keyfile:
+ description: The TLS key file to use for HTTPS client
+ authentication
 type: string
 name:
+ description: The repository name
 type: string
 password:
+ description: Password for Basic HTTP authentication
 type: string
 url:
+ description: The repository URL
 type: string
 username:
+ description: Username for Basic HTTP authentication
 type: string
 type: object
 type: array
From b6afccf1ab1b7b965eea8322072aaec60fa022ff Mon Sep 17 00:00:00 2001 From: Tom Wieczorek Date: Wed, 19 Jun 2024 17:35:03 +0200 Subject: [PATCH 2/2] Enable and document the insecure field for Helm Repos The insecure field exists in the CRD for a long time already. Wire it up, so it can actually be used to enable TLS certificate checks. Signed-off-by: Tom Wieczorek --- docs/helm-charts.md | 19 +++++++-------- pkg/apis/k0s/v1beta1/extensions.go | 23 ++++++++++++------- pkg/apis/k0s/v1beta1/zz_generated.deepcopy.go | 13 +++++++++-- pkg/helm/helm.go | 2 +- .../k0s.k0sproject.io_clusterconfigs.yaml | 16 +++++++------ 5 files changed, 46 insertions(+), 27 deletions(-)
diff --git a/docs/helm-charts.md b/docs/helm-charts.md
index c3704426aee6..a27167f2a61a 100644
--- a/docs/helm-charts.md
+++ b/docs/helm-charts.md
@@ -22,15 +22,16 @@ It is possible to customize the timeout by using the `timeout' field.
 
 ### Repository configuration
 
-| Field | Default value | Description |
-|----------|---------------|-----------------------------------------------------------------|
-| name | _(required)_ | The repository name |
-| url | _(required)_ | The repository URL |
-| caFile | - | CA bundle file to use when verifying HTTPS-enabled servers |
-| certFile | - | The TLS certificate file to use for HTTPS client authentication |
-| keyfile | - | The TLS key file to use for HTTPS client authentication |
-| username | - | Username for Basic HTTP authentication |
-| password | - | Password for Basic HTTP authentication |
+| Field | Default value | Description |
+|----------|---------------|--------------------------------------------------------------------------|
+| name | _(required)_ | The repository name |
+| url | _(required)_ | The repository URL |
+| insecure | true | Whether to skip TLS certificate checks when connecting to the repository |
+| caFile | - | CA bundle file to use when verifying HTTPS-enabled servers |
+| certFile | - | The TLS certificate file to use for HTTPS client authentication |
+| keyfile | - | The TLS key file to use for HTTPS client authentication |
+| username | - | Username for Basic HTTP authentication |
+| password | - | Password for Basic HTTP authentication |
 
 ### Chart configuration
 
diff --git a/pkg/apis/k0s/v1beta1/extensions.go b/pkg/apis/k0s/v1beta1/extensions.go
index e97b191fb6c5..9a8074941c50 100644
--- a/pkg/apis/k0s/v1beta1/extensions.go
+++ b/pkg/apis/k0s/v1beta1/extensions.go
@@ -126,25 +126,32 @@ func (c Chart) Validate() error {
 
 // Repository describes single repository entry. Fields map to the CLI flags for the "helm add" command
 type Repository struct {
- // The repository name
+ // The repository name.
 // +kubebuilder:Validation:Required
 Name string `json:"name"`
- // The repository URL
+ // The repository URL.
 // +kubebuilder:Validation:Required
 URL string `json:"url"`
- // CA bundle file to use when verifying HTTPS-enabled servers
+ // Whether to skip TLS certificate checks when connecting to the repository.
+ Insecure *bool `json:"insecure,omitempty"`
+ // CA bundle file to use when verifying HTTPS-enabled servers.
 CAFile string `json:"caFile,omitempty"`
- // The TLS certificate file to use for HTTPS client authentication
+ // The TLS certificate file to use for HTTPS client authentication.
 CertFile string `json:"certFile,omitempty"`
- Insecure bool `json:"insecure,omitempty"`
- // The TLS key file to use for HTTPS client authentication
+ // The TLS key file to use for HTTPS client authentication.
 KeyFile string `json:"keyfile,omitempty"`
- // Username for Basic HTTP authentication
+ // Username for Basic HTTP authentication.
 Username string `json:"username,omitempty"`
- // Password for Basic HTTP authentication
+ // Password for Basic HTTP authentication.
 Password string `json:"password,omitempty"`
 }
 
+func (r *Repository) IsInsecure() bool {
+ // This defaults to true when not explicitly set to false.
+ // Better have this the other way round in the next API version.
+ return r == nil || r.Insecure == nil || *r.Insecure
+}
+
 // Validate performs validation
 func (r *Repository) Validate() error {
 if r.Name == "" {
diff --git a/pkg/apis/k0s/v1beta1/zz_generated.deepcopy.go b/pkg/apis/k0s/v1beta1/zz_generated.deepcopy.go
index ee2d4b96079d..b266fd07241b 100644
--- a/pkg/apis/k0s/v1beta1/zz_generated.deepcopy.go
+++ b/pkg/apis/k0s/v1beta1/zz_generated.deepcopy.go
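Review bot: `IsInsecure` is a new exported method on an API type with no doc comment, and the security-relevant behaviour — it reports true when `Insecure` is nil, so TLS verification of the repository stays disabled unless a user writes `insecure: false` — is stated only in a comment inside the body. Suggest `// IsInsecure reports whether TLS certificate checks are skipped when connecting to the repository. It is true unless Insecure is explicitly set to false.` above the func. The field comment `// Whether to skip TLS certificate checks when connecting to the repository.` is copied verbatim into the CRD description (see the clusterconfigs.yaml hunk further down), so the default should be stated there too, e.g. `// Whether to skip TLS certificate checks when connecting to the repository. Defaults to true when unset.`; otherwise `kubectl explain` gives no hint that verification is off by default. `Validate` continues outside the hunk.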
@@ -597,7 +597,9 @@ func (in *HelmExtensions) DeepCopyInto(out *HelmExtensions) {
 if in.Repositories != nil {
 in, out := &in.Repositories, &out.Repositories
 *out = make(RepositoriesSettings, len(*in))
- copy(*out, *in)
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
 }
 if in.Charts != nil {
 in, out := &in.Charts, &out.Charts
@@ -895,7 +897,9 @@ func (in RepositoriesSettings) DeepCopyInto(out *RepositoriesSettings) {
 {
 in := &in
 *out = make(RepositoriesSettings, len(*in))
- copy(*out, *in)
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
 }
 }
 
@@ -912,6 +916,11 @@ func (in RepositoriesSettings) DeepCopy() RepositoriesSettings {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Repository) DeepCopyInto(out *Repository) {
 *out = *in
+ if in.Insecure != nil {
+ in, out := &in.Insecure, &out.Insecure
+ *out = new(bool)
+ **out = **in
+ }
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Repository.
diff --git a/pkg/helm/helm.go b/pkg/helm/helm.go
index 8974c3aed4de..f26997ce086a 100644
--- a/pkg/helm/helm.go
+++ b/pkg/helm/helm.go
@@ -128,7 +128,7 @@ func (hc *Commands) AddRepository(repoCfg v1beta1.Repository) error {
 CertFile: repoCfg.CertFile,
 KeyFile: repoCfg.KeyFile,
 CAFile: repoCfg.CAFile,
- InsecureSkipTLSverify: true,
+ InsecureSkipTLSverify: repoCfg.IsInsecure(),
 }
 
 r, err := repo.NewChartRepository(&c, getters)
diff --git a/static/manifests/k0s/CustomResourceDefinition/k0s.k0sproject.io_clusterconfigs.yaml b/static/manifests/k0s/CustomResourceDefinition/k0s.k0sproject.io_clusterconfigs.yaml
index c58351d57adc..b81c5b7b5443 100644
--- a/static/manifests/k0s/CustomResourceDefinition/k0s.k0sproject.io_clusterconfigs.yaml
+++ b/static/manifests/k0s/CustomResourceDefinition/k0s.k0sproject.io_clusterconfigs.yaml
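Review bot: In the helm.go hunk, `InsecureSkipTLSverify: repoCfg.IsInsecure()` keeps certificate verification disabled for every repository that does not explicitly set `insecure: false`, and nothing in `AddRepository` records that this happened. Consider emitting a warning that names `repoCfg.Name` whenever `c.InsecureSkipTLSverify` ends up true, using whichever logger this package already has in scope, so operators can see from the controller logs which Helm repositories are fetched without TLS checks rather than having to infer it from the config default. Calling the pointer-receiver `IsInsecure` on the value parameter `repoCfg` is fine since it is addressable. `AddRepository` starts and ends outside the hunk.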
@@ -127,29 +127,31 @@ spec:
 properties:
 caFile:
 description: CA bundle file to use when verifying HTTPS-enabled
- servers
+ servers.
 type: string
 certFile:
 description: The TLS certificate file to use for HTTPS
- client authentication
+ client authentication.
 type: string
 insecure:
+ description: Whether to skip TLS certificate checks
+ when connecting to the repository.
 type: boolean
 keyfile:
 description: The TLS key file to use for HTTPS client
- authentication
+ authentication.
 type: string
 name:
- description: The repository name
+ description: The repository name.
 type: string
 password:
- description: Password for Basic HTTP authentication
+ description: Password for Basic HTTP authentication.
 type: string
 url:
- description: The repository URL
+ description: The repository URL.
 type: string
 username:
- description: Username for Basic HTTP authentication
+ description: Username for Basic HTTP authentication.
 type: string
 type: object
 type: array