Helm: allow configuration of TLS certs without CA

Author: hiddeco

controllers/helmrepository_controller_test.go

@@ -310,7 +310,6 @@ var _ = Describe("HelmRepositoryReconciler", func() {
 
 			By("Expecting missing field error")
 			secret.Data["certFile"] = examplePublicKey
-			secret.Data["keyFile"] = examplePrivateKey
 			Expect(k8sClient.Update(context.Background(), secret)).Should(Succeed())
 			Eventually(func() bool {
 				got := &sourcev1.HelmRepository{}
@@ -324,6 +323,7 @@ var _ = Describe("HelmRepositoryReconciler", func() {
 			}, timeout, interval).Should(BeTrue())
 
 			By("Expecting artifact")
+			secret.Data["keyFile"] = examplePrivateKey
 			secret.Data["caFile"] = exampleCA
 			Expect(k8sClient.Update(context.Background(), secret)).Should(Succeed())
 			Eventually(func() bool {

internal/helm/getter.go

@@ -61,8 +61,8 @@ func TLSClientConfigFromSecret(secret corev1.Secret) (getter.Option, func(), err
 	switch {
 	case len(certBytes)+len(keyBytes)+len(caBytes) == 0:
 		return nil, nil, nil
-	case len(certBytes) == 0 || len(keyBytes) == 0 || len(caBytes) == 0:
-		return nil, nil, fmt.Errorf("invalid '%s' secret data: required fields 'certFile', 'keyFile' and 'caFile'",
+	case (len(certBytes) > 0 && len(keyBytes) == 0) || (len(keyBytes) > 0 && len(certBytes) == 0):
+		return nil, nil, fmt.Errorf("invalid '%s' secret data: fields 'certFile' and 'keyFile' require each other's presence",
 			secret.Name)
 	}
 
@@ -73,20 +73,27 @@ func TLSClientConfigFromSecret(secret corev1.Secret) (getter.Option, func(), err
 	}
 	cleanup := func() { os.RemoveAll(tmp) }
 
-	certFile := filepath.Join(tmp, "cert.crt")
-	if err := ioutil.WriteFile(certFile, certBytes, 0644); err != nil {
-		cleanup()
-		return nil, nil, err
-	}
-	keyFile := filepath.Join(tmp, "key.crt")
-	if err := ioutil.WriteFile(keyFile, keyBytes, 0644); err != nil {
-		cleanup()
-		return nil, nil, err
+	var certFile, keyFile, caFile string
+
+	if len(certBytes) > 0 && len(keyBytes) > 0 {
+		certFile = filepath.Join(tmp, "cert.crt")
+		if err := ioutil.WriteFile(certFile, certBytes, 0644); err != nil {
+			cleanup()
+			return nil, nil, err
+		}
+		keyFile = filepath.Join(tmp, "key.crt")
+		if err := ioutil.WriteFile(keyFile, keyBytes, 0644); err != nil {
+			cleanup()
+			return nil, nil, err
+		}
 	}
-	caFile := filepath.Join(tmp, "ca.pem")
-	if err := ioutil.WriteFile(caFile, caBytes, 0644); err != nil {
-		cleanup()
-		return nil, nil, err
+
+	if len(caBytes) > 0 {
+		caFile = filepath.Join(tmp, "ca.pem")
+		if err := ioutil.WriteFile(caFile, caBytes, 0644); err != nil {
+			cleanup()
+			return nil, nil, err
+		}
 	}
 
 	return getter.WithTLSClientConfig(certFile, keyFile, caFile), cleanup, nil

internal/helm/getter_test.go

@@ -114,7 +114,7 @@ func TestTLSClientConfigFromSecret(t *testing.T) {
 		{"certFile, keyFile and caFile", tlsSecretFixture, nil, false, false},
 		{"without certFile", tlsSecretFixture, func(s *corev1.Secret) { delete(s.Data, "certFile") }, true, true},
 		{"without keyFile", tlsSecretFixture, func(s *corev1.Secret) { delete(s.Data, "keyFile") }, true, true},
-		{"without caFile", tlsSecretFixture, func(s *corev1.Secret) { delete(s.Data, "caFile") }, true, true},
+		{"without caFile", tlsSecretFixture, func(s *corev1.Secret) { delete(s.Data, "caFile") }, false, false},
 		{"empty", corev1.Secret{}, nil, false, true},
 	}
 	for _, tt := range tests {