helmrepo: only configure tls login option when required

Modify `GetHelmClientOpts()` to only configure the TLS login option when an authentication login option is configured. This prevents the reconciler from trying to authenticate against public registries. Signed-off-by: Sanskar Jaiswal <[email protected]>
fluxcd · Nov 22, 2023 · dfcede0 · dfcede0
1 parent 9ae35e9
commit dfcede0
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 17 deletions.
diff --git a/internal/controller/helmchart_controller_test.go b/internal/controller/helmchart_controller_test.go
@@ -2376,22 +2376,31 @@ func TestHelmChartReconciler_reconcileSourceFromOCI_authStrategy(t *testing.T) {
 			},
 		},
 		{
-			name: "HTTPS With CA cert",
+			name: "HTTPS With CA cert only",
 			want: sreconcile.ResultSuccess,
 			registryOpts: registryOptions{
-				withTLS:            true,
-				withClientCertAuth: true,
-			},
-			secretOpts: secretOptions{
-				username: testRegistryUsername,
-				password: testRegistryPassword,
+				withTLS: true,
 			},
-			secret: &corev1.Secret{
+			certSecret: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
-					Name: "auth-secretref",
+					Name: "certs-secretref",
 				},
-				Type: corev1.SecretTypeDockerConfigJson,
-				Data: map[string][]byte{},
+				Type: corev1.SecretTypeOpaque,
+				Data: map[string][]byte{
+					"ca.crt": tlsCA,
+				},
+			},
+			assertConditions: []metav1.Condition{
+				*conditions.TrueCondition(meta.ReconcilingCondition, meta.ProgressingReason, "building artifact: pulled 'helmchart' chart with version '0.1.0'"),
+				*conditions.UnknownCondition(meta.ReadyCondition, meta.ProgressingReason, "building artifact: pulled 'helmchart' chart with version '0.1.0'"),
+			},
+		},
+		{
+			name: "HTTPS With CA cert and client cert auth",
+			want: sreconcile.ResultSuccess,
+			registryOpts: registryOptions{
+				withTLS:            true,
+				withClientCertAuth: true,
 			},
 			certSecret: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
@@ -2526,8 +2535,12 @@ func TestHelmChartReconciler_reconcileSourceFromOCI_authStrategy(t *testing.T) {
 			sp := patch.NewSerialPatcher(obj, r.Client)
 
 			got, err := r.reconcileSource(ctx, sp, obj, &b)
-			g.Expect(err != nil).To(Equal(tt.wantErr))
-			g.Expect(got).To(Equal(tt.want))
+			if tt.wantErr {
+				g.Expect(err).To(HaveOccurred())
+			} else {
+				g.Expect(err).ToNot(HaveOccurred())
+				g.Expect(got).To(Equal(tt.want))
+			}
 			g.Expect(obj.Status.Conditions).To(conditions.MatchConditions(tt.assertConditions))
 		})
 	}

diff --git a/internal/helm/getter/client_opts.go b/internal/helm/getter/client_opts.go
@@ -162,10 +162,10 @@ func GetClientOpts(ctx context.Context, c client.Client, obj *helmv1.HelmReposit
 		}
 		if loginOpt != nil {
 			hrOpts.RegLoginOpts = []helmreg.LoginOption{loginOpt}
-		}
-		tlsLoginOpt := registry.TLSLoginOption(certFile, keyFile, caFile)
-		if tlsLoginOpt != nil {
-			hrOpts.RegLoginOpts = append(hrOpts.RegLoginOpts, tlsLoginOpt)
+			tlsLoginOpt := registry.TLSLoginOption(certFile, keyFile, caFile)
+			if tlsLoginOpt != nil {
+				hrOpts.RegLoginOpts = append(hrOpts.RegLoginOpts, tlsLoginOpt)
+			}
 		}
 	}
 	if deprecatedTLSConfig {