Enable authentication to private registries in helm-controller #4114

Closed
caroline-suse-rancher opened this issue Apr 12, 2023 · 2 comments
Labels: kind/feature (A large new piece of functionality)

caroline-suse-rancher commented Apr 12, 2023

Is your feature request related to a problem? Please describe.

The HelmChart custom resource does not support authenticating to private repositories. Currently, the HelmChart custom resource does not provide any mechanisms to allow private helm chart repository authentication.

Describe the solution you'd like

The HelmChart custom resource should have an 'authentication secret' field to allow users to provide a secret name containing username and password credentials for private helm chart repository authentication.

Describe alternatives you've considered

No current workarounds

Additional context

Related k3s.io upstream GitHub issues:

can't use private repos
ability to add private registries

Potentially Affected Code:

HelmChartSpec struct declaration
helm-controller job initialization
Args passed to helm job container at runtime

Related PRs:

Support private repository with username and password #34: This PR is for klipper-helm. A PR to allow the helm-controller to receive username/password creds would need to accompany it.
This PR was closed as the solution posed too much of a security risk.

Related Jira ticket: https://jira.suse.com/browse/SURE-4489

brandond commented Sep 8, 2023

Fixed in v1.27.2 but not tested by QA - adding to next milestone.

brandond self-assigned this Sep 8, 2023
ShylajaDevadiga self-assigned this Sep 8, 2023

ShylajaDevadiga commented

Validated using rke2 version v1.27.5+rke2r1

Using the test manifest k3s-io/helm-controller#192 (comment)

$ kubectl get pods -A |grep cert-manager
cert-manager   cert-manager-6d6769565c-2prbz                                         1/1     Running     0          2m45s
cert-manager   cert-manager-cainjector-744bb89575-wvjqd                              1/1     Running     0          2m45s
cert-manager   cert-manager-webhook-759d6dcbf7-wcj62                                 1/1     Running     0          2m45s
kube-system    helm-install-cert-manager-6nmdn                                       0/1     Completed   0          2m58s

$ helm list -A
NAME                            	NAMESPACE   	REVISION	UPDATED                                	STATUS  	CHART                                       	APP VERSION
cert-manager                    	cert-manager	1       	2023-09-14 16:58:44.361081038 +0000 UTC	deployed	cert-manager-v1.11.0                        	v1.11.0  

$ kubectl get secrets -A |grep jet
kube-system    jetstack-auth                                                    kubernetes.io/basic-auth   2      3m33s

From the logs:

$ kubectl logs -n kube-system helm-install-cert-manager-6nmdn 
if [[ ${KUBERNETES_SERVICE_HOST} =~ .*:.* ]]; then
	echo "KUBERNETES_SERVICE_HOST is using IPv6"
	CHART="${CHART//%\{KUBERNETES_API\}%/[${KUBERNETES_SERVICE_HOST}]:${KUBERNETES_SERVICE_PORT}}"
else
	CHART="${CHART//%\{KUBERNETES_API\}%/${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}}"
fi

set +v -x
+ [[ '' != \t\r\u\e ]]
+ export HELM_HOST=127.0.0.1:44134
+ HELM_HOST=127.0.0.1:44134
+ helm_v2 init --skip-refresh --client-only --stable-repo-url https://charts.helm.sh/stable/
+ tiller --listen=127.0.0.1:44134 --storage=secret
[main] 2023/09/14 16:58:43 Starting Tiller v2.17.0 (tls=false)
[main] 2023/09/14 16:58:43 GRPC listening on 127.0.0.1:44134
[main] 2023/09/14 16:58:43 Probes listening on :44135
[main] 2023/09/14 16:58:43 Storage driver is Secret
[main] 2023/09/14 16:58:43 Max history per release is 0
Creating /home/klipper-helm/.helm 
Creating /home/klipper-helm/.helm/repository 
Creating /home/klipper-helm/.helm/repository/cache 
Creating /home/klipper-helm/.helm/repository/local 
Creating /home/klipper-helm/.helm/plugins 
Creating /home/klipper-helm/.helm/starters 
Creating /home/klipper-helm/.helm/cache/archive 
Creating /home/klipper-helm/.helm/repository/repositories.yaml 
Adding stable repo with URL: https://charts.helm.sh/stable/ 
Adding local repo with URL: http://127.0.0.1:8879/charts 
$HELM_HOME has been configured at /home/klipper-helm/.helm.
Not installing Tiller due to 'client-only' flag having been set
++ timeout -s KILL 30 helm_v2 ls --all '^cert-manager$' --output json
++ jq -r '.Releases | length'
[storage] 2023/09/14 16:58:43 listing all releases with filter
+ V2_CHART_EXISTS=
+ [[ '' == \1 ]]
+ [[ '' == \v\2 ]]
+ shopt -s nullglob
+ [[ -f /config/ca-file.pem ]]
+ for CA_FILE in ${CA_DIR}/*
+ echo
+ cat /ca-files/ca.crt
+ [[ -f /tmp/ca-file.pem ]]
+ CA_FILE_ARG='--ca-file /tmp/ca-file.pem'
+ [[ -n '' ]]
+ helm_content_decode
+ set -e
+ ENC_CHART_PATH=/chart/cert-manager.tgz.base64
+ CHART_PATH=/tmp/cert-manager.tgz
+ [[ ! -f /chart/cert-manager.tgz.base64 ]]
+ return
+ [[ install != \d\e\l\e\t\e ]]
+ helm_repo_init
+ grep -q -e 'https\?://'
+ [[ helm_v3 == \h\e\l\m\_\v\3 ]]
+ [[ cert-manager/cert-manager == stable/* ]]
+ [[ -n https://charts.jetstack.io ]]
+ [[ -f /auth/username ]]
+ [[ -f /auth/password ]]
+ [[ helm_v3 == \h\e\l\m\_\v\2 ]]
+ [[ false == \t\r\u\e ]]
+ cat /auth/password
++ cat /auth/username
+ helm_v3 repo add --ca-file /tmp/ca-file.pem --username user --password-stdin cert-manager https://charts.jetstack.io
"cert-manager" has been added to your repositories
+ helm_v3 repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "cert-manager" chart repository
Update Complete. ⎈Happy Helming!⎈
+ helm_update install --namespace cert-manager --version v1.11.0 --set installCRDs=true
+ [[ helm_v3 == \h\e\l\m\_\v\3 ]]
++ helm_v3 ls --all -f '^cert-manager$' --namespace cert-manager --output json
++ tr '[:upper:]' '[:lower:]'
++ jq -r '"\(.[0].app_version),\(.[0].status)"'
+ LINE=null,null
+ IFS=,
+ read -r INSTALLED_VERSION STATUS _
+ VALUES=
+ [[ install = \d\e\l\e\t\e ]]
+ [[ null =~ ^(|null)$ ]]
+ [[ null =~ ^(|null)$ ]]
+ echo 'Installing helm_v3 chart'
+ helm_v3 install --namespace cert-manager --version v1.11.0 --set installCRDs=true cert-manager cert-manager/cert-manager --ca-file /tmp/ca-file.pem
NAME: cert-manager
LAST DEPLOYED: Thu Sep 14 16:58:44 2023
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
cert-manager v1.11.0 has been deployed successfully!
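
In the job log above, the traced `helm_v3 repo add` line shows the username, while the password is read with `cat /auth/password` and handed to `--password-stdin`. The following is an added example, not part of the original thread or of klipper-helm, showing what a `set -x` trace records in each case; `helm_stub`, the temporary directory layout and the credential values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not klipper-helm's script): what a `set -x` trace records when
# a repository password is passed as an argument versus piped on stdin.
# helm_stub, the directory layout and the credential values are constructed.

# Stand-in for the helm CLI: consumes stdin only when asked to, like the
# --password-stdin flag seen in the job log.
helm_stub() {
  case " $* " in *" --password-stdin "*) cat >/dev/null ;; esac
}

# Build a throwaway directory shaped like the mounted secret (/auth/username,
# /auth/password), readable by the current user only. Prints its path.
make_auth_dir() {
  ( umask 077
    d=$(mktemp -d) || exit 1
    printf '%s' 'user' >"$d/username"
    printf '%s' 'S3cr3t-constructed-value' >"$d/password"
    printf '%s\n' "$d" )
}

# Password expanded into argv: the trace prints it verbatim.
add_with_argv() {
  helm_stub repo add --username "$(cat "$1/username")" \
    --password "$(cat "$1/password")" example https://charts.example.invalid
}

# Password piped on stdin: the trace shows only the `cat <path>` command.
add_with_stdin() {
  cat "$1/password" | helm_stub repo add --username "$(cat "$1/username")" \
    --password-stdin example https://charts.example.invalid
}

# Return 0 if the xtrace output of "$1 $2" contains the password value.
trace_leaks_password() {
  trace=$( (set -x; "$1" "$2") 2>&1 >/dev/null )
  case "$trace" in *"$(cat "$2/password")"*) return 0 ;; *) return 1 ;; esac
}

auth_dir=$(make_auth_dir)
for fn in add_with_argv add_with_stdin; do
  if trace_leaks_password "$fn" "$auth_dir"; then
    echo "$fn: password appears in trace"
  else
    echo "$fn: password not in trace"
  fi
done
rm -rf "$auth_dir"
```

The same check can be run against any install script whose trace ends up in pod logs: search the captured trace for the secret value, not for the flag name.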
