
Commit 5d07419

committed
Update Helm to v3.6.1
v3.6.1 is a security release of Helm, and ensures that credentials are only ever passed to the repository host. For more information, see: GHSA-56hp-xqp3-w2jf Signed-off-by: Hidde Beydals <hello@hidde.co>
1 parent a1581ec commit 5d07419

8 files changed

+71
-10
lines changed


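--- a/api/v1beta1/helmrepository_types.go
+++ b/api/v1beta1/helmrepository_types.go
@@ -45,6 +45,15 @@ type HelmRepositorySpec struct {
 // +optional
 SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
 
+// PassCredentials allows the credentials from the SecretRef to be send to a host
+// that does not match the defined URL.
+// This may be required if the host of the advertised chart URLs in the index
+// differ from the defined URL.
+// Enabling this should be done with caution, as it can potentially result in
+// credentials getting stolen in a MITM-attack.
+// +optional
+PassCredentials bool `json:"passCredentials,omitempty"`
+
 // The interval at which to check the upstream for updates.
 // +required
 Interval metav1.Duration `json:"interval"`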
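Review bot: The new field doc has two grammar slips that will be copied verbatim into the CRD description and the generated API docs: `to be send` should read `to be sent`, and `differ from the defined URL` should read `differs from the defined URL`. It would also help to state the safe default explicitly, since the zero value is what the commit message promises; e.g. add `// When unset (the default), credentials are only sent to the host of the defined URL.` before the caution sentence. HelmRepositorySpec continues outside the hunk.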

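--- a/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml
+++ b/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml
@@ -50,6 +50,9 @@ spec:
 interval:
 description: The interval at which to check the upstream for updates.
 type: string
+passCredentials:
+description: PassCredentials allows the credentials from the SecretRef to be send to a host that does not match the defined URL. This may be required if the host of the advertised chart URLs in the index differ from the defined URL. Enabling this should be done with caution, as it can potentially result in credentials getting stolen in a MITM-attack.
+type: boolean
 secretRef:
 description: The name of the secret containing authentication credentials for the Helm repository. For HTTP/S basic auth the secret must contain username and password fields. For TLS the secret must contain a certFile and keyFile, and/or caCert fields.
 properties: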

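--- a/controllers/helmchart_controller.go
+++ b/controllers/helmchart_controller.go
@@ -301,7 +301,11 @@ func (r *HelmChartReconciler) getSource(ctx context.Context, chart sourcev1.Helm
 func (r *HelmChartReconciler) reconcileFromHelmRepository(ctx context.Context,
 repository sourcev1.HelmRepository, chart sourcev1.HelmChart, force bool) (sourcev1.HelmChart, error) {
 // Configure ChartRepository getter options
-var clientOpts []getter.Option
+clientOpts := []getter.Option{
+getter.WithURL(repository.Spec.URL),
+getter.WithTimeout(repository.Spec.Timeout.Duration),
+getter.WithPassCredentialsAll(repository.Spec.PassCredentials),
+}
 if secret, err := r.getHelmRepositorySecret(ctx, &repository); err != nil {
 return sourcev1.HelmChartNotReady(chart, sourcev1.AuthenticationFailedReason, err.Error()), err
 } else if secret != nil {
@@ -311,10 +315,8 @@ func (r *HelmChartReconciler) reconcileFromHelmRepository(ctx context.Context,
 return sourcev1.HelmChartNotReady(chart, sourcev1.AuthenticationFailedReason, err.Error()), err
 }
 defer cleanup()
-
-clientOpts = opts
+clientOpts = append(clientOpts, opts...)
 }
-clientOpts = append(clientOpts, getter.WithTimeout(repository.Spec.Timeout.Duration))
 
 // Initialize the chart repository and load the index file
 chartRepo, err := helm.NewChartRepository(repository.Spec.URL, r.Getters, clientOpts)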
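Review bot: The three base getter options are now built as an identical literal here and in the reconcile hunk of controllers/helmrepository_controller.go; since WithURL and WithPassCredentialsAll together decide where the SecretRef credentials may go, a drift between the two copies would silently weaken the scoping in one path. A small package-level helper that returns the slice keeps that decision in one place, and is also where a why-comment on WithURL belongs — presumably the Helm getter compares request hosts against this URL before attaching credentials (GHSA-56hp-xqp3-w2jf), which is not obvious from the call site. reconcileFromHelmRepository continues outside the hunk.
```go
// helmRepositoryGetterOptions returns the getter options every request to the
// repository must carry. WithURL and WithPassCredentialsAll control whether
// the SecretRef credentials may leave the repository host, so both controllers
// build them here rather than each keeping its own copy.
func helmRepositoryGetterOptions(repository sourcev1.HelmRepository) []getter.Option {
	return []getter.Option{
		getter.WithURL(repository.Spec.URL),
		getter.WithTimeout(repository.Spec.Timeout.Duration),
		getter.WithPassCredentialsAll(repository.Spec.PassCredentials),
	}
}

// … in reconcileFromHelmRepository, replacing the slice literal …
clientOpts := helmRepositoryGetterOptions(repository)
// … unchanged: secret lookup and append of opts …
```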

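--- a/controllers/helmrepository_controller.go
+++ b/controllers/helmrepository_controller.go
@@ -171,7 +171,11 @@ func (r *HelmRepositoryReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 }
 
 func (r *HelmRepositoryReconciler) reconcile(ctx context.Context, repository sourcev1.HelmRepository) (sourcev1.HelmRepository, error) {
-var clientOpts []getter.Option
+clientOpts := []getter.Option{
+getter.WithURL(repository.Spec.URL),
+getter.WithTimeout(repository.Spec.Timeout.Duration),
+getter.WithPassCredentialsAll(repository.Spec.PassCredentials),
+}
 if repository.Spec.SecretRef != nil {
 name := types.NamespacedName{
 Namespace: repository.GetNamespace(),
@@ -191,9 +195,8 @@ func (r *HelmRepositoryReconciler) reconcile(ctx context.Context, repository sou
 return sourcev1.HelmRepositoryNotReady(repository, sourcev1.AuthenticationFailedReason, err.Error()), err
 }
 defer cleanup()
-clientOpts = opts
+clientOpts = append(clientOpts, opts...)
 }
-clientOpts = append(clientOpts, getter.WithTimeout(repository.Spec.Timeout.Duration))
 
 chartRepo, err := helm.NewChartRepository(repository.Spec.URL, r.Getters, clientOpts)
 if err != nil {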

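--- a/docs/api/source.md
+++ b/docs/api/source.md
@@ -703,6 +703,23 @@ caCert fields.</p>
 </tr>
 <tr>
 <td>
+<code>passCredentials</code><br>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>PassCredentials allows the credentials from the SecretRef to be send to a host
+that does not match the defined URL.
+This may be required if the host of the advertised chart URLs in the index
+differ from the defined URL.
+Enabling this should be done with caution, as it can potentially result in
+credentials getting stolen in a MITM-attack.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>interval</code><br>
 <em>
 <a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration">
@@ -1777,6 +1794,23 @@ caCert fields.</p>
 </tr>
 <tr>
 <td>
+<code>passCredentials</code><br>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>PassCredentials allows the credentials from the SecretRef to be send to a host
+that does not match the defined URL.
+This may be required if the host of the advertised chart URLs in the index
+differ from the defined URL.
+Enabling this should be done with caution, as it can potentially result in
+credentials getting stolen in a MITM-attack.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>interval</code><br>
 <em>
 <a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration">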

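--- a/docs/spec/v1beta1/helmrepositories.md
+++ b/docs/spec/v1beta1/helmrepositories.md
@@ -21,9 +21,18 @@ type HelmRepositorySpec struct {
 // password fields.
 // For TLS the secret must contain a certFile and keyFile, and/or
 // caCert fields.
-// +optional
+// +optional
 SecretRef *corev1.LocalObjectReference `json:"secretRef,omitempty"`
 
+// PassCredentials allows the credentials from the SecretRef to be send to a host
+// that does not match the defined URL.
+// This may be required if the host of the advertised chart URLs in the index
+// differ from the defined URL.
+// Enabling this should be done with caution, as it can potentially result in
+// credentials getting stolen in a MITM-attack.
+// +optional
+PassCredentials bool `json:"passCredentials,omitempty"`
+
 // The interval at which to check the upstream for updates.
 // +required
 Interval metav1.Duration `json:"interval"`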

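--- a/go.mod
+++ b/go.mod
@@ -29,7 +29,7 @@ require (
 golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a
 gotest.tools v2.2.0+incompatible
-helm.sh/helm/v3 v3.6.0
+helm.sh/helm/v3 v3.6.1
 k8s.io/api v0.21.1
 k8s.io/apimachinery v0.21.1
 k8s.io/client-go v0.21.1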

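--- a/go.sum
+++ b/go.sum
@@ -1247,8 +1247,9 @@ gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81
 gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
 gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
 gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
-helm.sh/helm/v3 v3.6.0 h1:/9IMxJ2lXJHbvTMHcW1AO71lXQHqDC+3bcpGp7yCsb8=
 helm.sh/helm/v3 v3.6.0/go.mod h1:mIIus8EOqj+obtycw3sidsR4ORr2aFDmXMSI3k+oeVY=
+helm.sh/helm/v3 v3.6.1 h1:TQ6q4pAatXr7qh2fbLcb0oNd0I3J7kv26oo5cExKTtc=
+helm.sh/helm/v3 v3.6.1/go.mod h1:mIIus8EOqj+obtycw3sidsR4ORr2aFDmXMSI3k+oeVY=
 honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=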
