
Commit e9b371b

committed
Backport Helm security patch
Signed-off-by: Hidde Beydals <hello@hidde.co>
1 parent 416392b commit e9b371b

5 files changed

+14
-31
lines changed

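--- a/controllers/gitrepository_controller_test.go
+++ b/controllers/gitrepository_controller_test.go
@@ -26,7 +26,6 @@ import (
 "testing"
 "time"
 
-"github.com/fluxcd/pkg/testserver"
 "github.com/go-git/go-billy/v5/memfs"
 gogit "github.com/go-git/go-git/v5"
 "github.com/go-git/go-git/v5/config"
@@ -40,7 +39,6 @@ import (
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
-utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 "k8s.io/utils/pointer"
 ctrl "sigs.k8s.io/controller-runtime"
 "sigs.k8s.io/controller-runtime/pkg/client"
@@ -52,6 +50,7 @@ import (
 "github.com/fluxcd/pkg/gittestserver"
 "github.com/fluxcd/pkg/runtime/conditions"
 "github.com/fluxcd/pkg/ssh"
+"github.com/fluxcd/pkg/testserver"
 
 sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 "github.com/fluxcd/source-controller/pkg/git"
@@ -316,9 +315,6 @@ func TestGitRepositoryReconciler_reconcileSource_authStrategy(t *testing.T) {
 },
 }
 
-s := runtime.NewScheme()
-utilruntime.Must(corev1.AddToScheme(s))
-
 t.Run(tt.name, func(t *testing.T) {
 g := NewWithT(t)
 
@@ -371,7 +367,7 @@ func TestGitRepositoryReconciler_reconcileSource_authStrategy(t *testing.T) {
 tt.beforeFunc(obj)
 }
 
-builder := fakeclient.NewClientBuilder().WithScheme(s)
+builder := fakeclient.NewClientBuilder().WithScheme(env.GetScheme())
 if secret != nil {
 builder.WithObjects(secret.DeepCopy())
 }
@@ -805,9 +801,7 @@ func TestGitRepositoryReconciler_reconcileInclude(t *testing.T) {
 depObjs = append(depObjs, obj)
 }
 
-s := runtime.NewScheme()
-utilruntime.Must(sourcev1.AddToScheme(s))
-builder := fakeclient.NewClientBuilder().WithScheme(s)
+builder := fakeclient.NewClientBuilder().WithScheme(env.GetScheme())
 if len(tt.dependencies) > 0 {
 builder.WithObjects(depObjs...)
 }
@@ -988,10 +982,7 @@ func TestGitRepositoryReconciler_verifyCommitSignature(t *testing.T) {
 t.Run(tt.name, func(t *testing.T) {
 g := NewWithT(t)
 
-s := runtime.NewScheme()
-utilruntime.Must(corev1.AddToScheme(s))
-
-builder := fakeclient.NewClientBuilder().WithScheme(s)
+builder := fakeclient.NewClientBuilder().WithScheme(env.GetScheme())
 if tt.secret != nil {
 builder.WithObjects(tt.secret)
 }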

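--- a/controllers/helmchart_controller_chart.go
+++ b/controllers/helmchart_controller_chart.go
@@ -211,6 +211,8 @@ func (r *HelmChartReconciler) getRepositoryIndex(ctx context.Context, obj *sourc
 // Configure Helm client getter options
 clientOpts := []getter.Option{
 getter.WithTimeout(obj.Spec.Interval.Duration),
+getter.WithURL(repository.Spec.URL),
+getter.WithPassCredentialsAll(repository.Spec.PassCredentials),
 }
 if repository.Spec.SecretRef != nil {
 name := types.NamespacedName{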
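Review bot: The two added options in getRepositoryIndex carry the security fix, but nothing in the list says why they are there; as far as I know, Helm's HTTP getter uses the `WithURL` host to decide whether basic-auth credentials may accompany a request, and `WithPassCredentialsAll` lifts that restriction. I would add a comment above them, e.g. `// Scope credentials to the repository host; PassCredentials opts in to sending them to other hosts.` The same pair is added by hand in reconcileFromHelmRepository (helmchart_controller_source.go) and reconcileSource (helmrepository_controller.go), so a small shared helper that builds the base option list would keep the three sites from drifting apart. Separately, the context line here passes `obj.Spec.Interval.Duration` as the timeout while the other two sites use `Spec.Timeout`; it is worth confirming that this is intended. The function body continues outside the hunk.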

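--- a/controllers/helmchart_controller_source.go
+++ b/controllers/helmchart_controller_source.go
@@ -88,6 +88,8 @@ func (r *HelmChartReconciler) reconcileFromHelmRepository(ctx context.Context, o
 // Configure Helm client to access repository
 clientOpts := []getter.Option{
 getter.WithTimeout(repository.Spec.Timeout.Duration),
+getter.WithURL(repository.Spec.URL),
+getter.WithPassCredentialsAll(repository.Spec.PassCredentials),
 }
 if repository.Spec.SecretRef != nil {
 // Attempt to retrieve secret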
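Review bot: No test in this commit exercises the `getter.WithURL` / `getter.WithPassCredentialsAll` options added to reconcileFromHelmRepository; the changes to helmchart_controller_source_test.go only swap the fake client's scheme. A table case in TestHelmChartReconciler_reconcileFromHelmRepository_secretRef, using a secret-backed repository whose index points a chart at a different host and run once with `PassCredentials` false and once true, would pin the expectation that credentials stay with the repository host by default. Without such a case, a later refactor of the option list could drop the scoping unnoticed. The function body continues outside the hunk.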

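--- a/controllers/helmchart_controller_source_test.go
+++ b/controllers/helmchart_controller_source_test.go
@@ -15,8 +15,6 @@ import (
 "helm.sh/helm/v3/pkg/chart/loader"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-"k8s.io/apimachinery/pkg/runtime"
-utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 ctrl "sigs.k8s.io/controller-runtime"
 fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
 "sigs.k8s.io/controller-runtime/pkg/log"
@@ -152,10 +150,7 @@ func TestHelmChartReconciler_reconcileFromHelmRepository(t *testing.T) {
 },
 }
 
-s := runtime.NewScheme()
-utilruntime.Must(sourcev1.AddToScheme(s))
-
-builder := fakeclient.NewClientBuilder().WithScheme(s)
+builder := fakeclient.NewClientBuilder().WithScheme(env.GetScheme())
 builder.WithObjects(sourceObj)
 
 r := &HelmChartReconciler{
@@ -371,10 +366,7 @@ func TestHelmChartReconciler_reconcileFromHelmRepository_secretRef(t *testing.T)
 tt.beforeFunc(repository)
 }
 
-s := runtime.NewScheme()
-utilruntime.Must(corev1.AddToScheme(s))
-
-builder := fakeclient.NewClientBuilder().WithScheme(s)
+builder := fakeclient.NewClientBuilder().WithScheme(env.GetScheme())
 secret := tt.secret.DeepCopy()
 if secret != nil {
 builder.WithObjects(secret.DeepCopy())
@@ -460,10 +452,7 @@ func TestHelmChartReconciler_reconcileFromTarballArtifact(t *testing.T) {
 },
 }
 
-s := runtime.NewScheme()
-utilruntime.Must(sourcev1.AddToScheme(s))
-
-builder := fakeclient.NewClientBuilder().WithScheme(s)
+builder := fakeclient.NewClientBuilder().WithScheme(env.GetScheme())
 
 r := &HelmChartReconciler{
 Client: builder.Build(),
@@ -576,10 +565,7 @@ func TestHelmChartReconciler_getSource(t *testing.T) {
 },
 }
 
-s := runtime.NewScheme()
-utilruntime.Must(sourcev1.AddToScheme(s))
-
-builder := fakeclient.NewClientBuilder().WithScheme(s)
+builder := fakeclient.NewClientBuilder().WithScheme(env.GetScheme())
 builder.WithObjects(helmRepo, gitRepo, bucket)
 
 r := &HelmChartReconciler{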

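--- a/controllers/helmrepository_controller.go
+++ b/controllers/helmrepository_controller.go
@@ -247,6 +247,8 @@ func (r *HelmRepositoryReconciler) reconcileSource(ctx context.Context, obj *sou
 // Configure Helm client to access repository
 clientOpts := []getter.Option{
 getter.WithTimeout(obj.Spec.Timeout.Duration),
+getter.WithURL(obj.Spec.URL),
+getter.WithPassCredentialsAll(obj.Spec.PassCredentials),
 }
 if obj.Spec.SecretRef != nil {
 // Attempt to retrieve secret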
