Backport Helm security patch

Signed-off-by: Hidde Beydals <hello@hidde.co>

Author: hiddeco

controllers/gitrepository_controller_test.go

@@ -26,7 +26,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/fluxcd/pkg/testserver"
 	"github.com/go-git/go-billy/v5/memfs"
 	gogit "github.com/go-git/go-git/v5"
 	"github.com/go-git/go-git/v5/config"
@@ -40,7 +39,6 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
-	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/utils/pointer"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -52,6 +50,7 @@ import (
 	"github.com/fluxcd/pkg/gittestserver"
 	"github.com/fluxcd/pkg/runtime/conditions"
 	"github.com/fluxcd/pkg/ssh"
+	"github.com/fluxcd/pkg/testserver"
 
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"github.com/fluxcd/source-controller/pkg/git"
@@ -316,9 +315,6 @@ func TestGitRepositoryReconciler_reconcileSource_authStrategy(t *testing.T) {
 			},
 		}
 
-		s := runtime.NewScheme()
-		utilruntime.Must(corev1.AddToScheme(s))
-
 		t.Run(tt.name, func(t *testing.T) {
 			g := NewWithT(t)
 
@@ -371,7 +367,7 @@ func TestGitRepositoryReconciler_reconcileSource_authStrategy(t *testing.T) {
 				tt.beforeFunc(obj)
 			}
 
-			builder := fakeclient.NewClientBuilder().WithScheme(s)
+			builder := fakeclient.NewClientBuilder().WithScheme(env.GetScheme())
 			if secret != nil {
 				builder.WithObjects(secret.DeepCopy())
 			}
@@ -805,9 +801,7 @@ func TestGitRepositoryReconciler_reconcileInclude(t *testing.T) {
 				depObjs = append(depObjs, obj)
 			}
 
-			s := runtime.NewScheme()
-			utilruntime.Must(sourcev1.AddToScheme(s))
-			builder := fakeclient.NewClientBuilder().WithScheme(s)
+			builder := fakeclient.NewClientBuilder().WithScheme(env.GetScheme())
 			if len(tt.dependencies) > 0 {
 				builder.WithObjects(depObjs...)
 			}
@@ -988,10 +982,7 @@ func TestGitRepositoryReconciler_verifyCommitSignature(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			g := NewWithT(t)
 
-			s := runtime.NewScheme()
-			utilruntime.Must(corev1.AddToScheme(s))
-
-			builder := fakeclient.NewClientBuilder().WithScheme(s)
+			builder := fakeclient.NewClientBuilder().WithScheme(env.GetScheme())
 			if tt.secret != nil {
 				builder.WithObjects(tt.secret)
 			}

controllers/helmchart_controller_chart.go

@@ -211,6 +211,8 @@ func (r *HelmChartReconciler) getRepositoryIndex(ctx context.Context, obj *sourc
 	// Configure Helm client getter options
 	clientOpts := []getter.Option{
 		getter.WithTimeout(obj.Spec.Interval.Duration),
+		getter.WithURL(repository.Spec.URL),
+		getter.WithPassCredentialsAll(repository.Spec.PassCredentials),
 	}
 	if repository.Spec.SecretRef != nil {
 		name := types.NamespacedName{

controllers/helmchart_controller_source.go

@@ -88,6 +88,8 @@ func (r *HelmChartReconciler) reconcileFromHelmRepository(ctx context.Context, o
 	// Configure Helm client to access repository
 	clientOpts := []getter.Option{
 		getter.WithTimeout(repository.Spec.Timeout.Duration),
+		getter.WithURL(repository.Spec.URL),
+		getter.WithPassCredentialsAll(repository.Spec.PassCredentials),
 	}
 	if repository.Spec.SecretRef != nil {
 		// Attempt to retrieve secret

controllers/helmchart_controller_source_test.go

@@ -15,8 +15,6 @@ import (
 	"helm.sh/helm/v3/pkg/chart/loader"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
 	fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"sigs.k8s.io/controller-runtime/pkg/log"
@@ -152,10 +150,7 @@ func TestHelmChartReconciler_reconcileFromHelmRepository(t *testing.T) {
 		},
 	}
 
-	s := runtime.NewScheme()
-	utilruntime.Must(sourcev1.AddToScheme(s))
-
-	builder := fakeclient.NewClientBuilder().WithScheme(s)
+	builder := fakeclient.NewClientBuilder().WithScheme(env.GetScheme())
 	builder.WithObjects(sourceObj)
 
 	r := &HelmChartReconciler{
@@ -371,10 +366,7 @@ func TestHelmChartReconciler_reconcileFromHelmRepository_secretRef(t *testing.T)
 				tt.beforeFunc(repository)
 			}
 
-			s := runtime.NewScheme()
-			utilruntime.Must(corev1.AddToScheme(s))
-
-			builder := fakeclient.NewClientBuilder().WithScheme(s)
+			builder := fakeclient.NewClientBuilder().WithScheme(env.GetScheme())
 			secret := tt.secret.DeepCopy()
 			if secret != nil {
 				builder.WithObjects(secret.DeepCopy())
@@ -460,10 +452,7 @@ func TestHelmChartReconciler_reconcileFromTarballArtifact(t *testing.T) {
 		},
 	}
 
-	s := runtime.NewScheme()
-	utilruntime.Must(sourcev1.AddToScheme(s))
-
-	builder := fakeclient.NewClientBuilder().WithScheme(s)
+	builder := fakeclient.NewClientBuilder().WithScheme(env.GetScheme())
 
 	r := &HelmChartReconciler{
 		Client:  builder.Build(),
@@ -576,10 +565,7 @@ func TestHelmChartReconciler_getSource(t *testing.T) {
 		},
 	}
 
-	s := runtime.NewScheme()
-	utilruntime.Must(sourcev1.AddToScheme(s))
-
-	builder := fakeclient.NewClientBuilder().WithScheme(s)
+	builder := fakeclient.NewClientBuilder().WithScheme(env.GetScheme())
 	builder.WithObjects(helmRepo, gitRepo, bucket)
 
 	r := &HelmChartReconciler{

controllers/helmrepository_controller.go

@@ -247,6 +247,8 @@ func (r *HelmRepositoryReconciler) reconcileSource(ctx context.Context, obj *sou
 	// Configure Helm client to access repository
 	clientOpts := []getter.Option{
 		getter.WithTimeout(obj.Spec.Timeout.Duration),
+		getter.WithURL(obj.Spec.URL),
+		getter.WithPassCredentialsAll(obj.Spec.PassCredentials),
 	}
 	if obj.Spec.SecretRef != nil {
 		// Attempt to retrieve secret