add custom CA certificates to system certificates

When a custom CA certificate is provided in a Secret's `caCert` field referenced in `HelmRelease.spec.secretRef` then that CA cert is now added to the list of system certificates instead of it replacing the system certificates. This makes HelmRepositories work in mixed environments where charts are pulled from both, a public repository and a private repository (e.g. through a chart dependency). The test that is added as part of this change will fail without the change and passes with it. closes #866 closes fluxcd/helm-controller#519 Signed-off-by: Max Jonas Werner <[email protected]>
fluxcd · Sep 20, 2022 · e0b7ed8 · e0b7ed8
1 parent 54d706a
commit e0b7ed8
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 2 deletions.
diff --git a/controllers/helmrepository_controller_test.go b/controllers/helmrepository_controller_test.go
@@ -290,13 +290,32 @@ func TestHelmRepositoryReconciler_reconcileSource(t *testing.T) {
 		name             string
 		protocol         string
 		server           options
+		url              string
 		secret           *corev1.Secret
 		beforeFunc       func(t *WithT, obj *sourcev1.HelmRepository, checksum string)
 		afterFunc        func(t *WithT, obj *sourcev1.HelmRepository, artifact sourcev1.Artifact, chartRepo repository.ChartRepository)
 		want             sreconcile.Result
 		wantErr          bool
 		assertConditions []metav1.Condition
 	}{
+		{
+			name:     "HTTPS with secretRef pointing to CA cert but public repo URL succeeds",
+			protocol: "http",
+			url:      "https://stefanprodan.github.io/podinfo",
+			want:     sreconcile.ResultSuccess,
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "ca-file",
+				},
+				Data: map[string][]byte{
+					"caFile": tlsCA,
+				},
+			},
+			assertConditions: []metav1.Condition{
+				*conditions.TrueCondition(sourcev1.ArtifactOutdatedCondition, "NewRevision", "new index revision"),
+				*conditions.TrueCondition(meta.ReconcilingCondition, "NewRevision", "new index revision"),
+			},
+		},
 		{
 			name:     "HTTP without secretRef makes ArtifactOutdated=True",
 			protocol: "http",
@@ -565,10 +584,16 @@ func TestHelmRepositoryReconciler_reconcileSource(t *testing.T) {
 				server.Start()
 				defer server.Stop()
 				obj.Spec.URL = server.URL()
+				if tt.url != "" {
+					obj.Spec.URL = tt.url
+				}
 			case "https":
 				g.Expect(server.StartTLS(tt.server.publicKey, tt.server.privateKey, tt.server.ca, "example.com")).To(Succeed())
 				defer server.Stop()
 				obj.Spec.URL = server.URL()
+				if tt.url != "" {
+					obj.Spec.URL = tt.url
+				}
 			default:
 				t.Fatalf("unsupported protocol %q", tt.protocol)
 			}
@@ -596,7 +621,11 @@ func TestHelmRepositoryReconciler_reconcileSource(t *testing.T) {
 					validSecret = false
 				}
 				clientOpts = append(clientOpts, cOpts...)
-				tOpts, serr = getter.TLSClientConfigFromSecret(*secret, server.URL())
+				repoURL := server.URL()
+				if tt.url != "" {
+					repoURL = tt.url
+				}
+				tOpts, serr = getter.TLSClientConfigFromSecret(*secret, repoURL)
 				if serr != nil {
 					validSecret = false
 				}

diff --git a/internal/helm/getter/getter.go b/internal/helm/getter/getter.go
@@ -81,7 +81,10 @@ func TLSClientConfigFromSecret(secret corev1.Secret, repositoryUrl string) (*tls
 	}
 
 	if len(caBytes) > 0 {
-		cp := x509.NewCertPool()
+		cp, err := x509.SystemCertPool()
+		if err != nil {
+			return nil, fmt.Errorf("cannot retrieve system certificate pool: %w", err)
+		}
 		if !cp.AppendCertsFromPEM(caBytes) {
 			return nil, fmt.Errorf("cannot append certificate into certificate pool: invalid caFile")
 		}