Add client certificate auth support to HelmChart controller / job image #10124

Closed
brandond opened this issue May 17, 2024 · 1 comment

@brandond
Contributor

Currently the HelmChart spec.authSecret must be a Basic authentication Secret to auth to repos using username and password.

We should add support for TLS Secrets to allow authenticating to chart repos using TLS Client Certificate Authentication.

@fmoral2
Contributor

fmoral2 commented Jun 4, 2024

Validated on Version:

-$ k3s version v1.30.1+k3s-1268779e (1268779e))
 

Environment Details

Infrastructure
Cloud EC2 instance

Node(s) CPU architecture, OS, and Version:
Ubuntu
AMD

Cluster Configuration:
-1 node

example-repo-auth.yaml:

apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
 namespace: kube-system
 name: example-app
spec:
 targetNamespace: kube-system
 createNamespace: true
 version: v1.2.3
 chart: example-app
 repo: https://secure-repo.example.com
 authSecret:
   name: secret-tls2
 # repoCAConfigMap:
 #   name: example-repo-ca
 valuesContent: |-
   image:
     tag: v1.2.2
---
apiVersion: v1
kind: Secret
metadata:
 namespace: kube-system
 name: secret-tls3 
type: kubernetes.io/tls
stringData:
 # values are base64 encoded, which obscures them but does NOT provide
 # any useful level of confidentiality
 tls.crt: |
   test 
 # In this example, the key data is not a real PEM-encoded private key
 tls.key: |
   test==   
---

Steps to validate the fix

  1. start k3s
  2. Validate create auth with tls

Reproduction Issue:

 $ k3s -v
k3s version v1.30.1+k3s-6e6f7995 (6e6f7995)
go version go1.22.2



k logs helm-install-example-app-  -n kube-system

ERROR does not mention creation of TLS 

Error: looks like "https://secure-repo.example.com" is not a valid chart repository or cannot be reached: Get "https://secure-repo.example.com/index.yaml": dial tcp: lookup secure-repo.example.com on 10.43.0.10:53: no such host



Validation Results:

 kubectl create secret tls secret-tls2  --cert=client.crt --key=client.key -n kube-system

kubectl apply -f example-repo-auth.yaml

k logs helm-install-example-app-  -n kube-system


ERROR mentioned that it tried to create TLS

Error: looks like "https://secure-repo.example.com" is not a valid chart repository or cannot be reached: can't create TLS config for client: can't load key pair from cert /auth/tls.crt and key /auth/tls.key: tls: failed to find any PEM data in certificate input



@fmoral2 fmoral2 closed this as completed Jun 4, 2024
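
The message `tls: failed to find any PEM data in certificate input` in the validation log is the error Go's `crypto/tls` returns when the certificate input contains no PEM block, which is what the placeholder `test` values produce. As an added example (not code from k3s, Helm, or this issue), the following Go pre-flight check runs the same kind of key-pair load on a certificate and key before they are stored in a `kubernetes.io/tls` Secret; `checkClientPair` and `samplePair` are hypothetical helpers, and the certificates are constructed throwaway test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// checkClientPair is a hypothetical pre-flight check (not k3s or Helm code): parse the
// pair with crypto/tls, then reject a leaf certificate outside its validity window.
func checkClientPair(certPEM, keyPEM []byte) error {
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return err // placeholder data such as "test" fails here: no PEM block found
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return err
	}
	if now := time.Now(); now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return fmt.Errorf("certificate not valid now (%s to %s)", leaf.NotBefore, leaf.NotAfter)
	}
	return nil
}

// samplePair builds a constructed throwaway self-signed pair, valid 1h (errors ignored).
func samplePair(notBefore time.Time) (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: notBefore, NotAfter: notBefore.Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
}

func main() {
	fmt.Println(checkClientPair([]byte("test\n"), []byte("test==\n"))) // values from the manifest
	crt, key := samplePair(time.Now().Add(-time.Minute))
	fmt.Println(checkClientPair(crt, key))
	_, other := samplePair(time.Now())
	fmt.Println(checkClientPair(crt, other)) // key taken from a different pair
}
```

A nil result only shows that the pair parses, matches, and is inside its validity window; whether the chart repository accepts the certificate is decided by the server.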