Update Helm to v3.6.1

v3.6.1 is a security update from Helm, and ensures that credentials are
always only passed to the repository host.

For more information, see:
GHSA-56hp-xqp3-w2jf

Signed-off-by: Hidde Beydals <hello@hidde.co>

controllers/helmchart_controller.go

@@ -301,7 +301,10 @@ func (r *HelmChartReconciler) getSource(ctx context.Context, chart sourcev1.Helm
 func (r *HelmChartReconciler) reconcileFromHelmRepository(ctx context.Context,
 	repository sourcev1.HelmRepository, chart sourcev1.HelmChart, force bool) (sourcev1.HelmChart, error) {
 	// Configure ChartRepository getter options
-	var clientOpts []getter.Option
+	clientOpts := []getter.Option{
+		getter.WithTimeout(repository.Spec.Timeout.Duration),
+		getter.WithURL(repository.Spec.URL),
+	}
 	if secret, err := r.getHelmRepositorySecret(ctx, &repository); err != nil {
 		return sourcev1.HelmChartNotReady(chart, sourcev1.AuthenticationFailedReason, err.Error()), err
 	} else if secret != nil {
@@ -311,10 +314,8 @@ func (r *HelmChartReconciler) reconcileFromHelmRepository(ctx context.Context,
 			return sourcev1.HelmChartNotReady(chart, sourcev1.AuthenticationFailedReason, err.Error()), err
 		}
 		defer cleanup()
-
-		clientOpts = opts
+		clientOpts = append(clientOpts, opts...)
 	}
-	clientOpts = append(clientOpts, getter.WithTimeout(repository.Spec.Timeout.Duration))
 
 	// Initialize the chart repository and load the index file
 	chartRepo, err := helm.NewChartRepository(repository.Spec.URL, r.Getters, clientOpts)

controllers/helmrepository_controller.go

@@ -171,7 +171,10 @@ func (r *HelmRepositoryReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 }
 
 func (r *HelmRepositoryReconciler) reconcile(ctx context.Context, repository sourcev1.HelmRepository) (sourcev1.HelmRepository, error) {
-	var clientOpts []getter.Option
+	clientOpts := []getter.Option{
+		getter.WithTimeout(repository.Spec.Timeout.Duration),
+		getter.WithURL(repository.Spec.URL),
+	}
 	if repository.Spec.SecretRef != nil {
 		name := types.NamespacedName{
 			Namespace: repository.GetNamespace(),
@@ -191,9 +194,8 @@ func (r *HelmRepositoryReconciler) reconcile(ctx context.Context, repository sou
 			return sourcev1.HelmRepositoryNotReady(repository, sourcev1.AuthenticationFailedReason, err.Error()), err
 		}
 		defer cleanup()
-		clientOpts = opts
+		clientOpts = append(clientOpts, opts...)
 	}
-	clientOpts = append(clientOpts, getter.WithTimeout(repository.Spec.Timeout.Duration))
 
 	chartRepo, err := helm.NewChartRepository(repository.Spec.URL, r.Getters, clientOpts)
 	if err != nil {

go.mod

@@ -29,7 +29,7 @@ require (
 	golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b
 	golang.org/x/sync v0.0.0-20201207232520-09787c993a3a
 	gotest.tools v2.2.0+incompatible
-	helm.sh/helm/v3 v3.6.0
+	helm.sh/helm/v3 v3.6.1
 	k8s.io/api v0.21.1
 	k8s.io/apimachinery v0.21.1
 	k8s.io/client-go v0.21.1

go.sum

@@ -1247,8 +1247,9 @@ gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81
 gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
 gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
 gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
-helm.sh/helm/v3 v3.6.0 h1:/9IMxJ2lXJHbvTMHcW1AO71lXQHqDC+3bcpGp7yCsb8=
 helm.sh/helm/v3 v3.6.0/go.mod h1:mIIus8EOqj+obtycw3sidsR4ORr2aFDmXMSI3k+oeVY=
+helm.sh/helm/v3 v3.6.1 h1:TQ6q4pAatXr7qh2fbLcb0oNd0I3J7kv26oo5cExKTtc=
+helm.sh/helm/v3 v3.6.1/go.mod h1:mIIus8EOqj+obtycw3sidsR4ORr2aFDmXMSI3k+oeVY=
 honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=