Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[bug] Regression: can't use dockerconfigjson Secret for HelmRepository authentication since 1.1.0 #1218

Closed
artem-nefedov opened this issue Aug 29, 2023 · 5 comments · Fixed by #1220
Closed

[bug] Regression: can't use dockerconfigjson Secret for HelmRepository authentication since 1.1.0 #1218

artem-nefedov opened this issue Aug 29, 2023 · 5 comments · Fixed by #1220
Labels
area/helm Helm related issues and pull requests bug Something isn't working

Comments

@artem-nefedov
Copy link

artem-nefedov commented Aug 29, 2023
edited
Loading

Since release of source-controller 1.1.0 (flux 2.1.0), we see a problem preventing HelmRepository from being reconciled with an error:

✗ HelmRepository reconciliation failed: 'failed to construct Helm client's TLS config: cannot use secret 'secretname' to construct TLS config: invalid secret type: 'kubernetes.io/dockerconfigjson''

We only use secretRef to provide authentication, the Secret doesn't have any TLS-related contents.
Secret in question has is of type "kubernetes.io/dockerconfigjson", and has 3 data fields: .dockerconfigjson, username, and password.
HelmRepository is of regular indexed type (not OCI).

Furthermore, the help for --secret-ref option of flux create source helm command still shows that it can be a docker secret:

      --secret-ref string   the name of an existing secret containing TLS, basic auth or docker-config credentials
@artem-nefedov artem-nefedov changed the title [bug] Regression: can't use dockerconfigjson Secret for authentication since 1.1.0 [bug] Regression: can't use dockerconfigjson Secret for HelmRepository authentication since 1.1.0 Aug 29, 2023
@aryan9600
Copy link
Member

Does switching the Secret to type: Opaque resolve this issue?

@artem-nefedov
Copy link
Author

@aryan9600 I tested it, and yes, type: Opaque works.
But that isn't really a good solution for us, since we use same Secret as imagePullSecret for Pods, as well as secretRef for OCIRepository objects, and would rather keep it that way.
And it was working well since flux 0.x.x times all the way until flux 2.1.0.

@makkes
Copy link
Member

makkes commented Aug 29, 2023

The long-term solution should really be to change the type of your Secret to Opaque as aryan9600 suggested. Why? It is pretty uncommon to use a Secret of type kubernetes.io/dockerconfigjson for anything but serving a JSON-serialized docker config file in the .dockerconfigjson field and it is not unlikely that Flux won't support your particular Secret of that type for long.

@artem-nefedov
Copy link
Author

artem-nefedov commented Aug 29, 2023
edited
Loading

@makkes Even if that's the case, I would at least expect such changes to be explicitly listed as "breaking changes", because it was functionality that was provided before, but isn't anymore.

And the fact that --secret-ref help in cli still shows that secret can be "docker-config credentials" also doesn't help.

@makkes
Copy link
Member

makkes commented Aug 29, 2023

Yes, I'm not disputing this. It was clearly an oversight on our side.

@aryan9600 aryan9600 added bug Something isn't working area/helm Helm related issues and pull requests labels Aug 31, 2023
@aryan9600 aryan9600 mentioned this issue Aug 31, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/helm Helm related issues and pull requests bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

helmrepo: fix Secret type check for TLS via .spec.secretRef fluxcd/source-controller
3 participants
@makkes @artem-nefedov @aryan9600