
HELM-613: Reject basic auth over non-HTTPS for Helm chart repositories #16317

Open
sowmya-sl wants to merge 1 commit into openshift:main from sowmya-sl:fix-https-check

Conversation


@sowmya-sl sowmya-sl commented Apr 23, 2026

Enforce HTTPS when basic auth credentials are configured on HelmChartRepository and ProjectHelmChartRepository CRs to prevent sending credentials over plain HTTP. This adds backend server-side validation matching the existing frontend check.

Summary by CodeRabbit

  • Bug Fixes

    • Added validation to reject repository configurations where basic authentication is used with non-HTTPS URLs, failing early with clear error messages.
  • Tests

    • Expanded test coverage for repository configuration validation, including scenarios for basic authentication with both HTTPS and HTTP connections.
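As an added example, not the PR's own code (the page does not show repos.go, so the spec field names, the resolveRepo and secretLookup helpers and the exact error wording below are assumptions for illustration), here is the check the description calls for written in Go: basic auth is rejected unless the repository URL scheme is https, the check runs before any Secret is read so a misconfigured repository fails fast without a credential lookup, and the cases are tabulated with an expected-error substring rather than a bare boolean, the shape the review discussion asks for.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrBasicAuthRequiresHTTPS is a sentinel wrapped into every rejection so
// callers and tests can match on it with errors.Is instead of on wording.
// The message text is an assumption, not the PR's actual error string.
var ErrBasicAuthRequiresHTTPS = errors.New("basic auth is only supported for https repositories")

// repoSpec carries the two spec fields the check depends on. The field names
// are an assumption for this example, not the CRD's actual schema.
type repoSpec struct {
	Name            string
	URL             string
	BasicAuthSecret string // Secret holding the credentials; empty means no basic auth
}

// validateBasicAuthScheme rejects a repository that has basic-auth credentials
// configured but whose URL scheme is not https. Repositories without
// credentials are left alone: the point is not to send a Secret in clear text,
// not to forbid plain-http chart repositories as such.
func validateBasicAuthScheme(spec repoSpec) error {
	if spec.BasicAuthSecret == "" {
		return nil
	}
	u, err := url.Parse(spec.URL)
	if err != nil {
		return fmt.Errorf("repository %q: invalid url %q: %w", spec.Name, spec.URL, err)
	}
	// url.Parse lowercases the scheme; EqualFold keeps the check independent
	// of that detail. A scheme-less (relative) URL has u.Scheme == "" and fails.
	if !strings.EqualFold(u.Scheme, "https") {
		return fmt.Errorf("repository %q: url %q: %w", spec.Name, spec.URL, ErrBasicAuthRequiresHTTPS)
	}
	return nil
}

// secretLookup stands in for the API-server read of the referenced Secret.
type secretLookup func(name string) (user, pass string, err error)

// resolveRepo runs the scheme check before touching any Secret, so an http
// repository with credentials fails fast and never triggers a credential read.
func resolveRepo(spec repoSpec, lookup secretLookup) (user, pass string, err error) {
	if err := validateBasicAuthScheme(spec); err != nil {
		return "", "", err
	}
	if spec.BasicAuthSecret == "" {
		return "", "", nil
	}
	return lookup(spec.BasicAuthSecret)
}

// testCase uses an expected-error substring instead of a bare boolean, so an
// error-path case only passes for the error it names. Empty wantErr means
// success is expected.
type testCase struct {
	name    string
	spec    repoSpec
	wantErr string
}

// runCases evaluates the table and returns a line for every mismatch; an
// empty result means every case behaved as expected.
func runCases(cases []testCase) []string {
	var failures []string
	for _, tc := range cases {
		err := validateBasicAuthScheme(tc.spec)
		switch {
		case tc.wantErr == "" && err != nil:
			failures = append(failures, fmt.Sprintf("%s: unexpected error: %v", tc.name, err))
		case tc.wantErr != "" && err == nil:
			failures = append(failures, fmt.Sprintf("%s: expected error containing %q, got nil", tc.name, tc.wantErr))
		case tc.wantErr != "" && !strings.Contains(err.Error(), tc.wantErr):
			failures = append(failures, fmt.Sprintf("%s: error %q does not contain %q", tc.name, err, tc.wantErr))
		}
	}
	return failures
}

// sampleCases is a constructed table covering the valid and invalid shapes.
func sampleCases() []testCase {
	return []testCase{
		{name: "https with basic auth", spec: repoSpec{Name: "repo1", URL: "https://charts.example.com", BasicAuthSecret: "creds"}},
		{name: "uppercase scheme with basic auth", spec: repoSpec{Name: "repo2", URL: "HTTPS://charts.example.com", BasicAuthSecret: "creds"}},
		{name: "plain http without credentials stays allowed", spec: repoSpec{Name: "repo3", URL: "http://charts.example.com"}},
		{name: "http with basic auth", spec: repoSpec{Name: "repo4", URL: "http://charts.example.com", BasicAuthSecret: "creds"}, wantErr: "basic auth is only supported for https"},
		{name: "scheme-less url with basic auth", spec: repoSpec{Name: "repo5", URL: "charts.example.com/stable", BasicAuthSecret: "creds"}, wantErr: "basic auth is only supported for https"},
		{name: "unparseable url with basic auth", spec: repoSpec{Name: "repo6", URL: "://charts.example.com", BasicAuthSecret: "creds"}, wantErr: "invalid url"},
	}
}

func main() {
	failures := runCases(sampleCases())
	for _, f := range failures {
		fmt.Println("FAIL:", f)
	}
	if len(failures) == 0 {
		fmt.Println("all cases behaved as expected")
	}
}
```

The rejection wraps a sentinel so tests can use errors.Is while the message still names the repository and URL for the operator; a repository without credentials is accepted on any scheme, which matches the PR's scope of protecting the Secret rather than banning plain-http charts.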

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Apr 23, 2026

openshift-ci-robot commented Apr 23, 2026

@sowmya-sl: This pull request references HELM-613 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Enforce HTTPS when basic auth credentials are configured on HelmChartRepository and ProjectHelmChartRepository CRs to prevent sending credentials over plain HTTP. This adds server-side validation matching the existing frontend check.

Analysis / Root cause:

Solution description:

Screenshots / screen recording:

Test setup:

Test cases:

Browser conformance:

  • Chrome
  • Firefox
  • Safari (or Epiphany on Linux)

Additional info:

Reviewers and assignees:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot requested review from martinszuc and webbnh April 23, 2026 08:13
@openshift-ci openshift-ci Bot added component/backend Related to backend approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Apr 23, 2026

coderabbitai Bot commented Apr 23, 2026

📝 Walkthrough

Walkthrough

The changes add scheme validation for Helm repositories configured with basic authentication, enforcing HTTPS URLs. When a repository has basic auth configuration but is not HTTPS, the unmarshalling now fails early with a descriptive error. The test suite is updated to parametrize the clusterScoped boolean across test cases and includes new coverage validating basic auth constraints. Test cases exercise both valid (HTTPS with cluster scope) and invalid (HTTP) configurations to ensure the validation logic operates correctly.

🚥 Pre-merge checks | ✅ 9 | ❌ 3

❌ Failed checks (3 warnings)

  • Docstring Coverage (Warning): Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
  • Test Structure And Quality (Warning): Test code lacks deferred cleanup, assertions are missing diagnostic messages, one test case validates secret lookup rather than HTTPS enforcement, and hardcoded sleep values are used instead of proper timeout management. Resolution: use t.Cleanup() for resource cleanup, add diagnostic messages to all assertions, fix the cluster-scope basic-auth test to validate the success path, and replace hardcoded sleeps with context-based timeouts.
  • Description check (Warning): The PR description lacks the required template sections and the detailed context about analysis, solution, test cases and setup needed for thorough review and verification. Resolution: complete the PR description template by filling in Analysis/Root cause, Solution description (beyond a one-liner), Test setup, Test cases, and any relevant additional info about the validation logic and edge cases.

✅ Passed checks (9 passed)

  • Title check (Passed): The title clearly and specifically describes the main change, enforcing the HTTPS requirement for basic auth in Helm chart repositories, matching the code changes in the PR.
  • Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names (Passed): The custom check targets Ginkgo test constructs, but the pull request modifies standard Go table-driven tests without Ginkgo, so this check is not applicable.
  • Microshift Test Compatibility (Passed): The pull request modifies only standard Go unit tests in pkg/helm/chartproxy/repos_test.go using the testing.T pattern, not Ginkgo e2e tests, so this MicroShift compatibility check is not applicable.
  • Single Node Openshift (Sno) Test Compatibility (Passed): The PR contains standard Go unit tests in repos_test.go, not Ginkgo e2e tests; the custom check targets Ginkgo e2e tests with SNO compatibility concerns, so it is not applicable.
  • Topology-Aware Scheduling Compatibility (Passed): The PR modifies Helm chart repository validation logic to enforce HTTPS with basic auth credentials, a security check rather than a scheduling constraint. It contains no deployment manifests, operator code, controllers, or topology-related assumptions.
  • Ote Binary Stdout Contract (Passed): The PR introduces validation logic and test cases for basic auth enforcement; no process-level stdout writes violate the OTE Binary Stdout Contract.
  • Ipv6 And Disconnected Network Test Compatibility (Passed): Changes are Go unit tests using the testing.T framework, not Ginkgo e2e tests. No IPv4 assumptions, external connectivity requirements, or network dependencies detected.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
pkg/helm/chartproxy/repos_test.go (1)

618-643: Tighten the HTTP negative test to assert the expected error reason.

Line 639 currently accepts any error. Prefer checking that error text matches the HTTPS enforcement path, so this test can’t pass for unrelated failures. (Also, there’s a typo in the test name: “respositories”.)

Suggested assertion refinement
 tests := []struct {
 	name            string
 	helmCRS         *unstructured.Unstructured
 	repoName        string
 	wantsErr        bool
+	errContains     string
 	createSecret    bool
 	namespace       string
 	createNamespace bool
 	clusterScoped   bool
 }{
@@
 		{
-			name: "Basic auth is supported only for https respositories",
+			name: "Basic auth is supported only for https repositories",
@@
 			repoName:        "repo7",
 			wantsErr:        true,
+			errContains:     "basic auth is only supported for https repository",
 			createSecret:    false,
 			createNamespace: false,
 			clusterScoped:   false,
 		},
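Review bot: the literal asserted at the added `errContains: "basic auth is only supported for https repository"` line is an exact, case-sensitive substring once it reaches `require.ErrorContains`, and the comment body only says the message must mention "basic auth" and "https"; confirm the string against the error actually returned at repos.go lines 231-233 before adopting it, or assert the two words separately, otherwise a wording or pluralization difference fails the tightened test rather than catching a regression.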
@@
-			if tt.wantsErr {
-				require.Error(t, err)
+			if tt.wantsErr {
+				require.Error(t, err)
+				if tt.errContains != "" {
+					require.ErrorContains(t, err, tt.errContains)
+				}
 			} else {
 				require.NoError(t, err)
 			}
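Review bot: because `errContains` is optional, a case with `wantsErr: true` and no `errContains` still passes on any error, which is the looseness this comment set out to close; if the field is adopted, make it the expectation itself (a non-empty string requires a matching error, an empty one requires success), as the other reviewer suggests further down, so every error-path case must name its error. Also, the hunk removes and re-adds the identical `if tt.wantsErr {` / `require.Error(t, err)` lines before inserting the new branch, which is diff churn without a code change.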
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/helm/chartproxy/repos_test.go` around lines 618 - 643, Update the
negative test so it asserts the specific HTTPS-enforcement error instead of any
error and fix the typo in the test name: rename the case title string "Basic
auth is supported only for https respositories" to "Basic auth is supported only
for https repositories" and, where the test currently checks wantsErr == true,
replace the loose check with an assertion that the returned error message
contains both "basic auth" and "https" (or otherwise matches the specific
enforcement error text from the validation logic); locate the failing test case
by the helmCRS object literal and the test case name and add the tighter error
message assertion there.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/helm/chartproxy/repos_test.go`:
- Around line 590-616: The HTTPS cluster-scope test case "Basic auth is
supported for https repositories - cluster scope" is asserting the wrong
outcome; update the test case so it expects success by setting wantsErr: false
and ensure the referenced secret exists by setting createSecret: true (leave
createNamespace as-is since cluster-scoped tests use an empty namespace). Modify
the test case fields wantsErr and createSecret in the HelmChartRepository test
table to reflect the intended success path.


📥 Commits

Reviewing files that changed from the base of the PR and between 412dd25 and a913d31.

📒 Files selected for processing (2)
  • pkg/helm/chartproxy/repos.go
  • pkg/helm/chartproxy/repos_test.go
📜 Review details
🔇 Additional comments (2)
pkg/helm/chartproxy/repos.go (1)

231-233: Security check is correctly placed and fail-fast.

Line 231-Line 233 correctly enforce HTTPS before any basic-auth secret retrieval, which is the right security boundary.

pkg/helm/chartproxy/repos_test.go (1)

534-535: Good improvement: scope is now part of test inputs.

Passing clusterScoped through to Line 670 is a solid testability improvement for cluster-vs-namespace behavior.

Also applies to: 562-563, 588-589, 670-670

Commit message:

Enforce HTTPS when basic auth credentials are configured on
HelmChartRepository and ProjectHelmChartRepository CRs to prevent
sending credentials over plain HTTP. This adds server-side validation
matching the existing frontend check.

openshift-ci Bot commented Apr 23, 2026

@sowmya-sl: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


@webbnh webbnh left a comment


The change looks good to me, but Code Rabbit identified a couple of things that you should consider addressing.

/lgtm

clusterScoped: true,
},
{
name: "Basic auth is supported only for https respositories",


As Code Rabbit pointed out, you've got an extra 's' in "repositories", here.

},
},
repoName: "repo7",
wantsErr: true,


I concur with Code Rabbit that it would be better if wantsErr identified the expected error rather than being just a boolean. (That is, it could be nil or an empty string for the non-error case, and an error or a string to match in the error case.) That way, the test would only pass if it received the right error response, and we wouldn't get a false positive in other cases.

Since none of the existing test cases test error paths, it wouldn't be too hard to make this change.

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Apr 24, 2026

openshift-ci Bot commented Apr 24, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sowmya-sl, webbnh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
