HELM-703: Add authentication for Helm chart URLs

frontend/packages/helm-plugin/locales/en/helm-plugin.json

@@ -126,12 +126,16 @@
   "The OCI URL or HTTP/HTTPS tar file for the Helm chart; for example - oci://registry.example.com/charts/mychart or https://example.com/chart-1.0.0.tgz.": "The OCI URL or HTTP/HTTPS tar file for the Helm chart; for example - oci://registry.example.com/charts/mychart or https://example.com/chart-1.0.0.tgz.",
   "Unique name for Helm release.": "Unique name for Helm release.",
   "The version of chart to install.": "The version of chart to install.",
+  "Secret for basic authentication.": "Secret for basic authentication.",
+  "Select a secret": "Select a secret",
+  "A secret with \"username\" and \"password\" keys for OCI/HTTP(S) authentication": "A secret with \"username\" and \"password\" keys for OCI/HTTP(S) authentication",
   "Next": "Next",
   "Install Helm chart from Helm registry.": "Install Helm chart from Helm registry.",
   "Helm release": "Helm release",
   "Complete the form to create a Helm release. The Helm chart authors might have provided some default values.": "Complete the form to create a Helm release. The Helm chart authors might have provided some default values.",
   "Configure Helm release": "Configure Helm release",
   "Version": "Version",
+  "Secret for basic authentication": "Secret for basic authentication",
   "Install": "Install",
   "Back": "Back",
   "Display Name": "Display Name",

frontend/packages/helm-plugin/src/components/forms/url-chart/HelmURLChartForm.tsx

@@ -1,10 +1,21 @@
 import type { FC } from 'react';
-import { useEffect } from 'react';
+import { useEffect, useMemo } from 'react';
 import { TextInputTypes, Grid, GridItem } from '@patternfly/react-core';
 import type { FormikProps } from 'formik';
+import * as fuzzy from 'fuzzysearch';
 import { useTranslation } from 'react-i18next';
 import FormSection from '@console/dev-console/src/components/import/section/FormSection';
-import { InputField, FormFooter, FormBody, FormHeader, FlexForm } from '@console/shared';
+import { useK8sWatchResources } from '@console/internal/components/utils/k8s-watch-hook';
+import { SecretModel } from '@console/internal/models';
+import type { K8sResourceKind } from '@console/internal/module/k8s';
+import {
+  InputField,
+  FormFooter,
+  FormBody,
+  FormHeader,
+  FlexForm,
+  ResourceDropdownField,
+} from '@console/shared';
 import type { HelmURLChartFormData } from './types';
 
 export interface HelmURLChartFormProps {
@@ -17,6 +28,7 @@ const HelmURLChartForm: FC<FormikProps<HelmURLChartFormData> & HelmURLChartFormP
   status,
   isSubmitting,
   onNext,
+  namespace,
   isValid,
   dirty,
   values,
@@ -25,6 +37,34 @@ const HelmURLChartForm: FC<FormikProps<HelmURLChartFormData> & HelmURLChartFormP
 }) => {
   const { t } = useTranslation();
 
+  const autocompleteFilter = (strText: string, item: any): boolean =>
+    fuzzy(strText, item?.props?.name);
+
+  const watchedResources = useK8sWatchResources<{
+    secrets: K8sResourceKind[];
+  }>({
+    secrets: {
+      isList: true,
+      kind: SecretModel.kind,
+      namespace,
+      optional: true,
+    },
+  });
+  const secretResources = useMemo(
+    () => [
+      {
+        data: watchedResources.secrets?.data,
+        loaded: watchedResources.secrets?.loaded,
+        loadError: watchedResources.secrets?.loadError,
+        kind: SecretModel.kind,
+      },
+    ],
+    [
+      watchedResources.secrets?.data,
+      watchedResources.secrets?.loaded,
+      watchedResources.secrets?.loadError,
+    ],
+  );
   const isNextDisabled = !isValid || !dirty || isSubmitting;
 
   // Auto-populate releaseName and chartVersion from URL
@@ -116,6 +156,21 @@ const HelmURLChartForm: FC<FormikProps<HelmURLChartFormData> & HelmURLChartFormP
                 data-test="oci-chart-version"
               />
             </GridItem>
+            <GridItem md={12}>
+              <ResourceDropdownField
+                name="basicAuthSecretName"
+                label={t('helm-plugin~Secret for basic authentication.')}
+                resources={secretResources}
+                dataSelector={['metadata', 'name']}
+                fullWidth
+                placeholder={t('helm-plugin~Select a secret')}
+                showBadge
+                autocompleteFilter={autocompleteFilter}
+                helpText={t(
+                  'helm-plugin~A secret with "username" and "password" keys for OCI/HTTP(S) authentication',
+                )}
+              />
+            </GridItem>
           </Grid>
         </FormSection>
       </FormBody>

frontend/packages/helm-plugin/src/components/forms/url-chart/HelmURLChartInstallPage.tsx

@@ -65,38 +65,48 @@ const HelmURLChartInstallPage: FunctionComponent = () => {
     chartURL: '',
     chartVersion: '',
     namespace,
+    basicAuthSecretName: '',
   };
 
-  const fetchChartData = useCallback(async (chartURL: string, chartVersion: string) => {
-    setIsLoadingChart(true);
-    setChartError(null);
+  const fetchChartData = useCallback(
+    async (chartURL: string, chartVersion: string, basicAuthSecretName: string) => {
+      setIsLoadingChart(true);
+      setChartError(null);
 
-    try {
-      const fullChartURL = getFullChartURL(chartURL, chartVersion);
-      const apiUrl = `/api/helm/chart?url=${encodeURIComponent(fullChartURL)}&noRepo=true`;
+      try {
+        const fullChartURL = getFullChartURL(chartURL, chartVersion);
+        let authParam = '';
+        if (basicAuthSecretName) {
+          authParam = `&basic_auth_secret_name=${encodeURIComponent(basicAuthSecretName)}`;
+        }
+        const apiUrl = `/api/helm/chart?url=${encodeURIComponent(
+          fullChartURL,
+        )}&noRepo=true&namespace=${namespace}${authParam}`;
 
-      const res = await coFetchJSON(apiUrl);
-      const chart: HelmChart = res?.chart || res;
-      const valuesYAML = getChartValuesYAML(chart);
-      const valuesJSON = chart?.values ?? {};
-      const valuesSchema = chart?.schema && JSON.parse(atob(chart?.schema));
+        const res = await coFetchJSON(apiUrl);
+        const chart: HelmChart = res?.chart || res;
+        const valuesYAML = getChartValuesYAML(chart);
+        const valuesJSON = chart?.values ?? {};
+        const valuesSchema = chart?.schema && JSON.parse(atob(chart?.schema));
 
-      setInitialYamlData(valuesYAML);
-      setInitialFormData(valuesJSON as Record<string, unknown>);
-      setInitialFormSchema(valuesSchema);
-      setChartHasValues(!!valuesYAML);
-      setChartData(chart);
-    } catch (e) {
-      setChartError(e as Error);
-    } finally {
-      setIsLoadingChart(false);
-    }
-  }, []);
+        setInitialYamlData(valuesYAML);
+        setInitialFormData(valuesJSON as Record<string, unknown>);
+        setInitialFormSchema(valuesSchema);
+        setChartHasValues(!!valuesYAML);
+        setChartData(chart);
+      } catch (e) {
+        setChartError(e as Error);
+      } finally {
+        setIsLoadingChart(false);
+      }
+    },
+    [namespace],
+  );
 
   const handleNextStep = useCallback(
     (values: HelmURLChartFormData) => {
       setChartDetails(values);
-      fetchChartData(values.chartURL, values.chartVersion);
+      fetchChartData(values.chartURL, values.chartVersion, values.basicAuthSecretName);
       setCurrentStep(WizardStep.ConfigureInstall);
     },
     [fetchChartData],
@@ -112,7 +122,15 @@ const HelmURLChartInstallPage: FunctionComponent = () => {
     values: HelmURLInstallFormData,
     actions: FormikHelpers<HelmURLInstallFormData>,
   ) => {
-    const { releaseName, chartURL, chartVersion, yamlData, formData, editorType } = values;
+    const {
+      releaseName,
+      chartURL,
+      chartVersion,
+      yamlData,
+      formData,
+      editorType,
+      basicAuthSecretName,
+    } = values;
 
     let valuesObj: Record<string, unknown> | undefined;
     if (editorType === EditorType.Form) {
@@ -153,6 +171,7 @@ const HelmURLChartInstallPage: FunctionComponent = () => {
       chart_url: fullChartURL, // eslint-disable-line @typescript-eslint/naming-convention
       ...(chartVersion ? { chart_version: chartVersion } : {}), // eslint-disable-line @typescript-eslint/naming-convention
       ...(valuesObj ? { values: valuesObj } : {}),
+      ...(basicAuthSecretName ? { basic_auth_secret_name: basicAuthSecretName } : {}), // eslint-disable-line @typescript-eslint/naming-convention
       noRepo: true,
     };
 
@@ -197,6 +216,7 @@ const HelmURLChartInstallPage: FunctionComponent = () => {
       chartURL: chartDetails?.chartURL || '',
       chartVersion: chartDetails?.chartVersion || '',
       namespace,
+      basicAuthSecretName: chartDetails?.basicAuthSecretName || '',
       chartName: chartData?.metadata?.name || '',
       appVersion: chartData?.metadata?.appVersion || '',
       chartReadme: getChartReadme(chartData),

frontend/packages/helm-plugin/src/components/forms/url-chart/HelmURLInstallForm.tsx

@@ -2,11 +2,16 @@ import type { ReactNode, FC } from 'react';
 import { useMemo } from 'react';
 import { TextInputTypes, Grid, GridItem, Button, Alert } from '@patternfly/react-core';
 import type { FormikProps } from 'formik';
+import * as fuzzy from 'fuzzysearch';
 import * as _ from 'lodash';
 import { Trans, useTranslation } from 'react-i18next';
 import FormSection from '@console/dev-console/src/components/import/section/FormSection';
+import { useK8sWatchResources } from '@console/internal/components/utils/k8s-watch-hook';
+import { SecretModel } from '@console/internal/models';
+import type { K8sResourceKind } from '@console/internal/module/k8s';
 import {
   InputField,
+  ResourceDropdownField,
   FormFooter,
   FormBody,
   CodeEditorField,
@@ -36,12 +41,44 @@ const HelmURLInstallForm: FC<FormikProps<HelmURLInstallFormData> & HelmURLInstal
   values,
   chartMetaDescription,
   chartError,
+  namespace,
   onBack,
 }) => {
   const { t } = useTranslation();
   const { chartReadme, formData, formSchema } = values;
 
-  const helmReadmeModalLauncher = useHelmReadmeModalLauncher({ readme: chartReadme });
+  const autocompleteFilter = (strText: string, item: string): boolean => fuzzy(strText, item);
+
+  const watchedResources = useK8sWatchResources<{
+    secrets: K8sResourceKind[];
+  }>({
+    secrets: {
+      isList: true,
+      kind: SecretModel.kind,
+      namespace,
+      optional: true,
+    },
+  });
+
+  const secretResources = useMemo(
+    () => [
+      {
+        data: watchedResources.secrets?.data,
+        loaded: watchedResources.secrets?.loaded,
+        loadError: watchedResources.secrets?.loadError,
+        kind: SecretModel.kind,
+      },
+    ],
+    [
+      watchedResources.secrets?.data,
+      watchedResources.secrets?.loaded,
+      watchedResources.secrets?.loadError,
+    ],
+  );
+
+  const helmReadmeModalLauncher = useHelmReadmeModalLauncher({
+    readme: chartReadme,
+  });
 
   const isSubmitDisabled = isSubmitting || !_.isEmpty(errors) || !!chartError;
 
@@ -142,6 +179,22 @@ const HelmURLInstallForm: FC<FormikProps<HelmURLInstallFormData> & HelmURLInstal
                 data-test="chart-version"
               />
             </GridItem>
+            <GridItem xl={3} lg={3} md={12}>
+              <ResourceDropdownField
+                name="basicAuthSecretName"
+                label={t('helm-plugin~Secret for basic authentication')}
+                resources={secretResources}
+                dataSelector={['metadata', 'name']}
+                fullWidth
+                placeholder={t('helm-plugin~Select a secret')}
+                showBadge
+                autocompleteFilter={autocompleteFilter}
+                disabled
+                helpText={t(
+                  'helm-plugin~A secret with "username" and "password" keys for OCI/HTTP(S) authentication',
+                )}
+              />
+            </GridItem>
           </Grid>
         </FormSection>
         {!chartError &&

frontend/packages/helm-plugin/src/components/forms/url-chart/types.ts

@@ -6,6 +6,7 @@ export interface HelmURLChartFormData {
   chartURL: string;
   chartVersion: string;
   namespace: string;
+  basicAuthSecretName?: string;
 }
 
 export interface HelmURLInstallFormData extends HelmURLChartFormData {

frontend/packages/helm-plugin/src/utils/helm-utils.ts

@@ -357,13 +357,15 @@ export const installChartFromURL = (
   chartURL: string,
   chartVersion?: string,
   values?: Record<string, unknown>,
+  basicAuthSecretName?: string,
 ) => {
   return coFetchJSON.post('/api/helm/release/async', {
     namespace,
     name: releaseName,
     chart_url: chartURL, // eslint-disable-line @typescript-eslint/naming-convention
     ...(chartVersion ? { chart_version: chartVersion } : {}), // eslint-disable-line @typescript-eslint/naming-convention
     ...(values ? { values } : {}),
+    ...(basicAuthSecretName ? { basic_auth_secret_name: basicAuthSecretName } : {}), // eslint-disable-line @typescript-eslint/naming-convention
     noRepo: true,
   });
 };

pkg/helm/actions/get_chart.go

@@ -63,13 +63,25 @@ func GetChart(url string, conf *action.Configuration, repositoryNamespace string
 	return loader.Load(chartPath)
 }
 
-func GetChartFromURL(url string, conf *action.Configuration, namespace string, client dynamic.Interface, coreClient corev1client.CoreV1Interface, filesCleanup bool) (*chart.Chart, error) {
+// GetChartFromURL loads a chart from an OCI or direct HTTP(S) URL. basicAuthSecretName names a
+// Secret in namespace with username and password keys when the registry requires authentication.
+func GetChartFromURL(url string, conf *action.Configuration, namespace string, client dynamic.Interface, coreClient corev1client.CoreV1Interface, filesCleanup bool, basicAuthSecretName string) (*chart.Chart, error) {
 
 	if !isValidChartURL(url) {
 		return nil, fmt.Errorf("invalid chart URL: %s, must be oci:// URL or http(s)://*.tgz", url)
 	}
 	cmd := action.NewInstall(conf)
 	cmd.Namespace = namespace
+	if err := applyBasicAuthFromSecret(cmd, coreClient, namespace, basicAuthSecretName); err != nil {
+		return nil, err
+	}
+	if basicAuthSecretName != "" {
+		rc, err := RegistryClientWithBasicAuth(false, false, cmd.Username, cmd.Password)
+		if err != nil {
+			return nil, fmt.Errorf("failed to configure OCI registry client: %w", err)
+		}
+		cmd.SetRegistryClient(rc)
+	}
 	chartLocation, err := cmd.ChartPathOptions.LocateChart(url, settings)
 	if err != nil {
 		return nil, fmt.Errorf("error getting chart from URL: %v", err)

pkg/helm/actions/get_registry.go

@@ -12,14 +12,8 @@ import (
 // newRegistryClient is a package-level variable to allow mocking in tests
 var newRegistryClient = registry.NewClient
 
-func GetDefaultOCIRegistry(conf *action.Configuration) error {
-	return GetOCIRegistry(conf, false, false)
-}
-
-func GetOCIRegistry(conf *action.Configuration, skipTLSVerify bool, plainHTTP bool) error {
-	if conf == nil {
-		return fmt.Errorf("action configuration cannot be nil")
-	}
+// registryClientOptions returns the same options used by GetOCIRegistry for TLS / plain-HTTP behavior.
+func registryClientOptions(skipTLSVerify, plainHTTP bool) []registry.ClientOption {
 	opts := []registry.ClientOption{
 		registry.ClientOptDebug(false),
 	}
@@ -33,7 +27,28 @@ func GetOCIRegistry(conf *action.Configuration, skipTLSVerify bool, plainHTTP bo
 		}
 		opts = append(opts, registry.ClientOptHTTPClient(&http.Client{Transport: transport}))
 	}
-	registryClient, err := newRegistryClient(opts...)
+	return opts
+}
+
+// RegistryClientWithBasicAuth builds a registry.Client with the same TLS/plain-HTTP settings as
+// GetDefaultOCIRegistry (skipTLSVerify=false, plainHTTP=false) plus OCI basic auth.
+// Helm's OCI getter uses Configuration.RegistryClient when set and does not apply ChartPathOptions
+// username/password to that client; credentials must be set on the registry client via ClientOptBasicAuth.
+func RegistryClientWithBasicAuth(skipTLSVerify, plainHTTP bool, username, password string) (*registry.Client, error) {
+	opts := registryClientOptions(skipTLSVerify, plainHTTP)
+	opts = append(opts, registry.ClientOptBasicAuth(username, password))
+	return newRegistryClient(opts...)
+}
+
+func GetDefaultOCIRegistry(conf *action.Configuration) error {
+	return GetOCIRegistry(conf, false, false)
+}
+
+func GetOCIRegistry(conf *action.Configuration, skipTLSVerify bool, plainHTTP bool) error {
+	if conf == nil {
+		return fmt.Errorf("action configuration cannot be nil")
+	}
+	registryClient, err := newRegistryClient(registryClientOptions(skipTLSVerify, plainHTTP)...)
 	if err != nil {
 		return fmt.Errorf("failed to create registry client: %w", err)
 	}