fix: add tls when get repository index. (#6195)

* fix: add tls when get repository index. Signed-off-by: joyceliu <joyceliu@yunify.com> * Update staging/src/kubesphere.io/utils/helm/repo_index.go Signed-off-by: hongming <coder.scala@gmail.com> * fix: add tls when get repository index. Signed-off-by: joyceliu <joyceliu@yunify.com> --------- Signed-off-by: joyceliu <joyceliu@yunify.com> Signed-off-by: hongming <coder.scala@gmail.com> Co-authored-by: joyceliu <joyceliu@yunify.com> Co-authored-by: hongming <coder.scala@gmail.com>
2024-09-23 15:05:14 +08:00
parent df4553131f
commit ecdffc7d73
11 changed files with 216 additions and 76 deletions
--- a/staging/src/kubesphere.io/api/core/v1alpha1/repository_types.go
+++ b/staging/src/kubesphere.io/api/core/v1alpha1/repository_types.go
@@ -18,14 +18,17 @@ type BasicAuth struct {
 }

 type RepositorySpec struct {
+	// DEPRECATED: the field will remove in future versions, please use url.
 	Image          string          `json:"image,omitempty"`
 	URL            string          `json:"url,omitempty"`
 	Description    string          `json:"description,omitempty"`
 	BasicAuth      *BasicAuth      `json:"basicAuth,omitempty"`
 	UpdateStrategy *UpdateStrategy `json:"updateStrategy,omitempty"`
-	// +optional The caBundle (base64 string) is used in helmExecutor to verify the helm server.
-	// if the caBundle is empty, use --insecure-skip-tls-verify.
+	// The caBundle (base64 string) is used in helmExecutor to verify the helm server.
+	// +optional
 	CABundle string `json:"caBundle,omitempty"`
+	// --insecure-skip-tls-verify. default false
+	Insecure bool `json:"insecure,omitempty"`
 }

 type RepositoryStatus struct {
--- a/staging/src/kubesphere.io/utils/helm/repo_index.go
+++ b/staging/src/kubesphere.io/utils/helm/repo_index.go
@@ -24,7 +24,7 @@ func LoadRepoIndex(ctx context.Context, u string, cred RepoCredential) (*helmrep
 		u = fmt.Sprintf("%s%s", u, IndexYaml)
 	}

-	resp, err := loadData(ctx, u, cred)
+	resp, err := LoadData(ctx, u, cred)
 	if err != nil {
 		return nil, err
 	}
@@ -52,7 +52,7 @@ func loadIndex(data []byte) (*helmrepo.IndexFile, error) {
 	return i, nil
 }

-func loadData(ctx context.Context, u string, cred RepoCredential) (*bytes.Buffer, error) {
+func LoadData(ctx context.Context, u string, cred RepoCredential) (*bytes.Buffer, error) {
 	parsedURL, err := url.Parse(u)
 	if err != nil {
 		return nil, err
@@ -81,18 +81,11 @@ func loadData(ctx context.Context, u string, cred RepoCredential) (*bytes.Buffer

 		resp = bytes.NewBuffer(data)
 	} else {
-		skipTLS := true
-		if cred.InsecureSkipTLSVerify != nil && !*cred.InsecureSkipTLSVerify {
-			skipTLS = false
-		}
-
-		indexURL := parsedURL.String()
 		// TODO add user-agent
 		g, _ := getter.NewHTTPGetter()
-		resp, err = g.Get(indexURL,
+		resp, err = g.Get(parsedURL.String(),
 			getter.WithTimeout(5*time.Minute),
-			getter.WithURL(u),
-			getter.WithInsecureSkipVerifyTLS(skipTLS),
+			getter.WithInsecureSkipVerifyTLS(cred.InsecureSkipTLSVerify),
 			getter.WithTLSClientConfig(cred.CertFile, cred.KeyFile, cred.CAFile),
 			getter.WithBasicAuth(cred.Username, cred.Password),
 		)
@@ -135,7 +128,7 @@ type RepoCredential struct {
 	// verify certificates of HTTPS-enabled servers using this CA bundle
 	CAFile string `json:"caFile,omitempty"`
 	// skip tls certificate checks for the repository, default is ture
-	InsecureSkipTLSVerify *bool `json:"insecureSkipTLSVerify,omitempty"`
+	InsecureSkipTLSVerify bool `json:"insecureSkipTLSVerify,omitempty"`

 	S3Config `json:",inline"`
 }