diff --git a/cmd/helm/flags.go b/cmd/helm/flags.go index 3f89aae29..a8f25cb35 100644 --- a/cmd/helm/flags.go +++ b/cmd/helm/flags.go @@ -61,6 +61,7 @@ func addChartPathOptionsFlags(f *pflag.FlagSet, c *action.ChartPathOptions) { f.StringVar(&c.CertFile, "cert-file", "", "identify HTTPS client using this SSL certificate file") f.StringVar(&c.KeyFile, "key-file", "", "identify HTTPS client using this SSL key file") f.BoolVar(&c.InsecureSkipTLSverify, "insecure-skip-tls-verify", false, "skip tls certificate checks for the chart download") + f.BoolVar(&c.PlainHTTP, "plain-http", false, "use insecure HTTP connections for the chart download") f.StringVar(&c.CaFile, "ca-file", "", "verify certificates of HTTPS-enabled servers using this CA bundle") f.BoolVar(&c.PassCredentialsAll, "pass-credentials", false, "pass credentials to all domains") } diff --git a/cmd/helm/install.go b/cmd/helm/install.go index 13c674066..7a23fa71f 100644 --- a/cmd/helm/install.go +++ b/cmd/helm/install.go @@ -136,7 +136,8 @@ func newInstallCmd(cfg *action.Configuration, out io.Writer) *cobra.Command { return compInstall(args, toComplete, client) }, RunE: func(_ *cobra.Command, args []string) error { - registryClient, err := newRegistryClient(client.CertFile, client.KeyFile, client.CaFile, client.InsecureSkipTLSverify) + registryClient, err := newRegistryClient(client.CertFile, client.KeyFile, client.CaFile, + client.InsecureSkipTLSverify, client.PlainHTTP) if err != nil { return fmt.Errorf("missing registry client: %w", err) } diff --git a/cmd/helm/pull.go b/cmd/helm/pull.go index 2d3747f28..af3092aff 100644 --- a/cmd/helm/pull.go +++ b/cmd/helm/pull.go @@ -64,7 +64,8 @@ func newPullCmd(cfg *action.Configuration, out io.Writer) *cobra.Command { client.Version = ">0.0.0-0" } - registryClient, err := newRegistryClient(client.CertFile, client.KeyFile, client.CaFile, client.InsecureSkipTLSverify) + registryClient, err := newRegistryClient(client.CertFile, client.KeyFile, client.CaFile, + client.InsecureSkipTLSverify, client.PlainHTTP) if err != nil { return fmt.Errorf("missing registry client: %w", err) } diff --git a/cmd/helm/push.go b/cmd/helm/push.go index b1e3e60af..3375155ed 100644 --- a/cmd/helm/push.go +++ b/cmd/helm/push.go @@ -39,6 +39,7 @@ type registryPushOptions struct { keyFile string caFile string insecureSkipTLSverify bool + plainHTTP bool } func newPushCmd(cfg *action.Configuration, out io.Writer) *cobra.Command { @@ -67,7 +68,7 @@ func newPushCmd(cfg *action.Configuration, out io.Writer) *cobra.Command { return nil, cobra.ShellCompDirectiveNoFileComp }, RunE: func(cmd *cobra.Command, args []string) error { - registryClient, err := newRegistryClient(o.certFile, o.keyFile, o.caFile, o.insecureSkipTLSverify) + registryClient, err := newRegistryClient(o.certFile, o.keyFile, o.caFile, o.insecureSkipTLSverify, o.plainHTTP) if err != nil { return fmt.Errorf("missing registry client: %w", err) } @@ -77,6 +78,7 @@ func newPushCmd(cfg *action.Configuration, out io.Writer) *cobra.Command { client := action.NewPushWithOpts(action.WithPushConfig(cfg), action.WithTLSClientConfig(o.certFile, o.keyFile, o.caFile), action.WithInsecureSkipTLSVerify(o.insecureSkipTLSverify), + action.WithPlainHTTP(o.plainHTTP), action.WithPushOptWriter(out)) client.Settings = settings output, err := client.Run(chartRef, remote) @@ -93,6 +95,7 @@ func newPushCmd(cfg *action.Configuration, out io.Writer) *cobra.Command { f.StringVar(&o.keyFile, "key-file", "", "identify registry client using this SSL key file") f.StringVar(&o.caFile, "ca-file", "", "verify certificates of HTTPS-enabled servers using this CA bundle") f.BoolVar(&o.insecureSkipTLSverify, "insecure-skip-tls-verify", false, "skip tls certificate checks for the chart upload") + f.BoolVar(&o.plainHTTP, "plain-http", false, "use insecure HTTP connections for the chart upload") return cmd } diff --git a/cmd/helm/root.go b/cmd/helm/root.go index 5bccdf5bf..dd95b1df2 100644 --- a/cmd/helm/root.go +++ b/cmd/helm/root.go @@ -152,7 +152,7 @@ func newRootCmd(actionConfig *action.Configuration, out io.Writer, args []string flags.ParseErrorsWhitelist.UnknownFlags = true flags.Parse(args) - registryClient, err := newDefaultRegistryClient() + registryClient, err := newDefaultRegistryClient(false) if err != nil { return nil, err } @@ -257,7 +257,7 @@ func checkForExpiredRepos(repofile string) { } -func newRegistryClient(certFile, keyFile, caFile string, insecureSkipTLSverify bool) (*registry.Client, error) { +func newRegistryClient(certFile, keyFile, caFile string, insecureSkipTLSverify, plainHTTP bool) (*registry.Client, error) { if certFile != "" && keyFile != "" || caFile != "" || insecureSkipTLSverify { registryClient, err := newRegistryClientWithTLS(certFile, keyFile, caFile, insecureSkipTLSverify) if err != nil { @@ -265,21 +265,26 @@ func newRegistryClient(certFile, keyFile, caFile string, insecureSkipTLSverify b } return registryClient, nil } - registryClient, err := newDefaultRegistryClient() + registryClient, err := newDefaultRegistryClient(plainHTTP) if err != nil { return nil, err } return registryClient, nil } -func newDefaultRegistryClient() (*registry.Client, error) { - // Create a new registry client - registryClient, err := registry.NewClient( +func newDefaultRegistryClient(plainHTTP bool) (*registry.Client, error) { + opts := []registry.ClientOption{ registry.ClientOptDebug(settings.Debug), registry.ClientOptEnableCache(true), registry.ClientOptWriter(os.Stderr), registry.ClientOptCredentialsFile(settings.RegistryConfig), - ) + } + if plainHTTP { + opts = append(opts, registry.ClientOptPlainHTTP()) + } + + // Create a new registry client + registryClient, err := registry.NewClient(opts...) if err != nil { return nil, err } diff --git a/cmd/helm/show.go b/cmd/helm/show.go index a2edd1931..28eb9756d 100644 --- a/cmd/helm/show.go +++ b/cmd/helm/show.go @@ -226,7 +226,8 @@ func runShow(args []string, client *action.Show) (string, error) { } func addRegistryClient(client *action.Show) error { - registryClient, err := newRegistryClient(client.CertFile, client.KeyFile, client.CaFile, client.InsecureSkipTLSverify) + registryClient, err := newRegistryClient(client.CertFile, client.KeyFile, client.CaFile, + client.InsecureSkipTLSverify, client.PlainHTTP) if err != nil { return fmt.Errorf("missing registry client: %w", err) } diff --git a/cmd/helm/template.go b/cmd/helm/template.go index 3bc70f995..dae3e059a 100644 --- a/cmd/helm/template.go +++ b/cmd/helm/template.go @@ -73,7 +73,8 @@ func newTemplateCmd(cfg *action.Configuration, out io.Writer) *cobra.Command { client.KubeVersion = parsedKubeVersion } - registryClient, err := newRegistryClient(client.CertFile, client.KeyFile, client.CaFile, client.InsecureSkipTLSverify) + registryClient, err := newRegistryClient(client.CertFile, client.KeyFile, client.CaFile, + client.InsecureSkipTLSverify, client.PlainHTTP) if err != nil { return fmt.Errorf("missing registry client: %w", err) } diff --git a/cmd/helm/upgrade.go b/cmd/helm/upgrade.go index 145d342b7..173cd4242 100644 --- a/cmd/helm/upgrade.go +++ b/cmd/helm/upgrade.go @@ -90,7 +90,8 @@ func newUpgradeCmd(cfg *action.Configuration, out io.Writer) *cobra.Command { RunE: func(cmd *cobra.Command, args []string) error { client.Namespace = settings.Namespace() - registryClient, err := newRegistryClient(client.CertFile, client.KeyFile, client.CaFile, client.InsecureSkipTLSverify) + registryClient, err := newRegistryClient(client.CertFile, client.KeyFile, client.CaFile, + client.InsecureSkipTLSverify, client.PlainHTTP) if err != nil { return fmt.Errorf("missing registry client: %w", err) } diff --git a/pkg/action/install.go b/pkg/action/install.go index d5c34cef7..354b6e557 100644 --- a/pkg/action/install.go +++ b/pkg/action/install.go @@ -114,6 +114,7 @@ type ChartPathOptions struct { CertFile string // --cert-file KeyFile string // --key-file InsecureSkipTLSverify bool // --insecure-skip-verify + PlainHTTP bool // --plain-http Keyring string // --keyring Password string // --password PassCredentialsAll bool // --pass-credentials @@ -733,6 +734,7 @@ func (c *ChartPathOptions) LocateChart(name string, settings *cli.EnvSettings) ( getter.WithPassCredentialsAll(c.PassCredentialsAll), getter.WithTLSClientConfig(c.CertFile, c.KeyFile, c.CaFile), getter.WithInsecureSkipVerifyTLS(c.InsecureSkipTLSverify), + getter.WithPlainHTTP(c.PlainHTTP), }, RepositoryConfig: settings.RepositoryConfig, RepositoryCache: settings.RepositoryCache, diff --git a/pkg/action/pull.go b/pkg/action/pull.go index 37ff144de..787553125 100644 --- a/pkg/action/pull.go +++ b/pkg/action/pull.go @@ -90,6 +90,7 @@ func (p *Pull) Run(chartRef string) (string, error) { getter.WithPassCredentialsAll(p.PassCredentialsAll), getter.WithTLSClientConfig(p.CertFile, p.KeyFile, p.CaFile), getter.WithInsecureSkipVerifyTLS(p.InsecureSkipTLSverify), + getter.WithPlainHTTP(p.PlainHTTP), }, RegistryClient: p.cfg.RegistryClient, RepositoryConfig: p.Settings.RepositoryConfig, diff --git a/pkg/action/push.go b/pkg/action/push.go index 892006406..68d2ba42d 100644 --- a/pkg/action/push.go +++ b/pkg/action/push.go @@ -36,6 +36,7 @@ type Push struct { keyFile string caFile string insecureSkipTLSverify bool + plainHTTP bool out io.Writer } @@ -65,6 +66,13 @@ func WithInsecureSkipTLSVerify(insecureSkipTLSVerify bool) PushOpt { } } +// WithPlainHTTP configures the use of plain HTTP connections. +func WithPlainHTTP(plainHTTP bool) PushOpt { + return func(p *Push) { + p.plainHTTP = plainHTTP + } +} + // WithOptWriter sets the registryOut field on the push configuration object. func WithPushOptWriter(out io.Writer) PushOpt { return func(p *Push) { @@ -91,6 +99,7 @@ func (p *Push) Run(chartRef string, remote string) (string, error) { Options: []pusher.Option{ pusher.WithTLSClientConfig(p.certFile, p.keyFile, p.caFile), pusher.WithInsecureSkipTLSVerify(p.insecureSkipTLSverify), + pusher.WithPlainHTTP(p.plainHTTP), }, } diff --git a/pkg/getter/getter.go b/pkg/getter/getter.go index 653b032fe..a0a2b49c8 100644 --- a/pkg/getter/getter.go +++ b/pkg/getter/getter.go @@ -37,6 +37,7 @@ type options struct { caFile string unTar bool insecureSkipVerifyTLS bool + plainHTTP bool username string password string passCredentialsAll bool @@ -96,6 +97,12 @@ func WithTLSClientConfig(certFile, keyFile, caFile string) Option { } } +func WithPlainHTTP(plainHTTP bool) Option { + return func(opts *options) { + opts.plainHTTP = plainHTTP + } +} + // WithTimeout sets the timeout for requests func WithTimeout(timeout time.Duration) Option { return func(opts *options) { diff --git a/pkg/getter/ocigetter.go b/pkg/getter/ocigetter.go index 1705fca91..209786bd7 100644 --- a/pkg/getter/ocigetter.go +++ b/pkg/getter/ocigetter.go @@ -137,12 +137,15 @@ func (g *OCIGetter) newRegistryClient() (*registry.Client, error) { g.transport.TLSClientConfig = tlsConf } - client, err := registry.NewClient( - registry.ClientOptHTTPClient(&http.Client{ - Transport: g.transport, - Timeout: g.opts.timeout, - }), - ) + opts := []registry.ClientOption{registry.ClientOptHTTPClient(&http.Client{ + Transport: g.transport, + Timeout: g.opts.timeout, + })} + if g.opts.plainHTTP { + opts = append(opts, registry.ClientOptPlainHTTP()) + } + + client, err := registry.NewClient(opts...) if err != nil { return nil, err diff --git a/pkg/pusher/ocipusher.go b/pkg/pusher/ocipusher.go index ea5e164c2..94154d389 100644 --- a/pkg/pusher/ocipusher.go +++ b/pkg/pusher/ocipusher.go @@ -139,9 +139,12 @@ func (pusher *OCIPusher) newRegistryClient() (*registry.Client, error) { return registryClient, nil } - registryClient, err := registry.NewClient( - registry.ClientOptEnableCache(true), - ) + opts := []registry.ClientOption{registry.ClientOptEnableCache(true)} + if pusher.opts.plainHTTP { + opts = append(opts, registry.ClientOptPlainHTTP()) + } + + registryClient, err := registry.NewClient(opts...) if err != nil { return nil, err } diff --git a/pkg/pusher/pusher.go b/pkg/pusher/pusher.go index e325ce498..c99d97b35 100644 --- a/pkg/pusher/pusher.go +++ b/pkg/pusher/pusher.go @@ -32,6 +32,7 @@ type options struct { keyFile string caFile string insecureSkipTLSverify bool + plainHTTP bool } // Option allows specifying various settings configurable by the user for overriding the defaults @@ -61,6 +62,12 @@ func WithInsecureSkipTLSVerify(insecureSkipTLSVerify bool) Option { } } +func WithPlainHTTP(plainHTTP bool) Option { + return func(opts *options) { + opts.plainHTTP = plainHTTP + } +} + // Pusher is an interface to support upload to the specified URL. type Pusher interface { // Push file content by url string diff --git a/pkg/registry/client.go b/pkg/registry/client.go index f9569b62b..00ea159f1 100644 --- a/pkg/registry/client.go +++ b/pkg/registry/client.go @@ -61,6 +61,7 @@ type ( registryAuthorizer *registryauth.Client resolver remotes.Resolver httpClient *http.Client + plainHTTP bool } // ClientOption allows specifying various settings configurable by the user for overriding the defaults @@ -93,6 +94,9 @@ func NewClient(options ...ClientOption) (*Client, error) { if client.httpClient != nil { opts = append(opts, auth.WithResolverClient(client.httpClient)) } + if client.plainHTTP { + opts = append(opts, auth.WithResolverPlainHTTP()) + } resolver, err := client.authorizer.ResolverWithOpts(opts...) if err != nil { return nil, err @@ -177,6 +181,12 @@ func ClientOptHTTPClient(httpClient *http.Client) ClientOption { } } +func ClientOptPlainHTTP() ClientOption { + return func(c *Client) { + c.plainHTTP = true + } +} + type ( // LoginOption allows specifying various settings on login LoginOption func(*loginOperation) @@ -626,23 +636,14 @@ func (c *Client) Tags(ref string) ([]string, error) { repository := registryremote.Repository{ Reference: parsedReference, Client: c.registryAuthorizer, + PlainHTTP: c.plainHTTP, } var registryTags []string - for { - registryTags, err = registry.Tags(ctx(c.out, c.debug), &repository) - if err != nil { - // Fallback to http based request - if !repository.PlainHTTP && strings.Contains(err.Error(), "server gave HTTP response") { - repository.PlainHTTP = true - continue - } - return nil, err - } - - break - + registryTags, err = registry.Tags(ctx(c.out, c.debug), &repository) + if err != nil { + return nil, err } var tagVersions []*semver.Version