Add --insecure-skip-tls-verify for repositories (#7254)

* added --insecure-skip-tls-verify for chart repos Signed-off-by: Matthias Riegler <me@xvzf.tech> * fixed not passing the insecureSkipTLSverify option Signed-off-by: Matthias Riegler <me@xvzf.tech> * fixed testcase Signed-off-by: Matthias Riegler <me@xvzf.tech> * pass proxy when using insecureSkipVerify Signed-off-by: Matthias Riegler <me@xvzf.tech> * Add testcases for insecureSkipVerifyTLS Signed-off-by: Matthias Riegler <me@xvzf.tech> * added missing err check Signed-off-by: Matthias Riegler <me@xvzf.tech> * panic after json marshal fails Signed-off-by: Matthias Riegler <me@xvzf.tech>
4 years ago · dc26128fb4
parent b1959a309e
commit dc26128fb4
5 changed files with 119 additions and 24 deletions
--- a/cmd/helm/repo_add.go
+++ b/cmd/helm/repo_add.go
@ -43,9 +43,10 @@ type repoAddOptions struct {
 	password string
 	noUpdate bool

-	certFile string
-	keyFile  string
-	caFile   string
+	certFile              string
+	keyFile               string
+	caFile                string
+	insecureSkipTLSverify bool

 	repoFile  string
 	repoCache string
@ -75,6 +76,7 @@ func newRepoAddCmd(out io.Writer) *cobra.Command {
 	f.StringVar(&o.certFile, "cert-file", "", "identify HTTPS client using this SSL certificate file")
 	f.StringVar(&o.keyFile, "key-file", "", "identify HTTPS client using this SSL key file")
 	f.StringVar(&o.caFile, "ca-file", "", "verify certificates of HTTPS-enabled servers using this CA bundle")
+	f.BoolVar(&o.insecureSkipTLSverify, "insecure-skip-tls-verify", false, "skip tls certificate checks for the repository")

 	return cmd
 }
@ -113,13 +115,14 @@ func (o *repoAddOptions) run(out io.Writer) error {
 	}

 	c := repo.Entry{
-		Name:     o.name,
-		URL:      o.url,
-		Username: o.username,
-		Password: o.password,
-		CertFile: o.certFile,
-		KeyFile:  o.keyFile,
-		CAFile:   o.caFile,
+		Name:                  o.name,
+		URL:                   o.url,
+		Username:              o.username,
+		Password:              o.password,
+		CertFile:              o.certFile,
+		KeyFile:               o.keyFile,
+		CAFile:                o.caFile,
+		InsecureSkipTLSverify: o.insecureSkipTLSverify,
 	}

 	r, err := repo.NewChartRepository(&c, getter.All(settings))
--- a/pkg/getter/getter.go
+++ b/pkg/getter/getter.go
@ -28,13 +28,14 @@ import (
 //
 // Getters may or may not ignore these parameters as they are passed in.
 type options struct {
-	url       string
-	certFile  string
-	keyFile   string
-	caFile    string
-	username  string
-	password  string
-	userAgent string
+	url                   string
+	certFile              string
+	keyFile               string
+	caFile                string
+	insecureSkipVerifyTLS bool
+	username              string
+	password              string
+	userAgent             string
 }

 // Option allows specifying various settings configurable by the user for overriding the defaults
@ -64,6 +65,13 @@ func WithUserAgent(userAgent string) Option {
 	}
 }

+// WithInsecureSkipVerifyTLS determines if a TLS Certificate will be checked
+func WithInsecureSkipVerifyTLS(insecureSkipVerifyTLS bool) Option {
+	return func(opts *options) {
+		opts.insecureSkipVerifyTLS = insecureSkipVerifyTLS
+	}
+}
+
 // WithTLSClientConfig sets the client auth with the provided credentials.
 func WithTLSClientConfig(certFile, keyFile, caFile string) Option {
 	return func(opts *options) {
--- a/pkg/getter/httpgetter.go
+++ b/pkg/getter/httpgetter.go
@ -17,6 +17,7 @@ package getter

 import (
 	"bytes"
+	"crypto/tls"
 	"io"
 	"net/http"

@ -111,5 +112,19 @@ func (g *HTTPGetter) httpClient() (*http.Client, error) {

 		return client, nil
 	}
+
+	if g.opts.insecureSkipVerifyTLS {
+		client := &http.Client{
+			Transport: &http.Transport{
+				TLSClientConfig: &tls.Config{
+					InsecureSkipVerify: true,
+				},
+				Proxy: http.ProxyFromEnvironment,
+			},
+		}
+
+		return client, nil
+	}
+
 	return http.DefaultClient, nil
 }
--- a/pkg/getter/httpgetter_test.go
+++ b/pkg/getter/httpgetter_test.go
@ -44,12 +44,14 @@ func TestHTTPGetter(t *testing.T) {
 	cd := "../../testdata"
 	join := filepath.Join
 	ca, pub, priv := join(cd, "rootca.crt"), join(cd, "crt.pem"), join(cd, "key.pem")
+	insecure := false

 	// Test with options
 	g, err = NewHTTPGetter(
 		WithBasicAuth("I", "Am"),
 		WithUserAgent("Groot"),
 		WithTLSClientConfig(pub, priv, ca),
+		WithInsecureSkipVerifyTLS(insecure),
 	)
 	if err != nil {
 		t.Fatal(err)
@ -83,6 +85,29 @@ func TestHTTPGetter(t *testing.T) {
 	if hg.opts.caFile != ca {
 		t.Errorf("Expected NewHTTPGetter to contain %q as the CA file, got %q", ca, hg.opts.caFile)
 	}
+
+	if hg.opts.insecureSkipVerifyTLS != insecure {
+		t.Errorf("Expected NewHTTPGetter to contain %t as InsecureSkipVerifyTLs flag, got %t", false, hg.opts.insecureSkipVerifyTLS)
+	}
+
+	// Test if setting insecureSkipVerifyTLS is being passed to the ops
+	insecure = true
+
+	g, err = NewHTTPGetter(
+		WithInsecureSkipVerifyTLS(insecure),
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	hg, ok = g.(*HTTPGetter)
+	if !ok {
+		t.Fatal("expected NewHTTPGetter to produce an *HTTPGetter")
+	}
+
+	if hg.opts.insecureSkipVerifyTLS != insecure {
+		t.Errorf("Expected NewHTTPGetter to contain %t as InsecureSkipVerifyTLs flag, got %t", insecure, hg.opts.insecureSkipVerifyTLS)
+	}
 }

 func TestDownload(t *testing.T) {
@ -191,3 +216,35 @@ func TestDownloadTLS(t *testing.T) {
 		t.Error(err)
 	}
 }
+
+func TestDownloadInsecureSkipTLSVerify(t *testing.T) {
+	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
+	defer ts.Close()
+
+	u, _ := url.ParseRequestURI(ts.URL)
+
+	// Ensure the default behaviour did not change
+	g, err := NewHTTPGetter(
+		WithURL(u.String()),
+	)
+	if err != nil {
+		t.Error(err)
+	}
+
+	if _, err := g.Get(u.String()); err == nil {
+		t.Errorf("Expected Getter to throw an error, got %s", err)
+	}
+
+	// Test certificate check skip
+	g, err = NewHTTPGetter(
+		WithURL(u.String()),
+		WithInsecureSkipVerifyTLS(true),
+	)
+	if err != nil {
+		t.Error(err)
+	}
+	if _, err = g.Get(u.String()); err != nil {
+		t.Error(err)
+	}
+
+}
--- a/pkg/repo/chartrepo.go
+++ b/pkg/repo/chartrepo.go
@ -19,8 +19,10 @@ package repo // import "helm.sh/helm/v3/pkg/repo"
 import (
 	"crypto/rand"
 	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"io/ioutil"
+	"log"
 	"net/url"
 	"os"
 	"path"
@ -38,13 +40,14 @@ import (

 // Entry represents a collection of parameters for chart repository
 type Entry struct {
-	Name     string `json:"name"`
-	URL      string `json:"url"`
-	Username string `json:"username"`
-	Password string `json:"password"`
-	CertFile string `json:"certFile"`
-	KeyFile  string `json:"keyFile"`
-	CAFile   string `json:"caFile"`
+	Name                  string `json:"name"`
+	URL                   string `json:"url"`
+	Username              string `json:"username"`
+	Password              string `json:"password"`
+	CertFile              string `json:"certFile"`
+	KeyFile               string `json:"keyFile"`
+	CAFile                string `json:"caFile"`
+	InsecureSkipTLSverify bool   `json:"insecure_skip_tls_verify"`
 }

 // ChartRepository represents a chart repository
@ -121,6 +124,7 @@ func (r *ChartRepository) DownloadIndexFile() (string, error) {
 	// TODO add user-agent
 	resp, err := r.Client.Get(indexURL,
 		getter.WithURL(r.Config.URL),
+		getter.WithInsecureSkipVerifyTLS(r.Config.InsecureSkipTLSverify),
 		getter.WithTLSClientConfig(r.Config.CertFile, r.Config.KeyFile, r.Config.CAFile),
 		getter.WithBasicAuth(r.Config.Username, r.Config.Password),
 	)
@ -271,3 +275,11 @@ func ResolveReferenceURL(baseURL, refURL string) (string, error) {
 	parsedBaseURL.Path = strings.TrimSuffix(parsedBaseURL.Path, "/") + "/"
 	return parsedBaseURL.ResolveReference(parsedRefURL).String(), nil
 }
+
+func (e *Entry) String() string {
+	buf, err := json.Marshal(e)
+	if err != nil {
+		log.Panic(err)
+	}
+	return string(buf)
+}