There's not a simple way to add a helm repo with a custom CA

[ipedrazas]

It's not easy to add your own repository configuration to the chart.

The setting Values.helmOperator.configureRepositories.enable allow you toinject a secret, however, if there's a repo that needs a CA there's not a standard way to add the CA into the deployment provided by the chart.

Note that Values.helmOperator.tls.verify is used as a flag to configure tiller tls and not repo.

If you jump into the helmOperator pod and create the file ca.crt and then execute:

helm repo add myrepo https://myhelmrepo.com --ca-file ca.crt

the HelmRelease can use a helm repo with a self-signed cert. This means that the operator needs 2 things to install releases from a helm repo under a self-signed cert:

• The CA certificate.
• The entry in the repositories.yaml with the location of the ca certificate.

[squaremo]

@ipedrazas Would it be sufficient (if not ideal) to be able to specify a secret for certificates to be mounted, as well as the repository.yaml?

It looks like fluxcd/flux#1893 will let you specify a CA cert for a repository entry, which may help.

[ipedrazas]

fluxcd/flux#1893 allows you to define your own repositories.yaml but it doesn't add/mount the CA, the CA location is defined in the repositories.yaml entry, but yes, we could adapt it to add the CA into that secret and mount it inside the deployment template.

[squaremo]

Is it possible to include the CA cert in the same secret that has the repositories.yaml? It requires knowing where the secret will be mounted, such that you can use the path in the repositories.yaml file. But I think it would work.

[hiddeco]

I think this got resolved in #183 (cert path configuration is now possible, and the chart allows you to add additional mounts), and will be further improved with #142.

[kav]

Just wanted to leave a note in case anyone else goes down the rabbit hole here. It appears you should do something like the following.

First create a repositories.yaml as described in the docs. Add a line for that reads:

  ... 
  caFile: /root/.helm/certs/ca.crt
  ...

for any repository using your new ca.

Then run:
kubectl create secret generic helm-repositories -n flux --from-file=repositories.yaml --from-file=ca.crt

Then use these values with the helm-operator helm chart (presented as yaml but you can get crazy with command line opts if you want...

...
configureRepositories:
  enable: true
  secretName: helm-repositories
extraVolumeMounts:
- name: repositories-yaml
  mountPath: /root/.helm/certs/ca.crt
  subPath: ca.crt

obviously you can tweak this for multiple certificate authorities or just move stuff around as you like.

Note: Your HelmRelease should continue to use the url of the repo not the name.