Auth for private Helm registries

[shane-davidson]

There was nothing in the documentation in regards to using authentication for a helm chart registry.

helm:
    secret: secretName

Can we add the ability to either add a secret or username/password for private registries

gz#14091
gz#14979

[ron1]

Also add ssh auth for charts with ssh go-getter urls.

[StrongMonkey]

QA: #334 docs PR are here for testing.

[StrongMonkey]

Available to test in v0.3.5-rc4

[bmdepesa]

rancher/rancher:v2.5.8-rc3
fleet v0.3.5-rc4

Tested 3 scenarios

• Create a Helm repo requiring basic auth
• Create a Helm repo with a custom CA and basic auth
• Reference a Helm chart using ssh protocol (go-getter URL)

For the first two scenarios requiring basic auth:

• Reference the helm repo in a fleet bundle:

helm:
  releaseName: guestbook
  chart: "guestbook"
  repo: "https://xx.xx.xx.xx.xip.io"

• Create secrets in the same namespace as the GitRepo object, supplying the user, password, and CA if needed:

kubectl create secret -n fleet-default generic helm-secret \
  --from-literal=username=user1 \
  --from-literal=password=testabc123$%^ \
  --from-file=cacerts=ca.pem

• In the GitRepo, for helmSecretName, specify the secret

kind: GitRepo
apiVersion: fleet.cattle.io/v1alpha1
metadata:
  name: helm
  namespace: fleet-default
spec:
  branch: helmtest
  # bad secret name
  helmSecretName: helm-secret
  repo: https://git-repo-url
  paths:
  - single-cluster/helm
  targets:
    - clusterSelector: {}

• Save the GitRepo and the bundle deploys correctly

For the Helm chart using ssh:

• Tested with both OpenSSH and RSA keys
• Create the secret in the same namespace as the GitRepo:

kubectl create secret -n fleet-default generic helm-ssh \
  --from-file=ssh-privatekey=key.pem

• Reference the chart in the bundle:

helm:
  releaseName: guestbook
  chart: "git@github.com:privategit/privaterepo.git/guestbook-0.0.0.tgz"
  repo: ""

• Save the GitRepo
• The bundle deploys correctly

Notes / Issues

• If a custom CA is required but not provided, the GitRepo will correctly show an x509 error
• For Helm charts using ssh protocol, keys with passphrase are not supported: [Docs]Private helm docs #334 (comment)
• If a secret name is provided but doesn't exist, the GitRepo will be in an Active state when it should show an error: GitRepo does not show an error state when credential secret doesn't exist when using Helm authentication #340
• If a username/password is required but not provided or is set incorrectly, the error shows a JSON unmarshaling error instead of an authentication error: JSON unmarshalling error when incorrect or no password is provided for Helm basic auth #341
• Issue to expose helmSecretName in Dashboard UI: Expose helmSecretName for GitRepo in Fleet/Continuous Delivery UI dashboard#2706

[timofey-drozhzhin]

For anyone having issues - the top example has an improper chart URL format. The URL should look something like this: git@github.com:privategit/privaterepo.git//guestbook-0.0.0.tgz (note the double trailing-slash //). That's because the field is using a go-getter format.

For more information about the Go-Getter format, refer to https://pkg.go.dev/github.com/hashicorp/go-getter#readme-subdirectories and https://fleet.rancher.io/gitrepo-structure/#reference