Add support for external helm repo for services with self-signed certificate #2555

Open
thehejik opened this issue Sep 8, 2023 · 3 comments · May be fixed by #2642
Labels: kind/enhancement (New feature or request), status/later (Excluded from release notes. Long-term goal we might target later), status/suspended (work here suspended due to other work taking priority)

Comments

thehejik (Contributor) commented Sep 8, 2023

#2530 brings support for external helm chart repos for services, but I don't see a way to provide a self-signed CA certificate there.

The secret with the CA certificate can be created by something like:

$ kubectl create secret generic -n epinio oci-secret \
   --from-literal=username=PAT --from-literal=password=PAT --from-file=cert=./CA.pem

but then we would need to use the certificate to be able to pull the chart for the service from that helm repo.

This is the current state in v1.10.0-rc1 when trying to pull from an external self-hosted registry:

$ epinio-1.10 service create nginx-dev nginx

🚢  Creating Service...
Catalog: nginx-dev
Service: nginx
Wait For Completion: false

❌  error creating service: service create failed: error deploying service helm chart: logging into the helm registry: Get "https://10.100.103.16.nip.io/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority

Note: providing the CA.pem certificate to the nodes is not sufficient (via sudo cp CA.pem /etc/pki/trust/anchors/; sudo update-ca-certificates).

@thehejik thehejik added the kind/enhancement New feature or request label Sep 8, 2023
@thehejik thehejik changed the title Add support for external registry-ca certificate Add support for external helm repo for services with self-signed certificate Sep 8, 2023
andreas-kupries (Contributor) commented Sep 8, 2023

Note 1908642

  • Changes in helm/client.go extending RegistryLogin to allow options.
  • Calling place in api/v1/application/export.go feeding in WithCAFile() option.

andreas-kupries (Contributor) commented Oct 10, 2023

Ok. Going through the code and reading https://docs.epinio.io/howtos/customization/create_custom_service
I believe I understand what is missing, and what has to be done.

The service spec has an additional secret ref (by name) in the helm-repo sub-object.
The convertUnstructuredIntoCatalogService in internal/services/catalog.go reads the name, the secret S, and then extracts user/password information from S. This goes into the Auth HelmAuth field of the internal HelmRepo structure.

On deploying the service the auth is passed into the RegistryLogin (OCI) or AddOrUpdateChartRepo (anything else).

To be done:

  • Read a field cert from the secret when creating the catalog structures.
  • Save the cert data into a (tmp) file F and remember F's path in the catalog (extended HelmAuth likely best, already kept hidden).
  • Pass the saved path into RegistryLogin, as we do for export to OCI.
  • Unclear right now how to do this for AddOrUpdateChartRepo as well.
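The plan above (read a cert field from the secret, persist it to a file, hand the path to the registry login) as an added, self-contained Go example. This is not Epinio's code: HelmAuth with a CAFile field, authFromSecretData, verifyWithCAFile, the secret-name-based file name, and the panicking test-data generator are all assumptions made for the illustration; the secret data (username/password "PAT", a "cert" field) and the registry host are taken from the issue text. The example also shows the check that produced the "certificate signed by unknown authority" error: Go's x509 verification uses whatever root pool the client is given, so a CA added to the node's trust anchors never reaches a Go client running in a pod unless it is loaded explicitly (or baked into the container image's bundle).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

const registryHost = "10.100.103.16.nip.io" // self-hosted registry from the error output above

// HelmAuth is a hypothetical stand-in for the internal HelmAuth structure
// (assumed here, not Epinio's code): user/password plus a CAFile path.
type HelmAuth struct{ Username, Password, CAFile string }

// authFromSecretData takes the decoded data of the helm-repo secret named name. A "cert"
// field must be a PEM CERTIFICATE; it is written 0600 under dir and the path kept in CAFile.
func authFromSecretData(name string, data map[string][]byte, dir string) (HelmAuth, error) {
	auth := HelmAuth{Username: string(data["username"]), Password: string(data["password"])}
	pemBytes := data["cert"]
	if len(pemBytes) == 0 { // no cert field: credentials only, as today
		return auth, nil
	}
	if block, _ := pem.Decode(pemBytes); block == nil || block.Type != "CERTIFICATE" {
		return HelmAuth{}, fmt.Errorf(`secret field "cert" is not a PEM CERTIFICATE block`)
	}
	path := filepath.Join(dir, name+"-ca.pem") // secret names are DNS-1123, so no path separators
	if err := os.WriteFile(path, pemBytes, 0o600); err != nil {
		return HelmAuth{}, err
	}
	auth.CAFile = path
	return auth, nil
}

// verifyWithCAFile is the consumer side: the path handed to the registry login becomes
// the root pool (instead of the node or image trust store) and the server certificate
// is checked against it. This is the check that failed in the issue.
func verifyWithCAFile(serverPEM []byte, caFile, host string) error {
	caPEM, err := os.ReadFile(caFile)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("no certificates parsed from %s", caFile)
	}
	block, _ := pem.Decode(serverPEM)
	if block == nil {
		return fmt.Errorf("server certificate is not PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// newTestCAAndServer builds constructed test data (panics on failure): a self-signed CA
// and a server certificate for host signed by it, both PEM-encoded.
func newTestCAAndServer(host string) (caPEM, serverPEM []byte) {
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	caDER, err1 := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	srvDER, err2 := x509.CreateCertificate(rand.Reader, srvTmpl, caTmpl, &srvKey.PublicKey, caKey)
	if err1 != nil || err2 != nil {
		panic("certificate creation failed")
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srvDER})
}

func main() {
	caPEM, serverPEM := newTestCAAndServer(registryHost)
	secret := map[string][]byte{"username": []byte("PAT"), "password": []byte("PAT"), "cert": caPEM}
	auth, err := authFromSecretData("oci-secret", secret, os.TempDir())
	if err != nil {
		panic(err)
	}
	fmt.Println("verify with CA from secret:", verifyWithCAFile(serverPEM, auth.CAFile, registryHost))
}
```

The file is written per secret name rather than with os.CreateTemp so that repeated catalog reloads overwrite one path instead of leaking temp files; whichever naming is chosen, the file must be 0600 and live in a directory the server process owns, since anything that can swap its contents can redirect the registry login to a rogue CA. Verification is deliberately strict: a CA that did not issue the server certificate yields x509.UnknownAuthorityError, and a host name not in the certificate's SANs yields x509.HostnameError.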

@andreas-kupries andreas-kupries added status/suspended work here suspended due to other work taking priority status/later Excluded from release notes. Long-term goal we might target later labels Oct 13, 2023
andreas-kupries (Contributor) commented:

Track mittwald/go-helm-client#182 status

@enrichman enrichman modified the milestones: v1.11.0, v1.12.0 Oct 25, 2023
Projects
Status: Icebox