Add insecure skip tls verify support (#882)

* feat: add insecure-skip-tls-verify support

Signed-off-by: yxxhero <aiopsclub@163.com>

.github/workflows/ci.yaml

@@ -72,7 +72,7 @@ jobs:
            # we will mark this combination as failable,
            # and instruct users to upgrade helm and helm-secrets at once.
            plugin-secrets-version: 4.0.0
-           plugin-diff-version: 3.8.0
+           plugin-diff-version: 3.8.1
            extra-helmfile-flags:
            v1mode:
          - helm-version: v3.12.0
@@ -84,14 +84,14 @@ jobs:
          - helm-version: v3.12.0
            kustomize-version: v4.5.7
            plugin-secrets-version: 4.0.0
-           plugin-diff-version: 3.8.0
+           plugin-diff-version: 3.8.1
            extra-helmfile-flags:
            v1mode:
          # Helmfile v1
          - helm-version: v3.12.0
            kustomize-version: v4.5.7
            plugin-secrets-version: 4.0.0
-           plugin-diff-version: 3.8.0
+           plugin-diff-version: 3.8.1
            extra-helmfile-flags:
            v1mode: "true"
          # In case you need to test some optional helmfile features,
@@ -99,7 +99,7 @@ jobs:
          - helm-version: v3.12.0
            kustomize-version: v4.5.7
            plugin-secrets-version: 4.0.0
-           plugin-diff-version: 3.8.0
+           plugin-diff-version: 3.8.1
            extra-helmfile-flags: "--enable-live-output"
            v1mode:
     steps:

Dockerfile

@@ -92,7 +92,7 @@ RUN set -x && \
     [ "$(age --version)" = "${AGE_VERSION}" ] && \
     [ "$(age-keygen --version)" = "${AGE_VERSION}" ]
 
-RUN helm plugin install https://github.com/databus23/helm-diff --version v3.8.0 && \
+RUN helm plugin install https://github.com/databus23/helm-diff --version v3.8.1 && \
     helm plugin install https://github.com/jkroepke/helm-secrets --version v4.1.1 && \
     helm plugin install https://github.com/hypnoglow/helm-s3.git --version v0.14.0 && \
     helm plugin install https://github.com/aslafy-z/helm-git.git --version v0.12.0 && \

Dockerfile.debian-stable-slim

@@ -97,7 +97,7 @@ RUN set -x && \
     [ "$(age --version)" = "${AGE_VERSION}" ] && \
     [ "$(age-keygen --version)" = "${AGE_VERSION}" ]
 
-RUN helm plugin install https://github.com/databus23/helm-diff --version v3.8.0 && \
+RUN helm plugin install https://github.com/databus23/helm-diff --version v3.8.1 && \
     helm plugin install https://github.com/jkroepke/helm-secrets --version v4.1.1 && \
     helm plugin install https://github.com/hypnoglow/helm-s3.git --version v0.14.0 && \
     helm plugin install https://github.com/aslafy-z/helm-git.git --version v0.12.0 && \

Dockerfile.ubuntu

@@ -97,7 +97,7 @@ RUN set -x && \
     [ "$(age --version)" = "${AGE_VERSION}" ] && \
     [ "$(age-keygen --version)" = "${AGE_VERSION}" ]
 
-RUN helm plugin install https://github.com/databus23/helm-diff --version v3.8.0 && \
+RUN helm plugin install https://github.com/databus23/helm-diff --version v3.8.1 && \
     helm plugin install https://github.com/jkroepke/helm-secrets --version v4.1.1 && \
     helm plugin install https://github.com/hypnoglow/helm-s3.git --version v0.14.0 && \
     helm plugin install https://github.com/aslafy-z/helm-git.git --version v0.12.0 && \

docs/index.md

@@ -211,6 +211,8 @@ helmDefaults:
   postRenderer: "path/to/postRenderer"
   #	cascade `--cascade` to helmv3 delete, available values: background, foreground, or orphan, default: background
   cascade: "background" 
+  # insecureSkipTLSVerify is true if the TLS verification should be skipped when fetching remote chart
+  insecureSkipTLSVerify: false
 
 # these labels will be applied to all releases in a Helmfile. Useful in templating if you have a helmfile per environment or customer and don't want to copy the same label to each release
 commonLabels:
@@ -311,6 +313,8 @@ releases:
     postRenderer: "path/to/postRenderer"
     # cascade `--cascade` to helmv3 delete, available values: background, foreground, or orphan, default: background
     cascade: "background" 
+    # insecureSkipTLSVerify is true if the TLS verification should be skipped when fetching remote chart
+    insecureSkipTLSVerify: false
 
   # Local chart example
   - name: grafana                            # name of this release

pkg/app/init.go

@@ -19,7 +19,7 @@ import (
 const (
 	HelmRequiredVersion           = "v3.10.3"
 	HelmRecommendedVersion        = "v3.12.0"
-	HelmDiffRecommendedVersion    = "v3.4.0"
+	HelmDiffRecommendedVersion    = "v3.8.1"
 	HelmSecretsRecommendedVersion = "v4.1.1"
 	HelmGitRecommendedVersion     = "v0.12.0"
 	HelmS3RecommendedVersion      = "v0.14.0"

pkg/state/create.go

@@ -309,8 +309,7 @@ func (c *StateCreator) scatterGatherEnvSecretFiles(st *HelmState, envSecretFiles
 		func(id int) {
 			for secret := range secrets {
 				release := &ReleaseSpec{}
-				flags := st.appendConnectionFlags([]string{}, release)
+				decFile, err := helm.DecryptSecret(st.createHelmContext(release, 0), secret.path)
-				decFile, err := helm.DecryptSecret(st.createHelmContext(release, 0), secret.path, flags...)
 				if err != nil {
 					results <- secretResult{secret.id, nil, err, secret.path}
 					continue

pkg/state/envvals_loader_test.go

@@ -103,7 +103,7 @@ func TestEnvValsLoad_EnvironmentNameFile(t *testing.T) {
 func TestEnvValsLoad_SingleValuesFileRemote(t *testing.T) {
 	l := newLoader()
 
-	actual, err := l.LoadEnvironmentValues(nil, []interface{}{"git::https://github.com/helm/helm.git@cmd/helm/testdata/output/values.yaml?ref=v3.8.0"}, nil, "")
+	actual, err := l.LoadEnvironmentValues(nil, []interface{}{"git::https://github.com/helm/helm.git@cmd/helm/testdata/output/values.yaml?ref=v3.8.1"}, nil, "")
 	if err != nil {
 		t.Fatal(err)
 	}

pkg/state/state.go

@@ -18,11 +18,13 @@ import (
 	"text/template"
 	"time"
 
+	"github.com/Masterminds/semver/v3"
 	"github.com/helmfile/chartify"
 	"github.com/helmfile/vals"
 	"github.com/imdario/mergo"
 	"github.com/tatsushid/go-prettytable"
 	"go.uber.org/zap"
+	"helm.sh/helm/v3/pkg/cli"
 
 	"github.com/helmfile/helmfile/pkg/environment"
 	"github.com/helmfile/helmfile/pkg/event"
@@ -192,6 +194,8 @@ type HelmSpec struct {
 
 	DisableValidation        *bool `yaml:"disableValidation,omitempty"`
 	DisableOpenAPIValidation *bool `yaml:"disableOpenAPIValidation,omitempty"`
+	// InsecureSkipTLSVerify is true if the TLS verification should be skipped when fetching remote chart
+	InsecureSkipTLSVerify bool `yaml:"insecureSkipTLSVerify,omitempty"`
 }
 
 // RepositorySpec that defines values for a helm repo
@@ -310,6 +314,9 @@ type ReleaseSpec struct {
 
 	KubeContext string `yaml:"kubeContext,omitempty"`
 
+	// InsecureSkipTLSVerify is true if the TLS verification should be skipped when fetching remote chart.
+	InsecureSkipTLSVerify bool `yaml:"insecureSkipTLSVerify,omitempty"`
+
 	// These values are used in templating
 	VerifyTemplate    *string `yaml:"verifyTemplate,omitempty"`
 	WaitTemplate      *string `yaml:"waitTemplate,omitempty"`
@@ -983,7 +990,7 @@ func (st *HelmState) SyncReleases(affectedReleases *AffectedReleases, helm helme
 }
 
 func (st *HelmState) listReleases(context helmexec.HelmContext, helm helmexec.Interface, release *ReleaseSpec) (string, error) {
-	flags := st.connectionFlags(release)
+	flags := st.kubeConnectionFlags(release)
 	if release.Namespace != "" {
 		flags = append(flags, "--namespace", release.Namespace)
 	}
@@ -2113,6 +2120,7 @@ func (st *HelmState) TestReleases(helm helmexec.Interface, cleanup bool, timeout
 		}
 
 		flags = st.appendConnectionFlags(flags, &release)
+		flags = st.appendChartDownloadTLSFlags(flags, &release)
 
 		return helm.TestRelease(st.createHelmContext(&release, workerIndex), release.Name, flags...)
 	})
@@ -2428,12 +2436,12 @@ func findChartDirectory(topLevelDir string) (string, error) {
 
 // appendConnectionFlags append all the helm command-line flags related to K8s API including the kubecontext
 func (st *HelmState) appendConnectionFlags(flags []string, release *ReleaseSpec) []string {
-	adds := st.connectionFlags(release)
+	kubeFlagAdds := st.kubeConnectionFlags(release)
-	flags = append(flags, adds...)
+	flags = append(flags, kubeFlagAdds...)
 	return flags
 }
 
-func (st *HelmState) connectionFlags(release *ReleaseSpec) []string {
+func (st *HelmState) kubeConnectionFlags(release *ReleaseSpec) []string {
 	flags := []string{}
 	if release.KubeContext != "" {
 		flags = append(flags, "--kube-context", release.KubeContext)
@@ -2442,7 +2450,16 @@ func (st *HelmState) connectionFlags(release *ReleaseSpec) []string {
 	} else if st.HelmDefaults.KubeContext != "" {
 		flags = append(flags, "--kube-context", st.HelmDefaults.KubeContext)
 	}
+	return flags
+}
 
+func (st *HelmState) appendChartDownloadTLSFlags(flags []string, release *ReleaseSpec) []string {
+	switch {
+	case release.InsecureSkipTLSVerify:
+		flags = append(flags, "--insecure-skip-tls-verify")
+	case st.HelmDefaults.InsecureSkipTLSVerify:
+		flags = append(flags, "--insecure-skip-tls-verify")
+	}
 	return flags
 }
 
@@ -2515,6 +2532,7 @@ func (st *HelmState) flagsForUpgrade(helm helmexec.Interface, release *ReleaseSp
 	}
 
 	flags = st.appendConnectionFlags(flags, release)
+	flags = st.appendChartDownloadTLSFlags(flags, release)
 
 	flags = st.appendHelmXFlags(flags, release)
 
@@ -2555,6 +2573,7 @@ func (st *HelmState) flagsForTemplate(helm helmexec.Interface, release *ReleaseS
 }
 
 func (st *HelmState) flagsForDiff(helm helmexec.Interface, release *ReleaseSpec, disableValidation bool, workerIndex int, opt *DiffOpts) ([]string, []string, error) {
+	settings := cli.New()
 	flags := st.chartVersionFlags(release)
 
 	disableOpenAPIValidation := false
@@ -2586,6 +2605,20 @@ func (st *HelmState) flagsForDiff(helm helmexec.Interface, release *ReleaseSpec,
 
 	flags = st.appendConnectionFlags(flags, release)
 
+	if st.HelmDefaults.InsecureSkipTLSVerify || release.InsecureSkipTLSVerify {
+		diffVersion, err := helmexec.GetPluginVersion("diff", settings.PluginsDirectory)
+		if err != nil {
+			return nil, nil, err
+		}
+		dv, _ := semver.NewVersion("v3.8.1")
+
+		if diffVersion.LessThan(dv) {
+			return nil, nil, fmt.Errorf("insecureSkipTLSVerify is not supported by helm-diff plugin version %s, please use at least v3.8.1", diffVersion)
+		}
+	}
+
+	flags = st.appendChartDownloadTLSFlags(flags, release)
+
 	flags = st.appendHelmXFlags(flags, release)
 
 	postRenderer := ""
@@ -2930,8 +2963,7 @@ func (st *HelmState) generateSecretValuesFiles(helm helmexec.Interface, release
 		}
 		path := paths[0]
 
-		decryptFlags := st.appendConnectionFlags([]string{}, release)
+		valfile, err := helm.DecryptSecret(st.createHelmContext(release, workerIndex), path)
-		valfile, err := helm.DecryptSecret(st.createHelmContext(release, workerIndex), path, decryptFlags...)
 		if err != nil {
 			return nil, err
 		}

pkg/state/state_test.go

@@ -3344,3 +3344,44 @@ func TestCommonDiffFlags(t *testing.T) {
 		require.Equal(t, tt.expected, result)
 	}
 }
+
+func TestAppendChartDownloadTLSFlags(t *testing.T) {
+	tests := []struct {
+		name                         string
+		defaultInsecureSkipTLSVerify bool
+		releaseInsecureSkipTLSVerify bool
+		expected                     []string
+	}{
+		{
+			name:                         "defaultInsecureSkipTLSVerify is true and releaseInsecureSkipTLSVerify is false",
+			defaultInsecureSkipTLSVerify: true,
+			releaseInsecureSkipTLSVerify: false,
+			expected:                     []string{"--insecure-skip-tls-verify"},
+		},
+		{
+			name:                         "defaultInsecureSkipTLSVerify is false and releaseInsecureSkipTLSVerify is true",
+			defaultInsecureSkipTLSVerify: false,
+			releaseInsecureSkipTLSVerify: true,
+			expected:                     []string{"--insecure-skip-tls-verify"},
+		},
+		{
+			name:                         "defaultInsecureSkipTLSVerify is false and releaseInsecureSkipTLSVerify is false",
+			defaultInsecureSkipTLSVerify: false,
+			releaseInsecureSkipTLSVerify: false,
+			expected:                     []string{},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			st := &HelmState{}
+			release := &ReleaseSpec{}
+			st.HelmDefaults.InsecureSkipTLSVerify = tt.defaultInsecureSkipTLSVerify
+			release.InsecureSkipTLSVerify = tt.releaseInsecureSkipTLSVerify
+
+			result := st.appendChartDownloadTLSFlags([]string{}, release)
+
+			require.Equal(t, tt.expected, result)
+		})
+	}
+}

pkg/state/temp_test.go

@@ -38,39 +38,39 @@ func TestGenerateID(t *testing.T) {
 	run(testcase{
 		subject: "baseline",
 		release: ReleaseSpec{Name: "foo", Chart: "incubator/raw"},
-		want:    "foo-values-fc7df494d",
+		want:    "foo-values-58d856f487",
 	})
 
 	run(testcase{
 		subject: "different bytes content",
 		release: ReleaseSpec{Name: "foo", Chart: "incubator/raw"},
 		data:    []byte(`{"k":"v"}`),
-		want:    "foo-values-56b47664f5",
+		want:    "foo-values-6d96d874f6",
 	})
 
 	run(testcase{
 		subject: "different map content",
 		release: ReleaseSpec{Name: "foo", Chart: "incubator/raw"},
 		data:    map[string]interface{}{"k": "v"},
-		want:    "foo-values-558ff84c89",
+		want:    "foo-values-77cdb7dbb6",
 	})
 
 	run(testcase{
 		subject: "different chart",
 		release: ReleaseSpec{Name: "foo", Chart: "stable/envoy"},
-		want:    "foo-values-5595f4fc5c",
+		want:    "foo-values-66cd476bbb",
 	})
 
 	run(testcase{
 		subject: "different name",
 		release: ReleaseSpec{Name: "bar", Chart: "incubator/raw"},
-		want:    "bar-values-5bf654bff9",
+		want:    "bar-values-5d59565d5b",
 	})
 
 	run(testcase{
 		subject: "specific ns",
 		release: ReleaseSpec{Name: "foo", Chart: "incubator/raw", Namespace: "myns"},
-		want:    "myns-foo-values-c685d945",
+		want:    "myns-foo-values-644b7dfd78",
 	})
 
 	for id, n := range ids {

test/integration/run.sh

@@ -26,7 +26,7 @@ export HELM_DATA_HOME="${helm_dir}/data"
 export HELM_HOME="${HELM_DATA_HOME}"
 export HELM_PLUGINS="${HELM_DATA_HOME}/plugins"
 export HELM_CONFIG_HOME="${helm_dir}/config"
-HELM_DIFF_VERSION="${HELM_DIFF_VERSION:-3.8.0}"
+HELM_DIFF_VERSION="${HELM_DIFF_VERSION:-3.8.1}"
 HELM_SECRETS_VERSION="${HELM_SECRETS_VERSION:-3.15.0}"
 export GNUPGHOME="${PWD}/${dir}/.gnupg"
 export SOPS_PGP_FP="B2D6D7BBEC03B2E66571C8C00AD18E16CFDEF700"