Allow specifying a custom CA certificate in Bucket API #973
Comments
This may be impacted by fluxcd/flux2#3366.
I would say let's put this one on hold until fluxcd/flux2#3366 is addressed.
Are there any chances to get this resolved even though #3366 covers a larger scope? At least for other resources like HelmRepository there has already been a fix, but currently I'm missing, exactly for this Bucket resource, a CA certificate validation (or even a skip of the verification) for a setup where I would store Helm chart artifacts within an S3-compatible storage, because I don't have access to Helm repositories.
In Flux 2.4 we plan to ship Bucket GA so we can get started working on improvements to this API next. We should add
PS. @tboerger using a Bucket full of Chart tgz will not work with Flux, you should push the charts to your container registry and use Helm OCI.
I'd like to work on this!
Good to know that it won't work as I was planning to do it. Sadly most charts I want to use aren't published as OCI images so far.
If you are planning on vendoring Helm chart tarballs in a private bucket you can probably still do that, but using the HelmChart API instead and something like https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/set-up-a-helm-v3-chart-repository-in-amazon-s3.html. I think you can probably achieve the equivalent of this AWS S3 setup using MinIO, i.e. make it work like a vanilla HTTP Helm repo. But if you are taking the time to vendor charts in a private bucket you would probably want to consider vendoring through OCI Helm repos instead; the effort is probably on the same scale as vendoring through vanilla HTTP. See this: https://docs.aws.amazon.com/AmazonECR/latest/userguide/push-oci-artifact.html
As a user that has a custom S3 implementation such as MinIO running in my cluster, I want to be able to use an encrypted connection between s-c and the S3 server. For that to work, I need to be able to define a custom CA certificate in the `caFile` field of the Secret referred to in the `.spec.secretRef`. Using the `caFile` field is in line with other resources such as GitRepositories and [HelmRepositories](https://fluxcd.io/flux/components/source/helmrepositories/#tls-authentication).
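The shape this request asks for, as an added illustration that is not a manifest from the issue or from the Flux documentation: the Bucket's credential Secret carries the proposed `caFile` key alongside the access keys, mirroring the HelmRepository TLS pattern linked above. The names, endpoint and credential values are constructed, and whether source-controller honours `caFile` on a Bucket depends on the change this issue tracks.

```yaml
# Constructed example: Secret referenced by Bucket.spec.secretRef.
# accesskey/secretkey are the keys the Bucket API reads for generic
# (S3-compatible) providers; caFile is the key this issue proposes,
# following the HelmRepository TLS convention.
apiVersion: v1
kind: Secret
metadata:
  name: minio-credentials        # constructed name
  namespace: flux-system
type: Opaque
stringData:
  accesskey: minio-user          # constructed sample value
  secretkey: minio-password      # constructed sample value
  caFile: |                      # PEM of the private CA that signed the MinIO server certificate
    -----BEGIN CERTIFICATE-----
    <PEM body of your private CA certificate goes here>
    -----END CERTIFICATE-----
---
# Constructed example: Bucket pointing at an in-cluster MinIO over TLS.
# With the CA trusted, the endpoint can stay on HTTPS instead of
# falling back to `insecure: true` (plain HTTP).
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: Bucket
metadata:
  name: helm-artifacts           # constructed name
  namespace: flux-system
spec:
  interval: 5m
  provider: generic
  bucketName: charts             # constructed bucket name
  endpoint: minio.minio.svc.cluster.local:9000   # constructed endpoint
  secretRef:
    name: minio-credentials
```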