From ad14db425b6ae3ec90b5f07cd86138fd39ed2806 Mon Sep 17 00:00:00 2001 From: Unai Arrien Date: Wed, 24 Jan 2024 19:51:35 +0100 Subject: [PATCH 1/2] Add `.spec.insecureSkipVerify` to `HelmRepository` for type: `oci` Signed-off-by: Unai Arrien --- api/v1beta2/helmrepository_types.go | 6 ++++ ...ce.toolkit.fluxcd.io_helmrepositories.yaml | 5 ++++ docs/api/v1beta2/source.md | 28 +++++++++++++++++++ docs/spec/v1beta2/helmrepositories.md | 9 ++++++ internal/helm/getter/client_opts.go | 6 +++- 5 files changed, 53 insertions(+), 1 deletion(-) diff --git a/api/v1beta2/helmrepository_types.go b/api/v1beta2/helmrepository_types.go index 4e53fdfd7..6792e32b1 100644 --- a/api/v1beta2/helmrepository_types.go +++ b/api/v1beta2/helmrepository_types.go @@ -98,6 +98,12 @@ type HelmRepositorySpec struct { // +optional Insecure bool `json:"insecure,omitempty"` + // InsecureSkipVerify allows connecting to a HTTPS container registry without + // verifying the server's certificate chain and host name. + // This field is only taken into account if the .spec.type field is set to 'oci'. + // +optional + InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"` + // Timeout is used for the index fetch operation for an HTTPS helm repository, // and for remote OCI Repository operations like pulling for an OCI helm // chart by the associated HelmChart. diff --git a/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml b/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml index 7eb709b94..46da55132 100644 --- a/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml +++ b/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml 
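Review bot: The doc comment on `InsecureSkipVerify` in `HelmRepositorySpec` does not say what is given up when the field is set: with verification off the registry is not authenticated, so credentials from `.spec.secretRef` and the pulled chart content can be intercepted or replaced on the network path. I would add a line such as `// Disabling verification removes protection against man-in-the-middle attacks; prefer .spec.certSecretRef with the registry's CA.` The comment should also state how the field interacts with `.spec.certSecretRef`, because the client_opts.go hunk in this patch gives it precedence over that secret. The same text is repeated in the CRD description and docs/api in this patch, so the wording should be fixed here first; the struct continues outside the hunk.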
@@ -318,6 +318,11 @@ spec: registry. This field is only taken into account if the .spec.type field is set to 'oci'. type: boolean + insecureSkipVerify: + description: Insecure allows connecting to a HTTPS container registry + without verifying the server's certificate chain and host name. + This field is only taken into account if the .spec.type field is set to 'oci'. + type: boolean interval: description: Interval at which the HelmRepository URL is checked for updates. This interval is approximate and may be subject to jitter diff --git a/docs/api/v1beta2/source.md b/docs/api/v1beta2/source.md index 04c3e328f..6d6ace131 100644 --- a/docs/api/v1beta2/source.md +++ b/docs/api/v1beta2/source.md @@ -887,6 +887,20 @@ This field is only taken into account if the .spec.type field is set to ‘o +insecureskipverify
+ +bool + + + +(Optional) +

InsecureSkipVerify allows connecting to a HTTPS container registry without +verifying the server’s certificate chain and host name. +This field is only taken into account if the .spec.type field is set to ‘oci’.

+ + + + timeout
@@ -2619,6 +2633,20 @@ This field is only taken into account if the .spec.type field is set to ‘o +insecureskipverify
+ +bool + + + +(Optional) +

InsecureSkipVerify allows connecting to a HTTPS container registry without +verifying the server’s certificate chain and host name. +This field is only taken into account if the .spec.type field is set to ‘oci’.

+ + + + timeout
diff --git a/docs/spec/v1beta2/helmrepositories.md b/docs/spec/v1beta2/helmrepositories.md index 0fd33ed00..5c3eab01d 100644 --- a/docs/spec/v1beta2/helmrepositories.md +++ b/docs/spec/v1beta2/helmrepositories.md @@ -354,6 +354,15 @@ denying insecure non-TLS connections when fetching Helm chart OCI artifacts. **Note**: The insecure field is supported only for Helm OCI repositories. The `spec.type` field must be set to `oci`. +### InsecureSkipVerify + +`.spec.insecureSkipVerify` is an optional field to allow connecting to a secure (HTTPS) +container registry server without verifying the server's certificate chain and host name, +if set to `true`. The default value is `false`, + +**Note**: The insecureSkipVerify field is supported only for Helm OCI repositories. +The `spec.type` field must be set to `oci`. + ### Interval **Note:** This field is ineffectual for [OCI Helm diff --git a/internal/helm/getter/client_opts.go b/internal/helm/getter/client_opts.go index 4dfc97b40..7432778b9 100644 --- a/internal/helm/getter/client_opts.go +++ b/internal/helm/getter/client_opts.go @@ -88,7 +88,11 @@ func GetClientOpts(ctx context.Context, c client.Client, obj *helmv1.HelmReposit err error ) // Check `.spec.certSecretRef` first for any TLS auth data. - if obj.Spec.CertSecretRef != nil { + if obj.Spec.InsecureSkipVerify { + hrOpts.TlsConfig = &tls.Config{ + InsecureSkipVerify: true, + } + } else if obj.Spec.CertSecretRef != nil { certSecret, err = fetchSecret(ctx, c, obj.Spec.CertSecretRef.Name, obj.GetNamespace()) if err != nil { return nil, "", fmt.Errorf("failed to get TLS authentication secret '%s/%s': %w", obj.GetNamespace(), obj.Spec.CertSecretRef.Name, err) From 6ade3d593384d45e12abb2d8427fefa556fac7c4 Mon Sep 17 00:00:00 2001 From: Unai Arrien Date: Wed, 24 Jan 2024 20:00:25 +0100 Subject: [PATCH 2/2] Fix typo 
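Review bot: When `.spec.insecureSkipVerify` is true, the new first branch in client_opts.go assigns a fresh `tls.Config` and the `else if obj.Spec.CertSecretRef != nil` branch is skipped, so a client certificate or CA supplied through `.spec.certSecretRef` is silently discarded and a registry that requires mutual TLS fails with no hint why. Keep `if obj.Spec.CertSecretRef != nil {` as the first branch and relax verification only after the TLS config has been built (that code is outside the hunk): `if hrOpts.TlsConfig == nil { hrOpts.TlsConfig = &tls.Config{} }` then `hrOpts.TlsConfig.InsecureSkipVerify = true`. Nothing in the visible lines restricts the branch to `.spec.type` `oci`, although the API doc says the field is only taken into account there; unless that is enforced outside this hunk, add the check. The comment "Check `.spec.certSecretRef` first" now sits above a different condition and should be updated, and since the flag turns off server authentication for every pull, a log line or event when it is in effect would make that visible to operators. GetClientOpts starts and ends outside the hunk.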
Signed-off-by: Unai Arrien --- .../crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml | 2 +- docs/api/v1beta2/source.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml b/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml index 46da55132..9f051951c 100644 --- a/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml +++ b/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml @@ -319,7 +319,7 @@ spec: field is set to 'oci'. type: boolean insecureSkipVerify: - description: Insecure allows connecting to a HTTPS container registry + description: InsecureSkipVerify allows connecting to a HTTPS container registry without verifying the server's certificate chain and host name. This field is only taken into account if the .spec.type field is set to 'oci'. type: boolean diff --git a/docs/api/v1beta2/source.md b/docs/api/v1beta2/source.md index 6d6ace131..35c8f420b 100644 --- a/docs/api/v1beta2/source.md +++ b/docs/api/v1beta2/source.md @@ -887,7 +887,7 @@ This field is only taken into account if the .spec.type field is set to ‘o -insecureskipverify
+insecureSkipVerify
bool @@ -2633,7 +2633,7 @@ This field is only taken into account if the .spec.type field is set to ‘o -insecureskipverify
+insecureSkipVerify
bool