Skip to content

Commit 4a55ce2

Browse files
aryan9600aryan9600
committed
helmrepo: add docs for .spec.certSecretRef
Signed-off-by: Sanskar Jaiswal <[email protected]>
1 parent 79adec5 commit 4a55ce2

File tree

1 file changed

+28
-6
lines changed

1 file changed

+28
-6
lines changed

docs/spec/v1beta2/helmrepositories.md

Lines changed: 28 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -452,15 +452,37 @@ flux create secret oci ghcr-auth \
452452
--password=${GITHUB_PAT}
453453
```
454454

455-
#### TLS authentication
455+
**Note:** Support for specifying TLS authentication data using this API has been
456+
deprecated. Please use [`.spec.certSecretRef`](#cert-secret-reference) instead.
457+
If the controller uses the secret specfied by this field to configure TLS, then
458+
a deprecation warning will be logged.
459+
460+
### Cert secret reference
456461

457462
**Note:** TLS authentication is not yet supported by OCI Helm repositories.
458463

459-
To provide TLS credentials to use while connecting with the Helm repository,
460-
the referenced Secret is expected to contain `.data.certFile` and
461-
`.data.keyFile`, and/or `.data.caFile` values.
464+
`.spec.certSecretRef.name` is an optional field to specify a secret containing TLS
465+
certificate data. The secret can contain the following keys:
462466

463-
For example:
467+
* `certFile` and `keyFile`, to specify the client certificate and private key used for
468+
TLS client authentication. These must be used in conjunction, i.e. specifying one without
469+
the other will lead to an error.
470+
* `caFile`, to specify the CA certificate used to verify the server, which is required
471+
if the server is using a self-signed certificate.
472+
473+
If the server is using a self-signed certificate and has TLS client authentication enabled,
474+
all three values are required.
475+
476+
All the files in the secret are expected to be [PEM-encoded][pem-encoding]. Assuming you have
477+
three files; `client.key`, `client.crt` and `ca.crt` for the client private key, client
478+
certificate and the CA certificate respectively, you can generate the required secret using
479+
the `flux creat secret helm` command:
480+
481+
```sh
482+
flux create secret helm tls --key-file=client.key --cert-file=client.crt --ca-file=ca.crt
483+
```
484+
485+
Example usage:
464486

465487
```yaml
466488
---
@@ -472,7 +494,7 @@ metadata:
472494
spec:
473495
interval: 5m0s
474496
url: https://example.com
475-
secretRef:
497+
certSecretRef:
476498
name: example-tls
477499
---
478500
apiVersion: v1

0 commit comments

Comments
 (0)