helm: Remove the TLS tmp dir logic

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>

Author: stefanprodan

internal/controller/helmchart_controller.go

@@ -524,7 +524,7 @@ func (r *HelmChartReconciler) buildFromHelmRepository(ctx context.Context, obj *
 		return chartRepoConfigErrorReturn(err, obj)
 	}
 
-	clientOpts, certsTmpDir, err := getter.GetClientOpts(ctxTimeout, r.Client, repo, normalizedURL)
+	clientOpts, err := getter.GetClientOpts(ctxTimeout, r.Client, repo, normalizedURL)
 	if err != nil && !errors.Is(err, getter.ErrDeprecatedTLSConfig) {
 		e := serror.NewGeneric(
 			err,
@@ -533,14 +533,6 @@ func (r *HelmChartReconciler) buildFromHelmRepository(ctx context.Context, obj *
 		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 		return sreconcile.ResultEmpty, e
 	}
-	if certsTmpDir != "" {
-		defer func() {
-			if err := os.RemoveAll(certsTmpDir); err != nil {
-				r.eventLogf(ctx, obj, corev1.EventTypeWarning, meta.FailedReason,
-					"failed to delete temporary certificates directory: %s", err)
-			}
-		}()
-	}
 
 	getterOpts := clientOpts.GetterOpts
 
@@ -1019,7 +1011,7 @@ func (r *HelmChartReconciler) namespacedChartRepositoryCallback(ctx context.Cont
 		ctxTimeout, cancel := context.WithTimeout(ctx, obj.GetTimeout())
 		defer cancel()
 
-		clientOpts, certsTmpDir, err := getter.GetClientOpts(ctxTimeout, r.Client, obj, normalizedURL)
+		clientOpts, err := getter.GetClientOpts(ctxTimeout, r.Client, obj, normalizedURL)
 		if err != nil && !errors.Is(err, getter.ErrDeprecatedTLSConfig) {
 			return nil, err
 		}
@@ -1038,7 +1030,6 @@ func (r *HelmChartReconciler) namespacedChartRepositoryCallback(ctx context.Cont
 			ociChartRepo, err := repository.NewOCIChartRepository(normalizedURL, repository.WithOCIGetter(r.Getters),
 				repository.WithOCIGetterOptions(getterOpts),
 				repository.WithOCIRegistryClient(registryClient),
-				repository.WithCertificatesStore(certsTmpDir),
 				repository.WithCredentialsFile(credentialsFile))
 			if err != nil {
 				errs = append(errs, fmt.Errorf("failed to create OCI chart repository: %w", err))

internal/controller/helmrepository_controller.go

@@ -416,7 +416,7 @@ func (r *HelmRepositoryReconciler) reconcileSource(ctx context.Context, sp *patc
 		return sreconcile.ResultEmpty, e
 	}
 
-	clientOpts, _, err := getter.GetClientOpts(ctx, r.Client, obj, normalizedURL)
+	clientOpts, err := getter.GetClientOpts(ctx, r.Client, obj, normalizedURL)
 	if err != nil {
 		if errors.Is(err, getter.ErrDeprecatedTLSConfig) {
 			ctrl.LoggerFrom(ctx).

internal/helm/getter/client_opts.go

@@ -21,8 +21,6 @@ import (
 	"crypto/tls"
 	"errors"
 	"fmt"
-	"os"
-	"path"
 
 	"github.com/google/go-containerregistry/pkg/authn"
 	helmgetter "helm.sh/helm/v3/pkg/getter"
@@ -69,7 +67,7 @@ func (o ClientOpts) MustLoginToRegistry() bool {
 // auth mechanisms.
 // A temporary directory is created to store the certs files if needed and its path is returned along with the options object. It is the
 // caller's responsibility to clean up the directory.
-func GetClientOpts(ctx context.Context, c client.Client, obj *sourcev1.HelmRepository, url string) (*ClientOpts, string, error) {
+func GetClientOpts(ctx context.Context, c client.Client, obj *sourcev1.HelmRepository, url string) (*ClientOpts, error) {
 	// This function configures authentication for Helm repositories based on the provided secrets:
 	// - CertSecretRef: TLS client certificates (always takes priority)
 	// - SecretRef: Can contain Basic Auth or TLS certificates (deprecated)
@@ -84,17 +82,16 @@ func GetClientOpts(ctx context.Context, c client.Client, obj *sourcev1.HelmRepos
 	}
 
 	// Process secrets and configure authentication
-	deprecatedTLS, certSecret, authSecret, err := configureAuthentication(ctx, c, obj, opts, url)
+	deprecatedTLS, _, authSecret, err := configureAuthentication(ctx, c, obj, opts)
 	if err != nil {
-		return nil, "", err
+		return nil, err
 	}
 
 	// Setup OCI registry specific configurations if needed
-	var tempCertDir string
 	if obj.Spec.Type == sourcev1.HelmRepositoryTypeOCI {
-		tempCertDir, err = configureOCIRegistryWithSecrets(ctx, obj, opts, url, certSecret, authSecret)
+		err = configureOCIRegistryWithSecrets(ctx, obj, opts, url, authSecret)
 		if err != nil {
-			return nil, "", err
+			return nil, err
 		}
 	}
 
@@ -103,15 +100,15 @@ func GetClientOpts(ctx context.Context, c client.Client, obj *sourcev1.HelmRepos
 		deprecatedErr = ErrDeprecatedTLSConfig
 	}
 
-	return opts, tempCertDir, deprecatedErr
+	return opts, deprecatedErr
 }
 
 // configureAuthentication processes all secret references and sets up authentication.
 // Returns (deprecatedTLS, certSecret, authSecret, error) where:
 // - deprecatedTLS: true if TLS config comes from SecretRef (deprecated pattern)
 // - certSecret: the secret from CertSecretRef (nil if not specified)
 // - authSecret: the secret from SecretRef (nil if not specified)
-func configureAuthentication(ctx context.Context, c client.Client, obj *sourcev1.HelmRepository, opts *ClientOpts, url string) (bool, *corev1.Secret, *corev1.Secret, error) {
+func configureAuthentication(ctx context.Context, c client.Client, obj *sourcev1.HelmRepository, opts *ClientOpts) (bool, *corev1.Secret, *corev1.Secret, error) {
 	var deprecatedTLS bool
 	var certSecret, authSecret *corev1.Secret
 
@@ -171,12 +168,12 @@ func configureAuthentication(ctx context.Context, c client.Client, obj *sourcev1
 }
 
 // configureOCIRegistryWithSecrets sets up OCI-specific configurations using pre-fetched secrets
-func configureOCIRegistryWithSecrets(ctx context.Context, obj *sourcev1.HelmRepository, opts *ClientOpts, url string, certSecret, authSecret *corev1.Secret) (string, error) {
+func configureOCIRegistryWithSecrets(ctx context.Context, obj *sourcev1.HelmRepository, opts *ClientOpts, url string, authSecret *corev1.Secret) error {
 	// Configure OCI authentication from authSecret if available
 	if authSecret != nil {
 		keychain, err := registry.LoginOptionFromSecret(url, *authSecret)
 		if err != nil {
-			return "", fmt.Errorf("failed to configure login options: %w", err)
+			return fmt.Errorf("failed to configure login options: %w", err)
 		}
 		opts.Keychain = keychain
 	}
@@ -185,48 +182,22 @@ func configureOCIRegistryWithSecrets(ctx context.Context, obj *sourcev1.HelmRepo
 	if obj.Spec.SecretRef == nil && obj.Spec.Provider != "" && obj.Spec.Provider != sourcev1.GenericOCIProvider {
 		authenticator, err := soci.OIDCAuth(ctx, url, obj.Spec.Provider)
 		if err != nil {
-			return "", fmt.Errorf("failed to get credential from '%s': %w", obj.Spec.Provider, err)
+			return fmt.Errorf("failed to get credential from '%s': %w", obj.Spec.Provider, err)
 		}
 		opts.Authenticator = authenticator
 	}
 
 	// Setup registry login options
 	loginOpt, err := registry.NewLoginOption(opts.Authenticator, opts.Keychain, url)
 	if err != nil {
-		return "", err
+		return err
 	}
 
 	if loginOpt != nil {
 		opts.RegLoginOpts = []helmreg.LoginOption{loginOpt, helmreg.LoginOptInsecure(obj.Spec.Insecure)}
 	}
 
-	// Handle TLS certificate files for OCI
-	var tempCertDir string
-	if opts.TlsConfig != nil {
-		tempCertDir, err = os.MkdirTemp("", "helm-repo-oci-certs")
-		if err != nil {
-			return "", fmt.Errorf("cannot create temporary directory: %w", err)
-		}
-
-		var tlsSecret *corev1.Secret
-		if certSecret != nil {
-			tlsSecret = certSecret
-		} else if authSecret != nil {
-			tlsSecret = authSecret
-		}
-
-		certFile, keyFile, caFile, err := storeTLSCertificateFilesForOCI(ctx, tlsSecret, nil, tempCertDir)
-		if err != nil {
-			return "", fmt.Errorf("cannot write certs files to path: %w", err)
-		}
-
-		tlsLoginOpt := registry.TLSLoginOption(certFile, keyFile, caFile)
-		if tlsLoginOpt != nil {
-			opts.RegLoginOpts = append(opts.RegLoginOpts, tlsLoginOpt)
-		}
-	}
-
-	return tempCertDir, nil
+	return nil
 }
 
 func fetchSecret(ctx context.Context, c client.Client, name, namespace string) (*corev1.Secret, error) {
@@ -240,57 +211,3 @@ func fetchSecret(ctx context.Context, c client.Client, name, namespace string) (
 	}
 	return &secret, nil
 }
-
-// storeTLSCertificateFilesForOCI writes TLS certificate data from secrets to files for OCI registry authentication.
-// Helm OCI registry client requires certificate file paths rather than in-memory data,
-// so we need to temporarily write the certificate data to disk.
-// Returns paths to the written cert, key, and CA files (any of which may be empty if not present).
-func storeTLSCertificateFilesForOCI(ctx context.Context, certSecret, authSecret *corev1.Secret, path string) (string, string, string, error) {
-	var (
-		certFile string
-		keyFile  string
-		caFile   string
-		err      error
-	)
-
-	// Try to get TLS data from certSecret first, then authSecret
-	var tlsSecret *corev1.Secret
-	if certSecret != nil {
-		tlsSecret = certSecret
-	} else if authSecret != nil {
-		tlsSecret = authSecret
-	}
-
-	if tlsSecret != nil {
-		if certData, exists := tlsSecret.Data[secrets.KeyTLSCert]; exists {
-			if keyData, keyExists := tlsSecret.Data[secrets.KeyTLSPrivateKey]; keyExists {
-				certFile, err = writeToFile(certData, certFileName, path)
-				if err != nil {
-					return "", "", "", err
-				}
-				keyFile, err = writeToFile(keyData, keyFileName, path)
-				if err != nil {
-					return "", "", "", err
-				}
-			}
-		}
-
-		if caData, exists := tlsSecret.Data[secrets.KeyCACert]; exists {
-			caFile, err = writeToFile(caData, caFileName, path)
-			if err != nil {
-				return "", "", "", err
-			}
-		}
-	}
-
-	return certFile, keyFile, caFile, nil
-}
-
-func writeToFile(data []byte, filename, tmpDir string) (string, error) {
-	file := path.Join(tmpDir, filename)
-	err := os.WriteFile(file, data, 0o600)
-	if err != nil {
-		return "", err
-	}
-	return file, nil
-}

internal/helm/getter/client_opts_test.go

@@ -164,7 +164,7 @@ func TestGetClientOpts(t *testing.T) {
 			}
 			c := clientBuilder.Build()
 
-			clientOpts, _, err := GetClientOpts(context.TODO(), c, helmRepo, "https://ghcr.io/dummy")
+			clientOpts, err := GetClientOpts(context.TODO(), c, helmRepo, "https://ghcr.io/dummy")
 			if tt.err != nil {
 				g.Expect(err).To(Equal(tt.err))
 			} else {
@@ -207,7 +207,7 @@ func TestGetClientOpts_registryTLSLoginOption(t *testing.T) {
 					"password": []byte("pass"),
 				},
 			},
-			loginOptsN: 3,
+			loginOptsN: 2,
 		},
 		{
 			name: "without caFile",
@@ -271,7 +271,7 @@ func TestGetClientOpts_registryTLSLoginOption(t *testing.T) {
 			}
 			c := clientBuilder.Build()
 
-			clientOpts, tmpDir, err := GetClientOpts(context.TODO(), c, helmRepo, "https://ghcr.io/dummy")
+			clientOpts, err := GetClientOpts(context.TODO(), c, helmRepo, "https://ghcr.io/dummy")
 			if tt.wantErrMsg != "" {
 				if err == nil {
 					t.Errorf("GetClientOpts() expected error but got none")
@@ -287,9 +287,6 @@ func TestGetClientOpts_registryTLSLoginOption(t *testing.T) {
 				t.Errorf("GetClientOpts() error = %v", err)
 				return
 			}
-			if tmpDir != "" {
-				defer os.RemoveAll(tmpDir)
-			}
 			if tt.loginOptsN != len(clientOpts.RegLoginOpts) {
 				// we should have a login option but no TLS option
 				t.Errorf("expected length of %d for clientOpts.RegLoginOpts but got %d", tt.loginOptsN, len(clientOpts.RegLoginOpts))