Add helm insecure skip tls verify (#901) (#925)

This is a backport of PR #901 as merged into main (914a16e).
SUMMARY
Added the option insecure_skip_tls_verify  to the following helm modules:

helm_repository
helm
Unified the option with alias in helm_pull

For helm, added the option to the helm diff call, as it got fixed upstream.
Upstream Issue: databus23/helm-diff#503
Fixed with: helm/helm#12856
Fixes #694
ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME

kubernetes.core.helm
kubernetes.core.helm_repository
kubernetes.core.helm_pull

ADDITIONAL INFORMATION
Basically the option was added in the parameters set in the ansible job, in the docs and then injected in the helm and helm diff binary calls if set. Defaults to False.
Example
---
- name: Test helm modules
  tasks:
    - name: Test helm repository insecure
      kubernetes.core.helm_repository:
        name: insecure
        repo_url: "<helm-repo-with-self-signed-tls>"
        state: present
        insecure_skip_tls_verify: true
    - name: Test helm pull insecure
      kubernetes.core.helm_pull:
        chart_ref: "oci://<helm-repo-with-self-signed-tls>/ptroject"
        destination: /tmp
        insecure_skip_tls_verify: true
    - name: Test helm insecure
      kubernetes.core.helm:
        name: insecure
        chart_ref: "oci://<helm-repo-with-self-signed-tls>/project"
        namespace: helm-insecure-test
        state: present
        insecure_skip_tls_verify: true
Note
Might need an alias for telm_template, as the option is called insecure_registry, in the manual and docs of helm it would be --insecure-skip-tls-verify as well though.
Not included, as it was recently merged with #805

Reviewed-by: Bianca Henderson <beeankha@gmail.com>
Reviewed-by: Mike Graves <mgraves@redhat.com>

tests/integration/targets/helm/defaults/main.yml

@@ -3,6 +3,7 @@ helm_default_archive_name: "helm-{{ helm_version }}-{{ ansible_system | lower }}
 helm_binary: "/tmp/helm/{{ ansible_system | lower }}-amd64/helm"
 
 chart_test: "ingress-nginx"
+chart_test_oci: "oci://registry-1.docker.io/bitnamicharts/redis"
 chart_test_local_path: "nginx-ingress"
 chart_test_version: 4.2.4
 chart_test_version_local_path: 1.32.0
@@ -27,3 +28,4 @@ test_namespace:
   - "helm-reuse-values"
   - "helm-chart-with-space-into-name"
   - "helm-reset-then-reuse-values"
+  - "helm-insecure"

tests/integration/targets/helm/tasks/main.yml

@@ -4,4 +4,5 @@
   loop_control:
     loop_var: helm_version
   with_items:
+    - "v3.15.4"
     - "v3.16.0"

tests/integration/targets/helm/tasks/run_test.yml

@@ -44,6 +44,9 @@
 - name: Test Skip CRDS feature in helm chart install
   include_tasks: test_crds.yml
 
+- name: Test insecure registry flag feature
+  include_tasks: test_helm_insecure.yml
+
 - name: Clean helm install
   file:
     path: "{{ item }}"

tests/integration/targets/helm/tasks/test_crds.yml

@@ -3,78 +3,89 @@
   vars:
     test_chart: "test-crds"
     helm_namespace: "{{ test_namespace[0] }}"
+    helm_binary: helm
   block:
     - name: Create namespace
       k8s:
         kind: Namespace
         name: "{{ helm_namespace }}"
 
-    - name: Copy test chart
-      copy:
-        src: "{{ test_chart }}"
-        dest: "/tmp/helm_test_crds/"
-
-    - name: Install chart while skipping CRDs
-      helm:
-        binary_path: "{{ helm_binary }}"
-        chart_ref: "/tmp/helm_test_crds/{{ test_chart }}"
-        namespace: "{{ helm_namespace }}"
-        name: test-crds
-        skip_crds: true
-      register: install
-
-    - assert:
-        that:
-          - install is changed
-          - install.status.name == "test-crds"
-
-    - name: Fail to create custom resource
-      k8s:
-        definition:
-          apiVersion: ansible.com/v1
-          kind: Foo
-          metadata:
-            namespace: "{{ helm_namespace }}"
-            name: test-foo
-          foobar: footest
+    - name: Check if CRD resource is already present
+      k8s_info:
+        namespace: default
+        kind: Foo
+        api_version: ansible.com/v1
       ignore_errors: true
-      register: result
+      register: crd_check
 
-    - assert:
-        that:
-          - result is failed
-          - "result.msg.startswith('Failed to find exact match for ansible.com/v1.Foo')"
+    - when: crd_check is failed
+      block:
+        - name: Copy test chart
+          copy:
+            src: "{{ test_chart }}"
+            dest: "/tmp/helm_test_crds/"
 
-    # Helm won't install CRDs into an existing release, so we need to delete this, first
-    - name: Uninstall chart
-      helm:
-        binary_path: "{{ helm_binary }}"
-        namespace: "{{ helm_namespace }}"
-        name: test-crds
-        state: absent
-
-    - name: Install chart with CRDs
-      helm:
-        binary_path: "{{ helm_binary }}"
-        chart_ref: "/tmp/helm_test_crds/{{ test_chart }}"
-        namespace: "{{ helm_namespace }}"
-        name: test-crds
-
-    - name: Create custom resource
-      k8s:
-        definition:
-          apiVersion: ansible.com/v1
-          kind: Foo
-          metadata:
+        - name: Install chart while skipping CRDs
+          helm:
+            binary_path: "{{ helm_binary }}"
+            chart_ref: "/tmp/helm_test_crds/{{ test_chart }}"
             namespace: "{{ helm_namespace }}"
-            name: test-foo
-          foobar: footest
-      register: result
+            name: test-crds
+            skip_crds: true
+          register: install
 
-    - assert:
-        that:
-          - result is changed
-          - result.result.foobar == "footest"
+        - assert:
+            that:
+              - install is changed
+              - install.status.name == "test-crds"
+
+        - name: Fail to create custom resource
+          k8s:
+            definition:
+              apiVersion: ansible.com/v1
+              kind: Foo
+              metadata:
+                namespace: "{{ helm_namespace }}"
+                name: test-foo
+              foobar: footest
+          ignore_errors: true
+          register: result
+
+        - assert:
+            that:
+              - result is failed
+              - "result.msg.startswith('Failed to find exact match for ansible.com/v1.Foo')"
+
+        # Helm won't install CRDs into an existing release, so we need to delete this, first
+        - name: Uninstall chart
+          helm:
+            binary_path: "{{ helm_binary }}"
+            namespace: "{{ helm_namespace }}"
+            name: test-crds
+            state: absent
+
+        - name: Install chart with CRDs
+          helm:
+            binary_path: "{{ helm_binary }}"
+            chart_ref: "/tmp/helm_test_crds/{{ test_chart }}"
+            namespace: "{{ helm_namespace }}"
+            name: test-crds
+
+        - name: Create custom resource
+          k8s:
+            definition:
+              apiVersion: ansible.com/v1
+              kind: Foo
+              metadata:
+                namespace: "{{ helm_namespace }}"
+                name: test-foo
+              foobar: footest
+          register: result
+
+        - assert:
+            that:
+              - result is changed
+              - result.result.foobar == "footest"
 
   always:
     - name: Remove chart

tests/integration/targets/helm/tasks/test_helm_insecure.yml

@@ -0,0 +1,52 @@
+---
+- name: Test helm insecure
+  vars:
+    helm_namespace: "{{ test_namespace[12] }}"
+  block:
+
+    - name: Initial chart installation (no flag set)
+      helm:
+        binary_path: "{{ helm_binary }}"
+        chart_ref: "{{ chart_test_oci }}"
+        release_name: test-secure
+        release_namespace: "{{ helm_namespace }}"
+        create_namespace: true
+      register: install
+
+    - name: Validate that insecure flag is not set
+      assert:
+        that:
+          - install is changed
+          - '"--insecure-skip-tls-verify" not in install.command'
+
+    - name: Initial chart installation (insecure flag set)
+      helm:
+        binary_path: "{{ helm_binary }}"
+        chart_ref: "{{ chart_test_oci }}"
+        release_name: test-insecure
+        release_namespace: "{{ helm_namespace }}"
+        insecure_skip_tls_verify: true
+      register: install
+      ignore_errors: true
+
+    - name: Validate that insecure flag IS set if helm version is >= 3.16.0
+      assert:
+        that:
+          - install is changed
+          - '"--insecure-skip-tls-verify" in install.command'
+      when: '"v3.16.0" <= helm_version'
+
+    - name: Validate that feature fails for helm < 3.16.0
+      assert:
+        that:
+          - install is failed
+          - '"insecure_skip_tls_verify requires helm >= 3.16.0" in install.msg'
+      when: 'helm_version < "v3.16.0"'
+
+  always:
+    - name: Remove helm namespace
+      k8s:
+        api_version: v1
+        kind: Namespace
+        name: "{{ helm_namespace }}"
+        state: absent

tests/integration/targets/helm_repository/meta/main.yml

@@ -1,3 +1,5 @@
 ---
+collections:
+  - kubernetes.core
 dependencies:
   - install_helm

tests/integration/targets/helm_repository/tasks/main.yml

@@ -16,6 +16,7 @@
   assert:
     that:
       - repository is changed
+      - '"--insecure-skip-tls-verify" not in repository.command'
 
 - name: Check idempotency
   helm_repository:
@@ -78,3 +79,23 @@
   assert:
     that:
       - repository is not changed
+
+- name: Add test_helm_repo chart repository as insecure
+  helm_repository:
+    binary_path: "{{ helm_binary }}"
+    name: test_helm_repo
+    repo_url: "{{ chart_test_repo }}"
+    insecure_skip_tls_verify: true
+  register: repository
+
+- name: Assert that repository added and flag set
+  assert:
+    that:
+      - repository is changed
+      - '"--insecure-skip-tls-verify" in repository.command'
+
+- name: Clean test_helm_repo chart repository
+  helm_repository:
+    binary_path: "{{ helm_binary }}"
+    name: test_helm_repo
+    state: absent