diff --git a/changelogs/fragments/694-add-insecure-skip-tls-verify.yml b/changelogs/fragments/694-add-insecure-skip-tls-verify.yml new file mode 100644 index 00000000..08e94a69 --- /dev/null +++ b/changelogs/fragments/694-add-insecure-skip-tls-verify.yml @@ -0,0 +1,4 @@ +--- +minor_changes: + - helm - add support for ``insecure_skip_tls_verify`` option to helm and + helm_repository(https://github.com/ansible-collections/kubernetes.core/issues/694). diff --git a/plugins/modules/helm.py b/plugins/modules/helm.py index 548b2724..8940158d 100644 --- a/plugins/modules/helm.py +++ b/plugins/modules/helm.py @@ -228,6 +228,15 @@ options: - mutually exclusive with with C(replace). type: int version_added: 2.2.0 + insecure_skip_tls_verify: + description: + - Skip tls certificate checks for the chart download. + - Do not confuse with the C(validate_certs) option. + - This option is only available for helm >= 3.16.0. + type: bool + default: False + aliases: [ skip_tls_certs_check ] + version_added: 5.3.0 extends_documentation_fragment: - kubernetes.core.helm_common_options """ @@ -486,12 +495,15 @@ def run_dep_update(module, chart_ref): rc, out, err = module.run_helm_command(dep_update) -def fetch_chart_info(module, command, chart_ref): +def fetch_chart_info(module, command, chart_ref, insecure_skip_tls_verify=False): """ Get chart info """ inspect_command = command + f" show chart '{chart_ref}'" + if insecure_skip_tls_verify: + inspect_command += " --insecure-skip-tls-verify" + rc, out, err = module.run_helm_command(inspect_command) return yaml.safe_load(out) @@ -520,6 +532,7 @@ def deploy( reuse_values=None, reset_values=True, reset_then_reuse_values=False, + insecure_skip_tls_verify=False, ): """ Install/upgrade/rollback release chart 
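Review bot: In the fetch_chart_info hunk `--insecure-skip-tls-verify` is appended with no helm version check, although the option is documented as helm >= 3.16.0 only and the deploy hunk gates the same flag on that version; the helmdiff_check hunk has the same gap. main() calls fetch_chart_info before deploy, so on an older helm the flag reaches `helm show chart` first, and the user may get helm's own error instead of the module's "requires helm >= 3.16.0" message. The path that goes through helmdiff_check never reaches the gate in deploy at all. Doing the check once in main(), right after the parameter is read, would cover all three call sites; the rest of main() and the callers are outside these hunks.

```python
    insecure_skip_tls_verify = module.params.get("insecure_skip_tls_verify")
    # Gate once, before any helm sub-command receives the flag.
    if insecure_skip_tls_verify:
        helm_version = module.get_helm_version()
        if LooseVersion(helm_version) < LooseVersion("3.16.0"):
            module.fail_json(
                msg="insecure_skip_tls_verify requires helm >= 3.16.0, current version is {0}".format(
                    helm_version
                )
            )
    # … unchanged: repo cache update, chart info fetch, deploy / helmdiff_check calls …
```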
@@ -571,6 +584,17 @@ def deploy( if create_namespace: deploy_command += " --create-namespace" + if insecure_skip_tls_verify: + helm_version = module.get_helm_version() + if LooseVersion(helm_version) < LooseVersion("3.16.0"): + module.fail_json( + msg="insecure_skip_tls_verify requires helm >= 3.16.0, current version is {0}".format( + helm_version + ) + ) + else: + deploy_command += " --insecure-skip-tls-verify" + if values_files: for value_file in values_files: deploy_command += " --values=" + value_file @@ -665,6 +689,7 @@ def helmdiff_check( reuse_values=None, reset_values=True, reset_then_reuse_values=False, + insecure_skip_tls_verify=False, ): """ Use helm diff to determine if a release would change by upgrading a chart. @@ -717,6 +742,9 @@ def helmdiff_check( else: cmd += " --reset-then-reuse-values" + if insecure_skip_tls_verify: + cmd += " --insecure-skip-tls-verify" + rc, out, err = module.run_helm_command(cmd) return (len(out.strip()) > 0, out.strip()) @@ -777,6 +805,9 @@ def argument_spec(): reuse_values=dict(type="bool"), reset_values=dict(type="bool", default=True), reset_then_reuse_values=dict(type="bool", default=False), + insecure_skip_tls_verify=dict( + type="bool", default=False, aliases=["skip_tls_certs_check"] + ), ) ) return arg_spec @@ -830,6 +861,7 @@ def main(): reuse_values = module.params.get("reuse_values") reset_values = module.params.get("reset_values") reset_then_reuse_values = module.params.get("reset_then_reuse_values") + insecure_skip_tls_verify = module.params.get("insecure_skip_tls_verify") if update_repo_cache: run_repo_update(module) @@ -867,7 +899,9 @@ def main(): helm_cmd += " --repo=" + chart_repo_url # Fetch chart info to have real version and real name for chart_ref from archive, folder or url - chart_info = fetch_chart_info(module, helm_cmd, chart_ref) + chart_info = fetch_chart_info( + module, helm_cmd, chart_ref, insecure_skip_tls_verify + ) if dependency_update: if chart_info.get("dependencies"): 
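Review bot: Nothing in the deploy hunk records that certificate verification was turned off; the flag is appended silently, so a run leaves no trace of it unless someone inspects the full command string. Because the option removes authentication of the chart source for the download, it is worth surfacing in task output. If the module wrapper exposes `warn`, add `module.warn("insecure_skip_tls_verify is set: TLS certificates are not verified for the chart download")` next to the `deploy_command += " --insecure-skip-tls-verify"` line. deploy's body continues outside the hunk.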
@@ -927,6 +961,7 @@ def main(): reuse_values=reuse_values, reset_values=reset_values, reset_then_reuse_values=reset_then_reuse_values, + insecure_skip_tls_verify=insecure_skip_tls_verify, ) changed = True @@ -953,6 +988,7 @@ def main(): reuse_values=reuse_values, reset_values=reset_values, reset_then_reuse_values=reset_then_reuse_values, + insecure_skip_tls_verify=insecure_skip_tls_verify, ) if would_change and module._diff: opt_result["diff"] = {"prepared": prepared} @@ -989,6 +1025,7 @@ def main(): reuse_values=reuse_values, reset_values=reset_values, reset_then_reuse_values=reset_then_reuse_values, + insecure_skip_tls_verify=insecure_skip_tls_verify, ) changed = True diff --git a/plugins/modules/helm_pull.py b/plugins/modules/helm_pull.py index 943d4c51..b6ec273e 100644 --- a/plugins/modules/helm_pull.py +++ b/plugins/modules/helm_pull.py @@ -75,9 +75,10 @@ options: skip_tls_certs_check: description: - Whether or not to check tls certificate for the chart download. - - Requires helm >= 3.3.0. + - Requires helm >= 3.3.0. Alias C(insecure_skip_tls_verify) added in 5.3.0. type: bool default: False + aliases: [ insecure_skip_tls_verify ] chart_devel: description: - Use development versions, too. Equivalent to version '>0.0.0-0'. @@ -190,7 +191,9 @@ def main(): type="str", no_log=True, aliases=["password", "chart_repo_password"] ), pass_credentials=dict(type="bool", default=False, no_log=False), - skip_tls_certs_check=dict(type="bool", default=False), + skip_tls_certs_check=dict( + type="bool", default=False, aliases=["insecure_skip_tls_verify"] + ), chart_devel=dict(type="bool"), untar_chart=dict(type="bool", default=False), destination=dict(type="path", required=True), diff --git a/plugins/modules/helm_repository.py b/plugins/modules/helm_repository.py index 2165e088..fabb83d4 100644 --- a/plugins/modules/helm_repository.py +++ b/plugins/modules/helm_repository.py 
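Review bot: The helm_pull option text still reads "Whether or not to check tls certificate for the chart download" with `default: False`, which can be read as the opposite of what setting the option to true does now that it carries the alias `insecure_skip_tls_verify`. Suggest rewording that description line to `- Skip TLS certificate checks for the chart download when set to C(true).` The minimum stated here is helm >= 3.3.0 while helm.py documents helm >= 3.16.0 for the same option name; if the difference is intended, one sentence saying why would stop readers from assuming one of the two is a typo.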
@@ -119,6 +119,13 @@ options: aliases: [ force ] default: False version_added: 2.4.0 + insecure_skip_tls_verify: + description: + - Skip tls certificate checks for the repository url. + type: bool + default: False + aliases: [ skip_tls_certs_check ] + version_added: "5.3.0" """ EXAMPLES = r""" @@ -226,6 +233,7 @@ def install_repository( repository_password, pass_credentials, force_update, + insecure_skip_tls_verify, ): install_command = command + " repo add " + repository_name + " " + repository_url @@ -239,6 +247,9 @@ def install_repository( if force_update: install_command += " --force-update" + if insecure_skip_tls_verify: + install_command += " --insecure-skip-tls-verify" + return install_command @@ -262,6 +273,9 @@ def argument_spec(): ), pass_credentials=dict(type="bool", default=False, no_log=True), force_update=dict(type="bool", default=False, aliases=["force"]), + insecure_skip_tls_verify=dict( + type="bool", default=False, aliases=["skip_tls_certs_check"] + ), ) ) return arg_spec @@ -290,6 +304,7 @@ def main(): repo_state = module.params.get("repo_state") pass_credentials = module.params.get("pass_credentials") force_update = module.params.get("force_update") + insecure_skip_tls_verify = module.params.get("insecure_skip_tls_verify") helm_cmd = module.get_helm_binary() @@ -308,6 +323,7 @@ def main(): repo_password, pass_credentials, force_update, + insecure_skip_tls_verify, ) changed = True elif repository_status["url"] != repo_url: diff --git a/tests/integration/targets/helm/defaults/main.yml b/tests/integration/targets/helm/defaults/main.yml index 2148766e..a6263619 100644 --- a/tests/integration/targets/helm/defaults/main.yml +++ b/tests/integration/targets/helm/defaults/main.yml 
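Review bot: The new `insecure_skip_tls_verify` description in helm_repository does not say that the same `repo add` command built by install_repository can also carry the repository username and password, so with verification off those credentials go to a server whose identity was never checked. Suggest adding a description line such as `- When enabled, repository credentials are sent without verifying the server certificate; use only against registries you control.` Unlike helm.py, this module documents no minimum helm version for the flag, and install_repository takes the new parameter without the `=False` default used in helm.py; both may be deliberate but are worth confirming. install_repository's body is only partly visible in these hunks.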
@@ -3,6 +3,7 @@ helm_default_archive_name: "helm-{{ helm_version }}-{{ ansible_system | lower }} helm_binary: "/tmp/helm/{{ ansible_system | lower }}-amd64/helm" chart_test: "ingress-nginx" +chart_test_oci: "oci://registry-1.docker.io/bitnamicharts/redis" chart_test_local_path: "nginx-ingress" chart_test_version: 4.2.4 chart_test_version_local_path: 1.32.0 @@ -27,3 +28,4 @@ test_namespace: - "helm-reuse-values" - "helm-chart-with-space-into-name" - "helm-reset-then-reuse-values" + - "helm-insecure" diff --git a/tests/integration/targets/helm/tasks/main.yml b/tests/integration/targets/helm/tasks/main.yml index 9eb7faea..a5f69a9d 100644 --- a/tests/integration/targets/helm/tasks/main.yml +++ b/tests/integration/targets/helm/tasks/main.yml @@ -4,4 +4,5 @@ loop_control: loop_var: helm_version with_items: + - "v3.15.4" - "v3.16.0" diff --git a/tests/integration/targets/helm/tasks/run_test.yml b/tests/integration/targets/helm/tasks/run_test.yml index 52212230..01c7f553 100644 --- a/tests/integration/targets/helm/tasks/run_test.yml +++ b/tests/integration/targets/helm/tasks/run_test.yml @@ -44,6 +44,9 @@ - name: Test Skip CRDS feature in helm chart install include_tasks: test_crds.yml +- name: Test insecure registry flag feature + include_tasks: test_helm_insecure.yml + - name: Clean helm install file: path: "{{ item }}" diff --git a/tests/integration/targets/helm/tasks/test_crds.yml b/tests/integration/targets/helm/tasks/test_crds.yml index 0534869b..7c051b3c 100644 --- a/tests/integration/targets/helm/tasks/test_crds.yml +++ b/tests/integration/targets/helm/tasks/test_crds.yml 
@@ -3,78 +3,89 @@ vars: test_chart: "test-crds" helm_namespace: "{{ test_namespace[0] }}" + helm_binary: helm block: - name: Create namespace k8s: kind: Namespace name: "{{ helm_namespace }}" - - name: Copy test chart - copy: - src: "{{ test_chart }}" - dest: "/tmp/helm_test_crds/" - - - name: Install chart while skipping CRDs - helm: - binary_path: "{{ helm_binary }}" - chart_ref: "/tmp/helm_test_crds/{{ test_chart }}" - namespace: "{{ helm_namespace }}" - name: test-crds - skip_crds: true - register: install - - - assert: - that: - - install is changed - - install.status.name == "test-crds" - - - name: Fail to create custom resource - k8s: - definition: - apiVersion: ansible.com/v1 - kind: Foo - metadata: - namespace: "{{ helm_namespace }}" - name: test-foo - foobar: footest + - name: Check if CRD resource is already present + k8s_info: + namespace: default + kind: Foo + api_version: ansible.com/v1 ignore_errors: true - register: result + register: crd_check - - assert: - that: - - result is failed - - "result.msg.startswith('Failed to find exact match for ansible.com/v1.Foo')" + - when: crd_check is failed + block: + - name: Copy test chart + copy: + src: "{{ test_chart }}" + dest: "/tmp/helm_test_crds/" - # Helm won't install CRDs into an existing release, so we need to delete this, first - - name: Uninstall chart - helm: - binary_path: "{{ helm_binary }}" - namespace: "{{ helm_namespace }}" - name: test-crds - state: absent - - - name: Install chart with CRDs - helm: - binary_path: "{{ helm_binary }}" - chart_ref: "/tmp/helm_test_crds/{{ test_chart }}" - namespace: "{{ helm_namespace }}" - name: test-crds - - - name: Create custom resource - k8s: - definition: - apiVersion: ansible.com/v1 - kind: Foo - metadata: + - name: Install chart while skipping CRDs + helm: + binary_path: "{{ helm_binary }}" + chart_ref: "/tmp/helm_test_crds/{{ test_chart }}" namespace: "{{ helm_namespace }}" - name: test-foo - foobar: footest - register: result + name: test-crds + 
skip_crds: true + register: install - - assert: - that: - - result is changed - - result.result.foobar == "footest" + - assert: + that: + - install is changed + - install.status.name == "test-crds" + + - name: Fail to create custom resource + k8s: + definition: + apiVersion: ansible.com/v1 + kind: Foo + metadata: + namespace: "{{ helm_namespace }}" + name: test-foo + foobar: footest + ignore_errors: true + register: result + + - assert: + that: + - result is failed + - "result.msg.startswith('Failed to find exact match for ansible.com/v1.Foo')" + + # Helm won't install CRDs into an existing release, so we need to delete this, first + - name: Uninstall chart + helm: + binary_path: "{{ helm_binary }}" + namespace: "{{ helm_namespace }}" + name: test-crds + state: absent + + - name: Install chart with CRDs + helm: + binary_path: "{{ helm_binary }}" + chart_ref: "/tmp/helm_test_crds/{{ test_chart }}" + namespace: "{{ helm_namespace }}" + name: test-crds + + - name: Create custom resource + k8s: + definition: + apiVersion: ansible.com/v1 + kind: Foo + metadata: + namespace: "{{ helm_namespace }}" + name: test-foo + foobar: footest + register: result + + - assert: + that: + - result is changed + - result.result.foobar == "footest" always: - name: Remove chart diff --git a/tests/integration/targets/helm/tasks/test_helm_insecure.yml b/tests/integration/targets/helm/tasks/test_helm_insecure.yml new file mode 100644 index 00000000..2da16a68 --- /dev/null +++ b/tests/integration/targets/helm/tasks/test_helm_insecure.yml 
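Review bot: With `when: crd_check is failed` the whole CRD scenario is skipped whenever the `k8s_info` lookup does not fail, and nothing reports the skip, so the target can pass without exercising `skip_crds` at all. The added `helm_binary: helm` var also appears to override the per-version path set in defaults/main.yml, so these tasks would run against whatever helm is on PATH rather than the version under test. If the goal is to run the CRD scenario only once per job, make the skip explicit, for example with a `debug` task stating why it was skipped, and keep `binary_path` pointing at the installed version. Neither change is mentioned in the changelog fragment.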
@@ -0,0 +1,52 @@ +--- +- name: Test helm insecure + vars: + helm_namespace: "{{ test_namespace[12] }}" + block: + + - name: Initial chart installation (no flag set) + helm: + binary_path: "{{ helm_binary }}" + chart_ref: "{{ chart_test_oci }}" + release_name: test-secure + release_namespace: "{{ helm_namespace }}" + create_namespace: true + register: install + + - name: Validate that insecure flag is not set + assert: + that: + - install is changed + - '"--insecure-skip-tls-verify" not in install.command' + + - name: Initial chart installation (insecure flag set) + helm: + binary_path: "{{ helm_binary }}" + chart_ref: "{{ chart_test_oci }}" + release_name: test-insecure + release_namespace: "{{ helm_namespace }}" + insecure_skip_tls_verify: true + register: install + ignore_errors: true + + - name: Validate that insecure flag IS set if helm version is >= 3.16.0 + assert: + that: + - install is changed + - '"--insecure-skip-tls-verify" in install.command' + when: '"v3.16.0" <= helm_version' + + - name: Validate that feature fails for helm < 3.16.0 + assert: + that: + - install is failed + - '"insecure_skip_tls_verify requires helm >= 3.16.0" in install.msg' + when: 'helm_version < "v3.16.0"' + + always: + - name: Remove helm namespace + k8s: + api_version: v1 + kind: Namespace + name: "{{ helm_namespace }}" + state: absent diff --git a/tests/integration/targets/helm_repository/meta/main.yml b/tests/integration/targets/helm_repository/meta/main.yml index cf4590de..c36db956 100644 --- a/tests/integration/targets/helm_repository/meta/main.yml +++ b/tests/integration/targets/helm_repository/meta/main.yml @@ -1,3 +1,5 @@ --- +collections: + - kubernetes.core dependencies: - install_helm diff --git a/tests/integration/targets/helm_repository/tasks/main.yml b/tests/integration/targets/helm_repository/tasks/main.yml index dfd649fe..4f05b227 100644 --- a/tests/integration/targets/helm_repository/tasks/main.yml +++ b/tests/integration/targets/helm_repository/tasks/main.yml 
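Review bot: Both `when:` conditions compare `helm_version` with "v3.16.0" as plain strings, which orders lexicographically; that happens to work for the v3.15.4 / v3.16.0 pair in the loop, but a value such as v3.9.0 (constructed example) would sort as newer than v3.16.0. Use the version test instead: `when: helm_version is version('v3.16.0', '>=')` and `when: helm_version is version('v3.16.0', '<')`. Because the insecure install task sets `ignore_errors: true`, a misclassified version would run the wrong assertion rather than fail loudly. The test only checks that the flag appears in `install.command`; it does not exercise an endpoint with an untrusted certificate.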
@@ -16,6 +16,7 @@ assert: that: - repository is changed + - '"--insecure-skip-tls-verify" not in repository.command' - name: Check idempotency helm_repository: @@ -78,3 +79,23 @@ assert: that: - repository is not changed + +- name: Add test_helm_repo chart repository as insecure + helm_repository: + binary_path: "{{ helm_binary }}" + name: test_helm_repo + repo_url: "{{ chart_test_repo }}" + insecure_skip_tls_verify: true + register: repository + +- name: Assert that repository added and flag set + assert: + that: + - repository is changed + - '"--insecure-skip-tls-verify" in repository.command' + +- name: Clean test_helm_repo chart repository + helm_repository: + binary_path: "{{ helm_binary }}" + name: test_helm_repo + state: absent