From 914a16ec5cfb806ccc529d610295c9481da4566b Mon Sep 17 00:00:00 2001 
From: Noah Lehmann <62204532+noahlehmann@users.noreply.github.com> Date: Fri, 2 May 2025 18:24:26 +0200 Subject: [PATCH] Add helm insecure skip tls verify (#901) SUMMARY Added the option insecure_skip_tls_verify to the following helm modules: helm_repository helm Unified the option with alias in helm_pull For helm, added the option to the helm diff call, as it got fixed upstream. Upstream Issue: databus23/helm-diff#503 Fixed with: helm/helm#12856 Fixes #694 ISSUE TYPE Bugfix Pull Request COMPONENT NAME kubernetes.core.helm kubernetes.core.helm_repository kubernetes.core.helm_pull ADDITIONAL INFORMATION Basically the option was added in the parameters set in the ansible job, in the docs and then injected in the helm and helm diff binary calls if set. Defaults to False. Example --- - name: Test helm modules tasks: - name: Test helm repository insecure kubernetes.core.helm_repository: name: insecure repo_url: "" state: present insecure_skip_tls_verify: true - name: Test helm pull insecure kubernetes.core.helm_pull: chart_ref: "oci:///project" destination: /tmp insecure_skip_tls_verify: true - name: Test helm insecure kubernetes.core.helm: name: insecure chart_ref: "oci:///project" namespace: helm-insecure-test state: present insecure_skip_tls_verify: true Note Might need an alias for helm_template, as the option is called insecure_registry, in the manual and docs of helm it would be --insecure-skip-tls-verify as well though.
Not included, as it was recently merged with #805 Reviewed-by: Yuriy Novostavskiy Reviewed-by: Noah Lehmann Reviewed-by: Bikouo Aubin Reviewed-by: Bianca Henderson Reviewed-by: Mike Graves
---
 .../694-add-insecure-skip-tls-verify.yml | 4 +
 plugins/modules/helm.py | 41 +++++-
 plugins/modules/helm_pull.py | 7 +-
 plugins/modules/helm_repository.py | 16 +++
 .../targets/helm/defaults/main.yml | 2 +
 tests/integration/targets/helm/tasks/main.yml | 1 +
 .../targets/helm/tasks/run_test.yml | 3 +
 .../targets/helm/tasks/test_crds.yml | 133 ++++++++++--------
 .../targets/helm/tasks/test_helm_insecure.yml | 52 +++++++
 .../targets/helm_repository/meta/main.yml | 2 +
 .../targets/helm_repository/tasks/main.yml | 21 +++
 11 files changed, 217 insertions(+), 65 deletions(-)
 create mode 100644 changelogs/fragments/694-add-insecure-skip-tls-verify.yml
 create mode 100644 tests/integration/targets/helm/tasks/test_helm_insecure.yml
diff --git a/changelogs/fragments/694-add-insecure-skip-tls-verify.yml b/changelogs/fragments/694-add-insecure-skip-tls-verify.yml
new file mode 100644
index 00000000..08e94a69
--- /dev/null
+++ b/changelogs/fragments/694-add-insecure-skip-tls-verify.yml
@@ -0,0 +1,4 @@
+---
+minor_changes:
+ - helm - add support for ``insecure_skip_tls_verify`` option to helm and
+ helm_repository(https://github.com/ansible-collections/kubernetes.core/issues/694).
diff --git a/plugins/modules/helm.py b/plugins/modules/helm.py
index 548b2724..8940158d 100644
--- a/plugins/modules/helm.py
+++ b/plugins/modules/helm.py
@@ -228,6 +228,15 @@ options: - mutually exclusive with with C(replace). type: int version_added: 2.2.0 + insecure_skip_tls_verify: + description: + - Skip tls certificate checks for the chart download. + - Do not confuse with the C(validate_certs) option. + - This option is only available for helm >= 3.16.0. + type: bool + default: False + aliases: [ skip_tls_certs_check ] + version_added: 5.3.0 extends_documentation_fragment: - kubernetes.core.helm_common_options """
@@ -486,12 +495,15 @@ def run_dep_update(module, chart_ref): rc, out, err = module.run_helm_command(dep_update) -def fetch_chart_info(module, command, chart_ref): +def fetch_chart_info(module, command, chart_ref, insecure_skip_tls_verify=False): """ Get chart info """ inspect_command = command + f" show chart '{chart_ref}'" + if insecure_skip_tls_verify: + inspect_command += " --insecure-skip-tls-verify" + rc, out, err = module.run_helm_command(inspect_command) return yaml.safe_load(out)
@@ -520,6 +532,7 @@ def deploy( reuse_values=None, reset_values=True, reset_then_reuse_values=False, + insecure_skip_tls_verify=False, ): """ Install/upgrade/rollback release chart
@@ -571,6 +584,17 @@ def deploy( if create_namespace: deploy_command += " --create-namespace" + if insecure_skip_tls_verify: + helm_version = module.get_helm_version() + if LooseVersion(helm_version) < LooseVersion("3.16.0"): + module.fail_json( + msg="insecure_skip_tls_verify requires helm >= 3.16.0, current version is {0}".format( + helm_version + ) + ) + else: + deploy_command += " --insecure-skip-tls-verify" + if values_files: for value_file in values_files: deploy_command += " --values=" + value_file
@@ -665,6 +689,7 @@ def helmdiff_check( reuse_values=None, reset_values=True, reset_then_reuse_values=False, + insecure_skip_tls_verify=False, ): """ Use helm diff to determine if a release would change by upgrading a chart.
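Review bot: fetch_chart_info now takes insecure_skip_tls_verify but its docstring is still the bare `Get chart info`, and the flag is appended to `helm show chart` with none of the helm >= 3.16.0 gate that deploy applies in the @@ -571 hunk, even though the option docs in the @@ -228 hunk state that minimum. main() calls fetch_chart_info before deploy (the @@ -867 and @@ -927 hunks), so on an older helm a user gets whatever helm prints for the flag instead of the module's own message; helm_pull's docs in this same patch put the pull-side flag at helm 3.3.0, so `show chart` may well accept it, but that is worth confirming against the v3.15.4 entry added to the test matrix. Suggested docstring: `Return the parsed output of 'helm show chart' for chart_ref. When insecure_skip_tls_verify is true the chart download skips TLS certificate verification (--insecure-skip-tls-verify).`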
@@ -717,6 +742,9 @@ def helmdiff_check( else: cmd += " --reset-then-reuse-values" + if insecure_skip_tls_verify: + cmd += " --insecure-skip-tls-verify" + rc, out, err = module.run_helm_command(cmd) return (len(out.strip()) > 0, out.strip())
@@ -777,6 +805,9 @@ def argument_spec(): reuse_values=dict(type="bool"), reset_values=dict(type="bool", default=True), reset_then_reuse_values=dict(type="bool", default=False), + insecure_skip_tls_verify=dict( + type="bool", default=False, aliases=["skip_tls_certs_check"] + ), ) ) return arg_spec
@@ -830,6 +861,7 @@ def main(): reuse_values = module.params.get("reuse_values") reset_values = module.params.get("reset_values") reset_then_reuse_values = module.params.get("reset_then_reuse_values") + insecure_skip_tls_verify = module.params.get("insecure_skip_tls_verify") if update_repo_cache: run_repo_update(module)
@@ -867,7 +899,9 @@ def main(): helm_cmd += " --repo=" + chart_repo_url # Fetch chart info to have real version and real name for chart_ref from archive, folder or url - chart_info = fetch_chart_info(module, helm_cmd, chart_ref) + chart_info = fetch_chart_info( + module, helm_cmd, chart_ref, insecure_skip_tls_verify + ) if dependency_update: if chart_info.get("dependencies"):
@@ -927,6 +961,7 @@ def main(): reuse_values=reuse_values, reset_values=reset_values, reset_then_reuse_values=reset_then_reuse_values, + insecure_skip_tls_verify=insecure_skip_tls_verify, ) changed = True
@@ -953,6 +988,7 @@ def main(): reuse_values=reuse_values, reset_values=reset_values, reset_then_reuse_values=reset_then_reuse_values, + insecure_skip_tls_verify=insecure_skip_tls_verify, ) if would_change and module._diff: opt_result["diff"] = {"prepared": prepared}
@@ -989,6 +1025,7 @@ def main(): reuse_values=reuse_values, reset_values=reset_values, reset_then_reuse_values=reset_then_reuse_values, + insecure_skip_tls_verify=insecure_skip_tls_verify, ) changed = True
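Review bot: helmdiff_check forwards `--insecure-skip-tls-verify` to `helm diff` with no helm-version gate, while the same flag is gated to helm >= 3.16.0 only inside deploy (the @@ -571 hunk in this file). As far as main() is visible here (the @@ -953 and @@ -989 hunks), helmdiff_check runs before deploy for an existing release, so in check or diff mode on helm < 3.16.0 the run would fail — if the plugin hands the flag to the helm binary, as the linked upstream issues suggest — with the plugin's error rather than the module's `insecure_skip_tls_verify requires helm >= 3.16.0` message that the new integration test asserts on. Doing the check once in main() right after the parameter is read (the @@ -830 hunk) and dropping it from deploy gates fetch_chart_info, helmdiff_check and deploy alike while keeping the error text the test expects.
```python
    insecure_skip_tls_verify = module.params.get("insecure_skip_tls_verify")
    # Check once here: fetch_chart_info, helmdiff_check and deploy all forward
    # the flag, and helmdiff_check runs before deploy for an existing release.
    if insecure_skip_tls_verify:
        helm_version = module.get_helm_version()
        if LooseVersion(helm_version) < LooseVersion("3.16.0"):
            module.fail_json(
                msg="insecure_skip_tls_verify requires helm >= 3.16.0, current version is {0}".format(
                    helm_version
                )
            )
    # … unchanged: update_repo_cache handling and the rest of main() …
```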
diff --git a/plugins/modules/helm_pull.py b/plugins/modules/helm_pull.py
index 943d4c51..b6ec273e 100644
--- a/plugins/modules/helm_pull.py
+++ b/plugins/modules/helm_pull.py
@@ -75,9 +75,10 @@ options: skip_tls_certs_check: description: - Whether or not to check tls certificate for the chart download. - - Requires helm >= 3.3.0. + - Requires helm >= 3.3.0. Alias C(insecure_skip_tls_verify) added in 5.3.0. type: bool default: False + aliases: [ insecure_skip_tls_verify ] chart_devel: description: - Use development versions, too. Equivalent to version '>0.0.0-0'.
@@ -190,7 +191,9 @@ def main(): type="str", no_log=True, aliases=["password", "chart_repo_password"] ), pass_credentials=dict(type="bool", default=False, no_log=False), - skip_tls_certs_check=dict(type="bool", default=False), + skip_tls_certs_check=dict( + type="bool", default=False, aliases=["insecure_skip_tls_verify"] + ), chart_devel=dict(type="bool"), untar_chart=dict(type="bool", default=False), destination=dict(type="path", required=True),
diff --git a/plugins/modules/helm_repository.py b/plugins/modules/helm_repository.py
index 2165e088..fabb83d4 100644
--- a/plugins/modules/helm_repository.py
+++ b/plugins/modules/helm_repository.py
@@ -119,6 +119,13 @@ options: aliases: [ force ] default: False version_added: 2.4.0 + insecure_skip_tls_verify: + description: + - Skip tls certificate checks for the repository url. + type: bool + default: False + aliases: [ skip_tls_certs_check ] + version_added: "5.3.0" """ EXAMPLES = r"""
@@ -226,6 +233,7 @@ def install_repository( repository_password, pass_credentials, force_update, + insecure_skip_tls_verify, ): install_command = command + " repo add " + repository_name + " " + repository_url
@@ -239,6 +247,9 @@ def install_repository( if force_update: install_command += " --force-update" + if insecure_skip_tls_verify: + install_command += " --insecure-skip-tls-verify" + return install_command
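Review bot: helm_pull keeps skip_tls_certs_check as the canonical option name and makes insecure_skip_tls_verify the alias, whereas the helm and helm_repository argument specs in this patch (the @@ -777 and @@ -262 hunks) do the reverse. Either spelling works for callers, but the canonical name is what appears in module.params, invocation output and generated docs, so the same helm flag is now presented under two different primary names across the three modules. Keeping helm_pull's existing name avoids a breaking rename, which is reasonable — say so in the option description, e.g. `- Requires helm >= 3.3.0. Alias C(insecure_skip_tls_verify) added in 5.3.0 to match the helm and helm_repository modules.`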
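Review bot: install_repository's new insecure_skip_tls_verify parameter is positional with no default, unlike fetch_chart_info and deploy in helm.py which default it to False, so any caller other than the one updated in main() (none is visible here) would now raise TypeError; `insecure_skip_tls_verify=False,` keeps the signature backward compatible and consistent with helm.py. The flag is also appended to `helm repo add` without the helm-version gate that deploy applies; if `repo add` has accepted it for longer that is fine, but the option description in the @@ -119 hunk should then state the minimum helm version the way helm.py's does, since a user who hits an unknown-flag error from helm gets no hint from the module.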
@@ -262,6 +273,9 @@ def argument_spec(): ), pass_credentials=dict(type="bool", default=False, no_log=True), force_update=dict(type="bool", default=False, aliases=["force"]), + insecure_skip_tls_verify=dict( + type="bool", default=False, aliases=["skip_tls_certs_check"] + ), ) ) return arg_spec
@@ -290,6 +304,7 @@ def main(): repo_state = module.params.get("repo_state") pass_credentials = module.params.get("pass_credentials") force_update = module.params.get("force_update") + insecure_skip_tls_verify = module.params.get("insecure_skip_tls_verify") helm_cmd = module.get_helm_binary()
@@ -308,6 +323,7 @@ def main(): repo_password, pass_credentials, force_update, + insecure_skip_tls_verify, ) changed = True elif repository_status["url"] != repo_url:
diff --git a/tests/integration/targets/helm/defaults/main.yml b/tests/integration/targets/helm/defaults/main.yml
index 2148766e..a6263619 100644
--- a/tests/integration/targets/helm/defaults/main.yml
+++ b/tests/integration/targets/helm/defaults/main.yml
@@ -3,6 +3,7 @@ helm_default_archive_name: "helm-{{ helm_version }}-{{ ansible_system | lower }} helm_binary: "/tmp/helm/{{ ansible_system | lower }}-amd64/helm" chart_test: "ingress-nginx" +chart_test_oci: "oci://registry-1.docker.io/bitnamicharts/redis" chart_test_local_path: "nginx-ingress" chart_test_version: 4.2.4 chart_test_version_local_path: 1.32.0
@@ -27,3 +28,4 @@ test_namespace: - "helm-reuse-values" - "helm-chart-with-space-into-name" - "helm-reset-then-reuse-values" + - "helm-insecure"
diff --git a/tests/integration/targets/helm/tasks/main.yml b/tests/integration/targets/helm/tasks/main.yml
index 9eb7faea..a5f69a9d 100644
--- a/tests/integration/targets/helm/tasks/main.yml
+++ b/tests/integration/targets/helm/tasks/main.yml
@@ -4,4 +4,5 @@ loop_control: loop_var: helm_version with_items: + - "v3.15.4" - "v3.16.0"
diff --git a/tests/integration/targets/helm/tasks/run_test.yml b/tests/integration/targets/helm/tasks/run_test.yml
index 52212230..01c7f553 100644
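Review bot: The update branch right below the new argument, `elif repository_status["url"] != repo_url:`, still compares only the URL, so changing insecure_skip_tls_verify on a repository that already exists reports no change and leaves the previously stored setting in place. helm records this flag in the repository entry it writes to its repository config, so a repo added once with the flag keeps skipping certificate verification on later `repo update` and chart fetches even after the playbook drops the option — that persistence deserves a line in the option description. If the stored value can be read back (from `helm repo list` output, if it exposes it, or the repository config file), compare it here and re-add with `--force-update` when it differs; at minimum add `# NOTE: only the URL is compared; a changed insecure_skip_tls_verify on an existing repo is not detected` above the elif.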
--- a/tests/integration/targets/helm/tasks/run_test.yml
+++ b/tests/integration/targets/helm/tasks/run_test.yml
@@ -44,6 +44,9 @@ - name: Test Skip CRDS feature in helm chart install include_tasks: test_crds.yml +- name: Test insecure registry flag feature + include_tasks: test_helm_insecure.yml + - name: Clean helm install file: path: "{{ item }}"
diff --git a/tests/integration/targets/helm/tasks/test_crds.yml b/tests/integration/targets/helm/tasks/test_crds.yml
index 0534869b..7c051b3c 100644
--- a/tests/integration/targets/helm/tasks/test_crds.yml
+++ b/tests/integration/targets/helm/tasks/test_crds.yml
@@ -3,78 +3,89 @@ vars: test_chart: "test-crds" helm_namespace: "{{ test_namespace[0] }}" + helm_binary: helm block: - name: Create namespace k8s: kind: Namespace name: "{{ helm_namespace }}" - - name: Copy test chart - copy: - src: "{{ test_chart }}" - dest: "/tmp/helm_test_crds/" - - - name: Install chart while skipping CRDs - helm: - binary_path: "{{ helm_binary }}" - chart_ref: "/tmp/helm_test_crds/{{ test_chart }}" - namespace: "{{ helm_namespace }}" - name: test-crds - skip_crds: true - register: install - - - assert: - that: - - install is changed - - install.status.name == "test-crds" - - - name: Fail to create custom resource - k8s: - definition: - apiVersion: ansible.com/v1 - kind: Foo - metadata: - namespace: "{{ helm_namespace }}" - name: test-foo - foobar: footest + - name: Check if CRD resource is already present + k8s_info: + namespace: default + kind: Foo + api_version: ansible.com/v1 ignore_errors: true - register: result + register: crd_check - - assert: - that: - - result is failed - - "result.msg.startswith('Failed to find exact match for ansible.com/v1.Foo')" + - when: crd_check is failed + block: + - name: Copy test chart + copy: + src: "{{ test_chart }}" + dest: "/tmp/helm_test_crds/" - # Helm won't install CRDs into an existing release, so we need to delete this, first - - name: Uninstall chart - helm: - binary_path: "{{ helm_binary }}" - namespace: "{{ helm_namespace }}" - name: test-crds - state: absent - - - name: Install chart with CRDs - helm: - binary_path: "{{ helm_binary }}" - chart_ref: "/tmp/helm_test_crds/{{ test_chart }}" - namespace: "{{ helm_namespace }}" - name: test-crds - - - name: Create custom resource - k8s: - definition: - apiVersion: ansible.com/v1 - kind: Foo - metadata: + - name: Install chart while skipping CRDs + helm: + binary_path: "{{ helm_binary }}" + chart_ref: "/tmp/helm_test_crds/{{ test_chart }}" namespace: "{{ helm_namespace }}" - name: test-foo - foobar: footest - register: result + name: test-crds + 
skip_crds: true + register: install - - assert: - that: - - result is changed - - result.result.foobar == "footest" + - assert: + that: + - install is changed + - install.status.name == "test-crds" + + - name: Fail to create custom resource + k8s: + definition: + apiVersion: ansible.com/v1 + kind: Foo + metadata: + namespace: "{{ helm_namespace }}" + name: test-foo + foobar: footest + ignore_errors: true + register: result + + - assert: + that: + - result is failed + - "result.msg.startswith('Failed to find exact match for ansible.com/v1.Foo')" + + # Helm won't install CRDs into an existing release, so we need to delete this, first + - name: Uninstall chart + helm: + binary_path: "{{ helm_binary }}" + namespace: "{{ helm_namespace }}" + name: test-crds + state: absent + + - name: Install chart with CRDs + helm: + binary_path: "{{ helm_binary }}" + chart_ref: "/tmp/helm_test_crds/{{ test_chart }}" + namespace: "{{ helm_namespace }}" + name: test-crds + + - name: Create custom resource + k8s: + definition: + apiVersion: ansible.com/v1 + kind: Foo + metadata: + namespace: "{{ helm_namespace }}" + name: test-foo + foobar: footest + register: result + + - assert: + that: + - result is changed + - result.result.foobar == "footest" always: - name: Remove chart diff --git a/tests/integration/targets/helm/tasks/test_helm_insecure.yml b/tests/integration/targets/helm/tasks/test_helm_insecure.yml new file mode 100644 index 00000000..2da16a68 --- /dev/null +++ b/tests/integration/targets/helm/tasks/test_helm_insecure.yml 
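Review bot: The new `helm_binary: helm` under vars shadows the role's helm_binary, which defaults/main.yml (its @@ -3 hunk) points at the versioned /tmp/helm/... binary that tasks/main.yml loops over, so this test now runs whatever helm is first on PATH rather than the v3.15.4/v3.16.0 under test — the helm tasks here pass `binary_path: "{{ helm_binary }}"` and so pick up the override. If it was added to work around a local failure, drop it or add a comment saying why. The new `when: crd_check is failed` guard also skips the entire test whenever the Foo CRD already exists; CRDs are cluster-scoped and the visible always task only removes the chart (the always block runs past the end of this hunk), so the second helm version in the matrix will most likely skip the test — a comment stating that this is intended, or an always task that removes the CRD, would make that explicit.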
@@ -0,0 +1,52 @@ +--- +- name: Test helm insecure + vars: + helm_namespace: "{{ test_namespace[12] }}" + block: + + - name: Initial chart installation (no flag set) + helm: + binary_path: "{{ helm_binary }}" + chart_ref: "{{ chart_test_oci }}" + release_name: test-secure + release_namespace: "{{ helm_namespace }}" + create_namespace: true + register: install + + - name: Validate that insecure flag is not set + assert: + that: + - install is changed + - '"--insecure-skip-tls-verify" not in install.command' + + - name: Initial chart installation (insecure flag set) + helm: + binary_path: "{{ helm_binary }}" + chart_ref: "{{ chart_test_oci }}" + release_name: test-insecure + release_namespace: "{{ helm_namespace }}" + insecure_skip_tls_verify: true + register: install + ignore_errors: true + + - name: Validate that insecure flag IS set if helm version is >= 3.16.0 + assert: + that: + - install is changed + - '"--insecure-skip-tls-verify" in install.command' + when: '"v3.16.0" <= helm_version' + + - name: Validate that feature fails for helm < 3.16.0 + assert: + that: + - install is failed + - '"insecure_skip_tls_verify requires helm >= 3.16.0" in install.msg' + when: 'helm_version < "v3.16.0"' + + always: + - name: Remove helm namespace + k8s: + api_version: v1 + kind: Namespace + name: "{{ helm_namespace }}" + state: absent diff --git a/tests/integration/targets/helm_repository/meta/main.yml b/tests/integration/targets/helm_repository/meta/main.yml index cf4590de..c36db956 100644 --- a/tests/integration/targets/helm_repository/meta/main.yml +++ b/tests/integration/targets/helm_repository/meta/main.yml @@ -1,3 +1,5 @@ --- +collections: + - kubernetes.core dependencies: - install_helm diff --git a/tests/integration/targets/helm_repository/tasks/main.yml b/tests/integration/targets/helm_repository/tasks/main.yml index dfd649fe..4f05b227 100644 --- a/tests/integration/targets/helm_repository/tasks/main.yml +++ b/tests/integration/targets/helm_repository/tasks/main.yml 
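Review bot: `when: '"v3.16.0" <= helm_version'` and `when: 'helm_version < "v3.16.0"'` compare version strings lexically, which happens to be right for the v3.15.4/v3.16.0 matrix but puts a future v3.9.x or v3.100.0 on the wrong side and would then assert the wrong outcome. Use the version test after stripping the prefix, `when: helm_version | regex_replace('^v', '') is version('3.16.0', '>=')`, and the `<` form on the failure assert. Since both asserts carry a `when`, a helm_version matching neither condition ends the test having checked nothing — worth a comment, or an unconditional final assert that exactly one of the two conditions held.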
@@ -16,6 +16,7 @@ assert: that: - repository is changed + - '"--insecure-skip-tls-verify" not in repository.command' - name: Check idempotency helm_repository:
@@ -78,3 +79,23 @@ assert: that: - repository is not changed + +- name: Add test_helm_repo chart repository as insecure + helm_repository: + binary_path: "{{ helm_binary }}" + name: test_helm_repo + repo_url: "{{ chart_test_repo }}" + insecure_skip_tls_verify: true + register: repository + +- name: Assert that repository added and flag set + assert: + that: + - repository is changed + - '"--insecure-skip-tls-verify" in repository.command' + +- name: Clean test_helm_repo chart repository + helm_repository: + binary_path: "{{ helm_binary }}" + name: test_helm_repo + state: absent