Add helm insecure skip tls verify (#901)

SUMMARY Added the option insecure_skip_tls_verify to the following helm modules: helm_repository helm Unified the option with alias in helm_pull For helm, added the option to the helm diff call, as it got fixed upstream. Upstream Issue: databus23/helm-diff#503 Fixed with: helm/helm#12856 Fixes #694 ISSUE TYPE Bugfix Pull Request COMPONENT NAME kubernetes.core.helm kubernetes.core.helm_repository kubernetes.core.helm_pull ADDITIONAL INFORMATION Basically the option was added in the parameters set in the ansible job, in the docs and then injected in the helm and helm diff binary calls if set. Defaults to False. Example --- - name: Test helm modules tasks: - name: Test helm repository insecure kubernetes.core.helm_repository: name: insecure repo_url: "<helm-repo-with-self-signed-tls>" state: present insecure_skip_tls_verify: true - name: Test helm pull insecure kubernetes.core.helm_pull: chart_ref: "oci://<helm-repo-with-self-signed-tls>/ptroject" destination: /tmp insecure_skip_tls_verify: true - name: Test helm insecure kubernetes.core.helm: name: insecure chart_ref: "oci://<helm-repo-with-self-signed-tls>/project" namespace: helm-insecure-test state: present insecure_skip_tls_verify: true Note Might need an alias for telm_template, as the option is called insecure_registry, in the manual and docs of helm it would be --insecure-skip-tls-verify as well though. Not included, as it was recently merged with #805 Reviewed-by: Yuriy Novostavskiy Reviewed-by: Noah Lehmann Reviewed-by: Bikouo Aubin Reviewed-by: Bianca Henderson <beeankha@gmail.com> Reviewed-by: Mike Graves <mgraves@redhat.com>
2026-03-26 21:33:02 +00:00 · 2025-05-02 18:24:26 +02:00
parent cb2070c93f
commit 914a16ec5c
11 changed files with 217 additions and 65 deletions
--- a/plugins/modules/helm.py
+++ b/plugins/modules/helm.py
@@ -228,6 +228,15 @@ options:
      - mutually exclusive with with C(replace).
    type: int
    version_added: 2.2.0
+  insecure_skip_tls_verify:
+    description:
+      - Skip tls certificate checks for the chart download.
+      - Do not confuse with the C(validate_certs) option.
+      - This option is only available for helm >= 3.16.0.
+    type: bool
+    default: False
+    aliases: [ skip_tls_certs_check ]
+    version_added: 5.3.0
 extends_documentation_fragment:
  - kubernetes.core.helm_common_options
 """
@@ -486,12 +495,15 @@ def run_dep_update(module, chart_ref):
    rc, out, err = module.run_helm_command(dep_update)


-def fetch_chart_info(module, command, chart_ref):
+def fetch_chart_info(module, command, chart_ref, insecure_skip_tls_verify=False):
    """
    Get chart info
    """
    inspect_command = command + f" show chart '{chart_ref}'"

+    if insecure_skip_tls_verify:
+        inspect_command += " --insecure-skip-tls-verify"
+
    rc, out, err = module.run_helm_command(inspect_command)

    return yaml.safe_load(out)
@@ -520,6 +532,7 @@ def deploy(
    reuse_values=None,
    reset_values=True,
    reset_then_reuse_values=False,
+    insecure_skip_tls_verify=False,
 ):
    """
    Install/upgrade/rollback release chart
@@ -571,6 +584,17 @@ def deploy(
    if create_namespace:
        deploy_command += " --create-namespace"

+    if insecure_skip_tls_verify:
+        helm_version = module.get_helm_version()
+        if LooseVersion(helm_version) < LooseVersion("3.16.0"):
+            module.fail_json(
+                msg="insecure_skip_tls_verify requires helm >= 3.16.0, current version is {0}".format(
+                    helm_version
+                )
+            )
+        else:
+            deploy_command += " --insecure-skip-tls-verify"
+
    if values_files:
        for value_file in values_files:
            deploy_command += " --values=" + value_file
@@ -665,6 +689,7 @@ def helmdiff_check(
    reuse_values=None,
    reset_values=True,
    reset_then_reuse_values=False,
+    insecure_skip_tls_verify=False,
 ):
    """
    Use helm diff to determine if a release would change by upgrading a chart.
@@ -717,6 +742,9 @@ def helmdiff_check(
        else:
            cmd += " --reset-then-reuse-values"

+    if insecure_skip_tls_verify:
+        cmd += " --insecure-skip-tls-verify"
+
    rc, out, err = module.run_helm_command(cmd)
    return (len(out.strip()) > 0, out.strip())

@@ -777,6 +805,9 @@ def argument_spec():
            reuse_values=dict(type="bool"),
            reset_values=dict(type="bool", default=True),
            reset_then_reuse_values=dict(type="bool", default=False),
+            insecure_skip_tls_verify=dict(
+                type="bool", default=False, aliases=["skip_tls_certs_check"]
+            ),
        )
    )
    return arg_spec
@@ -830,6 +861,7 @@ def main():
    reuse_values = module.params.get("reuse_values")
    reset_values = module.params.get("reset_values")
    reset_then_reuse_values = module.params.get("reset_then_reuse_values")
+    insecure_skip_tls_verify = module.params.get("insecure_skip_tls_verify")

    if update_repo_cache:
        run_repo_update(module)
@@ -867,7 +899,9 @@ def main():
            helm_cmd += " --repo=" + chart_repo_url

        # Fetch chart info to have real version and real name for chart_ref from archive, folder or url
-        chart_info = fetch_chart_info(module, helm_cmd, chart_ref)
+        chart_info = fetch_chart_info(
+            module, helm_cmd, chart_ref, insecure_skip_tls_verify
+        )

        if dependency_update:
            if chart_info.get("dependencies"):
@@ -927,6 +961,7 @@ def main():
                reuse_values=reuse_values,
                reset_values=reset_values,
                reset_then_reuse_values=reset_then_reuse_values,
+                insecure_skip_tls_verify=insecure_skip_tls_verify,
            )
            changed = True

@@ -953,6 +988,7 @@ def main():
                    reuse_values=reuse_values,
                    reset_values=reset_values,
                    reset_then_reuse_values=reset_then_reuse_values,
+                    insecure_skip_tls_verify=insecure_skip_tls_verify,
                )
                if would_change and module._diff:
                    opt_result["diff"] = {"prepared": prepared}
@@ -989,6 +1025,7 @@ def main():
                    reuse_values=reuse_values,
                    reset_values=reset_values,
                    reset_then_reuse_values=reset_then_reuse_values,
+                    insecure_skip_tls_verify=insecure_skip_tls_verify,
                )
                changed = True

--- a/plugins/modules/helm_pull.py
+++ b/plugins/modules/helm_pull.py
@@ -75,9 +75,10 @@ options:
  skip_tls_certs_check:
    description:
    - Whether or not to check tls certificate for the chart download.
-    - Requires helm >= 3.3.0.
+    - Requires helm >= 3.3.0. Alias C(insecure_skip_tls_verify) added in 5.3.0.
    type: bool
    default: False
+    aliases: [ insecure_skip_tls_verify ]
  chart_devel:
    description:
    - Use development versions, too. Equivalent to version '>0.0.0-0'.
@@ -190,7 +191,9 @@ def main():
            type="str", no_log=True, aliases=["password", "chart_repo_password"]
        ),
        pass_credentials=dict(type="bool", default=False, no_log=False),
-        skip_tls_certs_check=dict(type="bool", default=False),
+        skip_tls_certs_check=dict(
+            type="bool", default=False, aliases=["insecure_skip_tls_verify"]
+        ),
        chart_devel=dict(type="bool"),
        untar_chart=dict(type="bool", default=False),
        destination=dict(type="path", required=True),
--- a/plugins/modules/helm_repository.py
+++ b/plugins/modules/helm_repository.py
@@ -119,6 +119,13 @@ options:
    aliases: [ force ]
    default: False
    version_added: 2.4.0
+  insecure_skip_tls_verify:
+    description:
+      - Skip tls certificate checks for the repository url.
+    type: bool
+    default: False
+    aliases: [ skip_tls_certs_check ]
+    version_added: "5.3.0"
 """

 EXAMPLES = r"""
@@ -226,6 +233,7 @@ def install_repository(
    repository_password,
    pass_credentials,
    force_update,
+    insecure_skip_tls_verify,
 ):
    install_command = command + " repo add " + repository_name + " " + repository_url

@@ -239,6 +247,9 @@ def install_repository(
    if force_update:
        install_command += " --force-update"

+    if insecure_skip_tls_verify:
+        install_command += " --insecure-skip-tls-verify"
+
    return install_command


@@ -262,6 +273,9 @@ def argument_spec():
            ),
            pass_credentials=dict(type="bool", default=False, no_log=True),
            force_update=dict(type="bool", default=False, aliases=["force"]),
+            insecure_skip_tls_verify=dict(
+                type="bool", default=False, aliases=["skip_tls_certs_check"]
+            ),
        )
    )
    return arg_spec
@@ -290,6 +304,7 @@ def main():
    repo_state = module.params.get("repo_state")
    pass_credentials = module.params.get("pass_credentials")
    force_update = module.params.get("force_update")
+    insecure_skip_tls_verify = module.params.get("insecure_skip_tls_verify")

    helm_cmd = module.get_helm_binary()

@@ -308,6 +323,7 @@ def main():
                repo_password,
                pass_credentials,
                force_update,
+                insecure_skip_tls_verify,
            )
            changed = True
        elif repository_status["url"] != repo_url: