Skip to content

Helm chart reconciler tries to login with empty credentials when TLS is set #1902

Closed
#1904
#1903
Closed
Helm chart reconciler tries to login with empty credentials when TLS is set#1902
#1904
#1903
Labels
area/helmHelm related issues and pull requestsbugSomething isn't working
@stefanprodan

Description

@stefanprodan
stefanprodan
opened on Oct 2, 2025

Running the SC tests on my mac shows that we send empty credentials when certSecretRef if set:

=== RUN   TestHelmChartReconciler_reconcileSourceFromOCI_authStrategy/HTTPS_With_CA_cert_only
    helmchart_controller_test.go:2722: 
        Unexpected error:
            <*error.Generic | 0x140010ec240>: 
            failed to login to OCI registry: no credentials username
            {
                Reason: "AuthenticationFailed",
                Err: <*fmt.wrapError | 0x14000fa4220>{
                    msg: "failed to login to OCI registry: no credentials username",
                    err: <*errors.errorString | 0x1400170c3c0>{
                        s: "no credentials username",
                    },
                },
                Config: {Event: "Warning", Log: false, Notification: true, Ignore: false},
            }
        occurred
--- FAIL: TestHelmChartReconciler_reconcileSourceFromOCI_authStrategy/HTTPS_With_CA_cert_only (0.08s)

=== RUN   TestHelmChartReconciler_reconcileSourceFromOCI_authStrategy/HTTPS_With_CA_cert_and_client_cert_auth
    helmchart_controller_test.go:2722: 
        Unexpected error:
            <*error.Generic | 0x140010ed500>: 
            failed to login to OCI registry: no credentials username
            {
                Reason: "AuthenticationFailed",
                Err: <*fmt.wrapError | 0x14000fa57e0>{
                    msg: "failed to login to OCI registry: no credentials username",
                    err: <*errors.errorString | 0x1400170d000>{
                        s: "no credentials username",
                    },
                },
                Config: {Event: "Warning", Log: false, Notification: true, Ignore: false},
            }
        occurred
--- FAIL: TestHelmChartReconciler_reconcileSourceFromOCI_authStrategy/HTTPS_With_CA_cert_and_client_cert_auth (0.08s)

We wrongly append the TLS config here:

source-controller/internal/helm/getter/client_opts.go

Lines 223 to 226 in 326a22a

tlsLoginOpt := registry.TLSLoginOption(certFile, keyFile, caFile)
if tlsLoginOpt != nil {
opts.RegLoginOpts = append(opts.RegLoginOpts, tlsLoginOpt)
}

Then these causes the reconciler to login with empty credentials:

source-controller/internal/helm/getter/client_opts.go

Lines 60 to 64 in 326a22a

// MustLoginToRegistry returns true if the client options contain at least
// one registry login option.
func (o ClientOpts) MustLoginToRegistry() bool {
return len(o.RegLoginOpts) > 0 && o.RegLoginOpts[0] != nil
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/helmHelm related issues and pull requestsbugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions