Add a temporary credential file for login operation

Signed-off-by: Soule BA <soule@weave.works>
fluxcd · May 10, 2022 · c921cbd · c921cbd
1 parent 0c0095c
commit c921cbd
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 0 deletions.
diff --git a/controllers/helmchart_controller.go b/controllers/helmchart_controller.go
@@ -515,6 +515,19 @@ func (r *HelmChartReconciler) buildFromHelmRepository(ctx context.Context, obj *
 			}
 
 			logOpts := append([]registry.LoginOption{}, logOpt)
+
+			// create a temporary file to store the credentials
+			// this is needed because otherwise the credentials are stored in ~/.docker/config.json.
+			// TODO@souleb: remove this once the registry move to Oras v2
+			// or rework to enable reusing credentials to avoid the unneccessary handshake operations
+			credentialFile, err := os.CreateTemp("", "credentials")
+			if err != nil {
+				return chartRepoErrorReturn(err, obj)
+			}
+			defer os.Remove(credentialFile.Name())
+
+			// set the credentials file to the registry client
+			registry.ClientOptCredentialsFile(credentialFile.Name())(r.RegistryClient)
 			err = ociChartRepo.Login(logOpts...)
 			if err != nil {
 				return chartRepoErrorReturn(err, obj)

diff --git a/controllers/helmrepository_controller_oci.go b/controllers/helmrepository_controller_oci.go
@@ -19,6 +19,7 @@ package controllers
 import (
 	"context"
 	"fmt"
+	"os"
 	"strings"
 	"time"
 
@@ -305,6 +306,21 @@ func (r *HelmRepositoryOCIReconciler) validateSource(ctx context.Context, obj *s
 
 	// Attempt to login to the registry if credentials are provided.
 	if loginOpts != nil {
+		// create a temporary file to store the credentials
+		// this is needed because otherwise the credentials are stored in ~/.docker/config.json.
+		credentialFile, err := os.CreateTemp("", "credentials")
+		if err != nil {
+			e := &serror.Event{
+				Err:    fmt.Errorf("failed to create temporary file: %w", err),
+				Reason: "ValidationError",
+			}
+			conditions.MarkFalse(obj, sourcev1.SourceValidCondition, e.Reason, e.Err.Error())
+			return sreconcile.ResultEmpty, e
+		}
+		defer os.Remove(credentialFile.Name())
+
+		// set the credentials file to the registry client
+		registry.ClientOptCredentialsFile(credentialFile.Name())(r.RegistryClient)
 		err = chartRepo.Login(loginOpts...)
 		if err != nil {
 			e := &serror.Event{

diff --git a/docs/api/source.md b/docs/api/source.md
@@ -848,6 +848,19 @@ references to this object.
 NOTE: Not implemented, provisional as of <a href="https://github.com/fluxcd/flux2/pull/2092">https://github.com/fluxcd/flux2/pull/2092</a></p>
 </td>
 </tr>
+<tr>
+<td>
+<code>type</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Type of the HelmRepository.
+When this field is set to  &ldquo;OCI&rdquo;, the URL field value must be prefixed with &ldquo;oci://&rdquo;.</p>
+</td>
+</tr>
 </table>
 </td>
 </tr>
@@ -2093,6 +2106,19 @@ references to this object.
 NOTE: Not implemented, provisional as of <a href="https://github.com/fluxcd/flux2/pull/2092">https://github.com/fluxcd/flux2/pull/2092</a></p>
 </td>
 </tr>
+<tr>
+<td>
+<code>type</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Type of the HelmRepository.
+When this field is set to  &ldquo;OCI&rdquo;, the URL field value must be prefixed with &ldquo;oci://&rdquo;.</p>
+</td>
+</tr>
 </tbody>
 </table>
 </div>