Commit d5c5dfc

helmrepo: add docs for .spec.certSecretRef
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
1 parent 8de875f commit d5c5dfc

1 file changed

+30
-6
lines changed


docs/spec/v1beta2/helmrepositories.md

@@ -452,15 +452,39 @@ flux create secret oci ghcr-auth \
452452
--password=${GITHUB_PAT}
453453
```
454454

455-
#### TLS authentication
455+
{{< warning >}}
456+
Support for specifying TLS authentication data using this API has been
457+
deprecated. Please use [`.spec.certSecretRef`](#cert-secret-reference) instead.
458+
If the controller uses the secret specfied by this field to configure TLS, then
459+
a warning message will be logged.
460+
{{< /warning >}}
461+
462+
### Cert secret reference
456463

457464
**Note:** TLS authentication is not yet supported by OCI Helm repositories.
458465

459-
To provide TLS credentials to use while connecting with the Helm repository,
460-
the referenced Secret is expected to contain `.data.certFile` and
461-
`.data.keyFile`, and/or `.data.caFile` values.
466+
`.spec.certSecretRef.name` is an optional field to specify a secret containing TLS
467+
certificate data. The secret can contain the following keys:
462468

463-
For example:
469+
* `certFile` and `keyFile`, to specify the client certificate and private key used for
470+
TLS client authentication. These must be used in conjunction, i.e. specifying one without
471+
the other will lead to an error.
472+
* `caFile`, to specify the CA certificate used to verify the server, which is required
473+
if the server is using a self-signed certificate.
474+
475+
If the server is using a self-signed certificate and has TLS client authentication enabled,
476+
all three values are required.
477+
478+
All the files in the secret are expected to be [PEM-encoded][pem-encoding]. Assuming you have
479+
three files; `client.key`, `client.crt` and `ca.crt` for the client private key, client
480+
certificate and the CA certificate respectively, you can generate the required secret using
481+
the `flux creat secret helm` command:
482+
483+
```sh
484+
flux create secret helm tls --key-file=client.key --cert-file=client.crt --ca-file=ca.crt
485+
```
486+
487+
Example usage:
464488

465489
```yaml
466490
---
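Review bot: Two typos in the added text will reach the rendered docs: "specfied" in the warning block (new line 458) should be "specified", and new line 481 names the command as `flux creat secret helm` while the code block directly below it uses `flux create secret helm`. The `[pem-encoding]` reference-style link on new line 478 needs a matching link definition, and none is added in this hunk; please confirm one exists elsewhere in the file or add it. The warning also says "this API" without naming the field being deprecated, so a reader who lands on it directly cannot tell which field to stop using for TLS data; naming the field explicitly would fix that.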
@@ -472,7 +496,7 @@ metadata:
472496
spec:
473497
interval: 5m0s
474498
url: https://example.com
475-
secretRef:
499+
certSecretRef:
476500
name: example-tls
477501
---
478502
apiVersion: v1
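Review bot: The example references a Secret named `example-tls`, but the `flux create secret helm` command documented just above this example creates one named `tls`; use the same name in both so the two snippets work together as written. Since the warning only deprecates TLS data in the old field, it would also help to state near this example whether `secretRef` remains in use for non-TLS credentials, so readers do not remove it wholesale when they switch to `certSecretRef`.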
