HelmRepository URL Query Parameter Mangling #1018

Closed
mflanneryii opened this issue Feb 2, 2023 · 1 comment · Fixed by #1015
@mflanneryii

It seems source-controller v0.26.0 and later are doing some query parameter manipulation that breaks using SAS tokens in a HelmRepository URL to access a private Azure Blob.

Example:

```yaml
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: example-helm-repo
  namespace: flux-system
spec:
  interval: 1m0s
  provider: generic
  timeout: 60s
  url: https://(STORAGE ACCOUNT NAME).blob.core.windows.net/helm?(SAS TOKEN)
```

The HelmRepository resource reconciles fine and returns:

```console
$ flux get source helm
NAME               REVISION   SUSPENDED   READY   MESSAGE
example-helm-repo  (SHA)      False       True    stored artifact for revision '(SHA)'
```

HelmReleases referencing this HelmRepository however end up failing:

```console
$ flux get helmrelease -A
NAMESPACE   NAME       REVISION          SUSPENDED   READY   MESSAGE
(NS)        (CHART)    (CHART-VERSION)   False       False   HelmChart 'flux-system/(NS)-(CHART)' is not ready
```

The HelmChart resource itself shows an error wherein the SAS token has been mangled and includes a bunch of !!(MISSING) strings after any spot where there was a urlencoded %(whatever) code and gets a 403 back from Azure: (wordwrapped slightly for readability)

```console
$ flux get source chart
NAME           REVISION   SUSPENDED  READY   MESSAGE
(NS)-(CHART)              False      False   chart pull error: failed to download chart for remote reference: 
                                             failed to fetch https://(STORAGE ACCOUNT NAME).blob \
                                             .core.windows.net/helm/(CHART)-(CHART-VERSION).tgz?(MANGLED SAS) :
                                             403 Server failed to authenticate the request. Make sure the value
                                             of Authorization header is formed correctly including the signature.
```

This exact same configuration works fine on source-controller v0.25.11 and earlier.
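
Added example, not part of the original report and not source-controller's code: `(MISSING)` is the marker Go's `fmt` package writes for a format verb that has no operand, which is what happens when a string containing percent-escapes ends up inside a format string. The page does not show the actual cause or the fix in #1015, so the function names, the account name and the SAS-style query below are constructed assumptions; the block reproduces that failure class and contrasts it with a `net/url` join that leaves the signed query untouched.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Constructed sample: placeholder account name and a fake SAS-style query.
const repoURL = "https://examplestorage.blob.core.windows.net/helm" +
	"?sv=2021-06-08&se=2023-03-01T00%3A00%3A00Z&sig=abc%2Bdef%3D"

// naiveChartURL (hypothetical) lets the repository URL become part of a format
// string, so fmt reads "%3A", "%2B", ... as verbs that have no operand.
func naiveChartURL(repo, chartFile string) string {
	base, query, _ := strings.Cut(repo, "?")
	return fmt.Sprintf(base+"/%s?"+query, chartFile)
}

// safeChartURL (hypothetical) edits only the path of the parsed URL and
// leaves RawQuery, and with it the signed token, byte-for-byte unchanged.
func safeChartURL(repo, chartFile string) (string, error) {
	u, err := url.Parse(repo)
	if err != nil {
		return "", err
	}
	u.Path = path.Join(u.Path, chartFile)
	return u.String(), nil
}

// fmtMangled reports whether s carries fmt's missing-operand marker, a cheap
// check to run on a derived URL before it is sent or written to status.
func fmtMangled(s string) bool {
	return strings.Contains(s, "(MISSING)")
}

func main() {
	bad := naiveChartURL(repoURL, "chart-1.0.0.tgz")
	good, err := safeChartURL(repoURL, "chart-1.0.0.tgz")
	if err != nil {
		panic(err)
	}
	fmt.Println(fmtMangled(bad), bad)
	fmt.Println(fmtMangled(good), good)
}
```

Because a SAS signature covers the exact query values, any byte changed in the token makes the storage service reject the request, which matches the 403 in the report.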

@mflanneryii

Filed as per request from @stefanprodan.

Slack thread: https://cloud-native.slack.com/archives/CLAJ40HV3/p1674684583471219

This is already being worked in #1015
