
Add support for repo auth Secret and CA ConfigMap #192

Merged
merged 1 commit into from
May 10, 2023

Conversation

brandond (Member) commented May 6, 2023

  • Update wrangler to v1.1.1
  • Add support for spec.authSecret - should be a secret of type kubernetes.io/basic-auth with the username and password keys set.
  • Add support for spec.repoCAConfigMap. The values of all keys in this ConfigMap will be merged with the value of spec.repoCA, and passed into helm as the --ca-file argument.
  • Move to storing chart values in a Secret instead of ConfigMap, to prevent accidental exposure of confidential information stored in chart ValuesContent.

Linked Issues:
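The third bullet above says the values of every key in spec.repoCAConfigMap are merged with spec.repoCA and handed to helm as a single --ca-file. The following is an added illustration of that merge, not the controller's own code: a hypothetical mergeCABundle helper that concatenates the inline CA and the ConfigMap values in a deterministic order, rejects any non-CERTIFICATE PEM block, drops duplicate DER so a CA present both inline and in the ConfigMap appears once, and fails loudly when CA data was supplied but contained no PEM at all (otherwise helm would be pointed at an empty trust file).

```go
package main

import (
	"crypto/sha256"
	"encoding/pem"
	"fmt"
	"sort"
	"strings"
)

// mergeCABundle builds the one PEM file handed to helm as --ca-file: spec.repoCA
// first, then each repoCAConfigMap key in sorted order. Only CERTIFICATE blocks
// are accepted, duplicate DER is dropped. Hypothetical helper, not the controller's.
func mergeCABundle(repoCA string, cmData map[string]string) (string, int, error) {
	keys := make([]string, 0, len(cmData))
	for k := range cmData {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic order regardless of map iteration
	sources := []string{repoCA}
	for _, k := range keys {
		sources = append(sources, cmData[k])
	}
	seen := map[[32]byte]bool{}
	var out strings.Builder
	count := 0
	for _, src := range sources {
		rest := []byte(src)
		for {
			var block *pem.Block
			if block, rest = pem.Decode(rest); block == nil {
				break // no further PEM blocks in this source
			}
			if block.Type != "CERTIFICATE" {
				return "", 0, fmt.Errorf("unexpected PEM block type %q in CA data", block.Type)
			}
			fp := sha256.Sum256(block.Bytes) // dedupe on DER bytes, not on text
			if seen[fp] {
				continue
			}
			seen[fp] = true
			out.Write(pem.EncodeToMemory(block))
			count++
		}
	}
	if count == 0 && (strings.TrimSpace(repoCA) != "" || len(cmData) > 0) {
		return "", 0, fmt.Errorf("CA data present but contained no PEM blocks")
	}
	return out.String(), count, nil
}
```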

@brandond brandond force-pushed the add_basic_auth branch 2 times, most recently from 6fa35f2 to 80a3fce Compare May 6, 2023 05:21
brandond (Member, Author) commented May 9, 2023

Manifest to test:

---
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  namespace: kube-system
  name: cert-manager
spec:
  targetNamespace: cert-manager
  version: v1.11.0
  chart: cert-manager
  repo: https://charts.jetstack.io
  authSecret:
    name: jetstack-auth
  repoCAConfigMap:
    name: jetstack-ca
  set:
    installCRDs: "true"
---
apiVersion: v1
kind: Secret
metadata:
  namespace: kube-system
  name: jetstack-auth
type: kubernetes.io/basic-auth
stringData:
  username: user
  password: pass
---
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: kube-system
  name: jetstack-ca
data:
  ca.crt: |-
    -----BEGIN CERTIFICATE-----
    MIIDzTCCArWgAwIBAgIQCjeHZF5ftIwiTv0b7RQMPDANBgkqhkiG9w0BAQsFADBa
    MQswCQYDVQQGEwJJRTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJl
    clRydXN0MSIwIAYDVQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTIw
    MDEyNzEyNDgwOFoXDTI0MTIzMTIzNTk1OVowSjELMAkGA1UEBhMCVVMxGTAXBgNV
    BAoTEENsb3VkZmxhcmUsIEluYy4xIDAeBgNVBAMTF0Nsb3VkZmxhcmUgSW5jIEVD
    QyBDQS0zMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEua1NZpkUC0bsH4HRKlAe
    nQMVLzQSfS2WuIg4m4Vfj7+7Te9hRsTJc9QkT+DuHM5ss1FxL2ruTAUJd9NyYqSb
    16OCAWgwggFkMB0GA1UdDgQWBBSlzjfq67B1DpRniLRF+tkkEIeWHzAfBgNVHSME
    GDAWgBTlnVkwgkdYzKz6CFQ2hns6tQRN8DAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0l
    BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8CAQAwNAYI
    KwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5j
    b20wOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL09t
    bmlyb290MjAyNS5jcmwwbQYDVR0gBGYwZDA3BglghkgBhv1sAQEwKjAoBggrBgEF
    BQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzALBglghkgBhv1sAQIw
    CAYGZ4EMAQIBMAgGBmeBDAECAjAIBgZngQwBAgMwDQYJKoZIhvcNAQELBQADggEB
    AAUkHd0bsCrrmNaF4zlNXmtXnYJX/OvoMaJXkGUFvhZEOFp3ArnPEELG4ZKk40Un
    +ABHLGioVplTVI+tnkDB0A+21w0LOEhsUCxJkAZbZB2LzEgwLt4I4ptJIsCSDBFe
    lpKU1fwg3FZs5ZKTv3ocwDfjhUkV+ivhdDkYD7fa86JXWGBPzI6UAPxGezQxPk1H
    goE6y/SJXQ7vTQ1unBuCJN0yJV0ReFEQPaA1IwQvZW+cwdFD19Ae8zFnWSfda9J1
    CZMRJCQUzym+5iPDuI9yP+kHyCREU3qzuWFloUwOxkgAyXVjBYdwRVKD05WdRerw
    6DEdfgkfCv4+3ao8XnTSrLE=
    -----END CERTIFICATE-----

Logs from pulling from a local repo that requires auth:

if [[ ${KUBERNETES_SERVICE_HOST} =~ .*:.* ]]; then
	echo "KUBERNETES_SERVICE_HOST is using IPv6"
	CHART="${CHART//%\{KUBERNETES_API\}%/[${KUBERNETES_SERVICE_HOST}]:${KUBERNETES_SERVICE_PORT}}"
else
	CHART="${CHART//%\{KUBERNETES_API\}%/${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}}"
fi

set +v -x
+ [[ '' != \t\r\u\e ]]
+ export HELM_HOST=127.0.0.1:44134
+ HELM_HOST=127.0.0.1:44134
+ helm_v2 init --skip-refresh --client-only --stable-repo-url https://charts.helm.sh/stable/
+ tiller --listen=127.0.0.1:44134 --storage=secret
Creating /home/klipper-helm/.helm
Creating /home/klipper-helm/.helm/repository
Creating /home/klipper-helm/.helm/repository/cache
Creating /home/klipper-helm/.helm/repository/local
Creating /home/klipper-helm/.helm/plugins
Creating /home/klipper-helm/.helm/starters
Creating /home/klipper-helm/.helm/cache/archive
Creating /home/klipper-helm/.helm/repository/repositories.yaml
Adding stable repo with URL: https://charts.helm.sh/stable/
Adding local repo with URL: http://127.0.0.1:8879/charts
$HELM_HOME has been configured at /home/klipper-helm/.helm.
Not installing Tiller due to 'client-only' flag having been set
[main] 2023/05/10 18:19:26 Starting Tiller v2.17.0 (tls=false)
[main] 2023/05/10 18:19:26 GRPC listening on 127.0.0.1:44134
[main] 2023/05/10 18:19:26 Probes listening on :44135
[main] 2023/05/10 18:19:26 Storage driver is Secret
[main] 2023/05/10 18:19:26 Max history per release is 0
++ timeout -s KILL 30 helm_v2 ls --all '^cert-manager$' --output json
++ jq -r '.Releases | length'
[storage] 2023/05/10 18:19:26 listing all releases with filter
+ V2_CHART_EXISTS=
+ [[ '' == \1 ]]
+ [[ v3 == \v\2 ]]
+ shopt -s nullglob
+ [[ -f /config/ca-file.pem ]]
+ for CA_FILE in ${CA_DIR}/*
+ echo
+ cat /ca-files/ca.crt
+ [[ -f /tmp/ca-file.pem ]]
+ CA_FILE_ARG='--ca-file /tmp/ca-file.pem'
+ [[ -n '' ]]
+ helm_content_decode
+ set -e
+ ENC_CHART_PATH=/chart/cert-manager.tgz.base64
+ CHART_PATH=/tmp/cert-manager.tgz
+ [[ ! -f /chart/cert-manager.tgz.base64 ]]
+ return
+ [[ install != \d\e\l\e\t\e ]]
+ helm_repo_init
+ grep -q -e 'https\?://'
+ [[ helm_v3 == \h\e\l\m\_\v\3 ]]
+ [[ cert-manager/x/y/cert-manager == stable/* ]]
+ [[ -n http://172.17.0.3:8080 ]]
+ [[ -f /auth/username ]]
+ [[ -f /auth/password ]]
+ [[ helm_v3 == \h\e\l\m\_\v\2 ]]
+ [[ true == \t\r\u\e ]]
+ PASS_CREDENTIALS_ARG=--pass-credentials
+ cat /auth/password
++ cat /auth/username
+ helm_v3 repo add --ca-file /tmp/ca-file.pem --pass-credentials --username user --password-stdin cert-manager http://172.17.0.3:8080
"cert-manager" has been added to your repositories
+ helm_v3 repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "cert-manager" chart repository
Update Complete. ⎈Happy Helming!⎈
+ helm_update install --namespace cert-manager --version v1.11.0 --set installCRDs=true
+ [[ helm_v3 == \h\e\l\m\_\v\3 ]]
++ helm_v3 ls --all -f '^cert-manager$' --namespace cert-manager --output json
++ jq -r '"\(.[0].app_version),\(.[0].status)"'
++ tr '[:upper:]' '[:lower:]'
+ LINE=null,null
+ IFS=,
+ read -r INSTALLED_VERSION STATUS _
+ VALUES=
+ [[ install = \d\e\l\e\t\e ]]
+ [[ null =~ ^(|null)$ ]]
+ [[ null =~ ^(|null)$ ]]
+ echo 'Installing helm_v3 chart'
+ helm_v3 install --namespace cert-manager --version v1.11.0 --set installCRDs=true cert-manager cert-manager/x/y/cert-manager --ca-file /tmp/ca-file.pem
NAME: cert-manager
LAST DEPLOYED: Wed May 10 18:19:26 2023
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
cert-manager v1.11.0 has been deployed successfully!

In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).

More information on the different types of issuers and how to configure them
can be found in our documentation:

https://cert-manager.io/docs/configuration/

For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:

https://cert-manager.io/docs/usage/ingress/
+ exit

Also moves to storing chart values in a Secret instead of ConfigMap, to prevent accidental exposure of confidential information.

Signed-off-by: Brad Davidson <[email protected]>
@@ -355,6 +357,11 @@ func job(chart *v1.HelmChart) (*batch.Job, *corev1.ConfigMap, *corev1.ConfigMap)
targetNamespace = chart.Spec.TargetNamespace
}

chartName := chart.Spec.Chart
if chart.Spec.Repo != "" {
chartName = chart.Name + "/" + chart.Spec.Chart
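Review bot: the reason for the `chart.Name + "/" + chart.Spec.Chart` prefix at the end of this hunk is non-obvious and currently lives only in the PR discussion; add a code comment on that line stating that the repo is added under `chart.Name` and that helm only applies the credentials from `repo add` when the chart is referenced as `repo/chart`, so a future reader does not "simplify" it back to a bare chart name plus `--repo`.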
brandond (Member, Author):

This seems a bit confusing, but it works with how the klipper-helm script installs the chart.

  1. The chart repo is added using chart.Name as the repo name.
  2. The chart needs to be referenced as repo/chart in order for credentials specified when the repo is added to be used when installing or updating the chart. If the chart is referenced without a repo/ prefix, but with the bare repo URL passed in the --repo flag, the credentials will not be used.

@@ -566,9 +580,6 @@ func args(chart *v1.HelmChart) []string {
if spec.TargetNamespace != "" {
args = append(args, "--namespace", spec.TargetNamespace)
}
if spec.Repo != "" {
args = append(args, "--repo", spec.Repo)
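Review bot: the extraction has dropped the `-` markers here, but the header (`-566,9 +580,6`) shows the `--repo` lines are being removed, which means `spec.Repo` now reaches helm only through the repo added under `chart.Name` in `job()`; since that is a silent behaviour change (chart resolution via a named repo instead of a URL flag), a one-line comment at this site pointing to `job()` would tie the two halves of the change together.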
brandond (Member, Author) commented May 10, 2023

see above - we are now prefixing the repo name instead of passing the URL as a flag.

I suspect that because we were always passing this flag, the repo definition that we added with helm repo add was never being used at all.
