Allow specifying a custom CA certificate in Bucket API #973
Comments
|
This may be impacted by fluxcd/flux2#3366. |
|
I would say let's put this one on hold until fluxcd/flux2#3366 is addressed. |
makkes
added
hold
|
Are there any chances to get this resolved even that #3366 covers a larger scope? At least for other resources like HelmRepository there have been already a fix but currently I'm missing exactly for this Bucket resource a CA certificate validation (or even a skip of the verification) for a setup where I would store helm chart artifacts within an S3-compatible storage because I don't have access to helm repositories. |
|
In Flux 2.4 we plan to ship Bucket GA so we can get started working on improvements to this API next. We should add PS. @tboerger using a Bucket full of Chart tgz will not work with Flux, you should push the charts to your container registry and use Helm OCI. |
|
I'd like to work on this! |
|
Good to know that it won't work as I was planning to do it. Sadly most charts I want to use aren't published as oci images so far. |
If you are planning on vendoring helm chart tarballs in a private bucket you can probably still do that, but using the HelmChart API instead and something like https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/set-up-a-helm-v3-chart-repository-in-amazon-s3.html. I think you can probably achieve the equivalent of this AWS s3 setup using MinIO, i.e. make it work like a vanilla HTTP helm repo. But if you are taking the time to vendor charts in a private bucket you would probably want to consider vendoring through OCI helm repos instead, the effort is probably on the same scale of vendoring through vanilla HTTP. See this: https://docs.aws.amazon.com/AmazonECR/latest/userguide/push-oci-artifact.html |
stefanprodan
changed the title
As a user that has a custom S3 implementation such as MinIO running in my cluster, I want to be able to use an encrypted connection between s-c and the S3 server. For that to work, I need to be able to define a custom CA certificate in the
caFilefield of the Secret referred to in the.spec.secretRef. Using thecaFilefield is in line with other resources such as GitRepositories and {HelmRepositories](https://fluxcd.io/flux/components/source/helmrepositories/#tls-authentication).The text was updated successfully, but these errors were encountered: