feat: oci repo-creds

Now repository credential templates can be used for OCI repos.

Signed-off-by: Blake Pettersson <[email protected]>

pkg/apis/application/v1alpha1/repository_types.go

@@ -50,6 +50,8 @@ type RepoCreds struct {
 	ForceHttpBasicAuth bool `json:"forceHttpBasicAuth,omitempty" protobuf:"bytes,20,opt,name=forceHttpBasicAuth"`
 	// NoProxy specifies a list of targets where the proxy isn't used, applies only in cases where the proxy is applied
 	NoProxy string `json:"noProxy,omitempty" protobuf:"bytes,23,opt,name=noProxy"`
+	// InsecureOCIForceHttp specifies whether the connection to the repository uses TLS at _all_. If true, no TLS. This flag is applicable for OCI repos only.
+	InsecureOCIForceHttp bool `json:"insecureOCIForceHttp,omitempty" protobuf:"bytes,24,opt,name=insecureOCIForceHttp"`
 }
 
 // Repository is a repository holding application configurations
@@ -197,6 +199,12 @@ func (repo *Repository) CopyCredentialsFrom(source *RepoCreds) {
 		if repo.NoProxy == "" {
 			repo.NoProxy = source.NoProxy
 		}
+		if repo.Type == "" {
+			repo.Type = source.Type
+		}
+
+		repo.EnableOCI = source.EnableOCI
+		repo.InsecureOCIForceHttp = source.InsecureOCIForceHttp
 		repo.ForceHttpBasicAuth = source.ForceHttpBasicAuth
 	}
 }

ui/src/app/settings/components/repos-list/repos-list.tsx

@@ -87,6 +87,7 @@ interface NewSSHRepoCredsParams {
 
 interface NewHTTPSRepoCredsParams {
     url: string;
+    type: string;
     username: string;
     password: string;
     tlsClientCertData: string;
@@ -95,6 +96,7 @@ interface NewHTTPSRepoCredsParams {
     noProxy: string;
     forceHttpBasicAuth: boolean;
     enableOCI: boolean;
+    insecureOCIForceHttp: boolean;
     // write should be true if saving as a write credential.
     write: boolean;
 }
@@ -209,7 +211,8 @@ export class ReposList extends React.Component<
                 return {
                     url:
                         (!httpsValues.url && 'Repository URL is required') ||
-                        (this.credsTemplate && !this.isHTTPSUrl(httpsValues.url) && !httpsValues.enableOCI && 'Not a valid HTTPS URL'),
+                        (this.credsTemplate && !this.isHTTPSUrl(httpsValues.url) && !httpsValues.enableOCI && httpsValues.type != 'oci' && 'Not a valid HTTPS URL') ||
+                        (this.credsTemplate && !this.isOCIUrl(httpsValues.url) && 'Not a valid OCI URL'),
                     name: httpsValues.type === 'helm' && !httpsValues.name && 'Name is required',
                     username: !httpsValues.username && httpsValues.password && 'Username is required if password is given.',
                     password: !httpsValues.password && httpsValues.username && 'Password is required if username is given.',
@@ -274,7 +277,7 @@ export class ReposList extends React.Component<
                 return (params: FormValues) => this.connectSSHRepo(params as NewSSHRepoParams);
             case ConnectionMethod.HTTPS:
                 return (params: FormValues) => {
-                    params.url = params.enableOCI ? this.stripProtocol(params.url) : params.url;
+                    params.url = params.enableOCI && params.type != 'oci' ? this.stripProtocol(params.url) : params.url;
                     return this.connectHTTPSRepo(params as NewHTTPSRepoParams);
                 };
             case ConnectionMethod.GITHUBAPP:
@@ -854,6 +857,15 @@ export class ReposList extends React.Component<
         }
     }
 
+    // Whether url is an oci url (simple version)
+    private isOCIUrl(url: string) {
+        if (url.match(/^oci:\/\/.*$/gi)) {
+            return true;
+        } else {
+            return false;
+        }
+    }
+
     private stripProtocol(url: string) {
         return url.replace('https://', '').replace('oci://', '');
     }
@@ -917,7 +929,8 @@ export class ReposList extends React.Component<
     // Connect a new repository or create a repository credentials for HTTPS repositories
     private async connectHTTPSRepo(params: NewHTTPSRepoParams) {
         if (this.credsTemplate) {
-            this.createHTTPSCreds({
+            await this.createHTTPSCreds({
+                type: params.type,
                 url: params.url,
                 username: params.username,
                 password: params.password,
@@ -927,6 +940,7 @@ export class ReposList extends React.Component<
                 noProxy: params.noProxy,
                 forceHttpBasicAuth: params.forceHttpBasicAuth,
                 enableOCI: params.enableOCI,
+                insecureOCIForceHttp: params.insecureOCIForceHttp,
                 write: params.write
             });
         } else {

ui/src/app/shared/services/repo-service.ts

@@ -104,7 +104,8 @@ export class RepositoriesService {
                 noProxy: q.noProxy,
                 project: q.project,
                 forceHttpBasicAuth: q.forceHttpBasicAuth,
-                enableOCI: q.enableOCI
+                enableOCI: q.enableOCI,
+                insecureOCIForceHttp: q.insecureOCIForceHttp
             })
             .then(res => res.body as models.Repository);
     }
@@ -126,7 +127,8 @@ export class RepositoriesService {
                 noProxy: q.noProxy,
                 project: q.project,
                 forceHttpBasicAuth: q.forceHttpBasicAuth,
-                enableOCI: q.enableOCI
+                enableOCI: q.enableOCI,
+                insecureOCIForceHttp: q.insecureOCIForceHttp
             })
             .then(res => res.body as models.Repository);
     }
@@ -148,7 +150,8 @@ export class RepositoriesService {
                 noProxy: q.noProxy,
                 project: q.project,
                 forceHttpBasicAuth: q.forceHttpBasicAuth,
-                enableOCI: q.enableOCI
+                enableOCI: q.enableOCI,
+                insecureOCIForceHttp: q.insecureOCIForceHttp
             })
             .then(res => res.body as models.Repository);
     }
@@ -170,7 +173,8 @@ export class RepositoriesService {
                 noProxy: q.noProxy,
                 project: q.project,
                 forceHttpBasicAuth: q.forceHttpBasicAuth,
-                enableOCI: q.enableOCI
+                enableOCI: q.enableOCI,
+                insecureOCIForceHttp: q.insecureOCIForceHttp
             })
             .then(res => res.body as models.Repository);
     }

ui/src/app/shared/services/repocreds-service.ts

@@ -7,8 +7,11 @@ export interface HTTPSCreds {
     password: string;
     tlsClientCertData: string;
     tlsClientCertKey: string;
+    type: string;
     proxy: string;
     noProxy: string;
+    enableOCI: boolean;
+    insecureOCIForceHttp: boolean;
 }
 
 export interface SSHCreds {

util/db/repository_secrets.go

@@ -421,6 +421,12 @@ func (s *secretsRepositoryBackend) secretToRepoCred(secret *corev1.Secret) (*app
 	}
 	repository.EnableOCI = enableOCI
 
+	insecureOCIForceHttp, err := boolOrFalse(secret, "insecureOCIForceHttp")
+	if err != nil {
+		return repository, err
+	}
+	repository.InsecureOCIForceHttp = insecureOCIForceHttp
+
 	githubAppID, err := intOrZero(secret, "githubAppID")
 	if err != nil {
 		return repository, err
@@ -452,6 +458,7 @@ func repoCredsToSecret(repoCreds *appsv1.RepoCreds, secret *corev1.Secret) {
 	updateSecretString(secret, "password", repoCreds.Password)
 	updateSecretString(secret, "sshPrivateKey", repoCreds.SSHPrivateKey)
 	updateSecretBool(secret, "enableOCI", repoCreds.EnableOCI)
+	updateSecretBool(secret, "insecureOCIForceHttp", repoCreds.InsecureOCIForceHttp)
 	updateSecretString(secret, "tlsClientCertData", repoCreds.TLSClientCertData)
 	updateSecretString(secret, "tlsClientCertKey", repoCreds.TLSClientCertKey)
 	updateSecretString(secret, "type", repoCreds.Type)