validate_certs=no not work in helm module

[cc3630]

SUMMARY

install oci chart from our self-built harbor registry with validate_certs=no, but show erros.
It is success to use helm cli directly with --insecure-skip-tls-verify

# error
tls: failed to verify certificate: x509: “harbor.example.com” certificate is not trusted"

ISSUE TYPE

• Bug Report

COMPONENT NAME

helm module

ANSIBLE VERSION

ansible              9.2.0
ansible-core         2.16.3

COLLECTION VERSION

kubernetes.core                          3.0.1

[noahlehmann]

I get the same error with the helm module when referencing a self hosted harbor registry in our test environment.
However the module documentation says:
validate_certs: 'Whether or not to verify the API server’s SSL certificates. Can also be specified via K8S_AUTH_VERIFY_SSL environment variable.'

I interpret this to be the connection to the k8s API only, not any other resources connected to via helm or k8s.

Retrying the commands ansible logs on the server directly does indeed show, that helm tries to contact the oci address without any 'insecure' flags. Example:

helm show chart 'oci://<url>/repo'

results in:

Error: failed to do request: Head "https://<url>/v2/<path>/manifests/<tag>": tls: failed to verify certificate: x509: certificate signed by unknown authority

Which is the expected behaviour.

I would rather mark this thread as feature request, as you cannot set the --insecure-skip-tls-verify flag via the ansible module as far as I have seen. This makes the module unusable in this scenario.

Doing this would result in the following:

helm show chart 'oci://<url>/repor' --insecure-skip-tls-verify

output:

Pulled: <url>/repo:tag
Digest: sha256:xxxxxxxxxxxxxxxxx
apiVersion: xx
appVersion: xxxx
description: xxxxxxxxxxxxx
name: xxxxxx
type: application

EDIT: Looking at the code, I would be happy to supply a pull request, as it seems quite easy to integrate on first glance, however for this I would need some time. Let me know, if I can help.

[gravesm]

@noahlehmann If you would like to submit a PR, we can review it. Thanks for being willing to contribute to this collection!

[noahlehmann]

@gravesm, will do, thanks for the reply.
I found that the flag is missing in some other places as well, would the correct way be to limit the PR to the issue it addresses or also add the functionality in the other places? Total files changed would be 4.

Would appreciate your advise, this would be my first contribution.

[gravesm]

With 4 files, I would just bundle those changes into one PR. They're all addressing the same issue and it shouldn't be too big.

[noahlehmann]

Currently have a finished implementation for review done, but will need to wait for helm diff upstream issue to be resolved and merged.

helm 3.10.0 helm diff --insecure-skip-tls-verify Error: unknown flag: --insecure-skip-tls-verify #503.

Will add the PR as draft if this helps for first feedback @gravesm.

For anyone stumbling upon this add the self signed cert of the repo to the trusted certs of the host running the helm tasks for now, e.g. in ubuntu:

cp self-signed.crt /usr/local/share/ca-certificates
update-ca-certificates

Might be the safer solution anyways.