Add plain_http parameter to helm, helm_pull and helm_template

.github/workflows/integration-tests.yaml

@@ -145,9 +145,11 @@ jobs:
           source_path: ${{ env.community_general }}
 
       - name: create kubernetes cluster
+        id: kind
         uses: helm/[email protected]
         with:
           node_image: "kindest/node:v1.29.2"
+          registry: true
 
       - name: Run integration tests
         uses: ansible-network/github_actions/.github/actions/ansible_test_integration@main

changelogs/fragments/20250522-add-plain-http-for-oci-registries.yaml

@@ -0,0 +1,4 @@
+minor_changes:
+  -  helm - Parameter plain_http added for working with insecure OCI registries (https://github.com/ansible-collections/kubernetes.core/pull/934).
+  -  helm_pull - Parameter plain_http added for working with insecure OCI registries (https://github.com/ansible-collections/kubernetes.core/pull/934).
+  -  helm_template - Parameter plain_http added for working with insecure OCI registries (https://github.com/ansible-collections/kubernetes.core/pull/934).

docs/kubernetes.core.helm_module.rst

@@ -693,6 +693,26 @@ Parameters
                         <div>The use of <em>wait_timeout</em> to wait for kubernetes commands to complete has been deprecated and will be removed after 2022-12-01.</div>
                 </td>
             </tr>
+            <tr>
+              <td colspan="2">
+                  <div class="ansibleOptionAnchor" id="parameter-"></div>
+                  <b>plain_http</b>
+                  <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a>
+                  <div style="font-size: small">
+                      <span style="color: purple">boolean</span>
+                  </div>
+                  <div style="font-style: italic; font-size: small; color: darkgreen">added in 5.1.0</div>
+              </td>
+              <td>
+                      <ul style="margin: 0; padding: 0"><b>Choices:</b>
+                                  <li><div style="color: blue"><b>no</b>&nbsp;&larr;</div></li>
+                                  <li>yes</li>
+                      </ul>
+              </td>
+              <td>
+                      <div>Use HTTP instead of HTTPS when working with OCI registries</div>
+              </td>
+            </tr>
     </table>
     <br/>
 

docs/kubernetes.core.helm_pull_module.rst

@@ -335,6 +335,26 @@ Parameters
                         <div>location of public keys used for verification.</div>
                 </td>
             </tr>
+            <tr>
+              <td colspan="2">
+                  <div class="ansibleOptionAnchor" id="parameter-"></div>
+                  <b>plain_http</b>
+                  <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a>
+                  <div style="font-size: small">
+                      <span style="color: purple">boolean</span>
+                  </div>
+                  <div style="font-style: italic; font-size: small; color: darkgreen">added in 5.1.0</div>
+              </td>
+              <td>
+                      <ul style="margin: 0; padding: 0"><b>Choices:</b>
+                                  <li><div style="color: blue"><b>no</b>&nbsp;&larr;</div></li>
+                                  <li>yes</li>
+                      </ul>
+              </td>
+              <td>
+                      <div>Use HTTP instead of HTTPS when working with OCI registries</div>
+              </td>
+            </tr>
     </table>
     <br/>
 

docs/kubernetes.core.helm_template_module.rst

@@ -361,6 +361,26 @@ Parameters
                         <div>Paths are evaluated in the order the paths are specified.</div>
                 </td>
             </tr>
+            <tr>
+              <td colspan="2">
+                  <div class="ansibleOptionAnchor" id="parameter-"></div>
+                  <b>plain_http</b>
+                  <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a>
+                  <div style="font-size: small">
+                      <span style="color: purple">boolean</span>
+                  </div>
+                  <div style="font-style: italic; font-size: small; color: darkgreen">added in 5.1.0</div>
+              </td>
+              <td>
+                      <ul style="margin: 0; padding: 0"><b>Choices:</b>
+                                  <li><div style="color: blue"><b>no</b>&nbsp;&larr;</div></li>
+                                  <li>yes</li>
+                      </ul>
+              </td>
+              <td>
+                      <div>Use HTTP instead of HTTPS when working with OCI registries</div>
+              </td>
+            </tr>
     </table>
     <br/>
 

plugins/modules/helm.py

@@ -237,6 +237,13 @@
     default: False
     aliases: [ skip_tls_certs_check ]
     version_added: 5.3.0
+  plain_http:
+    description:
+      - Use HTTP instead of HTTPS when working with OCI registries
+      - Requires Helm >= 3.13.0
+    type: bool
+    default: False
+    version_added: 6.1.0
 extends_documentation_fragment:
   - kubernetes.core.helm_common_options
 """
@@ -319,6 +326,12 @@
     chart_ref: "https://github.com/grafana/helm-charts/releases/download/grafana-5.6.0/grafana-5.6.0.tgz"
     release_namespace: monitoring
 
+- name: Deploy Bitnami's MongoDB latest chart from OCI registry
+  kubernetes.core.helm:
+    name: test
+    chart_ref: "oci://registry-1.docker.io/bitnamicharts/mongodb"
+    release_namespace: database
+
 # Using complex Values
 - name: Deploy new-relic client chart
   kubernetes.core.helm:
@@ -495,7 +508,9 @@ def run_dep_update(module, chart_ref):
     rc, out, err = module.run_helm_command(dep_update)
 
 
-def fetch_chart_info(module, command, chart_ref, insecure_skip_tls_verify=False):
+def fetch_chart_info(
+    module, command, chart_ref, insecure_skip_tls_verify=False, plain_http=False
+):
     """
     Get chart info
     """
@@ -504,6 +519,17 @@ def fetch_chart_info(module, command, chart_ref, insecure_skip_tls_verify=False)
     if insecure_skip_tls_verify:
         inspect_command += " --insecure-skip-tls-verify"
 
+    if plain_http:
+        helm_version = module.get_helm_version()
+        if LooseVersion(helm_version) < LooseVersion("3.13.0"):
+            module.fail_json(
+                msg="plain_http requires helm >= 3.13.0, current version is {0}".format(
+                    helm_version
+                )
+            )
+        else:
+            inspect_command += " --plain-http"
+
     rc, out, err = module.run_helm_command(inspect_command)
 
     return yaml.safe_load(out)
@@ -533,6 +559,7 @@ def deploy(
     reset_values=True,
     reset_then_reuse_values=False,
     insecure_skip_tls_verify=False,
+    plain_http=False,
 ):
     """
     Install/upgrade/rollback release chart
@@ -595,6 +622,17 @@ def deploy(
         else:
             deploy_command += " --insecure-skip-tls-verify"
 
+    if plain_http:
+        helm_version = module.get_helm_version()
+        if LooseVersion(helm_version) < LooseVersion("3.13.0"):
+            module.fail_json(
+                msg="plain_http requires helm >= 3.13.0, current version is {0}".format(
+                    helm_version
+                )
+            )
+        else:
+            deploy_command += " --plain-http"
+
     if values_files:
         for value_file in values_files:
             deploy_command += " --values=" + value_file
@@ -690,6 +728,7 @@ def helmdiff_check(
     reset_values=True,
     reset_then_reuse_values=False,
     insecure_skip_tls_verify=False,
+    plain_http=False,
 ):
     """
     Use helm diff to determine if a release would change by upgrading a chart.
@@ -745,6 +784,17 @@ def helmdiff_check(
     if insecure_skip_tls_verify:
         cmd += " --insecure-skip-tls-verify"
 
+    if plain_http:
+        helm_version = module.get_helm_version()
+        if LooseVersion(helm_version) < LooseVersion("3.13.0"):
+            module.fail_json(
+                msg="plain_http requires helm >= 3.13.0, current version is {0}".format(
+                    helm_version
+                )
+            )
+        else:
+            cmd += " --plain-http"
+
     rc, out, err = module.run_helm_command(cmd)
     return (len(out.strip()) > 0, out.strip())
 
@@ -808,6 +858,7 @@ def argument_spec():
             insecure_skip_tls_verify=dict(
                 type="bool", default=False, aliases=["skip_tls_certs_check"]
             ),
+            plain_http=dict(type="bool", default=False),
         )
     )
     return arg_spec
@@ -862,6 +913,7 @@ def main():
     reset_values = module.params.get("reset_values")
     reset_then_reuse_values = module.params.get("reset_then_reuse_values")
     insecure_skip_tls_verify = module.params.get("insecure_skip_tls_verify")
+    plain_http = module.params.get("plain_http")
 
     if update_repo_cache:
         run_repo_update(module)
@@ -900,7 +952,7 @@ def main():
 
         # Fetch chart info to have real version and real name for chart_ref from archive, folder or url
         chart_info = fetch_chart_info(
-            module, helm_cmd, chart_ref, insecure_skip_tls_verify
+            module, helm_cmd, chart_ref, insecure_skip_tls_verify, plain_http
         )
 
         if dependency_update:
@@ -962,6 +1014,7 @@ def main():
                 reset_values=reset_values,
                 reset_then_reuse_values=reset_then_reuse_values,
                 insecure_skip_tls_verify=insecure_skip_tls_verify,
+                plain_http=plain_http,
             )
             changed = True
 
@@ -989,6 +1042,7 @@ def main():
                     reset_values=reset_values,
                     reset_then_reuse_values=reset_then_reuse_values,
                     insecure_skip_tls_verify=insecure_skip_tls_verify,
+                    plain_http=plain_http,
                 )
                 if would_change and module._diff:
                     opt_result["diff"] = {"prepared": prepared}
@@ -1026,6 +1080,7 @@ def main():
                     reset_values=reset_values,
                     reset_then_reuse_values=reset_then_reuse_values,
                     insecure_skip_tls_verify=insecure_skip_tls_verify,
+                    plain_http=plain_http,
                 )
                 changed = True
 

plugins/modules/helm_pull.py

@@ -114,6 +114,13 @@
       - The path of a helm binary to use.
     required: false
     type: path
+  plain_http:
+    description:
+      - Use HTTP instead of HTTPS when working with OCI registries
+      - Requires Helm >= 3.13.0
+    type: bool
+    default: False
+    version_added: 6.1.0
 """
 
 EXAMPLES = r"""
@@ -201,6 +208,7 @@ def main():
         chart_ssl_cert_file=dict(type="path"),
         chart_ssl_key_file=dict(type="path"),
         binary_path=dict(type="path"),
+        plain_http=dict(type="bool", default=False),
     )
     module = AnsibleHelmModule(
         argument_spec=argspec,
@@ -225,6 +233,7 @@ def main():
         chart_ca_cert="3.1.0",
         chart_ssl_cert_file="3.1.0",
         chart_ssl_key_file="3.1.0",
+        plain_http="3.13.0",
     )
 
     def test_version_requirement(opt):
@@ -264,6 +273,7 @@ def test_version_requirement(opt):
         skip_tls_certs_check=dict(key="insecure-skip-tls-verify"),
         chart_devel=dict(key="devel"),
         untar_chart=dict(key="untar"),
+        plain_http=dict(key="plain_http"),
     )
 
     for k, v in helm_flag_args.items():

plugins/modules/helm_template.py

@@ -147,6 +147,13 @@
           - json
           - file
     version_added: 2.4.0
+  plain_http:
+    description:
+      - Use HTTP instead of HTTPS when working with OCI registries
+      - Requires Helm >= 3.13.0
+    type: bool
+    default: False
+    version_added: 6.1.0
 """
 
 EXAMPLES = r"""
@@ -236,6 +243,7 @@ def template(
     values_files=None,
     include_crds=False,
     set_values=None,
+    plain_http=False,
 ):
     cmd += " template "
 
@@ -262,6 +270,17 @@ def template(
     if insecure_registry:
         cmd += " --insecure-skip-tls-verify"
 
+    if plain_http:
+        helm_version = module.get_helm_version()
+        if LooseVersion(helm_version) < LooseVersion("3.13.0"):
+            module.fail_json(
+                msg="plain_http requires helm >= 3.13.0, current version is {0}".format(
+                    helm_version
+                )
+            )
+        else:
+            cmd += " --plain-http"
+
     if show_only:
         for template in show_only:
             cmd += " -s " + template
@@ -307,6 +326,7 @@ def main():
             values_files=dict(type="list", default=[], elements="str"),
             update_repo_cache=dict(type="bool", default=False),
             set_values=dict(type="list", elements="dict"),
+            plain_http=dict(type="bool", default=False),
         ),
         supports_check_mode=True,
     )
@@ -327,6 +347,7 @@ def main():
     values_files = module.params.get("values_files")
     update_repo_cache = module.params.get("update_repo_cache")
     set_values = module.params.get("set_values")
+    plain_http = module.params.get("plain_http")
 
     if not IMP_YAML:
         module.fail_json(msg=missing_required_lib("yaml"), exception=IMP_YAML_ERR)
@@ -357,6 +378,7 @@ def main():
         values_files=values_files,
         include_crds=include_crds,
         set_values=set_values_args,
+        plain_http=plain_http,
     )
 
     if not check_mode:

tests/integration/targets/helm/defaults/main.yml

@@ -4,6 +4,7 @@ helm_binary: "/tmp/helm/{{ ansible_system | lower }}-amd64/helm"
 
 chart_test: "ingress-nginx"
 chart_test_oci: "oci://registry-1.docker.io/bitnamicharts/redis"
+chart_test_oci_insecure: "oci://localhost:5000/charts"
 chart_test_local_path: "nginx-ingress"
 chart_test_version: 4.2.4
 chart_test_version_local_path: 1.32.0
@@ -29,3 +30,4 @@ test_namespace:
   - "helm-chart-with-space-into-name"
   - "helm-reset-then-reuse-values"
   - "helm-insecure"
+  - "helm-plain-http"