From 36d590eb3eff814d4a7d752fdfdd1f74affb2ae8 Mon Sep 17 00:00:00 2001
From: tfwang
Date: Tue, 18 Oct 2022 23:45:40 +0800
Subject: [PATCH] fix pull oci chart with --insecure-skip-tls-verify

Signed-off-by: tfwang
---
 cmd/helm/pull.go | 6 ++++++
 pkg/getter/ocigetter.go | 6 ++++++
 pkg/registry/client.go | 36 ++++++++++++++++++++++++++++++++----
 3 files changed, 44 insertions(+), 4 deletions(-)

diff --git a/cmd/helm/pull.go b/cmd/helm/pull.go
index 37830119605..7f76a1f64f2 100644
--- a/cmd/helm/pull.go
+++ b/cmd/helm/pull.go
@@ -94,5 +94,11 @@ func newPullCmd(cfg *action.Configuration, out io.Writer) *cobra.Command {
 log.Fatal(err)
 }

+ if client.InsecureSkipTLSverify {
+ if err := cfg.RegistryClient.WithInsecureResolver(); err != nil {
+ log.Fatal(err)
+ }
+ }
+
 return cmd
 }
diff --git a/pkg/getter/ocigetter.go b/pkg/getter/ocigetter.go
index 14f5cb3ecd0..5c17476cd03 100644
--- a/pkg/getter/ocigetter.go
+++ b/pkg/getter/ocigetter.go
@@ -39,6 +39,12 @@ func (g *OCIGetter) Get(href string, options ...Option) (*bytes.Buffer, error) {
 func (g *OCIGetter) get(href string) (*bytes.Buffer, error) {
 client := g.opts.registryClient

+ if g.opts.insecureSkipVerifyTLS {
+ if err := client.WithInsecureResolver(); err != nil {
+ return nil, err
+ }
+ }
+
 ref := strings.TrimPrefix(href, fmt.Sprintf("%s://", registry.OCIScheme))

 var pullOpts []registry.PullOption
diff --git a/pkg/registry/client.go b/pkg/registry/client.go
index c1004f9564b..c2bbed366b5 100644
--- a/pkg/registry/client.go
+++ b/pkg/registry/client.go
@@ -18,6 +18,7 @@ package registry // import "helm.sh/helm/v3/pkg/registry"

 import (
 "context"
+ "crypto/tls"
 "encoding/json"
 "fmt"
 "io"
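Review bot: In cmd/helm/pull.go the new `if client.InsecureSkipTLSverify` check sits in the body of newPullCmd directly before `return cmd`, so it appears to run while the command is being constructed, before cobra has parsed `--insecure-skip-tls-verify`. If so, the field still holds its default and the block never fires, leaving the flag without effect on this path. The rest of newPullCmd is outside the hunk, so this is inferred from the hunk position. If it holds, the check belongs in the command's run path after flag parsing, returning the error instead of calling `log.Fatal(err)`.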
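Review bot: In pkg/getter/ocigetter.go, `client.WithInsecureResolver()` is called on the shared `g.opts.registryClient`, and per the pkg/registry/client.go hunk it reassigns `c.resolver` with nothing restoring the verifying resolver afterwards. One `get` with `insecureSkipVerifyTLS` set therefore leaves every later pull through the same client unverified too, including pulls from other registries and any credentials the authorizer attaches to them. Prefer scoping the insecure resolver to this call, for example a per-call resolver or a separate client built for the insecure getter, instead of mutating shared state. At minimum a comment such as `// NOTE: switches the shared registry client to an unverified resolver for the rest of its lifetime` should mark the side effect. get's body continues outside the hunk.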
@@ -87,10 +88,7 @@ func NewClient(options ...ClientOption) (*Client, error) {
 client.authorizer = authClient
 }
 if client.resolver == nil {
- headers := http.Header{}
- headers.Set("User-Agent", version.GetUserAgent())
- opts := []auth.ResolverOption{auth.WithResolverHeaders(headers)}
- resolver, err := client.authorizer.ResolverWithOpts(opts...)
+ resolver, err := client.newResolver(false)
 if err != nil {
 return nil, err
 }
@@ -138,6 +136,36 @@ func NewClient(options ...ClientOption) (*Client, error) {
 return client, nil
 }

+func (c *Client) newResolver(insecure bool) (remotes.Resolver, error) {
+ headers := http.Header{}
+ headers.Set("User-Agent", version.GetUserAgent())
+ opts := []auth.ResolverOption{auth.WithResolverHeaders(headers)}
+
+ if insecure {
+ insecureClient := &http.Client{
+ Transport: &http.Transport{
+ DisableCompression: true,
+ Proxy: http.ProxyFromEnvironment,
+ TLSClientConfig: &tls.Config{
+ InsecureSkipVerify: true,
+ },
+ },
+ }
+ opts = append(opts, auth.WithResolverClient(insecureClient))
+ }
+
+ return c.authorizer.ResolverWithOpts(opts...)
+}
+
+func (c *Client) WithInsecureResolver() error {
+ resolver, err := c.newResolver(true)
+ if err != nil {
+ return err
+ }
+ c.resolver = resolver
+ return nil
+}
+
 // ClientOptDebug returns a function that sets the debug setting on client options set
 func ClientOptDebug(debug bool) ClientOption {
 return func(client *Client) {
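Review bot: The insecure branch of newResolver builds its `http.Transport` from a bare literal, so it drops the dial, TLS-handshake and idle-connection limits that `http.DefaultTransport` carries, and the `http.Client` sets no `Timeout`. Cloning the default transport and overriding only the TLS config keeps those limits and the proxy setting, as sketched below. WithInsecureResolver is exported without a doc comment and overwrites `c.resolver` unconditionally, which, judging by the `client.resolver == nil` check in NewClient, may discard a caller-supplied resolver. Its doc comment should state that it replaces the resolver with one that skips certificate and hostname verification, and that registry credentials then travel over an unauthenticated channel.

```go
func (c *Client) newResolver(insecure bool) (remotes.Resolver, error) {
	// … unchanged: User-Agent header and opts setup …

	if insecure {
		// Start from the default transport so proxy handling and the
		// dial/handshake timeouts are kept; only TLS verification changes.
		transport := http.DefaultTransport.(*http.Transport).Clone()
		transport.DisableCompression = true
		transport.TLSClientConfig = &tls.Config{
			// Opt-in only: disables certificate chain and hostname checks.
			InsecureSkipVerify: true,
		}
		opts = append(opts, auth.WithResolverClient(&http.Client{Transport: transport}))
	}

	// … unchanged: return c.authorizer.ResolverWithOpts(opts...) …
```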