Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[OCIRepository] Produce Helm chart artifacts #912

Closed
wants to merge 1 commit into from
Closed

[OCIRepository] Produce Helm chart artifacts #912

wants to merge 1 commit into from

Conversation

stefanprodan
Copy link
Member

@stefanprodan stefanprodan commented Sep 23, 2022
edited
Loading

This PR changes the behaviour of the OCIRepository controller when .spec.layerSelector.mediaType is set to application/vnd.cncf.helm.chart.content.v1.tar+gzip, to make the resulting Flux artifact compatible with Helm.

IMO OCIRepositories should produce valid Helm chart artifacts even if we chose not to use them in helm-controller. If we do chose to add OCIRepository as source to HelmReleases, then this will enable chart verification (cosgin + keyless), insecure registries which are blocked upstream in Helm, and easier debugging experience (no more hidden HelmChart objects, nor HelmRepositories).

Changes:

  • extract the Helm chart tgz from the OCI artifact and save it to storage unaltered
  • set the revision to the chart version instead of the OCI digest
  • emit events specific to Helm mentioning the chart version instead of digests

Given the following definition:

apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: podinfo-chart-signed
  namespace: apps
spec:
  interval: 5m0s
  layerSelector:
    mediaType: "application/vnd.cncf.helm.chart.content.v1.tar+gzip"
  url: oci://ghcr.io/stefanprodan/charts/podinfo
  ref:
    semver: '6.x'
  verify:
    provider: cosign # keyless (signed in CI with GitHub Actions OIDC)

The controller produces the following result:

status:
  artifact:
    checksum: 73999c9c2994a16dff89c65b7e77dd4d9e3b5b6eb43a5f2797919c54111622c9
    lastUpdateTime: "2022-09-23T10:56:08Z"
    path: ocirepository/apps/podinfo-chart-signed/podinfo-6.2.0.tgz
    revision: 6.2.0
    size: 13542
    url: http://source-controller.flux-system.svc.cluster.local./ocirepository/apps/podinfo-chart-signed/podinfo-6.2.0.tgz
  conditions:
  - lastTransitionTime: "2022-09-23T10:56:08Z"
    message: stored chart with version '6.2.0'
    observedGeneration: 1
    reason: Succeeded
    status: "True"
    type: Ready
  - lastTransitionTime: "2022-09-23T10:56:08Z"
    message: stored chart with version '6.2.0'
    observedGeneration: 1
    reason: Succeeded
    status: "True"
    type: ArtifactInStorage
  - lastTransitionTime: "2022-09-23T10:56:07Z"
    message: verified signature of digest 635be9b051391f32ba5edb00efcf2abe1105383fa531473c3b7255937e630cc1
    observedGeneration: 1
    reason: Succeeded
    status: "True"
    type: SourceVerified
  lastHandledReconcileAt: "2022-09-23T10:57:27.981294Z"
  observedGeneration: 1
  url: http://source-controller.flux-system.svc.cluster.local./ocirepository/apps/podinfo-chart-signed/latest.tar.gz

And the following events:

  Type    Reason                      Age                 From               Message
  ----    ------                      ----                ----               -------
  Normal  NewArtifact                 42m                 source-controller  stored chart version '6.2.0'
  Normal  ArtifactUpToDate            2m9s (x9 over 41m)  source-controller  chart up-to-date with remote version: '6.2.0'

@stefanprodan
Produce Helm chart artifacts
158476f 
Change the behavior of the OCIRepository controller when `.spec.layerSelector.mediaType` is set to `application/vnd.cncf.helm.chart.content.v1.tar+gzip` to make the resulting Flux artifact compatible with Helm.

Signed-off-by: Stefan Prodan <[email protected]>
@stefanprodan stefanprodan added area/helm Helm related issues and pull requests area/oci OCI related issues and pull requests labels Sep 23, 2022
@stefanprodan
Copy link
Member Author

Superseded by #913

hiddeco
hiddeco reviewed Sep 23, 2022
View reviewed changes
Copy link
Member

@hiddeco hiddeco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Putting in my review which was communicated with Stefan offline as well to help people understand #913 better.

api/v1beta2/ocirepository_types.go
@@ -231,6 +231,11 @@ func (in *OCIRepository) GetLayerMediaType() string {
return in.Spec.LayerSelector.MediaType
}

// IsHelmMediaType returns true if the selector is set to 'application/vnd.cncf.helm.chart.content.v1.tar+gzip'
func (in *OCIRepository) IsHelmMediaType() bool {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would make this accept a parameter instead of pulling "Helm" into the API.

controllers/ocirepository_controller.go
conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
return sreconcile.ResultEmpty, e
// If the artifact is a Helm chart, we write the blob as it is to the storage
if obj.IsHelmMediaType() {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would not make this behavior special to Helm. Instead, I would allow the user to decide if the layer blob should be copied as-is, or extracted first. This prevents the potential growth of having n solutions which require this special behavior.

@stefanprodan stefanprodan deleted the oci-helm-charts branch April 4, 2024 13:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hiddeco hiddeco hiddeco left review comments

Assignees
No one assigned
Labels
area/helm Helm related issues and pull requests area/oci OCI related issues and pull requests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@stefanprodan @hiddeco