Mirrors
/
flux2
mirror of https://github.com/fluxcd/flux2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
dependabot/go_modules/tests/integration/golang.org/x/net-0.36.0
rfc-multi-tenant-workload-identity
dependabot/github_actions/ci-256d05664c
release/v2.5.x
main
release/v2.4.x
remove-notation-validation
release/v2.3.x
rfc-flux-bootstrap-oci
release/v2.2.x
RFC
fix-commit-log
flux-audit
release/v2.1.x
context-ns
ksm-dashboard
rfc-passwordless-git-auth
release/v2.0.x
rfc-gating
release/v0.27.4
rfc-0003
rfc-0002
rfc-0001
prompt-for-tokens
encrypt-init-cmd
v2.5.1
v2.5.0
v2.4.0
v2.3.0
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.2
v2.1.1
v2.1.0
v2.0.1
v2.0.0
v2.0.0-rc.5
v2.0.0-rc.4
v2.0.0-rc.3
v2.0.0-rc.2
v2.0.0-rc.1
v0.41.2
v0.40.0
v0.39.0
v0.38.2
v0.38.1
v0.38.0
v0.37.0
v0.36.0
v0.35.0
v0.34.0
v0.33.0
v0.32.0
v0.31.3
v0.31.2
v0.31.1
v0.31.0
v0.30.1
v0.28.2
v0.27.2
v0.27.1
v0.27.0
v0.26.3
v0.26.2
v0.26.1
v0.26.0
v0.25.3
v0.0.1
v0.0.1-alpha.1
v0.0.1-beta.1
v0.0.1-beta.2
v0.0.1-beta.3
v0.0.1-beta.4
v0.0.10
v0.0.11
v0.0.12
v0.0.13
v0.0.14
v0.0.15
v0.0.16
v0.0.17
v0.0.18
v0.0.19
v0.0.2
v0.0.20
v0.0.21
v0.0.22
v0.0.23
v0.0.24
v0.0.25
v0.0.26
v0.0.27
v0.0.28
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.10.0
v0.11.0
v0.12.0
v0.12.1
v0.12.2
v0.12.3
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.13.4
v0.14.0
v0.14.1
v0.14.2
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.16.0
v0.16.1
v0.16.2
v0.17.0
v0.17.1
v0.17.2
v0.18.0
v0.18.1
v0.18.2
v0.18.3
v0.19.0
v0.19.1
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.20.0
v0.20.1
v0.21.0
v0.21.1
v0.22.0
v0.22.1
v0.23.0
v0.24.0
v0.24.1
v0.25.0
v0.25.1
v0.25.2
v0.27.3
v0.27.4
v0.28.0
v0.28.1
v0.28.3
v0.28.4
v0.28.5
v0.29.0
v0.29.1
v0.29.2
v0.29.3
v0.29.4
v0.29.5
v0.3.0
v0.30.0
v0.30.2
v0.31.4
v0.31.5
v0.38.3
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.40.1
v0.40.2
v0.41.0
v0.41.1
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.7.7
v0.8.0
v0.8.1
v0.8.2
v0.9.0
v0.9.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '0135eb19d4'
${ noResults }
flux2/rfcs/helm-oci/README.md

3.4 KiB
Raw Blame History

RFC-xxxx Flux OCI support for Helm

Status: provisional

Creation date: 2022-03-30

Last update: 2022-03-30

Summary

Given that Helm v3.8 supports OCI for package distribution, we should extend the Flux Source API to allow fetching Helm charts from container registries.

Motivation

Helm OCI support is one of the most requested feature in Flux as seen on this issue.

Goals

  • Add support for fetching Helm charts stored as OCI artifacts with minimal API changes to Flux.
  • Make it easy for users to switch from HTTP/S Helm repositories to OCI repositories.

Non-Goals

  • Introduce a new API kind for referencing charts stored as OCI artifacts.

Proposal

Introduce an optional field called type to the HelmRepository spec.

When not specified, the spec.type field defaults to Default which preserve the current HelmRepository API behaviour.

When the spec.type field is set to OCI, the spec.url field must be prefixed with oci:// (to follow the Helm conventions). For oci:// URLs, source-controller will use the Helm SDK and the oras library to connect to the OCI remote storage. For authentication, the controller will use Kubernetes secrets of kubernetes.io/dockerconfigjson type.

User Stories

Story 1

As a developer I want to use Flux HelmReleases that refer to Helm charts stored as OCI artifacts in GitHub Container Registry.

First create a secret using a GitHub token that allows access to GHCR:

kubectl create secret docker-registry ghcr-charts \
    --docker-server=ghcr.io \
    --docker-username=$GITHUB_USER \
    --docker-password=$GITHUB_TOKEN

Then define a HelmRepository of type OCI and reference the dockerconfig secret:

apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: ghcr-charts
  namespace: default
spec:
  type: OCI
  url: oci://ghcr.io/my-org/charts/
  secretRef:
    name: ghcr-charts

And finally in Flux HelmReleases, refer to the ghcr-charts HelmRepository:

apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: podinfo
  namespace: default
spec:
  interval: 60m
  chart:
    spec:
      chart: my-app
      version: '1.0.x'
      sourceRef:
        kind: HelmRepository
        name: ghcr-charts
      interval: 1m # check for new OCI artifacts every minute

Alternatives

We could use introduce a new API type e.g. HelmOCIRepository. That is considered unpractical, as there is no benefit for users in having a dedicated kind instead of a type filed in the current HelmRepository API. Adding a type filed to the spec follows the Flux Bucket API design, where the same Kind servers different implementations: AWS S3 vs Azure Blob vs Google Storage.

Design Details

In source-controller we'll add a new predicate for indexing HelmRepositories based on the spec.type field.

When the spec.type field is set to OCI, the HelmRepositoryReconciler will set the HelmRepository Ready status to False if the URL is not prefixed with oci://, otherwise the Ready status will be set to True.

The current HelmChartReconciler will use the HelmRepositories with type: Default. For type: OCI we'll introduce a new reconciler HelmChartOCIReconciler that uses oras to download charts and their dependencies.

Enabling the feature

The feature is enabled by default.