Support Helm charts from OCI registries #124
Comments
squaremo
added
enhancement
|
Yes it would be a really great feature. OCI is the future for Helm chart, and Harbor already support replication to external registries like Azure Container Registry. |
|
The Update: no chances of integration yet, as the |
Isn't it enough to just use OCIGetter which wraps the client you mention? |
|
No, it is not as we do not have access to the |
|
I have browsed for few days searching a solution to have my Charts stored in a private GitLab container registry (OCI compliant registry) and be finally able to pull those charts from the usual Helm command. I have found the code from two small projects that looks appealing: The goal is to build a classic Chart registry from the content of the OCI registry using the following endpoints:
Do you think that such solution can be the good direction to avoid rewriting a specific module to handle OCI registries? |
|
Is there any timeline available on when this might become available? We are also using Azure Container registry and MSFT is suggesting to use OCI with Helm3, which on the Helm side is considered experimental. |
|
@alxy It is also possible to push tar.gz files of Helm chart to an ACR. We currently push both the OCI and the tar.gz, for now we only use the tar.gz with Flux but when OCI is available when can just switch without the need to push all charts again. |
|
@rchrd Thanks for the tip, we have also considered the hybrid approach, but it makes the build and deploy pipelines a lot more complex (as the helm commands to run are quite different). Will need to think about it... Especially since the deploy part is then potentially anyway handled by flux, it might be worth it. |
@alxy Have you though about a proxy/mirror/endpoint that can translate your OCI registry in a classic Chart registry ? |
|
@Jimmy-Newtron I think in that case I'd rather use the approach that @rchrd suggested. At least the ACR (which is a managed cloud resource) supports both methods (in parallel), and I'd prefer that over setting up my custom repository and adding even more tooling to the already complex process and toolchain. |
|
I'm using chartmuseum for now and pushing helm charts parallel to chartmuseum and to gcr.io. |
|
It would be great if OCI registries are supported in FluxCD. |
|
@hiddeco May I ask if this is a technical thing that this cannot be added to flux, or something political, as in you are not using features considered as experimental by Helm? The reason I am asking is that I have found this PR for argo-cd which seems to implement exactly the functionality we are looking for here... |
|
ArgoCD uses We are also blocked by this (we in particular want to use AWS ECR). Would it be an option to copy the necessary parts from helms *edit* |
|
There are a number of well-known issues with the current I would urge others not to copy code from |
|
As a note, here's just the tip of the iceberg of current design issues we need to work through: https://github.com/helm/helm/issues?q=is%3Aissue+is%3Aopen+label%3Abug+oci At least 1/3 of the open issues labeled "bug" in Helm are related to the experimental OCI flag, so there's much work left to be done. Copying this code from Helm means you'll just be inheriting all those bugs into your code before we've had the chance to fix them. Contributions/help is always welcome. If you'd like to help I'd be happy to point you in the right direction. |
|
@bacongobbler thanks for jumping in on this issue as a Helm maintainer, much appreciated. I do agree with all of your points and am well aware of the outstanding issues, which is the reason I did not copy things from Although my available time to spend on other open-source projects while maintaining a healthy work/life balance is limited, I do find it quiet painful that we rely heavily on Helm – and I am personally well informed of its architecture – while my contributions have been limited. Given this, I will take a look and see if I can find some time (or increased priority) to help with some of the issues you linked to. I also noticed that plans are being made for the start of the Helm 4 development phase. If the Helm project is looking for feedback to improve SDK usage, I would be more than happy to have a chat. |
|
Major changes in the OCI implementation in Helm 3.7.0: |
|
With all OCI related APIs still being |
|
Actually it appears since Helm v3.5.0 there was a public OCIGetter, but it wasn't connected to the normal helm code: https://pkg.go.dev/helm.sh/helm/v3@v3.7.0/pkg/getter#OCIGetter
I think that's all public APIs to fetch the chart now? I don't know enough about helm to know if that's enough for you to use it in flux though. |
|
@hiddeco It almost seems usable, I tested enabling the Currently flux supports semver on helm chart versions. To support this with OCI you would need to fetch the list of tags for an OCI image and do semver matching against them. I skipped this for now, I'm not sure if Helm provides any APIs to list these. source-controller currently fetches the index yaml of HTTP HelmRepositories. It seems that Helm does store these in the OCI See main...bburky:oci-hack-test for the very hacky testing I did, but it was mostly enabling the getter for the I used the following flux configuration for testing: apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: test
namespace: flux-system
spec:
interval: 5m
chart:
spec:
# This gets joined with the HelmRepository URL to become oci://172.17.0.1:5000/test/test:0.1.0
# I couldn't find any other easy way to pass a name and version in ChartVersion to DownloadChart()
# This does appear to match how `repository:` is handled in `dependencies:` which joins the name to the URL similarly
chart: test
version: "0.1.0"
sourceRef:
kind: HelmRepository
name: test
namespace: flux-system
interval: 1m
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: HelmRepository
metadata:
name: test
namespace: flux-system
spec:
# This doesn't really work on 5000, it will require TLS without some further changes.
url: oci://172.17.0.1:5000/test
interval: 10m |
|
There are several technical reasons why we couldn't move that code under I'm getting kinda tired of repeating this, but it bears repeating: this code is experimental. Please do not attempt to put experimental features in your code. Things will break. This is expected to happen as we iterate. We will not provide support when that happens. |
|
While I do understand the desire of you all to move to OCI, we do not want to tire our beloved Helm maintainers with our issues. When we can integrate this is clear to all controller maintainers, and I am locking the conversation to this select group of people until we have determined things to be GA on Helm's side. |
|
We are working on a design doc. Would be nice to have feedbacks. |
|
@souleb @hiddeco I've left some comments on the design doc. Basically, my angle is from modeling the OCI Source CRD on By the way, I found hackmd not really friendly in terms of commenting, there's a maximum number of character for each comment that forced me to break my comments into chunks, and also I couldn't edit any comment once submitted. Is it ok to migrate to a Google Doc or something? |
|
In the case of using OCI for helm chart, we define an OCI Registry and a HelmRelease apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: OCIRegistry
metadata:
name: my-local-registry
namespace: flux-system
spec:
interval: 10m
url: localhost:5000
auth:
secretRef:
name: regcredapiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: my-chart
spec:
interval: 5m
chart:
spec:
chart: my-chart
version: '4.0.x'
sourceRef:
kind: OCIRegistry
name: my-local-registry
namespace: flux-system
interval: 1m
In the case of using OCI for kustomize bundle, if the bundle is pushed to the same registry (with a unique mediaType apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: my-kustomization
spec:
interval: 5m
bundle: #ignored if source reference is not OCIRegistry
name: my-kustomization
#oneof
tag: "1.0.x"
digest: "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"
path: "./deploy/webapp/"
prune: true
sourceRef:
kind: OCIRegistry
name: my-local-registry
namespace: flux-system
wait: true
timeout: 2mthe apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: KustomizationBundle
metadata:
name: my-kustomization
namespace: flux-system
spec:
baseName: my-kustomization #ignored if source reference is not OCIRegistry
tag: '1.0.x' #ignored if source reference is not OCIRegistry
path: "./deploy/webapp/"
sourceRef:
kind: OCIRegistry
name: my-local-registry
interval: 5m |
|
@simingweng what about putting this in the alternative design section? |
|
I'm not for introducing two types for Helm and Kustomize to source-controller API. I would very much prefer to reuse the |
|
Isn't the |
Not exactly. The difference is that an OCIRepository would point to a concrete repository like registry.gitlab.com/makkes/repo whereas the idea of a OCIRegistry is more generic. With an OCIRepository you would have to create one such resource per Helm chart. With an OCIRegistry you would create one resource for as many Helm charts or other actual resources you'd like to consume from the registry. That's how I understand both suggestions. Please correct me if I'm wrong @souleb or @simingweng. |
|
@makkes yes, that's where I came from. The fundamental reason that makes me want to try model it at Do we want to allocate this "version selection" semantics in a single resource, rather than overlap in both the "source" resource and the "consuming" resource? I know it sounds too much like a refactoring of existing API, which may not be the goal of this OCI support effort. Then, we just need to educate the user clearly which field takes priority when both the |
Yes, I can. |
|
@simingweng We have updated the doc. Please review it. |
This comment was marked as off-topic.
This comment was marked as off-topic.
|
Hi flux firends! I am actively working to complete PR #450. I am updating the OCIRepository reconciler implementation to match the new standard used in other reconcilers within this project. Additionally, I propose to add "CertSecretRef" to OCIRepository spec as suggested in PR #450. The "CertSecretRef" will be optional and can have a name of a secret that contains certificate data. It will be used for connecting to the registry. I find this useful for registry that has certificates issued by a Private CA (non-public Cetificate Authorties) |
|
@rashedkvm please hold off the implementation, we need to decide on how the API will look. Everyone please add your feedback on the Flux OCI support for Helm, once the RFC is approved we can move forward with the implementation. |
The language in the Helm docs about registries suggests that the plan is support using OCI (https://helm.sh/docs/topics/registries/). This feature still experimental in Helm, but it looks like the plan is to graduate it in a release soon: helm/helm#7613, helm/community#136.
The text was updated successfully, but these errors were encountered: