Add support for OCIRepository as chartRef

[souleb]

fixes #789 #903

[hiddeco]

I would simply let the existence of a reference take precedence over the template existing.

[souleb]

My assumption is that if a user switch to a chartRef and wants to use an existing ociRepo it is because he wants to reduce the number of existing helmChart resources. So if we don't clean up during the reconciliation, the user will likely perform the clean up by other means. That would leave a status that does not reflect the actual state.

[stefanprodan]

I think it's a must to cleanup the old Charts from storage and etcd.

[darkowlzz]

This is expected to be an impossible scenario, right? Because the API server validation won't allow such object to be created.
But if there's a possibility for such object to be reconciled, ensuring that the object status reflects a stalled condition would be better. That is, moving to reconcileRelease(), marking the object with Ready=False and Stalled=True, and then returning the terminal error would be ideal.

But it can be left as it is if we will never process such object and the API server will let the user know about the invalid object.

[souleb]

We use CEL validation to have a oneOf validation behaviour. Quoting here "Kubernetes CRD Validation Using CEL has been turned on by default since Kubernetes 1.25 and graduated to GA in Kubernetes 1.29." As of now we support k8s from 1.27 so most likely it is safe, but I assume that it is still a possible scenario.

[darkowlzz]

I fixed the broken code references from the last commit locally and did some manual testing and it works nicely.
Left some minor suggestions.

[stefanprodan]

It is not clear from this PR if a mutable tag will trigger a Helm upgrade when the upstream digest changes. Can we have a test for this?

[stefanprodan]

Stuck helm-controller, the OCIRepo predicate is buggy:

$ flux -n podinfo get all
NAME                 	REVISION             	SUSPENDED	READY	MESSAGE                                            
ocirepository/podinfo	6.6.2@sha256:83295d47	False    	True 	stored artifact for digest '6.6.2@sha256:83295d47'	

NAME               	REVISION	SUSPENDED	READY	MESSAGE                                                                                           
helmrelease/podinfo	        	False    	False	OCIRepository 'podinfo/podinfo' is not ready: latest generation of object has not been reconciled	

The OCIRepo observedGeneration is up to date:

apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  annotations:
    reconcile.fluxcd.io/requestedAt: "2024-04-12T20:09:15.148746+03:00"
  creationTimestamp: "2024-04-12T17:02:24Z"
  finalizers:
  - finalizers.fluxcd.io
  generation: 2
  name: podinfo
  namespace: podinfo
  resourceVersion: "5910"
  uid: d2464665-8e4c-4845-a449-2e7a384c3292
spec:
  interval: 1m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  provider: generic
  ref:
    semver: '>=5.0.0'
  timeout: 60s
  url: oci://ghcr.io/stefanprodan/charts/podinfo
  verify:
    provider: notation
    secretRef:
      name: podinfo-notation
status:
  artifact:
    digest: sha256:9db648076519fe8ae594182fe0bb74bceb3bd516407d5da6577216d12a1f6625
    lastUpdateTime: "2024-04-12T17:07:06Z"
    metadata:
      org.opencontainers.image.authors: stefanprodan ([email protected])
      org.opencontainers.image.created: "2024-04-10T11:07:52Z"
      org.opencontainers.image.description: Podinfo Helm chart for Kubernetes
      org.opencontainers.image.source: https://github.com/stefanprodan/podinfo
      org.opencontainers.image.title: podinfo
      org.opencontainers.image.url: https://github.com/stefanprodan/podinfo
      org.opencontainers.image.version: 6.6.2
    path: ocirepository/podinfo/podinfo/sha256:83295d47de6d6ca634ed4b952a7572fc176bcc38854d0c11ca0fa197bc5f1154.tar.gz
    revision: 6.6.2@sha256:83295d47de6d6ca634ed4b952a7572fc176bcc38854d0c11ca0fa197bc5f1154
    size: 14905
    url: http://source-controller.flux-system.svc.cluster.local./ocirepository/podinfo/podinfo/sha256:83295d47de6d6ca634ed4b952a7572fc176bcc38854d0c11ca0fa197bc5f1154.tar.gz
  conditions:
  - lastTransitionTime: "2024-04-12T17:02:45Z"
    message: stored artifact for digest '6.6.2@sha256:83295d47de6d6ca634ed4b952a7572fc176bcc38854d0c11ca0fa197bc5f1154'
    observedGeneration: 2
    reason: Succeeded
    status: "True"
    type: Ready
  - lastTransitionTime: "2024-04-12T17:02:45Z"
    message: stored artifact for digest '6.6.2@sha256:83295d47de6d6ca634ed4b952a7572fc176bcc38854d0c11ca0fa197bc5f1154'
    observedGeneration: 2
    reason: Succeeded
    status: "True"
    type: ArtifactInStorage
  - lastTransitionTime: "2024-04-12T17:02:45Z"
    message: verified signature of revision 6.6.2@sha256:83295d47de6d6ca634ed4b952a7572fc176bcc38854d0c11ca0fa197bc5f1154
    observedGeneration: 2
    reason: Succeeded
    status: "True"
    type: SourceVerified
  lastHandledReconcileAt: "2024-04-12T20:09:15.148746+03:00"
  observedGeneration: 2
  observedLayerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  url: http://source-controller.flux-system.svc.cluster.local./ocirepository/podinfo/podinfo/latest.tar.gz

[stefanprodan]

The test succeded event does not contain the oci-digest annotation and breaks the promotion workflow:

Helm test succeeded for release podinfo/podinfo.v2 with chart [email protected]+83295d47de6d: 3 test hooks completed successfully
revision
6.6.2+83295d47de6d

The upgrade event has it:

Helm upgrade succeeded for release podinfo/podinfo.v2 with chart [email protected]+83295d47de6d
oci-digest
sha256:83295d47de6d6ca634ed4b952a7572fc176bcc38854d0c11ca0fa197bc5f1154
revision
6.6.2+83295d47de6d

[souleb]

Just tested, test events show the digest as expected now:

- apiVersion: v1
  count: 1
  eventTime: null
  firstTimestamp: "2024-04-16T08:48:41Z"
  involvedObject:
    apiVersion: helm.toolkit.fluxcd.io/v2beta2
    kind: HelmRelease
    name: podinfo
    namespace: default
    resourceVersion: "3928"
    uid: 280e469f-e21e-4edd-b577-8d6ead548396
  kind: Event
  lastTimestamp: "2024-04-16T08:48:41Z"
  message: 'Helm test succeeded for release default/podinfo.v2 with chart [email protected]+83295d47de6d:
    3 test hooks completed successfully'
  metadata:
    annotations:
      helm.toolkit.fluxcd.io/oci-digest: sha256:83295d47de6d6ca634ed4b952a7572fc176bcc38854d0c11ca0fa197bc5f1154
      helm.toolkit.fluxcd.io/revision: 6.6.2+83295d47de6d
      helm.toolkit.fluxcd.io/token: sha256:5ee5478adca0d5fa927d1ebff4714f8eea683389ac0e21489b5572806e3ab307
    creationTimestamp: "2024-04-16T08:48:41Z"
    name: podinfo.17c6b674cd8c4571
    namespace: default
    resourceVersion: "4061"
    uid: 15a0533d-68d0-43ae-b019-ff3dd26ddbd2
  reason: TestSucceeded
  reportingComponent: helm-controller
  reportingInstance: ""
  source:
    component: helm-controller
  type: Normal
kind: List
metadata:
  resourceVersion: ""

[souleb]

note that if no matching snapshot is found, we have no way of retrieving the corresponding oci digest.

[stefanprodan]

LGTM

Awesome contribution! Thanks @souleb 🥇

PS. I have run extensive tests and all the issues I found are now fixed.

[gabrielqs]

is this ready to go live? can't wait to use it

[stefanprodan]

@gabrielqs this will be released in Flux v2.3, see fluxcd/flux2#4712

[souleb]

I plan to merge this tomorrow, so late reviews can still happen.