HelmRepository should support different OCI Providers
The Helm Repos defined in the values.yaml should have a parameter to set the provider for HelmRepository resources. This gives the ability for flux to use OIDC credentials. The use case I am using this for is to pull OCI helm charts from ECR. This will also be useful for other cloud providers other than AWS. IRSA credentials can be tied to the helm flux pod, to pull the OCI chart. In this scenario, neither a username/password nor an existing secret is needed.
Hi @jeremy.mcgee. I don't have an environment set up to pull OCI artifacts from a helmRepo using the AWS provider. Any chance you could validate that this branch works with your AWS provider?
I checked the logic in the existing helmRepository template. It looks like we're not forcing the user to provide a secretRef name or username and password. If those are left empty, I believe the template will create a HelmRepository without a secretRef.
The stack named bigbang-test failed to deploy: UPDATE_ROLLBACK_COMPLETE: Received response status [FAILED] from custom resource. Message returned: Error: b"Error: UPGRADE FAILED: values don't meet the specifications of the schema(s) in the following chart(s):\nbigbang:\n- helmRepositories.0: Must validate at least one schema (anyOf)\n- helmRepositories.0: existingSecret is required\n\n"
I believe you could do something like this in chart/values.schema.json
Actually, that didn't work. Sorry for the false positive on that. The issue is that my schema is expecting that provider to be passed in the helmRepositories variable, and not in flux. That may be more desirable, that way you can pull from different providers, i.e. a generic and an AWS. Maybe test with helm template with an input file to test since you don't have an ECR to test from.
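An added example (not the project's schema and not the code either commenter refers to) of how the anyOf in chart/values.schema.json could admit a provider-authenticated entry: the existingSecret and username/password branches from the error above stay, and a third branch applies only when type is oci and provider is one of Flux's cloud providers, so a generic repository still has to carry credentials. Key names other than existingSecret, and the enum values, are assumed from Flux's HelmRepository spec (type: default/oci; provider: generic/aws/azure/gcp).

```json
{
  "helmRepositories": {
    "type": "array",
    "items": {
      "type": "object",
      "properties": {
        "name": { "type": "string" },
        "repository": { "type": "string" },
        "type": { "type": "string", "enum": ["default", "oci"] },
        "provider": { "type": "string", "enum": ["generic", "aws", "azure", "gcp"] },
        "existingSecret": { "type": "string" },
        "username": { "type": "string" },
        "password": { "type": "string" }
      },
      "required": ["name", "repository"],
      "anyOf": [
        { "required": ["existingSecret"] },
        { "required": ["username", "password"] },
        {
          "properties": {
            "type": { "const": "oci" },
            "provider": { "enum": ["aws", "azure", "gcp"] }
          },
          "required": ["type", "provider"]
        }
      ]
    }
  }
}
```

With this in place, helm template with an input file containing an entry that has only name, repository, type: oci and provider: aws passes validation, while the same entry with provider: generic still fails with the "existingSecret is required" message shown above.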
The code below does work, the provider in helmRepositories is just there to make the schema pass.