HelmRepository should support different OCI Providers

Feature Request

Why

The Helm Repos defined in the values.yaml should have a parameter to set the provider for HelmRepository resources. This gives the ability for flux to use OIDC credentials. The usecase I am using this for is to pull OCI helm charts from ECR. This will also be useful for other cloud providers other than AWS. IRSA credentials can be tied to the helm flux pod, to pull the OCI chart. In this scenario, neither a un/pw or an existing secret is needed.

https://fluxcd.io/flux/components/source/helmrepositories

Proposed Solution

Adding the needed variable, and allow not setting un/pw or a external secrets.

changed the description

added community-contribution label

added triage-kind label

added triage-priority label

removed triage-kind label

removed triage-priority label

added kindfeature label

added priority4 label

added teamDevelopment & Ops label

changed iteration to Big Bang Iterations Oct 15, 2024 - Oct 28, 2024

set weight to 3

mentioned in merge request !5252 (merged)

assigned to @chris.oconnell

Hi @jeremy.mcgee. I don't have an environment setup to pull OCI artifacts from a helmRepo using the AWS provider. Any chance you could validate that this branch works with your AWS provider?

checked the logic in the existing helmRepository template. It looks like we're not forcing the user to provide a secretRef name or username and password. If those are left empty, I believe the template will create a HelmRepository without a secretRef.

So I am getting the following error:

The stack named bigbang-test failed to deploy: UPDATE_ROLLBACK_COMPLETE: Received response status [FAILED] from custom resource. Message returned: Error: b"Error: UPGRADE FAILED: values don't meet the specifications of the schema(s) in the following chart(s):\nbigbang:\n- helmRepositories.0: Must validate at least one schema (anyOf)\n- helmRepositories.0: existingSecret is required\n\n"

I believe you could do something like this in chart/values.schema.json

    "helmRepositories": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string"
          },
          "repository": {
            "type": "string",
            "format": "uri"
          },
          "existingSecret": {
            "type": "string"
          },
          "provider": {
            "type": "string",
            "enum": [
              "generic",
              "aws",
              "azure",
              "gcp"
            ]
          },
          "type": {
            "type": "string",
            "enum": [
              "oci",
              "default"
            ]
          },
          "username": {
            "type": "string"
          },
          "password": {
            "type": "string"
          },
          "email": {
            "type": "string"
          },
          "cosignPublicKey": {
            "type": "string"
          }
        },
        "anyOf": [
          {
            "required": [
              "existingSecret"
            ]
          },
          {
            "required": [
              "username",
              "password"
            ]
          },
          {
            "required": [
              "provider"
            ],
            "not": {
              "properties": {
                "provider": {
                  "const": "generic"
                }
              }
            }
          }
        ],
        "required": [
          "name",
          "repository"
        ]
      }
    },

hey @jeremy.mcgee Sorry busy few weeks. I added that schema change to the MR. Could you validate that it works with the AWS provider?

This did work! Thanks for your help, and for getting to this.

Actually, that didn't work. Sorry for the false positive on that. The issue is that my schema is expecting that provider to be passed in the helmRepositories variable, and not in flux. That may be more desirable, that way you can pull from different providers. IE a generic and an AWS. Maybe test with helm template with an input file to test sense you don't have an ECR to test from.

The code below does work, the provider in helmRepositories is just there to make the schema pass.

helmRepositories:
  - name: "ecr"
    repository: "oci://123456.dkr.ecr.us-gov-west-1.amazonaws.com"
    provider: aws
    type: "oci"

flux:
  provider: aws

Thanks again for your help!

removed teamDevelopment & Ops label

changed milestone to %2.39.0

Sorry I just saw the comment. Thanks for looking at this, I will test as well.

removed iteration Big Bang Iterations Oct 15, 2024 - Oct 28, 2024

changed iteration to Big Bang Iterations Oct 29, 2024 - Nov 11, 2024

changed milestone to %2.40.0