Support OCI Helm charts #191

Closed
janeczku opened this issue Dec 23, 2020 · 12 comments · Fixed by #975

@janeczku

Storing Helm charts in OCI-compliant container registries is becoming the standard. Fleet needs to support downloading these chart artefacts when referenced in fleet.yaml.

Details: rancher/rancher#29105

@Martin-Weiss

Just had another customer using Harbor where we store the Helm charts using OCI, so are there any plans for this feature?

@ferhimedamine

@deniseschannon Any updates regarding this feature?

@SimonAlling

SimonAlling commented Apr 26, 2022

I decided to give this a shot and tried to upgrade the helm.sh/helm/v3 dependency for starters, after removing the helm.sh/helm/v3 => github.com/rancher/helm/v3 replacement.

📜 What I did
$ sed -i '/rancher\/helm\/v3/d' go.mod

$ go get helm.sh/helm/v3
go: upgraded github.com/evanphx/json-patch v4.9.0+incompatible => v4.12.0+incompatible
go: upgraded github.com/google/go-containerregistry v0.1.1 => v0.5.1
go: upgraded github.com/hashicorp/go-multierror v1.1.0 => v1.1.1
go: upgraded github.com/spf13/cobra v1.1.3 => v1.3.0
go: upgraded golang.org/x/sync v0.0.0-20201207232520-09787c993a3a => v0.0.0-20210220032951-036812b2e83c
go: upgraded helm.sh/helm/v3 v3.5.1 => v3.8.2
go: upgraded k8s.io/api v0.21.3 => v0.23.5
go: upgraded k8s.io/apimachinery v0.21.3 => v0.23.5
go: upgraded k8s.io/cli-runtime v0.21.3 => v0.23.5
go: upgraded sigs.k8s.io/yaml v1.2.0 => v1.3.0

$ make
Building for linux-amd64 ...
go: github.com/deislabs/oras@v0.8.1 requires
	github.com/Microsoft/hcsshim@v0.8.7: missing go.sum entry; to add it:
	go mod download github.com/Microsoft/hcsshim
FATA[0006] exit status 1
make: *** [Makefile:17: default] Error 1

$ go mod download github.com/Microsoft/hcsshim

$ make

At this point, I got literally 100+ missing go.sum entry errors, so I ran all the corresponding suggested go get commands.

$ go get github.com/hashicorp/go-getter@v1.5.11
$ … (~100 go get commands)
$ go get github.com/rancher/fleet/pkg/bundle

$ make
note: module requires Go 1.17
FATA[0006] exit status 2

$ sed -i 's/golang:1\.16\.10/golang:1.17.9/' Dockerfile.dapper

$ sed -i 's/go 1\.16/go 1.17/' go.mod

$ make
go: updates to go.mod needed; to update it:
	go mod tidy
FATA[0008] exit status 1

$ go mod tidy
go: downloading github.com/google/martian v2.1.0+incompatible

$ make
/go/pkg/mod/github.com/bombsimon/logrusr@v1.0.0/logrusr.go:34:9: cannot use &logrusr{...} (type *logrusr) as type logr.Logger in return argument
/go/pkg/mod/github.com/bombsimon/logrusr@v1.0.0/logrusr.go:69:32: undefined: logr.InfoLogger
/go/pkg/mod/github.com/bombsimon/logrusr@v1.0.0/logrusr.go:84:2: cannot use l (type *logrusr) as type logr.Logger in return argument
/go/pkg/mod/github.com/bombsimon/logrusr@v1.0.0/logrusr.go:96:2: cannot use l (type *logrusr) as type logr.Logger in return argument
FATA[0011] exit status 2

$ go get github.com/bombsimon/logrusr
go: upgraded github.com/bombsimon/logrusr v1.0.0 => v1.1.0

$ make
/go/pkg/mod/github.com/bombsimon/logrusr@v1.1.0/logrusr.go:34:9: cannot use &logrusr{...} (type *logrusr) as type logr.Logger in return argument
/go/pkg/mod/github.com/bombsimon/logrusr@v1.1.0/logrusr.go:69:32: undefined: logr.InfoLogger
/go/pkg/mod/github.com/bombsimon/logrusr@v1.1.0/logrusr.go:86:2: cannot use newLogger (type *logrusr) as type logr.Logger in return argument
/go/pkg/mod/github.com/bombsimon/logrusr@v1.1.0/logrusr.go:99:2: cannot use newLogger (type *logrusr) as type logr.Logger in return argument
FATA[0009] exit status 2

$ sed -i 's/golang:1\.17\.9/golang:1.18.1/' Dockerfile.dapper

$ sed -i 's/go 1\.17/go 1.18/' go.mod

$ make
/go/pkg/mod/github.com/bombsimon/logrusr@v1.1.0/logrusr.go:34:9: cannot use &logrusr{…} (value of type *logrusr) as type logr.Logger in return statement
/go/pkg/mod/github.com/bombsimon/logrusr@v1.1.0/logrusr.go:69:37: undefined: logr.InfoLogger
/go/pkg/mod/github.com/bombsimon/logrusr@v1.1.0/logrusr.go:86:9: cannot use newLogger (variable of type *logrusr) as type logr.Logger in return statement
/go/pkg/mod/github.com/bombsimon/logrusr@v1.1.0/logrusr.go:99:9: cannot use newLogger (variable of type *logrusr) as type logr.Logger in return statement
FATA[0189] exit status 2

$ go get -u github.com/bombsimon/logrusr
go: upgraded github.com/go-logr/logr v1.2.2 => v1.2.3
go: upgraded golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e => v0.0.0-20220422013727-9388b58f7150

$ make
/go/pkg/mod/github.com/bombsimon/logrusr@v1.1.0/logrusr.go:34:9: cannot use &logrusr{…} (value of type *logrusr) as type logr.Logger in return statement
/go/pkg/mod/github.com/bombsimon/logrusr@v1.1.0/logrusr.go:69:37: undefined: logr.InfoLogger
/go/pkg/mod/github.com/bombsimon/logrusr@v1.1.0/logrusr.go:86:9: cannot use newLogger (variable of type *logrusr) as type logr.Logger in return statement
/go/pkg/mod/github.com/bombsimon/logrusr@v1.1.0/logrusr.go:99:9: cannot use newLogger (variable of type *logrusr) as type logr.Logger in return statement
FATA[0039] exit status 2

@ghost

ghost commented Aug 5, 2022

We would need this feature too. Are there any plans?

@manno
Member

manno commented Aug 17, 2022

We could use a chart similar to https://github.com/rancher/fleet-examples/tree/master/single-cluster/helm to check if this already works.

mattfarina added this to Fleet Aug 17, 2022
mattfarina moved this to 🆕 New in Fleet Aug 17, 2022
mattfarina moved this from 🆕 New to 📋 Backlog in Fleet Aug 17, 2022
@manno
Member

manno commented Aug 18, 2022

Just found #187 which describes potentially missing "go-getter" functionality around the helm.repo/helm.chart fields in gitrepo.

thardeck moved this from 📋 Backlog to 🏗 In progress in Fleet Aug 18, 2022
@thardeck
Contributor

thardeck commented Aug 23, 2022

As mentioned in #187, the GitRepo helm.chart value is a go-getter URL, as described in https://fleet.rancher.io/gitrepo-structure/#reference. The go-getter URL format is described here: https://github.com/hashicorp/go-getter#url-format.

  # Use a custom location for the Helm chart. This can refer to any go-getter URL.
  # This allows one to download charts from most any location.  Also know that
  # go-getter URL supports adding a digest to validate the download. If repo
  # is set below this field is the name of the chart to lookup
  chart: ./chart

OCI is not supported yet in the latest version of go-getter, but there is a feature request for it (hashicorp/go-getter#271), with even a PoC PR mentioned.

Helm seems to use the oras library for their OCI support.

@deniseschannon

Where/how was this tested by QA?

@thardeck
Contributor

thardeck commented Sep 19, 2022

> Where/how was this tested by QA?

I think it was not tested yet by QA; the issue got closed automatically after merging the PR. Reopening for now.

I have added an example to fleet-examples, which is also used for our CI test, and updated the Repo Structure documentation of Fleet.

Authentication for OCI-based registries is not supported yet but will be delivered in a separate PR to not block the release.

Let me know if anything else is missing.

thardeck reopened this Sep 19, 2022
@thardeck
Contributor

thardeck commented Sep 23, 2022

Authentication for OCI-based registries is now supported. The structure of the fleet.yaml is the same; the credentials are provided as a Kubernetes secret, as described in our Repo Structure documentation in the box Private Helm Repo.

The name of the created Kubernetes secret is specified in the gitRepo.spec.helmSecretName value.

We also have an additional CI test for the OCI registry authentication using GitHub secrets.

Both tests are using GHCR hosted packages. There is a great howto which describes how to use GitHub Container Registry (GHCR) to host your Helm Charts.

I am closing this issue now since it is fixed in master, we have integration tests for both use cases, and if issues are found in the implementation by QA or somebody else, we should create new issues to address them.
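How the pieces named in the comment above fit together, as an added example that is not part of the thread or of Fleet's own repositories: a fleet.yaml with an `oci://` chart reference, the credentials secret, and the GitRepo that names it in `helmSecretName`. The registry host, chart path, Git URL, namespaces and resource names are placeholders, and the `username`/`password` secret keys assume the basic-auth layout of the Private Helm Repo documentation the comment refers to.

```yaml
# --- fleet.yaml, stored in the Git path that the GitRepo below points at ---
# Constructed example: registry host and chart path are placeholders.
defaultNamespace: guestbook
helm:
  # OCI reference in place of a go-getter URL or a repo/chart pair
  chart: oci://registry.example.com/charts/guestbook
  version: 0.1.0
---
# Registry credentials, created in the same namespace as the GitRepo.
# Use a pull-only credential so a leaked secret cannot push charts.
apiVersion: v1
kind: Secret
metadata:
  name: oci-helm-auth            # hypothetical name
  namespace: fleet-default       # assumed GitRepo namespace
type: Opaque
stringData:
  username: "<registry-user>"    # placeholder
  password: "<read-only-token>"  # placeholder
---
# GitRepo that tells Fleet which secret to use when pulling the chart.
apiVersion: fleet.cattle.io/v1alpha1
kind: GitRepo
metadata:
  name: guestbook-oci            # hypothetical name
  namespace: fleet-default
spec:
  repo: https://git.example.com/org/fleet-config.git  # placeholder
  paths:
    - apps/guestbook             # directory containing the fleet.yaml above
  helmSecretName: oci-helm-auth  # must match the Secret's metadata.name
```

The credentials stay out of the Git repository: fleet.yaml carries only the chart reference, and the secret is created directly in the cluster.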

thardeck moved this from 🏗 In progress to ✅ Done in Fleet Sep 23, 2022
mattfarina moved this from ✅ Done to 👀 In review in Fleet Sep 28, 2022
mattfarina moved this from 👀 In review to Ready for QA in Fleet Sep 28, 2022
zube bot reopened this Oct 13, 2022
@thardeck
Contributor

@rancher/qa

Additional QA

Problem

Helm charts provided by OCI registries were not supported.

Solution

We are using the Helm library to support OCI registries, including basic authentication.

Testing

Reference an OCI-based Helm chart, like this CI example, and check if the app comes up.

Automated Testing

Our CI runs tests against a public OCI registry example and a private OCI registry example.

zube bot removed the [zube]: QA Next up label Oct 21, 2022
MSpencer87 self-assigned this Oct 25, 2022
@MSpencer87

Verified on Rancher v2.7.0-rc6 with fleet:101.0.0+up0.5.0-rc3

Steps to reproduce:

  1. Bring up HA Rancher on v2.6.8 with fleet:100.0.5+up0.3.11
  2. Provision a downstream cluster
  3. Navigate to Continuous Delivery -> GitRepos and select Add Repository
  4. Add the Fleet Examples repo https://github.com/rancher/fleet-examples.git and set the path for an OCI installation /single-cluster/helm-oci
  5. Select the downstream cluster as your target and select Create
  6. Repo is showing Git Updating label with error message and 0/0 Clusters Ready
Time="2022-10-25T23:55:08Z" level=fatal msg="download not supported for scheme 'oci'"

Steps for Validation:

  1. Bring up HA Rancher on v2.7.0 with fleet:101.0.0+up0.5.0-rc3
  2. Provision a downstream cluster
  3. Navigate to Continuous Delivery -> GitRepos and select Add Repository
  4. Add the Fleet Examples repo https://github.com/rancher/fleet-examples.git and set the path for an OCI installation /single-cluster/helm-oci
  5. Select the downstream cluster as your target and select Create
  6. The guestbook example is reachable inside the downstream clusters via Rancher UI under Service Discovery->Services

This was also tested successfully via the Rancher upgrade scenario v2.6.8->v2.7.0

  1. Fleet is upgraded fleet:100.0.5+up0.3.11->fleet:101.0.0+up0.5.0-rc3 during upgrade
  2. The repo showing the Git Updating label with the error message below changes to the Active label with 2/2 Clusters Ready
Time="2022-10-25T23:55:08Z" level=fatal msg="download not supported for scheme 'oci'"
  3. The guestbook example is reachable inside the downstream clusters via Rancher UI under Service Discovery->Services

MSpencer87 moved this from Ready for QA to ✅ Done in Fleet Oct 26, 2022
zube bot removed the [zube]: Done label Jan 24, 2023