Zarf does not support deploying Flux HelmReleases with OCI Helm chart sources #1974
Comments
|
+1 this, I would also love to have this exact feature for our Flux Releases |
|
Just starting to investigate this and wanted to circle back to update the issue: In terms of the admission controller (Zarf Agent), this development looks like it would touch (for Flux OCIArtifacts): apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: podinfo
namespace: flux-system
spec:
interval: 10m
type: oci
url: oci://ghcr.io/stefanprodan/charts # <- HEREOCIRepository apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
name: podinfo
namespace: flux-system
spec:
interval: 10m
url: oci://ghcr.io/stefanprodan/manifests/podinfo # <- Here
ref:
tag: latestIn term's of Zarf's transform library, we should already be capable of transforming the URL as long as we emit the oci:// protocol internally. Example here The biggest complexity that I am aware based on the issue of seems like it would be around the insecure registry which needs more investigation. I think worst case we would look at securing the Zarf internal registry possibly |
|
There are at least 3 tasks:
|
|
If at all helpful, for #3 listed above, I had to do this internally for a corporate network with Flux HelmRepository and the only work around I could easily get working was to patch the deployment with the CA that I had into the container like mentioned here: fluxcd/flux2#3417 (comment) i think if its completely insecure (no HTTPS) then I am not sure its at all possible based on what I have tried to do with Flux before and insecure OCI. |
FWIW, for #(2), i think we have to assume they are bringing their images ready to go. So they basically make a scratch container with their manifests. However, there are other blockers in terms of our internal registry before getting to point 3. I'll leave a comment about it for the future when this can be fixed. Actually, going to confirm with the team first. Thanks for the updates |
Not quite. These are OCI artifacts (not quite, that specific term can mean something else), not actual "images". These aren't "Docker images" at all (the layers are not @Noxsios would be familiar and probably help explain. It's also how Zarf's own OCI support works (Zarf uses ORAS, Helm does something slightly different, but it's the same concept). And yes you can assume these images already exist, they're created outsize Zarf. Zarf does need to package and transfer them all the way to the Zarf registry somehow though. In theory these generic OCI images can be copied around the same way as Docker images, which is why I suggested listing them in |
|
I'm not able to pull from the ┌─[cmwylie19@Cases-MacBook-Pro] - [~/hello-zarf] - [2023-09-06 02:45:59]
└─[0] <git:(main 0538a87✱) > k explain ocirepo.spec --recursive
GROUP: source.toolkit.fluxcd.io
KIND: OCIRepository
VERSION: v1beta2
FIELD: spec <Object>
DESCRIPTION:
OCIRepositorySpec defines the desired state of OCIRepository
FIELDS:
certSecretRef <Object>
name <string> -required-
ignore <string>
interval <string> -required-
layerSelector <Object>
mediaType <string>
provider <string>
ref <Object>
digest <string>
semver <string>
tag <string>
secretRef <Object>
name <string> -required-
serviceAccountName <string>
suspend <boolean>
timeout <string>
url <string> -required-
┌─[cmwylie19@Cases-MacBook-Pro] - [~/zarf] - [2023-09-06 02:46:59]
└─[0] <git:(1974 46635184✱✈) > k get ocirepo hello-zarf -n flux-system -oyaml
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
annotations:
meta.helm.sh/release-name: zarf-1ac628beb6600ac961cf019ef1e52045b7fcbb0a
meta.helm.sh/release-namespace: flux-system
creationTimestamp: "2023-09-07T11:56:10Z"
finalizers:
- finalizers.fluxcd.io
generation: 1
labels:
app.kubernetes.io/managed-by: Helm
name: hello-zarf
namespace: flux-system
resourceVersion: "22934"
uid: ef430da6-2ba5-4854-938b-067eef2c520b
spec:
interval: 10m
provider: generic
ref:
tag: latest-zarf-1662488912
secretRef:
name: private-registry
timeout: 60s
url: oci://127.0.0.1:31999/cmwylie19/oci-manifests-hello-zarf
status:
conditions:
- lastTransitionTime: "2023-09-07T11:56:11Z"
message: no artifact for resource in storage
observedGeneration: 1
reason: NoArtifact
status: "True"
type: Reconciling
- lastTransitionTime: "2023-09-07T11:56:11Z"
message: 'failed to pull artifact from ''oci://127.0.0.1:31999/cmwylie19/oci-manifests-hello-zarf'':
Get "https://127.0.0.1:31999/v2/": dial tcp 127.0.0.1:31999: connect: connection
refused; Get "http://127.0.0.1:31999/v2/": dial tcp 127.0.0.1:31999: connect:
connection refused'
observedGeneration: 1
reason: OCIArtifactPullFailed
status: "False"
type: Ready
- lastTransitionTime: "2023-09-07T11:56:11Z"
message: 'failed to pull artifact from ''oci://127.0.0.1:31999/cmwylie19/oci-manifests-hello-zarf'':
Get "https://127.0.0.1:31999/v2/": dial tcp 127.0.0.1:31999: connect: connection
refused; Get "http://127.0.0.1:31999/v2/": dial tcp 127.0.0.1:31999: connect:
connection refused'
observedGeneration: 1
reason: OCIArtifactPullFailed
status: "True"
type: FetchFailed
observedGeneration: -1
┌─[cmwylie19@Cases-MacBook-Pro] - [~/zarf] - [2023-09-06 02:48:37]
└─[0] <git:(1974 46635184✱✈) > oras repo tags localhost:5000/cmwylie19/oci-manifests-hello-zarf
latest
latest-zarf-1662488912 |
|
@bburky thank you for the clarity!! |
|
Just to clarify on flux support - OCIRepository cannot be used as a source for a HelmRelease. So I believe to fully support OCI sourced Flux HelmReleases with Zarf we'll need to solve the insecure registry issue either by Flux adding support or by securing the Zarf registry. |
|
Unassigned as this will be likely 2 PRs, one for OCIRepo and another that needs more discussion between Zarf team. OCIRepo should be ready soon but is pending one PR. The current PR that I am working on is addressed by this issue (Which is specific for OCIRepo) |
|
The challenge with tls on the registry is their is no safe k8s-native way to tell the CRIs to use a given CA like you can with admission controllers. The most generic k8-way is to use a privileged daemonset to modify your CRI config (which is as awful as it sounds). Many platforms will modify the CRI out-of-band to accommodate this during cluster init or node image building. |
|
re-assigning myself after chatting with @Racer159 , we will support ---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: podinfo
namespace: default
spec:
type: "oci"
interval: 5m0s
url: oci://ghcr.io/stefanprodan/charts |
|
|
Flux added a In addition to mutating the source of an OCI HelmRepository/OCIRepository, zarf could add the insecure flag automatically if a localhost registry is used. |
|
For now, git server is required in local cluster if deploy using flux. Just require the local registry if oci is supported. |
|
I see that this has been unblocked now, what is the latest update on this feature? |
## Description This also changes how we the agent gets secrets from the cluster. Instead of mounting secrets in the deployment and reading from a file the agent will instead read the secret directly from the cluster. This is done for simplicity, and easier testing. Additionally, the agent will need to read from the cluster in #1974 as well so this helps prepare for that change. This only changes and tests pods to keep the scope of the PR slim. This means temporarily the agent will both read from mounted file secrets and regular kubernetes secrets depending on the hook, but this will be changed shortly in future PRs. ## Related Issue Relates to #2512 ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [ ] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/.github/CONTRIBUTING.md#developer-workflow) followed --------- Co-authored-by: Lucas Rodriguez <[email protected]>
## Description This also changes how we the agent gets secrets from the cluster. Instead of mounting secrets in the deployment and reading from a file the agent will instead read the secret directly from the cluster. This is done for simplicity, and easier testing. Additionally, the agent will need to read from the cluster in defenseunicorns#1974 as well so this helps prepare for that change. This only changes and tests pods to keep the scope of the PR slim. This means temporarily the agent will both read from mounted file secrets and regular kubernetes secrets depending on the hook, but this will be changed shortly in future PRs. ## Related Issue Relates to defenseunicorns#2512 ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [ ] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/.github/CONTRIBUTING.md#developer-workflow) followed --------- Co-authored-by: Lucas Rodriguez <[email protected]>
Is your feature request related to a problem? Please describe.
Zarf does not support deploying Flux HelmReleases with OCI Helm chart sources
Related issue
Describe the solution you'd like
zarf.yamlwithmanifests:including a Flux HelmRepository referencing anoci://chart and a HelmRelease referencing it.images:inzarf.yaml.images:does not support arbitrary (non-container) OCI imagesExample Flux manifests referencing an OCI Helm chart: https://fluxcd.io/flux/cheatsheets/oci-artifacts/#helm-oci
A potential issue: Zarf uses an insecure registry and Flux source-controller may not support insecure OCI registries with Helm: fluxcd/source-controller#807
.spec.insecureDescribe alternatives you've considered
Zarf's built in Helm support does allow OCI, see
demo-helm-oci-chartin this example: https://docs.zarf.dev/examples/helm-charts/However, this does not support using Flux.
Additional context
The scenario prompting this is a vendor only provides OCI packaged Helm charts. We do not need to modify the upstream vendor charts, and would like to copy them unmodified, and deploy them using Flux.
Additionally, Big Bang now distributes Helm charts in OCI format. If Zarf supported this, the dependency on a Gitea git repository could be dropped in many cases.
Support for generic OCI artifacts may be generally useful for other non-Flux use cases too.
The text was updated successfully, but these errors were encountered: