cert-manager
Add design for pushing charts to OCI registry
Pull Request Motivation
This design is for us to agree on a path towards pushing cert-manager charts to an OCI registry. Subprojects will follow later.
Related to #5566 and #7117
Kind
/kind design
Release Note
NONE
Due to a bug in Helm that will probably never get fixed, the v prefix in the Helm chart versions breaks Helm's "latest version" discovery functionality: https://github.com/helm/helm/issues/11107
For example, it is possible to run helm install without --version to get the latest version. The same behavior can be seen with helm upgrade, helm show, and helm template.
Here are two examples:
$ helm show chart oci://ghcr.io/cert-manager/charts/openshift-routes
Pulled: ghcr.io/cert-manager/charts/openshift-routes:0.5.0
Digest: sha256:9eaed8e9444d6504981e8469f47737260da58f80d67851423b4f75ee26ba6d5a
apiVersion: v2
appVersion: 0.5.0
description: A Helm chart to deploy openshift-routes adapter for cert-manager on Kubernetes
name: openshift-routes
type: application
version: 0.5.0
$ helm show chart oci://registry.venafi.cloud/charts/venafi-kubernetes-agent
Pulled: registry.venafi.cloud/charts/venafi-kubernetes-agent:0.1.48
Digest: sha256:701fc245b954f544fe8706ddff2e52bfd94329f33a2d1aac10ed30f9a6a8458a
apiVersion: v2
appVersion: v0.1.48
description: The Venafi Kubernetes Agent connects your Kubernetes or Openshift cluster
to the Venafi Control Plane.
name: venafi-kubernetes-agent
type: application
version: 0.1.48
That's because this chart repo doesn't use v in the version prefixes.
For repos that use v, it isn't possible to determine the latest version. For example, this fails:
$ helm show chart oci://registry.venafi.cloud/charts/venafi-connection
Error: Unable to locate any tags in provided repository: oci://registry.venafi.cloud/charts/venafi-connection
I'd much rather fix the bug upstream but @wallrj found that it is pretty much impossible to improve this (please correct me if what I say is wrong, Richard).
- Pro: people and automated tools that rely on Helm can determine the latest version of the chart and notify or create a PR out of it.
- Con: the version scheme becomes inconsistent with cert-manager's regular HTTP-based Helm chart that uses a v.
The "pro" wins over the "con" IMO.
You're absolutely right Maël and that looks worth considering! I wonder if it would work to push both tags - one with the v prefix and one without? That would avoid breaking scripts which assume a v prefix 🤔
Yes, if you push both the v0.0.0 and the 0.0.0 tags, then Helm can find the latest and if you supply --version v0.0.0 that works too... despite the chart archive only containing the v prefixed chart version.
Here's a record of me trying that out:
- https://github.com/cert-manager/cert-manager/issues/2380#issuecomment-1857801427
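An added example, not part of the thread and not cert-manager's or Helm's code: a release-time check over a repository's tag list that reports which tag a "latest" lookup would land on and which v-prefixed tags still lack an unprefixed twin. It assumes the simplified rule described above (only unprefixed MAJOR.MINOR.PATCH tags are discoverable); `Audit`, `parse` and `newer` are hypothetical names and the tag list is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Assumed rule, simplified from this thread: only MAJOR.MINOR.PATCH tags with
// no "v" prefix are visible to latest-version discovery (no pre-releases here).
var bare = regexp.MustCompile(`^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)$`)

// parse returns the numeric parts of a discoverable tag, or ok=false.
func parse(tag string) (v [3]int, ok bool) {
	m := bare.FindStringSubmatch(tag)
	for i := 0; m != nil && i < 3; i++ {
		v[i], _ = strconv.Atoi(m[i+1])
	}
	return v, m != nil
}

// newer reports whether version a sorts after version b.
func newer(a, b [3]int) bool {
	return a[0] > b[0] || a[0] == b[0] && (a[1] > b[1] || a[1] == b[1] && a[2] > b[2])
}

// Audit returns the tag a "latest" lookup would pick ("" if none) and the
// v-prefixed tags that have no unprefixed twin in the same repository.
func Audit(tags []string) (latest string, missing []string) {
	have, best := map[string]bool{}, [3]int{-1}
	for _, t := range tags {
		have[t] = true
	}
	for _, t := range tags {
		if v, ok := parse(t); ok && newer(v, best) {
			latest, best = t, v
		}
		twin := strings.TrimPrefix(t, "v")
		if _, ok := parse(twin); ok && twin != t && !have[twin] {
			missing = append(missing, t)
		}
	}
	return latest, missing
}

func main() {
	fmt.Println(Audit([]string{"v1.2.0", "1.2.0", "v1.10.0"})) // constructed tags
}
```

With the constructed list, the lookup resolves to 1.2.0 even though v1.10.0 exists, which is the stale-latest case that dual tagging only avoids if every release gets both tags.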
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: inteon