helm
feat: OCI install by digest
What this PR does / why we need it: Ths PR Allows helm OCI install of charts using digest. Supported formats include:
helm install billy oci://localhost:5000/demo@sha256:d1c2884a2ac2d2f80fb1bf384e45b4cc72669498ccd237843dcc63bfcac810a3 --version 0.1.0
helm install billy oci://localhost:5000/demo:0.1.0 --version 0.1.0
Without version option
helm install billy oci://localhost:5000/demo@sha256:d1c2884a2ac2d2f80fb1bf384e45b4cc72669498ccd237843dcc63bfcac810a3
helm install billy oci://localhost:5000/demo:0.1.0
Special notes for your reviewer:
If applicable:
- [ ] this PR contains documentation
- [x] this PR contains unit tests
- [x] this PR has been tested for backwards compatibility
Closes: https://github.com/helm/helm/pull/10799 Partial: https://github.com/helm/helm/issues/10312 Closes: https://github.com/helm/helm/issues/10678 Closes: https://github.com/helm/helm/pull/12558
Related docs PR https://github.com/helm/helm-www/pull/1629
This is a great feature! Is there a plan to move it forward? Thanks.
This is still on my list, but haven't had time to address @sabre1041 comment
Any plans to pick this back up soon? This would be a great feature to add.
Yes. I fixed a couple issues back in June, just need complete Andrew's last comment.
I'll look at this again in the next 7 days.
@TerryHowe if you need additional help, let me know. I'm interested in the feature and I might have cycles to spare
This is a great improvement! Hopefully, it will be merged and will be part of the next release.
@TerryHowe when attempting to install by digest, the following error is emitted
Error: object required
Command used
helm template helm-digest oci://<charrt>@sha256:<SHA>
Other uses, such as including a tag, including a tag + version, version only and no tag or version work without issue
@TerryHowe when attempting to install by digest, the following error is emitted
Error: object requiredCommand used
helm template helm-digest oci://<charrt>@sha256:<SHA>Other uses, such as including a tag, including a tag + version, version only and no tag or version work without issue
Fixed
Error: object required
Is just an ambiguous error message from oras-go v1 meaning the tag was required and not provided. The latest change uses the digest if the tag was not provided.
Error: object requiredIs just an ambiguous error message from oras-go v1 meaning the tag was required and not provided. The latest change uses the digest if the tag was not provided.
Issue has been resolved with the latest update. Thanks!
Still one outstanding question and to circle back from my question some time ago. When a digest and version is supplied, what should occur. If both are included, digest always win
Docker, buildah and CRI-O all ignore the tag if a digest is specified. Some discussion here: https://github.com/containers/buildah/issues/1407
one outstanding question and to circle back from my question some time ago. When a digest and version is supplied, what should occur. If both are included, digest always win
I can't say how all registries will handle it, but...
In this PR, helm is going to validate that the tag returns the same digest here https://github.com/helm/helm/pull/12690/files#diff-2c9eb8ecd19796ab58f91f47766276c8d2a0c6732276fe1712d47db6d776cfe6R169-R176
And on the subject of Oras V1, do you think it would be better to aim to merge this PR or https://github.com/helm/helm/pull/13382 first?
I don't think the order will matter much. The digest change just added one mehtod to the ORAS wrapper and v2 has a method that would simplify that call.
Changes since last review are one commit https://github.com/helm/helm/pull/12690/commits/d2b94f62004e79864ec530989109cf0effd4aaae
Should we aim to backport this to helm v3? (add the "needs v3 fix" label and cherrypick to dev-v3 branch)
Should we aim to backport this to helm v3? (add the "needs v3 fix" label and cherrypick to dev-v3 branch)
Yes, I believe that we should as the benefits can be realized prior to the release of Helm 4