HelmOps AirGap Support

Open manno opened this issue 7 months ago • 1 comments

As a Platform Operator, I want to securely deploy Helm charts to downstream clusters with no direct internet access.

Acceptance Criteria:

  • A new mode is introduced in the HelmOps resource (e.g., via a flag like airGap: true).
  • When this air-gap mode is enabled, the upstream Fleet controller will:
    • Pull the specified Helm chart from its repository.
    • Package the chart's contents into a new Content custom resource.
    • Distribute the reference to the Content resource, instead of the direct Helm chart reference, to the targeted downstream clusters using Fleet's existing bundle mechanism. Set up RBAC for the agent, so it can pull Content resources from its cluster namespace.
  • The Fleet agent on a downstream, air-gapped cluster will:
    • Recognize and receive the Content resource.
    • Use the data within the Content resource to perform a local Helm installation or upgrade.
  • The downstream cluster does not require direct network access to the original Helm repository. It does, however, have access to the k8s API of the management cluster.
  • The solution must account for Helm chart dependencies, ensuring they are packaged within the Content resource.
  • The process for handling private Helm repositories on the upstream cluster, using helmSecretName, remains secure and functional.

manno, May 28 '25 12:05

HelmOps should currently support air-gap setups when referencing a mirrored registry which would be reachable from both upstream and downstream clusters, which is a common setup. A possible solution for such a registry is Hauler. Therefore, the feature described above is not as high-priority as we initially thought.

weyfonk, Sep 30 '25 14:09

Waiting for market validation, tentatively pushing to 2.15 for now.

kkaempf, Dec 18 '25 16:12